1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at http://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
24 * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
25 * but vtls.c should ever call or use these functions.
29 * The original SSLeay-using code for curl was written by Linas Vepstas and
30 * Sampo Kellomaki 1998.
33 #include "curl_setup.h"
43 #include "formdata.h" /* for the boundary function */
44 #include "url.h" /* for the ssl config check function */
45 #include "inet_pton.h"
53 #include "hostcheck.h"
54 #include "curl_printf.h"
56 #include <openssl/ssl.h>
57 #include <openssl/rand.h>
58 #include <openssl/x509v3.h>
59 #include <openssl/dsa.h>
60 #include <openssl/dh.h>
61 #include <openssl/err.h>
62 #include <openssl/md5.h>
63 #include <openssl/conf.h>
64 #include <openssl/bn.h>
65 #include <openssl/rsa.h>
67 #ifdef HAVE_OPENSSL_PKCS12_H
68 #include <openssl/pkcs12.h>
71 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_IS_BORINGSSL)
72 #include <openssl/ocsp.h>
76 #include "non-ascii.h" /* for Curl_convert_from_utf8 prototype */
78 /* The last #include files should be: */
79 #include "curl_memory.h"
82 #ifndef OPENSSL_VERSION_NUMBER
83 #error "OPENSSL_VERSION_NUMBER not defined"
86 #if OPENSSL_VERSION_NUMBER >= 0x00907001L && !defined(OPENSSL_IS_BORINGSSL)
87 /* ENGINE_load_private_key() takes four arguments */
88 #define HAVE_ENGINE_LOAD_FOUR_ARGS
89 #include <openssl/ui.h>
91 /* ENGINE_load_private_key() takes three arguments */
92 #undef HAVE_ENGINE_LOAD_FOUR_ARGS
95 #if (OPENSSL_VERSION_NUMBER >= 0x00903001L) && \
96 defined(HAVE_OPENSSL_PKCS12_H) && \
97 !defined(OPENSSL_IS_BORINGSSL)
98 /* OpenSSL has PKCS 12 support, BoringSSL does not */
99 #define HAVE_PKCS12_SUPPORT
101 /* OpenSSL does not have PKCS12 support */
102 #undef HAVE_PKCS12_SUPPORT
105 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
106 #define SSL_METHOD_QUAL const
108 #define SSL_METHOD_QUAL
111 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
112 /* 0.9.6 didn't have X509_STORE_set_flags() */
113 #define HAVE_X509_STORE_SET_FLAGS 1
115 #define X509_STORE_set_flags(x,y) Curl_nop_stmt
118 #ifdef OPENSSL_IS_BORINGSSL
119 /* BoringSSL has no ERR_remove_state() */
120 #define ERR_remove_state(x)
121 #elif (OPENSSL_VERSION_NUMBER >= 0x10000000L)
122 #define HAVE_ERR_REMOVE_THREAD_STATE 1
125 #if !defined(HAVE_SSLV2_CLIENT_METHOD) || \
126 OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ has no SSLv2 */
127 #undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
128 #define OPENSSL_NO_SSL2
131 #if defined(OPENSSL_IS_BORINGSSL)
132 #define NO_RAND_SEED 1
133 /* In BoringSSL OpenSSL_add_all_algorithms does nothing */
134 #define OpenSSL_add_all_algorithms()
135 /* BoringSSL does not have CONF_modules_load_file */
136 #define CONF_modules_load_file(a,b,c)
139 #if (OPENSSL_VERSION_NUMBER < 0x0090808fL) || defined(OPENSSL_IS_BORINGSSL)
140 /* not present in BoringSSL or older OpenSSL */
141 #define OPENSSL_load_builtin_modules(x)
145 * Number of bytes to read from the random number seed file. This must be
146 * a finite value (because some entropy "files" like /dev/urandom have
147 * an infinite length), but must be large enough to provide enough
148 * entopy to properly seed OpenSSL's PRNG.
150 #define RAND_LOAD_LENGTH 1024
152 static int passwd_callback(char *buf, int num, int encrypting,
155 DEBUGASSERT(0 == encrypting);
158 int klen = curlx_uztosi(strlen((char *)global_passwd));
160 memcpy(buf, global_passwd, klen+1);
168 * rand_enough() is a function that returns TRUE if we have seeded the random
169 * engine properly. We use some preprocessor magic to provide a seed_enough()
170 * macro to use, just to prevent a compiler warning on this function if we
171 * pass in an argument that is never used.
175 #ifdef HAVE_RAND_STATUS
176 #define seed_enough(x) rand_enough()
177 static bool rand_enough(void)
179 return (0 != RAND_status()) ? TRUE : FALSE;
182 #define seed_enough(x) rand_enough(x)
183 static bool rand_enough(int nread)
185 /* this is a very silly decision to make */
186 return (nread > 500) ? TRUE : FALSE;
190 static int ossl_seed(struct SessionHandle *data)
192 char *buf = data->state.buffer; /* point to the big buffer */
195 /* Q: should we add support for a random file name as a libcurl option?
196 A: Yes, it is here */
199 /* if RANDOM_FILE isn't defined, we only perform this if an option tells
201 if(data->set.ssl.random_file)
202 #define RANDOM_FILE "" /* doesn't matter won't be used */
205 /* let the option override the define */
206 nread += RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
207 data->set.str[STRING_SSL_RANDOM_FILE]:
210 if(seed_enough(nread))
214 #if defined(HAVE_RAND_EGD)
215 /* only available in OpenSSL 0.9.5 and later */
216 /* EGD_SOCKET is set at configure time or not at all */
218 /* If we don't have the define set, we only do this if the egd-option
220 if(data->set.str[STRING_SSL_EGDSOCKET])
221 #define EGD_SOCKET "" /* doesn't matter won't be used */
224 /* If there's an option and a define, the option overrides the
226 int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
227 data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
230 if(seed_enough(nread))
236 /* If we get here, it means we need to seed the PRNG using a "silly"
239 unsigned char randb[64];
240 int len = sizeof(randb);
241 RAND_bytes(randb, len);
242 RAND_add(randb, len, (len >> 1));
243 } while(!RAND_status());
245 /* generates a default path for the random seed file */
246 buf[0]=0; /* blank it first */
247 RAND_file_name(buf, BUFSIZE);
249 /* we got a file name to try */
250 nread += RAND_load_file(buf, RAND_LOAD_LENGTH);
251 if(seed_enough(nread))
255 infof(data, "libcurl is now using a weak random seed!\n");
259 static void Curl_ossl_seed(struct SessionHandle *data)
261 /* we have the "SSL is seeded" boolean static to prevent multiple
262 time-consuming seedings in vain */
263 static bool ssl_seeded = FALSE;
265 if(!ssl_seeded || data->set.str[STRING_SSL_RANDOM_FILE] ||
266 data->set.str[STRING_SSL_EGDSOCKET]) {
272 /* BoringSSL needs no seeding */
273 #define Curl_ossl_seed(x)
277 #ifndef SSL_FILETYPE_ENGINE
278 #define SSL_FILETYPE_ENGINE 42
280 #ifndef SSL_FILETYPE_PKCS12
281 #define SSL_FILETYPE_PKCS12 43
283 static int do_file_type(const char *type)
285 if(!type || !type[0])
286 return SSL_FILETYPE_PEM;
287 if(Curl_raw_equal(type, "PEM"))
288 return SSL_FILETYPE_PEM;
289 if(Curl_raw_equal(type, "DER"))
290 return SSL_FILETYPE_ASN1;
291 if(Curl_raw_equal(type, "ENG"))
292 return SSL_FILETYPE_ENGINE;
293 if(Curl_raw_equal(type, "P12"))
294 return SSL_FILETYPE_PKCS12;
298 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_FOUR_ARGS)
300 * Supply default password to the engine user interface conversation.
301 * The password is passed by OpenSSL engine from ENGINE_load_private_key()
302 * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
304 static int ssl_ui_reader(UI *ui, UI_STRING *uis)
306 const char *password;
307 switch(UI_get_string_type(uis)) {
310 password = (const char*)UI_get0_user_data(ui);
311 if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
312 UI_set_result(ui, uis, password);
318 return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
322 * Suppress interactive request for a default password if available.
324 static int ssl_ui_writer(UI *ui, UI_STRING *uis)
326 switch(UI_get_string_type(uis)) {
329 if(UI_get0_user_data(ui) &&
330 (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
336 return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
341 int cert_stuff(struct connectdata *conn,
344 const char *cert_type,
346 const char *key_type)
348 struct SessionHandle *data = conn->data;
350 int file_type = do_file_type(cert_type);
352 if(cert_file || (file_type == SSL_FILETYPE_ENGINE)) {
357 if(data->set.str[STRING_KEY_PASSWD]) {
358 /* set the password in the callback userdata */
359 SSL_CTX_set_default_passwd_cb_userdata(ctx,
360 data->set.str[STRING_KEY_PASSWD]);
361 /* Set passwd callback: */
362 SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
367 case SSL_FILETYPE_PEM:
368 /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
369 if(SSL_CTX_use_certificate_chain_file(ctx,
372 "could not load PEM client certificate, OpenSSL error %s, "
373 "(no key found, wrong pass phrase, or wrong file format?)",
374 ERR_error_string(ERR_get_error(), NULL) );
379 case SSL_FILETYPE_ASN1:
380 /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
381 we use the case above for PEM so this can only be performed with
383 if(SSL_CTX_use_certificate_file(ctx,
387 "could not load ASN1 client certificate, OpenSSL error %s, "
388 "(no key found, wrong pass phrase, or wrong file format?)",
389 ERR_error_string(ERR_get_error(), NULL) );
393 case SSL_FILETYPE_ENGINE:
394 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
396 if(data->state.engine) {
397 const char *cmd_name = "LOAD_CERT_CTRL";
403 params.cert_id = cert_file;
406 /* Does the engine supports LOAD_CERT_CTRL ? */
407 if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
408 0, (void *)cmd_name, NULL)) {
409 failf(data, "ssl engine does not support loading certificates");
413 /* Load the certificate from the engine */
414 if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
415 0, ¶ms, NULL, 1)) {
416 failf(data, "ssl engine cannot load client cert with id"
417 " '%s' [%s]", cert_file,
418 ERR_error_string(ERR_get_error(), NULL));
423 failf(data, "ssl engine didn't initialized the certificate "
428 if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
429 failf(data, "unable to set client certificate");
430 X509_free(params.cert);
433 X509_free(params.cert); /* we don't need the handle any more... */
436 failf(data, "crypto engine not set, can't load certificate");
442 failf(data, "file type ENG for certificate not implemented");
446 case SSL_FILETYPE_PKCS12:
448 #ifdef HAVE_PKCS12_SUPPORT
452 STACK_OF(X509) *ca = NULL;
455 f = fopen(cert_file, "rb");
457 failf(data, "could not open PKCS12 file '%s'", cert_file);
460 p12 = d2i_PKCS12_fp(f, NULL);
464 failf(data, "error reading PKCS12 file '%s'", cert_file);
470 if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
473 "could not parse PKCS12 file, check password, OpenSSL error %s",
474 ERR_error_string(ERR_get_error(), NULL) );
481 if(SSL_CTX_use_certificate(ctx, x509) != 1) {
483 "could not load PKCS12 client certificate, OpenSSL error %s",
484 ERR_error_string(ERR_get_error(), NULL) );
488 if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
489 failf(data, "unable to use private key from PKCS12 file '%s'",
494 if(!SSL_CTX_check_private_key (ctx)) {
495 failf(data, "private key from PKCS12 file '%s' "
496 "does not match certificate in same file", cert_file);
499 /* Set Certificate Verification chain */
500 if(ca && sk_X509_num(ca)) {
501 for(i = 0; i < sk_X509_num(ca); i++) {
503 * Note that sk_X509_pop() is used below to make sure the cert is
504 * removed from the stack properly before getting passed to
505 * SSL_CTX_add_extra_chain_cert(). Previously we used
506 * sk_X509_value() instead, but then we'd clean it in the subsequent
507 * sk_X509_pop_free() call.
