1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at http://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
24 * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
25 * but vtls.c should ever call or use these functions.
29 * The original SSLeay-using code for curl was written by Linas Vepstas and
30 * Sampo Kellomaki 1998.
33 #include "curl_setup.h"
41 #include "formdata.h" /* for the boundary function */
42 #include "url.h" /* for the ssl config check function */
43 #include "inet_pton.h"
51 #include "hostcheck.h"
53 #define _MPRINTF_REPLACE /* use the internal *printf() functions */
54 #include <curl/mprintf.h>
59 #include <openssl/rand.h>
60 #include <openssl/x509v3.h>
61 #include <openssl/dsa.h>
62 #include <openssl/dh.h>
63 #include <openssl/err.h>
64 #include <openssl/md5.h>
72 #include "curl_memory.h"
73 #include "non-ascii.h" /* for Curl_convert_from_utf8 prototype */
75 /* The last #include file should be: */
78 #ifndef OPENSSL_VERSION_NUMBER
79 #error "OPENSSL_VERSION_NUMBER not defined"
82 #if OPENSSL_VERSION_NUMBER >= 0x0090581fL
83 #define HAVE_SSL_GET1_SESSION 1
85 #undef HAVE_SSL_GET1_SESSION
88 #if OPENSSL_VERSION_NUMBER >= 0x00904100L
89 #define HAVE_USERDATA_IN_PWD_CALLBACK 1
91 #undef HAVE_USERDATA_IN_PWD_CALLBACK
94 #if OPENSSL_VERSION_NUMBER >= 0x00907001L
95 /* ENGINE_load_private_key() takes four arguments */
96 #define HAVE_ENGINE_LOAD_FOUR_ARGS
97 #include <openssl/ui.h>
99 /* ENGINE_load_private_key() takes three arguments */
100 #undef HAVE_ENGINE_LOAD_FOUR_ARGS
103 #if (OPENSSL_VERSION_NUMBER >= 0x00903001L) && defined(HAVE_OPENSSL_PKCS12_H)
104 /* OpenSSL has PKCS 12 support */
105 #define HAVE_PKCS12_SUPPORT
107 /* OpenSSL/SSLEay does not have PKCS12 support */
108 #undef HAVE_PKCS12_SUPPORT
111 #if OPENSSL_VERSION_NUMBER >= 0x00906001L
112 #define HAVE_ERR_ERROR_STRING_N 1
115 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
116 #define SSL_METHOD_QUAL const
118 #define SSL_METHOD_QUAL
121 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
122 /* 0.9.6 didn't have X509_STORE_set_flags() */
123 #define HAVE_X509_STORE_SET_FLAGS 1
125 #define X509_STORE_set_flags(x,y) Curl_nop_stmt
128 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
129 #define HAVE_ERR_REMOVE_THREAD_STATE 1
132 #ifndef HAVE_SSLV2_CLIENT_METHOD
133 #undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
134 #define OPENSSL_NO_SSL2
138 * Number of bytes to read from the random number seed file. This must be
139 * a finite value (because some entropy "files" like /dev/urandom have
140 * an infinite length), but must be large enough to provide enough
141 * entopy to properly seed OpenSSL's PRNG.
143 #define RAND_LOAD_LENGTH 1024
145 #ifndef HAVE_USERDATA_IN_PWD_CALLBACK
146 static char global_passwd[64];
149 static int passwd_callback(char *buf, int num, int encrypting
150 #ifdef HAVE_USERDATA_IN_PWD_CALLBACK
151 /* This was introduced in 0.9.4, we can set this
152 using SSL_CTX_set_default_passwd_cb_userdata()
154 , void *global_passwd
158 DEBUGASSERT(0 == encrypting);
161 int klen = curlx_uztosi(strlen((char *)global_passwd));
163 memcpy(buf, global_passwd, klen+1);
171 * rand_enough() is a function that returns TRUE if we have seeded the random
172 * engine properly. We use some preprocessor magic to provide a seed_enough()
173 * macro to use, just to prevent a compiler warning on this function if we
174 * pass in an argument that is never used.
177 #ifdef HAVE_RAND_STATUS
178 #define seed_enough(x) rand_enough()
179 static bool rand_enough(void)
181 return (0 != RAND_status()) ? TRUE : FALSE;
184 #define seed_enough(x) rand_enough(x)
185 static bool rand_enough(int nread)
187 /* this is a very silly decision to make */
188 return (nread > 500) ? TRUE : FALSE;
192 static int ossl_seed(struct SessionHandle *data)
194 char *buf = data->state.buffer; /* point to the big buffer */
197 /* Q: should we add support for a random file name as a libcurl option?
198 A: Yes, it is here */
201 /* if RANDOM_FILE isn't defined, we only perform this if an option tells
203 if(data->set.ssl.random_file)
204 #define RANDOM_FILE "" /* doesn't matter won't be used */
207 /* let the option override the define */
208 nread += RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
209 data->set.str[STRING_SSL_RANDOM_FILE]:
212 if(seed_enough(nread))
216 #if defined(HAVE_RAND_EGD)
217 /* only available in OpenSSL 0.9.5 and later */
218 /* EGD_SOCKET is set at configure time or not at all */
220 /* If we don't have the define set, we only do this if the egd-option
222 if(data->set.str[STRING_SSL_EGDSOCKET])
223 #define EGD_SOCKET "" /* doesn't matter won't be used */
226 /* If there's an option and a define, the option overrides the
228 int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
229 data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
232 if(seed_enough(nread))
238 /* If we get here, it means we need to seed the PRNG using a "silly"
241 unsigned char randb[64];
242 int len = sizeof(randb);
243 RAND_bytes(randb, len);
244 RAND_add(randb, len, (len >> 1));
245 } while(!RAND_status());
247 /* generates a default path for the random seed file */
248 buf[0]=0; /* blank it first */
249 RAND_file_name(buf, BUFSIZE);
251 /* we got a file name to try */
252 nread += RAND_load_file(buf, RAND_LOAD_LENGTH);
253 if(seed_enough(nread))
257 infof(data, "libcurl is now using a weak random seed!\n");
261 int Curl_ossl_seed(struct SessionHandle *data)
263 /* we have the "SSL is seeded" boolean static to prevent multiple
264 time-consuming seedings in vain */
265 static bool ssl_seeded = FALSE;
267 if(!ssl_seeded || data->set.str[STRING_SSL_RANDOM_FILE] ||
268 data->set.str[STRING_SSL_EGDSOCKET]) {
276 #ifndef SSL_FILETYPE_ENGINE
277 #define SSL_FILETYPE_ENGINE 42
279 #ifndef SSL_FILETYPE_PKCS12
280 #define SSL_FILETYPE_PKCS12 43
282 static int do_file_type(const char *type)
284 if(!type || !type[0])
285 return SSL_FILETYPE_PEM;
286 if(Curl_raw_equal(type, "PEM"))
287 return SSL_FILETYPE_PEM;
288 if(Curl_raw_equal(type, "DER"))
289 return SSL_FILETYPE_ASN1;
290 if(Curl_raw_equal(type, "ENG"))
291 return SSL_FILETYPE_ENGINE;
292 if(Curl_raw_equal(type, "P12"))
293 return SSL_FILETYPE_PKCS12;
297 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_FOUR_ARGS)
299 * Supply default password to the engine user interface conversation.
300 * The password is passed by OpenSSL engine from ENGINE_load_private_key()
301 * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
303 static int ssl_ui_reader(UI *ui, UI_STRING *uis)
305 const char *password;
306 switch(UI_get_string_type(uis)) {
309 password = (const char*)UI_get0_user_data(ui);
310 if(NULL != password &&
311 UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD) {
312 UI_set_result(ui, uis, password);
318 return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
322 * Suppress interactive request for a default password if available.
324 static int ssl_ui_writer(UI *ui, UI_STRING *uis)
326 switch(UI_get_string_type(uis)) {
329 if(NULL != UI_get0_user_data(ui) &&
330 UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD) {
336 return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
341 int cert_stuff(struct connectdata *conn,
344 const char *cert_type,
346 const char *key_type)
348 struct SessionHandle *data = conn->data;
350 int file_type = do_file_type(cert_type);
352 if(cert_file != NULL || file_type == SSL_FILETYPE_ENGINE) {
357 if(data->set.str[STRING_KEY_PASSWD]) {
358 #ifndef HAVE_USERDATA_IN_PWD_CALLBACK
360 * If password has been given, we store that in the global
361 * area (*shudder*) for a while:
363 size_t len = strlen(data->set.str[STRING_KEY_PASSWD]);
364 if(len < sizeof(global_passwd))
365 memcpy(global_passwd, data->set.str[STRING_KEY_PASSWD], len+1);
367 global_passwd[0] = '\0';
370 * We set the password in the callback userdata
372 SSL_CTX_set_default_passwd_cb_userdata(ctx,
373 data->set.str[STRING_KEY_PASSWD]);
375 /* Set passwd callback: */
376 SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
380 #define SSL_CLIENT_CERT_ERR \
381 "unable to use client certificate (no key found or wrong pass phrase?)"
