• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.haxx.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  ***************************************************************************/
22 
23 /*
24  * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
25  * but vtls.c should ever call or use these functions.
26  */
27 
28 /*
29  * The original SSLeay-using code for curl was written by Linas Vepstas and
30  * Sampo Kellomaki 1998.
31  */
32 
33 #include "curl_setup.h"
34 
35 #ifdef USE_OPENSSL
36 
37 #ifdef HAVE_LIMITS_H
38 #include <limits.h>
39 #endif
40 
41 #include "urldata.h"
42 #include "sendf.h"
43 #include "formdata.h" /* for the boundary function */
44 #include "url.h" /* for the ssl config check function */
45 #include "inet_pton.h"
46 #include "openssl.h"
47 #include "connect.h"
48 #include "slist.h"
49 #include "select.h"
50 #include "vtls.h"
51 #include "strcase.h"
52 #include "hostcheck.h"
53 #include "curl_printf.h"
54 
55 #include <openssl/ssl.h>
56 #include <openssl/rand.h>
57 #include <openssl/x509v3.h>
58 #include <openssl/dsa.h>
59 #include <openssl/dh.h>
60 #include <openssl/err.h>
61 #include <openssl/md5.h>
62 #include <openssl/conf.h>
63 #include <openssl/bn.h>
64 #include <openssl/rsa.h>
65 
66 #ifdef HAVE_OPENSSL_PKCS12_H
67 #include <openssl/pkcs12.h>
68 #endif
69 
70 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
71 #include <openssl/ocsp.h>
72 #endif
73 
74 #include "warnless.h"
75 #include "non-ascii.h" /* for Curl_convert_from_utf8 prototype */
76 
77 /* The last #include files should be: */
78 #include "curl_memory.h"
79 #include "memdebug.h"
80 
81 #ifndef OPENSSL_VERSION_NUMBER
82 #error "OPENSSL_VERSION_NUMBER not defined"
83 #endif
84 
85 #if defined(HAVE_OPENSSL_ENGINE_H)
86 #include <openssl/ui.h>
87 #endif
88 
89 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
90 #define SSL_METHOD_QUAL const
91 #else
92 #define SSL_METHOD_QUAL
93 #endif
94 
95 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
96 #define HAVE_ERR_REMOVE_THREAD_STATE 1
97 #endif
98 
99 #if !defined(HAVE_SSLV2_CLIENT_METHOD) || \
100   OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ has no SSLv2 */
101 #undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
102 #define OPENSSL_NO_SSL2
103 #endif
104 
105 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
106   !defined(LIBRESSL_VERSION_NUMBER)
107 #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
108 #define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
109 #define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
110 #define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
111 #define CONST_EXTS const
112 #define CONST_ASN1_BIT_STRING const
113 #define HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED 1
114 #else
115 /* For OpenSSL before 1.1.0 */
116 #define ASN1_STRING_get0_data(x) ASN1_STRING_data(x)
117 #define X509_get0_notBefore(x) X509_get_notBefore(x)
118 #define X509_get0_notAfter(x) X509_get_notAfter(x)
119 #define CONST_EXTS /* nope */
120 #define CONST_ASN1_BIT_STRING /* nope */
121 #ifdef LIBRESSL_VERSION_NUMBER
OpenSSL_version_num(void)122 static unsigned long OpenSSL_version_num(void)
123 {
124   return LIBRESSL_VERSION_NUMBER;
125 }
126 #else
127 #define OpenSSL_version_num() SSLeay()
128 #endif
129 #endif
130 
131 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
132   !defined(LIBRESSL_VERSION_NUMBER)
133 #define HAVE_X509_GET0_SIGNATURE 1
134 #endif
135 
136 #if OPENSSL_VERSION_NUMBER >= 0x10002003L && \
137   OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \
138   !defined(OPENSSL_NO_COMP)
139 #define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1
140 #endif
141 
142 #if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
143 /* not present in older OpenSSL */
144 #define OPENSSL_load_builtin_modules(x)
145 #endif
146 
147 #if defined(LIBRESSL_VERSION_NUMBER)
148 #define OSSL_PACKAGE "LibreSSL"
149 #elif defined(OPENSSL_IS_BORINGSSL)
150 #define OSSL_PACKAGE "BoringSSL"
151 #else
152 #define OSSL_PACKAGE "OpenSSL"
153 #endif
154 
155 /*
156  * Number of bytes to read from the random number seed file. This must be
157  * a finite value (because some entropy "files" like /dev/urandom have
158  * an infinite length), but must be large enough to provide enough
159  * entopy to properly seed OpenSSL's PRNG.
160  */
161 #define RAND_LOAD_LENGTH 1024
162 
passwd_callback(char * buf,int num,int encrypting,void * global_passwd)163 static int passwd_callback(char *buf, int num, int encrypting,
164                            void *global_passwd)
165 {
166   DEBUGASSERT(0 == encrypting);
167 
168   if(!encrypting) {
169     int klen = curlx_uztosi(strlen((char *)global_passwd));
170     if(num > klen) {
171       memcpy(buf, global_passwd, klen+1);
172       return klen;
173     }
174   }
175   return 0;
176 }
177 
178 /*
179  * rand_enough() returns TRUE if we have seeded the random engine properly.
180  */
rand_enough(void)181 static bool rand_enough(void)
182 {
183   return (0 != RAND_status()) ? TRUE : FALSE;
184 }
185 
Curl_ossl_seed(struct Curl_easy * data)186 static CURLcode Curl_ossl_seed(struct Curl_easy *data)
187 {
188   /* we have the "SSL is seeded" boolean static to prevent multiple
189      time-consuming seedings in vain */
190   static bool ssl_seeded = FALSE;
191   char *buf = data->state.buffer; /* point to the big buffer */
192   int nread=0;
193 
194   if(ssl_seeded)
195     return CURLE_OK;
196 
197   if(rand_enough()) {
198     /* OpenSSL 1.1.0+ will return here */
199     ssl_seeded = TRUE;
200     return CURLE_OK;
201   }
202 
203 #ifndef RANDOM_FILE
204   /* if RANDOM_FILE isn't defined, we only perform this if an option tells
205      us to! */
206   if(data->set.str[STRING_SSL_RANDOM_FILE])
207 #define RANDOM_FILE "" /* doesn't matter won't be used */
208 #endif
209   {
210     /* let the option override the define */
211     nread += RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
212                              data->set.str[STRING_SSL_RANDOM_FILE]:
213                              RANDOM_FILE),
214                             RAND_LOAD_LENGTH);
215     if(rand_enough())
216       return nread;
217   }
218 
219 #if defined(HAVE_RAND_EGD)
220   /* only available in OpenSSL 0.9.5 and later */
221   /* EGD_SOCKET is set at configure time or not at all */
222 #ifndef EGD_SOCKET
223   /* If we don't have the define set, we only do this if the egd-option
224      is set */
225   if(data->set.str[STRING_SSL_EGDSOCKET])
226 #define EGD_SOCKET "" /* doesn't matter won't be used */
227 #endif
228   {
229     /* If there's an option and a define, the option overrides the
230        define */
231     int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
232                        data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
233     if(-1 != ret) {
234       nread += ret;
235       if(rand_enough())
236         return nread;
237     }
238   }
239 #endif
240 
241   /* If we get here, it means we need to seed the PRNG using a "silly"
242      approach! */
243   do {
244     unsigned char randb[64];
245     int len = sizeof(randb);
246     if(!RAND_bytes(randb, len))
247       break;
248     RAND_add(randb, len, (len >> 1));
249   } while(!rand_enough());
250 
251   /* generates a default path for the random seed file */
252   buf[0]=0; /* blank it first */
253   RAND_file_name(buf, BUFSIZE);
254   if(buf[0]) {
255     /* we got a file name to try */
256     nread += RAND_load_file(buf, RAND_LOAD_LENGTH);
257     if(rand_enough())
258       return nread;
259   }
260 
261   infof(data, "libcurl is now using a weak random seed!\n");
262   return CURLE_SSL_CONNECT_ERROR; /* confusing error code */
263 }
264 
265 #ifndef SSL_FILETYPE_ENGINE
266 #define SSL_FILETYPE_ENGINE 42
267 #endif
268 #ifndef SSL_FILETYPE_PKCS12
269 #define SSL_FILETYPE_PKCS12 43
270 #endif
do_file_type(const char * type)271 static int do_file_type(const char *type)
272 {
273   if(!type || !type[0])
274     return SSL_FILETYPE_PEM;
275   if(strcasecompare(type, "PEM"))
276     return SSL_FILETYPE_PEM;
277   if(strcasecompare(type, "DER"))
278     return SSL_FILETYPE_ASN1;
279   if(strcasecompare(type, "ENG"))
280     return SSL_FILETYPE_ENGINE;
281   if(strcasecompare(type, "P12"))
282     return SSL_FILETYPE_PKCS12;
283   return -1;
284 }
285 
286 #if defined(HAVE_OPENSSL_ENGINE_H)
287 /*
288  * Supply default password to the engine user interface conversation.
289  * The password is passed by OpenSSL engine from ENGINE_load_private_key()
290  * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
291  */
ssl_ui_reader(UI * ui,UI_STRING * uis)292 static int ssl_ui_reader(UI *ui, UI_STRING *uis)
293 {
294   const char *password;
295   switch(UI_get_string_type(uis)) {
296   case UIT_PROMPT:
297   case UIT_VERIFY:
298     password = (const char *)UI_get0_user_data(ui);
299     if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
300       UI_set_result(ui, uis, password);
301       return 1;
302     }
303   default:
304     break;
305   }
306   return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
307 }
308 
309 /*
310  * Suppress interactive request for a default password if available.
311  */
ssl_ui_writer(UI * ui,UI_STRING * uis)312 static int ssl_ui_writer(UI *ui, UI_STRING *uis)
313 {
314   switch(UI_get_string_type(uis)) {
315   case UIT_PROMPT:
316   case UIT_VERIFY:
317     if(UI_get0_user_data(ui) &&
318        (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
319       return 1;
320     }
321   default:
322     break;
323   }
324   return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
325 }
326 #endif
327 
328 static
cert_stuff(struct connectdata * conn,SSL_CTX * ctx,char * cert_file,const char * cert_type,char * key_file,const char * key_type,char * key_passwd)329 int cert_stuff(struct connectdata *conn,
330                SSL_CTX* ctx,
331                char *cert_file,
332                const char *cert_type,
333                char *key_file,
334                const char *key_type,
335                char *key_passwd)
336 {
337   struct Curl_easy *data = conn->data;
338 
339   int file_type = do_file_type(cert_type);
340 
341   if(cert_file || (file_type == SSL_FILETYPE_ENGINE)) {
342     SSL *ssl;
343     X509 *x509;
344     int cert_done = 0;
345 
346     if(key_passwd) {
347       /* set the password in the callback userdata */
348       SSL_CTX_set_default_passwd_cb_userdata(ctx, key_passwd);
349       /* Set passwd callback: */
350       SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
351     }
352 
353 
354     switch(file_type) {
355     case SSL_FILETYPE_PEM:
356       /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
357       if(SSL_CTX_use_certificate_chain_file(ctx,
358                                             cert_file) != 1) {
359         failf(data,
360               "could not load PEM client certificate, " OSSL_PACKAGE
361               " error %s, "
362               "(no key found, wrong pass phrase, or wrong file format?)",
363               ERR_error_string(ERR_get_error(), NULL) );
364         return 0;
365       }
366       break;
367 
368     case SSL_FILETYPE_ASN1:
369       /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
370          we use the case above for PEM so this can only be performed with
371          ASN1 files. */
372       if(SSL_CTX_use_certificate_file(ctx,
373                                       cert_file,
374                                       file_type) != 1) {
375         failf(data,
376               "could not load ASN1 client certificate, " OSSL_PACKAGE
377               " error %s, "
378               "(no key found, wrong pass phrase, or wrong file format?)",
379               ERR_error_string(ERR_get_error(), NULL) );
380         return 0;
381       }
382       break;
383     case SSL_FILETYPE_ENGINE:
384 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
385       {
386         if(data->state.engine) {
387           const char *cmd_name = "LOAD_CERT_CTRL";
388           struct {
389             const char *cert_id;
390             X509 *cert;
391           } params;
392 
393           params.cert_id = cert_file;
394           params.cert = NULL;
395 
396           /* Does the engine supports LOAD_CERT_CTRL ? */
397           if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
398                           0, (void *)cmd_name, NULL)) {
399             failf(data, "ssl engine does not support loading certificates");
400             return 0;
401           }
402 
403           /* Load the certificate from the engine */
404           if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
405                               0, &params, NULL, 1)) {
406             failf(data, "ssl engine cannot load client cert with id"
407                   " '%s' [%s]", cert_file,
408                   ERR_error_string(ERR_get_error(), NULL));
409             return 0;
410           }
411 
412           if(!params.cert) {
413             failf(data, "ssl engine didn't initialized the certificate "
414                   "properly.");
415             return 0;
416           }
417 
418           if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
419             failf(data, "unable to set client certificate");
420             X509_free(params.cert);
421             return 0;
422           }
423           X509_free(params.cert); /* we don't need the handle any more... */
424         }
425         else {
426           failf(data, "crypto engine not set, can't load certificate");
427           return 0;
428         }
429       }
430       break;
431 #else
432       failf(data, "file type ENG for certificate not implemented");
433       return 0;
434 #endif
435 
436     case SSL_FILETYPE_PKCS12:
437     {
438 #ifdef HAVE_OPENSSL_PKCS12_H
439       FILE *f;
440       PKCS12 *p12;
441       EVP_PKEY *pri;
442       STACK_OF(X509) *ca = NULL;
443 
444       f = fopen(cert_file, "rb");
445       if(!f) {
446         failf(data, "could not open PKCS12 file '%s'", cert_file);
447         return 0;
448       }
449       p12 = d2i_PKCS12_fp(f, NULL);
450       fclose(f);
451 
452       if(!p12) {
453         failf(data, "error reading PKCS12 file '%s'", cert_file);
454         return 0;
455       }
456 
457       PKCS12_PBE_add();
458 
459       if(!PKCS12_parse(p12, key_passwd, &pri, &x509,
460                        &ca)) {
461         failf(data,
462               "could not parse PKCS12 file, check password, " OSSL_PACKAGE
463               " error %s",
464               ERR_error_string(ERR_get_error(), NULL) );
465         PKCS12_free(p12);
466         return 0;
467       }
468 
469       PKCS12_free(p12);
470 
471       if(SSL_CTX_use_certificate(ctx, x509) != 1) {
472         failf(data,
473               "could not load PKCS12 client certificate, " OSSL_PACKAGE
474               " error %s",
475               ERR_error_string(ERR_get_error(), NULL) );
476         goto fail;
477       }
478 
479       if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
480         failf(data, "unable to use private key from PKCS12 file '%s'",
481               cert_file);
482         goto fail;
483       }
484 
485       if(!SSL_CTX_check_private_key (ctx)) {
486         failf(data, "private key from PKCS12 file '%s' "
487               "does not match certificate in same file", cert_file);
488         goto fail;
489       }
490       /* Set Certificate Verification chain */
491       if(ca) {
492         while(sk_X509_num(ca)) {
493           /*
494            * Note that sk_X509_pop() is used below to make sure the cert is
495            * removed from the stack properly before getting passed to
496            * SSL_CTX_add_extra_chain_cert(). Previously we used
497            * sk_X509_value() instead, but then we'd clean it in the subsequent
498            * sk_X509_pop_free() call.
