1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
24 * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
25 * but vtls.c should ever call or use these functions.
29 * The original SSLeay-using code for curl was written by Linas Vepstas and
30 * Sampo Kellomaki 1998.
33 #include "curl_setup.h"
43 #include "formdata.h" /* for the boundary function */
44 #include "url.h" /* for the ssl config check function */
45 #include "inet_pton.h"
53 #include "hostcheck.h"
54 #include "curl_printf.h"
56 #include <openssl/ssl.h>
57 #include <openssl/rand.h>
58 #include <openssl/x509v3.h>
59 #include <openssl/dsa.h>
60 #include <openssl/dh.h>
61 #include <openssl/err.h>
62 #include <openssl/md5.h>
63 #include <openssl/conf.h>
64 #include <openssl/bn.h>
65 #include <openssl/rsa.h>
67 #ifdef HAVE_OPENSSL_PKCS12_H
68 #include <openssl/pkcs12.h>
71 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
72 #include <openssl/ocsp.h>
76 #include "non-ascii.h" /* for Curl_convert_from_utf8 prototype */
78 /* The last #include files should be: */
79 #include "curl_memory.h"
82 #ifndef OPENSSL_VERSION_NUMBER
83 #error "OPENSSL_VERSION_NUMBER not defined"
86 #if defined(HAVE_OPENSSL_ENGINE_H)
87 #include <openssl/ui.h>
90 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
91 #define SSL_METHOD_QUAL const
93 #define SSL_METHOD_QUAL
96 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
97 #define HAVE_ERR_REMOVE_THREAD_STATE 1
98 #if (OPENSSL_VERSION_NUMBER >= 0x10100004L)
99 /* OpenSSL 1.1.0-pre4 removed the argument! */
100 #define HAVE_ERR_REMOVE_THREAD_STATE_NOARG 1
104 #if !defined(HAVE_SSLV2_CLIENT_METHOD) || \
105 OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ has no SSLv2 */
106 #undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
107 #define OPENSSL_NO_SSL2
110 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
111 !defined(LIBRESSL_VERSION_NUMBER)
112 #define SSLeay_add_ssl_algorithms() SSL_library_init()
113 #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
114 #define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
115 #define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
118 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
119 !defined(LIBRESSL_VERSION_NUMBER)
120 #define HAVE_X509_GET0_SIGNATURE 1
123 #if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
124 /* not present in older OpenSSL */
125 #define OPENSSL_load_builtin_modules(x)
128 #if defined(LIBRESSL_VERSION_NUMBER)
129 #define OSSL_PACKAGE "LibreSSL"
130 #elif defined(OPENSSL_IS_BORINGSSL)
131 #define OSSL_PACKAGE "BoringSSL"
133 #define OSSL_PACKAGE "OpenSSL"
137 * Number of bytes to read from the random number seed file. This must be
138 * a finite value (because some entropy "files" like /dev/urandom have
139 * an infinite length), but must be large enough to provide enough
140 * entopy to properly seed OpenSSL's PRNG.
142 #define RAND_LOAD_LENGTH 1024
144 static int passwd_callback(char *buf, int num, int encrypting,
147 DEBUGASSERT(0 == encrypting);
150 int klen = curlx_uztosi(strlen((char *)global_passwd));
152 memcpy(buf, global_passwd, klen+1);
160 * rand_enough() is a function that returns TRUE if we have seeded the random
161 * engine properly. We use some preprocessor magic to provide a seed_enough()
162 * macro to use, just to prevent a compiler warning on this function if we
163 * pass in an argument that is never used.
166 #ifdef HAVE_RAND_STATUS
167 #define seed_enough(x) rand_enough()
168 static bool rand_enough(void)
170 return (0 != RAND_status()) ? TRUE : FALSE;
173 #define seed_enough(x) rand_enough(x)
174 static bool rand_enough(int nread)
176 /* this is a very silly decision to make */
177 return (nread > 500) ? TRUE : FALSE;
181 static int ossl_seed(struct SessionHandle *data)
183 char *buf = data->state.buffer; /* point to the big buffer */
186 /* Q: should we add support for a random file name as a libcurl option?
187 A: Yes, it is here */
190 /* if RANDOM_FILE isn't defined, we only perform this if an option tells
192 if(data->set.ssl.random_file)
193 #define RANDOM_FILE "" /* doesn't matter won't be used */
196 /* let the option override the define */
197 nread += RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
198 data->set.str[STRING_SSL_RANDOM_FILE]:
201 if(seed_enough(nread))
205 #if defined(HAVE_RAND_EGD)
206 /* only available in OpenSSL 0.9.5 and later */
207 /* EGD_SOCKET is set at configure time or not at all */
209 /* If we don't have the define set, we only do this if the egd-option
211 if(data->set.str[STRING_SSL_EGDSOCKET])
212 #define EGD_SOCKET "" /* doesn't matter won't be used */
215 /* If there's an option and a define, the option overrides the
217 int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
218 data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
221 if(seed_enough(nread))
227 /* If we get here, it means we need to seed the PRNG using a "silly"
230 unsigned char randb[64];
231 int len = sizeof(randb);
232 RAND_bytes(randb, len);
233 RAND_add(randb, len, (len >> 1));
234 } while(!RAND_status());
236 /* generates a default path for the random seed file */
237 buf[0]=0; /* blank it first */
238 RAND_file_name(buf, BUFSIZE);
240 /* we got a file name to try */
241 nread += RAND_load_file(buf, RAND_LOAD_LENGTH);
242 if(seed_enough(nread))
246 infof(data, "libcurl is now using a weak random seed!\n");
250 static void Curl_ossl_seed(struct SessionHandle *data)
252 /* we have the "SSL is seeded" boolean static to prevent multiple
253 time-consuming seedings in vain */
254 static bool ssl_seeded = FALSE;
256 if(!ssl_seeded || data->set.str[STRING_SSL_RANDOM_FILE] ||
257 data->set.str[STRING_SSL_EGDSOCKET]) {
263 #ifndef SSL_FILETYPE_ENGINE
264 #define SSL_FILETYPE_ENGINE 42
266 #ifndef SSL_FILETYPE_PKCS12
267 #define SSL_FILETYPE_PKCS12 43
269 static int do_file_type(const char *type)
271 if(!type || !type[0])
272 return SSL_FILETYPE_PEM;
273 if(Curl_raw_equal(type, "PEM"))
274 return SSL_FILETYPE_PEM;
275 if(Curl_raw_equal(type, "DER"))
276 return SSL_FILETYPE_ASN1;
277 if(Curl_raw_equal(type, "ENG"))
278 return SSL_FILETYPE_ENGINE;
279 if(Curl_raw_equal(type, "P12"))
280 return SSL_FILETYPE_PKCS12;
284 #if defined(HAVE_OPENSSL_ENGINE_H)
286 * Supply default password to the engine user interface conversation.
287 * The password is passed by OpenSSL engine from ENGINE_load_private_key()
288 * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
290 static int ssl_ui_reader(UI *ui, UI_STRING *uis)
292 const char *password;
293 switch(UI_get_string_type(uis)) {
296 password = (const char*)UI_get0_user_data(ui);
297 if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
298 UI_set_result(ui, uis, password);
304 return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
308 * Suppress interactive request for a default password if available.
310 static int ssl_ui_writer(UI *ui, UI_STRING *uis)
312 switch(UI_get_string_type(uis)) {
315 if(UI_get0_user_data(ui) &&
316 (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
322 return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
327 int cert_stuff(struct connectdata *conn,
330 const char *cert_type,
332 const char *key_type)
334 struct SessionHandle *data = conn->data;
336 int file_type = do_file_type(cert_type);
338 if(cert_file || (file_type == SSL_FILETYPE_ENGINE)) {
343 if(data->set.str[STRING_KEY_PASSWD]) {
344 /* set the password in the callback userdata */
345 SSL_CTX_set_default_passwd_cb_userdata(ctx,
346 data->set.str[STRING_KEY_PASSWD]);
347 /* Set passwd callback: */
348 SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
353 case SSL_FILETYPE_PEM:
354 /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
355 if(SSL_CTX_use_certificate_chain_file(ctx,
358 "could not load PEM client certificate, " OSSL_PACKAGE
360 "(no key found, wrong pass phrase, or wrong file format?)",
361 ERR_error_string(ERR_get_error(), NULL) );
366 case SSL_FILETYPE_ASN1:
367 /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
368 we use the case above for PEM so this can only be performed with
370 if(SSL_CTX_use_certificate_file(ctx,
374 "could not load ASN1 client certificate, " OSSL_PACKAGE
376 "(no key found, wrong pass phrase, or wrong file format?)",
377 ERR_error_string(ERR_get_error(), NULL) );
381 case SSL_FILETYPE_ENGINE:
382 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
384 if(data->state.engine) {
385 const char *cmd_name = "LOAD_CERT_CTRL";
391 params.cert_id = cert_file;
394 /* Does the engine supports LOAD_CERT_CTRL ? */
395 if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
396 0, (void *)cmd_name, NULL)) {
397 failf(data, "ssl engine does not support loading certificates");
401 /* Load the certificate from the engine */
402 if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
403 0, ¶ms, NULL, 1)) {
404 failf(data, "ssl engine cannot load client cert with id"
405 " '%s' [%s]", cert_file,
406 ERR_error_string(ERR_get_error(), NULL));
411 failf(data, "ssl engine didn't initialized the certificate "
416 if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
417 failf(data, "unable to set client certificate");
418 X509_free(params.cert);
421 X509_free(params.cert); /* we don't need the handle any more... */
424 failf(data, "crypto engine not set, can't load certificate");
430 failf(data, "file type ENG for certificate not implemented");
434 case SSL_FILETYPE_PKCS12:
436 #ifdef HAVE_OPENSSL_PKCS12_H
440 STACK_OF(X509) *ca = NULL;
442 f = fopen(cert_file, "rb");
444 failf(data, "could not open PKCS12 file '%s'", cert_file);
447 p12 = d2i_PKCS12_fp(f, NULL);
451 failf(data, "error reading PKCS12 file '%s'", cert_file);
457 if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
460 "could not parse PKCS12 file, check password, " OSSL_PACKAGE
462 ERR_error_string(ERR_get_error(), NULL) );
469 if(SSL_CTX_use_certificate(ctx, x509) != 1) {
471 "could not load PKCS12 client certificate, " OSSL_PACKAGE
473 ERR_error_string(ERR_get_error(), NULL) );
477 if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
478 failf(data, "unable to use private key from PKCS12 file '%s'",
483 if(!SSL_CTX_check_private_key (ctx)) {
484 failf(data, "private key from PKCS12 file '%s' "
485 "does not match certificate in same file", cert_file);
488 /* Set Certificate Verification chain */
490 while(sk_X509_num(ca)) {
492 * Note that sk_X509_pop() is used below to make sure the cert is
493 * removed from the stack properly before getting passed to
494 * SSL_CTX_add_extra_chain_cert(). Previously we used
495 * sk_X509_value() instead, but then we'd clean it in the subsequent
496 * sk_X509_pop_free() call.