384 case SSL_FILETYPE_PEM:
385 /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
386 if(SSL_CTX_use_certificate_chain_file(ctx,
388 failf(data, SSL_CLIENT_CERT_ERR);
393 case SSL_FILETYPE_ASN1:
394 /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
395 we use the case above for PEM so this can only be performed with
397 if(SSL_CTX_use_certificate_file(ctx,
400 failf(data, SSL_CLIENT_CERT_ERR);
404 case SSL_FILETYPE_ENGINE:
405 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
407 if(data->state.engine) {
408 const char *cmd_name = "LOAD_CERT_CTRL";
414 params.cert_id = cert_file;
417 /* Does the engine supports LOAD_CERT_CTRL ? */
418 if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
419 0, (void *)cmd_name, NULL)) {
420 failf(data, "ssl engine does not support loading certificates");
424 /* Load the certificate from the engine */
425 if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
426 0, ¶ms, NULL, 1)) {
427 failf(data, "ssl engine cannot load client cert with id"
428 " '%s' [%s]", cert_file,
429 ERR_error_string(ERR_get_error(), NULL));
434 failf(data, "ssl engine didn't initialized the certificate "
439 if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
440 failf(data, "unable to set client certificate");
441 X509_free(params.cert);
444 X509_free(params.cert); /* we don't need the handle any more... */
447 failf(data, "crypto engine not set, can't load certificate");
453 failf(data, "file type ENG for certificate not implemented");
457 case SSL_FILETYPE_PKCS12:
459 #ifdef HAVE_PKCS12_SUPPORT
463 STACK_OF(X509) *ca = NULL;
466 f = fopen(cert_file,"rb");
468 failf(data, "could not open PKCS12 file '%s'", cert_file);
471 p12 = d2i_PKCS12_fp(f, NULL);
475 failf(data, "error reading PKCS12 file '%s'", cert_file );
481 if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
484 "could not parse PKCS12 file, check password, OpenSSL error %s",
485 ERR_error_string(ERR_get_error(), NULL) );
492 if(SSL_CTX_use_certificate(ctx, x509) != 1) {
493 failf(data, SSL_CLIENT_CERT_ERR);
497 if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
498 failf(data, "unable to use private key from PKCS12 file '%s'",
503 if(!SSL_CTX_check_private_key (ctx)) {
504 failf(data, "private key from PKCS12 file '%s' "
505 "does not match certificate in same file", cert_file);
508 /* Set Certificate Verification chain */
509 if(ca && sk_X509_num(ca)) {
510 for(i = 0; i < sk_X509_num(ca); i++) {
512 * Note that sk_X509_pop() is used below to make sure the cert is
513 * removed from the stack properly before getting passed to
514 * SSL_CTX_add_extra_chain_cert(). Previously we used
515 * sk_X509_value() instead, but then we'd clean it in the subsequent
516 * sk_X509_pop_free() call.
518 X509 *x = sk_X509_pop(ca);
519 if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
520 failf(data, "cannot add certificate to certificate chain");
523 /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
524 * presumably because it duplicates what we pass to it.
526 if(!SSL_CTX_add_client_CA(ctx, x)) {
527 failf(data, "cannot add certificate to client CA list");
537 sk_X509_pop_free(ca, X509_free);
540 return 0; /* failure! */
543 failf(data, "file type P12 for certificate not supported");
548 failf(data, "not supported file type '%s' for certificate", cert_type);
552 file_type = do_file_type(key_type);
555 case SSL_FILETYPE_PEM:
559 /* cert & key can only be in PEM case in the same file */
561 case SSL_FILETYPE_ASN1:
562 if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {
563 failf(data, "unable to set private key file: '%s' type %s",
564 key_file, key_type?key_type:"PEM");
568 case SSL_FILETYPE_ENGINE:
569 #ifdef HAVE_OPENSSL_ENGINE_H
570 { /* XXXX still needs some work */
571 EVP_PKEY *priv_key = NULL;
572 if(data->state.engine) {
573 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
574 UI_METHOD *ui_method =
575 UI_create_method((char *)"cURL user interface");
576 if(NULL == ui_method) {
577 failf(data, "unable do create OpenSSL user-interface method");
580 UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
581 UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
582 UI_method_set_reader(ui_method, ssl_ui_reader);
583 UI_method_set_writer(ui_method, ssl_ui_writer);
585 /* the typecast below was added to please mingw32 */
586 priv_key = (EVP_PKEY *)
587 ENGINE_load_private_key(data->state.engine,key_file,
588 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
591 data->set.str[STRING_KEY_PASSWD]);
592 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
593 UI_destroy_method(ui_method);
596 failf(data, "failed to load private key from crypto engine");
599 if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
600 failf(data, "unable to set private key");
601 EVP_PKEY_free(priv_key);
604 EVP_PKEY_free(priv_key); /* we don't need the handle any more... */
607 failf(data, "crypto engine not set, can't load private key");
613 failf(data, "file type ENG for private key not supported");
616 case SSL_FILETYPE_PKCS12:
618 failf(data, "file type P12 for private key not supported");
623 failf(data, "not supported file type for private key");
629 failf(data,"unable to create an SSL structure");
633 x509=SSL_get_certificate(ssl);
635 /* This version was provided by Evan Jordan and is supposed to not
636 leak memory as the previous version: */
638 EVP_PKEY *pktmp = X509_get_pubkey(x509);
639 EVP_PKEY_copy_parameters(pktmp,SSL_get_privatekey(ssl));
640 EVP_PKEY_free(pktmp);
645 /* If we are using DSA, we can copy the parameters from
649 /* Now we know that a key and cert have been set against
651 if(!SSL_CTX_check_private_key(ctx)) {
652 failf(data, "Private key does not match the certificate public key");
655 #ifndef HAVE_USERDATA_IN_PWD_CALLBACK
657 memset(global_passwd, 0, sizeof(global_passwd));
663 /* returns non-zero on failure */
664 static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
667 return X509_NAME_oneline(a, buf, size);
669 BIO *bio_out = BIO_new(BIO_s_mem());
674 return 1; /* alloc failed! */
676 rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
677 BIO_get_mem_ptr(bio_out, &biomem);
679 if((size_t)biomem->length < size)
680 size = biomem->length;
682 size--; /* don't overwrite the buffer end */
684 memcpy(buf, biomem->data, size);
694 int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
699 err_cert=X509_STORE_CTX_get_current_cert(ctx);
700 (void)x509_name_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
704 /* Return error string for last OpenSSL error
706 static char *SSL_strerror(unsigned long error, char *buf, size_t size)
708 #ifdef HAVE_ERR_ERROR_STRING_N
709 /* OpenSSL 0.9.6 and later has a function named
710 ERRO_error_string_n() that takes the size of the buffer as a
712 ERR_error_string_n(error, buf, size);
715 ERR_error_string(error, buf);
720 #endif /* USE_SSLEAY */
726 * @retval 0 error initializing SSL
727 * @retval 1 SSL initialized successfully
729 int Curl_ossl_init(void)
731 #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
732 ENGINE_load_builtin_engines();
735 /* Lets get nice error messages */
736 SSL_load_error_strings();
738 /* Init the global ciphers and digests */
739 if(!SSLeay_add_ssl_algorithms())
742 OpenSSL_add_all_algorithms();
747 #endif /* USE_SSLEAY */
752 void Curl_ossl_cleanup(void)
754 /* Free ciphers and digests lists */
757 #ifdef HAVE_ENGINE_CLEANUP
758 /* Free engine list */
762 #ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
763 /* Free OpenSSL ex_data table */
764 CRYPTO_cleanup_all_ex_data();
767 /* Free OpenSSL error strings */
770 /* Free thread local error state, destroying hash upon zero refcount */
771 #ifdef HAVE_ERR_REMOVE_THREAD_STATE
772 ERR_remove_thread_state(NULL);
779 * This function uses SSL_peek to determine connection status.
782 * 1 means the connection is still in place
783 * 0 means the connection has been closed
784 * -1 means the connection status is unknown
786 int Curl_ossl_check_cxn(struct connectdata *conn)
791 rc = SSL_peek(conn->ssl[FIRSTSOCKET].handle, (void*)&buf, 1);
793 return 1; /* connection still in place */
796 return 0; /* connection has been closed */
798 return -1; /* connection status unknown */
801 /* Selects an OpenSSL crypto engine
803 CURLcode Curl_ossl_set_engine(struct SessionHandle *data, const char *engine)
805 #if defined(USE_SSLEAY) && defined(HAVE_OPENSSL_ENGINE_H)
808 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
809 e = ENGINE_by_id(engine);
811 /* avoid memory leak */
812 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
813 const char *e_id = ENGINE_get_id(e);
814 if(!strcmp(engine, e_id))
820 failf(data, "SSL Engine '%s' not found", engine);
821 return CURLE_SSL_ENGINE_NOTFOUND;
824 if(data->state.engine) {
825 ENGINE_finish(data->state.engine);
826 ENGINE_free(data->state.engine);
827 data->state.engine = NULL;
829 if(!ENGINE_init(e)) {
833 failf(data, "Failed to initialise SSL Engine '%s':\n%s",
834 engine, SSL_strerror(ERR_get_error(), buf, sizeof(buf)));
835 return CURLE_SSL_ENGINE_INITFAILED;
837 data->state.engine = e;
841 failf(data, "SSL Engine not supported");
842 return CURLE_SSL_ENGINE_NOTFOUND;
846 /* Sets engine as default for all SSL operations
848 CURLcode Curl_ossl_set_engine_default(struct SessionHandle *data)
850 #ifdef HAVE_OPENSSL_ENGINE_H
851 if(data->state.engine) {
852 if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
853 infof(data,"set default crypto engine '%s'\n",
854 ENGINE_get_id(data->state.engine));
857 failf(data, "set default crypto engine '%s' failed",
858 ENGINE_get_id(data->state.engine));
859 return CURLE_SSL_ENGINE_SETFAILED;
868 /* Return list of OpenSSL crypto engine names.