509 X509 *x = sk_X509_pop(ca);
510 if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
511 failf(data, "cannot add certificate to certificate chain");
514 /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
515 * presumably because it duplicates what we pass to it.
517 if(!SSL_CTX_add_client_CA(ctx, x)) {
518 failf(data, "cannot add certificate to client CA list");
528 sk_X509_pop_free(ca, X509_free);
531 return 0; /* failure! */
534 failf(data, "file type P12 for certificate not supported");
539 failf(data, "not supported file type '%s' for certificate", cert_type);
543 file_type = do_file_type(key_type);
546 case SSL_FILETYPE_PEM:
550 /* cert & key can only be in PEM case in the same file */
552 case SSL_FILETYPE_ASN1:
553 if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {
554 failf(data, "unable to set private key file: '%s' type %s",
555 key_file, key_type?key_type:"PEM");
559 case SSL_FILETYPE_ENGINE:
560 #ifdef HAVE_OPENSSL_ENGINE_H
561 { /* XXXX still needs some work */
562 EVP_PKEY *priv_key = NULL;
563 if(data->state.engine) {
564 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
565 UI_METHOD *ui_method =
566 UI_create_method((char *)"cURL user interface");
568 failf(data, "unable do create OpenSSL user-interface method");
571 UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
572 UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
573 UI_method_set_reader(ui_method, ssl_ui_reader);
574 UI_method_set_writer(ui_method, ssl_ui_writer);
576 /* the typecast below was added to please mingw32 */
577 priv_key = (EVP_PKEY *)
578 ENGINE_load_private_key(data->state.engine, key_file,
579 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
582 data->set.str[STRING_KEY_PASSWD]);
583 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
584 UI_destroy_method(ui_method);
587 failf(data, "failed to load private key from crypto engine");
590 if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
591 failf(data, "unable to set private key");
592 EVP_PKEY_free(priv_key);
595 EVP_PKEY_free(priv_key); /* we don't need the handle any more... */
598 failf(data, "crypto engine not set, can't load private key");
604 failf(data, "file type ENG for private key not supported");
607 case SSL_FILETYPE_PKCS12:
609 failf(data, "file type P12 for private key not supported");
614 failf(data, "not supported file type for private key");
620 failf(data, "unable to create an SSL structure");
624 x509=SSL_get_certificate(ssl);
626 /* This version was provided by Evan Jordan and is supposed to not
627 leak memory as the previous version: */
629 EVP_PKEY *pktmp = X509_get_pubkey(x509);
630 EVP_PKEY_copy_parameters(pktmp, SSL_get_privatekey(ssl));
631 EVP_PKEY_free(pktmp);
636 /* If we are using DSA, we can copy the parameters from
640 /* Now we know that a key and cert have been set against
642 if(!SSL_CTX_check_private_key(ctx)) {
643 failf(data, "Private key does not match the certificate public key");
650 /* returns non-zero on failure */
651 static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
654 return X509_NAME_oneline(a, buf, size);
656 BIO *bio_out = BIO_new(BIO_s_mem());
661 return 1; /* alloc failed! */
663 rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
664 BIO_get_mem_ptr(bio_out, &biomem);
666 if((size_t)biomem->length < size)
667 size = biomem->length;
669 size--; /* don't overwrite the buffer end */
671 memcpy(buf, biomem->data, size);
680 /* Return error string for last OpenSSL error
682 static char *SSL_strerror(unsigned long error, char *buf, size_t size)
684 /* OpenSSL 0.9.6 and later has a function named
685 ERR_error_string_n() that takes the size of the buffer as a
687 ERR_error_string_n(error, buf, size);
694 * @retval 0 error initializing SSL
695 * @retval 1 SSL initialized successfully
697 int Curl_ossl_init(void)
699 OPENSSL_load_builtin_modules();
701 #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
702 ENGINE_load_builtin_engines();
705 /* Lets get nice error messages */
706 SSL_load_error_strings();
708 /* Init the global ciphers and digests */
709 if(!SSLeay_add_ssl_algorithms())
712 OpenSSL_add_all_algorithms();
715 /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately
716 that function makes an exit() call on wrongly formatted config files
717 which makes it hard to use in some situations. OPENSSL_config() itself
718 calls CONF_modules_load_file() and we use that instead and we ignore
721 /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and
723 #ifndef CONF_MFLAGS_DEFAULT_SECTION
724 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
727 CONF_modules_load_file(NULL, NULL,
728 CONF_MFLAGS_DEFAULT_SECTION|
729 CONF_MFLAGS_IGNORE_MISSING_FILE);
735 void Curl_ossl_cleanup(void)
737 /* Free ciphers and digests lists */
740 #ifdef HAVE_ENGINE_CLEANUP
741 /* Free engine list */
745 #ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
746 /* Free OpenSSL ex_data table */
747 CRYPTO_cleanup_all_ex_data();
750 /* Free OpenSSL error strings */
753 /* Free thread local error state, destroying hash upon zero refcount */
754 #ifdef HAVE_ERR_REMOVE_THREAD_STATE
755 ERR_remove_thread_state(NULL);
762 * This function uses SSL_peek to determine connection status.
765 * 1 means the connection is still in place
766 * 0 means the connection has been closed
767 * -1 means the connection status is unknown
769 int Curl_ossl_check_cxn(struct connectdata *conn)
774 rc = SSL_peek(conn->ssl[FIRSTSOCKET].handle, (void*)&buf, 1);
776 return 1; /* connection still in place */
779 return 0; /* connection has been closed */
781 return -1; /* connection status unknown */
784 /* Selects an OpenSSL crypto engine
786 CURLcode Curl_ossl_set_engine(struct SessionHandle *data, const char *engine)
788 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H)
791 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
792 e = ENGINE_by_id(engine);
794 /* avoid memory leak */
795 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
796 const char *e_id = ENGINE_get_id(e);
797 if(!strcmp(engine, e_id))
803 failf(data, "SSL Engine '%s' not found", engine);
804 return CURLE_SSL_ENGINE_NOTFOUND;
807 if(data->state.engine) {
808 ENGINE_finish(data->state.engine);
809 ENGINE_free(data->state.engine);
810 data->state.engine = NULL;
812 if(!ENGINE_init(e)) {
816 failf(data, "Failed to initialise SSL Engine '%s':\n%s",
817 engine, SSL_strerror(ERR_get_error(), buf, sizeof(buf)));
818 return CURLE_SSL_ENGINE_INITFAILED;
820 data->state.engine = e;
824 failf(data, "SSL Engine not supported");
825 return CURLE_SSL_ENGINE_NOTFOUND;
829 /* Sets engine as default for all SSL operations
831 CURLcode Curl_ossl_set_engine_default(struct SessionHandle *data)
833 #ifdef HAVE_OPENSSL_ENGINE_H
834 if(data->state.engine) {
835 if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
836 infof(data, "set default crypto engine '%s'\n",
837 ENGINE_get_id(data->state.engine));
840 failf(data, "set default crypto engine '%s' failed",
841 ENGINE_get_id(data->state.engine));
842 return CURLE_SSL_ENGINE_SETFAILED;
851 /* Return list of OpenSSL crypto engine names.
853 struct curl_slist *Curl_ossl_engines_list(struct SessionHandle *data)
855 struct curl_slist *list = NULL;
856 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H)
857 struct curl_slist *beg;
860 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
861 beg = curl_slist_append(list, ENGINE_get_id(e));
863 curl_slist_free_all(list);
875 * This function is called when an SSL connection is closed.