499            */
500           X509 *x = sk_X509_pop(ca);
501           if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
502             X509_free(x);
503             failf(data, "cannot add certificate to certificate chain");
504             goto fail;
505           }
506           /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
507            * presumably because it duplicates what we pass to it.
508            */
509           if(!SSL_CTX_add_client_CA(ctx, x)) {
510             failf(data, "cannot add certificate to client CA list");
511             goto fail;
512           }
513         }
514       }
515 
516       cert_done = 1;
517   fail:
518       EVP_PKEY_free(pri);
519       X509_free(x509);
520       sk_X509_pop_free(ca, X509_free);
521 
522       if(!cert_done)
523         return 0; /* failure! */
524       break;
525 #else
526       failf(data, "file type P12 for certificate not supported");
527       return 0;
528 #endif
529     }
530     default:
531       failf(data, "not supported file type '%s' for certificate", cert_type);
532       return 0;
533     }
534 
535     file_type = do_file_type(key_type);
536 
537     switch(file_type) {
538     case SSL_FILETYPE_PEM:
539       if(cert_done)
540         break;
541       if(!key_file)
542         /* cert & key can only be in PEM case in the same file */
543         key_file=cert_file;
544     case SSL_FILETYPE_ASN1:
545       if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {
546         failf(data, "unable to set private key file: '%s' type %s",
547               key_file, key_type?key_type:"PEM");
548         return 0;
549       }
550       break;
551     case SSL_FILETYPE_ENGINE:
552 #ifdef HAVE_OPENSSL_ENGINE_H
553       {                         /* XXXX still needs some work */
554         EVP_PKEY *priv_key = NULL;
555         if(data->state.engine) {
556           UI_METHOD *ui_method =
557             UI_create_method((char *)"curl user interface");
558           if(!ui_method) {
559             failf(data, "unable do create " OSSL_PACKAGE
560                   " user-interface method");
561             return 0;
562           }
563           UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
564           UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
565           UI_method_set_reader(ui_method, ssl_ui_reader);
566           UI_method_set_writer(ui_method, ssl_ui_writer);
567           /* the typecast below was added to please mingw32 */
568           priv_key = (EVP_PKEY *)
569             ENGINE_load_private_key(data->state.engine, key_file,
570                                     ui_method,
571                                     key_passwd);
572           UI_destroy_method(ui_method);
573           if(!priv_key) {
574             failf(data, "failed to load private key from crypto engine");
575             return 0;
576           }
577           if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
578             failf(data, "unable to set private key");
579             EVP_PKEY_free(priv_key);
580             return 0;
581           }
582           EVP_PKEY_free(priv_key);  /* we don't need the handle any more... */
583         }
584         else {
585           failf(data, "crypto engine not set, can't load private key");
586           return 0;
587         }
588       }
589       break;
590 #else
591       failf(data, "file type ENG for private key not supported");
592       return 0;
593 #endif
594     case SSL_FILETYPE_PKCS12:
595       if(!cert_done) {
596         failf(data, "file type P12 for private key not supported");
597         return 0;
598       }
599       break;
600     default:
601       failf(data, "not supported file type for private key");
602       return 0;
603     }
604 
605     ssl=SSL_new(ctx);
606     if(!ssl) {
607       failf(data, "unable to create an SSL structure");
608       return 0;
609     }
610 
611     x509=SSL_get_certificate(ssl);
612 
613     /* This version was provided by Evan Jordan and is supposed to not
614        leak memory as the previous version: */
615     if(x509) {
616       EVP_PKEY *pktmp = X509_get_pubkey(x509);
617       EVP_PKEY_copy_parameters(pktmp, SSL_get_privatekey(ssl));
618       EVP_PKEY_free(pktmp);
619     }
620 
621     SSL_free(ssl);
622 
623     /* If we are using DSA, we can copy the parameters from
624      * the private key */
625 
626 
627     /* Now we know that a key and cert have been set against
628      * the SSL context */
629     if(!SSL_CTX_check_private_key(ctx)) {
630       failf(data, "Private key does not match the certificate public key");
631       return 0;
632     }
633   }
634   return 1;
635 }
636 
637 /* returns non-zero on failure */
x509_name_oneline(X509_NAME * a,char * buf,size_t size)638 static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
639 {
640 #if 0
641   return X509_NAME_oneline(a, buf, size);
642 #else
643   BIO *bio_out = BIO_new(BIO_s_mem());
644   BUF_MEM *biomem;
645   int rc;
646 
647   if(!bio_out)
648     return 1; /* alloc failed! */
649 
650   rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
651   BIO_get_mem_ptr(bio_out, &biomem);
652 
653   if((size_t)biomem->length < size)
654     size = biomem->length;
655   else
656     size--; /* don't overwrite the buffer end */
657 
658   memcpy(buf, biomem->data, size);
659   buf[size]=0;
660 
661   BIO_free(bio_out);
662 
663   return !rc;
664 #endif
665 }
666 
667 /* Return error string for last OpenSSL error
668  */
ossl_strerror(unsigned long error,char * buf,size_t size)669 static char *ossl_strerror(unsigned long error, char *buf, size_t size)
670 {
671   /* OpenSSL 0.9.6 and later has a function named
672      ERR_error_string_n() that takes the size of the buffer as a
673      third argument */
674   ERR_error_string_n(error, buf, size);
675   return buf;
676 }
677 
678 /**
679  * Global SSL init
680  *
681  * @retval 0 error initializing SSL
682  * @retval 1 SSL initialized successfully
683  */
Curl_ossl_init(void)684 int Curl_ossl_init(void)
685 {
686   OPENSSL_load_builtin_modules();
687 
688 #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
689   ENGINE_load_builtin_engines();
690 #endif
691 
692   /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately
693      that function makes an exit() call on wrongly formatted config files
694      which makes it hard to use in some situations. OPENSSL_config() itself
695      calls CONF_modules_load_file() and we use that instead and we ignore
696      its return code! */
697 
698   /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and
699      0.9.8e */
700 #ifndef CONF_MFLAGS_DEFAULT_SECTION
701 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
702 #endif
703 
704   CONF_modules_load_file(NULL, NULL,
705                          CONF_MFLAGS_DEFAULT_SECTION|
706                          CONF_MFLAGS_IGNORE_MISSING_FILE);
707 
708 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
709     !defined(LIBRESSL_VERSION_NUMBER)
710   /* OpenSSL 1.1.0+ takes care of initialization itself */
711 #else
712   /* Lets get nice error messages */
713   SSL_load_error_strings();
714 
715   /* Init the global ciphers and digests */
716   if(!SSLeay_add_ssl_algorithms())
717     return 0;
718 
719   OpenSSL_add_all_algorithms();
720 #endif
721 
722   return 1;
723 }
724 
725 /* Global cleanup */
Curl_ossl_cleanup(void)726 void Curl_ossl_cleanup(void)
727 {
728 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
729     !defined(LIBRESSL_VERSION_NUMBER)
730   /* OpenSSL 1.1 deprecates all these cleanup functions and
731      turns them into no-ops in OpenSSL 1.0 compatibility mode */
732 #else
733   /* Free ciphers and digests lists */
734   EVP_cleanup();
735 
736 #ifdef HAVE_ENGINE_CLEANUP
737   /* Free engine list */
738   ENGINE_cleanup();
739 #endif
740 
741   /* Free OpenSSL error strings */
742   ERR_free_strings();
743 
744   /* Free thread local error state, destroying hash upon zero refcount */
745 #ifdef HAVE_ERR_REMOVE_THREAD_STATE
746   ERR_remove_thread_state(NULL);
747 #else
748   ERR_remove_state(0);
749 #endif
750 
751   /* Free all memory allocated by all configuration modules */
752   CONF_modules_free();
753 
754 #ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
755   SSL_COMP_free_compression_methods();
756 #endif
757 #endif
758 }
759 
760 /*
761  * This function is used to determine connection status.
762  *
763  * Return codes:
764  *     1 means the connection is still in place
765  *     0 means the connection has been closed
766  *    -1 means the connection status is unknown
767  */
Curl_ossl_check_cxn(struct connectdata * conn)768 int Curl_ossl_check_cxn(struct connectdata *conn)
769 {
770   /* SSL_peek takes data out of the raw recv buffer without peeking so we use
771      recv MSG_PEEK instead. Bug #795 */
772 #ifdef MSG_PEEK
773   char buf;
774   ssize_t nread;
775   nread = recv((RECV_TYPE_ARG1)conn->sock[FIRSTSOCKET], (RECV_TYPE_ARG2)&buf,
776                (RECV_TYPE_ARG3)1, (RECV_TYPE_ARG4)MSG_PEEK);
777   if(nread == 0)
778     return 0; /* connection has been closed */
779   else if(nread == 1)
780     return 1; /* connection still in place */
781   else if(nread == -1) {
782       int err = SOCKERRNO;
783       if(err == EINPROGRESS ||
784 #if defined(EAGAIN) && (EAGAIN != EWOULDBLOCK)
785          err == EAGAIN ||
786 #endif
787          err == EWOULDBLOCK)
788         return 1; /* connection still in place */
789       if(err == ECONNRESET ||
790 #ifdef ECONNABORTED
791          err == ECONNABORTED ||
792 #endif
793 #ifdef ENETDOWN
794          err == ENETDOWN ||
795 #endif
796 #ifdef ENETRESET
797          err == ENETRESET ||
798 #endif
799 #ifdef ESHUTDOWN
800          err == ESHUTDOWN ||
801 #endif
802 #ifdef ETIMEDOUT
803          err == ETIMEDOUT ||
804 #endif
805          err == ENOTCONN)
806         return 0; /* connection has been closed */
807   }
808 #endif
809   return -1; /* connection status unknown */
810 }
811 
812 /* Selects an OpenSSL crypto engine
813  */
Curl_ossl_set_engine(struct Curl_easy * data,const char * engine)814 CURLcode Curl_ossl_set_engine(struct Curl_easy *data, const char *engine)
815 {
816 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H)
817   ENGINE *e;
818 
819 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
820   e = ENGINE_by_id(engine);
821 #else
822   /* avoid memory leak */
823   for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
824     const char *e_id = ENGINE_get_id(e);
825     if(!strcmp(engine, e_id))
826       break;
827   }
828 #endif
829 
830   if(!e) {
831     failf(data, "SSL Engine '%s' not found", engine);
832     return CURLE_SSL_ENGINE_NOTFOUND;
833   }
834 
835   if(data->state.engine) {
836     ENGINE_finish(data->state.engine);
837     ENGINE_free(data->state.engine);
838     data->state.engine = NULL;
839   }
840   if(!ENGINE_init(e)) {
841     char buf[256];
842 
843     ENGINE_free(e);
844     failf(data, "Failed to initialise SSL Engine '%s':\n%s",
845           engine, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
846     return CURLE_SSL_ENGINE_INITFAILED;
847   }
848   data->state.engine = e;
849   return CURLE_OK;
850 #else
851   (void)engine;
852   failf(data, "SSL Engine not supported");
853   return CURLE_SSL_ENGINE_NOTFOUND;
854 #endif
855 }
856 
857 /* Sets engine as default for all SSL operations
858  */
Curl_ossl_set_engine_default(struct Curl_easy * data)859 CURLcode Curl_ossl_set_engine_default(struct Curl_easy *data)
860 {
861 #ifdef HAVE_OPENSSL_ENGINE_H
862   if(data->state.engine) {
863     if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
864       infof(data, "set default crypto engine '%s'\n",
865             ENGINE_get_id(data->state.engine));
866     }
867     else {
868       failf(data, "set default crypto engine '%s' failed",
869             ENGINE_get_id(data->state.engine));
870       return CURLE_SSL_ENGINE_SETFAILED;
871     }
872   }
873 #else
874   (void) data;
875 #endif
876   return CURLE_OK;
877 }
878 
879 /* Return list of OpenSSL crypto engine names.
880  */
Curl_ossl_engines_list(struct Curl_easy * data)881 struct curl_slist *Curl_ossl_engines_list(struct Curl_easy *data)
882 {
883   struct curl_slist *list = NULL;
884 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H)
885   struct curl_slist *beg;
886   ENGINE *e;
887 
888   for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
889     beg = curl_slist_append(list, ENGINE_get_id(e));
890     if(!beg) {
891       curl_slist_free_all(list);
892       return NULL;
893     }
894     list = beg;
895   }
896 #endif
897   (void) data;
898   return list;
899 }
900 
901 
ossl_close(struct ssl_connect_data * connssl)902 static void ossl_close(struct ssl_connect_data *connssl)
903 {
904   if(connssl->handle) {
905     (void)SSL_shutdown(connssl->handle);
906     SSL_set_connect_state(connssl->handle);
907 
908     SSL_free (connssl->handle);
909     connssl->handle = NULL;
910   }
911   if(connssl->ctx) {
912     SSL_CTX_free (connssl->ctx);
913     connssl->ctx = NULL;
914   }
915 }
916 
917 /*
918  * This function is called when an SSL connection is closed.
