1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at http://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
24 * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
25 * but vtls.c should ever call or use these functions.
29 * The original SSLeay-using code for curl was written by Linas Vepstas and
30 * Sampo Kellomaki 1998.
33 #include "curl_setup.h"
41 #include "formdata.h" /* for the boundary function */
42 #include "url.h" /* for the ssl config check function */
43 #include "inet_pton.h"
51 #include "hostcheck.h"
53 #define _MPRINTF_REPLACE /* use the internal *printf() functions */
54 #include <curl/mprintf.h>
59 #include <openssl/rand.h>
60 #include <openssl/x509v3.h>
61 #include <openssl/dsa.h>
62 #include <openssl/dh.h>
63 #include <openssl/err.h>
64 #include <openssl/md5.h>
65 #include <openssl/conf.h>
66 #include <openssl/bn.h>
74 #include "curl_memory.h"
75 #include "non-ascii.h" /* for Curl_convert_from_utf8 prototype */
77 /* The last #include file should be: */
80 #ifndef OPENSSL_VERSION_NUMBER
81 #error "OPENSSL_VERSION_NUMBER not defined"
84 #if OPENSSL_VERSION_NUMBER >= 0x0090581fL
85 #define HAVE_SSL_GET1_SESSION 1
87 #undef HAVE_SSL_GET1_SESSION
90 #if OPENSSL_VERSION_NUMBER >= 0x00904100L
91 #define HAVE_USERDATA_IN_PWD_CALLBACK 1
93 #undef HAVE_USERDATA_IN_PWD_CALLBACK
96 #if OPENSSL_VERSION_NUMBER >= 0x00907001L
97 /* ENGINE_load_private_key() takes four arguments */
98 #define HAVE_ENGINE_LOAD_FOUR_ARGS
99 #include <openssl/ui.h>
101 /* ENGINE_load_private_key() takes three arguments */
102 #undef HAVE_ENGINE_LOAD_FOUR_ARGS
105 #if (OPENSSL_VERSION_NUMBER >= 0x00903001L) && defined(HAVE_OPENSSL_PKCS12_H)
106 /* OpenSSL has PKCS 12 support */
107 #define HAVE_PKCS12_SUPPORT
109 /* OpenSSL/SSLEay does not have PKCS12 support */
110 #undef HAVE_PKCS12_SUPPORT
113 #if OPENSSL_VERSION_NUMBER >= 0x00906001L
114 #define HAVE_ERR_ERROR_STRING_N 1
117 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
118 #define SSL_METHOD_QUAL const
120 #define SSL_METHOD_QUAL
123 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
124 /* 0.9.6 didn't have X509_STORE_set_flags() */
125 #define HAVE_X509_STORE_SET_FLAGS 1
127 #define X509_STORE_set_flags(x,y) Curl_nop_stmt
130 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
131 #define HAVE_ERR_REMOVE_THREAD_STATE 1
134 #if !defined(HAVE_SSLV2_CLIENT_METHOD) || \
135 OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ has no SSLv2 */
136 #undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
137 #define OPENSSL_NO_SSL2
141 * Number of bytes to read from the random number seed file. This must be
142 * a finite value (because some entropy "files" like /dev/urandom have
143 * an infinite length), but must be large enough to provide enough
144 * entopy to properly seed OpenSSL's PRNG.
146 #define RAND_LOAD_LENGTH 1024
148 #ifndef HAVE_USERDATA_IN_PWD_CALLBACK
149 static char global_passwd[64];
152 static int passwd_callback(char *buf, int num, int encrypting
153 #ifdef HAVE_USERDATA_IN_PWD_CALLBACK
154 /* This was introduced in 0.9.4, we can set this
155 using SSL_CTX_set_default_passwd_cb_userdata()
157 , void *global_passwd
161 DEBUGASSERT(0 == encrypting);
164 int klen = curlx_uztosi(strlen((char *)global_passwd));
166 memcpy(buf, global_passwd, klen+1);
174 * rand_enough() is a function that returns TRUE if we have seeded the random
175 * engine properly. We use some preprocessor magic to provide a seed_enough()
176 * macro to use, just to prevent a compiler warning on this function if we
177 * pass in an argument that is never used.
180 #ifdef HAVE_RAND_STATUS
181 #define seed_enough(x) rand_enough()
182 static bool rand_enough(void)
184 return (0 != RAND_status()) ? TRUE : FALSE;
187 #define seed_enough(x) rand_enough(x)
188 static bool rand_enough(int nread)
190 /* this is a very silly decision to make */
191 return (nread > 500) ? TRUE : FALSE;
195 static int ossl_seed(struct SessionHandle *data)
197 char *buf = data->state.buffer; /* point to the big buffer */
200 /* Q: should we add support for a random file name as a libcurl option?
201 A: Yes, it is here */
204 /* if RANDOM_FILE isn't defined, we only perform this if an option tells
206 if(data->set.ssl.random_file)
207 #define RANDOM_FILE "" /* doesn't matter won't be used */
210 /* let the option override the define */
211 nread += RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
212 data->set.str[STRING_SSL_RANDOM_FILE]:
215 if(seed_enough(nread))
219 #if defined(HAVE_RAND_EGD)
220 /* only available in OpenSSL 0.9.5 and later */
221 /* EGD_SOCKET is set at configure time or not at all */
223 /* If we don't have the define set, we only do this if the egd-option
225 if(data->set.str[STRING_SSL_EGDSOCKET])
226 #define EGD_SOCKET "" /* doesn't matter won't be used */
229 /* If there's an option and a define, the option overrides the
231 int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
232 data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
235 if(seed_enough(nread))
241 /* If we get here, it means we need to seed the PRNG using a "silly"
244 unsigned char randb[64];
245 int len = sizeof(randb);
246 RAND_bytes(randb, len);
247 RAND_add(randb, len, (len >> 1));
248 } while(!RAND_status());
250 /* generates a default path for the random seed file */
251 buf[0]=0; /* blank it first */
252 RAND_file_name(buf, BUFSIZE);
254 /* we got a file name to try */
255 nread += RAND_load_file(buf, RAND_LOAD_LENGTH);
256 if(seed_enough(nread))
260 infof(data, "libcurl is now using a weak random seed!\n");
264 static int Curl_ossl_seed(struct SessionHandle *data)
266 /* we have the "SSL is seeded" boolean static to prevent multiple
267 time-consuming seedings in vain */
268 static bool ssl_seeded = FALSE;
270 if(!ssl_seeded || data->set.str[STRING_SSL_RANDOM_FILE] ||
271 data->set.str[STRING_SSL_EGDSOCKET]) {
279 #ifndef SSL_FILETYPE_ENGINE
280 #define SSL_FILETYPE_ENGINE 42
282 #ifndef SSL_FILETYPE_PKCS12
283 #define SSL_FILETYPE_PKCS12 43
285 static int do_file_type(const char *type)
287 if(!type || !type[0])
288 return SSL_FILETYPE_PEM;
289 if(Curl_raw_equal(type, "PEM"))
290 return SSL_FILETYPE_PEM;
291 if(Curl_raw_equal(type, "DER"))
292 return SSL_FILETYPE_ASN1;
293 if(Curl_raw_equal(type, "ENG"))
294 return SSL_FILETYPE_ENGINE;
295 if(Curl_raw_equal(type, "P12"))
296 return SSL_FILETYPE_PKCS12;
300 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_FOUR_ARGS)
302 * Supply default password to the engine user interface conversation.
303 * The password is passed by OpenSSL engine from ENGINE_load_private_key()
304 * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
306 static int ssl_ui_reader(UI *ui, UI_STRING *uis)
308 const char *password;
309 switch(UI_get_string_type(uis)) {
312 password = (const char*)UI_get0_user_data(ui);
313 if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
314 UI_set_result(ui, uis, password);
320 return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
324 * Suppress interactive request for a default password if available.
326 static int ssl_ui_writer(UI *ui, UI_STRING *uis)
328 switch(UI_get_string_type(uis)) {
331 if(UI_get0_user_data(ui) &&
332 (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
338 return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
343 int cert_stuff(struct connectdata *conn,
346 const char *cert_type,
348 const char *key_type)
350 struct SessionHandle *data = conn->data;
352 int file_type = do_file_type(cert_type);
354 if(cert_file || (file_type == SSL_FILETYPE_ENGINE)) {
359 if(data->set.str[STRING_KEY_PASSWD]) {
360 #ifndef HAVE_USERDATA_IN_PWD_CALLBACK
362 * If password has been given, we store that in the global
363 * area (*shudder*) for a while:
365 size_t len = strlen(data->set.str[STRING_KEY_PASSWD]);
366 if(len < sizeof(global_passwd))
367 memcpy(global_passwd, data->set.str[STRING_KEY_PASSWD], len+1);
369 global_passwd[0] = '\0';
372 * We set the password in the callback userdata
374 SSL_CTX_set_default_passwd_cb_userdata(ctx,
375 data->set.str[STRING_KEY_PASSWD]);
377 /* Set passwd callback: */
378 SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
382 #define SSL_CLIENT_CERT_ERR \
383 "unable to use client certificate (no key found or wrong pass phrase?)"