877 void Curl_ossl_close(struct connectdata *conn, int sockindex)
879 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
881 if(connssl->handle) {
882 (void)SSL_shutdown(connssl->handle);
883 SSL_set_connect_state(connssl->handle);
885 SSL_free (connssl->handle);
886 connssl->handle = NULL;
889 SSL_CTX_free (connssl->ctx);
895 * This function is called to shut down the SSL layer but keep the
896 * socket open (CCC - Clear Command Channel)
898 int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
901 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
902 struct SessionHandle *data = conn->data;
903 char buf[120]; /* We will use this for the OpenSSL error buffer, so it has
904 to be at least 120 bytes long. */
905 unsigned long sslerror;
911 /* This has only been tested on the proftpd server, and the mod_tls code
912 sends a close notify alert without waiting for a close notify alert in
913 response. Thus we wait for a close notify alert from the server, but
914 we do not send one. Let's hope other servers do the same... */
916 if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
917 (void)SSL_shutdown(connssl->handle);
919 if(connssl->handle) {
920 buffsize = (int)sizeof(buf);
922 int what = Curl_socket_ready(conn->sock[sockindex],
923 CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
927 /* Something to read, let's do it and hope that it is the close
928 notify alert from the server */
929 nread = (ssize_t)SSL_read(conn->ssl[sockindex].handle, buf,
931 err = SSL_get_error(conn->ssl[sockindex].handle, (int)nread);
934 case SSL_ERROR_NONE: /* this is not an error */
935 case SSL_ERROR_ZERO_RETURN: /* no more data */
936 /* This is the expected response. There was no data but only
937 the close notify alert */
940 case SSL_ERROR_WANT_READ:
941 /* there's data pending, re-invoke SSL_read() */
942 infof(data, "SSL_ERROR_WANT_READ\n");
944 case SSL_ERROR_WANT_WRITE:
945 /* SSL wants a write. Really odd. Let's bail out. */
946 infof(data, "SSL_ERROR_WANT_WRITE\n");
950 /* openssl/ssl.h says "look at error stack/return value/errno" */
951 sslerror = ERR_get_error();
952 failf(conn->data, "SSL read: %s, errno %d",
953 ERR_error_string(sslerror, buf),
961 failf(data, "SSL shutdown timeout");
965 /* anything that gets here is fatally bad */
966 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
970 } /* while()-loop for the select() */
972 if(data->set.verbose) {
973 #ifdef HAVE_SSL_GET_SHUTDOWN
974 switch(SSL_get_shutdown(connssl->handle)) {
975 case SSL_SENT_SHUTDOWN:
976 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n");
978 case SSL_RECEIVED_SHUTDOWN:
979 infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n");
981 case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN:
982 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|"
983 "SSL_RECEIVED__SHUTDOWN\n");
989 SSL_free (connssl->handle);
990 connssl->handle = NULL;
995 void Curl_ossl_session_free(void *ptr)
998 SSL_SESSION_free(ptr);
1002 * This function is called when the 'data' struct is going away. Close
1003 * down everything and free all resources!
1005 void Curl_ossl_close_all(struct SessionHandle *data)
1007 #ifdef HAVE_OPENSSL_ENGINE_H
1008 if(data->state.engine) {
1009 ENGINE_finish(data->state.engine);
1010 ENGINE_free(data->state.engine);
1011 data->state.engine = NULL;
1018 static int asn1_output(const ASN1_UTCTIME *tm,
1022 const char *asn1_string;
1025 int year=0, month=0, day=0, hour=0, minute=0, second=0;
1028 asn1_string=(const char *)tm->data;
1032 if(asn1_string[i-1] == 'Z')
1035 if((asn1_string[i] > '9') || (asn1_string[i] < '0'))
1038 year= (asn1_string[0]-'0')*10+(asn1_string[1]-'0');
1042 month= (asn1_string[2]-'0')*10+(asn1_string[3]-'0');
1043 if((month > 12) || (month < 1))
1046 day= (asn1_string[4]-'0')*10+(asn1_string[5]-'0');
1047 hour= (asn1_string[6]-'0')*10+(asn1_string[7]-'0');
1048 minute= (asn1_string[8]-'0')*10+(asn1_string[9]-'0');
1050 if((asn1_string[10] >= '0') && (asn1_string[10] <= '9') &&
1051 (asn1_string[11] >= '0') && (asn1_string[11] <= '9'))
1052 second= (asn1_string[10]-'0')*10+(asn1_string[11]-'0');
1054 snprintf(buf, sizeofbuf,
1055 "%04d-%02d-%02d %02d:%02d:%02d %s",
1056 year+1900, month, day, hour, minute, second, (gmt?"GMT":""));
1061 /* ====================================================== */
1064 /* Quote from RFC2818 section 3.1 "Server Identity"
1066 If a subjectAltName extension of type dNSName is present, that MUST
1067 be used as the identity. Otherwise, the (most specific) Common Name
1068 field in the Subject field of the certificate MUST be used. Although
1069 the use of the Common Name is existing practice, it is deprecated and
1070 Certification Authorities are encouraged to use the dNSName instead.
1072 Matching is performed using the matching rules specified by
1073 [RFC2459]. If more than one identity of a given type is present in
1074 the certificate (e.g., more than one dNSName name, a match in any one
1075 of the set is considered acceptable.) Names may contain the wildcard
1076 character * which is considered to match any single domain name
1077 component or component fragment. E.g., *.a.com matches foo.a.com but
1078 not bar.foo.a.com. f*.com matches foo.com but not bar.com.
1080 In some cases, the URI is specified as an IP address rather than a
1081 hostname. In this case, the iPAddress subjectAltName must be present
1082 in the certificate and must exactly match the IP in the URI.
1085 static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
1087 int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
1089 int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
1091 struct SessionHandle *data = conn->data;
1092 STACK_OF(GENERAL_NAME) *altnames;
1094 struct in6_addr addr;
1096 struct in_addr addr;
1098 CURLcode result = CURLE_OK;
1101 if(conn->bits.ipv6_ip &&
1102 Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
1104 addrlen = sizeof(struct in6_addr);
1108 if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
1110 addrlen = sizeof(struct in_addr);
1113 /* get a "list" of alternative names */
1114 altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
1120 /* get amount of alternatives, RFC2459 claims there MUST be at least
1121 one, but we don't depend on it... */
1122 numalts = sk_GENERAL_NAME_num(altnames);
1124 /* loop through all alternatives while none has matched */
1125 for(i=0; (i<numalts) && (matched != 1); i++) {
1126 /* get a handle to alternative name number i */
1127 const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
1129 /* only check alternatives of the same type the target is */
1130 if(check->type == target) {
1131 /* get data and length */
1132 const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
1133 size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
1136 case GEN_DNS: /* name/pattern comparison */
1137 /* The OpenSSL man page explicitly says: "In general it cannot be
1138 assumed that the data returned by ASN1_STRING_data() is null
1139 terminated or does not contain embedded nulls." But also that
1140 "The actual format of the data will depend on the actual string
1141 type itself: for example for and IA5String the data will be ASCII"
1143 Gisle researched the OpenSSL sources:
1144 "I checked the 0.9.6 and 0.9.8 sources before my patch and
1145 it always 0-terminates an IA5String."
1147 if((altlen == strlen(altptr)) &&
1148 /* if this isn't true, there was an embedded zero in the name
1149 string and we cannot match it. */
1150 Curl_cert_hostcheck(altptr, conn->host.name))
1156 case GEN_IPADD: /* IP address comparison */
1157 /* compare alternative IP address if the data chunk is the same size
1158 our server IP address is */
1159 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
1167 GENERAL_NAMES_free(altnames);
1171 /* an alternative name matched the server hostname */
1172 infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
1173 else if(matched == 0) {
1174 /* an alternative name field existed, but didn't match and then
1176 infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
1177 failf(data, "SSL: no alternative certificate subject name matches "
1178 "target host name '%s'", conn->host.dispname);
1179 result = CURLE_PEER_FAILED_VERIFICATION;
1182 /* we have to look to the last occurrence of a commonName in the
1183 distinguished one to get the most significant one. */
1186 /* The following is done because of a bug in 0.9.6b */
1188 unsigned char *nulstr = (unsigned char *)"";
1189 unsigned char *peer_CN = nulstr;
1191 X509_NAME *name = X509_get_subject_name(server_cert);
1193 while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i))>=0)
1196 /* we have the name entry and we will now convert this to a string
1197 that we can use for comparison. Doing this we support BMPstring,
1202 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
1204 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
1205 is already UTF-8 encoded. We check for this case and copy the raw
1206 string manually to avoid the problem. This code can be made
1207 conditional in the future when OpenSSL has been fixed. Work-around
1208 brought by Alexis S. L. Carvalho. */
1210 if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
1211 j = ASN1_STRING_length(tmp);
1213 peer_CN = OPENSSL_malloc(j+1);
1215 memcpy(peer_CN, ASN1_STRING_data(tmp), j);
1220 else /* not a UTF8 name */
1221 j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
1223 if(peer_CN && (curlx_uztosi(strlen((char *)peer_CN)) != j)) {
1224 /* there was a terminating zero before the end of string, this
1225 cannot match and we return failure! */
1226 failf(data, "SSL: illegal cert name field");
1227 result = CURLE_PEER_FAILED_VERIFICATION;
1232 if(peer_CN == nulstr)
1235 /* convert peer_CN from UTF8 */
1236 CURLcode rc = Curl_convert_from_utf8(data, peer_CN, strlen(peer_CN));
1237 /* Curl_convert_from_utf8 calls failf if unsuccessful */
1239 OPENSSL_free(peer_CN);
1245 /* error already detected, pass through */
1249 "SSL: unable to obtain common name from peer certificate");
1250 result = CURLE_PEER_FAILED_VERIFICATION;
1252 else if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
1253 failf(data, "SSL: certificate subject name '%s' does not match "
1254 "target host name '%s'", peer_CN, conn->host.dispname);
1255 result = CURLE_PEER_FAILED_VERIFICATION;
1258 infof(data, "\t common name: %s (matched)\n", peer_CN);
1261 OPENSSL_free(peer_CN);
1267 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
1268 !defined(OPENSSL_IS_BORINGSSL)
1269 static CURLcode verifystatus(struct connectdata *conn,
1270 struct ssl_connect_data *connssl)
1273 const unsigned char *p;
1274 CURLcode result = CURLE_OK;
1275 struct SessionHandle *data = conn->data;
1277 OCSP_RESPONSE *rsp = NULL;
1278 OCSP_BASICRESP *br = NULL;
1279 X509_STORE *st = NULL;
1280 STACK_OF(X509) *ch = NULL;
1282 long len = SSL_get_tlsext_status_ocsp_resp(connssl->handle, &p);
1285 failf(data, "No OCSP response received");
1286 result = CURLE_SSL_INVALIDCERTSTATUS;
1290 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1292 failf(data, "Invalid OCSP response");
1293 result = CURLE_SSL_INVALIDCERTSTATUS;
