1 #ifndef HEADER_CURL_VTLS_H
2 #define HEADER_CURL_VTLS_H
3 /***************************************************************************
5 * Project ___| | | | _ \| |
7 * | (__| |_| | _ <| |___
8 * \___|\___/|_| \_\_____|
10 * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
12 * This software is licensed as described in the file COPYING, which
13 * you should have received as part of this distribution. The terms
14 * are also available at https://curl.se/docs/copyright.html.
16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17 * copies of the Software, and permit persons to whom the Software is
18 * furnished to do so, under the terms of the COPYING file.
20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21 * KIND, either express or implied.
23 * SPDX-License-Identifier: curl
25 ***************************************************************************/
26 #include "curl_setup.h"
29 struct ssl_connect_data;
31 #define SSLSUPP_CA_PATH (1<<0) /* supports CAPATH */
32 #define SSLSUPP_CERTINFO (1<<1) /* supports CURLOPT_CERTINFO */
33 #define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
34 #define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
35 #define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
36 #define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
37 #define SSLSUPP_CAINFO_BLOB (1<<6)
39 #define ALPN_ACCEPTED "ALPN: server accepted "
41 #define VTLS_INFOF_NO_ALPN \
42 "ALPN: server did not agree on a protocol. Uses default."
43 #define VTLS_INFOF_ALPN_OFFER_1STR \
45 #define VTLS_INFOF_ALPN_ACCEPTED_1STR \
47 #define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR \
52 * This *must* be the first entry to allow returning the list of available
53 * backends in curl_global_sslset().
55 curl_ssl_backend info;
56 unsigned int supports; /* bitfield, see above */
57 size_t sizeof_ssl_backend_data;
60 void (*cleanup)(void);
62 size_t (*version)(char *buffer, size_t size);
63 int (*check_cxn)(struct connectdata *cxn);
64 int (*shut_down)(struct Curl_easy *data, struct connectdata *conn,
66 bool (*data_pending)(const struct connectdata *conn,
69 /* return 0 if a find random is filled in */
70 CURLcode (*random)(struct Curl_easy *data, unsigned char *entropy,
72 bool (*cert_status_request)(void);
74 CURLcode (*connect_blocking)(struct Curl_easy *data,
75 struct connectdata *conn, int sockindex);
76 CURLcode (*connect_nonblocking)(struct Curl_easy *data,
77 struct connectdata *conn, int sockindex,
80 /* If the SSL backend wants to read or write on this connection during a
81 handshake, set socks[0] to the connection's FIRSTSOCKET, and return
82 a bitmap indicating read or write with GETSOCK_WRITESOCK(0) or
83 GETSOCK_READSOCK(0). Otherwise return GETSOCK_BLANK.
85 int (*getsock)(struct connectdata *conn, curl_socket_t *socks);
87 void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info);
88 void (*close_one)(struct Curl_easy *data, struct connectdata *conn,
90 void (*close_all)(struct Curl_easy *data);
91 void (*session_free)(void *ptr);
93 CURLcode (*set_engine)(struct Curl_easy *data, const char *engine);
94 CURLcode (*set_engine_default)(struct Curl_easy *data);
95 struct curl_slist *(*engines_list)(struct Curl_easy *data);
97 bool (*false_start)(void);
98 CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen,
99 unsigned char *sha256sum, size_t sha256sumlen);
101 bool (*associate_connection)(struct Curl_easy *data,
102 struct connectdata *conn,
104 void (*disassociate_connection)(struct Curl_easy *data, int sockindex);
108 extern const struct Curl_ssl *Curl_ssl;
111 int Curl_none_init(void);
112 void Curl_none_cleanup(void);
113 int Curl_none_shutdown(struct Curl_easy *data, struct connectdata *conn,
115 int Curl_none_check_cxn(struct connectdata *conn);
116 CURLcode Curl_none_random(struct Curl_easy *data, unsigned char *entropy,
118 void Curl_none_close_all(struct Curl_easy *data);
119 void Curl_none_session_free(void *ptr);
120 bool Curl_none_data_pending(const struct connectdata *conn, int connindex);
121 bool Curl_none_cert_status_request(void);
122 CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine);
123 CURLcode Curl_none_set_engine_default(struct Curl_easy *data);
124 struct curl_slist *Curl_none_engines_list(struct Curl_easy *data);
125 bool Curl_none_false_start(void);
126 bool Curl_ssl_tls13_ciphersuites(void);
128 CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
129 const curl_ssl_backend ***avail);
131 #include "openssl.h" /* OpenSSL versions */
132 #include "gtls.h" /* GnuTLS versions */
133 #include "nssg.h" /* NSS versions */