386 case SSL_FILETYPE_PEM:
387 /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
388 if(SSL_CTX_use_certificate_chain_file(ctx,
390 failf(data, SSL_CLIENT_CERT_ERR);
395 case SSL_FILETYPE_ASN1:
396 /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
397 we use the case above for PEM so this can only be performed with
399 if(SSL_CTX_use_certificate_file(ctx,
402 failf(data, SSL_CLIENT_CERT_ERR);
406 case SSL_FILETYPE_ENGINE:
407 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
409 if(data->state.engine) {
410 const char *cmd_name = "LOAD_CERT_CTRL";
416 params.cert_id = cert_file;
419 /* Does the engine supports LOAD_CERT_CTRL ? */
420 if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
421 0, (void *)cmd_name, NULL)) {
422 failf(data, "ssl engine does not support loading certificates");
426 /* Load the certificate from the engine */
427 if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
428 0, ¶ms, NULL, 1)) {
429 failf(data, "ssl engine cannot load client cert with id"
430 " '%s' [%s]", cert_file,
431 ERR_error_string(ERR_get_error(), NULL));
436 failf(data, "ssl engine didn't initialized the certificate "
441 if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
442 failf(data, "unable to set client certificate");
443 X509_free(params.cert);
446 X509_free(params.cert); /* we don't need the handle any more... */
449 failf(data, "crypto engine not set, can't load certificate");
455 failf(data, "file type ENG for certificate not implemented");
459 case SSL_FILETYPE_PKCS12:
461 #ifdef HAVE_PKCS12_SUPPORT
465 STACK_OF(X509) *ca = NULL;
468 f = fopen(cert_file,"rb");
470 failf(data, "could not open PKCS12 file '%s'", cert_file);
473 p12 = d2i_PKCS12_fp(f, NULL);
477 failf(data, "error reading PKCS12 file '%s'", cert_file );
483 if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
486 "could not parse PKCS12 file, check password, OpenSSL error %s",
487 ERR_error_string(ERR_get_error(), NULL) );
494 if(SSL_CTX_use_certificate(ctx, x509) != 1) {
495 failf(data, SSL_CLIENT_CERT_ERR);
499 if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
500 failf(data, "unable to use private key from PKCS12 file '%s'",
505 if(!SSL_CTX_check_private_key (ctx)) {
506 failf(data, "private key from PKCS12 file '%s' "
507 "does not match certificate in same file", cert_file);
510 /* Set Certificate Verification chain */
511 if(ca && sk_X509_num(ca)) {
512 for(i = 0; i < sk_X509_num(ca); i++) {
514 * Note that sk_X509_pop() is used below to make sure the cert is
515 * removed from the stack properly before getting passed to
516 * SSL_CTX_add_extra_chain_cert(). Previously we used
517 * sk_X509_value() instead, but then we'd clean it in the subsequent
518 * sk_X509_pop_free() call.
520 X509 *x = sk_X509_pop(ca);
521 if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
522 failf(data, "cannot add certificate to certificate chain");
525 /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
526 * presumably because it duplicates what we pass to it.
528 if(!SSL_CTX_add_client_CA(ctx, x)) {
529 failf(data, "cannot add certificate to client CA list");
539 sk_X509_pop_free(ca, X509_free);
542 return 0; /* failure! */
545 failf(data, "file type P12 for certificate not supported");
550 failf(data, "not supported file type '%s' for certificate", cert_type);
554 file_type = do_file_type(key_type);
557 case SSL_FILETYPE_PEM:
561 /* cert & key can only be in PEM case in the same file */
563 case SSL_FILETYPE_ASN1:
564 if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {
565 failf(data, "unable to set private key file: '%s' type %s",
566 key_file, key_type?key_type:"PEM");
570 case SSL_FILETYPE_ENGINE:
571 #ifdef HAVE_OPENSSL_ENGINE_H
572 { /* XXXX still needs some work */
573 EVP_PKEY *priv_key = NULL;
574 if(data->state.engine) {
575 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
576 UI_METHOD *ui_method =
577 UI_create_method((char *)"cURL user interface");
579 failf(data, "unable do create OpenSSL user-interface method");
582 UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
583 UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
584 UI_method_set_reader(ui_method, ssl_ui_reader);
585 UI_method_set_writer(ui_method, ssl_ui_writer);
587 /* the typecast below was added to please mingw32 */
588 priv_key = (EVP_PKEY *)
589 ENGINE_load_private_key(data->state.engine,key_file,
590 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
593 data->set.str[STRING_KEY_PASSWD]);
594 #ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
595 UI_destroy_method(ui_method);
598 failf(data, "failed to load private key from crypto engine");
601 if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
602 failf(data, "unable to set private key");
603 EVP_PKEY_free(priv_key);
606 EVP_PKEY_free(priv_key); /* we don't need the handle any more... */
609 failf(data, "crypto engine not set, can't load private key");
615 failf(data, "file type ENG for private key not supported");
618 case SSL_FILETYPE_PKCS12:
620 failf(data, "file type P12 for private key not supported");
625 failf(data, "not supported file type for private key");
631 failf(data,"unable to create an SSL structure");
635 x509=SSL_get_certificate(ssl);
637 /* This version was provided by Evan Jordan and is supposed to not
638 leak memory as the previous version: */
640 EVP_PKEY *pktmp = X509_get_pubkey(x509);
641 EVP_PKEY_copy_parameters(pktmp,SSL_get_privatekey(ssl));
642 EVP_PKEY_free(pktmp);
647 /* If we are using DSA, we can copy the parameters from
651 /* Now we know that a key and cert have been set against
653 if(!SSL_CTX_check_private_key(ctx)) {
654 failf(data, "Private key does not match the certificate public key");
657 #ifndef HAVE_USERDATA_IN_PWD_CALLBACK
659 memset(global_passwd, 0, sizeof(global_passwd));
665 /* returns non-zero on failure */
666 static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
669 return X509_NAME_oneline(a, buf, size);
671 BIO *bio_out = BIO_new(BIO_s_mem());
676 return 1; /* alloc failed! */
678 rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
679 BIO_get_mem_ptr(bio_out, &biomem);
681 if((size_t)biomem->length < size)
682 size = biomem->length;
684 size--; /* don't overwrite the buffer end */
686 memcpy(buf, biomem->data, size);
696 int cert_verify_callback(int ok, X509_STORE_CTX *ctx)
701 err_cert=X509_STORE_CTX_get_current_cert(ctx);
702 (void)x509_name_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
706 /* Return error string for last OpenSSL error
708 static char *SSL_strerror(unsigned long error, char *buf, size_t size)
710 #ifdef HAVE_ERR_ERROR_STRING_N
711 /* OpenSSL 0.9.6 and later has a function named
712 ERRO_error_string_n() that takes the size of the buffer as a
714 ERR_error_string_n(error, buf, size);
717 ERR_error_string(error, buf);
722 #endif /* USE_SSLEAY */
728 * @retval 0 error initializing SSL
729 * @retval 1 SSL initialized successfully
731 int Curl_ossl_init(void)
733 #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
734 ENGINE_load_builtin_engines();
737 /* Lets get nice error messages */
738 SSL_load_error_strings();
740 /* Init the global ciphers and digests */
741 if(!SSLeay_add_ssl_algorithms())
744 OpenSSL_add_all_algorithms();
747 /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately
748 that function makes an exit() call on wrongly formatted config files
749 which makes it hard to use in some situations. OPENSSL_config() itself
750 calls CONF_modules_load_file() and we use that instead and we ignore
753 /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and
755 #ifndef CONF_MFLAGS_DEFAULT_SECTION
756 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
759 (void)CONF_modules_load_file(NULL, NULL,
760 CONF_MFLAGS_DEFAULT_SECTION|
761 CONF_MFLAGS_IGNORE_MISSING_FILE);
766 #endif /* USE_SSLEAY */
771 void Curl_ossl_cleanup(void)
773 /* Free ciphers and digests lists */
776 #ifdef HAVE_ENGINE_CLEANUP
777 /* Free engine list */
781 #ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
782 /* Free OpenSSL ex_data table */
783 CRYPTO_cleanup_all_ex_data();
786 /* Free OpenSSL error strings */
789 /* Free thread local error state, destroying hash upon zero refcount */
790 #ifdef HAVE_ERR_REMOVE_THREAD_STATE
791 ERR_remove_thread_state(NULL);
798 * This function uses SSL_peek to determine connection status.
801 * 1 means the connection is still in place
802 * 0 means the connection has been closed
803 * -1 means the connection status is unknown
805 int Curl_ossl_check_cxn(struct connectdata *conn)
810 rc = SSL_peek(conn->ssl[FIRSTSOCKET].handle, (void*)&buf, 1);
812 return 1; /* connection still in place */
815 return 0; /* connection has been closed */
817 return -1; /* connection status unknown */
820 /* Selects an OpenSSL crypto engine
822 CURLcode Curl_ossl_set_engine(struct SessionHandle *data, const char *engine)
824 #if defined(USE_SSLEAY) && defined(HAVE_OPENSSL_ENGINE_H)
827 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
828 e = ENGINE_by_id(engine);
830 /* avoid memory leak */
831 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
832 const char *e_id = ENGINE_get_id(e);
833 if(!strcmp(engine, e_id))
839 failf(data, "SSL Engine '%s' not found", engine);
840 return CURLE_SSL_ENGINE_NOTFOUND;
843 if(data->state.engine) {
844 ENGINE_finish(data->state.engine);
845 ENGINE_free(data->state.engine);
846 data->state.engine = NULL;
848 if(!ENGINE_init(e)) {
852 failf(data, "Failed to initialise SSL Engine '%s':\n%s",
853 engine, SSL_strerror(ERR_get_error(), buf, sizeof(buf)));
854 return CURLE_SSL_ENGINE_INITFAILED;
856 data->state.engine = e;
860 failf(data, "SSL Engine not supported");
861 return CURLE_SSL_ENGINE_NOTFOUND;
865 /* Sets engine as default for all SSL operations
867 CURLcode Curl_ossl_set_engine_default(struct SessionHandle *data)
869 #ifdef HAVE_OPENSSL_ENGINE_H
870 if(data->state.engine) {
871 if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
872 infof(data,"set default crypto engine '%s'\n",
873 ENGINE_get_id(data->state.engine));
876 failf(data, "set default crypto engine '%s' failed",
877 ENGINE_get_id(data->state.engine));
878 return CURLE_SSL_ENGINE_SETFAILED;
887 /* Return list of OpenSSL crypto engine names.
889 struct curl_slist *Curl_ossl_engines_list(struct SessionHandle *data)
891 struct curl_slist *list = NULL;
892 #if defined(USE_SSLEAY) && defined(HAVE_OPENSSL_ENGINE_H)
893 struct curl_slist *beg;
896 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
897 beg = curl_slist_append(list, ENGINE_get_id(e));
899 curl_slist_free_all(list);
911 * This function is called when an SSL connection is closed.