1297 ocsp_status = OCSP_response_status(rsp);
1298 if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1299 failf(data, "Invalid OCSP response status: %s (%d)",
1300 OCSP_response_status_str(ocsp_status), ocsp_status);
1301 result = CURLE_SSL_INVALIDCERTSTATUS;
1305 br = OCSP_response_get1_basic(rsp);
1307 failf(data, "Invalid OCSP response");
1308 result = CURLE_SSL_INVALIDCERTSTATUS;
1312 ch = SSL_get_peer_cert_chain(connssl->handle);
1313 st = SSL_CTX_get_cert_store(connssl->ctx);
1315 #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
1316 defined(LIBRESSL_VERSION_NUMBER))
1317 /* The authorized responder cert in the OCSP response MUST be signed by the
1318 peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
1319 no problem, but if it's an intermediate cert OpenSSL has a bug where it
1320 expects this issuer to be present in the chain embedded in the OCSP
1321 response. So we add it if necessary. */
1323 /* First make sure the peer cert chain includes both a peer and an issuer,
1324 and the OCSP response contains a responder cert. */
1325 if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
1326 X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
1328 /* Find issuer of responder cert and add it to the OCSP response chain */
1329 for(i = 0; i < sk_X509_num(ch); i++) {
1330 X509 *issuer = sk_X509_value(ch, i);
1331 if(X509_check_issued(issuer, responder) == X509_V_OK) {
1332 if(!OCSP_basic_add1_cert(br, issuer)) {
1333 failf(data, "Could not add issuer cert to OCSP response");
1334 result = CURLE_SSL_INVALIDCERTSTATUS;
1342 if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
1343 failf(data, "OCSP response verification failed");
1344 result = CURLE_SSL_INVALIDCERTSTATUS;
1348 for(i = 0; i < OCSP_resp_count(br); i++) {
1349 int cert_status, crl_reason;
1350 OCSP_SINGLERESP *single = NULL;
1352 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1354 if(!(single = OCSP_resp_get0(br, i)))
1357 cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
1358 &thisupd, &nextupd);
1360 if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
1361 failf(data, "OCSP response has expired");
1362 result = CURLE_SSL_INVALIDCERTSTATUS;
1366 infof(data, "SSL certificate status: %s (%d)\n",
1367 OCSP_cert_status_str(cert_status), cert_status);
1369 switch(cert_status) {
1370 case V_OCSP_CERTSTATUS_GOOD:
1373 case V_OCSP_CERTSTATUS_REVOKED:
1374 result = CURLE_SSL_INVALIDCERTSTATUS;
1376 failf(data, "SSL certificate revocation reason: %s (%d)",
1377 OCSP_crl_reason_str(crl_reason), crl_reason);
1380 case V_OCSP_CERTSTATUS_UNKNOWN:
1381 result = CURLE_SSL_INVALIDCERTSTATUS;
1387 if(br) OCSP_BASICRESP_free(br);
1388 OCSP_RESPONSE_free(rsp);
1394 #endif /* USE_OPENSSL */
1396 /* The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions
1397 and thus this cannot be done there. */
1398 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1400 static const char *ssl_msg_type(int ssl_ver, int msg)
1402 #ifdef SSL2_VERSION_MAJOR
1403 if(ssl_ver == SSL2_VERSION_MAJOR) {
1407 case SSL2_MT_CLIENT_HELLO:
1408 return "Client hello";
1409 case SSL2_MT_CLIENT_MASTER_KEY:
1410 return "Client key";
1411 case SSL2_MT_CLIENT_FINISHED:
1412 return "Client finished";
1413 case SSL2_MT_SERVER_HELLO:
1414 return "Server hello";
1415 case SSL2_MT_SERVER_VERIFY:
1416 return "Server verify";
1417 case SSL2_MT_SERVER_FINISHED:
1418 return "Server finished";
1419 case SSL2_MT_REQUEST_CERTIFICATE:
1420 return "Request CERT";
1421 case SSL2_MT_CLIENT_CERTIFICATE:
1422 return "Client CERT";
1427 if(ssl_ver == SSL3_VERSION_MAJOR) {
1429 case SSL3_MT_HELLO_REQUEST:
1430 return "Hello request";
1431 case SSL3_MT_CLIENT_HELLO:
1432 return "Client hello";
1433 case SSL3_MT_SERVER_HELLO:
1434 return "Server hello";
1435 #ifdef SSL3_MT_NEWSESSION_TICKET
1436 case SSL3_MT_NEWSESSION_TICKET:
1437 return "Newsession Ticket";
1439 case SSL3_MT_CERTIFICATE:
1440 return "Certificate";
1441 case SSL3_MT_SERVER_KEY_EXCHANGE:
1442 return "Server key exchange";
1443 case SSL3_MT_CLIENT_KEY_EXCHANGE:
1444 return "Client key exchange";
1445 case SSL3_MT_CERTIFICATE_REQUEST:
1446 return "Request CERT";
1447 case SSL3_MT_SERVER_DONE:
1448 return "Server finished";
1449 case SSL3_MT_CERTIFICATE_VERIFY:
1450 return "CERT verify";
1451 case SSL3_MT_FINISHED:
1453 #ifdef SSL3_MT_CERTIFICATE_STATUS
1454 case SSL3_MT_CERTIFICATE_STATUS:
1455 return "Certificate Status";
1462 static const char *tls_rt_type(int type)
1465 #ifdef SSL3_RT_HEADER
1466 case SSL3_RT_HEADER:
1467 return "TLS header";
1469 case SSL3_RT_CHANGE_CIPHER_SPEC:
1470 return "TLS change cipher";
1473 case SSL3_RT_HANDSHAKE:
1474 return "TLS handshake";
1475 case SSL3_RT_APPLICATION_DATA:
1476 return "TLS app data";
1478 return "TLS Unknown";
1484 * Our callback from the SSL/TLS layers.
1486 static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
1487 const void *buf, size_t len, SSL *ssl,
1490 struct SessionHandle *data;
1491 const char *msg_name, *tls_rt_name;
1494 int msg_type, txt_len;
1495 const char *verstr = NULL;
1496 struct connectdata *conn = userp;
1498 if(!conn || !conn->data || !conn->data->set.fdebug ||
1499 (direction != 0 && direction != 1))
1505 #ifdef SSL2_VERSION /* removed in recent versions */
1518 #ifdef TLS1_1_VERSION
1519 case TLS1_1_VERSION:
1523 #ifdef TLS1_2_VERSION
1524 case TLS1_2_VERSION:
1531 snprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
1537 /* the info given when the version is zero is not that useful for us */
1539 ssl_ver >>= 8; /* check the upper 8 bits only below */
1541 /* SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL
1542 * always pass-up content-type as 0. But the interesting message-type
1545 if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
1546 tls_rt_name = tls_rt_type(content_type);
1550 msg_type = *(char*)buf;
1551 msg_name = ssl_msg_type(ssl_ver, msg_type);
1553 txt_len = snprintf(ssl_buf, sizeof(ssl_buf), "%s (%s), %s, %s (%d):\n",
1554 verstr, direction?"OUT":"IN",
1555 tls_rt_name, msg_name, msg_type);
1556 Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len, NULL);
1559 Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
1560 CURLINFO_SSL_DATA_IN, (char *)buf, len, NULL);
1566 /* ====================================================== */
1568 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1569 # define use_sni(x) sni = (x)
1571 # define use_sni(x) Curl_nop_stmt
1574 /* Check for OpenSSL 1.0.2 which has ALPN support. */
1576 #if OPENSSL_VERSION_NUMBER >= 0x10002000L \
1577 && !defined(OPENSSL_NO_TLSEXT)
1581 /* Check for OpenSSL 1.0.1 which has NPN support. */
1583 #if OPENSSL_VERSION_NUMBER >= 0x10001000L \
1584 && !defined(OPENSSL_NO_TLSEXT) \
1585 && !defined(OPENSSL_NO_NEXTPROTONEG)
1592 * in is a list of lenght prefixed strings. this function has to select
1593 * the protocol we want to use from the list and write its string into out.
1597 select_next_protocol(unsigned char **out, unsigned char *outlen,
1598 const unsigned char *in, unsigned int inlen,
1599 const char *key, unsigned int keylen)
1602 for(i = 0; i + keylen <= inlen; i += in[i] + 1) {
1603 if(memcmp(&in[i + 1], key, keylen) == 0) {
1604 *out = (unsigned char *) &in[i + 1];
1613 select_next_proto_cb(SSL *ssl,
1614 unsigned char **out, unsigned char *outlen,
1615 const unsigned char *in, unsigned int inlen,
1618 struct connectdata *conn = (struct connectdata*) arg;
1623 if(conn->data->set.httpversion == CURL_HTTP_VERSION_2_0 &&
1624 !select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_VERSION_ID,
1625 NGHTTP2_PROTO_VERSION_ID_LEN)) {
1626 infof(conn->data, "NPN, negotiated HTTP2 (%s)\n",
1627 NGHTTP2_PROTO_VERSION_ID);
1628 conn->negnpn = CURL_HTTP_VERSION_2_0;
1629 return SSL_TLSEXT_ERR_OK;
1633 if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1,
1634 ALPN_HTTP_1_1_LENGTH)) {
1635 infof(conn->data, "NPN, negotiated HTTP1.1\n");
1636 conn->negnpn = CURL_HTTP_VERSION_1_1;
1637 return SSL_TLSEXT_ERR_OK;
1640 infof(conn->data, "NPN, no overlap, use HTTP1.1\n");
1641 *out = (unsigned char *)ALPN_HTTP_1_1;
1642 *outlen = ALPN_HTTP_1_1_LENGTH;
1643 conn->negnpn = CURL_HTTP_VERSION_1_1;
1645 return SSL_TLSEXT_ERR_OK;
1647 #endif /* HAS_NPN */
1650 get_ssl_version_txt(SSL *ssl)
1655 switch(SSL_version(ssl)) {
1656 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1657 case TLS1_2_VERSION:
1659 case TLS1_1_VERSION:
1672 static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
1674 CURLcode result = CURLE_OK;
1676 struct SessionHandle *data = conn->data;
1677 SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
1678 void *ssl_sessionid = NULL;
1679 X509_LOOKUP *lookup = NULL;
1680 curl_socket_t sockfd = conn->sock[sockindex];
1681 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1683 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1686 struct in6_addr addr;
1688 struct in_addr addr;
1692 DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
1694 /* Make funny stuff to get random input */
1695 Curl_ossl_seed(data);
1697 data->set.ssl.certverifyresult = !X509_V_OK;
1699 /* check to see if we've been told to use an explicit SSL/TLS version */
1701 switch(data->set.ssl.version) {
1703 case CURL_SSLVERSION_DEFAULT:
1704 case CURL_SSLVERSION_TLSv1:
1705 case CURL_SSLVERSION_TLSv1_0:
1706 case CURL_SSLVERSION_TLSv1_1:
1707 case CURL_SSLVERSION_TLSv1_2:
1708 /* it will be handled later with the context options */
1709 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
1710 !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
1711 req_method = TLS_client_method();
1713 req_method = SSLv23_client_method();
1717 case CURL_SSLVERSION_SSLv2:
1718 #ifdef OPENSSL_NO_SSL2
1719 failf(data, "OpenSSL was built without SSLv2 support");
1720 return CURLE_NOT_BUILT_IN;
1723 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
1724 return CURLE_SSL_CONNECT_ERROR;
1726 req_method = SSLv2_client_method();
1730 case CURL_SSLVERSION_SSLv3:
1731 #ifdef OPENSSL_NO_SSL3_METHOD
1732 failf(data, "OpenSSL was built without SSLv3 support");
1733 return CURLE_NOT_BUILT_IN;
1736 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
1737 return CURLE_SSL_CONNECT_ERROR;
1739 req_method = SSLv3_client_method();
1746 SSL_CTX_free(connssl->ctx);
1747 connssl->ctx = SSL_CTX_new(req_method);
1750 failf(data, "SSL: couldn't create a context: %s",
1751 ERR_error_string(ERR_peek_error(), NULL));
1752 return CURLE_OUT_OF_MEMORY;
1755 #ifdef SSL_MODE_RELEASE_BUFFERS
1756 SSL_CTX_set_mode(connssl->ctx, SSL_MODE_RELEASE_BUFFERS);
1759 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1760 if(data->set.fdebug && data->set.verbose) {
1761 /* the SSL trace callback is only used for verbose logging */
1762 SSL_CTX_set_msg_callback(connssl->ctx, ssl_tls_trace);
1763 SSL_CTX_set_msg_callback_arg(connssl->ctx, conn);
1767 /* OpenSSL contains code to work-around lots of bugs and flaws in various
1768 SSL-implementations. SSL_CTX_set_options() is used to enabled those
1769 work-arounds. The man page for this option states that SSL_OP_ALL enables
1770 all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
1771 enable the bug workaround options if compatibility with somewhat broken
1772 implementations is desired."