498 X509 *x = sk_X509_pop(ca);
499 if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
501 failf(data, "cannot add certificate to certificate chain");
504 /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
505 * presumably because it duplicates what we pass to it.
507 if(!SSL_CTX_add_client_CA(ctx, x)) {
508 failf(data, "cannot add certificate to client CA list");
518 sk_X509_pop_free(ca, X509_free);
521 return 0; /* failure! */
524 failf(data, "file type P12 for certificate not supported");
529 failf(data, "not supported file type '%s' for certificate", cert_type);
533 file_type = do_file_type(key_type);
536 case SSL_FILETYPE_PEM:
540 /* cert & key can only be in PEM case in the same file */
542 case SSL_FILETYPE_ASN1:
543 if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {
544 failf(data, "unable to set private key file: '%s' type %s",
545 key_file, key_type?key_type:"PEM");
549 case SSL_FILETYPE_ENGINE:
550 #ifdef HAVE_OPENSSL_ENGINE_H
551 { /* XXXX still needs some work */
552 EVP_PKEY *priv_key = NULL;
553 if(data->state.engine) {
554 UI_METHOD *ui_method =
555 UI_create_method((char *)"cURL user interface");
557 failf(data, "unable do create " OSSL_PACKAGE
558 " user-interface method");
561 UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
562 UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
563 UI_method_set_reader(ui_method, ssl_ui_reader);
564 UI_method_set_writer(ui_method, ssl_ui_writer);
565 /* the typecast below was added to please mingw32 */
566 priv_key = (EVP_PKEY *)
567 ENGINE_load_private_key(data->state.engine, key_file,
569 data->set.str[STRING_KEY_PASSWD]);
570 UI_destroy_method(ui_method);
572 failf(data, "failed to load private key from crypto engine");
575 if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
576 failf(data, "unable to set private key");
577 EVP_PKEY_free(priv_key);
580 EVP_PKEY_free(priv_key); /* we don't need the handle any more... */
583 failf(data, "crypto engine not set, can't load private key");
589 failf(data, "file type ENG for private key not supported");
592 case SSL_FILETYPE_PKCS12:
594 failf(data, "file type P12 for private key not supported");
599 failf(data, "not supported file type for private key");
605 failf(data, "unable to create an SSL structure");
609 x509=SSL_get_certificate(ssl);
611 /* This version was provided by Evan Jordan and is supposed to not
612 leak memory as the previous version: */
614 EVP_PKEY *pktmp = X509_get_pubkey(x509);
615 EVP_PKEY_copy_parameters(pktmp, SSL_get_privatekey(ssl));
616 EVP_PKEY_free(pktmp);
621 /* If we are using DSA, we can copy the parameters from
625 /* Now we know that a key and cert have been set against
627 if(!SSL_CTX_check_private_key(ctx)) {
628 failf(data, "Private key does not match the certificate public key");
635 /* returns non-zero on failure */
636 static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
639 return X509_NAME_oneline(a, buf, size);
641 BIO *bio_out = BIO_new(BIO_s_mem());
646 return 1; /* alloc failed! */
648 rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
649 BIO_get_mem_ptr(bio_out, &biomem);
651 if((size_t)biomem->length < size)
652 size = biomem->length;
654 size--; /* don't overwrite the buffer end */
656 memcpy(buf, biomem->data, size);
665 /* Return error string for last OpenSSL error
667 static char *SSL_strerror(unsigned long error, char *buf, size_t size)
669 /* OpenSSL 0.9.6 and later has a function named
670 ERR_error_string_n() that takes the size of the buffer as a
672 ERR_error_string_n(error, buf, size);
679 * @retval 0 error initializing SSL
680 * @retval 1 SSL initialized successfully
682 int Curl_ossl_init(void)
684 OPENSSL_load_builtin_modules();
686 #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
687 ENGINE_load_builtin_engines();
690 /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately
691 that function makes an exit() call on wrongly formatted config files
692 which makes it hard to use in some situations. OPENSSL_config() itself
693 calls CONF_modules_load_file() and we use that instead and we ignore
696 /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and
698 #ifndef CONF_MFLAGS_DEFAULT_SECTION
699 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
702 CONF_modules_load_file(NULL, NULL,
703 CONF_MFLAGS_DEFAULT_SECTION|
704 CONF_MFLAGS_IGNORE_MISSING_FILE);
706 /* Lets get nice error messages */
707 SSL_load_error_strings();
709 /* Init the global ciphers and digests */
710 if(!SSLeay_add_ssl_algorithms())
713 OpenSSL_add_all_algorithms();
719 void Curl_ossl_cleanup(void)
721 /* Free ciphers and digests lists */
724 #ifdef HAVE_ENGINE_CLEANUP
725 /* Free engine list */
729 #ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
730 /* Free OpenSSL ex_data table */
731 CRYPTO_cleanup_all_ex_data();
734 /* Free OpenSSL error strings */
737 /* Free thread local error state, destroying hash upon zero refcount */
738 #ifdef HAVE_ERR_REMOVE_THREAD_STATE_NOARG
739 ERR_remove_thread_state();
740 #elif defined(HAVE_ERR_REMOVE_THREAD_STATE)
741 ERR_remove_thread_state(NULL);
746 /* Free all memory allocated by all configuration modules */
751 * This function uses SSL_peek to determine connection status.
754 * 1 means the connection is still in place
755 * 0 means the connection has been closed
756 * -1 means the connection status is unknown
758 int Curl_ossl_check_cxn(struct connectdata *conn)
763 rc = SSL_peek(conn->ssl[FIRSTSOCKET].handle, (void*)&buf, 1);
765 return 1; /* connection still in place */
768 return 0; /* connection has been closed */
770 return -1; /* connection status unknown */
773 /* Selects an OpenSSL crypto engine
775 CURLcode Curl_ossl_set_engine(struct SessionHandle *data, const char *engine)
777 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H)
780 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
781 e = ENGINE_by_id(engine);
783 /* avoid memory leak */
784 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
785 const char *e_id = ENGINE_get_id(e);
786 if(!strcmp(engine, e_id))
792 failf(data, "SSL Engine '%s' not found", engine);
793 return CURLE_SSL_ENGINE_NOTFOUND;
796 if(data->state.engine) {
797 ENGINE_finish(data->state.engine);
798 ENGINE_free(data->state.engine);
799 data->state.engine = NULL;
801 if(!ENGINE_init(e)) {
805 failf(data, "Failed to initialise SSL Engine '%s':\n%s",
806 engine, SSL_strerror(ERR_get_error(), buf, sizeof(buf)));
807 return CURLE_SSL_ENGINE_INITFAILED;
809 data->state.engine = e;
813 failf(data, "SSL Engine not supported");
814 return CURLE_SSL_ENGINE_NOTFOUND;
818 /* Sets engine as default for all SSL operations
820 CURLcode Curl_ossl_set_engine_default(struct SessionHandle *data)
822 #ifdef HAVE_OPENSSL_ENGINE_H
823 if(data->state.engine) {
824 if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
825 infof(data, "set default crypto engine '%s'\n",
826 ENGINE_get_id(data->state.engine));
829 failf(data, "set default crypto engine '%s' failed",
830 ENGINE_get_id(data->state.engine));
831 return CURLE_SSL_ENGINE_SETFAILED;
840 /* Return list of OpenSSL crypto engine names.
842 struct curl_slist *Curl_ossl_engines_list(struct SessionHandle *data)
844 struct curl_slist *list = NULL;
845 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H)
846 struct curl_slist *beg;
849 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
850 beg = curl_slist_append(list, ENGINE_get_id(e));
852 curl_slist_free_all(list);
864 * This function is called when an SSL connection is closed.