913 void Curl_ossl_close(struct connectdata *conn, int sockindex)
915 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
917 if(connssl->handle) {
918 (void)SSL_shutdown(connssl->handle);
919 SSL_set_connect_state(connssl->handle);
921 SSL_free (connssl->handle);
922 connssl->handle = NULL;
925 SSL_CTX_free (connssl->ctx);
931 * This function is called to shut down the SSL layer but keep the
932 * socket open (CCC - Clear Command Channel)
934 int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
937 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
938 struct SessionHandle *data = conn->data;
939 char buf[120]; /* We will use this for the OpenSSL error buffer, so it has
940 to be at least 120 bytes long. */
941 unsigned long sslerror;
947 /* This has only been tested on the proftpd server, and the mod_tls code
948 sends a close notify alert without waiting for a close notify alert in
949 response. Thus we wait for a close notify alert from the server, but
950 we do not send one. Let's hope other servers do the same... */
952 if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
953 (void)SSL_shutdown(connssl->handle);
955 if(connssl->handle) {
956 buffsize = (int)sizeof(buf);
958 int what = Curl_socket_ready(conn->sock[sockindex],
959 CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
963 /* Something to read, let's do it and hope that it is the close
964 notify alert from the server */
965 nread = (ssize_t)SSL_read(conn->ssl[sockindex].handle, buf,
967 err = SSL_get_error(conn->ssl[sockindex].handle, (int)nread);
970 case SSL_ERROR_NONE: /* this is not an error */
971 case SSL_ERROR_ZERO_RETURN: /* no more data */
972 /* This is the expected response. There was no data but only
973 the close notify alert */
976 case SSL_ERROR_WANT_READ:
977 /* there's data pending, re-invoke SSL_read() */
978 infof(data, "SSL_ERROR_WANT_READ\n");
980 case SSL_ERROR_WANT_WRITE:
981 /* SSL wants a write. Really odd. Let's bail out. */
982 infof(data, "SSL_ERROR_WANT_WRITE\n");
986 /* openssl/ssl.h says "look at error stack/return value/errno" */
987 sslerror = ERR_get_error();
988 failf(conn->data, "SSL read: %s, errno %d",
989 ERR_error_string(sslerror, buf),
997 failf(data, "SSL shutdown timeout");
1001 /* anything that gets here is fatally bad */
1002 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
1006 } /* while()-loop for the select() */
1008 if(data->set.verbose) {
1009 #ifdef HAVE_SSL_GET_SHUTDOWN
1010 switch(SSL_get_shutdown(connssl->handle)) {
1011 case SSL_SENT_SHUTDOWN:
1012 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n");
1014 case SSL_RECEIVED_SHUTDOWN:
1015 infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n");
1017 case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN:
1018 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|"
1019 "SSL_RECEIVED__SHUTDOWN\n");
1025 SSL_free (connssl->handle);
1026 connssl->handle = NULL;
1031 void Curl_ossl_session_free(void *ptr)
1034 SSL_SESSION_free(ptr);
1038 * This function is called when the 'data' struct is going away. Close
1039 * down everything and free all resources!
1041 void Curl_ossl_close_all(struct SessionHandle *data)
1043 #ifdef HAVE_OPENSSL_ENGINE_H
1044 if(data->state.engine) {
1045 ENGINE_finish(data->state.engine);
1046 ENGINE_free(data->state.engine);
1047 data->state.engine = NULL;
1054 static int asn1_output(const ASN1_UTCTIME *tm,
1058 const char *asn1_string;
1061 int year=0,month=0,day=0,hour=0,minute=0,second=0;
1064 asn1_string=(const char *)tm->data;
1068 if(asn1_string[i-1] == 'Z')
1071 if((asn1_string[i] > '9') || (asn1_string[i] < '0'))
1074 year= (asn1_string[0]-'0')*10+(asn1_string[1]-'0');
1078 month= (asn1_string[2]-'0')*10+(asn1_string[3]-'0');
1079 if((month > 12) || (month < 1))
1082 day= (asn1_string[4]-'0')*10+(asn1_string[5]-'0');
1083 hour= (asn1_string[6]-'0')*10+(asn1_string[7]-'0');
1084 minute= (asn1_string[8]-'0')*10+(asn1_string[9]-'0');
1086 if((asn1_string[10] >= '0') && (asn1_string[10] <= '9') &&
1087 (asn1_string[11] >= '0') && (asn1_string[11] <= '9'))
1088 second= (asn1_string[10]-'0')*10+(asn1_string[11]-'0');
1090 snprintf(buf, sizeofbuf,
1091 "%04d-%02d-%02d %02d:%02d:%02d %s",
1092 year+1900, month, day, hour, minute, second, (gmt?"GMT":""));
1097 /* ====================================================== */
1100 /* Quote from RFC2818 section 3.1 "Server Identity"
1102 If a subjectAltName extension of type dNSName is present, that MUST
1103 be used as the identity. Otherwise, the (most specific) Common Name
1104 field in the Subject field of the certificate MUST be used. Although
1105 the use of the Common Name is existing practice, it is deprecated and
1106 Certification Authorities are encouraged to use the dNSName instead.
1108 Matching is performed using the matching rules specified by
1109 [RFC2459]. If more than one identity of a given type is present in
1110 the certificate (e.g., more than one dNSName name, a match in any one
1111 of the set is considered acceptable.) Names may contain the wildcard
1112 character * which is considered to match any single domain name
1113 component or component fragment. E.g., *.a.com matches foo.a.com but
1114 not bar.foo.a.com. f*.com matches foo.com but not bar.com.
1116 In some cases, the URI is specified as an IP address rather than a
1117 hostname. In this case, the iPAddress subjectAltName must be present
1118 in the certificate and must exactly match the IP in the URI.
1121 static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
1123 int matched = -1; /* -1 is no alternative match yet, 1 means match and 0
1125 int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
1127 struct SessionHandle *data = conn->data;
1128 STACK_OF(GENERAL_NAME) *altnames;
1130 struct in6_addr addr;
1132 struct in_addr addr;
1134 CURLcode result = CURLE_OK;
1137 if(conn->bits.ipv6_ip &&
1138 Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
1140 addrlen = sizeof(struct in6_addr);
1144 if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
1146 addrlen = sizeof(struct in_addr);
1149 /* get a "list" of alternative names */
1150 altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
1156 /* get amount of alternatives, RFC2459 claims there MUST be at least
1157 one, but we don't depend on it... */
1158 numalts = sk_GENERAL_NAME_num(altnames);
1160 /* loop through all alternatives while none has matched */
1161 for(i=0; (i<numalts) && (matched != 1); i++) {
1162 /* get a handle to alternative name number i */
1163 const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
1165 /* only check alternatives of the same type the target is */
1166 if(check->type == target) {
1167 /* get data and length */
1168 const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
1169 size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
1172 case GEN_DNS: /* name/pattern comparison */
1173 /* The OpenSSL man page explicitly says: "In general it cannot be
1174 assumed that the data returned by ASN1_STRING_data() is null
1175 terminated or does not contain embedded nulls." But also that
1176 "The actual format of the data will depend on the actual string
1177 type itself: for example for and IA5String the data will be ASCII"
1179 Gisle researched the OpenSSL sources:
1180 "I checked the 0.9.6 and 0.9.8 sources before my patch and
1181 it always 0-terminates an IA5String."