1774 The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
1775 disable "rfc4507bis session ticket support". rfc4507bis was later turned
1776 into the proper RFC5077 it seems: https://tools.ietf.org/html/rfc5077
1778 The enabled extension concerns the session management. I wonder how often
1779 libcurl stops a connection and then resumes a TLS session. also, sending
1780 the session data is some overhead. .I suggest that you just use your
1781 proposed patch (which explicitly disables TICKET).
1783 If someone writes an application with libcurl and openssl who wants to
1784 enable the feature, one can do this in the SSL callback.
1786 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
1787 interoperability with web server Netscape Enterprise Server 2.0.1 which
1788 was released back in 1996.
1790 Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
1791 become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
1792 CVE-2010-4180 when using previous OpenSSL versions we no longer enable
1793 this option regardless of OpenSSL version and SSL_OP_ALL definition.
1795 OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
1796 (https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
1797 SSL_OP_ALL that _disables_ that work-around despite the fact that
1798 SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
1799 keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
1803 ctx_options = SSL_OP_ALL;
1805 #ifdef SSL_OP_NO_TICKET
1806 ctx_options |= SSL_OP_NO_TICKET;
1809 #ifdef SSL_OP_NO_COMPRESSION
1810 ctx_options |= SSL_OP_NO_COMPRESSION;
1813 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1814 /* mitigate CVE-2010-4180 */
1815 ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
1818 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1819 /* unless the user explicitly ask to allow the protocol vulnerability we
1820 use the work-around */
1821 if(!conn->data->set.ssl_enable_beast)
1822 ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1825 switch(data->set.ssl.version) {
1826 case CURL_SSLVERSION_SSLv3:
1828 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
1829 infof(data, "Set version TLSv1.x for SRP authorisation\n");
1832 ctx_options |= SSL_OP_NO_SSLv2;
1833 ctx_options |= SSL_OP_NO_TLSv1;
1834 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1835 ctx_options |= SSL_OP_NO_TLSv1_1;
1836 ctx_options |= SSL_OP_NO_TLSv1_2;
1840 case CURL_SSLVERSION_DEFAULT:
1841 case CURL_SSLVERSION_TLSv1:
1842 ctx_options |= SSL_OP_NO_SSLv2;
1843 ctx_options |= SSL_OP_NO_SSLv3;
1846 case CURL_SSLVERSION_TLSv1_0:
1847 ctx_options |= SSL_OP_NO_SSLv2;
1848 ctx_options |= SSL_OP_NO_SSLv3;
1849 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1850 ctx_options |= SSL_OP_NO_TLSv1_1;
1851 ctx_options |= SSL_OP_NO_TLSv1_2;
1855 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1856 case CURL_SSLVERSION_TLSv1_1:
1857 ctx_options |= SSL_OP_NO_SSLv2;
1858 ctx_options |= SSL_OP_NO_SSLv3;
1859 ctx_options |= SSL_OP_NO_TLSv1;
1860 ctx_options |= SSL_OP_NO_TLSv1_2;
1863 case CURL_SSLVERSION_TLSv1_2:
1864 ctx_options |= SSL_OP_NO_SSLv2;
1865 ctx_options |= SSL_OP_NO_SSLv3;
1866 ctx_options |= SSL_OP_NO_TLSv1;
1867 ctx_options |= SSL_OP_NO_TLSv1_1;
1871 #ifndef OPENSSL_NO_SSL2
1872 case CURL_SSLVERSION_SSLv2:
1873 ctx_options |= SSL_OP_NO_SSLv3;
1874 ctx_options |= SSL_OP_NO_TLSv1;
1875 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1876 ctx_options |= SSL_OP_NO_TLSv1_1;
1877 ctx_options |= SSL_OP_NO_TLSv1_2;
1883 failf(data, "Unsupported SSL protocol version");
1884 return CURLE_SSL_CONNECT_ERROR;
1887 SSL_CTX_set_options(connssl->ctx, ctx_options);
1890 if(data->set.ssl_enable_npn)
1891 SSL_CTX_set_next_proto_select_cb(connssl->ctx, select_next_proto_cb, conn);
1895 if(data->set.ssl_enable_alpn) {
1897 unsigned char protocols[128];
1900 if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
1901 protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
1903 memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
1904 NGHTTP2_PROTO_VERSION_ID_LEN);
1905 cur += NGHTTP2_PROTO_VERSION_ID_LEN;
1906 infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
1910 protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
1911 memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
1912 cur += ALPN_HTTP_1_1_LENGTH;
1913 infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
1915 /* expects length prefixed preference ordered list of protocols in wire
1918 SSL_CTX_set_alpn_protos(connssl->ctx, protocols, cur);
1922 if(data->set.str[STRING_CERT] || data->set.str[STRING_CERT_TYPE]) {
1923 if(!cert_stuff(conn,
1925 data->set.str[STRING_CERT],
1926 data->set.str[STRING_CERT_TYPE],
1927 data->set.str[STRING_KEY],
1928 data->set.str[STRING_KEY_TYPE])) {
1929 /* failf() is already done in cert_stuff() */
1930 return CURLE_SSL_CERTPROBLEM;
1934 ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
1936 ciphers = (char *)DEFAULT_CIPHER_SELECTION;
1937 if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
1938 failf(data, "failed setting cipher list: %s", ciphers);
1939 return CURLE_SSL_CIPHER;
1941 infof(data, "Cipher selection: %s\n", ciphers);
1944 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
1945 infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
1947 if(!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) {
1948 failf(data, "Unable to set SRP user name");
1949 return CURLE_BAD_FUNCTION_ARGUMENT;
1951 if(!SSL_CTX_set_srp_password(connssl->ctx, data->set.ssl.password)) {
1952 failf(data, "failed setting SRP password");
1953 return CURLE_BAD_FUNCTION_ARGUMENT;
1955 if(!data->set.str[STRING_SSL_CIPHER_LIST]) {
1956 infof(data, "Setting cipher list SRP\n");
1958 if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
1959 failf(data, "failed setting SRP cipher list");
1960 return CURLE_SSL_CIPHER;
1965 if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
1966 /* tell SSL where to find CA certificates that are used to verify
1967 the servers certificate. */
1968 if(!SSL_CTX_load_verify_locations(connssl->ctx,
1969 data->set.str[STRING_SSL_CAFILE],
1970 data->set.str[STRING_SSL_CAPATH])) {
1971 if(data->set.ssl.verifypeer) {
1972 /* Fail if we insist on successfully verifying the server. */
1973 failf(data, "error setting certificate verify locations:\n"
1974 " CAfile: %s\n CApath: %s",
1975 data->set.str[STRING_SSL_CAFILE]?
1976 data->set.str[STRING_SSL_CAFILE]: "none",
1977 data->set.str[STRING_SSL_CAPATH]?
1978 data->set.str[STRING_SSL_CAPATH] : "none");
1979 return CURLE_SSL_CACERT_BADFILE;
1982 /* Just continue with a warning if no strict certificate verification
1984 infof(data, "error setting certificate verify locations,"
1985 " continuing anyway:\n");
1989 /* Everything is fine. */
1990 infof(data, "successfully set certificate verify locations:\n");
1995 data->set.str[STRING_SSL_CAFILE] ? data->set.str[STRING_SSL_CAFILE]:
1997 data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
2001 if(data->set.str[STRING_SSL_CRLFILE]) {
2002 /* tell SSL where to find CRL file that is used to check certificate
2004 lookup=X509_STORE_add_lookup(SSL_CTX_get_cert_store(connssl->ctx),
2005 X509_LOOKUP_file());
2007 (!X509_load_crl_file(lookup, data->set.str[STRING_SSL_CRLFILE],
2008 X509_FILETYPE_PEM)) ) {
2009 failf(data, "error loading CRL file: %s",
2010 data->set.str[STRING_SSL_CRLFILE]);
2011 return CURLE_SSL_CRL_BADFILE;
2014 /* Everything is fine. */
2015 infof(data, "successfully load CRL file:\n");
2016 X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
2017 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2020 " CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ?
2021 data->set.str[STRING_SSL_CRLFILE]: "none");
2024 /* Try building a chain using issuers in the trusted store first to avoid
2025 problems with server-sent legacy intermediates.
2026 Newer versions of OpenSSL do alternate chain checking by default which
2027 gives us the same fix without as much of a performance hit (slight), so we
2028 prefer that if available.