919  */
Curl_ossl_close(struct connectdata * conn,int sockindex)920 void Curl_ossl_close(struct connectdata *conn, int sockindex)
921 {
922   ossl_close(&conn->ssl[sockindex]);
923   ossl_close(&conn->proxy_ssl[sockindex]);
924 }
925 
926 /*
927  * This function is called to shut down the SSL layer but keep the
928  * socket open (CCC - Clear Command Channel)
929  */
Curl_ossl_shutdown(struct connectdata * conn,int sockindex)930 int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
931 {
932   int retval = 0;
933   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
934   struct Curl_easy *data = conn->data;
935   char buf[256]; /* We will use this for the OpenSSL error buffer, so it has
936                     to be at least 256 bytes long. */
937   unsigned long sslerror;
938   ssize_t nread;
939   int buffsize;
940   int err;
941   int done = 0;
942 
943   /* This has only been tested on the proftpd server, and the mod_tls code
944      sends a close notify alert without waiting for a close notify alert in
945      response. Thus we wait for a close notify alert from the server, but
946      we do not send one. Let's hope other servers do the same... */
947 
948   if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
949       (void)SSL_shutdown(connssl->handle);
950 
951   if(connssl->handle) {
952     buffsize = (int)sizeof(buf);
953     while(!done) {
954       int what = SOCKET_READABLE(conn->sock[sockindex],
955                                  SSL_SHUTDOWN_TIMEOUT);
956       if(what > 0) {
957         ERR_clear_error();
958 
959         /* Something to read, let's do it and hope that it is the close
960            notify alert from the server */
961         nread = (ssize_t)SSL_read(conn->ssl[sockindex].handle, buf,
962                                   buffsize);
963         err = SSL_get_error(conn->ssl[sockindex].handle, (int)nread);
964 
965         switch(err) {
966         case SSL_ERROR_NONE: /* this is not an error */
967         case SSL_ERROR_ZERO_RETURN: /* no more data */
968           /* This is the expected response. There was no data but only
969              the close notify alert */
970           done = 1;
971           break;
972         case SSL_ERROR_WANT_READ:
973           /* there's data pending, re-invoke SSL_read() */
974           infof(data, "SSL_ERROR_WANT_READ\n");
975           break;
976         case SSL_ERROR_WANT_WRITE:
977           /* SSL wants a write. Really odd. Let's bail out. */
978           infof(data, "SSL_ERROR_WANT_WRITE\n");
979           done = 1;
980           break;
981         default:
982           /* openssl/ssl.h says "look at error stack/return value/errno" */
983           sslerror = ERR_get_error();
984           failf(conn->data, OSSL_PACKAGE " SSL read: %s, errno %d",
985                 ossl_strerror(sslerror, buf, sizeof(buf)),
986                 SOCKERRNO);
987           done = 1;
988           break;
989         }
990       }
991       else if(0 == what) {
992         /* timeout */
993         failf(data, "SSL shutdown timeout");
994         done = 1;
995       }
996       else {
997         /* anything that gets here is fatally bad */
998         failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
999         retval = -1;
1000         done = 1;
1001       }
1002     } /* while()-loop for the select() */
1003 
1004     if(data->set.verbose) {
1005 #ifdef HAVE_SSL_GET_SHUTDOWN
1006       switch(SSL_get_shutdown(connssl->handle)) {
1007       case SSL_SENT_SHUTDOWN:
1008         infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n");
1009         break;
1010       case SSL_RECEIVED_SHUTDOWN:
1011         infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n");
1012         break;
1013       case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN:
1014         infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|"
1015               "SSL_RECEIVED__SHUTDOWN\n");
1016         break;
1017       }
1018 #endif
1019     }
1020 
1021     SSL_free (connssl->handle);
1022     connssl->handle = NULL;
1023   }
1024   return retval;
1025 }
1026 
Curl_ossl_session_free(void * ptr)1027 void Curl_ossl_session_free(void *ptr)
1028 {
1029   /* free the ID */
1030   SSL_SESSION_free(ptr);
1031 }
1032 
1033 /*
1034  * This function is called when the 'data' struct is going away. Close
1035  * down everything and free all resources!
1036  */
Curl_ossl_close_all(struct Curl_easy * data)1037 void Curl_ossl_close_all(struct Curl_easy *data)
1038 {
1039 #ifdef HAVE_OPENSSL_ENGINE_H
1040   if(data->state.engine) {
1041     ENGINE_finish(data->state.engine);
1042     ENGINE_free(data->state.engine);
1043     data->state.engine = NULL;
1044   }
1045 #else
1046   (void)data;
1047 #endif
1048 #if !defined(HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED) && \
1049   defined(HAVE_ERR_REMOVE_THREAD_STATE)
1050   /* OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
1051      so we need to clean it here in case the thread will be killed. All OpenSSL
1052      code should extract the error in association with the error so clearing
1053      this queue here should be harmless at worst. */
1054   ERR_remove_thread_state(NULL);
1055 #endif
1056 }
1057 
1058 /* ====================================================== */
1059 
1060 
1061 /* Quote from RFC2818 section 3.1 "Server Identity"
1062 
1063    If a subjectAltName extension of type dNSName is present, that MUST
1064    be used as the identity. Otherwise, the (most specific) Common Name
1065    field in the Subject field of the certificate MUST be used. Although
1066    the use of the Common Name is existing practice, it is deprecated and
1067    Certification Authorities are encouraged to use the dNSName instead.
1068 
1069    Matching is performed using the matching rules specified by
1070    [RFC2459].  If more than one identity of a given type is present in
1071    the certificate (e.g., more than one dNSName name, a match in any one
1072    of the set is considered acceptable.) Names may contain the wildcard
1073    character * which is considered to match any single domain name
1074    component or component fragment. E.g., *.a.com matches foo.a.com but
1075    not bar.foo.a.com. f*.com matches foo.com but not bar.com.
1076 
1077    In some cases, the URI is specified as an IP address rather than a
1078    hostname. In this case, the iPAddress subjectAltName must be present
1079    in the certificate and must exactly match the IP in the URI.
1080 
1081 */
verifyhost(struct connectdata * conn,X509 * server_cert)1082 static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
1083 {
1084   bool matched = FALSE;
1085   int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
1086   size_t addrlen = 0;
1087   struct Curl_easy *data = conn->data;
1088   STACK_OF(GENERAL_NAME) *altnames;
1089 #ifdef ENABLE_IPV6
1090   struct in6_addr addr;
1091 #else
1092   struct in_addr addr;
1093 #endif
1094   CURLcode result = CURLE_OK;
1095   bool dNSName = FALSE; /* if a dNSName field exists in the cert */
1096   bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
1097   const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
1098     conn->host.name;
1099   const char * const dispname = SSL_IS_PROXY() ?
1100     conn->http_proxy.host.dispname : conn->host.dispname;
1101 
1102 #ifdef ENABLE_IPV6
1103   if(conn->bits.ipv6_ip &&
1104      Curl_inet_pton(AF_INET6, hostname, &addr)) {
1105     target = GEN_IPADD;
1106     addrlen = sizeof(struct in6_addr);
1107   }
1108   else
1109 #endif
1110     if(Curl_inet_pton(AF_INET, hostname, &addr)) {
1111       target = GEN_IPADD;
1112       addrlen = sizeof(struct in_addr);
1113     }
1114 
1115   /* get a "list" of alternative names */
1116   altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
1117 
1118   if(altnames) {
1119     int numalts;
1120     int i;
1121     bool dnsmatched = FALSE;
1122     bool ipmatched = FALSE;
1123 
1124     /* get amount of alternatives, RFC2459 claims there MUST be at least
1125        one, but we don't depend on it... */
1126     numalts = sk_GENERAL_NAME_num(altnames);
1127 
1128     /* loop through all alternatives - until a dnsmatch */
1129     for(i=0; (i < numalts) && !dnsmatched; i++) {
1130       /* get a handle to alternative name number i */
1131       const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
1132 
1133       if(check->type == GEN_DNS)
1134         dNSName = TRUE;
1135       else if(check->type == GEN_IPADD)
1136         iPAddress = TRUE;
1137 
1138       /* only check alternatives of the same type the target is */
1139       if(check->type == target) {
1140         /* get data and length */
1141         const char *altptr = (char *)ASN1_STRING_get0_data(check->d.ia5);
1142         size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
1143 
1144         switch(target) {
1145         case GEN_DNS: /* name/pattern comparison */
1146           /* The OpenSSL man page explicitly says: "In general it cannot be
1147              assumed that the data returned by ASN1_STRING_data() is null
1148              terminated or does not contain embedded nulls." But also that
1149              "The actual format of the data will depend on the actual string
1150              type itself: for example for and IA5String the data will be ASCII"
1151 
1152              Gisle researched the OpenSSL sources:
1153              "I checked the 0.9.6 and 0.9.8 sources before my patch and
1154              it always 0-terminates an IA5String."
1155           */
1156           if((altlen == strlen(altptr)) &&
1157              /* if this isn't true, there was an embedded zero in the name
1158                 string and we cannot match it. */
1159              Curl_cert_hostcheck(altptr, hostname)) {
1160             dnsmatched = TRUE;
1161             infof(data,
1162                   " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
1163                   dispname, altptr);
1164           }
1165           break;
1166 
1167         case GEN_IPADD: /* IP address comparison */
1168           /* compare alternative IP address if the data chunk is the same size
1169              our server IP address is */
1170           if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
1171             ipmatched = TRUE;
1172             infof(data,
1173                   " subjectAltName: host \"%s\" matched cert's IP address!\n",
1174                   dispname);
1175           }
1176           break;
1177         }
1178       }
1179     }
1180     GENERAL_NAMES_free(altnames);
1181 
1182     if(dnsmatched || ipmatched)
1183       matched = TRUE;
1184   }
1185 
1186   if(matched)
1187     /* an alternative name matched */
1188     ;
1189   else if(dNSName || iPAddress) {
1190     infof(data, " subjectAltName does not match %s\n", dispname);
1191     failf(data, "SSL: no alternative certificate subject name matches "
1192           "target host name '%s'", dispname);
1193     result = CURLE_PEER_FAILED_VERIFICATION;
1194   }
1195   else {
1196     /* we have to look to the last occurrence of a commonName in the
1197        distinguished one to get the most significant one. */
1198     int j, i=-1;
1199 
1200     /* The following is done because of a bug in 0.9.6b */
1201 
1202     unsigned char *nulstr = (unsigned char *)"";
1203     unsigned char *peer_CN = nulstr;
1204 
1205     X509_NAME *name = X509_get_subject_name(server_cert);
1206     if(name)
1207       while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i))>=0)
1208         i=j;
1209 
1210     /* we have the name entry and we will now convert this to a string
1211        that we can use for comparison. Doing this we support BMPstring,
1212        UTF8 etc. */
1213 
1214     if(i>=0) {
1215       ASN1_STRING *tmp =
1216         X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
1217 
1218       /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
1219          is already UTF-8 encoded. We check for this case and copy the raw
1220          string manually to avoid the problem. This code can be made
1221          conditional in the future when OpenSSL has been fixed. Work-around
1222          brought by Alexis S. L. Carvalho. */
1223       if(tmp) {
1224         if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
1225           j = ASN1_STRING_length(tmp);
1226           if(j >= 0) {
1227             peer_CN = OPENSSL_malloc(j+1);
1228             if(peer_CN) {
1229               memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
1230               peer_CN[j] = '\0';
1231             }
1232           }
1233         }
1234         else /* not a UTF8 name */
1235           j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
1236 
1237         if(peer_CN && (curlx_uztosi(strlen((char *)peer_CN)) != j)) {
1238           /* there was a terminating zero before the end of string, this
1239              cannot match and we return failure! */
1240           failf(data, "SSL: illegal cert name field");
1241           result = CURLE_PEER_FAILED_VERIFICATION;
1242         }
1243       }
1244     }
1245 
1246     if(peer_CN == nulstr)
1247        peer_CN = NULL;
1248     else {
1249       /* convert peer_CN from UTF8 */
1250       CURLcode rc = Curl_convert_from_utf8(data, peer_CN, strlen(peer_CN));
1251       /* Curl_convert_from_utf8 calls failf if unsuccessful */
1252       if(rc) {
1253         OPENSSL_free(peer_CN);
1254         return rc;
1255       }
1256     }
1257 
1258     if(result)
1259       /* error already detected, pass through */
1260       ;
1261     else if(!peer_CN) {
1262       failf(data,
1263             "SSL: unable to obtain common name from peer certificate");
1264       result = CURLE_PEER_FAILED_VERIFICATION;
1265     }
1266     else if(!Curl_cert_hostcheck((const char *)peer_CN, hostname)) {
1267       failf(data, "SSL: certificate subject name '%s' does not match "
1268             "target host name '%s'", peer_CN, dispname);
1269       result = CURLE_PEER_FAILED_VERIFICATION;
1270     }
1271     else {
1272       infof(data, " common name: %s (matched)\n", peer_CN);
1273     }
1274     if(peer_CN)
1275       OPENSSL_free(peer_CN);
1276   }
1277 
1278   return result;
1279 }
1280 
1281 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
1282     !defined(OPENSSL_NO_OCSP)