866 void Curl_ossl_close(struct connectdata *conn, int sockindex)
868 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
870 if(connssl->handle) {
871 (void)SSL_shutdown(connssl->handle);
872 SSL_set_connect_state(connssl->handle);
874 SSL_free (connssl->handle);
875 connssl->handle = NULL;
878 SSL_CTX_free (connssl->ctx);
884 * This function is called to shut down the SSL layer but keep the
885 * socket open (CCC - Clear Command Channel)
887 int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
890 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
891 struct SessionHandle *data = conn->data;
892 char buf[120]; /* We will use this for the OpenSSL error buffer, so it has
893 to be at least 120 bytes long. */
894 unsigned long sslerror;
900 /* This has only been tested on the proftpd server, and the mod_tls code
901 sends a close notify alert without waiting for a close notify alert in
902 response. Thus we wait for a close notify alert from the server, but
903 we do not send one. Let's hope other servers do the same... */
905 if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
906 (void)SSL_shutdown(connssl->handle);
908 if(connssl->handle) {
909 buffsize = (int)sizeof(buf);
911 int what = Curl_socket_ready(conn->sock[sockindex],
912 CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
916 /* Something to read, let's do it and hope that it is the close
917 notify alert from the server */
918 nread = (ssize_t)SSL_read(conn->ssl[sockindex].handle, buf,
920 err = SSL_get_error(conn->ssl[sockindex].handle, (int)nread);
923 case SSL_ERROR_NONE: /* this is not an error */
924 case SSL_ERROR_ZERO_RETURN: /* no more data */
925 /* This is the expected response. There was no data but only
926 the close notify alert */
929 case SSL_ERROR_WANT_READ:
930 /* there's data pending, re-invoke SSL_read() */
931 infof(data, "SSL_ERROR_WANT_READ\n");
933 case SSL_ERROR_WANT_WRITE:
934 /* SSL wants a write. Really odd. Let's bail out. */
935 infof(data, "SSL_ERROR_WANT_WRITE\n");
939 /* openssl/ssl.h says "look at error stack/return value/errno" */
940 sslerror = ERR_get_error();
941 failf(conn->data, OSSL_PACKAGE " SSL read: %s, errno %d",
942 ERR_error_string(sslerror, buf),
950 failf(data, "SSL shutdown timeout");
954 /* anything that gets here is fatally bad */
955 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
959 } /* while()-loop for the select() */
961 if(data->set.verbose) {
962 #ifdef HAVE_SSL_GET_SHUTDOWN
963 switch(SSL_get_shutdown(connssl->handle)) {
964 case SSL_SENT_SHUTDOWN:
965 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n");
967 case SSL_RECEIVED_SHUTDOWN:
968 infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n");
970 case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN:
971 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|"
972 "SSL_RECEIVED__SHUTDOWN\n");
978 SSL_free (connssl->handle);
979 connssl->handle = NULL;
984 void Curl_ossl_session_free(void *ptr)
987 SSL_SESSION_free(ptr);
991 * This function is called when the 'data' struct is going away. Close
992 * down everything and free all resources!
994 void Curl_ossl_close_all(struct SessionHandle *data)
996 #ifdef HAVE_OPENSSL_ENGINE_H
997 if(data->state.engine) {
998 ENGINE_finish(data->state.engine);
999 ENGINE_free(data->state.engine);
1000 data->state.engine = NULL;
1007 /* ====================================================== */
1010 /* Quote from RFC2818 section 3.1 "Server Identity"
1012 If a subjectAltName extension of type dNSName is present, that MUST
1013 be used as the identity. Otherwise, the (most specific) Common Name
1014 field in the Subject field of the certificate MUST be used. Although
1015 the use of the Common Name is existing practice, it is deprecated and
1016 Certification Authorities are encouraged to use the dNSName instead.
1018 Matching is performed using the matching rules specified by
1019 [RFC2459]. If more than one identity of a given type is present in
1020 the certificate (e.g., more than one dNSName name, a match in any one
1021 of the set is considered acceptable.) Names may contain the wildcard
1022 character * which is considered to match any single domain name
1023 component or component fragment. E.g., *.a.com matches foo.a.com but
1024 not bar.foo.a.com. f*.com matches foo.com but not bar.com.
1026 In some cases, the URI is specified as an IP address rather than a
1027 hostname. In this case, the iPAddress subjectAltName must be present
1028 in the certificate and must exactly match the IP in the URI.
1031 static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
1033 bool matched = FALSE;
1034 int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
1036 struct SessionHandle *data = conn->data;
1037 STACK_OF(GENERAL_NAME) *altnames;
1039 struct in6_addr addr;
1041 struct in_addr addr;
1043 CURLcode result = CURLE_OK;
1046 if(conn->bits.ipv6_ip &&
1047 Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
1049 addrlen = sizeof(struct in6_addr);
1053 if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
1055 addrlen = sizeof(struct in_addr);
1058 /* get a "list" of alternative names */
1059 altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
1065 /* get amount of alternatives, RFC2459 claims there MUST be at least
1066 one, but we don't depend on it... */
1067 numalts = sk_GENERAL_NAME_num(altnames);
1069 /* loop through all alternatives while none has matched */
1070 for(i=0; (i<numalts) && !matched; i++) {
1071 /* get a handle to alternative name number i */
1072 const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
1074 /* only check alternatives of the same type the target is */
1075 if(check->type == target) {
1076 /* get data and length */
1077 const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
1078 size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
1081 case GEN_DNS: /* name/pattern comparison */
1082 /* The OpenSSL man page explicitly says: "In general it cannot be
1083 assumed that the data returned by ASN1_STRING_data() is null
1084 terminated or does not contain embedded nulls." But also that
1085 "The actual format of the data will depend on the actual string
1086 type itself: for example for and IA5String the data will be ASCII"
1088 Gisle researched the OpenSSL sources:
1089 "I checked the 0.9.6 and 0.9.8 sources before my patch and
1090 it always 0-terminates an IA5String."
1092 if((altlen == strlen(altptr)) &&
1093 /* if this isn't true, there was an embedded zero in the name
1094 string and we cannot match it. */
1095 Curl_cert_hostcheck(altptr, conn->host.name)) {
1098 " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
1099 conn->host.dispname, altptr);
1103 case GEN_IPADD: /* IP address comparison */
1104 /* compare alternative IP address if the data chunk is the same size
1105 our server IP address is */
1106 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
1109 " subjectAltName: host \"%s\" matched cert's IP address!\n",
1110 conn->host.dispname);
1116 GENERAL_NAMES_free(altnames);
1120 /* an alternative name matched */
1123 /* an alternative name field existed, but didn't match and then we MUST
1125 infof(data, " subjectAltName does not match %s\n", conn->host.dispname);
1126 failf(data, "SSL: no alternative certificate subject name matches "
1127 "target host name '%s'", conn->host.dispname);
1128 result = CURLE_PEER_FAILED_VERIFICATION;
1131 /* we have to look to the last occurrence of a commonName in the
1132 distinguished one to get the most significant one. */
1135 /* The following is done because of a bug in 0.9.6b */
1137 unsigned char *nulstr = (unsigned char *)"";
1138 unsigned char *peer_CN = nulstr;
1140 X509_NAME *name = X509_get_subject_name(server_cert);
1142 while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i))>=0)
1145 /* we have the name entry and we will now convert this to a string
1146 that we can use for comparison. Doing this we support BMPstring,
1151 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
1153 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
1154 is already UTF-8 encoded. We check for this case and copy the raw
1155 string manually to avoid the problem. This code can be made
1156 conditional in the future when OpenSSL has been fixed. Work-around
1157 brought by Alexis S. L. Carvalho. */
1159 if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
1160 j = ASN1_STRING_length(tmp);
1162 peer_CN = OPENSSL_malloc(j+1);
1164 memcpy(peer_CN, ASN1_STRING_data(tmp), j);
1169 else /* not a UTF8 name */
1170 j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
1172 if(peer_CN && (curlx_uztosi(strlen((char *)peer_CN)) != j)) {
1173 /* there was a terminating zero before the end of string, this
1174 cannot match and we return failure! */
1175 failf(data, "SSL: illegal cert name field");
1176 result = CURLE_PEER_FAILED_VERIFICATION;
1181 if(peer_CN == nulstr)
1184 /* convert peer_CN from UTF8 */
1185 CURLcode rc = Curl_convert_from_utf8(data, peer_CN, strlen(peer_CN));
1186 /* Curl_convert_from_utf8 calls failf if unsuccessful */
1188 OPENSSL_free(peer_CN);
1194 /* error already detected, pass through */
1198 "SSL: unable to obtain common name from peer certificate");
1199 result = CURLE_PEER_FAILED_VERIFICATION;
1201 else if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
1202 failf(data, "SSL: certificate subject name '%s' does not match "
1203 "target host name '%s'", peer_CN, conn->host.dispname);
1204 result = CURLE_PEER_FAILED_VERIFICATION;
1207 infof(data, " common name: %s (matched)\n", peer_CN);
1210 OPENSSL_free(peer_CN);
1216 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
1217 !defined(OPENSSL_NO_OCSP)
1218 static CURLcode verifystatus(struct connectdata *conn,
1219 struct ssl_connect_data *connssl)
1222 const unsigned char *p;
1223 CURLcode result = CURLE_OK;
1224 struct SessionHandle *data = conn->data;
1226 OCSP_RESPONSE *rsp = NULL;
1227 OCSP_BASICRESP *br = NULL;
1228 X509_STORE *st = NULL;
1229 STACK_OF(X509) *ch = NULL;
1231 long len = SSL_get_tlsext_status_ocsp_resp(connssl->handle, &p);
1234 failf(data, "No OCSP response received");
1235 result = CURLE_SSL_INVALIDCERTSTATUS;
1239 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1241 failf(data, "Invalid OCSP response");
1242 result = CURLE_SSL_INVALIDCERTSTATUS;
1246 ocsp_status = OCSP_response_status(rsp);
1247 if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1248 failf(data, "Invalid OCSP response status: %s (%d)",
1249 OCSP_response_status_str(ocsp_status), ocsp_status);
1250 result = CURLE_SSL_INVALIDCERTSTATUS;
1254 br = OCSP_response_get1_basic(rsp);
1256 failf(data, "Invalid OCSP response");
1257 result = CURLE_SSL_INVALIDCERTSTATUS;
1261 ch = SSL_get_peer_cert_chain(connssl->handle);