134 #include "gskit.h" /* Global Secure ToolKit versions */
135 #include "wolfssl.h" /* wolfSSL versions */
136 #include "schannel.h" /* Schannel SSPI version */
137 #include "sectransp.h" /* SecureTransport (Darwin) version */
138 #include "mbedtls.h" /* mbedTLS versions */
139 #include "bearssl.h" /* BearSSL versions */
140 #include "rustls.h" /* rustls versions */
142 #ifndef MAX_PINNED_PUBKEY_SIZE
143 #define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */
146 #ifndef CURL_SHA256_DIGEST_LENGTH
147 #define CURL_SHA256_DIGEST_LENGTH 32 /* fixed size */
150 /* see https://www.iana.org/assignments/tls-extensiontype-values/ */
151 #define ALPN_HTTP_1_1_LENGTH 8
152 #define ALPN_HTTP_1_1 "http/1.1"
153 #define ALPN_H2_LENGTH 2
156 /* set of helper macros for the backends to access the correct fields. For the
157 proxy or for the remote host - to properly support HTTPS proxy */
158 #ifndef CURL_DISABLE_PROXY
159 #define SSL_IS_PROXY() \
160 (CURLPROXY_HTTPS == conn->http_proxy.proxytype && \
161 ssl_connection_complete != \
162 conn->proxy_ssl[conn->sock[SECONDARYSOCKET] == \
163 CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
164 #define SSL_SET_OPTION(var) \
165 (SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var)
166 #define SSL_SET_OPTION_LVALUE(var) \
167 (*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var))
168 #define SSL_CONN_CONFIG(var) \
169 (SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var)
170 #define SSL_HOST_NAME() \
171 (SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name)
172 #define SSL_HOST_DISPNAME() \
173 (SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname)
174 #define SSL_HOST_PORT() \
175 (SSL_IS_PROXY() ? conn->port : conn->remote_port)
176 #define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY() \
177 ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] \
178 : data->set.str[STRING_SSL_PINNEDPUBLICKEY])
180 #define SSL_IS_PROXY() FALSE
181 #define SSL_SET_OPTION(var) data->set.ssl.var
182 #define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var
183 #define SSL_CONN_CONFIG(var) conn->ssl_config.var
184 #define SSL_HOST_NAME() conn->host.name
185 #define SSL_HOST_DISPNAME() conn->host.dispname
186 #define SSL_HOST_PORT() conn->remote_port
187 #define SSL_PINNED_PUB_KEY() \
188 data->set.str[STRING_SSL_PINNEDPUBLICKEY]
191 char *Curl_ssl_snihost(struct Curl_easy *data, const char *host, size_t *olen);
192 bool Curl_ssl_config_matches(struct ssl_primary_config *data,
193 struct ssl_primary_config *needle);
194 bool Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
195 struct ssl_primary_config *dest);
196 void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc);
197 /* An implementation of the getsock field of Curl_ssl that relies
198 on the ssl_connect_state enum. Asks for read or write depending
199 on whether conn->state is ssl_connect_2_reading or
200 ssl_connect_2_writing. */
201 int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks);
203 curl_sslbackend Curl_ssl_backend(void);
206 int Curl_ssl_init(void);
207 void Curl_ssl_cleanup(void);
208 CURLcode Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
210 CURLcode Curl_ssl_connect_nonblocking(struct Curl_easy *data,
211 struct connectdata *conn,
215 /* tell the SSL stuff to close down all open information regarding
216 connections (and thus session ID caching etc) */
217 void Curl_ssl_close_all(struct Curl_easy *data);
218 void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn,
220 CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
222 CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine);
223 /* Sets engine as default for all SSL operations */
224 CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data);
225 struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data);
227 /* init the SSL session ID cache */
228 CURLcode Curl_ssl_initsessions(struct Curl_easy *, size_t);
229 void Curl_ssl_version(char *buffer, size_t size);
230 bool Curl_ssl_data_pending(const struct connectdata *conn,
232 int Curl_ssl_check_cxn(struct connectdata *conn);
234 /* Certificate information list handling. */
236 void Curl_ssl_free_certinfo(struct Curl_easy *data);
237 CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num);
238 CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data, int certnum,
239 const char *label, const char *value,
241 CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum,
242 const char *label, const char *value);
244 /* Functions to be used by SSL library adaptation functions */
246 /* Lock session cache mutex.