verifystatus(struct connectdata * conn,struct ssl_connect_data * connssl)1283 static CURLcode verifystatus(struct connectdata *conn,
1284                              struct ssl_connect_data *connssl)
1285 {
1286   int i, ocsp_status;
1287   const unsigned char *p;
1288   CURLcode result = CURLE_OK;
1289   struct Curl_easy *data = conn->data;
1290 
1291   OCSP_RESPONSE *rsp = NULL;
1292   OCSP_BASICRESP *br = NULL;
1293   X509_STORE     *st = NULL;
1294   STACK_OF(X509) *ch = NULL;
1295 
1296   long len = SSL_get_tlsext_status_ocsp_resp(connssl->handle, &p);
1297 
1298   if(!p) {
1299     failf(data, "No OCSP response received");
1300     result = CURLE_SSL_INVALIDCERTSTATUS;
1301     goto end;
1302   }
1303 
1304   rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1305   if(!rsp) {
1306     failf(data, "Invalid OCSP response");
1307     result = CURLE_SSL_INVALIDCERTSTATUS;
1308     goto end;
1309   }
1310 
1311   ocsp_status = OCSP_response_status(rsp);
1312   if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1313     failf(data, "Invalid OCSP response status: %s (%d)",
1314           OCSP_response_status_str(ocsp_status), ocsp_status);
1315     result = CURLE_SSL_INVALIDCERTSTATUS;
1316     goto end;
1317   }
1318 
1319   br = OCSP_response_get1_basic(rsp);
1320   if(!br) {
1321     failf(data, "Invalid OCSP response");
1322     result = CURLE_SSL_INVALIDCERTSTATUS;
1323     goto end;
1324   }
1325 
1326   ch = SSL_get_peer_cert_chain(connssl->handle);
1327   st = SSL_CTX_get_cert_store(connssl->ctx);
1328 
1329 #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
1330      defined(LIBRESSL_VERSION_NUMBER))
1331   /* The authorized responder cert in the OCSP response MUST be signed by the
1332      peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
1333      no problem, but if it's an intermediate cert OpenSSL has a bug where it
1334      expects this issuer to be present in the chain embedded in the OCSP
1335      response. So we add it if necessary. */
1336 
1337   /* First make sure the peer cert chain includes both a peer and an issuer,
1338      and the OCSP response contains a responder cert. */
1339   if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
1340     X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
1341 
1342     /* Find issuer of responder cert and add it to the OCSP response chain */
1343     for(i = 0; i < sk_X509_num(ch); i++) {
1344       X509 *issuer = sk_X509_value(ch, i);
1345       if(X509_check_issued(issuer, responder) == X509_V_OK) {
1346         if(!OCSP_basic_add1_cert(br, issuer)) {
1347           failf(data, "Could not add issuer cert to OCSP response");
1348           result = CURLE_SSL_INVALIDCERTSTATUS;
1349           goto end;
1350         }
1351       }
1352     }
1353   }
1354 #endif
1355 
1356   if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
1357     failf(data, "OCSP response verification failed");
1358     result = CURLE_SSL_INVALIDCERTSTATUS;
1359     goto end;
1360   }
1361 
1362   for(i = 0; i < OCSP_resp_count(br); i++) {
1363     int cert_status, crl_reason;
1364     OCSP_SINGLERESP *single = NULL;
1365 
1366     ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1367 
1368     single = OCSP_resp_get0(br, i);
1369     if(!single)
1370       continue;
1371 
1372     cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
1373                                           &thisupd, &nextupd);
1374 
1375     if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
1376       failf(data, "OCSP response has expired");
1377       result = CURLE_SSL_INVALIDCERTSTATUS;
1378       goto end;
1379     }
1380 
1381     infof(data, "SSL certificate status: %s (%d)\n",
1382           OCSP_cert_status_str(cert_status), cert_status);
1383 
1384     switch(cert_status) {
1385       case V_OCSP_CERTSTATUS_GOOD:
1386         break;
1387 
1388       case V_OCSP_CERTSTATUS_REVOKED:
1389         result = CURLE_SSL_INVALIDCERTSTATUS;
1390 
1391         failf(data, "SSL certificate revocation reason: %s (%d)",
1392               OCSP_crl_reason_str(crl_reason), crl_reason);
1393         goto end;
1394 
1395       case V_OCSP_CERTSTATUS_UNKNOWN:
1396         result = CURLE_SSL_INVALIDCERTSTATUS;
1397         goto end;
1398     }
1399   }
1400 
1401 end:
1402   if(br) OCSP_BASICRESP_free(br);
1403   OCSP_RESPONSE_free(rsp);
1404 
1405   return result;
1406 }
1407 #endif
1408 
1409 #endif /* USE_OPENSSL */
1410 
1411 /* The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions
1412    and thus this cannot be done there. */
1413 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1414 
ssl_msg_type(int ssl_ver,int msg)1415 static const char *ssl_msg_type(int ssl_ver, int msg)
1416 {
1417 #ifdef SSL2_VERSION_MAJOR
1418   if(ssl_ver == SSL2_VERSION_MAJOR) {
1419     switch (msg) {
1420       case SSL2_MT_ERROR:
1421         return "Error";
1422       case SSL2_MT_CLIENT_HELLO:
1423         return "Client hello";
1424       case SSL2_MT_CLIENT_MASTER_KEY:
1425         return "Client key";
1426       case SSL2_MT_CLIENT_FINISHED:
1427         return "Client finished";
1428       case SSL2_MT_SERVER_HELLO:
1429         return "Server hello";
1430       case SSL2_MT_SERVER_VERIFY:
1431         return "Server verify";
1432       case SSL2_MT_SERVER_FINISHED:
1433         return "Server finished";
1434       case SSL2_MT_REQUEST_CERTIFICATE:
1435         return "Request CERT";
1436       case SSL2_MT_CLIENT_CERTIFICATE:
1437         return "Client CERT";
1438     }
1439   }
1440   else
1441 #endif
1442   if(ssl_ver == SSL3_VERSION_MAJOR) {
1443     switch (msg) {
1444       case SSL3_MT_HELLO_REQUEST:
1445         return "Hello request";
1446       case SSL3_MT_CLIENT_HELLO:
1447         return "Client hello";
1448       case SSL3_MT_SERVER_HELLO:
1449         return "Server hello";
1450 #ifdef SSL3_MT_NEWSESSION_TICKET
1451       case SSL3_MT_NEWSESSION_TICKET:
1452         return "Newsession Ticket";
1453 #endif
1454       case SSL3_MT_CERTIFICATE:
1455         return "Certificate";
1456       case SSL3_MT_SERVER_KEY_EXCHANGE:
1457         return "Server key exchange";
1458       case SSL3_MT_CLIENT_KEY_EXCHANGE:
1459         return "Client key exchange";
1460       case SSL3_MT_CERTIFICATE_REQUEST:
1461         return "Request CERT";
1462       case SSL3_MT_SERVER_DONE:
1463         return "Server finished";
1464       case SSL3_MT_CERTIFICATE_VERIFY:
1465         return "CERT verify";
1466       case SSL3_MT_FINISHED:
1467         return "Finished";
1468 #ifdef SSL3_MT_CERTIFICATE_STATUS
1469       case SSL3_MT_CERTIFICATE_STATUS:
1470         return "Certificate Status";
1471 #endif
1472     }
1473   }
1474   return "Unknown";
1475 }
1476 
tls_rt_type(int type)1477 static const char *tls_rt_type(int type)
1478 {
1479   switch(type) {
1480 #ifdef SSL3_RT_HEADER
1481   case SSL3_RT_HEADER:
1482     return "TLS header";
1483 #endif
1484   case SSL3_RT_CHANGE_CIPHER_SPEC:
1485     return "TLS change cipher";
1486   case SSL3_RT_ALERT:
1487     return "TLS alert";
1488   case SSL3_RT_HANDSHAKE:
1489     return "TLS handshake";
1490   case SSL3_RT_APPLICATION_DATA:
1491     return "TLS app data";
1492   default:
1493     return "TLS Unknown";
1494   }
1495 }
1496 
1497 
1498 /*
1499  * Our callback from the SSL/TLS layers.
1500  */
ssl_tls_trace(int direction,int ssl_ver,int content_type,const void * buf,size_t len,SSL * ssl,void * userp)1501 static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
1502                           const void *buf, size_t len, SSL *ssl,
1503                           void *userp)
1504 {
1505   struct Curl_easy *data;
1506   const char *msg_name, *tls_rt_name;
1507   char ssl_buf[1024];
1508   char unknown[32];
1509   int msg_type, txt_len;
1510   const char *verstr = NULL;
1511   struct connectdata *conn = userp;
1512 
1513   if(!conn || !conn->data || !conn->data->set.fdebug ||
1514      (direction != 0 && direction != 1))
1515     return;
1516 
1517   data = conn->data;
1518 
1519   switch(ssl_ver) {
1520 #ifdef SSL2_VERSION /* removed in recent versions */
1521   case SSL2_VERSION:
1522     verstr = "SSLv2";
1523     break;
1524 #endif
1525 #ifdef SSL3_VERSION
1526   case SSL3_VERSION:
1527     verstr = "SSLv3";
1528     break;
1529 #endif
1530   case TLS1_VERSION:
1531     verstr = "TLSv1.0";
1532     break;
1533 #ifdef TLS1_1_VERSION
1534   case TLS1_1_VERSION:
1535     verstr = "TLSv1.1";
1536     break;
1537 #endif
1538 #ifdef TLS1_2_VERSION
1539   case TLS1_2_VERSION:
1540     verstr = "TLSv1.2";
1541     break;
1542 #endif
1543 #ifdef TLS1_3_VERSION
1544   case TLS1_3_VERSION:
1545     verstr = "TLSv1.3";
1546     break;
1547 #endif
1548   case 0:
1549     break;
1550   default:
1551     snprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
1552     verstr = unknown;
1553     break;
1554   }
1555 
1556   if(ssl_ver) {
1557     /* the info given when the version is zero is not that useful for us */
1558 
1559     ssl_ver >>= 8; /* check the upper 8 bits only below */
1560 
1561     /* SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL
1562      * always pass-up content-type as 0. But the interesting message-type
1563      * is at 'buf[0]'.
1564      */
1565     if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
1566       tls_rt_name = tls_rt_type(content_type);
1567     else
1568       tls_rt_name = "";
1569 
1570     msg_type = *(char *)buf;
1571     msg_name = ssl_msg_type(ssl_ver, msg_type);
1572 
1573     txt_len = snprintf(ssl_buf, sizeof(ssl_buf), "%s (%s), %s, %s (%d):\n",
1574                        verstr, direction?"OUT":"IN",
1575                        tls_rt_name, msg_name, msg_type);
1576     Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len, NULL);
1577   }
1578 
1579   Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
1580              CURLINFO_SSL_DATA_IN, (char *)buf, len, NULL);
1581   (void) ssl;
1582 }
1583 #endif
1584 
1585 #ifdef USE_OPENSSL
1586 /* ====================================================== */
1587 
1588 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1589 #  define use_sni(x)  sni = (x)
1590 #else
1591 #  define use_sni(x)  Curl_nop_stmt
1592 #endif
1593 
1594 /* Check for OpenSSL 1.0.2 which has ALPN support. */
1595 #undef HAS_ALPN
1596 #if OPENSSL_VERSION_NUMBER >= 0x10002000L \
1597     && !defined(OPENSSL_NO_TLSEXT)
1598 #  define HAS_ALPN 1
1599 #endif
1600 
1601 /* Check for OpenSSL 1.0.1 which has NPN support. */
1602 #undef HAS_NPN
1603 #if OPENSSL_VERSION_NUMBER >= 0x10001000L \
1604     && !defined(OPENSSL_NO_TLSEXT) \
1605     && !defined(OPENSSL_NO_NEXTPROTONEG)
1606 #  define HAS_NPN 1
1607 #endif
1608 
1609 #ifdef HAS_NPN
1610 
1611 /*
1612  * in is a list of lenght prefixed strings. this function has to select
1613  * the protocol we want to use from the list and write its string into out.
1614  */
1615 
1616 static int
select_next_protocol(unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,const char * key,unsigned int keylen)1617 select_next_protocol(unsigned char **out, unsigned char *outlen,
1618                      const unsigned char *in, unsigned int inlen,
1619                      const char *key, unsigned int keylen)
1620 {
1621   unsigned int i;
1622   for(i = 0; i + keylen <= inlen; i += in[i] + 1) {
1623     if(memcmp(&in[i + 1], key, keylen) == 0) {
1624       *out = (unsigned char *) &in[i + 1];
1625       *outlen = in[i];
1626       return 0;
1627     }
1628   }
1629   return -1;
1630 }
1631 
1632 static int
select_next_proto_cb(SSL * ssl,unsigned char ** out,unsigned char * outlen,const unsigned char * in,unsigned int inlen,void * arg)1633 select_next_proto_cb(SSL *ssl,
1634                      unsigned char **out, unsigned char *outlen,
1635                      const unsigned char *in, unsigned int inlen,
1636                      void *arg)
1637 {
1638   struct connectdata *conn = (struct connectdata*) arg;
1639 
1640   (void)ssl;
1641 
1642 #ifdef USE_NGHTTP2
1643   if(conn->data->set.httpversion >= CURL_HTTP_VERSION_2 &&
1644      !select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_VERSION_ID,
1645                            NGHTTP2_PROTO_VERSION_ID_LEN)) {
1646     infof(conn->data, "NPN, negotiated HTTP2 (%s)\n",
1647           NGHTTP2_PROTO_VERSION_ID);
1648     conn->negnpn = CURL_HTTP_VERSION_2;
1649     return SSL_TLSEXT_ERR_OK;
1650   }
1651 #endif
1652 
1653   if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1,
1654                            ALPN_HTTP_1_1_LENGTH)) {
1655     infof(conn->data, "NPN, negotiated HTTP1.1\n");
1656     conn->negnpn = CURL_HTTP_VERSION_1_1;
1657     return SSL_TLSEXT_ERR_OK;
1658   }
1659 
1660   infof(conn->data, "NPN, no overlap, use HTTP1.1\n");
1661   *out = (unsigned char *)ALPN_HTTP_1_1;
1662   *outlen = ALPN_HTTP_1_1_LENGTH;
1663   conn->negnpn = CURL_HTTP_VERSION_1_1;
1664 
1665   return SSL_TLSEXT_ERR_OK;
1666 }
1667 #endif /* HAS_NPN */
1668 
1669 static const char *
get_ssl_version_txt(SSL * ssl)1670 get_ssl_version_txt(SSL *ssl)
1671 {
1672   if(!ssl)
1673     return "";
1674 
1675   switch(SSL_version(ssl)) {
1676 #ifdef TLS1_3_VERSION
1677   case TLS1_3_VERSION:
1678     return "TLSv1.3";
1679 #endif
1680 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1681   case TLS1_2_VERSION:
1682     return "TLSv1.2";
1683   case TLS1_1_VERSION:
1684     return "TLSv1.1";
1685 #endif
1686   case TLS1_VERSION:
1687     return "TLSv1.0";
1688   case SSL3_VERSION:
1689     return "SSLv3";
1690   case SSL2_VERSION:
1691     return "SSLv2";
1692   }
1693   return "unknown";
1694 }
1695 
ossl_connect_step1(struct connectdata * conn,int sockindex)1696 static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
1697 {
1698   CURLcode result = CURLE_OK;
1699   char *ciphers;
1700   struct Curl_easy *data = conn->data;
1701   SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
1702   X509_LOOKUP *lookup = NULL;
1703   curl_socket_t sockfd = conn->sock[sockindex];
1704   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1705   long ctx_options;
1706 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1707   bool sni;
1708 #ifdef ENABLE_IPV6
1709   struct in6_addr addr;
1710 #else
1711   struct in_addr addr;
1712 #endif
1713 #endif
1714   long * const certverifyresult = SSL_IS_PROXY() ?