870 struct curl_slist *Curl_ossl_engines_list(struct SessionHandle *data)
872 struct curl_slist *list = NULL;
873 #if defined(USE_SSLEAY) && defined(HAVE_OPENSSL_ENGINE_H)
874 struct curl_slist *beg;
877 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
878 beg = curl_slist_append(list, ENGINE_get_id(e));
880 curl_slist_free_all(list);
892 * This function is called when an SSL connection is closed.
894 void Curl_ossl_close(struct connectdata *conn, int sockindex)
896 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
898 if(connssl->handle) {
899 (void)SSL_shutdown(connssl->handle);
900 SSL_set_connect_state(connssl->handle);
902 SSL_free (connssl->handle);
903 connssl->handle = NULL;
906 SSL_CTX_free (connssl->ctx);
912 * This function is called to shut down the SSL layer but keep the
913 * socket open (CCC - Clear Command Channel)
915 int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
918 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
919 struct SessionHandle *data = conn->data;
920 char buf[120]; /* We will use this for the OpenSSL error buffer, so it has
921 to be at least 120 bytes long. */
922 unsigned long sslerror;
928 /* This has only been tested on the proftpd server, and the mod_tls code
929 sends a close notify alert without waiting for a close notify alert in
930 response. Thus we wait for a close notify alert from the server, but
931 we do not send one. Let's hope other servers do the same... */
933 if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
934 (void)SSL_shutdown(connssl->handle);
936 if(connssl->handle) {
937 buffsize = (int)sizeof(buf);
939 int what = Curl_socket_ready(conn->sock[sockindex],
940 CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
944 /* Something to read, let's do it and hope that it is the close
945 notify alert from the server */
946 nread = (ssize_t)SSL_read(conn->ssl[sockindex].handle, buf,
948 err = SSL_get_error(conn->ssl[sockindex].handle, (int)nread);
951 case SSL_ERROR_NONE: /* this is not an error */
952 case SSL_ERROR_ZERO_RETURN: /* no more data */
953 /* This is the expected response. There was no data but only
954 the close notify alert */
957 case SSL_ERROR_WANT_READ:
958 /* there's data pending, re-invoke SSL_read() */
959 infof(data, "SSL_ERROR_WANT_READ\n");
961 case SSL_ERROR_WANT_WRITE:
962 /* SSL wants a write. Really odd. Let's bail out. */
963 infof(data, "SSL_ERROR_WANT_WRITE\n");
967 /* openssl/ssl.h says "look at error stack/return value/errno" */
968 sslerror = ERR_get_error();
969 failf(conn->data, "SSL read: %s, errno %d",
970 ERR_error_string(sslerror, buf),
978 failf(data, "SSL shutdown timeout");
982 /* anything that gets here is fatally bad */
983 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
987 } /* while()-loop for the select() */
989 if(data->set.verbose) {
990 #ifdef HAVE_SSL_GET_SHUTDOWN
991 switch(SSL_get_shutdown(connssl->handle)) {
992 case SSL_SENT_SHUTDOWN:
993 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n");
995 case SSL_RECEIVED_SHUTDOWN:
996 infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n");
998 case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN:
999 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|"
1000 "SSL_RECEIVED__SHUTDOWN\n");
1006 SSL_free (connssl->handle);
1007 connssl->handle = NULL;
1012 void Curl_ossl_session_free(void *ptr)
1015 SSL_SESSION_free(ptr);
1019 * This function is called when the 'data' struct is going away. Close
1020 * down everything and free all resources!
1022 int Curl_ossl_close_all(struct SessionHandle *data)
1024 #ifdef HAVE_OPENSSL_ENGINE_H
1025 if(data->state.engine) {
1026 ENGINE_finish(data->state.engine);
1027 ENGINE_free(data->state.engine);
1028 data->state.engine = NULL;
1036 static int asn1_output(const ASN1_UTCTIME *tm,
1040 const char *asn1_string;
1043 int year=0,month=0,day=0,hour=0,minute=0,second=0;
1046 asn1_string=(const char *)tm->data;
1050 if(asn1_string[i-1] == 'Z')
1053 if((asn1_string[i] > '9') || (asn1_string[i] < '0'))
1056 year= (asn1_string[0]-'0')*10+(asn1_string[1]-'0');
1060 month= (asn1_string[2]-'0')*10+(asn1_string[3]-'0');
1061 if((month > 12) || (month < 1))
1064 day= (asn1_string[4]-'0')*10+(asn1_string[5]-'0');
1065 hour= (asn1_string[6]-'0')*10+(asn1_string[7]-'0');
1066 minute= (asn1_string[8]-'0')*10+(asn1_string[9]-'0');
1068 if((asn1_string[10] >= '0') && (asn1_string[10] <= '9') &&
1069 (asn1_string[11] >= '0') && (asn1_string[11] <= '9'))
1070 second= (asn1_string[10]-'0')*10+(asn1_string[11]-'0');
1072 snprintf(buf, sizeofbuf,
1073 "%04d-%02d-%02d %02d:%02d:%02d %s",
1074 year+1900, month, day, hour, minute, second, (gmt?"GMT":""));
1079 /* ====================================================== */
1082 /* Quote from RFC2818 section 3.1 "Server Identity"
1084 If a subjectAltName extension of type dNSName is present, that MUST
1085 be used as the identity. Otherwise, the (most specific) Common Name
1086 field in the Subject field of the certificate MUST be used. Although
1087 the use of the Common Name is existing practice, it is deprecated and
1088 Certification Authorities are encouraged to use the dNSName instead.
1090 Matching is performed using the matching rules specified by
1091 [RFC2459]. If more than one identity of a given type is present in
1092 the certificate (e.g., more than one dNSName name, a match in any one
1093 of the set is considered acceptable.) Names may contain the wildcard
1094 character * which is considered to match any single domain name
1095 component or component fragment. E.g., *.a.com matches foo.a.com but
1096 not bar.foo.a.com. f*.com matches foo.com but not bar.com.
1098 In some cases, the URI is specified as an IP address rather than a
1099 hostname. In this case, the iPAddress subjectAltName must be present
1100 in the certificate and must exactly match the IP in the URI.
1103 static CURLcode verifyhost(struct connectdata *conn,
1106 int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
1108 int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
1110 struct SessionHandle *data = conn->data;
1111 STACK_OF(GENERAL_NAME) *altnames;
1113 struct in6_addr addr;
1115 struct in_addr addr;
1117 CURLcode res = CURLE_OK;
1120 if(conn->bits.ipv6_ip &&
1121 Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
1123 addrlen = sizeof(struct in6_addr);
1127 if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
1129 addrlen = sizeof(struct in_addr);
1132 /* get a "list" of alternative names */
1133 altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
1139 /* get amount of alternatives, RFC2459 claims there MUST be at least
1140 one, but we don't depend on it... */
1141 numalts = sk_GENERAL_NAME_num(altnames);
1143 /* loop through all alternatives while none has matched */
1144 for(i=0; (i<numalts) && (matched != 1); i++) {
1145 /* get a handle to alternative name number i */
1146 const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
1148 /* only check alternatives of the same type the target is */
1149 if(check->type == target) {
1150 /* get data and length */
1151 const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
1152 size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
1155 case GEN_DNS: /* name/pattern comparison */
1156 /* The OpenSSL man page explicitly says: "In general it cannot be
1157 assumed that the data returned by ASN1_STRING_data() is null
1158 terminated or does not contain embedded nulls." But also that
1159 "The actual format of the data will depend on the actual string
1160 type itself: for example for and IA5String the data will be ASCII"
1162 Gisle researched the OpenSSL sources:
1163 "I checked the 0.9.6 and 0.9.8 sources before my patch and
1164 it always 0-terminates an IA5String."