1262 st = SSL_CTX_get_cert_store(connssl->ctx);
1264 #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
1265 defined(LIBRESSL_VERSION_NUMBER))
1266 /* The authorized responder cert in the OCSP response MUST be signed by the
1267 peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
1268 no problem, but if it's an intermediate cert OpenSSL has a bug where it
1269 expects this issuer to be present in the chain embedded in the OCSP
1270 response. So we add it if necessary. */
1272 /* First make sure the peer cert chain includes both a peer and an issuer,
1273 and the OCSP response contains a responder cert. */
1274 if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
1275 X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
1277 /* Find issuer of responder cert and add it to the OCSP response chain */
1278 for(i = 0; i < sk_X509_num(ch); i++) {
1279 X509 *issuer = sk_X509_value(ch, i);
1280 if(X509_check_issued(issuer, responder) == X509_V_OK) {
1281 if(!OCSP_basic_add1_cert(br, issuer)) {
1282 failf(data, "Could not add issuer cert to OCSP response");
1283 result = CURLE_SSL_INVALIDCERTSTATUS;
1291 if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
1292 failf(data, "OCSP response verification failed");
1293 result = CURLE_SSL_INVALIDCERTSTATUS;
1297 for(i = 0; i < OCSP_resp_count(br); i++) {
1298 int cert_status, crl_reason;
1299 OCSP_SINGLERESP *single = NULL;
1301 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1303 single = OCSP_resp_get0(br, i);
1307 cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
1308 &thisupd, &nextupd);
1310 if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
1311 failf(data, "OCSP response has expired");
1312 result = CURLE_SSL_INVALIDCERTSTATUS;
1316 infof(data, "SSL certificate status: %s (%d)\n",
1317 OCSP_cert_status_str(cert_status), cert_status);
1319 switch(cert_status) {
1320 case V_OCSP_CERTSTATUS_GOOD:
1323 case V_OCSP_CERTSTATUS_REVOKED:
1324 result = CURLE_SSL_INVALIDCERTSTATUS;
1326 failf(data, "SSL certificate revocation reason: %s (%d)",
1327 OCSP_crl_reason_str(crl_reason), crl_reason);
1330 case V_OCSP_CERTSTATUS_UNKNOWN:
1331 result = CURLE_SSL_INVALIDCERTSTATUS;
1337 if(br) OCSP_BASICRESP_free(br);
1338 OCSP_RESPONSE_free(rsp);
1344 #endif /* USE_OPENSSL */
1346 /* The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions
1347 and thus this cannot be done there. */
1348 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1350 static const char *ssl_msg_type(int ssl_ver, int msg)
1352 #ifdef SSL2_VERSION_MAJOR
1353 if(ssl_ver == SSL2_VERSION_MAJOR) {
1357 case SSL2_MT_CLIENT_HELLO:
1358 return "Client hello";
1359 case SSL2_MT_CLIENT_MASTER_KEY:
1360 return "Client key";
1361 case SSL2_MT_CLIENT_FINISHED:
1362 return "Client finished";
1363 case SSL2_MT_SERVER_HELLO:
1364 return "Server hello";
1365 case SSL2_MT_SERVER_VERIFY:
1366 return "Server verify";
1367 case SSL2_MT_SERVER_FINISHED:
1368 return "Server finished";
1369 case SSL2_MT_REQUEST_CERTIFICATE:
1370 return "Request CERT";
1371 case SSL2_MT_CLIENT_CERTIFICATE:
1372 return "Client CERT";
1377 if(ssl_ver == SSL3_VERSION_MAJOR) {
1379 case SSL3_MT_HELLO_REQUEST:
1380 return "Hello request";
1381 case SSL3_MT_CLIENT_HELLO:
1382 return "Client hello";
1383 case SSL3_MT_SERVER_HELLO:
1384 return "Server hello";
1385 #ifdef SSL3_MT_NEWSESSION_TICKET
1386 case SSL3_MT_NEWSESSION_TICKET:
1387 return "Newsession Ticket";
1389 case SSL3_MT_CERTIFICATE:
1390 return "Certificate";
1391 case SSL3_MT_SERVER_KEY_EXCHANGE:
1392 return "Server key exchange";
1393 case SSL3_MT_CLIENT_KEY_EXCHANGE:
1394 return "Client key exchange";
1395 case SSL3_MT_CERTIFICATE_REQUEST:
1396 return "Request CERT";
1397 case SSL3_MT_SERVER_DONE:
1398 return "Server finished";
1399 case SSL3_MT_CERTIFICATE_VERIFY:
1400 return "CERT verify";
1401 case SSL3_MT_FINISHED:
1403 #ifdef SSL3_MT_CERTIFICATE_STATUS
1404 case SSL3_MT_CERTIFICATE_STATUS:
1405 return "Certificate Status";
1412 static const char *tls_rt_type(int type)
1415 #ifdef SSL3_RT_HEADER
1416 case SSL3_RT_HEADER:
1417 return "TLS header";
1419 case SSL3_RT_CHANGE_CIPHER_SPEC:
1420 return "TLS change cipher";
1423 case SSL3_RT_HANDSHAKE:
1424 return "TLS handshake";
1425 case SSL3_RT_APPLICATION_DATA:
1426 return "TLS app data";
1428 return "TLS Unknown";
1434 * Our callback from the SSL/TLS layers.
1436 static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
1437 const void *buf, size_t len, SSL *ssl,
1440 struct SessionHandle *data;
1441 const char *msg_name, *tls_rt_name;
1444 int msg_type, txt_len;
1445 const char *verstr = NULL;
1446 struct connectdata *conn = userp;
1448 if(!conn || !conn->data || !conn->data->set.fdebug ||
1449 (direction != 0 && direction != 1))
1455 #ifdef SSL2_VERSION /* removed in recent versions */
1468 #ifdef TLS1_1_VERSION
1469 case TLS1_1_VERSION:
1473 #ifdef TLS1_2_VERSION
1474 case TLS1_2_VERSION:
1481 snprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
1487 /* the info given when the version is zero is not that useful for us */
1489 ssl_ver >>= 8; /* check the upper 8 bits only below */
1491 /* SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL
1492 * always pass-up content-type as 0. But the interesting message-type
1495 if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
1496 tls_rt_name = tls_rt_type(content_type);
1500 msg_type = *(char*)buf;
1501 msg_name = ssl_msg_type(ssl_ver, msg_type);
1503 txt_len = snprintf(ssl_buf, sizeof(ssl_buf), "%s (%s), %s, %s (%d):\n",
1504 verstr, direction?"OUT":"IN",
1505 tls_rt_name, msg_name, msg_type);
1506 Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len, NULL);
1509 Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
1510 CURLINFO_SSL_DATA_IN, (char *)buf, len, NULL);
1516 /* ====================================================== */
1518 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1519 # define use_sni(x) sni = (x)
1521 # define use_sni(x) Curl_nop_stmt
1524 /* Check for OpenSSL 1.0.2 which has ALPN support. */
1526 #if OPENSSL_VERSION_NUMBER >= 0x10002000L \
1527 && !defined(OPENSSL_NO_TLSEXT)
1531 /* Check for OpenSSL 1.0.1 which has NPN support. */
1533 #if OPENSSL_VERSION_NUMBER >= 0x10001000L \
1534 && !defined(OPENSSL_NO_TLSEXT) \
1535 && !defined(OPENSSL_NO_NEXTPROTONEG)
1542 * in is a list of lenght prefixed strings. this function has to select
1543 * the protocol we want to use from the list and write its string into out.
1547 select_next_protocol(unsigned char **out, unsigned char *outlen,
1548 const unsigned char *in, unsigned int inlen,
1549 const char *key, unsigned int keylen)
1552 for(i = 0; i + keylen <= inlen; i += in[i] + 1) {
1553 if(memcmp(&in[i + 1], key, keylen) == 0) {
1554 *out = (unsigned char *) &in[i + 1];
1563 select_next_proto_cb(SSL *ssl,
1564 unsigned char **out, unsigned char *outlen,
1565 const unsigned char *in, unsigned int inlen,
1568 struct connectdata *conn = (struct connectdata*) arg;
1573 if(conn->data->set.httpversion >= CURL_HTTP_VERSION_2 &&
1574 !select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_VERSION_ID,
1575 NGHTTP2_PROTO_VERSION_ID_LEN)) {
1576 infof(conn->data, "NPN, negotiated HTTP2 (%s)\n",
1577 NGHTTP2_PROTO_VERSION_ID);
1578 conn->negnpn = CURL_HTTP_VERSION_2;
1579 return SSL_TLSEXT_ERR_OK;
1583 if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1,
1584 ALPN_HTTP_1_1_LENGTH)) {
1585 infof(conn->data, "NPN, negotiated HTTP1.1\n");
1586 conn->negnpn = CURL_HTTP_VERSION_1_1;
1587 return SSL_TLSEXT_ERR_OK;
1590 infof(conn->data, "NPN, no overlap, use HTTP1.1\n");
1591 *out = (unsigned char *)ALPN_HTTP_1_1;
1592 *outlen = ALPN_HTTP_1_1_LENGTH;
1593 conn->negnpn = CURL_HTTP_VERSION_1_1;
1595 return SSL_TLSEXT_ERR_OK;
1597 #endif /* HAS_NPN */
1600 get_ssl_version_txt(SSL *ssl)
1605 switch(SSL_version(ssl)) {
1606 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1607 case TLS1_2_VERSION:
1609 case TLS1_1_VERSION:
1622 static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
1624 CURLcode result = CURLE_OK;
1626 struct SessionHandle *data = conn->data;
1627 SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
1628 void *ssl_sessionid = NULL;
1629 X509_LOOKUP *lookup = NULL;
1630 curl_socket_t sockfd = conn->sock[sockindex];
1631 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1633 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
1636 struct in6_addr addr;
1638 struct in_addr addr;
1642 DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
1644 /* Make funny stuff to get random input */
1645 Curl_ossl_seed(data);
1647 data->set.ssl.certverifyresult = !X509_V_OK;
1649 /* check to see if we've been told to use an explicit SSL/TLS version */
1651 switch(data->set.ssl.version) {
1653 case CURL_SSLVERSION_DEFAULT:
1654 case CURL_SSLVERSION_TLSv1:
1655 case CURL_SSLVERSION_TLSv1_0:
1656 case CURL_SSLVERSION_TLSv1_1:
1657 case CURL_SSLVERSION_TLSv1_2:
1658 /* it will be handled later with the context options */
1659 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
1660 !defined(LIBRESSL_VERSION_NUMBER)
1661 req_method = TLS_client_method();
1663 req_method = SSLv23_client_method();
1667 case CURL_SSLVERSION_SSLv2:
1668 #ifdef OPENSSL_NO_SSL2
1669 failf(data, OSSL_PACKAGE " was built without SSLv2 support");
1670 return CURLE_NOT_BUILT_IN;
1673 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
1674 return CURLE_SSL_CONNECT_ERROR;
1676 req_method = SSLv2_client_method();
1680 case CURL_SSLVERSION_SSLv3:
1681 #ifdef OPENSSL_NO_SSL3_METHOD
1682 failf(data, OSSL_PACKAGE " was built without SSLv3 support");
1683 return CURLE_NOT_BUILT_IN;
1686 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
1687 return CURLE_SSL_CONNECT_ERROR;
1689 req_method = SSLv3_client_method();
1696 SSL_CTX_free(connssl->ctx);
1697 connssl->ctx = SSL_CTX_new(req_method);
1700 failf(data, "SSL: couldn't create a context: %s",
1701 ERR_error_string(ERR_peek_error(), NULL));
1702 return CURLE_OUT_OF_MEMORY;
1705 #ifdef SSL_MODE_RELEASE_BUFFERS
1706 SSL_CTX_set_mode(connssl->ctx, SSL_MODE_RELEASE_BUFFERS);
1709 #ifdef SSL_CTRL_SET_MSG_CALLBACK
1710 if(data->set.fdebug && data->set.verbose) {
1711 /* the SSL trace callback is only used for verbose logging */
1712 SSL_CTX_set_msg_callback(connssl->ctx, ssl_tls_trace);
1713 SSL_CTX_set_msg_callback_arg(connssl->ctx, conn);
1717 /* OpenSSL contains code to work-around lots of bugs and flaws in various
1718 SSL-implementations. SSL_CTX_set_options() is used to enabled those
1719 work-arounds. The man page for this option states that SSL_OP_ALL enables
1720 all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
1721 enable the bug workaround options if compatibility with somewhat broken
1722 implementations is desired."