1715     &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
1716   const long int ssl_version = SSL_CONN_CONFIG(version);
1717 #ifdef USE_TLS_SRP
1718   const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
1719 #endif
1720   char * const ssl_cert = SSL_SET_OPTION(cert);
1721   const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
1722   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
1723   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
1724   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
1725   const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
1726   const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
1727     conn->host.name;
1728 
1729   DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
1730 
1731   /* Make funny stuff to get random input */
1732   result = Curl_ossl_seed(data);
1733   if(result)
1734     return result;
1735 
1736   *certverifyresult = !X509_V_OK;
1737 
1738   /* check to see if we've been told to use an explicit SSL/TLS version */
1739 
1740   switch(ssl_version) {
1741   case CURL_SSLVERSION_DEFAULT:
1742   case CURL_SSLVERSION_TLSv1:
1743   case CURL_SSLVERSION_TLSv1_0:
1744   case CURL_SSLVERSION_TLSv1_1:
1745   case CURL_SSLVERSION_TLSv1_2:
1746   case CURL_SSLVERSION_TLSv1_3:
1747     /* it will be handled later with the context options */
1748 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
1749     !defined(LIBRESSL_VERSION_NUMBER)
1750     req_method = TLS_client_method();
1751 #else
1752     req_method = SSLv23_client_method();
1753 #endif
1754     use_sni(TRUE);
1755     break;
1756   case CURL_SSLVERSION_SSLv2:
1757 #ifdef OPENSSL_NO_SSL2
1758     failf(data, OSSL_PACKAGE " was built without SSLv2 support");
1759     return CURLE_NOT_BUILT_IN;
1760 #else
1761 #ifdef USE_TLS_SRP
1762     if(ssl_authtype == CURL_TLSAUTH_SRP)
1763       return CURLE_SSL_CONNECT_ERROR;
1764 #endif
1765     req_method = SSLv2_client_method();
1766     use_sni(FALSE);
1767     break;
1768 #endif
1769   case CURL_SSLVERSION_SSLv3:
1770 #ifdef OPENSSL_NO_SSL3_METHOD
1771     failf(data, OSSL_PACKAGE " was built without SSLv3 support");
1772     return CURLE_NOT_BUILT_IN;
1773 #else
1774 #ifdef USE_TLS_SRP
1775     if(ssl_authtype == CURL_TLSAUTH_SRP)
1776       return CURLE_SSL_CONNECT_ERROR;
1777 #endif
1778     req_method = SSLv3_client_method();
1779     use_sni(FALSE);
1780     break;
1781 #endif
1782   default:
1783     failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
1784     return CURLE_SSL_CONNECT_ERROR;
1785   }
1786 
1787   if(connssl->ctx)
1788     SSL_CTX_free(connssl->ctx);
1789   connssl->ctx = SSL_CTX_new(req_method);
1790 
1791   if(!connssl->ctx) {
1792     failf(data, "SSL: couldn't create a context: %s",
1793           ERR_error_string(ERR_peek_error(), NULL));
1794     return CURLE_OUT_OF_MEMORY;
1795   }
1796 
1797 #ifdef SSL_MODE_RELEASE_BUFFERS
1798   SSL_CTX_set_mode(connssl->ctx, SSL_MODE_RELEASE_BUFFERS);
1799 #endif
1800 
1801 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1802   if(data->set.fdebug && data->set.verbose) {
1803     /* the SSL trace callback is only used for verbose logging */
1804     SSL_CTX_set_msg_callback(connssl->ctx, ssl_tls_trace);
1805     SSL_CTX_set_msg_callback_arg(connssl->ctx, conn);
1806   }
1807 #endif
1808 
1809   /* OpenSSL contains code to work-around lots of bugs and flaws in various
1810      SSL-implementations. SSL_CTX_set_options() is used to enabled those
1811      work-arounds. The man page for this option states that SSL_OP_ALL enables
1812      all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
1813      enable the bug workaround options if compatibility with somewhat broken
1814      implementations is desired."
1815 
1816      The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
1817      disable "rfc4507bis session ticket support".  rfc4507bis was later turned
1818      into the proper RFC5077 it seems: https://tools.ietf.org/html/rfc5077
1819 
1820      The enabled extension concerns the session management. I wonder how often
1821      libcurl stops a connection and then resumes a TLS session. also, sending
1822      the session data is some overhead. .I suggest that you just use your
1823      proposed patch (which explicitly disables TICKET).
1824 
1825      If someone writes an application with libcurl and openssl who wants to
1826      enable the feature, one can do this in the SSL callback.
1827 
1828      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
1829      interoperability with web server Netscape Enterprise Server 2.0.1 which
1830      was released back in 1996.
1831 
1832      Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
1833      become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
1834      CVE-2010-4180 when using previous OpenSSL versions we no longer enable
1835      this option regardless of OpenSSL version and SSL_OP_ALL definition.
1836 
1837      OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
1838      (https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
1839      SSL_OP_ALL that _disables_ that work-around despite the fact that
1840      SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
1841      keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
1842      must not be set.
1843   */
1844 
1845   ctx_options = SSL_OP_ALL;
1846 
1847 #ifdef SSL_OP_NO_TICKET
1848   ctx_options |= SSL_OP_NO_TICKET;
1849 #endif
1850 
1851 #ifdef SSL_OP_NO_COMPRESSION
1852   ctx_options |= SSL_OP_NO_COMPRESSION;
1853 #endif
1854 
1855 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1856   /* mitigate CVE-2010-4180 */
1857   ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
1858 #endif
1859 
1860 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1861   /* unless the user explicitly ask to allow the protocol vulnerability we
1862      use the work-around */
1863   if(!SSL_SET_OPTION(enable_beast))
1864     ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1865 #endif
1866 
1867   switch(ssl_version) {
1868   case CURL_SSLVERSION_SSLv3:
1869 #ifdef USE_TLS_SRP
1870     if(ssl_authtype == CURL_TLSAUTH_SRP) {
1871       infof(data, "Set version TLSv1.x for SRP authorisation\n");
1872     }
1873 #endif
1874     ctx_options |= SSL_OP_NO_SSLv2;
1875     ctx_options |= SSL_OP_NO_TLSv1;
1876 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1877     ctx_options |= SSL_OP_NO_TLSv1_1;
1878     ctx_options |= SSL_OP_NO_TLSv1_2;
1879 #ifdef TLS1_3_VERSION
1880     ctx_options |= SSL_OP_NO_TLSv1_3;
1881 #endif
1882 #endif
1883     break;
1884 
1885   case CURL_SSLVERSION_DEFAULT:
1886   case CURL_SSLVERSION_TLSv1:
1887     ctx_options |= SSL_OP_NO_SSLv2;
1888     ctx_options |= SSL_OP_NO_SSLv3;
1889     break;
1890 
1891   case CURL_SSLVERSION_TLSv1_0:
1892     ctx_options |= SSL_OP_NO_SSLv2;
1893     ctx_options |= SSL_OP_NO_SSLv3;
1894 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1895     ctx_options |= SSL_OP_NO_TLSv1_1;
1896     ctx_options |= SSL_OP_NO_TLSv1_2;
1897 #ifdef TLS1_3_VERSION
1898     ctx_options |= SSL_OP_NO_TLSv1_3;
1899 #endif
1900 #endif
1901     break;
1902 
1903   case CURL_SSLVERSION_TLSv1_1:
1904 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1905     ctx_options |= SSL_OP_NO_SSLv2;
1906     ctx_options |= SSL_OP_NO_SSLv3;
1907     ctx_options |= SSL_OP_NO_TLSv1;
1908     ctx_options |= SSL_OP_NO_TLSv1_2;
1909 #ifdef TLS1_3_VERSION
1910     ctx_options |= SSL_OP_NO_TLSv1_3;
1911 #endif
1912     break;
1913 #else
1914     failf(data, OSSL_PACKAGE " was built without TLS 1.1 support");
1915     return CURLE_NOT_BUILT_IN;
1916 #endif
1917 
1918   case CURL_SSLVERSION_TLSv1_2:
1919 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1920     ctx_options |= SSL_OP_NO_SSLv2;
1921     ctx_options |= SSL_OP_NO_SSLv3;
1922     ctx_options |= SSL_OP_NO_TLSv1;
1923     ctx_options |= SSL_OP_NO_TLSv1_1;
1924 #ifdef TLS1_3_VERSION
1925     ctx_options |= SSL_OP_NO_TLSv1_3;
1926 #endif
1927     break;
1928 #else
1929     failf(data, OSSL_PACKAGE " was built without TLS 1.2 support");
1930     return CURLE_NOT_BUILT_IN;
1931 #endif
1932 
1933   case CURL_SSLVERSION_TLSv1_3:
1934 #ifdef TLS1_3_VERSION
1935     SSL_CTX_set_max_proto_version(connssl->ctx, TLS1_3_VERSION);
1936     ctx_options |= SSL_OP_NO_SSLv2;
1937     ctx_options |= SSL_OP_NO_SSLv3;
1938     ctx_options |= SSL_OP_NO_TLSv1;
1939     ctx_options |= SSL_OP_NO_TLSv1_1;
1940     ctx_options |= SSL_OP_NO_TLSv1_2;
1941     break;
1942 #else
1943     failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
1944     return CURLE_NOT_BUILT_IN;
1945 #endif
1946 
1947   case CURL_SSLVERSION_SSLv2:
1948 #ifndef OPENSSL_NO_SSL2
1949     ctx_options |= SSL_OP_NO_SSLv3;
1950     ctx_options |= SSL_OP_NO_TLSv1;
1951 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1952     ctx_options |= SSL_OP_NO_TLSv1_1;
1953     ctx_options |= SSL_OP_NO_TLSv1_2;
1954 #ifdef TLS1_3_VERSION
1955     ctx_options |= SSL_OP_NO_TLSv1_3;
1956 #endif
1957 #endif
1958     break;
1959 #else
1960     failf(data, OSSL_PACKAGE " was built without SSLv2 support");
1961     return CURLE_NOT_BUILT_IN;
1962 #endif
1963 
1964   default:
1965     failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
1966     return CURLE_SSL_CONNECT_ERROR;
1967   }
1968 
1969   SSL_CTX_set_options(connssl->ctx, ctx_options);
1970 
1971 #ifdef HAS_NPN
1972   if(conn->bits.tls_enable_npn)
1973     SSL_CTX_set_next_proto_select_cb(connssl->ctx, select_next_proto_cb, conn);
1974 #endif
1975 
1976 #ifdef HAS_ALPN
1977   if(conn->bits.tls_enable_alpn) {
1978     int cur = 0;
1979     unsigned char protocols[128];
1980 
1981 #ifdef USE_NGHTTP2
1982     if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
1983       protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
1984 
1985       memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
1986           NGHTTP2_PROTO_VERSION_ID_LEN);
1987       cur += NGHTTP2_PROTO_VERSION_ID_LEN;
1988       infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
1989     }
1990 #endif
1991 
1992     protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
1993     memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
1994     cur += ALPN_HTTP_1_1_LENGTH;
1995     infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
1996 
1997     /* expects length prefixed preference ordered list of protocols in wire
1998      * format
1999      */
2000     SSL_CTX_set_alpn_protos(connssl->ctx, protocols, cur);
2001   }
2002 #endif
2003 
2004   if(ssl_cert || ssl_cert_type) {
2005     if(!cert_stuff(conn, connssl->ctx, ssl_cert, ssl_cert_type,
2006                    SSL_SET_OPTION(key), SSL_SET_OPTION(key_type),
2007                    SSL_SET_OPTION(key_passwd))) {
2008       /* failf() is already done in cert_stuff() */
2009       return CURLE_SSL_CERTPROBLEM;
2010     }
2011   }
2012 
2013   ciphers = SSL_CONN_CONFIG(cipher_list);
2014   if(!ciphers)
2015     ciphers = (char *)DEFAULT_CIPHER_SELECTION;
2016   if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
2017     failf(data, "failed setting cipher list: %s", ciphers);
2018     return CURLE_SSL_CIPHER;
2019   }
2020   infof(data, "Cipher selection: %s\n", ciphers);
2021 
2022 #ifdef USE_TLS_SRP
2023   if(ssl_authtype == CURL_TLSAUTH_SRP) {
2024     char * const ssl_username = SSL_SET_OPTION(username);
2025 
2026     infof(data, "Using TLS-SRP username: %s\n", ssl_username);
2027 
2028     if(!SSL_CTX_set_srp_username(connssl->ctx, ssl_username)) {
2029       failf(data, "Unable to set SRP user name");
2030       return CURLE_BAD_FUNCTION_ARGUMENT;
2031     }
2032     if(!SSL_CTX_set_srp_password(connssl->ctx, SSL_SET_OPTION(password))) {
2033       failf(data, "failed setting SRP password");
2034       return CURLE_BAD_FUNCTION_ARGUMENT;
2035     }
2036     if(!SSL_CONN_CONFIG(cipher_list)) {
2037       infof(data, "Setting cipher list SRP\n");
2038 
2039       if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
2040         failf(data, "failed setting SRP cipher list");
2041         return CURLE_SSL_CIPHER;
2042       }
2043     }
2044   }
2045 #endif
2046 
2047   if(ssl_cafile || ssl_capath) {
2048     /* tell SSL where to find CA certificates that are used to verify
2049        the servers certificate. */
2050     if(!SSL_CTX_load_verify_locations(connssl->ctx, ssl_cafile, ssl_capath)) {
2051       if(verifypeer) {
2052         /* Fail if we insist on successfully verifying the server. */
2053         failf(data, "error setting certificate verify locations:\n"
2054               "  CAfile: %s\n  CApath: %s",
2055               ssl_cafile ? ssl_cafile : "none",
2056               ssl_capath ? ssl_capath : "none");
2057         return CURLE_SSL_CACERT_BADFILE;
2058       }
2059       else {
2060         /* Just continue with a warning if no strict  certificate verification
2061            is required. */
2062         infof(data, "error setting certificate verify locations,"
2063               " continuing anyway:\n");
2064       }
2065     }
2066     else {
2067       /* Everything is fine. */
2068       infof(data, "successfully set certificate verify locations:\n");
2069     }
2070     infof(data,
2071           "  CAfile: %s\n"
2072           "  CApath: %s\n",
2073           ssl_cafile ? ssl_cafile : "none",
2074           ssl_capath ? ssl_capath : "none");
2075   }
2076 #ifdef CURL_CA_FALLBACK
2077   else if(verifypeer) {
2078     /* verfying the peer without any CA certificates won't
2079        work so use openssl's built in default as fallback */
2080     SSL_CTX_set_default_verify_paths(connssl->ctx);
2081   }
2082 #endif
2083 
2084   if(ssl_crlfile) {
2085     /* tell SSL where to find CRL file that is used to check certificate
2086      * revocation */
2087     lookup=X509_STORE_add_lookup(SSL_CTX_get_cert_store(connssl->ctx),
2088                                  X509_LOOKUP_file());
2089     if(!lookup ||
2090        (!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM)) ) {
2091       failf(data, "error loading CRL file: %s", ssl_crlfile);
2092       return CURLE_SSL_CRL_BADFILE;
2093     }
2094     else {
2095       /* Everything is fine. */
2096       infof(data, "successfully load CRL file:\n");
2097       X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
2098                            X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2099     }
2100     infof(data, "  CRLfile: %s\n", ssl_crlfile);
2101   }
2102 
2103   /* Try building a chain using issuers in the trusted store first to avoid
2104   problems with server-sent legacy intermediates.
2105   Newer versions of OpenSSL do alternate chain checking by default which
2106   gives us the same fix without as much of a performance hit (slight), so we
2107   prefer that if available.