1183 if((altlen == strlen(altptr)) &&
1184 /* if this isn't true, there was an embedded zero in the name
1185 string and we cannot match it. */
1186 Curl_cert_hostcheck(altptr, conn->host.name))
1192 case GEN_IPADD: /* IP address comparison */
1193 /* compare alternative IP address if the data chunk is the same size
1194 our server IP address is */
1195 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen))
1203 GENERAL_NAMES_free(altnames);
1207 /* an alternative name matched the server hostname */
1208 infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
1209 else if(matched == 0) {
1210 /* an alternative name field existed, but didn't match and then
1212 infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
1213 failf(data, "SSL: no alternative certificate subject name matches "
1214 "target host name '%s'", conn->host.dispname);
1215 result = CURLE_PEER_FAILED_VERIFICATION;
1218 /* we have to look to the last occurrence of a commonName in the
1219 distinguished one to get the most significant one. */
1222 /* The following is done because of a bug in 0.9.6b */
1224 unsigned char *nulstr = (unsigned char *)"";
1225 unsigned char *peer_CN = nulstr;
1227 X509_NAME *name = X509_get_subject_name(server_cert) ;
1229 while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i))>=0)
1232 /* we have the name entry and we will now convert this to a string
1233 that we can use for comparison. Doing this we support BMPstring,
1237 ASN1_STRING *tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name,i));
1239 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
1240 is already UTF-8 encoded. We check for this case and copy the raw
1241 string manually to avoid the problem. This code can be made
1242 conditional in the future when OpenSSL has been fixed. Work-around
1243 brought by Alexis S. L. Carvalho. */
1245 if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
1246 j = ASN1_STRING_length(tmp);
1248 peer_CN = OPENSSL_malloc(j+1);
1250 memcpy(peer_CN, ASN1_STRING_data(tmp), j);
1255 else /* not a UTF8 name */
1256 j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
1258 if(peer_CN && (curlx_uztosi(strlen((char *)peer_CN)) != j)) {
1259 /* there was a terminating zero before the end of string, this
1260 cannot match and we return failure! */
1261 failf(data, "SSL: illegal cert name field");
1262 result = CURLE_PEER_FAILED_VERIFICATION;
1267 if(peer_CN == nulstr)
1270 /* convert peer_CN from UTF8 */
1271 CURLcode rc = Curl_convert_from_utf8(data, peer_CN, strlen(peer_CN));
1272 /* Curl_convert_from_utf8 calls failf if unsuccessful */
1274 OPENSSL_free(peer_CN);
1280 /* error already detected, pass through */
1284 "SSL: unable to obtain common name from peer certificate");
1285 result = CURLE_PEER_FAILED_VERIFICATION;
1287 else if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
1288 failf(data, "SSL: certificate subject name '%s' does not match "
1289 "target host name '%s'", peer_CN, conn->host.dispname);
1290 result = CURLE_PEER_FAILED_VERIFICATION;
1293 infof(data, "\t common name: %s (matched)\n", peer_CN);
1296 OPENSSL_free(peer_CN);
1301 #endif /* USE_SSLEAY */
1303 /* The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions
1304 and thus this cannot be done there. */
1305 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1307 static const char *ssl_msg_type(int ssl_ver, int msg)
1309 #ifdef SSL2_VERSION_MAJOR
1310 if(ssl_ver == SSL2_VERSION_MAJOR) {
1314 case SSL2_MT_CLIENT_HELLO:
1315 return "Client hello";
1316 case SSL2_MT_CLIENT_MASTER_KEY:
1317 return "Client key";
1318 case SSL2_MT_CLIENT_FINISHED:
1319 return "Client finished";
1320 case SSL2_MT_SERVER_HELLO:
1321 return "Server hello";
1322 case SSL2_MT_SERVER_VERIFY:
1323 return "Server verify";
1324 case SSL2_MT_SERVER_FINISHED:
1325 return "Server finished";
1326 case SSL2_MT_REQUEST_CERTIFICATE:
1327 return "Request CERT";
1328 case SSL2_MT_CLIENT_CERTIFICATE:
1329 return "Client CERT";
1334 if(ssl_ver == SSL3_VERSION_MAJOR) {
1336 case SSL3_MT_HELLO_REQUEST:
1337 return "Hello request";
1338 case SSL3_MT_CLIENT_HELLO:
1339 return "Client hello";
1340 case SSL3_MT_SERVER_HELLO:
1341 return "Server hello";
1342 case SSL3_MT_CERTIFICATE:
1344 case SSL3_MT_SERVER_KEY_EXCHANGE:
1345 return "Server key exchange";
1346 case SSL3_MT_CLIENT_KEY_EXCHANGE:
1347 return "Client key exchange";
1348 case SSL3_MT_CERTIFICATE_REQUEST:
1349 return "Request CERT";
1350 case SSL3_MT_SERVER_DONE:
1351 return "Server finished";
1352 case SSL3_MT_CERTIFICATE_VERIFY:
1353 return "CERT verify";
1354 case SSL3_MT_FINISHED:
1361 static const char *tls_rt_type(int type)
1364 type == SSL3_RT_CHANGE_CIPHER_SPEC ? "TLS change cipher, " :
1365 type == SSL3_RT_ALERT ? "TLS alert, " :
1366 type == SSL3_RT_HANDSHAKE ? "TLS handshake, " :
1367 type == SSL3_RT_APPLICATION_DATA ? "TLS app data, " :
1373 * Our callback from the SSL/TLS layers.
1375 static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
1376 const void *buf, size_t len, const SSL *ssl,
1377 struct connectdata *conn)
1379 struct SessionHandle *data;
1380 const char *msg_name, *tls_rt_name;
1383 int msg_type, txt_len;
1386 if(!conn || !conn->data || !conn->data->set.fdebug ||
1387 (direction != 0 && direction != 1))
1393 #ifdef SSL2_VERSION_MAJOR /* removed in recent versions */
1394 case SSL2_VERSION_MAJOR:
1406 #ifdef TLS1_1_VERSION
1407 case TLS1_1_VERSION:
1411 #ifdef TLS1_2_VERSION
1412 case TLS1_2_VERSION:
1417 snprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
1422 ssl_ver >>= 8; /* check the upper 8 bits only below */
1424 /* SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL
1425 * always pass-up content-type as 0. But the interesting message-type
1428 if(ssl_ver == SSL3_VERSION_MAJOR && content_type != 0)
1429 tls_rt_name = tls_rt_type(content_type);
1433 msg_type = *(char*)buf;
1434 msg_name = ssl_msg_type(ssl_ver, msg_type);
1436 txt_len = snprintf(ssl_buf, sizeof(ssl_buf), "%s, %s%s (%d):\n",
1437 verstr, tls_rt_name, msg_name, msg_type);
1438 Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len, NULL);
1440 Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
1441 CURLINFO_SSL_DATA_IN, (char *)buf, len, NULL);
1447 /* ====================================================== */
1449 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1450 # define use_sni(x) sni = (x)
1452 # define use_sni(x) Curl_nop_stmt
1457 /* Check for OpenSSL 1.0.2 which has ALPN support. */
1459 #if OPENSSL_VERSION_NUMBER >= 0x10002000L \
1460 && !defined(OPENSSL_NO_TLSEXT)
1464 /* Check for OpenSSL 1.0.1 which has NPN support. */
1466 #if OPENSSL_VERSION_NUMBER >= 0x10001000L \
1467 && !defined(OPENSSL_NO_TLSEXT) \
1468 && !defined(OPENSSL_NO_NEXTPROTONEG)
1475 * in is a list of lenght prefixed strings. this function has to select
1476 * the protocol we want to use from the list and write its string into out.
1479 select_next_proto_cb(SSL *ssl,
1480 unsigned char **out, unsigned char *outlen,
1481 const unsigned char *in, unsigned int inlen,
1484 struct connectdata *conn = (struct connectdata*) arg;
1485 int retval = nghttp2_select_next_protocol(out, outlen, in, inlen);
1490 infof(conn->data, "NPN, negotiated HTTP2 (%s)\n",
1491 NGHTTP2_PROTO_VERSION_ID);
1492 conn->negnpn = NPN_HTTP2;
1494 else if(retval == 0) {
1495 infof(conn->data, "NPN, negotiated HTTP1.1\n");
1496 conn->negnpn = NPN_HTTP1_1;
1499 infof(conn->data, "NPN, no overlap, use HTTP1.1\n",
1500 NGHTTP2_PROTO_VERSION_ID);
1501 *out = (unsigned char*)"http/1.1";
1502 *outlen = sizeof("http/1.1") - 1;
1503 conn->negnpn = NPN_HTTP1_1;
1506 return SSL_TLSEXT_ERR_OK;
1508 #endif /* HAS_NPN */
1510 #endif /* USE_NGHTTP2 */
1513 get_ssl_version_txt(SSL_SESSION *session)
1518 switch(session->ssl_version) {
1519 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1520 case TLS1_2_VERSION:
1522 case TLS1_1_VERSION:
1535 static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
1537 CURLcode result = CURLE_OK;
1539 struct SessionHandle *data = conn->data;
1540 SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
1541 void *ssl_sessionid = NULL;
1542 X509_LOOKUP *lookup = NULL;
1543 curl_socket_t sockfd = conn->sock[sockindex];
1544 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1546 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1549 struct in6_addr addr;
1551 struct in_addr addr;
1555 unsigned char protocols[128];
1558 DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
1560 /* Make funny stuff to get random input */
1561 Curl_ossl_seed(data);
1563 data->set.ssl.certverifyresult = !X509_V_OK;
1565 /* check to see if we've been told to use an explicit SSL/TLS version */
1567 switch(data->set.ssl.version) {
1569 case CURL_SSLVERSION_DEFAULT:
1570 case CURL_SSLVERSION_TLSv1:
1571 case CURL_SSLVERSION_TLSv1_0:
1572 case CURL_SSLVERSION_TLSv1_1:
1573 case CURL_SSLVERSION_TLSv1_2:
1574 /* it will be handled later with the context options */
1575 req_method = SSLv23_client_method();
1578 case CURL_SSLVERSION_SSLv2:
1579 #ifdef OPENSSL_NO_SSL2
1580 failf(data, "OpenSSL was built without SSLv2 support");
1581 return CURLE_NOT_BUILT_IN;
1584 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
1585 return CURLE_SSL_CONNECT_ERROR;
1587 req_method = SSLv2_client_method();
1591 case CURL_SSLVERSION_SSLv3:
1593 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
1594 return CURLE_SSL_CONNECT_ERROR;
1596 req_method = SSLv3_client_method();
1602 SSL_CTX_free(connssl->ctx);
1603 connssl->ctx = SSL_CTX_new(req_method);
1606 failf(data, "SSL: couldn't create a context: %s",
1607 ERR_error_string(ERR_peek_error(), NULL));
1608 return CURLE_OUT_OF_MEMORY;
1611 #ifdef SSL_MODE_RELEASE_BUFFERS
1612 SSL_CTX_set_mode(connssl->ctx, SSL_MODE_RELEASE_BUFFERS);
1615 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1616 if(data->set.fdebug && data->set.verbose) {
1617 /* the SSL trace callback is only used for verbose logging so we only
1618 inform about failures of setting it */
1619 if(!SSL_CTX_callback_ctrl(connssl->ctx, SSL_CTRL_SET_MSG_CALLBACK,
1620 (void (*)(void))ssl_tls_trace)) {
1621 infof(data, "SSL: couldn't set callback!\n");
1623 else if(!SSL_CTX_ctrl(connssl->ctx, SSL_CTRL_SET_MSG_CALLBACK_ARG, 0,
1625 infof(data, "SSL: couldn't set callback argument!\n");
1630 /* OpenSSL contains code to work-around lots of bugs and flaws in various
1631 SSL-implementations. SSL_CTX_set_options() is used to enabled those
1632 work-arounds. The man page for this option states that SSL_OP_ALL enables
1633 all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
1634 enable the bug workaround options if compatibility with somewhat broken
1635 implementations is desired."
1637 The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
1638 disable "rfc4507bis session ticket support". rfc4507bis was later turned
1639 into the proper RFC5077 it seems: http://tools.ietf.org/html/rfc5077
1641 The enabled extension concerns the session management. I wonder how often
1642 libcurl stops a connection and then resumes a TLS session. also, sending
1643 the session data is some overhead. .I suggest that you just use your
1644 proposed patch (which explicitly disables TICKET).