2029 https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
2031 #if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
2032 if(data->set.ssl.verifypeer) {
2033 X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
2034 X509_V_FLAG_TRUSTED_FIRST);
2038 /* SSL always tries to verify the peer, this only says whether it should
2039 * fail to connect if the verification fails, or if it should continue
2040 * anyway. In the latter case the result of the verification is checked with
2041 * SSL_get_verify_result() below. */
2042 SSL_CTX_set_verify(connssl->ctx,
2043 data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
2046 /* give application a chance to interfere with SSL set up. */
2047 if(data->set.ssl.fsslctx) {
2048 result = (*data->set.ssl.fsslctx)(data, connssl->ctx,
2049 data->set.ssl.fsslctxp);
2051 failf(data, "error signaled by ssl ctx callback");
2056 /* Lets make an SSL structure */
2058 SSL_free(connssl->handle);
2059 connssl->handle = SSL_new(connssl->ctx);
2060 if(!connssl->handle) {
2061 failf(data, "SSL: couldn't create a context (handle)!");
2062 return CURLE_OUT_OF_MEMORY;
2065 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
2066 !defined(OPENSSL_IS_BORINGSSL)
2067 if(data->set.ssl.verifystatus)
2068 SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
2071 SSL_set_connect_state(connssl->handle);
2073 connssl->server_cert = 0x0;
2075 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2076 if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
2078 (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
2081 !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
2082 infof(data, "WARNING: failed to configure server name indication (SNI) "
2086 /* Check if there's a cached ID we can/should use here! */
2087 if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
2088 /* we got a session id, use it! */
2089 if(!SSL_set_session(connssl->handle, ssl_sessionid)) {
2090 failf(data, "SSL: SSL_set_session failed: %s",
2091 ERR_error_string(ERR_get_error(), NULL));
2092 return CURLE_SSL_CONNECT_ERROR;
2094 /* Informational message */
2095 infof (data, "SSL re-using session ID\n");
2098 /* pass the raw socket into the SSL layers */
2099 if(!SSL_set_fd(connssl->handle, (int)sockfd)) {
2100 failf(data, "SSL: SSL_set_fd failed: %s",
2101 ERR_error_string(ERR_get_error(), NULL));
2102 return CURLE_SSL_CONNECT_ERROR;
2105 connssl->connecting_state = ssl_connect_2;
2110 static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
2112 struct SessionHandle *data = conn->data;
2114 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2115 DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
2116 || ssl_connect_2_reading == connssl->connecting_state
2117 || ssl_connect_2_writing == connssl->connecting_state);
2121 err = SSL_connect(connssl->handle);
2124 0 is "not successful but was shut down controlled"
2125 <0 is "handshake was not successful, because a fatal error occurred" */
2127 int detail = SSL_get_error(connssl->handle, err);
2129 if(SSL_ERROR_WANT_READ == detail) {
2130 connssl->connecting_state = ssl_connect_2_reading;
2133 else if(SSL_ERROR_WANT_WRITE == detail) {
2134 connssl->connecting_state = ssl_connect_2_writing;
2138 /* untreated error */
2139 unsigned long errdetail;
2140 char error_buffer[256]=""; /* OpenSSL documents that this must be at
2141 least 256 bytes long. */
2145 connssl->connecting_state = ssl_connect_2; /* the connection failed,
2146 we're not waiting for
2149 errdetail = ERR_get_error(); /* Gets the earliest error code from the
2150 thread's error queue and removes the
2157 SSL2_SET_CERTIFICATE:
2158 certificate verify failed */
2163 SSL3_GET_SERVER_CERTIFICATE:
2164 certificate verify failed */
2165 result = CURLE_SSL_CACERT;
2167 lerr = SSL_get_verify_result(connssl->handle);
2168 if(lerr != X509_V_OK) {
2169 snprintf(error_buffer, sizeof(error_buffer),
2170 "SSL certificate problem: %s",
2171 X509_verify_cert_error_string(lerr));
2174 /* strcpy() is fine here as long as the string fits within
2176 strcpy(error_buffer,
2177 "SSL certificate problem, check your CA cert");
2180 result = CURLE_SSL_CONNECT_ERROR;
2181 SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
2185 /* detail is already set to the SSL error above */
2187 /* If we e.g. use SSLv2 request-method and the server doesn't like us
2188 * (RST connection etc.), OpenSSL gives no explanation whatsoever and
2189 * the SO_ERROR is also lost.
2191 if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
2192 failf(data, "Unknown SSL protocol error in connection to %s:%ld ",
2193 conn->host.name, conn->remote_port);
2197 /* Could be a CERT problem */
2198 failf(data, "%s", error_buffer);
2204 /* we have been connected fine, we're not waiting for anything else. */
2205 connssl->connecting_state = ssl_connect_3;
2207 /* Informational message */
2208 infof(data, "SSL connection using %s / %s\n",
2209 get_ssl_version_txt(connssl->handle),
2210 SSL_get_cipher(connssl->handle));
2213 /* Sets data and len to negotiated protocol, len is 0 if no protocol was
2216 if(data->set.ssl_enable_alpn) {
2217 const unsigned char* neg_protocol;
2219 SSL_get0_alpn_selected(connssl->handle, &neg_protocol, &len);
2221 infof(data, "ALPN, server accepted to use %.*s\n", len, neg_protocol);
2224 if(len == NGHTTP2_PROTO_VERSION_ID_LEN &&
2225 !memcmp(NGHTTP2_PROTO_VERSION_ID, neg_protocol, len)) {
2226 conn->negnpn = CURL_HTTP_VERSION_2_0;
2230 if(len == ALPN_HTTP_1_1_LENGTH &&
2231 !memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) {
2232 conn->negnpn = CURL_HTTP_VERSION_1_1;
2236 infof(data, "ALPN, server did not agree to a protocol\n");
2244 static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
2248 if((ilen = (int)len) < 0)
2249 return 1; /* buffer too big */
2251 i = i2t_ASN1_OBJECT(buf, ilen, a);
2254 return 1; /* buffer too small */
2259 static void pubkey_show(struct SessionHandle *data,
2272 buffer = malloc(left);
2275 snprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
2276 for(i=0; i< len; i++) {
2277 snprintf(ptr, left, "%02x:", raw[i]);
2281 infof(data, " %s: %s\n", namebuf, buffer);
2282 Curl_ssl_push_certinfo(data, num, namebuf, buffer);
2287 #define print_pubkey_BN(_type, _name, _num) \
2289 if(pubkey->pkey._type->_name) { \
2290 int len = BN_num_bytes(pubkey->pkey._type->_name); \
2291 if(len < CERTBUFFERSIZE) { \
2292 BN_bn2bin(pubkey->pkey._type->_name, (unsigned char*)bufp); \
2294 pubkey_show(data, _num, #_type, #_name, (unsigned char*)bufp, len); \
2299 static int X509V3_ext(struct SessionHandle *data,
2301 STACK_OF(X509_EXTENSION) *exts)
2306 if(sk_X509_EXTENSION_num(exts) <= 0)
2307 /* no extensions, bail out */
2310 for(i=0; i<sk_X509_EXTENSION_num(exts); i++) {
2312 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
2317 BIO *bio_out = BIO_new(BIO_s_mem());
2322 obj = X509_EXTENSION_get_object(ext);
2324 asn1_object_dump(obj, namebuf, sizeof(namebuf));
2326 infof(data, "%s: %s\n", namebuf,
2327 X509_EXTENSION_get_critical(ext)?"(critical)":"");
2329 if(!X509V3_EXT_print(bio_out, ext, 0, 0))
2330 ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
2332 BIO_get_mem_ptr(bio_out, &biomem);
2334 /* biomem->length bytes at biomem->data, this little loop here is only
2335 done for the infof() call, we send the "raw" data to the certinfo
2337 for(j=0; j<(size_t)biomem->length; j++) {
2339 if(biomem->data[j] == '\n') {
2341 j++; /* skip the newline */
2343 while((j<(size_t)biomem->length) && (biomem->data[j] == ' '))
2345 if(j<(size_t)biomem->length)
2346 ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep,
2349 infof(data, " %s\n", buf);
2351 Curl_ssl_push_certinfo(data, certnum, namebuf, buf);
2356 return 0; /* all is fine */
2360 static void X509_signature(struct SessionHandle *data,
2368 for(i=0; i<sig->length; i++)
2369 ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%02x:", sig->data[i]);
2371 infof(data, " Signature: %s\n", buf);
2372 Curl_ssl_push_certinfo(data, numcert, "Signature", buf);
2375 static void dumpcert(struct SessionHandle *data, X509 *x, int numcert)
2377 BIO *bio_out = BIO_new(BIO_s_mem());
2380 /* this outputs the cert in this 64 column wide style with newlines and
2381 -----BEGIN CERTIFICATE----- texts and more */
2382 PEM_write_bio_X509(bio_out, x);
2384 BIO_get_mem_ptr(bio_out, &biomem);
2386 Curl_ssl_push_certinfo_len(data, numcert,
2387 "Cert", biomem->data, biomem->length);
2393 * This size was previously 512 which has been reported "too small" without
2394 * any specifics, so it was enlarged to allow more data to get shown uncut.
2395 * The "perfect" size is yet to figure out.
