luna - curl/lib/vtls/gtls.c

   1/***************************************************************************
   2 *                                  _   _ ____  _
   3 *  Project                     ___| | | |  _ \| |
   4 *                             / __| | | | |_) | |
   5 *                            | (__| |_| |  _ <| |___
   6 *                             \___|\___/|_| \_\_____|
   7 *
   8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
   9 *
  10 * This software is licensed as described in the file COPYING, which
  11 * you should have received as part of this distribution. The terms
  12 * are also available at https://curl.se/docs/copyright.html.
  13 *
  14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15 * copies of the Software, and permit persons to whom the Software is
  16 * furnished to do so, under the terms of the COPYING file.
  17 *
  18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19 * KIND, either express or implied.
  20 *
  21 * SPDX-License-Identifier: curl
  22 *
  23 ***************************************************************************/
  24/*
  25 * Source file for all GnuTLS-specific code for the TLS/SSL layer. No code
  26 * but vtls.c should ever call or use these functions.
  27 *
  28 * Note: do not use the GnuTLS' *_t variable type names in this source code,
  29 * since they were not present in 1.0.X.
  30 */
  31#include "curl_setup.h"
  32
  33#ifdef USE_GNUTLS
  34
  35#include <gnutls/abstract.h>
  36#include <gnutls/gnutls.h>
  37#include <gnutls/x509.h>
  38#include <gnutls/crypto.h>
  39#include <nettle/sha2.h>
  40#include <nettle/version.h>
  41
  42#include "urldata.h"
  43#include "curl_trc.h"
  44#include "vtls/keylog.h"
  45#include "vtls/gtls.h"
  46#include "vtls/vtls.h"
  47#include "vtls/vtls_int.h"
  48#include "vtls/vtls_scache.h"
  49#include "vtls/apple.h"
  50#include "vauth/vauth.h"
  51#include "parsedate.h"
  52#include "connect.h" /* for the connect timeout */
  53#include "progress.h"
  54#include "curlx/strdup.h"
  55#include "curlx/fopen.h"
  56#include "vtls/x509asn1.h"
  57
  58/* Enable GnuTLS debugging by defining GTLSDEBUG */
  59#if 0
  60#define GTLSDEBUG
  61#endif
  62
  63#ifdef GTLSDEBUG
  64static void tls_log_func(int level, const char *str)
  65{
  66  curl_mfprintf(stderr, "|<%d>| %s", level, str);
  67}
  68#endif
  69
  70#if !defined(GNUTLS_VERSION_NUMBER) || (GNUTLS_VERSION_NUMBER < 0x030605)
  71#error "too old GnuTLS version"
  72#endif
  73
  74#undef CURL_GNUTLS_EARLY_DATA
  75#if GNUTLS_VERSION_NUMBER >= 0x03060d
  76#define CURL_GNUTLS_EARLY_DATA
  77#endif
  78
  79#include <gnutls/ocsp.h>
  80
  81struct gtls_ssl_backend_data {
  82  struct gtls_ctx gtls;
  83};
  84
  85static ssize_t gtls_push(void *s, const void *buf, size_t blen)
  86{
  87  struct Curl_cfilter *cf = s;
  88  struct ssl_connect_data *connssl = cf->ctx;
  89  struct gtls_ssl_backend_data *backend =
  90    (struct gtls_ssl_backend_data *)connssl->backend;
  91  struct Curl_easy *data = CF_DATA_CURRENT(cf);
  92  size_t nwritten;
  93  CURLcode result;
  94
  95  DEBUGASSERT(data);
  96  result = Curl_conn_cf_send(cf->next, data, buf, blen, FALSE, &nwritten);
  97  CURL_TRC_CF(data, cf, "gtls_push(len=%zu) -> %d, %zu",
  98              blen, result, nwritten);
  99  backend->gtls.io_result = result;
 100  if(result) {
 101    /* !checksrc! disable ERRNOVAR 1 */
 102    gnutls_transport_set_errno(backend->gtls.session,
 103                               (result == CURLE_AGAIN) ? EAGAIN : EINVAL);
 104    return -1;
 105  }
 106  return (ssize_t)nwritten;
 107}
 108
 109static ssize_t gtls_pull(void *s, void *buf, size_t blen)
 110{
 111  struct Curl_cfilter *cf = s;
 112  struct ssl_connect_data *connssl = cf->ctx;
 113  struct gtls_ssl_backend_data *backend =
 114    (struct gtls_ssl_backend_data *)connssl->backend;
 115  struct Curl_easy *data = CF_DATA_CURRENT(cf);
 116  size_t nread;
 117  CURLcode result;
 118
 119  DEBUGASSERT(data);
 120  if(!backend->gtls.shared_creds->trust_setup) {
 121    result = Curl_gtls_client_trust_setup(cf, data, &backend->gtls);
 122    if(result) {
 123      /* !checksrc! disable ERRNOVAR 1 */
 124      gnutls_transport_set_errno(backend->gtls.session, EINVAL);
 125      backend->gtls.io_result = result;
 126      return -1;
 127    }
 128  }
 129
 130  result = Curl_conn_cf_recv(cf->next, data, buf, blen, &nread);
 131  CURL_TRC_CF(data, cf, "gtls_pull(len=%zu) -> %d, %zu", blen, result, nread);
 132  backend->gtls.io_result = result;
 133  if(result) {
 134    /* !checksrc! disable ERRNOVAR 1 */
 135    gnutls_transport_set_errno(backend->gtls.session,
 136                               (result == CURLE_AGAIN) ? EAGAIN : EINVAL);
 137    return -1;
 138  }
 139  else if(nread == 0)
 140    connssl->peer_closed = TRUE;
 141  return (ssize_t)nread;
 142}
 143
 144/**
 145 * gtls_init()
 146 *
 147 * Global GnuTLS init, called from Curl_ssl_init(). This calls functions that
 148 * are not thread-safe (It is thread-safe since GnuTLS 3.3.0) and thus this
 149 * function itself is not thread-safe and must only be called from within
 150 * curl_global_init() to keep the thread situation under control!
 151 *
 152 * @retval 0 error initializing SSL
 153 * @retval 1 SSL initialized successfully
 154 */
 155static int gtls_init(void)
 156{
 157  int ret = 1;
 158  ret = gnutls_global_init() ? 0 : 1;
 159#ifdef GTLSDEBUG
 160  gnutls_global_set_log_function(tls_log_func);
 161  gnutls_global_set_log_level(2);
 162#endif
 163  return ret;
 164}
 165
 166static void gtls_cleanup(void)
 167{
 168  gnutls_global_deinit();
 169  Curl_tls_keylog_close();
 170}
 171
 172#ifdef CURLVERBOSE
 173static void showtime(struct Curl_easy *data, const char *text, time_t stamp)
 174{
 175  struct tm buffer;
 176  const struct tm *tm = &buffer;
 177  char str[96];
 178  CURLcode result = curlx_gmtime(stamp, &buffer);
 179  if(result)
 180    return;
 181
 182  curl_msnprintf(str,
 183                 sizeof(str),
 184                 "  %s: %s, %02d %s %4d %02d:%02d:%02d GMT",
 185                 text,
 186                 Curl_wkday[tm->tm_wday ? tm->tm_wday-1 : 6],
 187                 tm->tm_mday,
 188                 Curl_month[tm->tm_mon],
 189                 tm->tm_year + 1900,
 190                 tm->tm_hour,
 191                 tm->tm_min,
 192                 tm->tm_sec);
 193  infof(data, "%s", str);
 194}
 195#endif
 196
 197static gnutls_datum_t load_file(const char *file)
 198{
 199  FILE *f;
 200  gnutls_datum_t loaded_file = { NULL, 0 };
 201  long filelen;
 202  void *ptr;
 203
 204  f = curlx_fopen(file, "rb");
 205  if(!f)
 206    return loaded_file;
 207  if(fseek(f, 0, SEEK_END) != 0)
 208    goto out;
 209  filelen = ftell(f);
 210  if(filelen < 0 || filelen > CURL_MAX_INPUT_LENGTH)
 211    goto out;
 212  if(fseek(f, 0, SEEK_SET) != 0)
 213    goto out;
 214  ptr = curlx_malloc((size_t)filelen);
 215  if(!ptr)
 216    goto out;
 217  if(fread(ptr, 1, (size_t)filelen, f) < (size_t)filelen) {
 218    curlx_free(ptr);
 219    goto out;
 220  }
 221
 222  loaded_file.data = ptr;
 223  loaded_file.size = (unsigned int)filelen;
 224out:
 225  curlx_fclose(f);
 226  return loaded_file;
 227}
 228
 229static void unload_file(gnutls_datum_t data)
 230{
 231  curlx_free(data.data);
 232}
 233
 234/* this function does an SSL/TLS (re-)handshake */
 235static CURLcode cf_gtls_handshake(struct Curl_cfilter *cf,
 236                                  struct Curl_easy *data)
 237{
 238  struct ssl_connect_data *connssl = cf->ctx;
 239  struct gtls_ssl_backend_data *backend =
 240    (struct gtls_ssl_backend_data *)connssl->backend;
 241  gnutls_session_t session;
 242  int rc;
 243
 244  DEBUGASSERT(backend);
 245  session = backend->gtls.session;
 246
 247  connssl->io_need = CURL_SSL_IO_NEED_NONE;
 248  backend->gtls.io_result = CURLE_OK;
 249  rc = gnutls_handshake(session);
 250
 251  if(!backend->gtls.shared_creds->trust_setup) {
 252    /* After having send off the ClientHello, we prepare the trust
 253     * store to verify the coming certificate from the server */
 254    CURLcode result = Curl_gtls_client_trust_setup(cf, data, &backend->gtls);
 255    if(result)
 256      return result;
 257  }
 258
 259  if((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED)) {
 260    connssl->io_need =
 261      gnutls_record_get_direction(session) ?