1646 If someone writes an application with libcurl and openssl who wants to
1647 enable the feature, one can do this in the SSL callback.
1649 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
1650 interoperability with web server Netscape Enterprise Server 2.0.1 which
1651 was released back in 1996.
1653 Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
1654 become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
1655 CVE-2010-4180 when using previous OpenSSL versions we no longer enable
1656 this option regardless of OpenSSL version and SSL_OP_ALL definition.
1658 OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
1659 (http://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
1660 SSL_OP_ALL that _disables_ that work-around despite the fact that
1661 SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
1662 keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
1666 ctx_options = SSL_OP_ALL;
1668 #ifdef SSL_OP_NO_TICKET
1669 ctx_options |= SSL_OP_NO_TICKET;
1672 #ifdef SSL_OP_NO_COMPRESSION
1673 ctx_options |= SSL_OP_NO_COMPRESSION;
1676 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1677 /* mitigate CVE-2010-4180 */
1678 ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
1681 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1682 /* unless the user explicitly ask to allow the protocol vulnerability we
1683 use the work-around */
1684 if(!conn->data->set.ssl_enable_beast)
1685 ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1688 switch(data->set.ssl.version) {
1689 case CURL_SSLVERSION_SSLv3:
1691 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
1692 infof(data, "Set version TLSv1.x for SRP authorisation\n");
1695 ctx_options |= SSL_OP_NO_SSLv2;
1696 ctx_options |= SSL_OP_NO_TLSv1;
1697 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1698 ctx_options |= SSL_OP_NO_TLSv1_1;
1699 ctx_options |= SSL_OP_NO_TLSv1_2;
1703 case CURL_SSLVERSION_DEFAULT:
1704 case CURL_SSLVERSION_TLSv1:
1705 ctx_options |= SSL_OP_NO_SSLv2;
1706 ctx_options |= SSL_OP_NO_SSLv3;
1709 case CURL_SSLVERSION_TLSv1_0:
1710 ctx_options |= SSL_OP_NO_SSLv2;
1711 ctx_options |= SSL_OP_NO_SSLv3;
1712 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1713 ctx_options |= SSL_OP_NO_TLSv1_1;
1714 ctx_options |= SSL_OP_NO_TLSv1_2;
1718 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1719 case CURL_SSLVERSION_TLSv1_1:
1720 ctx_options |= SSL_OP_NO_SSLv2;
1721 ctx_options |= SSL_OP_NO_SSLv3;
1722 ctx_options |= SSL_OP_NO_TLSv1;
1723 ctx_options |= SSL_OP_NO_TLSv1_2;
1726 case CURL_SSLVERSION_TLSv1_2:
1727 ctx_options |= SSL_OP_NO_SSLv2;
1728 ctx_options |= SSL_OP_NO_SSLv3;
1729 ctx_options |= SSL_OP_NO_TLSv1;
1730 ctx_options |= SSL_OP_NO_TLSv1_1;
1734 #ifndef OPENSSL_NO_SSL2
1735 case CURL_SSLVERSION_SSLv2:
1736 ctx_options |= SSL_OP_NO_SSLv3;
1737 ctx_options |= SSL_OP_NO_TLSv1;
1738 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1739 ctx_options |= SSL_OP_NO_TLSv1_1;
1740 ctx_options |= SSL_OP_NO_TLSv1_2;
1746 failf(data, "Unsupported SSL protocol version");
1747 return CURLE_SSL_CONNECT_ERROR;
1750 SSL_CTX_set_options(connssl->ctx, ctx_options);
1753 if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
1755 if(data->set.ssl_enable_npn) {
1756 SSL_CTX_set_next_proto_select_cb(connssl->ctx, select_next_proto_cb,
1762 if(data->set.ssl_enable_alpn) {
1763 protocols[0] = NGHTTP2_PROTO_VERSION_ID_LEN;
1764 memcpy(&protocols[1], NGHTTP2_PROTO_VERSION_ID,
1765 NGHTTP2_PROTO_VERSION_ID_LEN);
1767 protocols[NGHTTP2_PROTO_VERSION_ID_LEN+1] = ALPN_HTTP_1_1_LENGTH;
1768 memcpy(&protocols[NGHTTP2_PROTO_VERSION_ID_LEN+2], ALPN_HTTP_1_1,
1769 ALPN_HTTP_1_1_LENGTH);
1771 /* expects length prefixed preference ordered list of protocols in wire
1774 SSL_CTX_set_alpn_protos(connssl->ctx, protocols,
1775 NGHTTP2_PROTO_VERSION_ID_LEN + ALPN_HTTP_1_1_LENGTH + 2);
1777 infof(data, "ALPN, offering %s, %s\n", NGHTTP2_PROTO_VERSION_ID,
1779 connssl->asked_for_h2 = TRUE;
1785 if(data->set.str[STRING_CERT] || data->set.str[STRING_CERT_TYPE]) {
1786 if(!cert_stuff(conn,
1788 data->set.str[STRING_CERT],
1789 data->set.str[STRING_CERT_TYPE],
1790 data->set.str[STRING_KEY],
1791 data->set.str[STRING_KEY_TYPE])) {
1792 /* failf() is already done in cert_stuff() */
1793 return CURLE_SSL_CERTPROBLEM;
1797 ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
1799 ciphers = (char *)DEFAULT_CIPHER_SELECTION;
1800 if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
1801 failf(data, "failed setting cipher list: %s", ciphers);
1802 return CURLE_SSL_CIPHER;
1806 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
1807 infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
1809 if(!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) {
1810 failf(data, "Unable to set SRP user name");
1811 return CURLE_BAD_FUNCTION_ARGUMENT;
1813 if(!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) {
1814 failf(data, "failed setting SRP password");
1815 return CURLE_BAD_FUNCTION_ARGUMENT;
1817 if(!data->set.str[STRING_SSL_CIPHER_LIST]) {
1818 infof(data, "Setting cipher list SRP\n");
1820 if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
1821 failf(data, "failed setting SRP cipher list");
1822 return CURLE_SSL_CIPHER;
1827 if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
1828 /* tell SSL where to find CA certificates that are used to verify
1829 the servers certificate. */
1830 if(!SSL_CTX_load_verify_locations(connssl->ctx,
1831 data->set.str[STRING_SSL_CAFILE],
1832 data->set.str[STRING_SSL_CAPATH])) {
1833 if(data->set.ssl.verifypeer) {
1834 /* Fail if we insist on successfully verifying the server. */
1835 failf(data,"error setting certificate verify locations:\n"
1836 " CAfile: %s\n CApath: %s",
1837 data->set.str[STRING_SSL_CAFILE]?
1838 data->set.str[STRING_SSL_CAFILE]: "none",
1839 data->set.str[STRING_SSL_CAPATH]?
1840 data->set.str[STRING_SSL_CAPATH] : "none");
1841 return CURLE_SSL_CACERT_BADFILE;
1844 /* Just continue with a warning if no strict certificate verification
1846 infof(data, "error setting certificate verify locations,"
1847 " continuing anyway:\n");
1851 /* Everything is fine. */
1852 infof(data, "successfully set certificate verify locations:\n");
1857 data->set.str[STRING_SSL_CAFILE] ? data->set.str[STRING_SSL_CAFILE]:
1859 data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
1863 if(data->set.str[STRING_SSL_CRLFILE]) {
1864 /* tell SSL where to find CRL file that is used to check certificate
1866 lookup=X509_STORE_add_lookup(SSL_CTX_get_cert_store(connssl->ctx),
1867 X509_LOOKUP_file());
1869 (!X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE],
1870 X509_FILETYPE_PEM)) ) {
1871 failf(data,"error loading CRL file: %s",
1872 data->set.str[STRING_SSL_CRLFILE]);
1873 return CURLE_SSL_CRL_BADFILE;
1876 /* Everything is fine. */
1877 infof(data, "successfully load CRL file:\n");
1878 X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
1879 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1882 " CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ?