1724 The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
1725 disable "rfc4507bis session ticket support". rfc4507bis was later turned
1726 into the proper RFC5077 it seems: https://tools.ietf.org/html/rfc5077
1728 The enabled extension concerns the session management. I wonder how often
1729 libcurl stops a connection and then resumes a TLS session. also, sending
1730 the session data is some overhead. .I suggest that you just use your
1731 proposed patch (which explicitly disables TICKET).
1733 If someone writes an application with libcurl and openssl who wants to
1734 enable the feature, one can do this in the SSL callback.
1736 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
1737 interoperability with web server Netscape Enterprise Server 2.0.1 which
1738 was released back in 1996.
1740 Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
1741 become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
1742 CVE-2010-4180 when using previous OpenSSL versions we no longer enable
1743 this option regardless of OpenSSL version and SSL_OP_ALL definition.
1745 OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
1746 (https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
1747 SSL_OP_ALL that _disables_ that work-around despite the fact that
1748 SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
1749 keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
1753 ctx_options = SSL_OP_ALL;
1755 #ifdef SSL_OP_NO_TICKET
1756 ctx_options |= SSL_OP_NO_TICKET;
1759 #ifdef SSL_OP_NO_COMPRESSION
1760 ctx_options |= SSL_OP_NO_COMPRESSION;
1763 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
1764 /* mitigate CVE-2010-4180 */
1765 ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
1768 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
1769 /* unless the user explicitly ask to allow the protocol vulnerability we
1770 use the work-around */
1771 if(!conn->data->set.ssl_enable_beast)
1772 ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
1775 switch(data->set.ssl.version) {
1776 case CURL_SSLVERSION_SSLv3:
1778 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
1779 infof(data, "Set version TLSv1.x for SRP authorisation\n");
1782 ctx_options |= SSL_OP_NO_SSLv2;
1783 ctx_options |= SSL_OP_NO_TLSv1;
1784 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1785 ctx_options |= SSL_OP_NO_TLSv1_1;
1786 ctx_options |= SSL_OP_NO_TLSv1_2;
1790 case CURL_SSLVERSION_DEFAULT:
1791 case CURL_SSLVERSION_TLSv1:
1792 ctx_options |= SSL_OP_NO_SSLv2;
1793 ctx_options |= SSL_OP_NO_SSLv3;
1796 case CURL_SSLVERSION_TLSv1_0:
1797 ctx_options |= SSL_OP_NO_SSLv2;
1798 ctx_options |= SSL_OP_NO_SSLv3;
1799 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1800 ctx_options |= SSL_OP_NO_TLSv1_1;
1801 ctx_options |= SSL_OP_NO_TLSv1_2;
1805 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1806 case CURL_SSLVERSION_TLSv1_1:
1807 ctx_options |= SSL_OP_NO_SSLv2;
1808 ctx_options |= SSL_OP_NO_SSLv3;
1809 ctx_options |= SSL_OP_NO_TLSv1;
1810 ctx_options |= SSL_OP_NO_TLSv1_2;
1813 case CURL_SSLVERSION_TLSv1_2:
1814 ctx_options |= SSL_OP_NO_SSLv2;
1815 ctx_options |= SSL_OP_NO_SSLv3;
1816 ctx_options |= SSL_OP_NO_TLSv1;
1817 ctx_options |= SSL_OP_NO_TLSv1_1;
1821 #ifndef OPENSSL_NO_SSL2
1822 case CURL_SSLVERSION_SSLv2:
1823 ctx_options |= SSL_OP_NO_SSLv3;
1824 ctx_options |= SSL_OP_NO_TLSv1;
1825 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1826 ctx_options |= SSL_OP_NO_TLSv1_1;
1827 ctx_options |= SSL_OP_NO_TLSv1_2;
1833 failf(data, "Unsupported SSL protocol version");
1834 return CURLE_SSL_CONNECT_ERROR;
1837 SSL_CTX_set_options(connssl->ctx, ctx_options);
1840 if(data->set.ssl_enable_npn)
1841 SSL_CTX_set_next_proto_select_cb(connssl->ctx, select_next_proto_cb, conn);
1845 if(data->set.ssl_enable_alpn) {
1847 unsigned char protocols[128];
1850 if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
1851 protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
1853 memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
1854 NGHTTP2_PROTO_VERSION_ID_LEN);
1855 cur += NGHTTP2_PROTO_VERSION_ID_LEN;
1856 infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
1860 protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
1861 memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
1862 cur += ALPN_HTTP_1_1_LENGTH;
1863 infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
1865 /* expects length prefixed preference ordered list of protocols in wire
1868 SSL_CTX_set_alpn_protos(connssl->ctx, protocols, cur);
1872 if(data->set.str[STRING_CERT] || data->set.str[STRING_CERT_TYPE]) {
1873 if(!cert_stuff(conn,
1875 data->set.str[STRING_CERT],
1876 data->set.str[STRING_CERT_TYPE],
1877 data->set.str[STRING_KEY],
1878 data->set.str[STRING_KEY_TYPE])) {
1879 /* failf() is already done in cert_stuff() */
1880 return CURLE_SSL_CERTPROBLEM;
1884 ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
1886 ciphers = (char *)DEFAULT_CIPHER_SELECTION;
1887 if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
1888 failf(data, "failed setting cipher list: %s", ciphers);
1889 return CURLE_SSL_CIPHER;
1891 infof(data, "Cipher selection: %s\n", ciphers);
1894 if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
1895 infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
1897 if(!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) {
1898 failf(data, "Unable to set SRP user name");
1899 return CURLE_BAD_FUNCTION_ARGUMENT;
1901 if(!SSL_CTX_set_srp_password(connssl->ctx, data->set.ssl.password)) {
1902 failf(data, "failed setting SRP password");
1903 return CURLE_BAD_FUNCTION_ARGUMENT;
1905 if(!data->set.str[STRING_SSL_CIPHER_LIST]) {
1906 infof(data, "Setting cipher list SRP\n");
1908 if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
1909 failf(data, "failed setting SRP cipher list");
1910 return CURLE_SSL_CIPHER;
1915 if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
1916 /* tell SSL where to find CA certificates that are used to verify
1917 the servers certificate. */
1918 if(!SSL_CTX_load_verify_locations(connssl->ctx,
1919 data->set.str[STRING_SSL_CAFILE],
1920 data->set.str[STRING_SSL_CAPATH])) {
1921 if(data->set.ssl.verifypeer) {
1922 /* Fail if we insist on successfully verifying the server. */
1923 failf(data, "error setting certificate verify locations:\n"
1924 " CAfile: %s\n CApath: %s",
1925 data->set.str[STRING_SSL_CAFILE]?
1926 data->set.str[STRING_SSL_CAFILE]: "none",
1927 data->set.str[STRING_SSL_CAPATH]?
1928 data->set.str[STRING_SSL_CAPATH] : "none");
1929 return CURLE_SSL_CACERT_BADFILE;
1932 /* Just continue with a warning if no strict certificate verification
1934 infof(data, "error setting certificate verify locations,"
1935 " continuing anyway:\n");
1939 /* Everything is fine. */
1940 infof(data, "successfully set certificate verify locations:\n");
1945 data->set.str[STRING_SSL_CAFILE] ? data->set.str[STRING_SSL_CAFILE]:
1947 data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
1950 #ifdef CURL_CA_FALLBACK
1951 else if(data->set.ssl.verifypeer) {
1952 /* verfying the peer without any CA certificates won't
1953 work so use openssl's built in default as fallback */
1954 SSL_CTX_set_default_verify_paths(connssl->ctx);
1958 if(data->set.str[STRING_SSL_CRLFILE]) {
1959 /* tell SSL where to find CRL file that is used to check certificate
1961 lookup=X509_STORE_add_lookup(SSL_CTX_get_cert_store(connssl->ctx),
1962 X509_LOOKUP_file());
1964 (!X509_load_crl_file(lookup, data->set.str[STRING_SSL_CRLFILE],
1965 X509_FILETYPE_PEM)) ) {
1966 failf(data, "error loading CRL file: %s",
1967 data->set.str[STRING_SSL_CRLFILE]);
1968 return CURLE_SSL_CRL_BADFILE;
1971 /* Everything is fine. */
1972 infof(data, "successfully load CRL file:\n");
1973 X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
1974 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
1977 " CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ?