2108   https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
2109   */
2110 #if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
2111   if(verifypeer) {
2112     X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
2113                          X509_V_FLAG_TRUSTED_FIRST);
2114   }
2115 #endif
2116 
2117   /* SSL always tries to verify the peer, this only says whether it should
2118    * fail to connect if the verification fails, or if it should continue
2119    * anyway. In the latter case the result of the verification is checked with
2120    * SSL_get_verify_result() below. */
2121   SSL_CTX_set_verify(connssl->ctx,
2122                      verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
2123 
2124   /* give application a chance to interfere with SSL set up. */
2125   if(data->set.ssl.fsslctx) {
2126     result = (*data->set.ssl.fsslctx)(data, connssl->ctx,
2127                                       data->set.ssl.fsslctxp);
2128     if(result) {
2129       failf(data, "error signaled by ssl ctx callback");
2130       return result;
2131     }
2132   }
2133 
2134   /* Lets make an SSL structure */
2135   if(connssl->handle)
2136     SSL_free(connssl->handle);
2137   connssl->handle = SSL_new(connssl->ctx);
2138   if(!connssl->handle) {
2139     failf(data, "SSL: couldn't create a context (handle)!");
2140     return CURLE_OUT_OF_MEMORY;
2141   }
2142 
2143 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
2144     !defined(OPENSSL_NO_OCSP)
2145   if(SSL_CONN_CONFIG(verifystatus))
2146     SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
2147 #endif
2148 
2149   SSL_set_connect_state(connssl->handle);
2150 
2151   connssl->server_cert = 0x0;
2152 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2153   if((0 == Curl_inet_pton(AF_INET, hostname, &addr)) &&
2154 #ifdef ENABLE_IPV6
2155      (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) &&
2156 #endif
2157      sni &&
2158      !SSL_set_tlsext_host_name(connssl->handle, hostname))
2159     infof(data, "WARNING: failed to configure server name indication (SNI) "
2160           "TLS extension\n");
2161 #endif
2162 
2163   /* Check if there's a cached ID we can/should use here! */
2164   if(data->set.general_ssl.sessionid) {
2165     void *ssl_sessionid = NULL;
2166 
2167     Curl_ssl_sessionid_lock(conn);
2168     if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
2169       /* we got a session id, use it! */
2170       if(!SSL_set_session(connssl->handle, ssl_sessionid)) {
2171         Curl_ssl_sessionid_unlock(conn);
2172         failf(data, "SSL: SSL_set_session failed: %s",
2173               ERR_error_string(ERR_get_error(), NULL));
2174         return CURLE_SSL_CONNECT_ERROR;
2175       }
2176       /* Informational message */
2177       infof (data, "SSL re-using session ID\n");
2178     }
2179     Curl_ssl_sessionid_unlock(conn);
2180   }
2181 
2182   if(conn->proxy_ssl[sockindex].use) {
2183     BIO *const bio = BIO_new(BIO_f_ssl());
2184     DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state);
2185     DEBUGASSERT(conn->proxy_ssl[sockindex].handle != NULL);
2186     DEBUGASSERT(bio != NULL);
2187     BIO_set_ssl(bio, conn->proxy_ssl[sockindex].handle, FALSE);
2188     SSL_set_bio(connssl->handle, bio, bio);
2189   }
2190   else if(!SSL_set_fd(connssl->handle, (int)sockfd)) {
2191     /* pass the raw socket into the SSL layers */
2192     failf(data, "SSL: SSL_set_fd failed: %s",
2193           ERR_error_string(ERR_get_error(), NULL));
2194     return CURLE_SSL_CONNECT_ERROR;
2195   }
2196 
2197   connssl->connecting_state = ssl_connect_2;
2198 
2199   return CURLE_OK;
2200 }
2201 
ossl_connect_step2(struct connectdata * conn,int sockindex)2202 static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
2203 {
2204   struct Curl_easy *data = conn->data;
2205   int err;
2206   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2207   long * const certverifyresult = SSL_IS_PROXY() ?
2208     &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
2209   DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
2210               || ssl_connect_2_reading == connssl->connecting_state
2211               || ssl_connect_2_writing == connssl->connecting_state);
2212 
2213   ERR_clear_error();
2214 
2215   err = SSL_connect(connssl->handle);
2216 
2217   /* 1  is fine
2218      0  is "not successful but was shut down controlled"
2219      <0 is "handshake was not successful, because a fatal error occurred" */
2220   if(1 != err) {
2221     int detail = SSL_get_error(connssl->handle, err);
2222 
2223     if(SSL_ERROR_WANT_READ == detail) {
2224       connssl->connecting_state = ssl_connect_2_reading;
2225       return CURLE_OK;
2226     }
2227     else if(SSL_ERROR_WANT_WRITE == detail) {
2228       connssl->connecting_state = ssl_connect_2_writing;
2229       return CURLE_OK;
2230     }
2231     else {
2232       /* untreated error */
2233       unsigned long errdetail;
2234       char error_buffer[256]=""; /* OpenSSL documents that this must be at
2235                                     least 256 bytes long. */
2236       CURLcode result;
2237       long lerr;
2238       int lib;
2239       int reason;
2240 
2241       /* the connection failed, we're not waiting for anything else. */
2242       connssl->connecting_state = ssl_connect_2;
2243 
2244       /* Get the earliest error code from the thread's error queue and removes
2245          the entry. */
2246       errdetail = ERR_get_error();
2247 
2248       /* Extract which lib and reason */
2249       lib = ERR_GET_LIB(errdetail);
2250       reason = ERR_GET_REASON(errdetail);
2251 
2252       if((lib == ERR_LIB_SSL) &&
2253          (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
2254         result = CURLE_SSL_CACERT;
2255 
2256         lerr = SSL_get_verify_result(connssl->handle);
2257         if(lerr != X509_V_OK) {
2258           *certverifyresult = lerr;
2259           snprintf(error_buffer, sizeof(error_buffer),
2260                    "SSL certificate problem: %s",
2261                    X509_verify_cert_error_string(lerr));
2262         }
2263         else
2264           /* strcpy() is fine here as long as the string fits within
2265              error_buffer */
2266           strcpy(error_buffer, "SSL certificate verification failed");
2267       }
2268       else {
2269         result = CURLE_SSL_CONNECT_ERROR;
2270         ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
2271       }
2272 
2273       /* detail is already set to the SSL error above */
2274 
2275       /* If we e.g. use SSLv2 request-method and the server doesn't like us
2276        * (RST connection etc.), OpenSSL gives no explanation whatsoever and
2277        * the SO_ERROR is also lost.
2278        */
2279       if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
2280         const char * const hostname = SSL_IS_PROXY() ?
2281           conn->http_proxy.host.name : conn->host.name;
2282         const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
2283         failf(data, "Unknown SSL protocol error in connection to %s:%ld ",
2284               hostname, port);
2285         return result;
2286       }
2287 
2288       /* Could be a CERT problem */
2289       failf(data, "%s", error_buffer);
2290 
2291       return result;
2292     }
2293   }
2294   else {
2295     /* we have been connected fine, we're not waiting for anything else. */
2296     connssl->connecting_state = ssl_connect_3;
2297 
2298     /* Informational message */
2299     infof(data, "SSL connection using %s / %s\n",
2300           get_ssl_version_txt(connssl->handle),
2301           SSL_get_cipher(connssl->handle));
2302 
2303 #ifdef HAS_ALPN
2304     /* Sets data and len to negotiated protocol, len is 0 if no protocol was
2305      * negotiated
2306      */
2307     if(conn->bits.tls_enable_alpn) {
2308       const unsigned char *neg_protocol;
2309       unsigned int len;
2310       SSL_get0_alpn_selected(connssl->handle, &neg_protocol, &len);
2311       if(len != 0) {
2312         infof(data, "ALPN, server accepted to use %.*s\n", len, neg_protocol);
2313 
2314 #ifdef USE_NGHTTP2
2315         if(len == NGHTTP2_PROTO_VERSION_ID_LEN &&
2316            !memcmp(NGHTTP2_PROTO_VERSION_ID, neg_protocol, len)) {
2317           conn->negnpn = CURL_HTTP_VERSION_2;
2318         }
2319         else
2320 #endif
2321         if(len == ALPN_HTTP_1_1_LENGTH &&
2322            !memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) {
2323           conn->negnpn = CURL_HTTP_VERSION_1_1;
2324         }
2325       }
2326       else
2327         infof(data, "ALPN, server did not agree to a protocol\n");
2328     }
2329 #endif
2330 
2331     return CURLE_OK;
2332   }
2333 }
2334 
asn1_object_dump(ASN1_OBJECT * a,char * buf,size_t len)2335 static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
2336 {
2337   int i, ilen;
2338 
2339   if((ilen = (int)len) < 0)
2340     return 1; /* buffer too big */
2341 
2342   i = i2t_ASN1_OBJECT(buf, ilen, a);
2343 
2344   if(i >= ilen)
2345     return 1; /* buffer too small */
2346 
2347   return 0;
2348 }
2349 
2350 #define push_certinfo(_label, _num) \
2351 do {                              \
2352   long info_len = BIO_get_mem_data(mem, &ptr); \
2353   Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \
2354   if(1!=BIO_reset(mem))                                          \
2355     break;                                                       \
2356 } WHILE_FALSE
2357 
pubkey_show(struct Curl_easy * data,BIO * mem,int num,const char * type,const char * name,const BIGNUM * bn)2358 static void pubkey_show(struct Curl_easy *data,
2359                         BIO *mem,
2360                         int num,
2361                         const char *type,
2362                         const char *name,
2363 #ifdef HAVE_OPAQUE_RSA_DSA_DH
2364                         const
2365 #endif
2366                         BIGNUM *bn)
2367 {
2368   char *ptr;
2369   char namebuf[32];
2370 
2371   snprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
2372 
2373   if(bn)
2374     BN_print(mem, bn);
2375   push_certinfo(namebuf, num);
2376 }
2377 
2378 #ifdef HAVE_OPAQUE_RSA_DSA_DH
2379 #define print_pubkey_BN(_type, _name, _num)              \
2380   pubkey_show(data, mem, _num, #_type, #_name, _name)
2381 
2382 #else
2383 #define print_pubkey_BN(_type, _name, _num)    \
2384 do {                              \
2385   if(_type->_name) { \
2386     pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \
2387   } \
2388 } WHILE_FALSE
2389 #endif
2390 
X509V3_ext(struct Curl_easy * data,int certnum,CONST_EXTS STACK_OF (X509_EXTENSION)* exts)2391 static int X509V3_ext(struct Curl_easy *data,
2392                       int certnum,
2393                       CONST_EXTS STACK_OF(X509_EXTENSION) *exts)
2394 {
2395   int i;
2396   size_t j;
2397 
2398   if((int)sk_X509_EXTENSION_num(exts) <= 0)
2399     /* no extensions, bail out */
2400     return 1;
2401 
2402   for(i=0; i < (int)sk_X509_EXTENSION_num(exts); i++) {
2403     ASN1_OBJECT *obj;
2404     X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
2405     BUF_MEM *biomem;
2406     char buf[512];
2407     char *ptr=buf;
2408     char namebuf[128];
2409     BIO *bio_out = BIO_new(BIO_s_mem());
2410 
2411     if(!bio_out)
2412       return 1;
2413 
2414     obj = X509_EXTENSION_get_object(ext);
2415 
2416     asn1_object_dump(obj, namebuf, sizeof(namebuf));
2417 
2418     if(!X509V3_EXT_print(bio_out, ext, 0, 0))
2419       ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
2420 
2421     BIO_get_mem_ptr(bio_out, &biomem);
2422 
2423     for(j = 0; j < (size_t)biomem->length; j++) {
2424       const char *sep="";
2425       if(biomem->data[j] == '\n') {
2426         sep=", ";
2427         j++; /* skip the newline */
2428       };
2429       while((j<(size_t)biomem->length) && (biomem->data[j] == ' '))
2430         j++;
2431       if(j<(size_t)biomem->length)
2432         ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep,
2433                       biomem->data[j]);
2434     }
2435 
2436     Curl_ssl_push_certinfo(data, certnum, namebuf, buf);
2437 
2438     BIO_free(bio_out);
2439 
2440   }
2441   return 0; /* all is fine */
2442 }
2443 
get_cert_chain(struct connectdata * conn,struct ssl_connect_data * connssl)2444 static CURLcode get_cert_chain(struct connectdata *conn,
2445                                struct ssl_connect_data *connssl)
2446 
2447 {
2448   CURLcode result;
2449   STACK_OF(X509) *sk;
2450   int i;
2451   struct Curl_easy *data = conn->data;
2452   int numcerts;
2453   BIO *mem;
2454 
2455   sk = SSL_get_peer_cert_chain(connssl->handle);
2456   if(!sk) {
2457     return CURLE_OUT_OF_MEMORY;
2458   }
2459 
2460   numcerts = sk_X509_num(sk);
2461 
2462   result = Curl_ssl_init_certinfo(data, numcerts);
2463   if(result) {
2464     return result;
2465   }
2466 
2467   mem = BIO_new(BIO_s_mem());
2468 
2469   for(i = 0; i < numcerts; i++) {
2470     ASN1_INTEGER *num;
2471     X509 *x = sk_X509_value(sk, i);
2472     EVP_PKEY *pubkey=NULL;
2473     int j;
2474     char *ptr;
2475     CONST_ASN1_BIT_STRING ASN1_BIT_STRING *psig = NULL;
2476 
2477     X509_NAME_print_ex(mem, X509_get_subject_name(x), 0, XN_FLAG_ONELINE);
2478     push_certinfo("Subject", i);
2479 
2480     X509_NAME_print_ex(mem, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE);
2481     push_certinfo("Issuer", i);
2482 
2483     BIO_printf(mem, "%lx", X509_get_version(x));
2484     push_certinfo("Version", i);
2485 
2486     num = X509_get_serialNumber(x);
2487     if(num->type == V_ASN1_NEG_INTEGER)
2488       BIO_puts(mem, "-");
2489     for(j = 0; j < num->length; j++)
2490       BIO_printf(mem, "%02x", num->data[j]);
2491     push_certinfo("Serial Number", i);
2492 
2493 #if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS)
2494     {
2495       const X509_ALGOR *palg = NULL;
2496       ASN1_STRING *a = ASN1_STRING_new();
2497       if(a) {
2498         X509_get0_signature(&psig, &palg, x);
2499         X509_signature_print(mem, palg, a);
2500         ASN1_STRING_free(a);
2501 
2502         if(palg) {
2503           i2a_ASN1_OBJECT(mem, palg->algorithm);
2504           push_certinfo("Public Key Algorithm", i);
2505         }
2506       }
2507       X509V3_ext(data, i, X509_get0_extensions(x));
2508     }
2509 #else
2510     {
2511       /* before OpenSSL 1.0.2 */
2512       X509_CINF *cinf = x->cert_info;
2513 
2514       i2a_ASN1_OBJECT(mem, cinf->signature->algorithm);
2515       push_certinfo("Signature Algorithm", i);
2516 
2517       i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm);