 262      CURL_SSL_IO_NEED_SEND : CURL_SSL_IO_NEED_RECV;
 263    return CURLE_AGAIN;
 264  }
 265  else if((rc < 0) && !gnutls_error_is_fatal(rc)) {
 266#ifdef CURLVERBOSE
 267    const char *strerr = NULL;
 268
 269    if(rc == GNUTLS_E_WARNING_ALERT_RECEIVED) {
 270      gnutls_alert_description_t alert = gnutls_alert_get(session);
 271      strerr = gnutls_alert_get_name(alert);
 272    }
 273
 274    if(!strerr)
 275      strerr = gnutls_strerror(rc);
 276
 277    infof(data, "gnutls_handshake() warning: %s", strerr);
 278#endif
 279    return CURLE_AGAIN;
 280  }
 281  else if((rc < 0) && backend->gtls.io_result) {
 282    return backend->gtls.io_result;
 283  }
 284  else if(rc < 0) {
 285    const char *strerr = NULL;
 286
 287    if(rc == GNUTLS_E_FATAL_ALERT_RECEIVED) {
 288      gnutls_alert_description_t alert = gnutls_alert_get(session);
 289      strerr = gnutls_alert_get_name(alert);
 290    }
 291
 292    if(!strerr)
 293      strerr = gnutls_strerror(rc);
 294
 295    failf(data, "GnuTLS, handshake failed: %s", strerr);
 296    return CURLE_SSL_CONNECT_ERROR;
 297  }
 298
 299  return CURLE_OK;
 300}
 301
 302static gnutls_x509_crt_fmt_t gnutls_do_file_type(const char *type)
 303{
 304  if(!type || !type[0])
 305    return GNUTLS_X509_FMT_PEM;
 306  if(curl_strequal(type, "PEM"))
 307    return GNUTLS_X509_FMT_PEM;
 308  if(curl_strequal(type, "DER"))
 309    return GNUTLS_X509_FMT_DER;
 310  return GNUTLS_X509_FMT_PEM; /* default to PEM */
 311}
 312
 313#define GNUTLS_CIPHERS "NORMAL:%PROFILE_MEDIUM:-ARCFOUR-128:" \
 314  "-CTYPE-ALL:+CTYPE-X509"
 315/* If GnuTLS was compiled without support for SRP it errors out if SRP is
 316   requested in the priority string, so treat it specially
 317 */
 318#define GNUTLS_SRP "+SRP"
 319
 320#define QUIC_PRIORITY \
 321  "NORMAL:%PROFILE_MEDIUM:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:" \
 322  "+AES-256-GCM:+CHACHA20-POLY1305:+AES-128-CCM:-GROUP-ALL:" \
 323  "+GROUP-SECP256R1:+GROUP-X25519:+GROUP-SECP384R1:+GROUP-SECP521R1:" \
 324  "%DISABLE_TLS13_COMPAT_MODE"
 325
 326static CURLcode
 327gnutls_set_ssl_version_min_max(struct Curl_easy *data,
 328                               struct ssl_peer *peer,
 329                               struct ssl_primary_config *conn_config,
 330                               const char **prioritylist,
 331                               bool tls13support)
 332{
 333  long ssl_version = conn_config->version;
 334  long ssl_version_max = conn_config->version_max;
 335
 336  DEBUGASSERT(ssl_version != CURL_SSLVERSION_DEFAULT);
 337  if(ssl_version <= CURL_SSLVERSION_TLSv1)
 338    ssl_version = CURL_SSLVERSION_TLSv1_0;
 339  if((ssl_version_max == CURL_SSLVERSION_MAX_NONE) ||
 340     (ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT))
 341    ssl_version_max = tls13support ?
 342      CURL_SSLVERSION_MAX_TLSv1_3 : CURL_SSLVERSION_MAX_TLSv1_2;
 343
 344  if(peer->transport == TRNSPRT_QUIC) {
 345    if(ssl_version_max < CURL_SSLVERSION_MAX_TLSv1_3) {
 346      failf(data, "QUIC needs at least TLS version 1.3");
 347      return CURLE_SSL_CONNECT_ERROR;
 348    }
 349    *prioritylist = QUIC_PRIORITY;
 350    return CURLE_OK;
 351  }
 352
 353  switch(ssl_version | ssl_version_max) {
 354  case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
 355    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 356      "+VERS-TLS1.0";
 357    return CURLE_OK;
 358  case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_1:
 359    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 360      "+VERS-TLS1.1:+VERS-TLS1.0";
 361    return CURLE_OK;
 362  case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2:
 363    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 364      "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0";
 365    return CURLE_OK;
 366  case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1:
 367    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 368      "+VERS-TLS1.1";
 369    return CURLE_OK;
 370  case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2:
 371    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 372      "+VERS-TLS1.2:+VERS-TLS1.1";
 373    return CURLE_OK;
 374  case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2:
 375    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 376      "+VERS-TLS1.2";
 377    return CURLE_OK;
 378  case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_TLSv1_3:
 379    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 380      "+VERS-TLS1.3";
 381    return CURLE_OK;
 382  case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_3:
 383    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0";
 384    return CURLE_OK;
 385  case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_3:
 386    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 387      "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1";
 388    return CURLE_OK;
 389  case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3:
 390    *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
 391      "+VERS-TLS1.3:+VERS-TLS1.2";
 392    return CURLE_OK;
 393  }
 394
 395  failf(data, "GnuTLS: cannot set TLS protocol");
 396  return CURLE_SSL_CONNECT_ERROR;
 397}
 398
 399CURLcode Curl_gtls_shared_creds_create(struct Curl_easy *data,
 400                                       struct gtls_shared_creds **pcreds)
 401{
 402  struct gtls_shared_creds *shared;
 403  int rc;
 404
 405  *pcreds = NULL;
 406  shared = curlx_calloc(1, sizeof(*shared));
 407  if(!shared)
 408    return CURLE_OUT_OF_MEMORY;
 409
 410  rc = gnutls_certificate_allocate_credentials(&shared->creds);
 411  if(rc != GNUTLS_E_SUCCESS) {
 412    failf(data, "gnutls_cert_all_cred() failed: %s", gnutls_strerror(rc));
 413    curlx_free(shared);
 414    return CURLE_SSL_CONNECT_ERROR;
 415  }
 416
 417  shared->refcount = 1;
 418  shared->time = *Curl_pgrs_now(data);
 419  *pcreds = shared;
 420  return CURLE_OK;
 421}
 422
 423CURLcode Curl_gtls_shared_creds_up_ref(struct gtls_shared_creds *creds)
 424{
 425  DEBUGASSERT(creds);
 426  if(creds->refcount < SIZE_MAX) {
 427    ++creds->refcount;
 428    return CURLE_OK;
 429  }
 430  return CURLE_BAD_FUNCTION_ARGUMENT;
 431}
 432
 433void Curl_gtls_shared_creds_free(struct gtls_shared_creds **pcreds)
 434{
 435  struct gtls_shared_creds *shared = *pcreds;
 436  *pcreds = NULL;
 437  if(shared) {
 438    --shared->refcount;
 439    if(!shared->refcount) {
 440      gnutls_certificate_free_credentials(shared->creds);
 441      curlx_free(shared->CAfile);
 442      curlx_free(shared);
 443    }
 444  }
 445}
 446
 447static CURLcode gtls_populate_creds(struct Curl_cfilter *cf,
 448                                    struct Curl_easy *data,
 449                                    gnutls_certificate_credentials_t creds)
 450{
 451  struct ssl_primary_config *config = Curl_ssl_cf_get_primary_config(cf);
 452  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
 453  bool creds_are_empty = TRUE;
 454  int rc;
 455
 456  if(!config->verifypeer) {
 457    infof(data, "SSL Trust: peer verification disabled");
 458    return CURLE_OK;
 459  }
 460
 461  infof(data, "SSL Trust Anchors:");
 462  if(ssl_config->native_ca_store) {
 463#ifdef USE_APPLE_SECTRUST
 464    infof(data, "  Native: Apple SecTrust");
 465    creds_are_empty = FALSE;
 466#else
 467    rc = gnutls_certificate_set_x509_system_trust(creds);
 468    if(rc < 0)
 469      infof(data, "error reading native CA store (%s), continuing anyway",
 470            gnutls_strerror(rc));
 471    else {