1978 data->set.str[STRING_SSL_CRLFILE]: "none");
1981 /* Try building a chain using issuers in the trusted store first to avoid
1982 problems with server-sent legacy intermediates.
1983 Newer versions of OpenSSL do alternate chain checking by default which
1984 gives us the same fix without as much of a performance hit (slight), so we
1985 prefer that if available.
1986 https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
1988 #if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
1989 if(data->set.ssl.verifypeer) {
1990 X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
1991 X509_V_FLAG_TRUSTED_FIRST);
1995 /* SSL always tries to verify the peer, this only says whether it should
1996 * fail to connect if the verification fails, or if it should continue
1997 * anyway. In the latter case the result of the verification is checked with
1998 * SSL_get_verify_result() below. */
1999 SSL_CTX_set_verify(connssl->ctx,
2000 data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
2003 /* give application a chance to interfere with SSL set up. */
2004 if(data->set.ssl.fsslctx) {
2005 result = (*data->set.ssl.fsslctx)(data, connssl->ctx,
2006 data->set.ssl.fsslctxp);
2008 failf(data, "error signaled by ssl ctx callback");
2013 /* Lets make an SSL structure */
2015 SSL_free(connssl->handle);
2016 connssl->handle = SSL_new(connssl->ctx);
2017 if(!connssl->handle) {
2018 failf(data, "SSL: couldn't create a context (handle)!");
2019 return CURLE_OUT_OF_MEMORY;
2022 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
2023 !defined(OPENSSL_NO_OCSP)
2024 if(data->set.ssl.verifystatus)
2025 SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
2028 SSL_set_connect_state(connssl->handle);
2030 connssl->server_cert = 0x0;
2032 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2033 if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
2035 (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
2038 !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
2039 infof(data, "WARNING: failed to configure server name indication (SNI) "
2043 /* Check if there's a cached ID we can/should use here! */
2044 if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
2045 /* we got a session id, use it! */
2046 if(!SSL_set_session(connssl->handle, ssl_sessionid)) {
2047 failf(data, "SSL: SSL_set_session failed: %s",
2048 ERR_error_string(ERR_get_error(), NULL));
2049 return CURLE_SSL_CONNECT_ERROR;
2051 /* Informational message */
2052 infof (data, "SSL re-using session ID\n");
2055 /* pass the raw socket into the SSL layers */
2056 if(!SSL_set_fd(connssl->handle, (int)sockfd)) {
2057 failf(data, "SSL: SSL_set_fd failed: %s",
2058 ERR_error_string(ERR_get_error(), NULL));
2059 return CURLE_SSL_CONNECT_ERROR;
2062 connssl->connecting_state = ssl_connect_2;
2067 static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
2069 struct SessionHandle *data = conn->data;
2071 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2072 DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
2073 || ssl_connect_2_reading == connssl->connecting_state
2074 || ssl_connect_2_writing == connssl->connecting_state);
2078 err = SSL_connect(connssl->handle);
2081 0 is "not successful but was shut down controlled"
2082 <0 is "handshake was not successful, because a fatal error occurred" */
2084 int detail = SSL_get_error(connssl->handle, err);
2086 if(SSL_ERROR_WANT_READ == detail) {
2087 connssl->connecting_state = ssl_connect_2_reading;
2090 else if(SSL_ERROR_WANT_WRITE == detail) {
2091 connssl->connecting_state = ssl_connect_2_writing;
2095 /* untreated error */
2096 unsigned long errdetail;
2097 char error_buffer[256]=""; /* OpenSSL documents that this must be at
2098 least 256 bytes long. */
2104 /* the connection failed, we're not waiting for anything else. */
2105 connssl->connecting_state = ssl_connect_2;
2107 /* Get the earliest error code from the thread's error queue and removes
2109 errdetail = ERR_get_error();
2111 /* Extract which lib and reason */
2112 lib = ERR_GET_LIB(errdetail);
2113 reason = ERR_GET_REASON(errdetail);
2115 if((lib == ERR_LIB_SSL) &&
2116 (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
2117 result = CURLE_SSL_CACERT;
2119 lerr = SSL_get_verify_result(connssl->handle);
2120 if(lerr != X509_V_OK) {
2121 snprintf(error_buffer, sizeof(error_buffer),
2122 "SSL certificate problem: %s",
2123 X509_verify_cert_error_string(lerr));
2126 /* strcpy() is fine here as long as the string fits within
2128 strcpy(error_buffer, "SSL certificate verification failed");
2131 result = CURLE_SSL_CONNECT_ERROR;
2132 SSL_strerror(errdetail, error_buffer, sizeof(error_buffer));
2135 /* detail is already set to the SSL error above */
2137 /* If we e.g. use SSLv2 request-method and the server doesn't like us
2138 * (RST connection etc.), OpenSSL gives no explanation whatsoever and
2139 * the SO_ERROR is also lost.
2141 if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
2142 failf(data, "Unknown SSL protocol error in connection to %s:%ld ",
2143 conn->host.name, conn->remote_port);
2147 /* Could be a CERT problem */
2148 failf(data, "%s", error_buffer);
2154 /* we have been connected fine, we're not waiting for anything else. */
2155 connssl->connecting_state = ssl_connect_3;
2157 /* Informational message */
2158 infof(data, "SSL connection using %s / %s\n",
2159 get_ssl_version_txt(connssl->handle),
2160 SSL_get_cipher(connssl->handle));
2163 /* Sets data and len to negotiated protocol, len is 0 if no protocol was
2166 if(data->set.ssl_enable_alpn) {
2167 const unsigned char* neg_protocol;
2169 SSL_get0_alpn_selected(connssl->handle, &neg_protocol, &len);
2171 infof(data, "ALPN, server accepted to use %.*s\n", len, neg_protocol);
2174 if(len == NGHTTP2_PROTO_VERSION_ID_LEN &&
2175 !memcmp(NGHTTP2_PROTO_VERSION_ID, neg_protocol, len)) {
2176 conn->negnpn = CURL_HTTP_VERSION_2;
2180 if(len == ALPN_HTTP_1_1_LENGTH &&
2181 !memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) {
2182 conn->negnpn = CURL_HTTP_VERSION_1_1;
2186 infof(data, "ALPN, server did not agree to a protocol\n");
2194 static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
2198 if((ilen = (int)len) < 0)
2199 return 1; /* buffer too big */
2201 i = i2t_ASN1_OBJECT(buf, ilen, a);
2204 return 1; /* buffer too small */
2209 #define push_certinfo(_label, _num) \
2211 long info_len = BIO_get_mem_data(mem, &ptr); \
2212 Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \
2213 if(1!=BIO_reset(mem)) \
2217 static void pubkey_show(struct SessionHandle *data,
2227 snprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
2230 push_certinfo(namebuf, num);
2233 #define print_pubkey_BN(_type, _name, _num) \
2235 if(_type->_name) { \
2236 pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \
2240 static int X509V3_ext(struct SessionHandle *data,
2242 STACK_OF(X509_EXTENSION) *exts)
2247 if((int)sk_X509_EXTENSION_num(exts) <= 0)
2248 /* no extensions, bail out */
2251 for(i=0; i < (int)sk_X509_EXTENSION_num(exts); i++) {
2253 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
2258 BIO *bio_out = BIO_new(BIO_s_mem());
2263 obj = X509_EXTENSION_get_object(ext);
2265 asn1_object_dump(obj, namebuf, sizeof(namebuf));
2267 if(!X509V3_EXT_print(bio_out, ext, 0, 0))
2268 ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
2270 BIO_get_mem_ptr(bio_out, &biomem);
2272 for(j = 0; j < (size_t)biomem->length; j++) {
2274 if(biomem->data[j] == '\n') {
2276 j++; /* skip the newline */
2278 while((j<(size_t)biomem->length) && (biomem->data[j] == ' '))
2280 if(j<(size_t)biomem->length)
2281 ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep,
2285 Curl_ssl_push_certinfo(data, certnum, namebuf, buf);
2290 return 0; /* all is fine */
2293 static CURLcode get_cert_chain(struct connectdata *conn,
2294 struct ssl_connect_data *connssl)
2300 struct SessionHandle *data = conn->data;
2304 sk = SSL_get_peer_cert_chain(connssl->handle);
2306 return CURLE_OUT_OF_MEMORY;
2309 numcerts = sk_X509_num(sk);
2311 result = Curl_ssl_init_certinfo(data, numcerts);
2316 mem = BIO_new(BIO_s_mem());
2318 for(i = 0; i < numcerts; i++) {
2320 X509 *x = sk_X509_value(sk, i);
2321 EVP_PKEY *pubkey=NULL;
2324 ASN1_BIT_STRING *psig;
2326 X509_NAME_print_ex(mem, X509_get_subject_name(x), 0, XN_FLAG_ONELINE);
2327 push_certinfo("Subject", i);
2329 X509_NAME_print_ex(mem, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE);
2330 push_certinfo("Issuer", i);
2332 BIO_printf(mem, "%lx", X509_get_version(x));
2333 push_certinfo("Version", i);
2335 num = X509_get_serialNumber(x);
2336 if(num->type == V_ASN1_NEG_INTEGER)
2338 for(j = 0; j < num->length; j++)
2339 BIO_printf(mem, "%02x", num->data[j]);
2340 push_certinfo("Serial Number", i);
2342 #if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS)
2345 ASN1_STRING *a = ASN1_STRING_new();