1166 if((altlen == strlen(altptr)) &&
1167 /* if this isn't true, there was an embedded zero in the name
1168 string and we cannot match it. */
1169 Curl_cert_hostcheck(altptr, conn->host.name))
1175 case GEN_IPADD: /* IP address comparison */
1176 /* compare alternative IP address if the data chunk is the same size
1177 our server IP address is */
1178 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
1186 GENERAL_NAMES_free(altnames);
1190 /* an alternative name matched the server hostname */
1191 infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
1192 else if(matched == 0) {
1193 /* an alternative name field existed, but didn't match and then
1195 infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
1196 failf(data, "SSL: no alternative certificate subject name matches "
1197 "target host name '%s'", conn->host.dispname);
1198 res = CURLE_PEER_FAILED_VERIFICATION;
1201 /* we have to look to the last occurrence of a commonName in the
1202 distinguished one to get the most significant one. */
1205 /* The following is done because of a bug in 0.9.6b */
1207 unsigned char *nulstr = (unsigned char *)"";
1208 unsigned char *peer_CN = nulstr;
1210 X509_NAME *name = X509_get_subject_name(server_cert) ;
1212 while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i))>=0)
1215 /* we have the name entry and we will now convert this to a string
1216 that we can use for comparison. Doing this we support BMPstring,
1220 ASN1_STRING *tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i));
1222 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
1223 is already UTF-8 encoded. We check for this case and copy the raw
1224 string manually to avoid the problem. This code can be made
1225 conditional in the future when OpenSSL has been fixed. Work-around
1226 brought by Alexis S. L. Carvalho. */
1228 if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
1229 j = ASN1_STRING_length(tmp);
1231 peer_CN = OPENSSL_malloc(j+1);
1233 memcpy(peer_CN, ASN1_STRING_data(tmp), j);
1238 else /* not a UTF8 name */
1239 j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
1241 if(peer_CN && (curlx_uztosi(strlen((char *)peer_CN)) != j)) {
1242 /* there was a terminating zero before the end of string, this
1243 cannot match and we return failure! */
1244 failf(data, "SSL: illegal cert name field");
1245 res = CURLE_PEER_FAILED_VERIFICATION;
1250 if(peer_CN == nulstr)
1253 /* convert peer_CN from UTF8 */
1254 CURLcode rc = Curl_convert_from_utf8(data, peer_CN, strlen(peer_CN));
1255 /* Curl_convert_from_utf8 calls failf if unsuccessful */
1257 OPENSSL_free(peer_CN);
1263 /* error already detected, pass through */
1267 "SSL: unable to obtain common name from peer certificate");
1268 res = CURLE_PEER_FAILED_VERIFICATION;
1270 else if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
1271 failf(data, "SSL: certificate subject name '%s' does not match "
1272 "target host name '%s'", peer_CN, conn->host.dispname);
1273 res = CURLE_PEER_FAILED_VERIFICATION;
1276 infof(data, "\t common name: %s (matched)\n", peer_CN);
1279 OPENSSL_free(peer_CN);
1283 #endif /* USE_SSLEAY */
1285 /* The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions
1286 and thus this cannot be done there. */
1287 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1289 static const char *ssl_msg_type(int ssl_ver, int msg)
1291 if(ssl_ver == SSL2_VERSION_MAJOR) {
1295 case SSL2_MT_CLIENT_HELLO:
1296 return "Client hello";
1297 case SSL2_MT_CLIENT_MASTER_KEY:
1298 return "Client key";
1299 case SSL2_MT_CLIENT_FINISHED:
1300 return "Client finished";
1301 case SSL2_MT_SERVER_HELLO:
1302 return "Server hello";
1303 case SSL2_MT_SERVER_VERIFY:
1304 return "Server verify";
1305 case SSL2_MT_SERVER_FINISHED:
1306 return "Server finished";
1307 case SSL2_MT_REQUEST_CERTIFICATE:
1308 return "Request CERT";
1309 case SSL2_MT_CLIENT_CERTIFICATE:
1310 return "Client CERT";
1313 else if(ssl_ver == SSL3_VERSION_MAJOR) {
1315 case SSL3_MT_HELLO_REQUEST:
1316 return "Hello request";
1317 case SSL3_MT_CLIENT_HELLO:
1318 return "Client hello";
1319 case SSL3_MT_SERVER_HELLO:
1320 return "Server hello";
1321 case SSL3_MT_CERTIFICATE:
1323 case SSL3_MT_SERVER_KEY_EXCHANGE:
1324 return "Server key exchange";
1325 case SSL3_MT_CLIENT_KEY_EXCHANGE:
1326 return "Client key exchange";
1327 case SSL3_MT_CERTIFICATE_REQUEST:
1328 return "Request CERT";
1329 case SSL3_MT_SERVER_DONE:
1330 return "Server finished";
1331 case SSL3_MT_CERTIFICATE_VERIFY:
1332 return "CERT verify";
1333 case SSL3_MT_FINISHED:
1340 static const char *tls_rt_type(int type)
1343 type == SSL3_RT_CHANGE_CIPHER_SPEC ? "TLS change cipher, " :
1344 type == SSL3_RT_ALERT ? "TLS alert, " :
1345 type == SSL3_RT_HANDSHAKE ? "TLS handshake, " :
1346 type == SSL3_RT_APPLICATION_DATA ? "TLS app data, " :
1352 * Our callback from the SSL/TLS layers.
1354 static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
1355 const void *buf, size_t len, const SSL *ssl,
1356 struct connectdata *conn)
1358 struct SessionHandle *data;
1359 const char *msg_name, *tls_rt_name;
1361 int ver, msg_type, txt_len;
1363 if(!conn || !conn->data || !conn->data->set.fdebug ||
1364 (direction != 0 && direction != 1))
1369 ver = (ssl_ver == SSL2_VERSION_MAJOR ? '2' :
1370 ssl_ver == SSL3_VERSION_MAJOR ? '3' : '?');
1372 /* SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL
1373 * always pass-up content-type as 0. But the interesting message-type
1376 if(ssl_ver == SSL3_VERSION_MAJOR && content_type != 0)
1377 tls_rt_name = tls_rt_type(content_type);
1381 msg_type = *(char*)buf;
1382 msg_name = ssl_msg_type(ssl_ver, msg_type);
1384 txt_len = snprintf(ssl_buf, sizeof(ssl_buf), "SSLv%c, %s%s (%d):\n",
1385 ver, tls_rt_name, msg_name, msg_type);
1386 Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len, NULL);
1388 Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
1389 CURLINFO_SSL_DATA_IN, (char *)buf, len, NULL);
1395 /* ====================================================== */
1397 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1398 # define use_sni(x) sni = (x)
1400 # define use_sni(x) Curl_nop_stmt
1406 #if defined(HAVE_SSL_CTX_SET_ALPN_PROTOS) && \
1407 defined(HAVE_SSL_CTX_SET_ALPN_SELECT_CB)
1411 #if !defined(HAVE_SSL_CTX_SET_NEXT_PROTO_SELECT_CB) || \
1412 defined(OPENSSL_NO_NEXTPROTONEG)
1413 # if !defined(HAS_ALPN)
1414 # error http2 builds require OpenSSL with NPN or ALPN support
1420 * in is a list of lenght prefixed strings. this function has to select
1421 * the protocol we want to use from the list and write its string into out.
1424 select_next_proto_cb(SSL *ssl,
1425 unsigned char **out, unsigned char *outlen,
1426 const unsigned char *in, unsigned int inlen,
1429 struct connectdata *conn = (struct connectdata*) arg;
1430 int retval = nghttp2_select_next_protocol(out, outlen, in, inlen);
1434 infof(conn->data, "NPN, negotiated HTTP2 (%s)\n",
1435 NGHTTP2_PROTO_VERSION_ID);
1436 conn->negnpn = NPN_HTTP2;
1438 else if(retval == 0) {
1439 infof(conn->data, "NPN, negotiated HTTP1.1\n");
1440 conn->negnpn = NPN_HTTP1_1;
1443 infof(conn->data, "NPN, no overlap, use HTTP1.1\n",
1444 NGHTTP2_PROTO_VERSION_ID);
1445 *out = (unsigned char*)"http/1.1";
1446 *outlen = sizeof("http/1.1") - 1;
1447 conn->negnpn = NPN_HTTP1_1;
1450 return SSL_TLSEXT_ERR_OK;
1455 get_ssl_version_txt(SSL_SESSION *session)
1460 switch(session->ssl_version) {
1461 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1462 case TLS1_2_VERSION:
1464 case TLS1_1_VERSION:
1479 ossl_connect_step1(struct connectdata *conn,
1482 CURLcode retcode = CURLE_OK;
1484 struct SessionHandle *data = conn->data;
1485 SSL_METHOD_QUAL SSL_METHOD *req_method=NULL;
1486 void *ssl_sessionid=NULL;
1487 X509_LOOKUP *lookup=NULL;
1488 curl_socket_t sockfd = conn->sock[sockindex];
1489 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1491 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1494 struct in6_addr addr;
1496 struct in_addr addr;
1500 unsigned char protocols[128];
1503 DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
1505 /* Make funny stuff to get random input */
1506 Curl_ossl_seed(data);
1508 data->set.ssl.certverifyresult = !X509_V_OK;
1510 /* check to see if we've been told to use an explicit SSL/TLS version */
1512 switch(data->set.ssl.version) {
1514 case CURL_SSLVERSION_DEFAULT:
1515 case CURL_SSLVERSION_TLSv1:
1516 case CURL_SSLVERSION_TLSv1_0:
1517 case CURL_SSLVERSION_TLSv1_1:
1518 case CURL_SSLVERSION_TLSv1_2:
1519 /* it will be handled later with the context options */
1520 req_method = SSLv23_client_method();
1523 case CURL_SSLVERSION_SSLv2:
1524 #ifdef OPENSSL_NO_SSL2
1525 failf(data, "OpenSSL was built without SSLv2 support");
1526 return CURLE_NOT_BUILT_IN;
1529 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
1530 return CURLE_SSL_CONNECT_ERROR;
1532 req_method = SSLv2_client_method();
1536 case CURL_SSLVERSION_SSLv3:
1538 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
1539 return CURLE_SSL_CONNECT_ERROR;
1541 req_method = SSLv3_client_method();
1547 SSL_CTX_free(connssl->ctx);
1548 connssl->ctx = SSL_CTX_new(req_method);
1551 failf(data, "SSL: couldn't create a context: %s",
1552 ERR_error_string(ERR_peek_error(), NULL));
1553 return CURLE_OUT_OF_MEMORY;
1556 #ifdef SSL_MODE_RELEASE_BUFFERS
1557 SSL_CTX_set_mode(connssl->ctx, SSL_MODE_RELEASE_BUFFERS);
1560 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1561 if(data->set.fdebug && data->set.verbose) {
1562 /* the SSL trace callback is only used for verbose logging so we only
1563 inform about failures of setting it */
1564 if(!SSL_CTX_callback_ctrl(connssl->ctx, SSL_CTRL_SET_MSG_CALLBACK,
1565 (void (*)(void))ssl_tls_trace)) {
1566 infof(data, "SSL: couldn't set callback!\n");
1568 else if(!SSL_CTX_ctrl(connssl->ctx, SSL_CTRL_SET_MSG_CALLBACK_ARG, 0,
1570 infof(data, "SSL: couldn't set callback argument!\n");
1575 /* OpenSSL contains code to work-around lots of bugs and flaws in various
1576 SSL-implementations. SSL_CTX_set_options() is used to enabled those
1577 work-arounds. The man page for this option states that SSL_OP_ALL enables
1578 all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
1579 enable the bug workaround options if compatibility with somewhat broken
1580 implementations is desired."