1883 data->set.str[STRING_SSL_CRLFILE]: "none");
1886 /* SSL always tries to verify the peer, this only says whether it should
1887 * fail to connect if the verification fails, or if it should continue
1888 * anyway. In the latter case the result of the verification is checked with
1889 * SSL_get_verify_result() below. */
1890 SSL_CTX_set_verify(connssl->ctx,
1891 data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
1892 cert_verify_callback);
1894 /* give application a chance to interfere with SSL set up. */
1895 if(data->set.ssl.fsslctx) {
1896 result = (*data->set.ssl.fsslctx)(data, connssl->ctx,
1897 data->set.ssl.fsslctxp);
1899 failf(data,"error signaled by ssl ctx callback");
1904 /* Lets make an SSL structure */
1906 SSL_free(connssl->handle);
1907 connssl->handle = SSL_new(connssl->ctx);
1908 if(!connssl->handle) {
1909 failf(data, "SSL: couldn't create a context (handle)!");
1910 return CURLE_OUT_OF_MEMORY;
1912 SSL_set_connect_state(connssl->handle);
1914 connssl->server_cert = 0x0;
1916 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1917 if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
1919 (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
1922 !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
1923 infof(data, "WARNING: failed to configure server name indication (SNI) "
1927 /* Check if there's a cached ID we can/should use here! */
1928 if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
1929 /* we got a session id, use it! */
1930 if(!SSL_set_session(connssl->handle, ssl_sessionid)) {
1931 failf(data, "SSL: SSL_set_session failed: %s",
1932 ERR_error_string(ERR_get_error(),NULL));
1933 return CURLE_SSL_CONNECT_ERROR;
1935 /* Informational message */
1936 infof (data, "SSL re-using session ID\n");
1939 /* pass the raw socket into the SSL layers */
1940 if(!SSL_set_fd(connssl->handle, (int)sockfd)) {
1941 failf(data, "SSL: SSL_set_fd failed: %s",
1942 ERR_error_string(ERR_get_error(),NULL));
1943 return CURLE_SSL_CONNECT_ERROR;
1946 connssl->connecting_state = ssl_connect_2;
1951 static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
1953 struct SessionHandle *data = conn->data;
1955 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1956 DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
1957 || ssl_connect_2_reading == connssl->connecting_state
1958 || ssl_connect_2_writing == connssl->connecting_state);
1962 err = SSL_connect(connssl->handle);
1965 0 is "not successful but was shut down controlled"
1966 <0 is "handshake was not successful, because a fatal error occurred" */
1968 int detail = SSL_get_error(connssl->handle, err);
1970 if(SSL_ERROR_WANT_READ == detail) {
1971 connssl->connecting_state = ssl_connect_2_reading;
1974 else if(SSL_ERROR_WANT_WRITE == detail) {
1975 connssl->connecting_state = ssl_connect_2_writing;
1979 /* untreated error */
1980 unsigned long errdetail;
1981 char error_buffer[256]; /* OpenSSL documents that this must be at least
1984 const char *cert_problem = NULL;
1987 connssl->connecting_state = ssl_connect_2; /* the connection failed,
1988 we're not waiting for
1991 errdetail = ERR_get_error(); /* Gets the earliest error code from the
1992 thread's error queue and removes the
1999 SSL2_SET_CERTIFICATE:
2000 certificate verify failed */
2005 SSL3_GET_SERVER_CERTIFICATE:
2006 certificate verify failed */
2007 result = CURLE_SSL_CACERT;
2009 lerr = SSL_get_verify_result(connssl->handle);
2010 if(lerr != X509_V_OK) {
2011 snprintf(error_buffer, sizeof(error_buffer),
2012 "SSL certificate problem: %s",
2013 X509_verify_cert_error_string(lerr));
2016 cert_problem = "SSL certificate problem, verify that the CA cert is"
2021 result = CURLE_SSL_CONNECT_ERROR;
2022 SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
2026 /* detail is already set to the SSL error above */
2028 /* If we e.g. use SSLv2 request-method and the server doesn't like us
2029 * (RST connection etc.), OpenSSL gives no explanation whatsoever and
2030 * the SO_ERROR is also lost.
2032 if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
2033 failf(data, "Unknown SSL protocol error in connection to %s:%ld ",
2034 conn->host.name, conn->remote_port);
2038 /* Could be a CERT problem */
2039 failf(data, "%s%s", cert_problem ? cert_problem : "", error_buffer);
2045 /* we have been connected fine, we're not waiting for anything else. */
2046 connssl->connecting_state = ssl_connect_3;
2048 /* Informational message */
2049 infof(data, "SSL connection using %s / %s\n",
2050 get_ssl_version_txt(SSL_get_session(connssl->handle)),
2051 SSL_get_cipher(connssl->handle));
2054 /* Sets data and len to negotiated protocol, len is 0 if no protocol was
2057 if(data->set.ssl_enable_alpn) {
2058 const unsigned char* neg_protocol;
2060 SSL_get0_alpn_selected(connssl->handle, &neg_protocol, &len);
2062 infof(data, "ALPN, server accepted to use %.*s\n", len, neg_protocol);
2064 if(len == NGHTTP2_PROTO_VERSION_ID_LEN &&
2065 memcmp(NGHTTP2_PROTO_VERSION_ID, neg_protocol, len) == 0) {
2066 conn->negnpn = NPN_HTTP2;
2069 ALPN_HTTP_1_1_LENGTH && memcmp(ALPN_HTTP_1_1,
2071 ALPN_HTTP_1_1_LENGTH) == 0) {
2072 conn->negnpn = NPN_HTTP1_1;
2075 else if(connssl->asked_for_h2)
2076 infof(data, "ALPN, server did not agree to a protocol\n");
2084 static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
2088 if((ilen = (int)len) < 0)
2089 return 1; /* buffer too big */
2091 i = i2t_ASN1_OBJECT(buf, ilen, a);
2094 return 1; /* buffer too small */
2099 static void pubkey_show(struct SessionHandle *data,
2112 buffer = malloc(left);
2115 snprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
2116 for(i=0; i< len; i++) {
2117 snprintf(ptr, left, "%02x:", raw[i]);
2121 infof(data, " %s: %s\n", namebuf, buffer);
2122 Curl_ssl_push_certinfo(data, num, namebuf, buffer);
2127 #define print_pubkey_BN(_type, _name, _num) \
2129 if(pubkey->pkey._type->_name) { \
2130 int len = BN_num_bytes(pubkey->pkey._type->_name); \
2131 if(len < CERTBUFFERSIZE) { \
2132 BN_bn2bin(pubkey->pkey._type->_name, (unsigned char*)bufp); \
2134 pubkey_show(data, _num, #_type, #_name, (unsigned char*)bufp, len); \
2139 static int X509V3_ext(struct SessionHandle *data,
2141 STACK_OF(X509_EXTENSION) *exts)
2146 if(sk_X509_EXTENSION_num(exts) <= 0)
2147 /* no extensions, bail out */
2150 for(i=0; i<sk_X509_EXTENSION_num(exts); i++) {
2152 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
2157 BIO *bio_out = BIO_new(BIO_s_mem());
2162 obj = X509_EXTENSION_get_object(ext);
2164 asn1_object_dump(obj, namebuf, sizeof(namebuf));
2166 infof(data, "%s: %s\n", namebuf,
2167 X509_EXTENSION_get_critical(ext)?"(critical)":"");
2169 if(!X509V3_EXT_print(bio_out, ext, 0, 0))
2170 M_ASN1_OCTET_STRING_print(bio_out, ext->value);
2172 BIO_get_mem_ptr(bio_out, &biomem);
2174 /* biomem->length bytes at biomem->data, this little loop here is only
2175 done for the infof() call, we send the "raw" data to the certinfo
2177 for(j=0; j<(size_t)biomem->length; j++) {
2179 if(biomem->data[j] == '\n') {
2181 j++; /* skip the newline */
2183 while((j<(size_t)biomem->length) && (biomem->data[j] == ' '))
2185 if(j<(size_t)biomem->length)
2186 ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep,
2189 infof(data, " %s\n", buf);
2191 Curl_ssl_push_certinfo(data, certnum, namebuf, buf);
2196 return 0; /* all is fine */
2200 static void X509_signature(struct SessionHandle *data,
2208 for(i=0; i<sig->length; i++)
2209 ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%02x:", sig->data[i]);
2211 infof(data, " Signature: %s\n", buf);
2212 Curl_ssl_push_certinfo(data, numcert, "Signature", buf);
2215 static void dumpcert(struct SessionHandle *data, X509 *x, int numcert)
2217 BIO *bio_out = BIO_new(BIO_s_mem());
2220 /* this outputs the cert in this 64 column wide style with newlines and
2221 -----BEGIN CERTIFICATE----- texts and more */
2222 PEM_write_bio_X509(bio_out, x);
2224 BIO_get_mem_ptr(bio_out, &biomem);
2226 Curl_ssl_push_certinfo_len(data, numcert,
2227 "Cert", biomem->data, biomem->length);
2233 * This size was previously 512 which has been reported "too small" without
2234 * any specifics, so it was enlarged to allow more data to get shown uncut.
2235 * The "perfect" size is yet to figure out.