2347 X509_get0_signature(&psig, &palg, x);
2348 X509_signature_print(mem, palg, a);
2349 ASN1_STRING_free(a);
2351 i2a_ASN1_OBJECT(mem, palg->algorithm);
2352 push_certinfo("Public Key Algorithm", i);
2354 X509V3_ext(data, i, X509_get0_extensions(x));
2358 /* before OpenSSL 1.0.2 */
2359 X509_CINF *cinf = x->cert_info;
2361 i2a_ASN1_OBJECT(mem, cinf->signature->algorithm);
2362 push_certinfo("Signature Algorithm", i);
2364 i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm);
2365 push_certinfo("Public Key Algorithm", i);
2367 X509V3_ext(data, i, cinf->extensions);
2369 psig = x->signature;
2373 ASN1_TIME_print(mem, X509_get_notBefore(x));
2374 push_certinfo("Start date", i);
2376 ASN1_TIME_print(mem, X509_get_notAfter(x));
2377 push_certinfo("Expire date", i);
2379 pubkey = X509_get_pubkey(x);
2381 infof(data, " Unable to load public key\n");
2384 #ifdef HAVE_OPAQUE_EVP_PKEY
2385 pktype = EVP_PKEY_id(pubkey);
2387 pktype = pubkey->type;
2393 #ifdef HAVE_OPAQUE_EVP_PKEY
2394 rsa = EVP_PKEY_get0_RSA(pubkey);
2396 rsa = pubkey->pkey.rsa;
2398 BIO_printf(mem, "%d", BN_num_bits(rsa->n));
2399 push_certinfo("RSA Public Key", i);
2401 print_pubkey_BN(rsa, n, i);
2402 print_pubkey_BN(rsa, e, i);
2403 print_pubkey_BN(rsa, d, i);
2404 print_pubkey_BN(rsa, p, i);
2405 print_pubkey_BN(rsa, q, i);
2406 print_pubkey_BN(rsa, dmp1, i);
2407 print_pubkey_BN(rsa, dmq1, i);
2408 print_pubkey_BN(rsa, iqmp, i);
2414 #ifdef HAVE_OPAQUE_EVP_PKEY
2415 dsa = EVP_PKEY_get0_DSA(pubkey);
2417 dsa = pubkey->pkey.dsa;
2419 print_pubkey_BN(dsa, p, i);
2420 print_pubkey_BN(dsa, q, i);
2421 print_pubkey_BN(dsa, g, i);
2422 print_pubkey_BN(dsa, priv_key, i);
2423 print_pubkey_BN(dsa, pub_key, i);
2429 #ifdef HAVE_OPAQUE_EVP_PKEY
2430 dh = EVP_PKEY_get0_DH(pubkey);
2432 dh = pubkey->pkey.dh;
2434 print_pubkey_BN(dh, p, i);
2435 print_pubkey_BN(dh, g, i);
2436 print_pubkey_BN(dh, priv_key, i);
2437 print_pubkey_BN(dh, pub_key, i);
2441 case EVP_PKEY_EC: /* symbol not present in OpenSSL 0.9.6 */
2446 EVP_PKEY_free(pubkey);
2449 for(j = 0; j < psig->length; j++)
2450 BIO_printf(mem, "%02x:", psig->data[j]);
2451 push_certinfo("Signature", i);
2453 PEM_write_bio_X509(mem, x);
2454 push_certinfo("Cert", i);
2463 * Heavily modified from:
2464 * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
2466 static CURLcode pkp_pin_peer_pubkey(struct SessionHandle *data, X509* cert,
2467 const char *pinnedpubkey)
2470 int len1 = 0, len2 = 0;
2471 unsigned char *buff1 = NULL, *temp = NULL;
2473 /* Result is returned to caller */
2474 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
2476 /* if a path wasn't specified, don't pin */
2484 /* Begin Gyrations to get the subjectPublicKeyInfo */
2485 /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
2487 /* https://groups.google.com/group/mailing.openssl.users/browse_thread
2488 /thread/d61858dae102c6c7 */
2489 len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
2493 /* https://www.openssl.org/docs/crypto/buffer.html */
2494 buff1 = temp = OPENSSL_malloc(len1);
2498 /* https://www.openssl.org/docs/crypto/d2i_X509.html */
2499 len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
2502 * These checks are verifying we got back the same values as when we
2503 * sized the buffer. It's pretty weak since they should always be the
2504 * same. But it gives us something to test.
2506 if((len1 != len2) || !temp || ((temp - buff1) != len1))
2511 /* The one good exit point */
2512 result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
2515 /* https://www.openssl.org/docs/crypto/buffer.html */
2517 OPENSSL_free(buff1);
2523 * Get the server cert, verify it and show it etc, only call failf() if the
2524 * 'strict' argument is TRUE as otherwise all this is for informational
2527 * We check certificates to authenticate the server; otherwise we risk
2528 * man-in-the-middle attack.
2530 static CURLcode servercert(struct connectdata *conn,
2531 struct ssl_connect_data *connssl,
2534 CURLcode result = CURLE_OK;
2537 struct SessionHandle *data = conn->data;
2540 char *buffer = data->state.buffer;
2542 BIO *mem = BIO_new(BIO_s_mem());
2544 if(data->set.ssl.certinfo)
2545 /* we've been asked to gather certificate info! */
2546 (void)get_cert_chain(conn, connssl);
2548 connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
2549 if(!connssl->server_cert) {
2553 failf(data, "SSL: couldn't get peer certificate!");
2554 return CURLE_PEER_FAILED_VERIFICATION;
2557 infof(data, "Server certificate:\n");
2559 rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
2561 infof(data, " subject: %s\n", rc?"[NONE]":buffer);
2563 ASN1_TIME_print(mem, X509_get_notBefore(connssl->server_cert));
2564 len = BIO_get_mem_data(mem, (char **) &ptr);
2565 infof(data, " start date: %.*s\n", len, ptr);
2566 rc = BIO_reset(mem);
2568 ASN1_TIME_print(mem, X509_get_notAfter(connssl->server_cert));
2569 len = BIO_get_mem_data(mem, (char **) &ptr);
2570 infof(data, " expire date: %.*s\n", len, ptr);
2571 rc = BIO_reset(mem);
2575 if(data->set.ssl.verifyhost) {
2576 result = verifyhost(conn, connssl->server_cert);
2578 X509_free(connssl->server_cert);
2579 connssl->server_cert = NULL;
2584 rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert),
2588 failf(data, "SSL: couldn't get X509-issuer name!");
2589 result = CURLE_SSL_CONNECT_ERROR;
2592 infof(data, " issuer: %s\n", buffer);
2594 /* We could do all sorts of certificate verification stuff here before
2595 deallocating the certificate. */
2597 /* e.g. match issuer name with provided issuer certificate */
2598 if(data->set.str[STRING_SSL_ISSUERCERT]) {
2599 fp = fopen(data->set.str[STRING_SSL_ISSUERCERT], FOPEN_READTEXT);
2602 failf(data, "SSL: Unable to open issuer cert (%s)",
2603 data->set.str[STRING_SSL_ISSUERCERT]);
2604 X509_free(connssl->server_cert);
2605 connssl->server_cert = NULL;
2606 return CURLE_SSL_ISSUER_ERROR;
2609 issuer = PEM_read_X509(fp, NULL, ZERO_NULL, NULL);
2612 failf(data, "SSL: Unable to read issuer cert (%s)",
2613 data->set.str[STRING_SSL_ISSUERCERT]);
2614 X509_free(connssl->server_cert);
2617 return CURLE_SSL_ISSUER_ERROR;
2622 if(X509_check_issued(issuer, connssl->server_cert) != X509_V_OK) {
2624 failf(data, "SSL: Certificate issuer check failed (%s)",
2625 data->set.str[STRING_SSL_ISSUERCERT]);
2626 X509_free(connssl->server_cert);
2628 connssl->server_cert = NULL;
2629 return CURLE_SSL_ISSUER_ERROR;
2632 infof(data, " SSL certificate issuer check ok (%s)\n",
2633 data->set.str[STRING_SSL_ISSUERCERT]);
2637 lerr = data->set.ssl.certverifyresult =
2638 SSL_get_verify_result(connssl->handle);
2640 if(data->set.ssl.certverifyresult != X509_V_OK) {
2641 if(data->set.ssl.verifypeer) {
2642 /* We probably never reach this, because SSL_connect() will fail
2643 and we return earlier if verifypeer is set? */
2645 failf(data, "SSL certificate verify result: %s (%ld)",
2646 X509_verify_cert_error_string(lerr), lerr);
2647 result = CURLE_PEER_FAILED_VERIFICATION;
2650 infof(data, " SSL certificate verify result: %s (%ld),"
2651 " continuing anyway.\n",
2652 X509_verify_cert_error_string(lerr), lerr);
2655 infof(data, " SSL certificate verify ok.\n");
2658 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
2659 !defined(OPENSSL_NO_OCSP)
2660 if(data->set.ssl.verifystatus) {
2661 result = verifystatus(conn, connssl);
2663 X509_free(connssl->server_cert);
2664 connssl->server_cert = NULL;
2671 /* when not strict, we don't bother about the verify cert problems */
2674 ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
2675 if(!result && ptr) {
2676 result = pkp_pin_peer_pubkey(data, connssl->server_cert, ptr);
2678 failf(data, "SSL: public key does not match pinned public key!");
2681 X509_free(connssl->server_cert);
2682 connssl->server_cert = NULL;
2683 connssl->connecting_state = ssl_connect_done;
2688 static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
2690 CURLcode result = CURLE_OK;
2691 void *old_ssl_sessionid = NULL;
2692 struct SessionHandle *data = conn->data;
2693 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2695 SSL_SESSION *our_ssl_sessionid;
2697 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
2699 our_ssl_sessionid = SSL_get1_session(connssl->handle);
2701 /* SSL_get1_session() will increment the reference count and the session
2702 will stay in memory until explicitly freed with SSL_SESSION_free(3),
2703 regardless of its state. */
2705 incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL));
2707 if(old_ssl_sessionid != our_ssl_sessionid) {
2708 infof(data, "old SSL session ID is stale, removing\n");
2709 Curl_ssl_delsessionid(conn, old_ssl_sessionid);
2715 result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
2716 0 /* unknown size */);
2718 failf(data, "failed to store ssl session");
2723 /* Session was incache, so refcount already incremented earlier.