1582 The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
1583 disable "rfc4507bis session ticket support". rfc4507bis was later turned
1584 into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
1586 The enabled extension concerns the session management. I wonder how often
1587 libcurl stops a connection and then resumes a TLS session. also, sending
1588 the session data is some overhead. .I suggest that you just use your
1589 proposed patch (which explicitly disables TICKET).
1591 If someone writes an application with libcurl and openssl who wants to
1592 enable the feature, one can do this in the SSL callback.
1594 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
1595 interoperability with web server Netscape Enterprise Server 2.0.1 which
1596 was released back in 1996.
1598 Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
1599 become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
1600 CVE-2010-4180 when using previous OpenSSL versions we no longer enable
1601 this option regardless of OpenSSL version and SSL_OP_ALL definition.
1603 OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
1604 (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
1605 SSL_OP_ALL that _disables_ that work-around despite the fact that
1606 SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
1607 keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
1611 ctx_options = SSL_OP_ALL;
1613 #ifdef SSL_OP_NO_TICKET
1614 ctx_options |= SSL_OP_NO_TICKET;
1617 #ifdef SSL_OP_NO_COMPRESSION
1618 ctx_options |= SSL_OP_NO_COMPRESSION;
1621 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1622 /* mitigate CVE-2010-4180 */
1623 ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
1626 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1627 /* unless the user explicitly ask to allow the protocol vulnerability we
1628 use the work-around */
1629 if(!conn->data->set.ssl_enable_beast)
1630 ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1633 switch(data->set.ssl.version) {
1634 case CURL_SSLVERSION_DEFAULT:
1635 ctx_options |= SSL_OP_NO_SSLv2;
1637 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
1638 infof(data, "Set version TLSv1.x for SRP authorisation\n");
1639 ctx_options |= SSL_OP_NO_SSLv3;
1644 case CURL_SSLVERSION_SSLv3:
1645 ctx_options |= SSL_OP_NO_SSLv2;
1646 ctx_options |= SSL_OP_NO_TLSv1;
1647 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1648 ctx_options |= SSL_OP_NO_TLSv1_1;
1649 ctx_options |= SSL_OP_NO_TLSv1_2;
1653 case CURL_SSLVERSION_TLSv1:
1654 ctx_options |= SSL_OP_NO_SSLv2;
1655 ctx_options |= SSL_OP_NO_SSLv3;
1658 case CURL_SSLVERSION_TLSv1_0:
1659 ctx_options |= SSL_OP_NO_SSLv2;
1660 ctx_options |= SSL_OP_NO_SSLv3;
1661 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1662 ctx_options |= SSL_OP_NO_TLSv1_1;
1663 ctx_options |= SSL_OP_NO_TLSv1_2;
1667 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1668 case CURL_SSLVERSION_TLSv1_1:
1669 ctx_options |= SSL_OP_NO_SSLv2;
1670 ctx_options |= SSL_OP_NO_SSLv3;
1671 ctx_options |= SSL_OP_NO_TLSv1;
1672 ctx_options |= SSL_OP_NO_TLSv1_2;
1675 case CURL_SSLVERSION_TLSv1_2:
1676 ctx_options |= SSL_OP_NO_SSLv2;
1677 ctx_options |= SSL_OP_NO_SSLv3;
1678 ctx_options |= SSL_OP_NO_TLSv1;
1679 ctx_options |= SSL_OP_NO_TLSv1_1;
1683 #ifndef OPENSSL_NO_SSL2
1684 case CURL_SSLVERSION_SSLv2:
1685 ctx_options |= SSL_OP_NO_SSLv3;
1686 ctx_options |= SSL_OP_NO_TLSv1;
1687 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1688 ctx_options |= SSL_OP_NO_TLSv1_1;
1689 ctx_options |= SSL_OP_NO_TLSv1_2;
1695 failf(data, "Unsupported SSL protocol version");
1696 return CURLE_SSL_CONNECT_ERROR;
1699 SSL_CTX_set_options(connssl->ctx, ctx_options);
1702 if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
1703 if(data->set.ssl_enable_npn) {
1704 SSL_CTX_set_next_proto_select_cb(connssl->ctx, select_next_proto_cb,
1709 if(data->set.ssl_enable_alpn) {
1710 protocols[0] = NGHTTP2_PROTO_VERSION_ID_LEN;
1711 memcpy(&protocols[1], NGHTTP2_PROTO_VERSION_ID,
1712 NGHTTP2_PROTO_VERSION_ID_LEN);
1714 protocols[NGHTTP2_PROTO_VERSION_ID_LEN+1] = ALPN_HTTP_1_1_LENGTH;
1715 memcpy(&protocols[NGHTTP2_PROTO_VERSION_ID_LEN+2], ALPN_HTTP_1_1,
1716 ALPN_HTTP_1_1_LENGTH);
1718 /* expects length prefixed preference ordered list of protocols in wire
1721 SSL_CTX_set_alpn_protos(connssl->ctx, protocols,
1722 NGHTTP2_PROTO_VERSION_ID_LEN + ALPN_HTTP_1_1_LENGTH + 2);
1724 infof(data, "ALPN, offering %s, %s\n", NGHTTP2_PROTO_VERSION_ID,
1731 if(data->set.str[STRING_CERT] || data->set.str[STRING_CERT_TYPE]) {
1732 if(!cert_stuff(conn,
1734 data->set.str[STRING_CERT],
1735 data->set.str[STRING_CERT_TYPE],
1736 data->set.str[STRING_KEY],
1737 data->set.str[STRING_KEY_TYPE])) {
1738 /* failf() is already done in cert_stuff() */
1739 return CURLE_SSL_CERTPROBLEM;
1743 ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
1745 ciphers = (char *)DEFAULT_CIPHER_SELECTION;
1746 if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
1747 failf(data, "failed setting cipher list: %s", ciphers);
1748 return CURLE_SSL_CIPHER;
1752 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
1753 infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
1755 if(!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) {
1756 failf(data, "Unable to set SRP user name");
1757 return CURLE_BAD_FUNCTION_ARGUMENT;
1759 if(!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) {
1760 failf(data, "failed setting SRP password");
1761 return CURLE_BAD_FUNCTION_ARGUMENT;
1763 if(!data->set.str[STRING_SSL_CIPHER_LIST]) {
1764 infof(data, "Setting cipher list SRP\n");
1766 if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
1767 failf(data, "failed setting SRP cipher list");
1768 return CURLE_SSL_CIPHER;
1773 if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
1774 /* tell SSL where to find CA certificates that are used to verify
1775 the servers certificate. */
1776 if(!SSL_CTX_load_verify_locations(connssl->ctx,
1777 data->set.str[STRING_SSL_CAFILE],
1778 data->set.str[STRING_SSL_CAPATH])) {
1779 if(data->set.ssl.verifypeer) {
1780 /* Fail if we insist on successfully verifying the server. */
1781 failf(data,"error setting certificate verify locations:\n"
1782 " CAfile: %s\n CApath: %s",
1783 data->set.str[STRING_SSL_CAFILE]?
1784 data->set.str[STRING_SSL_CAFILE]: "none",
1785 data->set.str[STRING_SSL_CAPATH]?
1786 data->set.str[STRING_SSL_CAPATH] : "none");
1787 return CURLE_SSL_CACERT_BADFILE;
1790 /* Just continue with a warning if no strict certificate verification
1792 infof(data, "error setting certificate verify locations,"
1793 " continuing anyway:\n");
1797 /* Everything is fine. */
1798 infof(data, "successfully set certificate verify locations:\n");
1803 data->set.str[STRING_SSL_CAFILE] ? data->set.str[STRING_SSL_CAFILE]:
1805 data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
1809 if(data->set.str[STRING_SSL_CRLFILE]) {
1810 /* tell SSL where to find CRL file that is used to check certificate
1812 lookup=X509_STORE_add_lookup(SSL_CTX_get_cert_store(connssl->ctx),
1813 X509_LOOKUP_file());
1815 (!X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE],
1816 X509_FILETYPE_PEM)) ) {
1817 failf(data,"error loading CRL file: %s",
1818 data->set.str[STRING_SSL_CRLFILE]);
1819 return CURLE_SSL_CRL_BADFILE;
1822 /* Everything is fine. */
1823 infof(data, "successfully load CRL file:\n");
1824 X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
1825 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1828 " CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ?