2397 #define CERTBUFFERSIZE 8192
2399 static CURLcode get_cert_chain(struct connectdata *conn,
2400 struct ssl_connect_data *connssl)
2407 struct SessionHandle *data = conn->data;
2410 bufp = malloc(CERTBUFFERSIZE);
2412 return CURLE_OUT_OF_MEMORY;
2414 sk = SSL_get_peer_cert_chain(connssl->handle);
2417 return CURLE_OUT_OF_MEMORY;
2420 numcerts = sk_X509_num(sk);
2422 result = Curl_ssl_init_certinfo(data, numcerts);
2428 infof(data, "--- Certificate chain\n");
2429 for(i=0; i<numcerts; i++) {
2432 ASN1_TIME *certdate;
2434 /* get the certs in "importance order" */
2436 X509 *x = sk_X509_value(sk, numcerts - i - 1);
2438 X509 *x = sk_X509_value(sk, i);
2442 EVP_PKEY *pubkey=NULL;
2446 (void)x509_name_oneline(X509_get_subject_name(x), bufp, CERTBUFFERSIZE);
2447 infof(data, "%2d Subject: %s\n", i, bufp);
2448 Curl_ssl_push_certinfo(data, i, "Subject", bufp);
2450 (void)x509_name_oneline(X509_get_issuer_name(x), bufp, CERTBUFFERSIZE);
2451 infof(data, " Issuer: %s\n", bufp);
2452 Curl_ssl_push_certinfo(data, i, "Issuer", bufp);
2454 value = X509_get_version(x);
2455 infof(data, " Version: %lu (0x%lx)\n", value+1, value);
2456 snprintf(bufp, CERTBUFFERSIZE, "%lx", value);
2457 Curl_ssl_push_certinfo(data, i, "Version", bufp); /* hex */
2459 num=X509_get_serialNumber(x);
2461 int left = CERTBUFFERSIZE;
2464 if(num->type == V_ASN1_NEG_INTEGER) {
2469 for(j=0; (j<num->length) && (left>=3); j++) {
2470 snprintf(ptr, left, "%02x", num->data[j]);
2475 infof(data, " Serial Number: %s\n", bufp);
2480 Curl_ssl_push_certinfo(data, i, "Serial Number", bufp); /* hex */
2482 cinf = x->cert_info;
2484 j = asn1_object_dump(cinf->signature->algorithm, bufp, CERTBUFFERSIZE);
2486 infof(data, " Signature Algorithm: %s\n", bufp);
2487 Curl_ssl_push_certinfo(data, i, "Signature Algorithm", bufp);
2490 certdate = X509_get_notBefore(x);
2491 asn1_output(certdate, bufp, CERTBUFFERSIZE);
2492 infof(data, " Start date: %s\n", bufp);
2493 Curl_ssl_push_certinfo(data, i, "Start date", bufp);
2495 certdate = X509_get_notAfter(x);
2496 asn1_output(certdate, bufp, CERTBUFFERSIZE);
2497 infof(data, " Expire date: %s\n", bufp);
2498 Curl_ssl_push_certinfo(data, i, "Expire date", bufp);
2500 j = asn1_object_dump(cinf->key->algor->algorithm, bufp, CERTBUFFERSIZE);
2502 infof(data, " Public Key Algorithm: %s\n", bufp);
2503 Curl_ssl_push_certinfo(data, i, "Public Key Algorithm", bufp);
2506 pubkey = X509_get_pubkey(x);
2508 infof(data, " Unable to load public key\n");
2510 switch(pubkey->type) {
2512 infof(data, " RSA Public Key (%d bits)\n",
2513 BN_num_bits(pubkey->pkey.rsa->n));
2514 snprintf(bufp, CERTBUFFERSIZE, "%d", BN_num_bits(pubkey->pkey.rsa->n));
2515 Curl_ssl_push_certinfo(data, i, "RSA Public Key", bufp);
2517 print_pubkey_BN(rsa, n, i);
2518 print_pubkey_BN(rsa, e, i);
2519 print_pubkey_BN(rsa, d, i);
2520 print_pubkey_BN(rsa, p, i);
2521 print_pubkey_BN(rsa, q, i);
2522 print_pubkey_BN(rsa, dmp1, i);
2523 print_pubkey_BN(rsa, dmq1, i);
2524 print_pubkey_BN(rsa, iqmp, i);
2527 print_pubkey_BN(dsa, p, i);
2528 print_pubkey_BN(dsa, q, i);
2529 print_pubkey_BN(dsa, g, i);
2530 print_pubkey_BN(dsa, priv_key, i);
2531 print_pubkey_BN(dsa, pub_key, i);
2534 print_pubkey_BN(dh, p, i);
2535 print_pubkey_BN(dh, g, i);
2536 print_pubkey_BN(dh, priv_key, i);
2537 print_pubkey_BN(dh, pub_key, i);
2540 case EVP_PKEY_EC: /* symbol not present in OpenSSL 0.9.6 */
2545 EVP_PKEY_free(pubkey);
2548 X509V3_ext(data, i, cinf->extensions);
2550 X509_signature(data, i, x->signature);
2552 dumpcert(data, x, i);
2561 * Heavily modified from:
2562 * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
2564 static CURLcode pkp_pin_peer_pubkey(X509* cert, const char *pinnedpubkey)
2567 int len1 = 0, len2 = 0;
2568 unsigned char *buff1 = NULL, *temp = NULL;
2570 /* Result is returned to caller */
2571 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
2573 /* if a path wasn't specified, don't pin */
2581 /* Begin Gyrations to get the subjectPublicKeyInfo */
2582 /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
2584 /* https://groups.google.com/group/mailing.openssl.users/browse_thread
2585 /thread/d61858dae102c6c7 */
2586 len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
2590 /* https://www.openssl.org/docs/crypto/buffer.html */
2591 buff1 = temp = OPENSSL_malloc(len1);
2595 /* https://www.openssl.org/docs/crypto/d2i_X509.html */
2596 len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
2599 * These checks are verifying we got back the same values as when we
2600 * sized the buffer. It's pretty weak since they should always be the
2601 * same. But it gives us something to test.
2603 if((len1 != len2) || !temp || ((temp - buff1) != len1))
2608 /* The one good exit point */
2609 result = Curl_pin_peer_pubkey(pinnedpubkey, buff1, len1);
2612 /* https://www.openssl.org/docs/crypto/buffer.html */
2614 OPENSSL_free(buff1);
2620 * Get the server cert, verify it and show it etc, only call failf() if the
2621 * 'strict' argument is TRUE as otherwise all this is for informational
2624 * We check certificates to authenticate the server; otherwise we risk
2625 * man-in-the-middle attack.
2627 static CURLcode servercert(struct connectdata *conn,
2628 struct ssl_connect_data *connssl,
2631 CURLcode result = CURLE_OK;
2634 ASN1_TIME *certdate;
2635 struct SessionHandle *data = conn->data;
2638 char *buffer = data->state.buffer;
2641 if(data->set.ssl.certinfo)
2642 /* we've been asked to gather certificate info! */
2643 (void)get_cert_chain(conn, connssl);
2645 connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
2646 if(!connssl->server_cert) {
2648 failf(data, "SSL: couldn't get peer certificate!");
2649 return CURLE_PEER_FAILED_VERIFICATION;
2652 infof(data, "Server certificate:\n");
2654 rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
2656 infof(data, "\t subject: %s\n", rc?"[NONE]":buffer);
2658 certdate = X509_get_notBefore(connssl->server_cert);
2659 asn1_output(certdate, buffer, BUFSIZE);
2660 infof(data, "\t start date: %s\n", buffer);
2662 certdate = X509_get_notAfter(connssl->server_cert);
2663 asn1_output(certdate, buffer, BUFSIZE);
2664 infof(data, "\t expire date: %s\n", buffer);
2666 if(data->set.ssl.verifyhost) {
2667 result = verifyhost(conn, connssl->server_cert);
2669 X509_free(connssl->server_cert);
2670 connssl->server_cert = NULL;
2675 rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert),
2679 failf(data, "SSL: couldn't get X509-issuer name!");
2680 result = CURLE_SSL_CONNECT_ERROR;
2683 infof(data, "\t issuer: %s\n", buffer);
2685 /* We could do all sorts of certificate verification stuff here before
2686 deallocating the certificate. */
2688 /* e.g. match issuer name with provided issuer certificate */
2689 if(data->set.str[STRING_SSL_ISSUERCERT]) {
2690 fp = fopen(data->set.str[STRING_SSL_ISSUERCERT], FOPEN_READTEXT);
2693 failf(data, "SSL: Unable to open issuer cert (%s)",
2694 data->set.str[STRING_SSL_ISSUERCERT]);
2695 X509_free(connssl->server_cert);
2696 connssl->server_cert = NULL;
2697 return CURLE_SSL_ISSUER_ERROR;
2700 issuer = PEM_read_X509(fp, NULL, ZERO_NULL, NULL);
2703 failf(data, "SSL: Unable to read issuer cert (%s)",
2704 data->set.str[STRING_SSL_ISSUERCERT]);
2705 X509_free(connssl->server_cert);
2708 return CURLE_SSL_ISSUER_ERROR;
2713 if(X509_check_issued(issuer, connssl->server_cert) != X509_V_OK) {
2715 failf(data, "SSL: Certificate issuer check failed (%s)",
2716 data->set.str[STRING_SSL_ISSUERCERT]);
2717 X509_free(connssl->server_cert);
2719 connssl->server_cert = NULL;
2720 return CURLE_SSL_ISSUER_ERROR;
2723 infof(data, "\t SSL certificate issuer check ok (%s)\n",
2724 data->set.str[STRING_SSL_ISSUERCERT]);
2728 lerr = data->set.ssl.certverifyresult =
2729 SSL_get_verify_result(connssl->handle);
2731 if(data->set.ssl.certverifyresult != X509_V_OK) {
2732 if(data->set.ssl.verifypeer) {
2733 /* We probably never reach this, because SSL_connect() will fail
2734 and we return earlier if verifypeer is set? */
2736 failf(data, "SSL certificate verify result: %s (%ld)",
2737 X509_verify_cert_error_string(lerr), lerr);
2738 result = CURLE_PEER_FAILED_VERIFICATION;
2741 infof(data, "\t SSL certificate verify result: %s (%ld),"
2742 " continuing anyway.\n",
2743 X509_verify_cert_error_string(lerr), lerr);
2746 infof(data, "\t SSL certificate verify ok.\n");
2749 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
2750 !defined(OPENSSL_IS_BORINGSSL)
2751 if(data->set.ssl.verifystatus) {
2752 result = verifystatus(conn, connssl);
2754 X509_free(connssl->server_cert);
2755 connssl->server_cert = NULL;
2762 /* when not strict, we don't bother about the verify cert problems */
2765 ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
2766 if(!result && ptr) {
2767 result = pkp_pin_peer_pubkey(connssl->server_cert, ptr);
2769 failf(data, "SSL: public key does not match pinned public key!");
2772 X509_free(connssl->server_cert);
2773 connssl->server_cert = NULL;
2774 connssl->connecting_state = ssl_connect_done;
2779 static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
2781 CURLcode result = CURLE_OK;
2782 void *old_ssl_sessionid = NULL;
2783 struct SessionHandle *data = conn->data;
2784 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2786 SSL_SESSION *our_ssl_sessionid;
2788 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
2790 our_ssl_sessionid = SSL_get1_session(connssl->handle);
2792 /* SSL_get1_session() will increment the reference count and the session
2793 will stay in memory until explicitly freed with SSL_SESSION_free(3),
2794 regardless of its state. */
2796 incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL));
2798 if(old_ssl_sessionid != our_ssl_sessionid) {
2799 infof(data, "old SSL session ID is stale, removing\n");
2800 Curl_ssl_delsessionid(conn, old_ssl_sessionid);
2806 result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
2807 0 /* unknown size */);
2809 failf(data, "failed to store ssl session");
2814 /* Session was incache, so refcount already incremented earlier.
2815 * Avoid further increments with each SSL_get1_session() call.