2237 #define CERTBUFFERSIZE 8192
2239 static CURLcode get_cert_chain(struct connectdata *conn,
2240 struct ssl_connect_data *connssl)
2247 struct SessionHandle *data = conn->data;
2250 bufp = malloc(CERTBUFFERSIZE);
2252 return CURLE_OUT_OF_MEMORY;
2254 sk = SSL_get_peer_cert_chain(connssl->handle);
2257 return CURLE_OUT_OF_MEMORY;
2260 numcerts = sk_X509_num(sk);
2262 result = Curl_ssl_init_certinfo(data, numcerts);
2268 infof(data, "--- Certificate chain\n");
2269 for(i=0; i<numcerts; i++) {
2272 ASN1_TIME *certdate;
2274 /* get the certs in "importance order" */
2276 X509 *x = sk_X509_value(sk, numcerts - i - 1);
2278 X509 *x = sk_X509_value(sk, i);
2282 EVP_PKEY *pubkey=NULL;
2286 (void)x509_name_oneline(X509_get_subject_name(x), bufp, CERTBUFFERSIZE);
2287 infof(data, "%2d Subject: %s\n", i, bufp);
2288 Curl_ssl_push_certinfo(data, i, "Subject", bufp);
2290 (void)x509_name_oneline(X509_get_issuer_name(x), bufp, CERTBUFFERSIZE);
2291 infof(data, " Issuer: %s\n", bufp);
2292 Curl_ssl_push_certinfo(data, i, "Issuer", bufp);
2294 value = X509_get_version(x);
2295 infof(data, " Version: %lu (0x%lx)\n", value+1, value);
2296 snprintf(bufp, CERTBUFFERSIZE, "%lx", value);
2297 Curl_ssl_push_certinfo(data, i, "Version", bufp); /* hex */
2299 num=X509_get_serialNumber(x);
2300 if(num->length <= 4) {
2301 value = ASN1_INTEGER_get(num);
2302 infof(data," Serial Number: %ld (0x%lx)\n", value, value);
2303 snprintf(bufp, CERTBUFFERSIZE, "%lx", value);
2306 int left = CERTBUFFERSIZE;
2310 if(num->type == V_ASN1_NEG_INTEGER)
2313 for(j=0; (j<num->length) && (left>=4); j++) {
2314 /* TODO: length restrictions */
2315 snprintf(ptr, 3, "%02x%c",num->data[j],
2316 ((j+1 == num->length)?'\n':':'));
2321 infof(data," Serial Number: %s\n", bufp);
2326 Curl_ssl_push_certinfo(data, i, "Serial Number", bufp); /* hex */
2328 cinf = x->cert_info;
2330 j = asn1_object_dump(cinf->signature->algorithm, bufp, CERTBUFFERSIZE);
2332 infof(data, " Signature Algorithm: %s\n", bufp);
2333 Curl_ssl_push_certinfo(data, i, "Signature Algorithm", bufp);
2336 certdate = X509_get_notBefore(x);
2337 asn1_output(certdate, bufp, CERTBUFFERSIZE);
2338 infof(data, " Start date: %s\n", bufp);
2339 Curl_ssl_push_certinfo(data, i, "Start date", bufp);
2341 certdate = X509_get_notAfter(x);
2342 asn1_output(certdate, bufp, CERTBUFFERSIZE);
2343 infof(data, " Expire date: %s\n", bufp);
2344 Curl_ssl_push_certinfo(data, i, "Expire date", bufp);
2346 j = asn1_object_dump(cinf->key->algor->algorithm, bufp, CERTBUFFERSIZE);
2348 infof(data, " Public Key Algorithm: %s\n", bufp);
2349 Curl_ssl_push_certinfo(data, i, "Public Key Algorithm", bufp);
2352 pubkey = X509_get_pubkey(x);
2354 infof(data, " Unable to load public key\n");
2356 switch(pubkey->type) {
2358 infof(data, " RSA Public Key (%d bits)\n",
2359 BN_num_bits(pubkey->pkey.rsa->n));
2360 snprintf(bufp, CERTBUFFERSIZE, "%d", BN_num_bits(pubkey->pkey.rsa->n));
2361 Curl_ssl_push_certinfo(data, i, "RSA Public Key", bufp);
2363 print_pubkey_BN(rsa, n, i);
2364 print_pubkey_BN(rsa, e, i);
2365 print_pubkey_BN(rsa, d, i);
2366 print_pubkey_BN(rsa, p, i);
2367 print_pubkey_BN(rsa, q, i);
2368 print_pubkey_BN(rsa, dmp1, i);
2369 print_pubkey_BN(rsa, dmq1, i);
2370 print_pubkey_BN(rsa, iqmp, i);
2373 print_pubkey_BN(dsa, p, i);
2374 print_pubkey_BN(dsa, q, i);
2375 print_pubkey_BN(dsa, g, i);
2376 print_pubkey_BN(dsa, priv_key, i);
2377 print_pubkey_BN(dsa, pub_key, i);
2380 print_pubkey_BN(dh, p, i);
2381 print_pubkey_BN(dh, g, i);
2382 print_pubkey_BN(dh, priv_key, i);
2383 print_pubkey_BN(dh, pub_key, i);
2386 case EVP_PKEY_EC: /* symbol not present in OpenSSL 0.9.6 */
2391 EVP_PKEY_free(pubkey);
2394 X509V3_ext(data, i, cinf->extensions);
2396 X509_signature(data, i, x->signature);
2398 dumpcert(data, x, i);
2407 * Heavily modified from:
2408 * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
2410 static CURLcode pkp_pin_peer_pubkey(X509* cert, const char *pinnedpubkey)
2413 int len1 = 0, len2 = 0;
2414 unsigned char *buff1 = NULL, *temp = NULL;
2416 /* Result is returned to caller */
2417 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
2419 /* if a path wasn't specified, don't pin */
2427 /* Begin Gyrations to get the subjectPublicKeyInfo */
2428 /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
2430 /* http://groups.google.com/group/mailing.openssl.users/browse_thread
2431 /thread/d61858dae102c6c7 */
2432 len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
2436 /* http://www.openssl.org/docs/crypto/buffer.html */
2437 buff1 = temp = OPENSSL_malloc(len1);
2441 /* http://www.openssl.org/docs/crypto/d2i_X509.html */
2442 len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
2445 * These checks are verifying we got back the same values as when we
2446 * sized the buffer.Its pretty weak since they should always be the
2447 * same. But it gives us something to test.
2449 if((len1 != len2) || !temp || ((temp - buff1) != len1))
2454 /* The one good exit point */
2455 result = Curl_pin_peer_pubkey(pinnedpubkey, buff1, len1);
2458 /* http://www.openssl.org/docs/crypto/buffer.html */
2460 OPENSSL_free(buff1);
2466 * Get the server cert, verify it and show it etc, only call failf() if the
2467 * 'strict' argument is TRUE as otherwise all this is for informational
2470 * We check certificates to authenticate the server; otherwise we risk
2471 * man-in-the-middle attack.
2473 static CURLcode servercert(struct connectdata *conn,
2474 struct ssl_connect_data *connssl,
2477 CURLcode result = CURLE_OK;
2480 ASN1_TIME *certdate;
2481 struct SessionHandle *data = conn->data;
2484 char *buffer = data->state.buffer;
2487 if(data->set.ssl.certinfo)
2488 /* we've been asked to gather certificate info! */
2489 (void)get_cert_chain(conn, connssl);
2491 connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
2492 if(!connssl->server_cert) {
2494 failf(data, "SSL: couldn't get peer certificate!");
2495 return CURLE_PEER_FAILED_VERIFICATION;
2498 infof(data, "Server certificate:\n");
2500 rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
2502 infof(data, "\t subject: %s\n", rc?"[NONE]":buffer);
2504 certdate = X509_get_notBefore(connssl->server_cert);
2505 asn1_output(certdate, buffer, BUFSIZE);
2506 infof(data, "\t start date: %s\n", buffer);
2508 certdate = X509_get_notAfter(connssl->server_cert);
2509 asn1_output(certdate, buffer, BUFSIZE);
2510 infof(data, "\t expire date: %s\n", buffer);
2512 if(data->set.ssl.verifyhost) {
2513 result = verifyhost(conn, connssl->server_cert);
2515 X509_free(connssl->server_cert);
2516 connssl->server_cert = NULL;
2521 rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert),
2525 failf(data, "SSL: couldn't get X509-issuer name!");
2526 result = CURLE_SSL_CONNECT_ERROR;
2529 infof(data, "\t issuer: %s\n", buffer);
2531 /* We could do all sorts of certificate verification stuff here before
2532 deallocating the certificate. */
2534 /* e.g. match issuer name with provided issuer certificate */
2535 if(data->set.str[STRING_SSL_ISSUERCERT]) {
2536 fp = fopen(data->set.str[STRING_SSL_ISSUERCERT], "r");
2539 failf(data, "SSL: Unable to open issuer cert (%s)",
2540 data->set.str[STRING_SSL_ISSUERCERT]);
2541 X509_free(connssl->server_cert);
2542 connssl->server_cert = NULL;
2543 return CURLE_SSL_ISSUER_ERROR;
2546 issuer = PEM_read_X509(fp, NULL, ZERO_NULL, NULL);
2549 failf(data, "SSL: Unable to read issuer cert (%s)",
2550 data->set.str[STRING_SSL_ISSUERCERT]);
2551 X509_free(connssl->server_cert);
2554 return CURLE_SSL_ISSUER_ERROR;
2559 if(X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) {
2561 failf(data, "SSL: Certificate issuer check failed (%s)",
2562 data->set.str[STRING_SSL_ISSUERCERT]);
2563 X509_free(connssl->server_cert);
2565 connssl->server_cert = NULL;
2566 return CURLE_SSL_ISSUER_ERROR;
2569 infof(data, "\t SSL certificate issuer check ok (%s)\n",
2570 data->set.str[STRING_SSL_ISSUERCERT]);
2574 lerr = data->set.ssl.certverifyresult =
2575 SSL_get_verify_result(connssl->handle);
2577 if(data->set.ssl.certverifyresult != X509_V_OK) {
2578 if(data->set.ssl.verifypeer) {
2579 /* We probably never reach this, because SSL_connect() will fail
2580 and we return earlier if verifypeer is set? */
2582 failf(data, "SSL certificate verify result: %s (%ld)",
2583 X509_verify_cert_error_string(lerr), lerr);
2584 result = CURLE_PEER_FAILED_VERIFICATION;
2587 infof(data, "\t SSL certificate verify result: %s (%ld),"
2588 " continuing anyway.\n",
2589 X509_verify_cert_error_string(lerr), lerr);
2592 infof(data, "\t SSL certificate verify ok.\n");
2595 ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
2596 if(!result && ptr) {
2597 result = pkp_pin_peer_pubkey(connssl->server_cert, ptr);
2599 failf(data, "SSL: public key does not match pinned public key!");
2602 X509_free(connssl->server_cert);
2603 connssl->server_cert = NULL;
2604 connssl->connecting_state = ssl_connect_done;
2609 static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
2611 CURLcode result = CURLE_OK;
2612 void *old_ssl_sessionid = NULL;
2613 struct SessionHandle *data = conn->data;
2614 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2616 SSL_SESSION *our_ssl_sessionid;
2618 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
2620 #ifdef HAVE_SSL_GET1_SESSION
2621 our_ssl_sessionid = SSL_get1_session(connssl->handle);
2623 /* SSL_get1_session() will increment the reference
2624 count and the session will stay in memory until explicitly freed with
2625 SSL_SESSION_free(3), regardless of its state.
2626 This function was introduced in openssl 0.9.5a. */
2628 our_ssl_sessionid = SSL_get_session(connssl->handle);
2630 /* if SSL_get1_session() is unavailable, use SSL_get_session().
2631 This is an inferior option because the session can be flushed
2632 at any time by openssl. It is included only so curl compiles
2633 under versions of openssl < 0.9.5a.
2635 WARNING: How curl behaves if it's session is flushed is
2640 incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL));
2642 if(old_ssl_sessionid != our_ssl_sessionid) {
2643 infof(data, "old SSL session ID is stale, removing\n");
2644 Curl_ssl_delsessionid(conn, old_ssl_sessionid);
2650 result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
2651 0 /* unknown size */);
2653 failf(data, "failed to store ssl session");
2657 #ifdef HAVE_SSL_GET1_SESSION
2659 /* Session was incache, so refcount already incremented earlier.
2660 * Avoid further increments with each SSL_get1_session() call.