1829 data->set.str[STRING_SSL_CRLFILE]: "none");
1832 /* SSL always tries to verify the peer, this only says whether it should
1833 * fail to connect if the verification fails, or if it should continue
1834 * anyway. In the latter case the result of the verification is checked with
1835 * SSL_get_verify_result() below. */
1836 SSL_CTX_set_verify(connssl->ctx,
1837 data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
1838 cert_verify_callback);
1840 /* give application a chance to interfere with SSL set up. */
1841 if(data->set.ssl.fsslctx) {
1842 retcode = (*data->set.ssl.fsslctx)(data, connssl->ctx,
1843 data->set.ssl.fsslctxp);
1845 failf(data,"error signaled by ssl ctx callback");
1850 /* Lets make an SSL structure */
1852 SSL_free(connssl->handle);
1853 connssl->handle = SSL_new(connssl->ctx);
1854 if(!connssl->handle) {
1855 failf(data, "SSL: couldn't create a context (handle)!");
1856 return CURLE_OUT_OF_MEMORY;
1858 SSL_set_connect_state(connssl->handle);
1860 connssl->server_cert = 0x0;
1862 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1863 if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
1865 (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
1868 !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
1869 infof(data, "WARNING: failed to configure server name indication (SNI) "
1873 /* Check if there's a cached ID we can/should use here! */
1874 if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
1875 /* we got a session id, use it! */
1876 if(!SSL_set_session(connssl->handle, ssl_sessionid)) {
1877 failf(data, "SSL: SSL_set_session failed: %s",
1878 ERR_error_string(ERR_get_error(),NULL));
1879 return CURLE_SSL_CONNECT_ERROR;
1881 /* Informational message */
1882 infof (data, "SSL re-using session ID\n");
1885 /* pass the raw socket into the SSL layers */
1886 if(!SSL_set_fd(connssl->handle, (int)sockfd)) {
1887 failf(data, "SSL: SSL_set_fd failed: %s",
1888 ERR_error_string(ERR_get_error(),NULL));
1889 return CURLE_SSL_CONNECT_ERROR;
1892 connssl->connecting_state = ssl_connect_2;
1897 ossl_connect_step2(struct connectdata *conn, int sockindex)
1899 struct SessionHandle *data = conn->data;
1901 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1902 DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
1903 || ssl_connect_2_reading == connssl->connecting_state
1904 || ssl_connect_2_writing == connssl->connecting_state);
1908 err = SSL_connect(connssl->handle);
1911 0 is "not successful but was shut down controlled"
1912 <0 is "handshake was not successful, because a fatal error occurred" */
1914 int detail = SSL_get_error(connssl->handle, err);
1916 if(SSL_ERROR_WANT_READ == detail) {
1917 connssl->connecting_state = ssl_connect_2_reading;
1920 else if(SSL_ERROR_WANT_WRITE == detail) {
1921 connssl->connecting_state = ssl_connect_2_writing;
1925 /* untreated error */
1926 unsigned long errdetail;
1927 char error_buffer[256]; /* OpenSSL documents that this must be at least
1930 const char *cert_problem = NULL;
1933 connssl->connecting_state = ssl_connect_2; /* the connection failed,
1934 we're not waiting for
1937 errdetail = ERR_get_error(); /* Gets the earliest error code from the
1938 thread's error queue and removes the
1945 SSL2_SET_CERTIFICATE:
1946 certificate verify failed */
1951 SSL3_GET_SERVER_CERTIFICATE:
1952 certificate verify failed */
1953 rc = CURLE_SSL_CACERT;
1955 lerr = SSL_get_verify_result(connssl->handle);
1956 if(lerr != X509_V_OK) {
1957 snprintf(error_buffer, sizeof(error_buffer),
1958 "SSL certificate problem: %s",
1959 X509_verify_cert_error_string(lerr));
1962 cert_problem = "SSL certificate problem, verify that the CA cert is"
1967 rc = CURLE_SSL_CONNECT_ERROR;
1968 SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
1972 /* detail is already set to the SSL error above */
1974 /* If we e.g. use SSLv2 request-method and the server doesn't like us
1975 * (RST connection etc.), OpenSSL gives no explanation whatsoever and
1976 * the SO_ERROR is also lost.
1978 if(CURLE_SSL_CONNECT_ERROR == rc && errdetail == 0) {
1979 failf(data, "Unknown SSL protocol error in connection to %s:%ld ",
1980 conn->host.name, conn->remote_port);
1983 /* Could be a CERT problem */
1985 failf(data, "%s%s", cert_problem ? cert_problem : "", error_buffer);
1990 /* we have been connected fine, we're not waiting for anything else. */
1991 connssl->connecting_state = ssl_connect_3;
1993 /* Informational message */
1994 infof (data, "SSL connection using %s / %s\n",
1995 get_ssl_version_txt(SSL_get_session(connssl->handle)),
1996 SSL_get_cipher(connssl->handle));
1999 /* Sets data and len to negotiated protocol, len is 0 if no protocol was
2002 if(data->set.ssl_enable_alpn) {
2003 const unsigned char* neg_protocol;
2005 SSL_get0_alpn_selected(connssl->handle, &neg_protocol, &len);
2007 infof(data, "ALPN, server accepted to use %.*s\n", len, neg_protocol);
2009 if(len == NGHTTP2_PROTO_VERSION_ID_LEN &&
2010 memcmp(NGHTTP2_PROTO_VERSION_ID, neg_protocol, len) == 0) {
2011 conn->negnpn = NPN_HTTP2;
2013 else if(len == ALPN_HTTP_1_1_LENGTH && memcmp(ALPN_HTTP_1_1,
2014 neg_protocol, ALPN_HTTP_1_1_LENGTH) == 0) {
2015 conn->negnpn = NPN_HTTP1_1;
2019 infof(data, "ALPN, server did not agree to a protocol\n");
2028 static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
2032 if((ilen = (int)len) < 0)
2033 return 1; /* buffer too big */
2035 i = i2t_ASN1_OBJECT(buf, ilen, a);
2038 return 1; /* buffer too small */
2043 static void pubkey_show(struct SessionHandle *data,
2056 buffer = malloc(left);
2059 snprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
2060 for(i=0; i< len; i++) {
2061 snprintf(ptr, left, "%02x:", raw[i]);
2065 infof(data, " %s: %s\n", namebuf, buffer);
2066 Curl_ssl_push_certinfo(data, num, namebuf, buffer);
2071 #define print_pubkey_BN(_type, _name, _num) \
2073 if(pubkey->pkey._type->_name != NULL) { \
2074 int len = BN_num_bytes(pubkey->pkey._type->_name); \
2075 if(len < CERTBUFFERSIZE) { \
2076 BN_bn2bin(pubkey->pkey._type->_name, (unsigned char*)bufp); \
2078 pubkey_show(data, _num, #_type, #_name, (unsigned char*)bufp, len); \
2083 static int X509V3_ext(struct SessionHandle *data,
2085 STACK_OF(X509_EXTENSION) *exts)
2090 if(sk_X509_EXTENSION_num(exts) <= 0)
2091 /* no extensions, bail out */
2094 for(i=0; i<sk_X509_EXTENSION_num(exts); i++) {
2096 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
2101 BIO *bio_out = BIO_new(BIO_s_mem());
2106 obj = X509_EXTENSION_get_object(ext);
2108 asn1_object_dump(obj, namebuf, sizeof(namebuf));
2110 infof(data, "%s: %s\n", namebuf,
2111 X509_EXTENSION_get_critical(ext)?"(critical)":"");
2113 if(!X509V3_EXT_print(bio_out, ext, 0, 0))
2114 M_ASN1_OCTET_STRING_print(bio_out, ext->value);
2116 BIO_get_mem_ptr(bio_out, &biomem);
2118 /* biomem->length bytes at biomem->data, this little loop here is only
2119 done for the infof() call, we send the "raw" data to the certinfo
2121 for(j=0; j<(size_t)biomem->length; j++) {
2123 if(biomem->data[j] == '\n') {
2125 j++; /* skip the newline */
2127 while((j<(size_t)biomem->length) && (biomem->data[j] == ' '))
2129 if(j<(size_t)biomem->length)
2130 ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep,
2133 infof(data, " %s\n", buf);
2135 Curl_ssl_push_certinfo(data, certnum, namebuf, buf);
2140 return 0; /* all is fine */
2144 static void X509_signature(struct SessionHandle *data,
2151 for(i=0; i<sig->length; i++)
2152 ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%02x:", sig->data[i]);
2154 infof(data, " Signature: %s\n", buf);
2155 Curl_ssl_push_certinfo(data, numcert, "Signature", buf);
2158 static void dumpcert(struct SessionHandle *data, X509 *x, int numcert)
2160 BIO *bio_out = BIO_new(BIO_s_mem());
2163 /* this outputs the cert in this 64 column wide style with newlines and
2164 -----BEGIN CERTIFICATE----- texts and more */
2165 PEM_write_bio_X509(bio_out, x);
2167 BIO_get_mem_ptr(bio_out, &biomem);
2169 Curl_ssl_push_certinfo_len(data, numcert,
2170 "Cert", biomem->data, biomem->length);
2177 * This size was previously 512 which has been reported "too small" without
2178 * any specifics, so it was enlarged to allow more data to get shown uncut.
2179 * The "perfect" size is yet to figure out.