2816 * This does not free the session as refcount remains > 0
2818 SSL_SESSION_free(our_ssl_sessionid);
2822 * We check certificates to authenticate the server; otherwise we risk
2823 * man-in-the-middle attack; NEVERTHELESS, if we're told explicitly not to
2824 * verify the peer ignore faults and failures from the server cert
2828 result = servercert(conn, connssl,
2829 (data->set.ssl.verifypeer || data->set.ssl.verifyhost));
2832 connssl->connecting_state = ssl_connect_done;
2837 static Curl_recv ossl_recv;
2838 static Curl_send ossl_send;
2840 static CURLcode ossl_connect_common(struct connectdata *conn,
2846 struct SessionHandle *data = conn->data;
2847 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2848 curl_socket_t sockfd = conn->sock[sockindex];
2852 /* check if the connection has already been established */
2853 if(ssl_connection_complete == connssl->state) {
2858 if(ssl_connect_1 == connssl->connecting_state) {
2859 /* Find out how much more time we're allowed */
2860 timeout_ms = Curl_timeleft(data, NULL, TRUE);
2862 if(timeout_ms < 0) {
2863 /* no need to continue if time already is up */
2864 failf(data, "SSL connection timeout");
2865 return CURLE_OPERATION_TIMEDOUT;
2868 result = ossl_connect_step1(conn, sockindex);
2873 while(ssl_connect_2 == connssl->connecting_state ||
2874 ssl_connect_2_reading == connssl->connecting_state ||
2875 ssl_connect_2_writing == connssl->connecting_state) {
2877 /* check allowed time left */
2878 timeout_ms = Curl_timeleft(data, NULL, TRUE);
2880 if(timeout_ms < 0) {
2881 /* no need to continue if time already is up */
2882 failf(data, "SSL connection timeout");
2883 return CURLE_OPERATION_TIMEDOUT;
2886 /* if ssl is expecting something, check if it's available. */
2887 if(connssl->connecting_state == ssl_connect_2_reading ||
2888 connssl->connecting_state == ssl_connect_2_writing) {
2890 curl_socket_t writefd = ssl_connect_2_writing==
2891 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
2892 curl_socket_t readfd = ssl_connect_2_reading==
2893 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
2895 what = Curl_socket_ready(readfd, writefd, nonblocking?0:timeout_ms);
2898 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
2899 return CURLE_SSL_CONNECT_ERROR;
2901 else if(0 == what) {
2908 failf(data, "SSL connection timeout");
2909 return CURLE_OPERATION_TIMEDOUT;
2912 /* socket is readable or writable */
2915 /* Run transaction, and return to the caller if it failed or if this
2916 * connection is done nonblocking and this loop would execute again. This
2917 * permits the owner of a multi handle to abort a connection attempt
2918 * before step2 has completed while ensuring that a client using select()
2919 * or epoll() will always have a valid fdset to wait on.
2921 result = ossl_connect_step2(conn, sockindex);
2922 if(result || (nonblocking &&
2923 (ssl_connect_2 == connssl->connecting_state ||
2924 ssl_connect_2_reading == connssl->connecting_state ||
2925 ssl_connect_2_writing == connssl->connecting_state)))
2928 } /* repeat step2 until all transactions are done. */
2930 if(ssl_connect_3 == connssl->connecting_state) {
2931 result = ossl_connect_step3(conn, sockindex);
2936 if(ssl_connect_done == connssl->connecting_state) {
2937 connssl->state = ssl_connection_complete;
2938 conn->recv[sockindex] = ossl_recv;
2939 conn->send[sockindex] = ossl_send;
2945 /* Reset our connect state machine */
2946 connssl->connecting_state = ssl_connect_1;
2951 CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn,
2955 return ossl_connect_common(conn, sockindex, TRUE, done);
2958 CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex)
2963 result = ossl_connect_common(conn, sockindex, FALSE, &done);
2972 bool Curl_ossl_data_pending(const struct connectdata *conn, int connindex)
2974 if(conn->ssl[connindex].handle)
2976 return (0 != SSL_pending(conn->ssl[connindex].handle)) ? TRUE : FALSE;
2981 static ssize_t ossl_send(struct connectdata *conn,
2987 /* SSL_write() is said to return 'int' while write() and send() returns
2990 char error_buffer[120]; /* OpenSSL documents that this must be at least 120
2992 unsigned long sslerror;
2998 memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
2999 rc = SSL_write(conn->ssl[sockindex].handle, mem, memlen);
3002 err = SSL_get_error(conn->ssl[sockindex].handle, rc);
3005 case SSL_ERROR_WANT_READ:
3006 case SSL_ERROR_WANT_WRITE:
3007 /* The operation did not complete; the same TLS/SSL I/O function
3008 should be called again later. This is basically an EWOULDBLOCK
3010 *curlcode = CURLE_AGAIN;
3012 case SSL_ERROR_SYSCALL:
3013 failf(conn->data, "SSL_write() returned SYSCALL, errno = %d",
3015 *curlcode = CURLE_SEND_ERROR;
3018 /* A failure in the SSL library occurred, usually a protocol error.
3019 The OpenSSL error queue contains more information on the error. */
3020 sslerror = ERR_get_error();
3021 failf(conn->data, "SSL_write() error: %s",
3022 ERR_error_string(sslerror, error_buffer));
3023 *curlcode = CURLE_SEND_ERROR;
3027 failf(conn->data, "SSL_write() return error %d", err);
3028 *curlcode = CURLE_SEND_ERROR;
3031 *curlcode = CURLE_OK;
3032 return (ssize_t)rc; /* number of bytes */
3035 static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
3036 int num, /* socketindex */
3037 char *buf, /* store read data here */
3038 size_t buffersize, /* max amount to read */
3041 char error_buffer[120]; /* OpenSSL documents that this must be at
3042 least 120 bytes long. */
3043 unsigned long sslerror;
3049 buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
3050 nread = (ssize_t)SSL_read(conn->ssl[num].handle, buf, buffsize);
3052 /* failed SSL_read */
3053 int err = SSL_get_error(conn->ssl[num].handle, (int)nread);
3056 case SSL_ERROR_NONE: /* this is not an error */
3057 case SSL_ERROR_ZERO_RETURN: /* no more data */
3059 case SSL_ERROR_WANT_READ:
3060 case SSL_ERROR_WANT_WRITE:
3061 /* there's data pending, re-invoke SSL_read() */
3062 *curlcode = CURLE_AGAIN;
3065 /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
3067 /* https://www.openssl.org/docs/crypto/ERR_get_error.html */
3068 sslerror = ERR_get_error();
3069 if((nread < 0) || sslerror) {
3070 /* If the return code was negative or there actually is an error in the
3072 failf(conn->data, "SSL read: %s, errno %d",
3073 ERR_error_string(sslerror, error_buffer),
3075 *curlcode = CURLE_RECV_ERROR;
3083 size_t Curl_ossl_version(char *buffer, size_t size)
3085 #ifdef YASSL_VERSION
3086 /* yassl provides an OpenSSL API compatibility layer so it looks identical
3087 to OpenSSL in all other aspects */
3088 return snprintf(buffer, size, "yassl/%s", YASSL_VERSION);
3089 #else /* YASSL_VERSION */
3090 #ifdef OPENSSL_IS_BORINGSSL
3091 return snprintf(buffer, size, "BoringSSL");
3092 #else /* OPENSSL_IS_BORINGSSL */
3094 #if(OPENSSL_VERSION_NUMBER >= 0x905000)
3097 unsigned long ssleay_value;
3100 ssleay_value=SSLeay();
3101 if(ssleay_value < 0x906000) {
3102 ssleay_value=SSLEAY_VERSION_NUMBER;
3106 if(ssleay_value&0xff0) {
3107 int minor_ver = (ssleay_value >> 4) & 0xff;
3108 if(minor_ver > 26) {
3109 /* handle extended version introduced for 0.9.8za */
3110 sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
3114 sub[0]=(char)(((ssleay_value>>4)&0xff) + 'a' -1);
3121 return snprintf(buffer, size, "%s/%lx.%lx.%lx%s",
3122 #ifdef LIBRESSL_VERSION_NUMBER
3127 , (ssleay_value>>28)&0xf,
3128 (ssleay_value>>20)&0xff,
3129 (ssleay_value>>12)&0xff,
3133 #else /* OPENSSL_VERSION_NUMBER is less than 0.9.5 */
3135 #if(OPENSSL_VERSION_NUMBER >= 0x900000)
3136 return snprintf(buffer, size, "OpenSSL/%lx.%lx.%lx",
3137 (OPENSSL_VERSION_NUMBER>>28)&0xff,
3138 (OPENSSL_VERSION_NUMBER>>20)&0xff,
3139 (OPENSSL_VERSION_NUMBER>>12)&0xf);
3141 #else /* (OPENSSL_VERSION_NUMBER >= 0x900000) */
3145 if(OPENSSL_VERSION_NUMBER&0x0f) {
3146 sub[0]=(OPENSSL_VERSION_NUMBER&0x0f) + 'a' -1;
3151 return snprintf(buffer, size, "SSL/%x.%x.%x%s",
3152 (OPENSSL_VERSION_NUMBER>>12)&0xff,
3153 (OPENSSL_VERSION_NUMBER>>8)&0xf,
3154 (OPENSSL_VERSION_NUMBER>>4)&0xf, sub);
3156 #endif /* (OPENSSL_VERSION_NUMBER >= 0x900000) */
3157 #endif /* OPENSSL_VERSION_NUMBER is less than 0.9.5 */
3159 #endif /* OPENSSL_IS_BORINGSSL */
3160 #endif /* YASSL_VERSION */
3163 /* can be called with data == NULL */
3164 int Curl_ossl_random(struct SessionHandle *data, unsigned char *entropy,
3168 Curl_ossl_seed(data); /* Initiate the seed if not already done */
3170 RAND_bytes(entropy, curlx_uztosi(length));
3171 return 0; /* 0 as in no problem */
3174 void Curl_ossl_md5sum(unsigned char *tmp, /* input */
3176 unsigned char *md5sum /* output */,
3182 MD5_Update(&MD5pw, tmp, tmplen);
3183 MD5_Final(md5sum, &MD5pw);
3186 #ifndef OPENSSL_NO_SHA256
3187 void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
3189 unsigned char *sha256sum /* output */,
3192 SHA256_CTX SHA256pw;
3194 SHA256_Init(&SHA256pw);
3195 SHA256_Update(&SHA256pw, tmp, tmplen);
3196 SHA256_Final(sha256sum, &SHA256pw);
3200 bool Curl_ossl_cert_status_request(void)
3202 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
3203 !defined(OPENSSL_IS_BORINGSSL)
3209 #endif /* USE_OPENSSL */