247 * Call this before calling other Curl_ssl_*session* functions
248 * Caller should unlock this mutex as soon as possible, as it may block
249 * other SSL connection from making progress.
250 * The purpose of explicitly locking SSL session cache data is to allow
251 * individual SSL engines to manage session lifetime in their specific way.
253 void Curl_ssl_sessionid_lock(struct Curl_easy *data);
255 /* Unlock session cache mutex */
256 void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
258 /* extract a session ID
259 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
260 * Caller must make sure that the ownership of returned sessionid object
261 * is properly taken (e.g. its refcount is incremented
262 * under sessionid mutex).
264 bool Curl_ssl_getsessionid(struct Curl_easy *data,
265 struct connectdata *conn,
267 void **ssl_sessionid,
268 size_t *idsize, /* set 0 if unknown */
270 /* add a new session ID
271 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
272 * Caller must ensure that it has properly shared ownership of this sessionid
273 * object with cache (e.g. incrementing refcount on success)
275 CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
276 struct connectdata *conn,
282 /* Kill a single session ID entry in the cache
283 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
284 * This will call engine-specific curlssl_session_free function, which must
285 * take sessionid object ownership from sessionid cache
286 * (e.g. decrement refcount).
288 void Curl_ssl_kill_session(struct Curl_ssl_session *session);
289 /* delete a session from the cache
290 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
291 * This will call engine-specific curlssl_session_free function, which must
292 * take sessionid object ownership from sessionid cache
293 * (e.g. decrement refcount).
295 void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid);
297 /* get N random bytes into the buffer */
298 CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer,
300 /* Check pinned public key. */
301 CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
302 const char *pinnedpubkey,
303 const unsigned char *pubkey, size_t pubkeylen);
305 bool Curl_ssl_cert_status_request(void);
307 bool Curl_ssl_false_start(void);
309 void Curl_ssl_associate_conn(struct Curl_easy *data,
310 struct connectdata *conn);
311 void Curl_ssl_detach_conn(struct Curl_easy *data,
312 struct connectdata *conn);
314 #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
316 #else /* if not USE_SSL */
318 /* When SSL support is not present, just define away these function calls */
319 #define Curl_ssl_init() 1
320 #define Curl_ssl_cleanup() Curl_nop_stmt
321 #define Curl_ssl_connect(x,y,z) CURLE_NOT_BUILT_IN
322 #define Curl_ssl_close_all(x) Curl_nop_stmt
323 #define Curl_ssl_close(x,y,z) Curl_nop_stmt
324 #define Curl_ssl_shutdown(x,y,z) CURLE_NOT_BUILT_IN
325 #define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
326 #define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
327 #define Curl_ssl_engines_list(x) NULL
328 #define Curl_ssl_send(a,b,c,d,e) -1
329 #define Curl_ssl_recv(a,b,c,d,e) -1
330 #define Curl_ssl_initsessions(x,y) CURLE_OK
331 #define Curl_ssl_data_pending(x,y) 0
332 #define Curl_ssl_check_cxn(x) 0
333 #define Curl_ssl_free_certinfo(x) Curl_nop_stmt
334 #define Curl_ssl_connect_nonblocking(x,y,z,w,a) CURLE_NOT_BUILT_IN
335 #define Curl_ssl_kill_session(x) Curl_nop_stmt
336 #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
337 #define Curl_ssl_cert_status_request() FALSE
338 #define Curl_ssl_false_start() FALSE
339 #define Curl_ssl_tls13_ciphersuites() FALSE
340 #define Curl_ssl_associate_conn(a,b) Curl_nop_stmt
341 #define Curl_ssl_detach_conn(a,b) Curl_nop_stmt
344 #endif /* HEADER_CURL_VTLS_H */