2181 #define CERTBUFFERSIZE 8192
2183 static CURLcode get_cert_chain(struct connectdata *conn,
2184 struct ssl_connect_data *connssl)
2190 struct SessionHandle *data = conn->data;
2193 bufp = malloc(CERTBUFFERSIZE);
2195 return CURLE_OUT_OF_MEMORY;
2197 sk = SSL_get_peer_cert_chain(connssl->handle);
2200 return CURLE_OUT_OF_MEMORY;
2203 numcerts = sk_X509_num(sk);
2204 if(Curl_ssl_init_certinfo(data, numcerts)) {
2206 return CURLE_OUT_OF_MEMORY;
2209 infof(data, "--- Certificate chain\n");
2210 for(i=0; i<numcerts; i++) {
2213 ASN1_TIME *certdate;
2215 /* get the certs in "importance order" */
2217 X509 *x = sk_X509_value(sk, numcerts - i - 1);
2219 X509 *x = sk_X509_value(sk, i);
2223 EVP_PKEY *pubkey=NULL;
2227 (void)x509_name_oneline(X509_get_subject_name(x), bufp, CERTBUFFERSIZE);
2228 infof(data, "%2d Subject: %s\n", i, bufp);
2229 Curl_ssl_push_certinfo(data, i, "Subject", bufp);
2231 (void)x509_name_oneline(X509_get_issuer_name(x), bufp, CERTBUFFERSIZE);
2232 infof(data, " Issuer: %s\n", bufp);
2233 Curl_ssl_push_certinfo(data, i, "Issuer", bufp);
2235 value = X509_get_version(x);
2236 infof(data, " Version: %lu (0x%lx)\n", value+1, value);
2237 snprintf(bufp, CERTBUFFERSIZE, "%lx", value);
2238 Curl_ssl_push_certinfo(data, i, "Version", bufp); /* hex */
2240 num=X509_get_serialNumber(x);
2241 if(num->length <= 4) {
2242 value = ASN1_INTEGER_get(num);
2243 infof(data," Serial Number: %ld (0x%lx)\n", value, value);
2244 snprintf(bufp, CERTBUFFERSIZE, "%lx", value);
2247 int left = CERTBUFFERSIZE;
2251 if(num->type == V_ASN1_NEG_INTEGER)
2254 for(j=0; (j<num->length) && (left>=4); j++) {
2255 /* TODO: length restrictions */
2256 snprintf(ptr, 3, "%02x%c",num->data[j],
2257 ((j+1 == num->length)?'\n':':'));
2262 infof(data," Serial Number: %s\n", bufp);
2267 Curl_ssl_push_certinfo(data, i, "Serial Number", bufp); /* hex */
2269 cinf = x->cert_info;
2271 j = asn1_object_dump(cinf->signature->algorithm, bufp, CERTBUFFERSIZE);
2273 infof(data, " Signature Algorithm: %s\n", bufp);
2274 Curl_ssl_push_certinfo(data, i, "Signature Algorithm", bufp);
2277 certdate = X509_get_notBefore(x);
2278 asn1_output(certdate, bufp, CERTBUFFERSIZE);
2279 infof(data, " Start date: %s\n", bufp);
2280 Curl_ssl_push_certinfo(data, i, "Start date", bufp);
2282 certdate = X509_get_notAfter(x);
2283 asn1_output(certdate, bufp, CERTBUFFERSIZE);
2284 infof(data, " Expire date: %s\n", bufp);
2285 Curl_ssl_push_certinfo(data, i, "Expire date", bufp);
2287 j = asn1_object_dump(cinf->key->algor->algorithm, bufp, CERTBUFFERSIZE);
2289 infof(data, " Public Key Algorithm: %s\n", bufp);
2290 Curl_ssl_push_certinfo(data, i, "Public Key Algorithm", bufp);
2293 pubkey = X509_get_pubkey(x);
2295 infof(data, " Unable to load public key\n");
2297 switch(pubkey->type) {
2299 infof(data, " RSA Public Key (%d bits)\n",
2300 BN_num_bits(pubkey->pkey.rsa->n));
2301 snprintf(bufp, CERTBUFFERSIZE, "%d", BN_num_bits(pubkey->pkey.rsa->n));
2302 Curl_ssl_push_certinfo(data, i, "RSA Public Key", bufp);
2304 print_pubkey_BN(rsa, n, i);
2305 print_pubkey_BN(rsa, e, i);
2306 print_pubkey_BN(rsa, d, i);
2307 print_pubkey_BN(rsa, p, i);
2308 print_pubkey_BN(rsa, q, i);
2309 print_pubkey_BN(rsa, dmp1, i);
2310 print_pubkey_BN(rsa, dmq1, i);
2311 print_pubkey_BN(rsa, iqmp, i);
2314 print_pubkey_BN(dsa, p, i);
2315 print_pubkey_BN(dsa, q, i);
2316 print_pubkey_BN(dsa, g, i);
2317 print_pubkey_BN(dsa, priv_key, i);
2318 print_pubkey_BN(dsa, pub_key, i);
2321 print_pubkey_BN(dh, p, i);
2322 print_pubkey_BN(dh, g, i);
2323 print_pubkey_BN(dh, priv_key, i);
2324 print_pubkey_BN(dh, pub_key, i);
2327 case EVP_PKEY_EC: /* symbol not present in OpenSSL 0.9.6 */
2332 EVP_PKEY_free(pubkey);
2335 X509V3_ext(data, i, cinf->extensions);
2337 X509_signature(data, i, x->signature);
2339 dumpcert(data, x, i);
2348 * Get the server cert, verify it and show it etc, only call failf() if the
2349 * 'strict' argument is TRUE as otherwise all this is for informational
2352 * We check certificates to authenticate the server; otherwise we risk
2353 * man-in-the-middle attack.
2355 static CURLcode servercert(struct connectdata *conn,
2356 struct ssl_connect_data *connssl,
2359 CURLcode retcode = CURLE_OK;
2362 ASN1_TIME *certdate;
2363 struct SessionHandle *data = conn->data;
2366 char *buffer = data->state.buffer;
2368 if(data->set.ssl.certinfo)
2369 /* we've been asked to gather certificate info! */
2370 (void)get_cert_chain(conn, connssl);
2372 connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
2373 if(!connssl->server_cert) {
2375 failf(data, "SSL: couldn't get peer certificate!");
2376 return CURLE_PEER_FAILED_VERIFICATION;
2378 infof (data, "Server certificate:\n");
2380 rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
2382 infof(data, "\t subject: %s\n", rc?"[NONE]":buffer);
2384 certdate = X509_get_notBefore(connssl->server_cert);
2385 asn1_output(certdate, buffer, BUFSIZE);
2386 infof(data, "\t start date: %s\n", buffer);
2388 certdate = X509_get_notAfter(connssl->server_cert);
2389 asn1_output(certdate, buffer, BUFSIZE);
2390 infof(data, "\t expire date: %s\n", buffer);
2392 if(data->set.ssl.verifyhost) {
2393 retcode = verifyhost(conn, connssl->server_cert);
2395 X509_free(connssl->server_cert);
2396 connssl->server_cert = NULL;
2401 rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert),
2405 failf(data, "SSL: couldn't get X509-issuer name!");
2406 retcode = CURLE_SSL_CONNECT_ERROR;
2409 infof(data, "\t issuer: %s\n", buffer);
2411 /* We could do all sorts of certificate verification stuff here before
2412 deallocating the certificate. */
2414 /* e.g. match issuer name with provided issuer certificate */
2415 if(data->set.str[STRING_SSL_ISSUERCERT]) {
2416 fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r");
2419 failf(data, "SSL: Unable to open issuer cert (%s)",
2420 data->set.str[STRING_SSL_ISSUERCERT]);
2421 X509_free(connssl->server_cert);
2422 connssl->server_cert = NULL;
2423 return CURLE_SSL_ISSUER_ERROR;
2425 issuer = PEM_read_X509(fp,NULL,ZERO_NULL,NULL);
2428 failf(data, "SSL: Unable to read issuer cert (%s)",
2429 data->set.str[STRING_SSL_ISSUERCERT]);
2430 X509_free(connssl->server_cert);
2433 return CURLE_SSL_ISSUER_ERROR;
2436 if(X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) {
2438 failf(data, "SSL: Certificate issuer check failed (%s)",
2439 data->set.str[STRING_SSL_ISSUERCERT]);
2440 X509_free(connssl->server_cert);
2442 connssl->server_cert = NULL;
2443 return CURLE_SSL_ISSUER_ERROR;
2445 infof(data, "\t SSL certificate issuer check ok (%s)\n",
2446 data->set.str[STRING_SSL_ISSUERCERT]);
2450 lerr = data->set.ssl.certverifyresult=
2451 SSL_get_verify_result(connssl->handle);
2452 if(data->set.ssl.certverifyresult != X509_V_OK) {
2453 if(data->set.ssl.verifypeer) {
2454 /* We probably never reach this, because SSL_connect() will fail
2455 and we return earlier if verifypeer is set? */
2457 failf(data, "SSL certificate verify result: %s (%ld)",
2458 X509_verify_cert_error_string(lerr), lerr);
2459 retcode = CURLE_PEER_FAILED_VERIFICATION;
2462 infof(data, "\t SSL certificate verify result: %s (%ld),"
2463 " continuing anyway.\n",
2464 X509_verify_cert_error_string(lerr), lerr);
2467 infof(data, "\t SSL certificate verify ok.\n");
2470 X509_free(connssl->server_cert);
2471 connssl->server_cert = NULL;
2472 connssl->connecting_state = ssl_connect_done;
2479 ossl_connect_step3(struct connectdata *conn,
2482 CURLcode retcode = CURLE_OK;
2483 void *old_ssl_sessionid=NULL;
2484 struct SessionHandle *data = conn->data;
2485 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2487 SSL_SESSION *our_ssl_sessionid;
2489 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
2491 #ifdef HAVE_SSL_GET1_SESSION
2492 our_ssl_sessionid = SSL_get1_session(connssl->handle);
2494 /* SSL_get1_session() will increment the reference
2495 count and the session will stay in memory until explicitly freed with
2496 SSL_SESSION_free(3), regardless of its state.
2497 This function was introduced in openssl 0.9.5a. */
2499 our_ssl_sessionid = SSL_get_session(connssl->handle);
2501 /* if SSL_get1_session() is unavailable, use SSL_get_session().
2502 This is an inferior option because the session can be flushed
2503 at any time by openssl. It is included only so curl compiles
2504 under versions of openssl < 0.9.5a.
2506 WARNING: How curl behaves if it's session is flushed is
2511 incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL));
2513 if(old_ssl_sessionid != our_ssl_sessionid) {
2514 infof(data, "old SSL session ID is stale, removing\n");
2515 Curl_ssl_delsessionid(conn, old_ssl_sessionid);
2520 retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
2521 0 /* unknown size */);
2523 failf(data, "failed to store ssl session");
2527 #ifdef HAVE_SSL_GET1_SESSION
2529 /* Session was incache, so refcount already incremented earlier.
2530 * Avoid further increments with each SSL_get1_session() call.