 472      infof(data, "  Native: %d certificates from system trust", rc);
 473      if(rc > 0)
 474        creds_are_empty = FALSE;
 475    }
 476#endif
 477  }
 478
 479  if(config->ca_info_blob) {
 480    gnutls_datum_t ca_info_datum;
 481    if(config->ca_info_blob->len > (size_t)UINT_MAX) {
 482      failf(data, "certificate blob too long: %zu bytes",
 483            config->ca_info_blob->len);
 484      return CURLE_SSL_CACERT_BADFILE;
 485    }
 486    ca_info_datum.data = config->ca_info_blob->data;
 487    ca_info_datum.size = (unsigned int)config->ca_info_blob->len;
 488    rc = gnutls_certificate_set_x509_trust_mem(creds, &ca_info_datum,
 489                                               GNUTLS_X509_FMT_PEM);
 490    creds_are_empty = creds_are_empty && (rc <= 0);
 491    if(rc < 0) {
 492      infof(data, "error reading CA cert blob (%s)%s", gnutls_strerror(rc),
 493            (creds_are_empty ? "" : ", continuing anyway"));
 494      if(creds_are_empty) {
 495        ssl_config->certverifyresult = rc;
 496        return CURLE_SSL_CACERT_BADFILE;
 497      }
 498    }
 499    else
 500      infof(data, "  CA Blob: %d certificates", rc);
 501  }
 502  /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
 503  else if(config->CAfile) {
 504    /* set the trusted CA cert bundle file */
 505    gnutls_certificate_set_verify_flags(creds,
 506                                        GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 507
 508    rc = gnutls_certificate_set_x509_trust_file(creds,
 509                                                config->CAfile,
 510                                                GNUTLS_X509_FMT_PEM);
 511    creds_are_empty = creds_are_empty && (rc <= 0);
 512    if(rc < 0) {
 513      infof(data, "error reading CA cert file %s (%s)%s",
 514            config->CAfile, gnutls_strerror(rc),
 515            (creds_are_empty ? "" : ", continuing anyway"));
 516      if(creds_are_empty) {
 517        ssl_config->certverifyresult = rc;
 518        return CURLE_SSL_CACERT_BADFILE;
 519      }
 520    }
 521    else
 522      infof(data, "  CAfile: %d certificates in %s", rc, config->CAfile);
 523  }
 524
 525  if(config->CApath) {
 526    /* set the trusted CA cert directory */
 527    rc = gnutls_certificate_set_x509_trust_dir(creds, config->CApath,
 528                                               GNUTLS_X509_FMT_PEM);
 529    creds_are_empty = creds_are_empty && (rc <= 0);
 530    if(rc < 0) {
 531      infof(data, "error reading CA cert file %s (%s)%s",
 532            config->CApath, gnutls_strerror(rc),
 533            (creds_are_empty ? "" : ", continuing anyway"));
 534      if(creds_are_empty) {
 535        ssl_config->certverifyresult = rc;
 536        return CURLE_SSL_CACERT_BADFILE;
 537      }
 538    }
 539    else
 540      infof(data, "  CApath: %d certificates in %s", rc, config->CApath);
 541  }
 542
 543  if(creds_are_empty)
 544    infof(data, "  no trust anchors configured");
 545
 546  if(config->CRLfile) {
 547    /* set the CRL list file */
 548    rc = gnutls_certificate_set_x509_crl_file(creds, config->CRLfile,
 549                                              GNUTLS_X509_FMT_PEM);
 550    if(rc < 0) {
 551      failf(data, "error reading CRL file %s (%s)",
 552            config->CRLfile, gnutls_strerror(rc));
 553      return CURLE_SSL_CRL_BADFILE;
 554    }
 555    else
 556      infof(data, "  CRLfile: %d CRL in %s", rc, config->CRLfile);
 557  }
 558
 559  return CURLE_OK;
 560}
 561
 562/* key to use at `multi->proto_hash` */
 563#define MPROTO_GTLS_X509_KEY   "tls:gtls:x509:share"
 564
 565static bool gtls_shared_creds_expired(struct Curl_easy *data,
 566                                      const struct gtls_shared_creds *sc)
 567{
 568  const struct ssl_general_config *cfg = &data->set.general_ssl;
 569  timediff_t elapsed_ms = curlx_ptimediff_ms(Curl_pgrs_now(data), &sc->time);
 570  timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
 571
 572  if(timeout_ms < 0)
 573    return FALSE;
 574
 575  return elapsed_ms >= timeout_ms;
 576}
 577
 578static bool gtls_shared_creds_different(struct Curl_cfilter *cf,
 579                                        const struct gtls_shared_creds *sc)
 580{
 581  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
 582  if(!sc->CAfile || !conn_config->CAfile)
 583    return sc->CAfile != conn_config->CAfile;
 584
 585  return strcmp(sc->CAfile, conn_config->CAfile);
 586}
 587
 588static struct gtls_shared_creds *gtls_get_cached_creds(struct Curl_cfilter *cf,
 589                                                       struct Curl_easy *data)
 590{
 591  struct gtls_shared_creds *shared_creds;
 592
 593  if(data->multi) {
 594    shared_creds = Curl_hash_pick(&data->multi->proto_hash,
 595                                  CURL_UNCONST(MPROTO_GTLS_X509_KEY),
 596                                  sizeof(MPROTO_GTLS_X509_KEY) - 1);
 597    if(shared_creds && shared_creds->creds &&
 598       !gtls_shared_creds_expired(data, shared_creds) &&
 599       !gtls_shared_creds_different(cf, shared_creds)) {
 600      return shared_creds;
 601    }
 602  }
 603  return NULL;
 604}
 605
 606static void gtls_shared_creds_hash_free(void *key, size_t key_len, void *p)
 607{
 608  struct gtls_shared_creds *sc = p;
 609  DEBUGASSERT(key_len == (sizeof(MPROTO_GTLS_X509_KEY) - 1));
 610  DEBUGASSERT(!memcmp(MPROTO_GTLS_X509_KEY, key, key_len));
 611  (void)key;
 612  (void)key_len;
 613  Curl_gtls_shared_creds_free(&sc); /* down reference */
 614}
 615
 616static void gtls_set_cached_creds(struct Curl_cfilter *cf,
 617                                  struct Curl_easy *data,
 618                                  struct gtls_shared_creds *sc)
 619{
 620  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
 621
 622  DEBUGASSERT(sc);
 623  DEBUGASSERT(sc->creds);
 624  DEBUGASSERT(!sc->CAfile);
 625  DEBUGASSERT(sc->refcount == 1);
 626  if(!data->multi)
 627    return;
 628
 629  if(conn_config->CAfile) {
 630    sc->CAfile = curlx_strdup(conn_config->CAfile);
 631    if(!sc->CAfile)
 632      return;
 633  }
 634
 635  if(Curl_gtls_shared_creds_up_ref(sc))
 636    return;
 637
 638  if(!Curl_hash_add2(&data->multi->proto_hash,
 639                     CURL_UNCONST(MPROTO_GTLS_X509_KEY),
 640                     sizeof(MPROTO_GTLS_X509_KEY) - 1,
 641                     sc, gtls_shared_creds_hash_free)) {
 642    Curl_gtls_shared_creds_free(&sc); /* down reference again */
 643    return;
 644  }
 645}
 646
 647CURLcode Curl_gtls_client_trust_setup(struct Curl_cfilter *cf,
 648                                      struct Curl_easy *data,
 649                                      struct gtls_ctx *gtls)
 650{
 651  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
 652  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
 653  struct gtls_shared_creds *cached_creds = NULL;
 654  bool cache_criteria_met;
 655  CURLcode result;
 656  int rc;
 657
 658  /* Consider the X509 store cacheable if it comes exclusively from a CAfile,
 659     or no source is provided and we are falling back to OpenSSL's built-in
 660     default. */
 661  cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) &&
 662    conn_config->verifypeer &&
 663    !conn_config->CApath &&
 664    !conn_config->ca_info_blob &&
 665    !ssl_config->primary.CRLfile &&
 666    !ssl_config->native_ca_store &&
 667    !conn_config->clientcert; /* GnuTLS adds client cert to its credentials! */
 668
 669  if(cache_criteria_met)
 670    cached_creds = gtls_get_cached_creds(cf, data);
 671
 672  if(cached_creds && !Curl_gtls_shared_creds_up_ref(cached_creds)) {