2724 * Avoid further increments with each SSL_get1_session() call.
2725 * This does not free the session as refcount remains > 0
2727 SSL_SESSION_free(our_ssl_sessionid);
2731 * We check certificates to authenticate the server; otherwise we risk
2732 * man-in-the-middle attack; NEVERTHELESS, if we're told explicitly not to
2733 * verify the peer ignore faults and failures from the server cert
2737 result = servercert(conn, connssl,
2738 (data->set.ssl.verifypeer || data->set.ssl.verifyhost));
2741 connssl->connecting_state = ssl_connect_done;
2746 static Curl_recv ossl_recv;
2747 static Curl_send ossl_send;
2749 static CURLcode ossl_connect_common(struct connectdata *conn,
2755 struct SessionHandle *data = conn->data;
2756 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2757 curl_socket_t sockfd = conn->sock[sockindex];
2761 /* check if the connection has already been established */
2762 if(ssl_connection_complete == connssl->state) {
2767 if(ssl_connect_1 == connssl->connecting_state) {
2768 /* Find out how much more time we're allowed */
2769 timeout_ms = Curl_timeleft(data, NULL, TRUE);
2771 if(timeout_ms < 0) {
2772 /* no need to continue if time already is up */
2773 failf(data, "SSL connection timeout");
2774 return CURLE_OPERATION_TIMEDOUT;
2777 result = ossl_connect_step1(conn, sockindex);
2782 while(ssl_connect_2 == connssl->connecting_state ||
2783 ssl_connect_2_reading == connssl->connecting_state ||
2784 ssl_connect_2_writing == connssl->connecting_state) {
2786 /* check allowed time left */
2787 timeout_ms = Curl_timeleft(data, NULL, TRUE);
2789 if(timeout_ms < 0) {
2790 /* no need to continue if time already is up */
2791 failf(data, "SSL connection timeout");
2792 return CURLE_OPERATION_TIMEDOUT;
2795 /* if ssl is expecting something, check if it's available. */
2796 if(connssl->connecting_state == ssl_connect_2_reading ||
2797 connssl->connecting_state == ssl_connect_2_writing) {
2799 curl_socket_t writefd = ssl_connect_2_writing==
2800 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
2801 curl_socket_t readfd = ssl_connect_2_reading==
2802 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
2804 what = Curl_socket_ready(readfd, writefd, nonblocking?0:timeout_ms);
2807 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
2808 return CURLE_SSL_CONNECT_ERROR;
2810 else if(0 == what) {
2817 failf(data, "SSL connection timeout");
2818 return CURLE_OPERATION_TIMEDOUT;
2821 /* socket is readable or writable */
2824 /* Run transaction, and return to the caller if it failed or if this
2825 * connection is done nonblocking and this loop would execute again. This
2826 * permits the owner of a multi handle to abort a connection attempt
2827 * before step2 has completed while ensuring that a client using select()
2828 * or epoll() will always have a valid fdset to wait on.
2830 result = ossl_connect_step2(conn, sockindex);
2831 if(result || (nonblocking &&
2832 (ssl_connect_2 == connssl->connecting_state ||
2833 ssl_connect_2_reading == connssl->connecting_state ||
2834 ssl_connect_2_writing == connssl->connecting_state)))
2837 } /* repeat step2 until all transactions are done. */
2839 if(ssl_connect_3 == connssl->connecting_state) {
2840 result = ossl_connect_step3(conn, sockindex);
2845 if(ssl_connect_done == connssl->connecting_state) {
2846 connssl->state = ssl_connection_complete;
2847 conn->recv[sockindex] = ossl_recv;
2848 conn->send[sockindex] = ossl_send;
2854 /* Reset our connect state machine */
2855 connssl->connecting_state = ssl_connect_1;
2860 CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn,
2864 return ossl_connect_common(conn, sockindex, TRUE, done);
2867 CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex)
2872 result = ossl_connect_common(conn, sockindex, FALSE, &done);
2881 bool Curl_ossl_data_pending(const struct connectdata *conn, int connindex)
2883 if(conn->ssl[connindex].handle)
2885 return (0 != SSL_pending(conn->ssl[connindex].handle)) ? TRUE : FALSE;
2890 static ssize_t ossl_send(struct connectdata *conn,
2896 /* SSL_write() is said to return 'int' while write() and send() returns
2899 char error_buffer[120]; /* OpenSSL documents that this must be at least 120
2901 unsigned long sslerror;
2907 memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
2908 rc = SSL_write(conn->ssl[sockindex].handle, mem, memlen);
2911 err = SSL_get_error(conn->ssl[sockindex].handle, rc);
2914 case SSL_ERROR_WANT_READ:
2915 case SSL_ERROR_WANT_WRITE:
2916 /* The operation did not complete; the same TLS/SSL I/O function
2917 should be called again later. This is basically an EWOULDBLOCK
2919 *curlcode = CURLE_AGAIN;
2921 case SSL_ERROR_SYSCALL:
2922 failf(conn->data, "SSL_write() returned SYSCALL, errno = %d",
2924 *curlcode = CURLE_SEND_ERROR;
2927 /* A failure in the SSL library occurred, usually a protocol error.
2928 The OpenSSL error queue contains more information on the error. */
2929 sslerror = ERR_get_error();
2930 failf(conn->data, "SSL_write() error: %s",
2931 ERR_error_string(sslerror, error_buffer));
2932 *curlcode = CURLE_SEND_ERROR;
2936 failf(conn->data, "SSL_write() return error %d", err);
2937 *curlcode = CURLE_SEND_ERROR;
2940 *curlcode = CURLE_OK;
2941 return (ssize_t)rc; /* number of bytes */
2944 static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
2945 int num, /* socketindex */
2946 char *buf, /* store read data here */
2947 size_t buffersize, /* max amount to read */
2950 char error_buffer[120]; /* OpenSSL documents that this must be at
2951 least 120 bytes long. */
2952 unsigned long sslerror;
2958 buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
2959 nread = (ssize_t)SSL_read(conn->ssl[num].handle, buf, buffsize);
2961 /* failed SSL_read */
2962 int err = SSL_get_error(conn->ssl[num].handle, (int)nread);
2965 case SSL_ERROR_NONE: /* this is not an error */
2966 case SSL_ERROR_ZERO_RETURN: /* no more data */
2968 case SSL_ERROR_WANT_READ:
2969 case SSL_ERROR_WANT_WRITE:
2970 /* there's data pending, re-invoke SSL_read() */
2971 *curlcode = CURLE_AGAIN;
2974 /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
2976 /* https://www.openssl.org/docs/crypto/ERR_get_error.html */
2977 sslerror = ERR_get_error();
2978 if((nread < 0) || sslerror) {
2979 /* If the return code was negative or there actually is an error in the
2981 failf(conn->data, "SSL read: %s, errno %d",
2982 ERR_error_string(sslerror, error_buffer),
2984 *curlcode = CURLE_RECV_ERROR;
2992 size_t Curl_ossl_version(char *buffer, size_t size)
2994 #ifdef OPENSSL_IS_BORINGSSL
2995 return snprintf(buffer, size, OSSL_PACKAGE);
2996 #else /* OPENSSL_IS_BORINGSSL */
2998 unsigned long ssleay_value;
3001 ssleay_value=SSLeay();
3002 if(ssleay_value < 0x906000) {
3003 ssleay_value=SSLEAY_VERSION_NUMBER;
3007 if(ssleay_value&0xff0) {
3008 int minor_ver = (ssleay_value >> 4) & 0xff;
3009 if(minor_ver > 26) {
3010 /* handle extended version introduced for 0.9.8za */
3011 sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
3015 sub[0]=(char)(((ssleay_value>>4)&0xff) + 'a' -1);
3022 return snprintf(buffer, size, "%s/%lx.%lx.%lx%s",
3024 (ssleay_value>>28)&0xf,
3025 (ssleay_value>>20)&0xff,
3026 (ssleay_value>>12)&0xff,
3028 #endif /* OPENSSL_IS_BORINGSSL */
3031 /* can be called with data == NULL */
3032 int Curl_ossl_random(struct SessionHandle *data, unsigned char *entropy,
3036 Curl_ossl_seed(data); /* Initiate the seed if not already done */
3038 RAND_bytes(entropy, curlx_uztosi(length));
3039 return 0; /* 0 as in no problem */
3042 void Curl_ossl_md5sum(unsigned char *tmp, /* input */
3044 unsigned char *md5sum /* output */,
3050 MD5_Update(&MD5pw, tmp, tmplen);
3051 MD5_Final(md5sum, &MD5pw);
3054 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
3055 void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
3057 unsigned char *sha256sum /* output */,
3060 SHA256_CTX SHA256pw;
3062 SHA256_Init(&SHA256pw);
3063 SHA256_Update(&SHA256pw, tmp, tmplen);
3064 SHA256_Final(sha256sum, &SHA256pw);
3068 bool Curl_ossl_cert_status_request(void)
3070 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
3071 !defined(OPENSSL_NO_OCSP)
3077 #endif /* USE_OPENSSL */