2661 * This does not free the session as refcount remains > 0
2663 SSL_SESSION_free(our_ssl_sessionid);
2668 * We check certificates to authenticate the server; otherwise we risk
2669 * man-in-the-middle attack; NEVERTHELESS, if we're told explicitly not to
2670 * verify the peer ignore faults and failures from the server cert
2674 if(!data->set.ssl.verifypeer && !data->set.ssl.verifyhost)
2675 (void)servercert(conn, connssl, FALSE);
2677 result = servercert(conn, connssl, TRUE);
2680 connssl->connecting_state = ssl_connect_done;
2685 static Curl_recv ossl_recv;
2686 static Curl_send ossl_send;
2688 static CURLcode ossl_connect_common(struct connectdata *conn,
2694 struct SessionHandle *data = conn->data;
2695 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2696 curl_socket_t sockfd = conn->sock[sockindex];
2700 /* check if the connection has already been established */
2701 if(ssl_connection_complete == connssl->state) {
2706 if(ssl_connect_1 == connssl->connecting_state) {
2707 /* Find out how much more time we're allowed */
2708 timeout_ms = Curl_timeleft(data, NULL, TRUE);
2710 if(timeout_ms < 0) {
2711 /* no need to continue if time already is up */
2712 failf(data, "SSL connection timeout");
2713 return CURLE_OPERATION_TIMEDOUT;
2716 result = ossl_connect_step1(conn, sockindex);
2721 while(ssl_connect_2 == connssl->connecting_state ||
2722 ssl_connect_2_reading == connssl->connecting_state ||
2723 ssl_connect_2_writing == connssl->connecting_state) {
2725 /* check allowed time left */
2726 timeout_ms = Curl_timeleft(data, NULL, TRUE);
2728 if(timeout_ms < 0) {
2729 /* no need to continue if time already is up */
2730 failf(data, "SSL connection timeout");
2731 return CURLE_OPERATION_TIMEDOUT;
2734 /* if ssl is expecting something, check if it's available. */
2735 if(connssl->connecting_state == ssl_connect_2_reading ||
2736 connssl->connecting_state == ssl_connect_2_writing) {
2738 curl_socket_t writefd = ssl_connect_2_writing==
2739 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
2740 curl_socket_t readfd = ssl_connect_2_reading==
2741 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
2743 what = Curl_socket_ready(readfd, writefd, nonblocking?0:timeout_ms);
2746 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
2747 return CURLE_SSL_CONNECT_ERROR;
2749 else if(0 == what) {
2756 failf(data, "SSL connection timeout");
2757 return CURLE_OPERATION_TIMEDOUT;
2760 /* socket is readable or writable */
2763 /* Run transaction, and return to the caller if it failed or if this
2764 * connection is done nonblocking and this loop would execute again. This
2765 * permits the owner of a multi handle to abort a connection attempt
2766 * before step2 has completed while ensuring that a client using select()
2767 * or epoll() will always have a valid fdset to wait on.
2769 result = ossl_connect_step2(conn, sockindex);
2770 if(result || (nonblocking &&
2771 (ssl_connect_2 == connssl->connecting_state ||
2772 ssl_connect_2_reading == connssl->connecting_state ||
2773 ssl_connect_2_writing == connssl->connecting_state)))
2776 } /* repeat step2 until all transactions are done. */
2778 if(ssl_connect_3 == connssl->connecting_state) {
2779 result = ossl_connect_step3(conn, sockindex);
2784 if(ssl_connect_done == connssl->connecting_state) {
2785 connssl->state = ssl_connection_complete;
2786 conn->recv[sockindex] = ossl_recv;
2787 conn->send[sockindex] = ossl_send;
2793 /* Reset our connect state machine */
2794 connssl->connecting_state = ssl_connect_1;
2799 CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn,
2803 return ossl_connect_common(conn, sockindex, TRUE, done);
2806 CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex)
2811 result = ossl_connect_common(conn, sockindex, FALSE, &done);
2820 bool Curl_ossl_data_pending(const struct connectdata *conn, int connindex)
2822 if(conn->ssl[connindex].handle)
2824 return (0 != SSL_pending(conn->ssl[connindex].handle)) ? TRUE : FALSE;
2829 static ssize_t ossl_send(struct connectdata *conn,
2835 /* SSL_write() is said to return 'int' while write() and send() returns
2838 char error_buffer[120]; /* OpenSSL documents that this must be at least 120
2840 unsigned long sslerror;
2846 memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
2847 rc = SSL_write(conn->ssl[sockindex].handle, mem, memlen);
2850 err = SSL_get_error(conn->ssl[sockindex].handle, rc);
2853 case SSL_ERROR_WANT_READ:
2854 case SSL_ERROR_WANT_WRITE:
2855 /* The operation did not complete; the same TLS/SSL I/O function
2856 should be called again later. This is basically an EWOULDBLOCK
2858 *curlcode = CURLE_AGAIN;
2860 case SSL_ERROR_SYSCALL:
2861 failf(conn->data, "SSL_write() returned SYSCALL, errno = %d",
2863 *curlcode = CURLE_SEND_ERROR;
2866 /* A failure in the SSL library occurred, usually a protocol error.
2867 The OpenSSL error queue contains more information on the error. */
2868 sslerror = ERR_get_error();
2869 failf(conn->data, "SSL_write() error: %s",
2870 ERR_error_string(sslerror, error_buffer));
2871 *curlcode = CURLE_SEND_ERROR;
2875 failf(conn->data, "SSL_write() return error %d", err);
2876 *curlcode = CURLE_SEND_ERROR;
2879 *curlcode = CURLE_OK;
2880 return (ssize_t)rc; /* number of bytes */
2883 static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
2884 int num, /* socketindex */
2885 char *buf, /* store read data here */
2886 size_t buffersize, /* max amount to read */
2889 char error_buffer[120]; /* OpenSSL documents that this must be at
2890 least 120 bytes long. */
2891 unsigned long sslerror;
2897 buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
2898 nread = (ssize_t)SSL_read(conn->ssl[num].handle, buf, buffsize);
2900 /* failed SSL_read */
2901 int err = SSL_get_error(conn->ssl[num].handle, (int)nread);
2904 case SSL_ERROR_NONE: /* this is not an error */
2905 case SSL_ERROR_ZERO_RETURN: /* no more data */
2907 case SSL_ERROR_WANT_READ:
2908 case SSL_ERROR_WANT_WRITE:
2909 /* there's data pending, re-invoke SSL_read() */
2910 *curlcode = CURLE_AGAIN;
2913 /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
2915 /* http://www.openssl.org/docs/crypto/ERR_get_error.html */
2916 sslerror = ERR_get_error();
2917 if((nread < 0) || sslerror) {
2918 /* If the return code was negative or there actually is an error in the
2920 failf(conn->data, "SSL read: %s, errno %d",
2921 ERR_error_string(sslerror, error_buffer),
2923 *curlcode = CURLE_RECV_ERROR;
2931 size_t Curl_ossl_version(char *buffer, size_t size)
2933 #ifdef YASSL_VERSION
2934 /* yassl provides an OpenSSL API compatibility layer so it looks identical
2935 to OpenSSL in all other aspects */
2936 return snprintf(buffer, size, "yassl/%s", YASSL_VERSION);
2937 #else /* YASSL_VERSION */
2939 #if(SSLEAY_VERSION_NUMBER >= 0x905000)
2942 unsigned long ssleay_value;
2945 ssleay_value=SSLeay();
2946 if(ssleay_value < 0x906000) {
2947 ssleay_value=SSLEAY_VERSION_NUMBER;
2951 if(ssleay_value&0xff0) {
2952 int minor_ver = (ssleay_value >> 4) & 0xff;
2953 if(minor_ver > 26) {
2954 /* handle extended version introduced for 0.9.8za */
2955 sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
2959 sub[0]=(char)(((ssleay_value>>4)&0xff) + 'a' -1);
2966 return snprintf(buffer, size, "%s/%lx.%lx.%lx%s",
2967 #ifdef OPENSSL_IS_BORINGSSL
2970 #ifdef LIBRESSL_VERSION_NUMBER
2976 , (ssleay_value>>28)&0xf,
2977 (ssleay_value>>20)&0xff,
2978 (ssleay_value>>12)&0xff,
2982 #else /* SSLEAY_VERSION_NUMBER is less than 0.9.5 */
2984 #if(SSLEAY_VERSION_NUMBER >= 0x900000)
2985 return snprintf(buffer, size, "OpenSSL/%lx.%lx.%lx",
2986 (SSLEAY_VERSION_NUMBER>>28)&0xff,
2987 (SSLEAY_VERSION_NUMBER>>20)&0xff,
2988 (SSLEAY_VERSION_NUMBER>>12)&0xf);
2990 #else /* (SSLEAY_VERSION_NUMBER >= 0x900000) */
2994 if(SSLEAY_VERSION_NUMBER&0x0f) {
2995 sub[0]=(SSLEAY_VERSION_NUMBER&0x0f) + 'a' -1;
3000 return snprintf(buffer, size, "SSL/%x.%x.%x%s",
3001 (SSLEAY_VERSION_NUMBER>>12)&0xff,
3002 (SSLEAY_VERSION_NUMBER>>8)&0xf,
3003 (SSLEAY_VERSION_NUMBER>>4)&0xf, sub);
3005 #endif /* (SSLEAY_VERSION_NUMBER >= 0x900000) */
3006 #endif /* SSLEAY_VERSION_NUMBER is less than 0.9.5 */
3008 #endif /* YASSL_VERSION */
3011 /* can be called with data == NULL */
3012 int Curl_ossl_random(struct SessionHandle *data, unsigned char *entropy,
3016 Curl_ossl_seed(data); /* Initiate the seed if not already done */
3017 RAND_bytes(entropy, curlx_uztosi(length));
3018 return 0; /* 0 as in no problem */
3021 void Curl_ossl_md5sum(unsigned char *tmp, /* input */
3023 unsigned char *md5sum /* output */,
3029 MD5_Update(&MD5pw, tmp, tmplen);
3030 MD5_Final(md5sum, &MD5pw);
3032 #endif /* USE_SSLEAY */