 673    CURL_TRC_CF(data, cf, "using shared trust anchors and CRLs");
 674    Curl_gtls_shared_creds_free(&gtls->shared_creds);
 675    gtls->shared_creds = cached_creds;
 676    rc = gnutls_credentials_set(gtls->session, GNUTLS_CRD_CERTIFICATE,
 677                                gtls->shared_creds->creds);
 678    if(rc != GNUTLS_E_SUCCESS) {
 679      failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
 680      return CURLE_SSL_CONNECT_ERROR;
 681    }
 682  }
 683  else {
 684    CURL_TRC_CF(data, cf, "loading trust anchors and CRLs");
 685    result = gtls_populate_creds(cf, data, gtls->shared_creds->creds);
 686    if(result)
 687      return result;
 688    gtls->shared_creds->trust_setup = TRUE;
 689    if(cache_criteria_met)
 690      gtls_set_cached_creds(cf, data, gtls->shared_creds);
 691  }
 692  return CURLE_OK;
 693}
 694
 695#ifdef CURL_GNUTLS_EARLY_DATA
 696static int gtls_get_ietf_proto(gnutls_session_t session)
 697{
 698  switch(gnutls_protocol_get_version(session)) {
 699  case GNUTLS_SSL3:
 700    return CURL_IETF_PROTO_SSL3;
 701  case GNUTLS_TLS1_0:
 702    return CURL_IETF_PROTO_TLS1;
 703  case GNUTLS_TLS1_1:
 704    return CURL_IETF_PROTO_TLS1_1;
 705  case GNUTLS_TLS1_2:
 706    return CURL_IETF_PROTO_TLS1_2;
 707  case GNUTLS_TLS1_3:
 708    return CURL_IETF_PROTO_TLS1_3;
 709  default:
 710    return CURL_IETF_PROTO_UNKNOWN;
 711  }
 712}
 713
 714CURLcode Curl_gtls_cache_session(struct Curl_cfilter *cf,
 715                                 struct Curl_easy *data,
 716                                 const char *ssl_peer_key,
 717                                 gnutls_session_t session,
 718                                 curl_off_t valid_until,
 719                                 const char *alpn,
 720                                 unsigned char *quic_tp,
 721                                 size_t quic_tp_len)
 722{
 723  struct Curl_ssl_session *sc_session;
 724  unsigned char *sdata, *qtp_clone = NULL;
 725  size_t sdata_len = 0;
 726  size_t earlydata_max = 0;
 727  CURLcode result = CURLE_OK;
 728
 729  if(!Curl_ssl_scache_use(cf, data))
 730    return CURLE_OK;
 731
 732  /* we always unconditionally get the session id here, as even if we
 733     already got it from the cache and asked to use it in the connection, it
 734     might have been rejected and then a new one is in use now and we need to
 735     detect that. */
 736
 737  /* get the session ID data size */
 738  gnutls_session_get_data(session, NULL, &sdata_len);
 739  if(!sdata_len) /* GnuTLS does this for some version combinations */
 740    return CURLE_OK;
 741
 742  sdata = curlx_malloc(sdata_len); /* get a buffer for it */
 743  if(!sdata)
 744    return CURLE_OUT_OF_MEMORY;
 745
 746  /* extract session ID to the allocated buffer */
 747  gnutls_session_get_data(session, sdata, &sdata_len);
 748  earlydata_max = gnutls_record_get_max_early_data_size(session);
 749
 750  CURL_TRC_CF(data, cf, "get session id (len=%zu, alpn=%s, earlymax=%zu) "
 751              "and store in cache", sdata_len, alpn ? alpn : "-",
 752              earlydata_max);
 753  if(quic_tp && quic_tp_len) {
 754    qtp_clone = curlx_memdup0((const char *)quic_tp, quic_tp_len);
 755    if(!qtp_clone) {
 756      curlx_free(sdata);
 757      return CURLE_OUT_OF_MEMORY;
 758    }
 759  }
 760
 761  result = Curl_ssl_session_create2(sdata, sdata_len,
 762                                    gtls_get_ietf_proto(session),
 763                                    alpn, valid_until, earlydata_max,
 764                                    qtp_clone, quic_tp_len,
 765                                    &sc_session);
 766  /* call took ownership of `sdata` and `qtp_clone` */
 767  if(!result) {
 768    result = Curl_ssl_scache_put(cf, data, ssl_peer_key, sc_session);
 769    /* took ownership of `sc_session` */
 770  }
 771  return result;
 772}
 773#endif
 774
 775#ifdef CURL_GNUTLS_EARLY_DATA
 776static CURLcode cf_gtls_update_session_id(struct Curl_cfilter *cf,
 777                                          struct Curl_easy *data,
 778                                          gnutls_session_t session)
 779{
 780  struct ssl_connect_data *connssl = cf->ctx;
 781  return Curl_gtls_cache_session(cf, data, connssl->peer.scache_key,
 782                                 session, 0, connssl->negotiated.alpn,
 783                                 NULL, 0);
 784}
 785
 786static int gtls_handshake_cb(gnutls_session_t session, unsigned int htype,
 787                             unsigned when, unsigned int incoming,
 788                             const gnutls_datum_t *msg)
 789{
 790  struct Curl_cfilter *cf = gnutls_session_get_ptr(session);
 791
 792  (void)msg;
 793  (void)incoming;
 794  if(when) { /* after message has been processed */
 795    struct Curl_easy *data = CF_DATA_CURRENT(cf);
 796    if(data) {
 797      CURL_TRC_CF(data, cf, "handshake: %s message type %u",
 798                  incoming ? "incoming" : "outgoing", htype);
 799      switch(htype) {
 800      case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: {
 801        cf_gtls_update_session_id(cf, data, session);
 802        break;
 803      }
 804      default:
 805        break;
 806      }
 807    }
 808  }
 809  return 0;
 810}
 811#endif
 812
 813static CURLcode gtls_set_priority(struct Curl_cfilter *cf,
 814                                  struct Curl_easy *data,
 815                                  struct gtls_ctx *gtls,
 816                                  const char *priority)
 817{
 818  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
 819  struct dynbuf buf;
 820  const char *err = NULL;
 821  CURLcode result = CURLE_OK;
 822  int rc;
 823
 824  curlx_dyn_init(&buf, 4096);
 825
 826#ifdef USE_GNUTLS_SRP
 827  if(conn_config->username) {
 828    /* Only add SRP to the cipher list if SRP is requested. Otherwise
 829     * GnuTLS disables TLS 1.3 support. */
 830    result = curlx_dyn_add(&buf, priority);
 831    if(!result)
 832      result = curlx_dyn_add(&buf, ":" GNUTLS_SRP);
 833    if(result)
 834      goto out;
 835    priority = curlx_dyn_ptr(&buf);
 836  }
 837#endif
 838
 839  if(conn_config->cipher_list) {
 840    if((conn_config->cipher_list[0] == '+') ||
 841       (conn_config->cipher_list[0] == '-') ||
 842       (conn_config->cipher_list[0] == '!')) {
 843      /* add it to our own */
 844      if(!curlx_dyn_len(&buf)) {  /* not added yet */
 845        result = curlx_dyn_add(&buf, priority);
 846        if(result)
 847          goto out;
 848      }
 849      result = curlx_dyn_addf(&buf, ":%s", conn_config->cipher_list);
 850      if(result)
 851        goto out;
 852      priority = curlx_dyn_ptr(&buf);
 853    }
 854    else /* replace our own completely */
 855      priority = conn_config->cipher_list;
 856  }
 857
 858  infof(data, "GnuTLS priority: %s", priority);
 859  rc = gnutls_priority_set_direct(gtls->session, priority, &err);
 860  if(rc != GNUTLS_E_SUCCESS) {
 861    failf(data, "Error %d setting GnuTLS priority: %s", rc, err);
 862    result = CURLE_SSL_CONNECT_ERROR;
 863  }
 864
 865out:
 866  curlx_dyn_free(&buf);
 867  return result;
 868}
 869
 870static CURLcode gtls_client_init(struct Curl_cfilter *cf,
 871                                 struct Curl_easy *data,
 872                                 struct ssl_peer *peer,
 873                                 size_t earlydata_max,
 874                                 struct gtls_ctx *gtls)
 875{
 876  struct ssl_primary_config *config = Curl_ssl_cf_get_primary_config(cf);