2518       push_certinfo("Public Key Algorithm", i);
2519 
2520       X509V3_ext(data, i, cinf->extensions);
2521 
2522       psig = x->signature;
2523     }
2524 #endif
2525 
2526     ASN1_TIME_print(mem, X509_get0_notBefore(x));
2527     push_certinfo("Start date", i);
2528 
2529     ASN1_TIME_print(mem, X509_get0_notAfter(x));
2530     push_certinfo("Expire date", i);
2531 
2532     pubkey = X509_get_pubkey(x);
2533     if(!pubkey)
2534       infof(data, "   Unable to load public key\n");
2535     else {
2536       int pktype;
2537 #ifdef HAVE_OPAQUE_EVP_PKEY
2538       pktype = EVP_PKEY_id(pubkey);
2539 #else
2540       pktype = pubkey->type;
2541 #endif
2542       switch(pktype) {
2543       case EVP_PKEY_RSA:
2544       {
2545         RSA *rsa;
2546 #ifdef HAVE_OPAQUE_EVP_PKEY
2547         rsa = EVP_PKEY_get0_RSA(pubkey);
2548 #else
2549         rsa = pubkey->pkey.rsa;
2550 #endif
2551 
2552 #ifdef HAVE_OPAQUE_RSA_DSA_DH
2553         {
2554           const BIGNUM *n;
2555           const BIGNUM *e;
2556           const BIGNUM *d;
2557           const BIGNUM *p;
2558           const BIGNUM *q;
2559           const BIGNUM *dmp1;
2560           const BIGNUM *dmq1;
2561           const BIGNUM *iqmp;
2562 
2563           RSA_get0_key(rsa, &n, &e, &d);
2564           RSA_get0_factors(rsa, &p, &q);
2565           RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
2566           BN_print(mem, n);
2567           push_certinfo("RSA Public Key", i);
2568           print_pubkey_BN(rsa, n, i);
2569           print_pubkey_BN(rsa, e, i);
2570           print_pubkey_BN(rsa, d, i);
2571           print_pubkey_BN(rsa, p, i);
2572           print_pubkey_BN(rsa, q, i);
2573           print_pubkey_BN(rsa, dmp1, i);
2574           print_pubkey_BN(rsa, dmq1, i);
2575           print_pubkey_BN(rsa, iqmp, i);
2576         }
2577 #else
2578         BIO_printf(mem, "%d", BN_num_bits(rsa->n));
2579         push_certinfo("RSA Public Key", i);
2580         print_pubkey_BN(rsa, n, i);
2581         print_pubkey_BN(rsa, e, i);
2582         print_pubkey_BN(rsa, d, i);
2583         print_pubkey_BN(rsa, p, i);
2584         print_pubkey_BN(rsa, q, i);
2585         print_pubkey_BN(rsa, dmp1, i);
2586         print_pubkey_BN(rsa, dmq1, i);
2587         print_pubkey_BN(rsa, iqmp, i);
2588 #endif
2589 
2590         break;
2591       }
2592       case EVP_PKEY_DSA:
2593       {
2594         DSA *dsa;
2595 #ifdef HAVE_OPAQUE_EVP_PKEY
2596         dsa = EVP_PKEY_get0_DSA(pubkey);
2597 #else
2598         dsa = pubkey->pkey.dsa;
2599 #endif
2600 #ifdef HAVE_OPAQUE_RSA_DSA_DH
2601         {
2602           const BIGNUM *p;
2603           const BIGNUM *q;
2604           const BIGNUM *g;
2605           const BIGNUM *priv_key;
2606           const BIGNUM *pub_key;
2607 
2608           DSA_get0_pqg(dsa, &p, &q, &g);
2609           DSA_get0_key(dsa, &pub_key, &priv_key);
2610 
2611           print_pubkey_BN(dsa, p, i);
2612           print_pubkey_BN(dsa, q, i);
2613           print_pubkey_BN(dsa, g, i);
2614           print_pubkey_BN(dsa, priv_key, i);
2615           print_pubkey_BN(dsa, pub_key, i);
2616         }
2617 #else
2618         print_pubkey_BN(dsa, p, i);
2619         print_pubkey_BN(dsa, q, i);
2620         print_pubkey_BN(dsa, g, i);
2621         print_pubkey_BN(dsa, priv_key, i);
2622         print_pubkey_BN(dsa, pub_key, i);
2623 #endif
2624         break;
2625       }
2626       case EVP_PKEY_DH:
2627       {
2628         DH *dh;
2629 #ifdef HAVE_OPAQUE_EVP_PKEY
2630         dh = EVP_PKEY_get0_DH(pubkey);
2631 #else
2632         dh = pubkey->pkey.dh;
2633 #endif
2634 #ifdef HAVE_OPAQUE_RSA_DSA_DH
2635         {
2636           const BIGNUM *p;
2637           const BIGNUM *q;
2638           const BIGNUM *g;
2639           const BIGNUM *priv_key;
2640           const BIGNUM *pub_key;
2641           DH_get0_pqg(dh, &p, &q, &g);
2642           DH_get0_key(dh, &pub_key, &priv_key);
2643           print_pubkey_BN(dh, p, i);
2644           print_pubkey_BN(dh, q, i);
2645           print_pubkey_BN(dh, g, i);
2646           print_pubkey_BN(dh, priv_key, i);
2647           print_pubkey_BN(dh, pub_key, i);
2648        }
2649 #else
2650         print_pubkey_BN(dh, p, i);
2651         print_pubkey_BN(dh, g, i);
2652         print_pubkey_BN(dh, priv_key, i);
2653         print_pubkey_BN(dh, pub_key, i);
2654 #endif
2655         break;
2656       }
2657 #if 0
2658       case EVP_PKEY_EC: /* symbol not present in OpenSSL 0.9.6 */
2659         /* left TODO */
2660         break;
2661 #endif
2662       }
2663       EVP_PKEY_free(pubkey);
2664     }
2665 
2666     if(psig) {
2667       for(j = 0; j < psig->length; j++)
2668         BIO_printf(mem, "%02x:", psig->data[j]);
2669       push_certinfo("Signature", i);
2670     }
2671 
2672     PEM_write_bio_X509(mem, x);
2673     push_certinfo("Cert", i);
2674   }
2675 
2676   BIO_free(mem);
2677 
2678   return CURLE_OK;
2679 }
2680 
2681 /*
2682  * Heavily modified from:
2683  * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
2684  */
pkp_pin_peer_pubkey(struct Curl_easy * data,X509 * cert,const char * pinnedpubkey)2685 static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
2686                                     const char *pinnedpubkey)
2687 {
2688   /* Scratch */
2689   int len1 = 0, len2 = 0;
2690   unsigned char *buff1 = NULL, *temp = NULL;
2691 
2692   /* Result is returned to caller */
2693   CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
2694 
2695   /* if a path wasn't specified, don't pin */
2696   if(!pinnedpubkey)
2697     return CURLE_OK;
2698 
2699   if(!cert)
2700     return result;
2701 
2702   do {
2703     /* Begin Gyrations to get the subjectPublicKeyInfo     */
2704     /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
2705 
2706     /* https://groups.google.com/group/mailing.openssl.users/browse_thread
2707      /thread/d61858dae102c6c7 */
2708     len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
2709     if(len1 < 1)
2710       break; /* failed */
2711 
2712     /* https://www.openssl.org/docs/crypto/buffer.html */
2713     buff1 = temp = malloc(len1);
2714     if(!buff1)
2715       break; /* failed */
2716 
2717     /* https://www.openssl.org/docs/crypto/d2i_X509.html */
2718     len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
2719 
2720     /*
2721      * These checks are verifying we got back the same values as when we
2722      * sized the buffer. It's pretty weak since they should always be the
2723      * same. But it gives us something to test.
2724      */
2725     if((len1 != len2) || !temp || ((temp - buff1) != len1))
2726       break; /* failed */
2727 
2728     /* End Gyrations */
2729 
2730     /* The one good exit point */
2731     result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
2732   } while(0);
2733 
2734   /* https://www.openssl.org/docs/crypto/buffer.html */
2735   if(buff1)
2736     free(buff1);
2737 
2738   return result;
2739 }
2740 
2741 /*
2742  * Get the server cert, verify it and show it etc, only call failf() if the
2743  * 'strict' argument is TRUE as otherwise all this is for informational
2744  * purposes only!
2745  *
2746  * We check certificates to authenticate the server; otherwise we risk
2747  * man-in-the-middle attack.
2748  */
servercert(struct connectdata * conn,struct ssl_connect_data * connssl,bool strict)2749 static CURLcode servercert(struct connectdata *conn,
2750                            struct ssl_connect_data *connssl,
2751                            bool strict)
2752 {
2753   CURLcode result = CURLE_OK;
2754   int rc;
2755   long lerr, len;
2756   struct Curl_easy *data = conn->data;
2757   X509 *issuer;
2758   FILE *fp;
2759   char *buffer = data->state.buffer;
2760   const char *ptr;
2761   long * const certverifyresult = SSL_IS_PROXY() ?
2762     &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
2763   BIO *mem = BIO_new(BIO_s_mem());
2764 
2765   if(data->set.ssl.certinfo)
2766     /* we've been asked to gather certificate info! */
2767     (void)get_cert_chain(conn, connssl);
2768 
2769   connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
2770   if(!connssl->server_cert) {
2771     if(!strict)
2772       return CURLE_OK;
2773 
2774     failf(data, "SSL: couldn't get peer certificate!");
2775     return CURLE_PEER_FAILED_VERIFICATION;
2776   }
2777 
2778   infof(data, "%s certificate:\n", SSL_IS_PROXY() ? "Proxy" : "Server");
2779 
2780   rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
2781                          buffer, BUFSIZE);
2782   infof(data, " subject: %s\n", rc?"[NONE]":buffer);
2783 
2784   ASN1_TIME_print(mem, X509_get0_notBefore(connssl->server_cert));
2785   len = BIO_get_mem_data(mem, (char **) &ptr);
2786   infof(data, " start date: %.*s\n", len, ptr);
2787   rc = BIO_reset(mem);
2788 
2789   ASN1_TIME_print(mem, X509_get0_notAfter(connssl->server_cert));
2790   len = BIO_get_mem_data(mem, (char **) &ptr);
2791   infof(data, " expire date: %.*s\n", len, ptr);
2792   rc = BIO_reset(mem);
2793 
2794   BIO_free(mem);
2795 
2796   if(SSL_CONN_CONFIG(verifyhost)) {
2797     result = verifyhost(conn, connssl->server_cert);
2798     if(result) {
2799       X509_free(connssl->server_cert);
2800       connssl->server_cert = NULL;
2801       return result;
2802     }
2803   }
2804 
2805   rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert),
2806                          buffer, BUFSIZE);
2807   if(rc) {
2808     if(strict)
2809       failf(data, "SSL: couldn't get X509-issuer name!");
2810     result = CURLE_SSL_CONNECT_ERROR;
2811   }
2812   else {
2813     infof(data, " issuer: %s\n", buffer);
2814 
2815     /* We could do all sorts of certificate verification stuff here before
2816        deallocating the certificate. */
2817 
2818     /* e.g. match issuer name with provided issuer certificate */
2819     if(SSL_SET_OPTION(issuercert)) {
2820       fp = fopen(SSL_SET_OPTION(issuercert), FOPEN_READTEXT);
2821       if(!fp) {
2822         if(strict)
2823           failf(data, "SSL: Unable to open issuer cert (%s)",
2824                 SSL_SET_OPTION(issuercert));
2825         X509_free(connssl->server_cert);
2826         connssl->server_cert = NULL;
2827         return CURLE_SSL_ISSUER_ERROR;
2828       }
2829 
2830       issuer = PEM_read_X509(fp, NULL, ZERO_NULL, NULL);
2831       if(!issuer) {
2832         if(strict)
2833           failf(data, "SSL: Unable to read issuer cert (%s)",
2834                 SSL_SET_OPTION(issuercert));
2835         X509_free(connssl->server_cert);
2836         X509_free(issuer);
2837         fclose(fp);
2838         return CURLE_SSL_ISSUER_ERROR;
2839       }
2840 
2841       fclose(fp);
2842 
2843       if(X509_check_issued(issuer, connssl->server_cert) != X509_V_OK) {
2844         if(strict)
2845           failf(data, "SSL: Certificate issuer check failed (%s)",
2846                 SSL_SET_OPTION(issuercert));
2847         X509_free(connssl->server_cert);
2848         X509_free(issuer);
2849         connssl->server_cert = NULL;
2850         return CURLE_SSL_ISSUER_ERROR;
2851       }
2852 
2853       infof(data, " SSL certificate issuer check ok (%s)\n",
2854             SSL_SET_OPTION(issuercert));
2855       X509_free(issuer);
2856     }
2857 
2858     lerr = *certverifyresult = SSL_get_verify_result(connssl->handle);
2859 
2860     if(*certverifyresult != X509_V_OK) {
2861       if(SSL_CONN_CONFIG(verifypeer)) {
2862         /* We probably never reach this, because SSL_connect() will fail
2863            and we return earlier if verifypeer is set? */
2864         if(strict)
2865           failf(data, "SSL certificate verify result: %s (%ld)",
2866                 X509_verify_cert_error_string(lerr), lerr);
2867         result = CURLE_PEER_FAILED_VERIFICATION;
2868       }
2869       else
2870         infof(data, " SSL certificate verify result: %s (%ld),"
2871               " continuing anyway.\n",
2872               X509_verify_cert_error_string(lerr), lerr);
2873     }
2874     else
2875       infof(data, " SSL certificate verify ok.\n");
2876   }
2877 
2878 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
2879     !defined(OPENSSL_NO_OCSP)
2880   if(SSL_CONN_CONFIG(verifystatus)) {
2881     result = verifystatus(conn, connssl);
2882     if(result) {
2883       X509_free(connssl->server_cert);
2884       connssl->server_cert = NULL;
2885       return result;
2886     }
2887   }
2888 #endif
2889 
2890   if(!strict)
2891     /* when not strict, we don't bother about the verify cert problems */
2892     result = CURLE_OK;
2893 
2894   ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
2895   if(!result && ptr) {
2896     result = pkp_pin_peer_pubkey(data, connssl->server_cert, ptr);
2897     if(result)
2898       failf(data, "SSL: public key does not match pinned public key!");
2899   }
2900 
2901   X509_free(connssl->server_cert);
2902   connssl->server_cert = NULL;
2903   connssl->connecting_state = ssl_connect_done;
2904 
2905   return result;
2906 }
2907 
ossl_connect_step3(struct connectdata * conn,int sockindex)2908 static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
2909 {
2910   CURLcode result = CURLE_OK;
2911   struct Curl_easy *data = conn->data;
2912   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2913 
2914   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
2915 
2916   if(data->set.general_ssl.sessionid) {
2917     bool incache;
2918     SSL_SESSION *our_ssl_sessionid;
2919     void *old_ssl_sessionid = NULL;
2920 
2921     our_ssl_sessionid = SSL_get1_session(connssl->handle);
2922 
2923     /* SSL_get1_session() will increment the reference count and the session
2924         will stay in memory until explicitly freed with SSL_SESSION_free(3),
2925         regardless of its state. */
2926 
2927     Curl_ssl_sessionid_lock(conn);
2928     incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
2929                                       sockindex));
2930     if(incache) {
2931       if(old_ssl_sessionid != our_ssl_sessionid) {
2932         infof(data, "old SSL session ID is stale, removing\n");
2933         Curl_ssl_delsessionid(conn, old_ssl_sessionid);
2934         incache = FALSE;
2935       }
2936     }
2937 
2938     if(!incache) {
2939       result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
2940                                       0 /* unknown size */, sockindex);
2941       if(result) {
2942         Curl_ssl_sessionid_unlock(conn);
2943         failf(data, "failed to store ssl session");
2944         return result;
2945       }
2946     }
2947     else {
2948       /* Session was incache, so refcount already incremented earlier.