2531 * This does not free the session as refcount remains > 0
2533 SSL_SESSION_free(our_ssl_sessionid);
2538 * We check certificates to authenticate the server; otherwise we risk
2539 * man-in-the-middle attack; NEVERTHELESS, if we're told explicitly not to
2540 * verify the peer ignore faults and failures from the server cert
2544 if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
2545 (void)servercert(conn, connssl, FALSE);
2547 retcode = servercert(conn, connssl, TRUE);
2549 if(CURLE_OK == retcode)
2550 connssl->connecting_state = ssl_connect_done;
2554 static Curl_recv ossl_recv;
2555 static Curl_send ossl_send;
2558 ossl_connect_common(struct connectdata *conn,
2564 struct SessionHandle *data = conn->data;
2565 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2566 curl_socket_t sockfd = conn->sock[sockindex];
2570 /* check if the connection has already been established */
2571 if(ssl_connection_complete == connssl->state) {
2576 if(ssl_connect_1==connssl->connecting_state) {
2577 /* Find out how much more time we're allowed */
2578 timeout_ms = Curl_timeleft(data, NULL, TRUE);
2580 if(timeout_ms < 0) {
2581 /* no need to continue if time already is up */
2582 failf(data, "SSL connection timeout");
2583 return CURLE_OPERATION_TIMEDOUT;
2585 retcode = ossl_connect_step1(conn, sockindex);
2590 while(ssl_connect_2 == connssl->connecting_state ||
2591 ssl_connect_2_reading == connssl->connecting_state ||
2592 ssl_connect_2_writing == connssl->connecting_state) {
2594 /* check allowed time left */
2595 timeout_ms = Curl_timeleft(data, NULL, TRUE);
2597 if(timeout_ms < 0) {
2598 /* no need to continue if time already is up */
2599 failf(data, "SSL connection timeout");
2600 return CURLE_OPERATION_TIMEDOUT;
2603 /* if ssl is expecting something, check if it's available. */
2604 if(connssl->connecting_state == ssl_connect_2_reading
2605 || connssl->connecting_state == ssl_connect_2_writing) {
2607 curl_socket_t writefd = ssl_connect_2_writing==
2608 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
2609 curl_socket_t readfd = ssl_connect_2_reading==
2610 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
2612 what = Curl_socket_ready(readfd, writefd, nonblocking?0:timeout_ms);
2615 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
2616 return CURLE_SSL_CONNECT_ERROR;
2618 else if(0 == what) {
2625 failf(data, "SSL connection timeout");
2626 return CURLE_OPERATION_TIMEDOUT;
2629 /* socket is readable or writable */
2632 /* Run transaction, and return to the caller if it failed or if this
2633 * connection is done nonblocking and this loop would execute again. This
2634 * permits the owner of a multi handle to abort a connection attempt
2635 * before step2 has completed while ensuring that a client using select()
2636 * or epoll() will always have a valid fdset to wait on.
2638 retcode = ossl_connect_step2(conn, sockindex);
2639 if(retcode || (nonblocking &&
2640 (ssl_connect_2 == connssl->connecting_state ||
2641 ssl_connect_2_reading == connssl->connecting_state ||
2642 ssl_connect_2_writing == connssl->connecting_state)))
2645 } /* repeat step2 until all transactions are done. */
2648 if(ssl_connect_3==connssl->connecting_state) {
2649 retcode = ossl_connect_step3(conn, sockindex);
2654 if(ssl_connect_done==connssl->connecting_state) {
2655 connssl->state = ssl_connection_complete;
2656 conn->recv[sockindex] = ossl_recv;
2657 conn->send[sockindex] = ossl_send;
2663 /* Reset our connect state machine */
2664 connssl->connecting_state = ssl_connect_1;
2670 Curl_ossl_connect_nonblocking(struct connectdata *conn,
2674 return ossl_connect_common(conn, sockindex, TRUE, done);
2678 Curl_ossl_connect(struct connectdata *conn,
2684 retcode = ossl_connect_common(conn, sockindex, FALSE, &done);
2693 bool Curl_ossl_data_pending(const struct connectdata *conn,
2696 if(conn->ssl[connindex].handle)
2698 return (0 != SSL_pending(conn->ssl[connindex].handle)) ? TRUE : FALSE;
2703 static ssize_t ossl_send(struct connectdata *conn,
2709 /* SSL_write() is said to return 'int' while write() and send() returns
2712 char error_buffer[120]; /* OpenSSL documents that this must be at least 120
2714 unsigned long sslerror;
2720 memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
2721 rc = SSL_write(conn->ssl[sockindex].handle, mem, memlen);
2724 err = SSL_get_error(conn->ssl[sockindex].handle, rc);
2727 case SSL_ERROR_WANT_READ:
2728 case SSL_ERROR_WANT_WRITE:
2729 /* The operation did not complete; the same TLS/SSL I/O function
2730 should be called again later. This is basically an EWOULDBLOCK
2732 *curlcode = CURLE_AGAIN;
2734 case SSL_ERROR_SYSCALL:
2735 failf(conn->data, "SSL_write() returned SYSCALL, errno = %d",
2737 *curlcode = CURLE_SEND_ERROR;
2740 /* A failure in the SSL library occurred, usually a protocol error.
2741 The OpenSSL error queue contains more information on the error. */
2742 sslerror = ERR_get_error();
2743 failf(conn->data, "SSL_write() error: %s",
2744 ERR_error_string(sslerror, error_buffer));
2745 *curlcode = CURLE_SEND_ERROR;
2749 failf(conn->data, "SSL_write() return error %d", err);
2750 *curlcode = CURLE_SEND_ERROR;
2753 return (ssize_t)rc; /* number of bytes */
2756 static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
2757 int num, /* socketindex */
2758 char *buf, /* store read data here */
2759 size_t buffersize, /* max amount to read */
2762 char error_buffer[120]; /* OpenSSL documents that this must be at
2763 least 120 bytes long. */
2764 unsigned long sslerror;
2770 buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
2771 nread = (ssize_t)SSL_read(conn->ssl[num].handle, buf, buffsize);
2773 /* failed SSL_read */
2774 int err = SSL_get_error(conn->ssl[num].handle, (int)nread);
2777 case SSL_ERROR_NONE: /* this is not an error */
2778 case SSL_ERROR_ZERO_RETURN: /* no more data */
2780 case SSL_ERROR_WANT_READ:
2781 case SSL_ERROR_WANT_WRITE:
2782 /* there's data pending, re-invoke SSL_read() */
2783 *curlcode = CURLE_AGAIN;
2786 /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
2788 /* http://www.openssl.org/docs/crypto/ERR_get_error.html */
2789 sslerror = ERR_get_error();
2790 if((nread < 0) || sslerror) {
2791 /* If the return code was negative or there actually is an error in the
2793 failf(conn->data, "SSL read: %s, errno %d",
2794 ERR_error_string(sslerror, error_buffer),
2796 *curlcode = CURLE_RECV_ERROR;
2804 size_t Curl_ossl_version(char *buffer, size_t size)
2806 #ifdef YASSL_VERSION
2807 /* yassl provides an OpenSSL API compatibility layer so it looks identical
2808 to OpenSSL in all other aspects */
2809 return snprintf(buffer, size, "yassl/%s", YASSL_VERSION);
2810 #else /* YASSL_VERSION */
2812 #if(SSLEAY_VERSION_NUMBER >= 0x905000)
2815 unsigned long ssleay_value;
2817 ssleay_value=SSLeay();
2818 if(ssleay_value < 0x906000) {
2819 ssleay_value=SSLEAY_VERSION_NUMBER;
2823 if(ssleay_value&0xff0) {
2824 sub[0]=(char)(((ssleay_value>>4)&0xff) + 'a' -1);
2830 return snprintf(buffer, size, "OpenSSL/%lx.%lx.%lx%s",
2831 (ssleay_value>>28)&0xf,
2832 (ssleay_value>>20)&0xff,
2833 (ssleay_value>>12)&0xff,
2837 #else /* SSLEAY_VERSION_NUMBER is less than 0.9.5 */
2839 #if(SSLEAY_VERSION_NUMBER >= 0x900000)
2840 return snprintf(buffer, size, "OpenSSL/%lx.%lx.%lx",
2841 (SSLEAY_VERSION_NUMBER>>28)&0xff,
2842 (SSLEAY_VERSION_NUMBER>>20)&0xff,
2843 (SSLEAY_VERSION_NUMBER>>12)&0xf);
2845 #else /* (SSLEAY_VERSION_NUMBER >= 0x900000) */
2849 if(SSLEAY_VERSION_NUMBER&0x0f) {
2850 sub[0]=(SSLEAY_VERSION_NUMBER&0x0f) + 'a' -1;
2855 return snprintf(buffer, size, "SSL/%x.%x.%x%s",
2856 (SSLEAY_VERSION_NUMBER>>12)&0xff,
2857 (SSLEAY_VERSION_NUMBER>>8)&0xf,
2858 (SSLEAY_VERSION_NUMBER>>4)&0xf, sub);
2860 #endif /* (SSLEAY_VERSION_NUMBER >= 0x900000) */
2861 #endif /* SSLEAY_VERSION_NUMBER is less than 0.9.5 */
2863 #endif /* YASSL_VERSION */
2866 void Curl_ossl_random(struct SessionHandle *data, unsigned char *entropy,
2869 Curl_ossl_seed(data); /* Initiate the seed if not already done */
2870 RAND_bytes(entropy, curlx_uztosi(length));
2873 void Curl_ossl_md5sum(unsigned char *tmp, /* input */
2875 unsigned char *md5sum /* output */,
2881 MD5_Update(&MD5pw, tmp, tmplen);
2882 MD5_Final(md5sum, &MD5pw);
2884 #endif /* USE_SSLEAY */