 877  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
 878  unsigned int init_flags;
 879  int rc;
 880  const char *prioritylist;
 881  bool tls13support;
 882  CURLcode result;
 883
 884  if(config->version == CURL_SSLVERSION_SSLv2 ||
 885     config->version == CURL_SSLVERSION_SSLv3) {
 886    failf(data, "GnuTLS does not support SSLv2 or SSLv3");
 887    return CURLE_SSL_CONNECT_ERROR;
 888  }
 889
 890  /* allocate a shared creds struct */
 891  result = Curl_gtls_shared_creds_create(data, &gtls->shared_creds);
 892  if(result)
 893    return result;
 894
 895#ifdef USE_GNUTLS_SRP
 896  if(config->username && Curl_auth_allowed_to_host(data)) {
 897    infof(data, "Using TLS-SRP username: %s", config->username);
 898
 899    rc = gnutls_srp_allocate_client_credentials(&gtls->srp_client_cred);
 900    if(rc == GNUTLS_E_UNIMPLEMENTED_FEATURE) {
 901      failf(data, "GnuTLS: TLS-SRP support not built in: %s",
 902            gnutls_strerror(rc));
 903      return CURLE_NOT_BUILT_IN;
 904    }
 905    else if(rc != GNUTLS_E_SUCCESS) {
 906      failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
 907            gnutls_strerror(rc));
 908      return CURLE_OUT_OF_MEMORY;
 909    }
 910
 911    rc = gnutls_srp_set_client_credentials(gtls->srp_client_cred,
 912                                           config->username,
 913                                           config->password);
 914    if(rc != GNUTLS_E_SUCCESS) {
 915      failf(data, "gnutls_srp_set_client_cred() failed: %s",
 916            gnutls_strerror(rc));
 917      return CURLE_BAD_FUNCTION_ARGUMENT;
 918    }
 919  }
 920#endif
 921
 922  ssl_config->certverifyresult = 0;
 923
 924  /* Initialize TLS session as a client */
 925  init_flags = GNUTLS_CLIENT;
 926#ifdef CURL_GNUTLS_EARLY_DATA
 927  if(peer->transport == TRNSPRT_QUIC && earlydata_max > 0)
 928    init_flags |= GNUTLS_ENABLE_EARLY_DATA | GNUTLS_NO_END_OF_EARLY_DATA;
 929  else if(earlydata_max > 0 && earlydata_max != 0xFFFFFFFFUL)
 930    /* See https://gitlab.com/gnutls/gnutls/-/issues/1619
 931     * We cannot differentiate between a session announcing no earldata
 932     * and one announcing 0xFFFFFFFFUL. On TCP+TLS, this is unlikely, but
 933     * on QUIC this is common. */
 934    init_flags |= GNUTLS_ENABLE_EARLY_DATA;
 935#endif
 936
 937#ifdef GNUTLS_FORCE_CLIENT_CERT
 938  init_flags |= GNUTLS_FORCE_CLIENT_CERT;
 939#endif
 940
 941#ifdef GNUTLS_NO_TICKETS_TLS12
 942  init_flags |= GNUTLS_NO_TICKETS_TLS12;
 943#endif
 944
 945#ifdef GNUTLS_NO_STATUS_REQUEST
 946  if(!config->verifystatus)
 947    /* Disable the "status_request" TLS extension, enabled by default since
 948       GnuTLS 3.8.0. */
 949    init_flags |= GNUTLS_NO_STATUS_REQUEST;
 950#endif
 951
 952  CURL_TRC_CF(data, cf, "gnutls_init(flags=%x), earlydata=%zu",
 953              init_flags, earlydata_max);
 954  rc = gnutls_init(&gtls->session, init_flags);
 955  if(rc != GNUTLS_E_SUCCESS) {
 956    failf(data, "gnutls_init() failed: %d", rc);
 957    return CURLE_SSL_CONNECT_ERROR;
 958  }
 959
 960  if(peer->sni) {
 961    if(gnutls_server_name_set(gtls->session, GNUTLS_NAME_DNS,
 962                              peer->sni, strlen(peer->sni)) < 0) {
 963      failf(data, "Failed to set SNI");
 964      return CURLE_SSL_CONNECT_ERROR;
 965    }
 966  }
 967
 968  /* Use default priorities */
 969  rc = gnutls_set_default_priority(gtls->session);
 970  if(rc != GNUTLS_E_SUCCESS)
 971    return CURLE_SSL_CONNECT_ERROR;
 972
 973  /* "In GnuTLS 3.6.5, TLS 1.3 is enabled by default" */
 974  tls13support = !!gnutls_check_version("3.6.5");
 975
 976  if(config->version == CURL_SSLVERSION_TLSv1_3) {
 977    if(!tls13support) {
 978      failf(data, "This GnuTLS installation does not support TLS 1.3");
 979      return CURLE_SSL_CONNECT_ERROR;
 980    }
 981  }
 982
 983  /* At this point we know we have a supported TLS version, so set it */
 984  result = gnutls_set_ssl_version_min_max(data, peer,
 985                                          config, &prioritylist, tls13support);
 986  if(result)
 987    return result;
 988
 989  result = gtls_set_priority(cf, data, gtls, prioritylist);
 990  if(result)
 991    return result;
 992
 993  if(config->clientcert) {
 994    if(!gtls->shared_creds->trust_setup) {
 995      result = Curl_gtls_client_trust_setup(cf, data, gtls);
 996      if(result)
 997        return result;
 998    }
 999    if(ssl_config->cert_type && curl_strequal(ssl_config->cert_type, "P12")) {
1000      rc = gnutls_certificate_set_x509_simple_pkcs12_file(
1001        gtls->shared_creds->creds, config->clientcert, GNUTLS_X509_FMT_DER,
1002        ssl_config->key_passwd ? ssl_config->key_passwd : "");
1003      if(rc != GNUTLS_E_SUCCESS) {
1004        failf(data,
1005              "error reading X.509 potentially-encrypted key or certificate "
1006              "file: %s",
1007              gnutls_strerror(rc));
1008        return CURLE_SSL_CONNECT_ERROR;
1009      }
1010    }
1011    else {
1012      const unsigned int supported_key_encryption_algorithms =
1013        GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
1014        GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
1015        GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 |
1016        GNUTLS_PKCS_USE_PBES2_AES_256;
1017      rc = gnutls_certificate_set_x509_key_file2(
1018           gtls->shared_creds->creds,
1019           config->clientcert,
1020           ssl_config->key ? ssl_config->key : config->clientcert,
1021           gnutls_do_file_type(ssl_config->cert_type),
1022           ssl_config->key_passwd,
1023           supported_key_encryption_algorithms);
1024      if(rc != GNUTLS_E_SUCCESS) {
1025        failf(data,
1026              "error reading X.509 %skey file: %s",
1027              ssl_config->key_passwd ? "potentially-encrypted " : "",
1028              gnutls_strerror(rc));
1029        return CURLE_SSL_CONNECT_ERROR;
1030      }
1031    }
1032  }
1033
1034#ifdef USE_GNUTLS_SRP
1035  /* put the credentials to the current session */
1036  if(config->username) {
1037    rc = gnutls_credentials_set(gtls->session, GNUTLS_CRD_SRP,
1038                                gtls->srp_client_cred);
1039    if(rc != GNUTLS_E_SUCCESS) {
1040      failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
1041      return CURLE_SSL_CONNECT_ERROR;
1042    }
1043  }
1044  else
1045#endif
1046  {
1047    rc = gnutls_credentials_set(gtls->session, GNUTLS_CRD_CERTIFICATE,
1048                                gtls->shared_creds->creds);
1049    if(rc != GNUTLS_E_SUCCESS) {
1050      failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc));
1051      return CURLE_SSL_CONNECT_ERROR;
1052    }
1053  }
1054
1055  if(config->verifystatus) {
1056    rc = gnutls_ocsp_status_request_enable_client(gtls->session,
1057                                                  NULL, 0, NULL);
1058    if(rc != GNUTLS_E_SUCCESS) {
1059      failf(data, "gnutls_ocsp_status_request_enable_client() failed: %d", rc);
1060      return CURLE_SSL_CONNECT_ERROR;
1061    }
1062  }
1063
1064  return CURLE_OK;
1065}
1066
1067#ifdef CURL_GNUTLS_EARLY_DATA
1068static int keylog_callback(gnutls_session_t session, const char *label,
1069                           const gnutls_datum_t *secret)
1070{
1071  gnutls_datum_t crandom;
1072  gnutls_datum_t srandom;
1073
1074  gnutls_session_get_random(session, &crandom, &srandom);
1075  if(crandom.size != 32) {
1076    return -1;
1077  }
1078
1079  Curl_tls_keylog_write(label, crandom.data, secret->data, secret->size);
1080  return 0;
1081}
1082
1083static CURLcode gtls_on_session_reuse(struct Curl_cfilter *cf,