2949         * Avoid further increments with each SSL_get1_session() call.
2950         * This does not free the session as refcount remains > 0
2951         */
2952       SSL_SESSION_free(our_ssl_sessionid);
2953     }
2954     Curl_ssl_sessionid_unlock(conn);
2955   }
2956 
2957   /*
2958    * We check certificates to authenticate the server; otherwise we risk
2959    * man-in-the-middle attack; NEVERTHELESS, if we're told explicitly not to
2960    * verify the peer ignore faults and failures from the server cert
2961    * operations.
2962    */
2963 
2964   result = servercert(conn, connssl, (SSL_CONN_CONFIG(verifypeer) ||
2965                                       SSL_CONN_CONFIG(verifyhost)));
2966 
2967   if(!result)
2968     connssl->connecting_state = ssl_connect_done;
2969 
2970   return result;
2971 }
2972 
2973 static Curl_recv ossl_recv;
2974 static Curl_send ossl_send;
2975 
ossl_connect_common(struct connectdata * conn,int sockindex,bool nonblocking,bool * done)2976 static CURLcode ossl_connect_common(struct connectdata *conn,
2977                                     int sockindex,
2978                                     bool nonblocking,
2979                                     bool *done)
2980 {
2981   CURLcode result;
2982   struct Curl_easy *data = conn->data;
2983   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2984   curl_socket_t sockfd = conn->sock[sockindex];
2985   time_t timeout_ms;
2986   int what;
2987 
2988   /* check if the connection has already been established */
2989   if(ssl_connection_complete == connssl->state) {
2990     *done = TRUE;
2991     return CURLE_OK;
2992   }
2993 
2994   if(ssl_connect_1 == connssl->connecting_state) {
2995     /* Find out how much more time we're allowed */
2996     timeout_ms = Curl_timeleft(data, NULL, TRUE);
2997 
2998     if(timeout_ms < 0) {
2999       /* no need to continue if time already is up */
3000       failf(data, "SSL connection timeout");
3001       return CURLE_OPERATION_TIMEDOUT;
3002     }
3003 
3004     result = ossl_connect_step1(conn, sockindex);
3005     if(result)
3006       return result;
3007   }
3008 
3009   while(ssl_connect_2 == connssl->connecting_state ||
3010         ssl_connect_2_reading == connssl->connecting_state ||
3011         ssl_connect_2_writing == connssl->connecting_state) {
3012 
3013     /* check allowed time left */
3014     timeout_ms = Curl_timeleft(data, NULL, TRUE);
3015 
3016     if(timeout_ms < 0) {
3017       /* no need to continue if time already is up */
3018       failf(data, "SSL connection timeout");
3019       return CURLE_OPERATION_TIMEDOUT;
3020     }
3021 
3022     /* if ssl is expecting something, check if it's available. */
3023     if(connssl->connecting_state == ssl_connect_2_reading ||
3024        connssl->connecting_state == ssl_connect_2_writing) {
3025 
3026       curl_socket_t writefd = ssl_connect_2_writing==
3027         connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
3028       curl_socket_t readfd = ssl_connect_2_reading==
3029         connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
3030 
3031       what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
3032                                nonblocking?0:timeout_ms);
3033       if(what < 0) {
3034         /* fatal error */
3035         failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
3036         return CURLE_SSL_CONNECT_ERROR;
3037       }
3038       else if(0 == what) {
3039         if(nonblocking) {
3040           *done = FALSE;
3041           return CURLE_OK;
3042         }
3043         else {
3044           /* timeout */
3045           failf(data, "SSL connection timeout");
3046           return CURLE_OPERATION_TIMEDOUT;
3047         }
3048       }
3049       /* socket is readable or writable */
3050     }
3051 
3052     /* Run transaction, and return to the caller if it failed or if this
3053      * connection is done nonblocking and this loop would execute again. This
3054      * permits the owner of a multi handle to abort a connection attempt
3055      * before step2 has completed while ensuring that a client using select()
3056      * or epoll() will always have a valid fdset to wait on.
3057      */
3058     result = ossl_connect_step2(conn, sockindex);
3059     if(result || (nonblocking &&
3060                   (ssl_connect_2 == connssl->connecting_state ||
3061                    ssl_connect_2_reading == connssl->connecting_state ||
3062                    ssl_connect_2_writing == connssl->connecting_state)))
3063       return result;
3064 
3065   } /* repeat step2 until all transactions are done. */
3066 
3067   if(ssl_connect_3 == connssl->connecting_state) {
3068     result = ossl_connect_step3(conn, sockindex);
3069     if(result)
3070       return result;
3071   }
3072 
3073   if(ssl_connect_done == connssl->connecting_state) {
3074     connssl->state = ssl_connection_complete;
3075     conn->recv[sockindex] = ossl_recv;
3076     conn->send[sockindex] = ossl_send;
3077     *done = TRUE;
3078   }
3079   else
3080     *done = FALSE;
3081 
3082   /* Reset our connect state machine */
3083   connssl->connecting_state = ssl_connect_1;
3084 
3085   return CURLE_OK;
3086 }
3087 
Curl_ossl_connect_nonblocking(struct connectdata * conn,int sockindex,bool * done)3088 CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn,
3089                                        int sockindex,
3090                                        bool *done)
3091 {
3092   return ossl_connect_common(conn, sockindex, TRUE, done);
3093 }
3094 
Curl_ossl_connect(struct connectdata * conn,int sockindex)3095 CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex)
3096 {
3097   CURLcode result;
3098   bool done = FALSE;
3099 
3100   result = ossl_connect_common(conn, sockindex, FALSE, &done);
3101   if(result)
3102     return result;
3103 
3104   DEBUGASSERT(done);
3105 
3106   return CURLE_OK;
3107 }
3108 
Curl_ossl_data_pending(const struct connectdata * conn,int connindex)3109 bool Curl_ossl_data_pending(const struct connectdata *conn, int connindex)
3110 {
3111   if(conn->ssl[connindex].handle)
3112     /* SSL is in use */
3113     return (0 != SSL_pending(conn->ssl[connindex].handle) ||
3114            (conn->proxy_ssl[connindex].handle &&
3115             0 != SSL_pending(conn->proxy_ssl[connindex].handle))) ?
3116            TRUE : FALSE;
3117   else
3118     return FALSE;
3119 }
3120 
ossl_send(struct connectdata * conn,int sockindex,const void * mem,size_t len,CURLcode * curlcode)3121 static ssize_t ossl_send(struct connectdata *conn,
3122                          int sockindex,
3123                          const void *mem,
3124                          size_t len,
3125                          CURLcode *curlcode)
3126 {
3127   /* SSL_write() is said to return 'int' while write() and send() returns
3128      'size_t' */
3129   int err;
3130   char error_buffer[256]; /* OpenSSL documents that this must be at least 256
3131                              bytes long. */
3132   unsigned long sslerror;
3133   int memlen;
3134   int rc;
3135 
3136   ERR_clear_error();
3137 
3138   memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
3139   rc = SSL_write(conn->ssl[sockindex].handle, mem, memlen);
3140 
3141   if(rc <= 0) {
3142     err = SSL_get_error(conn->ssl[sockindex].handle, rc);
3143 
3144     switch(err) {
3145     case SSL_ERROR_WANT_READ:
3146     case SSL_ERROR_WANT_WRITE:
3147       /* The operation did not complete; the same TLS/SSL I/O function
3148          should be called again later. This is basically an EWOULDBLOCK
3149          equivalent. */
3150       *curlcode = CURLE_AGAIN;
3151       return -1;
3152     case SSL_ERROR_SYSCALL:
3153       failf(conn->data, "SSL_write() returned SYSCALL, errno = %d",
3154             SOCKERRNO);
3155       *curlcode = CURLE_SEND_ERROR;
3156       return -1;
3157     case SSL_ERROR_SSL:
3158       /*  A failure in the SSL library occurred, usually a protocol error.
3159           The OpenSSL error queue contains more information on the error. */
3160       sslerror = ERR_get_error();
3161       if(ERR_GET_LIB(sslerror) == ERR_LIB_SSL &&
3162          ERR_GET_REASON(sslerror) == SSL_R_BIO_NOT_SET &&
3163          conn->ssl[sockindex].state == ssl_connection_complete &&
3164          conn->proxy_ssl[sockindex].state == ssl_connection_complete) {
3165         char ver[120];
3166         Curl_ossl_version(ver, 120);
3167         failf(conn->data, "Error: %s does not support double SSL tunneling.",
3168               ver);
3169       }
3170       else
3171         failf(conn->data, "SSL_write() error: %s",
3172               ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)));
3173       *curlcode = CURLE_SEND_ERROR;
3174       return -1;
3175     }
3176     /* a true error */
3177     failf(conn->data, "SSL_write() return error %d", err);
3178     *curlcode = CURLE_SEND_ERROR;
3179     return -1;
3180   }
3181   *curlcode = CURLE_OK;
3182   return (ssize_t)rc; /* number of bytes */
3183 }
3184 
ossl_recv(struct connectdata * conn,int num,char * buf,size_t buffersize,CURLcode * curlcode)3185 static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
3186                          int num,                  /* socketindex */
3187                          char *buf,                /* store read data here */
3188                          size_t buffersize,        /* max amount to read */
3189                          CURLcode *curlcode)
3190 {
3191   char error_buffer[256]; /* OpenSSL documents that this must be at
3192                              least 256 bytes long. */
3193   unsigned long sslerror;
3194   ssize_t nread;
3195   int buffsize;
3196 
3197   ERR_clear_error();
3198 
3199   buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
3200   nread = (ssize_t)SSL_read(conn->ssl[num].handle, buf, buffsize);
3201   if(nread <= 0) {
3202     /* failed SSL_read */
3203     int err = SSL_get_error(conn->ssl[num].handle, (int)nread);
3204 
3205     switch(err) {
3206     case SSL_ERROR_NONE: /* this is not an error */
3207     case SSL_ERROR_ZERO_RETURN: /* no more data */
3208       break;
3209     case SSL_ERROR_WANT_READ:
3210     case SSL_ERROR_WANT_WRITE:
3211       /* there's data pending, re-invoke SSL_read() */
3212       *curlcode = CURLE_AGAIN;
3213       return -1;
3214     default:
3215       /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
3216          value/errno" */
3217       /* https://www.openssl.org/docs/crypto/ERR_get_error.html */
3218       sslerror = ERR_get_error();
3219       if((nread < 0) || sslerror) {
3220         /* If the return code was negative or there actually is an error in the
3221            queue */
3222         failf(conn->data, "SSL read: %s, errno %d",
3223               ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)),
3224               SOCKERRNO);
3225         *curlcode = CURLE_RECV_ERROR;
3226         return -1;
3227       }
3228     }
3229   }
3230   return nread;
3231 }
3232 
Curl_ossl_version(char * buffer,size_t size)3233 size_t Curl_ossl_version(char *buffer, size_t size)
3234 {
3235 #ifdef OPENSSL_IS_BORINGSSL
3236   return snprintf(buffer, size, OSSL_PACKAGE);
3237 #else /* OPENSSL_IS_BORINGSSL */
3238   char sub[3];
3239   unsigned long ssleay_value;
3240   sub[2]='\0';
3241   sub[1]='\0';
3242   ssleay_value=OpenSSL_version_num();
3243   if(ssleay_value < 0x906000) {
3244     ssleay_value=SSLEAY_VERSION_NUMBER;
3245     sub[0]='\0';
3246   }
3247   else {
3248     if(ssleay_value&0xff0) {
3249       int minor_ver = (ssleay_value >> 4) & 0xff;
3250       if(minor_ver > 26) {
3251         /* handle extended version introduced for 0.9.8za */
3252         sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
3253         sub[0] = 'z';
3254       }
3255       else {
3256         sub[0]=(char)(((ssleay_value>>4)&0xff) + 'a' -1);
3257       }
3258     }
3259     else
3260       sub[0]='\0';
3261   }
3262 
3263   return snprintf(buffer, size, "%s/%lx.%lx.%lx%s",
3264                   OSSL_PACKAGE,
3265                   (ssleay_value>>28)&0xf,
3266                   (ssleay_value>>20)&0xff,
3267                   (ssleay_value>>12)&0xff,
3268                   sub);
3269 #endif /* OPENSSL_IS_BORINGSSL */
3270 }
3271 
3272 /* can be called with data == NULL */
Curl_ossl_random(struct Curl_easy * data,unsigned char * entropy,size_t length)3273 int Curl_ossl_random(struct Curl_easy *data, unsigned char *entropy,
3274                      size_t length)
3275 {
3276   if(data) {
3277     if(Curl_ossl_seed(data)) /* Initiate the seed if not already done */
3278       return 1; /* couldn't seed for some reason */
3279   }
3280   else {
3281     if(!rand_enough())
3282       return 1;
3283   }
3284   RAND_bytes(entropy, curlx_uztosi(length));
3285   return 0; /* 0 as in no problem */
3286 }
3287 
Curl_ossl_md5sum(unsigned char * tmp,size_t tmplen,unsigned char * md5sum,size_t unused)3288 void Curl_ossl_md5sum(unsigned char *tmp, /* input */
3289                       size_t tmplen,
3290                       unsigned char *md5sum /* output */,
3291                       size_t unused)
3292 {
3293   MD5_CTX MD5pw;
3294   (void)unused;
3295   MD5_Init(&MD5pw);
3296   MD5_Update(&MD5pw, tmp, tmplen);
3297   MD5_Final(md5sum, &MD5pw);
3298 }
3299 
3300 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
Curl_ossl_sha256sum(const unsigned char * tmp,size_t tmplen,unsigned char * sha256sum,size_t unused)3301 void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
3302                       size_t tmplen,
3303                       unsigned char *sha256sum /* output */,
3304                       size_t unused)
3305 {
3306   SHA256_CTX SHA256pw;
3307   (void)unused;
3308   SHA256_Init(&SHA256pw);
3309   SHA256_Update(&SHA256pw, tmp, tmplen);
3310   SHA256_Final(sha256sum, &SHA256pw);
3311 }
3312 #endif
3313 
Curl_ossl_cert_status_request(void)3314 bool Curl_ossl_cert_status_request(void)
3315 {
3316 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
3317     !defined(OPENSSL_NO_OCSP)
3318   return TRUE;
3319 #else
3320   return FALSE;
3321 #endif
3322 }
3323 #endif /* USE_OPENSSL */
3324