1084                                      struct Curl_easy *data,
1085                                      struct alpn_spec *alpns,
1086                                      struct Curl_ssl_session *scs,
1087                                      bool *do_early_data)
1088{
1089  struct ssl_connect_data *connssl = cf->ctx;
1090  struct gtls_ssl_backend_data *backend =
1091    (struct gtls_ssl_backend_data *)connssl->backend;
1092
1093  connssl->earlydata_max =
1094    gnutls_record_get_max_early_data_size(backend->gtls.session);
1095
1096  /* Seems to be no GnuTLS way to signal no EarlyData in session */
1097  return Curl_on_session_reuse(cf, data, alpns, scs, do_early_data,
1098                               connssl->earlydata_max &&
1099                               connssl->earlydata_max != 0xFFFFFFFFUL);
1100}
1101#endif
1102
1103CURLcode Curl_gtls_ctx_init(struct gtls_ctx *gctx,
1104                            struct Curl_cfilter *cf,
1105                            struct Curl_easy *data,
1106                            struct ssl_peer *peer,
1107                            const struct alpn_spec *alpns_requested,
1108                            Curl_gtls_ctx_setup_cb *cb_setup,
1109                            void *cb_user_data,
1110                            void *ssl_user_data,
1111                            Curl_gtls_init_session_reuse_cb *sess_reuse_cb)
1112{
1113  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
1114  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
1115  struct Curl_ssl_session *scs = NULL;
1116  gnutls_datum_t gtls_alpns[ALPN_ENTRIES_MAX];
1117  size_t gtls_alpns_count = 0;
1118  bool gtls_session_setup = FALSE;
1119  struct alpn_spec alpns;
1120  CURLcode result = CURLE_OK;
1121  int rc;
1122
1123  DEBUGASSERT(gctx);
1124  Curl_alpn_copy(&alpns, alpns_requested);
1125
1126  /* This might be a reconnect, so we check for a session ID in the cache
1127     to speed up things. We need to do this before constructing the GnuTLS
1128     session since we need to set flags depending on the kind of reuse. */
1129  if(conn_config->cache_session && !conn_config->verifystatus) {
1130    result = Curl_ssl_scache_take(cf, data, peer->scache_key, &scs);
1131    if(result)
1132      goto out;
1133
1134    if(scs && scs->sdata && scs->sdata_len &&
1135       (!scs->alpn || Curl_alpn_contains_proto(&alpns, scs->alpn))) {
1136      /* we got a cached session, use it! */
1137
1138      result = gtls_client_init(cf, data, peer, scs->earlydata_max, gctx);
1139      if(result)
1140        goto out;
1141      gtls_session_setup = TRUE;
1142
1143      rc = gnutls_session_set_data(gctx->session, scs->sdata, scs->sdata_len);
1144      if(rc < 0)
1145        infof(data, "SSL session not accepted by GnuTLS, continuing without");
1146      else {
1147        infof(data, "SSL reusing session with ALPN '%s'",
1148              scs->alpn ? scs->alpn : "-");
1149        if(ssl_config->earlydata && scs->alpn &&
1150           !cf->conn->bits.connect_only) {
1151          bool do_early_data = FALSE;
1152          if(sess_reuse_cb) {
1153            result = sess_reuse_cb(cf, data, &alpns, scs, &do_early_data);
1154            if(result)
1155              goto out;
1156          }
1157          if(do_early_data) {
1158            /* We only try the ALPN protocol the session used before,
1159             * otherwise we might send early data for the wrong protocol */
1160            Curl_alpn_restrict_to(&alpns, scs->alpn);
1161          }
1162        }
1163      }
1164    }
1165  }
1166
1167  if(!gtls_session_setup) {
1168    result = gtls_client_init(cf, data, peer, 0, gctx);
1169    if(result)
1170      goto out;
1171  }
1172
1173  gnutls_session_set_ptr(gctx->session, ssl_user_data);
1174
1175  if(cb_setup) {
1176    result = cb_setup(cf, data, cb_user_data);
1177    if(result)
1178      goto out;
1179  }
1180
1181#ifdef CURL_GNUTLS_EARLY_DATA
1182  /* Open the file if a TLS or QUIC backend has not done this before. */
1183  Curl_tls_keylog_open();
1184  if(Curl_tls_keylog_enabled()) {
1185    gnutls_session_set_keylog_function(gctx->session, keylog_callback);
1186  }
1187#endif
1188
1189  /* convert the ALPN string from our arguments to a list of strings that
1190   * GnuTLS wants and does convert internally back to this string for sending
1191   * to the server. nice. */
1192  if(!gtls_alpns_count && alpns.count) {
1193    size_t i;
1194    DEBUGASSERT(CURL_ARRAYSIZE(gtls_alpns) >= alpns.count);
1195    for(i = 0; i < alpns.count; ++i) {
1196      gtls_alpns[i].data = (unsigned char *)alpns.entries[i];
1197      gtls_alpns[i].size = (unsigned int)strlen(alpns.entries[i]);
1198    }
1199    gtls_alpns_count = alpns.count;
1200  }
1201
1202  if(gtls_alpns_count &&
1203     gnutls_alpn_set_protocols(gctx->session,
1204                               gtls_alpns, (unsigned int)gtls_alpns_count,
1205                               GNUTLS_ALPN_MANDATORY)) {
1206    failf(data, "failed setting ALPN");
1207    result = CURLE_SSL_CONNECT_ERROR;
1208  }
1209
1210out:
1211  Curl_ssl_scache_return(cf, data, peer->scache_key, scs);
1212  return result;
1213}
1214
1215static CURLcode gtls_connect_step1(struct Curl_cfilter *cf,
1216                                   struct Curl_easy *data)
1217{
1218  struct ssl_connect_data *connssl = cf->ctx;
1219  struct gtls_ssl_backend_data *backend =
1220    (struct gtls_ssl_backend_data *)connssl->backend;
1221  CURLcode result;
1222
1223  DEBUGASSERT(backend);
1224
1225  if(connssl->state == ssl_connection_complete)
1226    /* to make us tolerant against being called more than once for the
1227       same connection */
1228    return CURLE_OK;
1229
1230  result = Curl_gtls_ctx_init(&backend->gtls, cf, data, &connssl->peer,
1231                              connssl->alpn, NULL, NULL, cf,
1232#ifdef CURL_GNUTLS_EARLY_DATA
1233                              gtls_on_session_reuse
1234#else
1235                              NULL
1236#endif
1237                              );
1238
1239  if(result)
1240    return result;
1241
1242  if(connssl->alpn && (connssl->state != ssl_connection_deferred)) {
1243    struct alpn_proto_buf proto;
1244    memset(&proto, 0, sizeof(proto));
1245    Curl_alpn_to_proto_str(&proto, connssl->alpn);
1246    infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
1247  }
1248
1249#ifdef CURL_GNUTLS_EARLY_DATA
1250  gnutls_handshake_set_hook_function(backend->gtls.session,
1251                                     GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST,
1252                                     gtls_handshake_cb);
1253#endif
1254
1255  /* register callback functions and handle to send and receive data. */
1256  gnutls_transport_set_ptr(backend->gtls.session, cf);
1257  gnutls_transport_set_push_function(backend->gtls.session, gtls_push);
1258  gnutls_transport_set_pull_function(backend->gtls.session, gtls_pull);
1259
1260  return CURLE_OK;
1261}
1262
1263static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
1264                                    gnutls_x509_crt_t cert,
1265                                    const char *pinnedpubkey)
1266{
1267  /* Scratch */
1268  size_t len1 = 0, len2 = 0;
1269  unsigned char *buff1 = NULL;
1270
1271  gnutls_pubkey_t key = NULL;
1272
1273  /* Result is returned to caller */
1274  CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
1275
1276  /* if a path was not specified, do not pin */
1277  if(!pinnedpubkey)
1278    return CURLE_OK;
1279
1280  if(!cert)
1281    return result;
1282
1283  do {
1284    int ret;
1285
1286    /* Begin Gyrations to get the public key */
1287    ret = gnutls_pubkey_init(&key);
1288    if(ret < 0)
1289      break; /* failed */
1290
1291    ret = gnutls_pubkey_import_x509(key, cert, 0);
1292    if(ret < 0)
1293      break; /* failed */
1294
1295    ret = gnutls_pubkey_export(key, GNUTLS_X509_FMT_DER, NULL, &len1);
1296    if(ret != GNUTLS_E_SHORT_MEMORY_BUFFER || len1 == 0)
1297      break; /* failed */
1298
1299    buff1 = curlx_malloc(len1);
1300    if(!buff1)
1301      break; /* failed */
1302
1303    len2 = len1;
1304
1305    ret = gnutls_pubkey_export(key, GNUTLS_X509_FMT_DER, buff1, &len2);
1306    if(ret < 0 || len1 != len2)
1307      break; /* failed */
1308
1309    /* End Gyrations */
1310
1311    /* The one good exit point */
1312    result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
1313  } while(0);
1314
1315  if(key)
1316    gnutls_pubkey_deinit(key);
1317
1318  curlx_safefree(buff1);
1319
1320  return result;
1321}
1322
1323void Curl_gtls_report_handshake(struct Curl_easy *data, struct gtls_ctx *gctx)
1324{
1325#ifdef CURLVERBOSE
1326  if(Curl_trc_is_verbose(data)) {
1327    const char *ptr;
1328    gnutls_protocol_t version = gnutls_protocol_get_version(gctx->session);
1329
1330    /* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
1331    ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(gctx->session),
1332                                       gnutls_cipher_get(gctx->session),
1333                                       gnutls_mac_get(gctx->session));
1334
1335    infof(data, "SSL connection using %s / %s",
1336          gnutls_protocol_get_name(version), ptr);
1337  }
1338#else
1339  (void)data;
1340  (void)gctx;
1341#endif
1342}
1343
1344static void gtls_msg_verify_result(struct Curl_easy *data,
1345                                   struct ssl_peer *peer,
1346                                   gnutls_x509_crt_t x509_cert,
1347                                   bool was_verified,
1348                                   bool needs_verified)
1349{
1350  char certname[65] = ""; /* limited to 64 chars by ASN.1 */
1351  size_t size = sizeof(certname);
1352  int rc;
1353
1354  rc = gnutls_x509_crt_get_dn_by_oid(x509_cert, GNUTLS_OID_X520_COMMON_NAME,
1355                                     0, /* the first and only one */
1356                                     FALSE, certname, &size);
1357  if(rc) {
1358    infof(data, "error fetching CN from cert:%s", gnutls_strerror(rc));
1359    certname[0] = 0;
1360  }
1361
1362  if(!was_verified) {
1363    if(needs_verified) {
1364      failf(data, "SSL: certificate subject name (%s) does not match "
1365            "target hostname '%s'", certname,
1366            peer->dest->user_hostname);
1367    }
1368    else
1369      infof(data, "  common name: %s (does not match '%s')",
1370            certname, peer->dest->user_hostname);
1371  }
1372  else
1373    infof(data, "  common name: %s (matched)", certname);
1374}
1375
1376static void gtls_infof_cert(struct Curl_easy *data,
1377                            gnutls_x509_crt_t x509_cert)
1378{
1379#ifdef CURLVERBOSE
1380  if(Curl_trc_is_verbose(data)) {
1381    gnutls_datum_t certfields;
1382    int rc, algo;
1383    time_t tstamp;
1384    unsigned int bits;
1385
1386    /* public key algorithm's parameters */
1387    algo = gnutls_x509_crt_get_pk_algorithm(x509_cert, &bits);
1388    infof(data, "  certificate public key: %s",
1389          gnutls_pk_algorithm_get_name((gnutls_pk_algorithm_t)algo));
1390
1391    /* version of the X.509 certificate. */
1392    infof(data, "  certificate version: #%d",
1393          gnutls_x509_crt_get_version(x509_cert));
1394
1395    rc = gnutls_x509_crt_get_dn2(x509_cert, &certfields);
1396    if(rc)
1397      infof(data, "Failed to get certificate name");
1398    else {
1399      infof(data, "  subject: %s", certfields.data);
1400
1401      tstamp = gnutls_x509_crt_get_activation_time(x509_cert);
1402      showtime(data, "start date", tstamp);
1403
1404      tstamp = gnutls_x509_crt_get_expiration_time(x509_cert);
1405      showtime(data, "expire date", tstamp);
1406
1407      gnutls_free(certfields.data);
1408    }
1409
1410    rc = gnutls_x509_crt_get_issuer_dn2(x509_cert, &certfields);
1411    if(rc)
1412      infof(data, "Failed to get certificate issuer");
1413    else {
1414      infof(data, "  issuer: %s", certfields.data);
1415
1416      gnutls_free(certfields.data);
1417    }
1418  }
1419#else
1420  (void)data;
1421  (void)x509_cert;
1422#endif
1423}
1424
1425static CURLcode gtls_verify_ocsp_status(struct Curl_easy *data,
1426                                        gnutls_session_t session)
1427{
1428  gnutls_ocsp_resp_t ocsp_resp = NULL;
1429  gnutls_datum_t status_request;
1430  gnutls_ocsp_cert_status_t status;
1431  gnutls_x509_crl_reason_t reason;
1432  CURLcode result = CURLE_OK;
1433  int rc;
1434
1435  rc = gnutls_ocsp_status_request_get(session, &status_request);
1436
1437  if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
1438    failf(data, "No OCSP response received");
1439    result = CURLE_SSL_INVALIDCERTSTATUS;
1440    goto out;
1441  }
1442  else if(rc < 0) {
1443    failf(data, "Invalid OCSP response received");
1444    result = CURLE_SSL_INVALIDCERTSTATUS;
1445    goto out;
1446  }
1447
1448  rc = gnutls_ocsp_resp_init(&ocsp_resp);
1449  if(rc < 0) {
1450    failf(data, "Failed to initialize OCSP response object");
1451    result = CURLE_SSL_INVALIDCERTSTATUS;
1452    goto out;
1453  }
1454
1455  rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
1456  if(rc < 0) {
1457    failf(data, "Invalid OCSP response received");
1458    result = CURLE_SSL_INVALIDCERTSTATUS;
1459    goto out;
1460  }
1461
1462  (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
1463                                    &status, NULL, NULL, NULL, &reason);
1464
1465  switch(status) {
1466  case GNUTLS_OCSP_CERT_GOOD:
1467    break;
1468
1469  case GNUTLS_OCSP_CERT_REVOKED: {
1470    const char *crl_reason;
1471
1472    switch(reason) {
1473    default:
1474    case GNUTLS_X509_CRLREASON_UNSPECIFIED:
1475      crl_reason = "unspecified reason";
1476      break;
1477
1478    case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
1479      crl_reason = "private key compromised";
1480      break;
1481
1482    case GNUTLS_X509_CRLREASON_CACOMPROMISE:
1483      crl_reason = "CA compromised";
1484      break;
1485
1486    case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
1487      crl_reason = "affiliation has changed";
1488      break;
1489
1490    case GNUTLS_X509_CRLREASON_SUPERSEDED:
1491      crl_reason = "certificate superseded";
1492      break;
1493
1494    case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
1495      crl_reason = "operation has ceased";
1496      break;
1497
1498    case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
1499      crl_reason = "certificate is on hold";
1500      break;
1501
1502    case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
1503      crl_reason = "will be removed from delta CRL";
1504      break;
1505
1506    case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
1507      crl_reason = "privilege withdrawn";
1508      break;
1509
1510    case GNUTLS_X509_CRLREASON_AACOMPROMISE:
1511      crl_reason = "AA compromised";
1512      break;
1513    }
1514
1515    failf(data, "Server certificate was revoked: %s", crl_reason);
1516    break;
1517  }
1518
1519  default:
1520  case GNUTLS_OCSP_CERT_UNKNOWN:
1521    failf(data, "Server certificate status is unknown");
1522    break;
1523  }
1524
1525  result = (status != GNUTLS_OCSP_CERT_GOOD) ?
1526           CURLE_SSL_INVALIDCERTSTATUS : CURLE_OK;
1527
1528out:
1529  if(ocsp_resp)
1530    gnutls_ocsp_resp_deinit(ocsp_resp);
1531  return result;
1532}
1533
1534struct gtls_cert_chain {
1535  const gnutls_datum_t *certs;
1536  unsigned int num_certs;
1537};
1538
1539#ifdef USE_APPLE_SECTRUST
1540static CURLcode gtls_chain_get_der(struct Curl_cfilter *cf,
1541                                   struct Curl_easy *data,
1542                                   void *user_data,
1543                                   size_t i,
1544                                   unsigned char **pder,
1545                                   size_t *pder_len)
1546{
1547  struct gtls_cert_chain *chain = user_data;
1548
1549  (void)cf;
1550  (void)data;
1551  *pder_len = 0;
1552  *pder = NULL;
1553
1554  if(i >= chain->num_certs)
1555    return CURLE_TOO_LARGE;
1556  *pder = chain->certs[i].data;
1557  *pder_len = (size_t)chain->certs[i].size;
1558  return CURLE_OK;
1559}
1560#endif /* USE_APPLE_SECTRUST */
1561
1562/* This function verifies the peer's certificate and returns CURLE_OK on
1563   success or an appropriate CURLcode on error. The certificate verification
1564   status bitmask (trusted, invalid etc.) is stored in
1565   ssl_config->certverifyresult as one or more gnutls_certificate_status_t
1566   enumerated elements bitwise or'd. */
1567static CURLcode gtls_verify_cert(struct Curl_easy *data,
1568                                 struct ssl_primary_config *config,
1569                                 struct ssl_config_data *ssl_config,
1570                                 gnutls_session_t session,
1571                                 struct Curl_cfilter *cf,
1572                                 struct ssl_peer *peer,
1573                                 struct gtls_cert_chain *chain)
1574{
1575  bool verified = FALSE;
1576  unsigned int verify_status = 0;
1577  long * const certverifyresult = &ssl_config->certverifyresult;
1578  int rc = gnutls_certificate_verify_peers2(session, &verify_status);
1579  if(rc < 0) {
1580    failf(data, "server cert verify failed: %d", rc);
1581    *certverifyresult = rc;
1582    return CURLE_SSL_CONNECT_ERROR;
1583  }
1584  *certverifyresult = verify_status;
1585  verified = !(verify_status & GNUTLS_CERT_INVALID);
1586  if(verified)
1587    infof(data, "  SSL certificate verified by GnuTLS");
1588
1589#ifdef USE_APPLE_SECTRUST
1590  if(!verified && ssl_config->native_ca_store) {
1591    CURLcode result =
1592      Curl_vtls_apple_verify(cf, data, peer, chain->num_certs,
1593                             gtls_chain_get_der, chain, NULL, 0);
1594    if(result && (result != CURLE_PEER_FAILED_VERIFICATION))
1595      return result; /* unexpected error */
1596    verified = !result;
1597    if(verified) {
1598      infof(data, "SSL certificate verified via Apple SecTrust.");
1599      *certverifyresult = 0;
1600    }
1601  }
1602#else
1603  (void)cf;
1604  (void)peer;
1605  (void)chain;
1606#endif
1607
1608  if(!verified) {
1609    /* verify_status is a bitmask of gnutls_certificate_status bits */
1610    const char *cause = "certificate error, no details available";
1611    if(verify_status & GNUTLS_CERT_EXPIRED)
1612      cause = "certificate has expired";
1613    else if(verify_status & GNUTLS_CERT_SIGNER_NOT_FOUND)
1614      cause = "certificate signer not trusted";
1615    else if(verify_status & GNUTLS_CERT_INSECURE_ALGORITHM)
1616      cause = "certificate uses insecure algorithm";
1617    else if(verify_status & GNUTLS_CERT_INVALID_OCSP_STATUS)
1618      cause = "attached OCSP status response is invalid";
1619    failf(data, "SSL certificate verification failed: %s. (CAfile: %s "
1620          "CRLfile: %s)", cause,
1621          config->CAfile ? config->CAfile : "none",
1622          ssl_config->primary.CRLfile ?
1623          ssl_config->primary.CRLfile : "none");
1624
1625    return CURLE_PEER_FAILED_VERIFICATION;
1626  }
1627  return CURLE_OK;
1628}
1629
1630CURLcode Curl_gtls_verifyserver(struct Curl_cfilter *cf,
1631                                struct Curl_easy *data,
1632                                gnutls_session_t session,
1633                                struct ssl_primary_config *config,
1634                                struct ssl_config_data *ssl_config,
1635                                struct ssl_peer *peer,
1636                                const char *pinned_key)
1637{
1638  struct gtls_cert_chain chain;
1639  gnutls_x509_crt_t x509_cert = NULL, x509_issuer = NULL;
1640  time_t certclock;
1641  int rc;
1642  CURLcode result = CURLE_OK;
1643  long * const certverifyresult = &ssl_config->certverifyresult;
1644
1645  (void)cf;
1646  /* This function returns the peer's raw certificate (chain) as sent by
1647     the peer. These certificates are in raw format (DER encoded for
1648     X.509). In case of a X.509 then a certificate list may be present. The
1649     first certificate in the list is the peer's certificate, following the
1650     issuer's certificate, then the issuer's issuer etc. */
1651
1652  chain.certs = gnutls_certificate_get_peers(session, &chain.num_certs);
1653  if(!chain.certs) {
1654    if(config->verifypeer ||
1655       config->verifyhost ||
1656       config->issuercert) {
1657#ifdef USE_GNUTLS_SRP
1658      if(ssl_config->primary.username && !config->verifypeer &&
1659         gnutls_cipher_get(session)) {
1660        /* no peer cert, but auth is ok if we have SRP user and cipher and no
1661           peer verify */
1662      }
1663      else {
1664#endif
1665        failf(data, "failed to get server cert");
1666        *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
1667        result = CURLE_PEER_FAILED_VERIFICATION;
1668        goto out;
1669#ifdef USE_GNUTLS_SRP
1670      }
1671#endif
1672    }
1673    infof(data, " common name: WARNING could not obtain");
1674  }
1675
1676  if(data->set.ssl.certinfo && chain.certs) {
1677    if(chain.num_certs > MAX_ALLOWED_CERT_AMOUNT) {
1678      failf(data, "%u certificates is more than allowed (%d)",
1679            chain.num_certs, MAX_ALLOWED_CERT_AMOUNT);
1680      result = CURLE_SSL_CONNECT_ERROR;
1681      goto out;
1682    }
1683    else {
1684      unsigned int i;
1685
1686      result = Curl_ssl_init_certinfo(data, (int)chain.num_certs);
1687      if(result)
1688        goto out;
1689
1690      for(i = 0; i < chain.num_certs; i++) {
1691        const char *beg = (const char *)chain.certs[i].data;
1692        const char *end = beg + chain.certs[i].size;
1693
1694        result = Curl_extract_certinfo(data, (int)i, beg, end);
1695        if(result)
1696          goto out;
1697      }
1698    }
1699  }
1700
1701  if(config->verifypeer) {
1702    result = gtls_verify_cert(data, config, ssl_config, session,
1703                              cf, peer, &chain);
1704    if(result)
1705      goto out;
1706  }
1707  else
1708    infof(data, "  SSL certificate verification SKIPPED");
1709
1710  /* initialize an X.509 certificate structure. */
1711  if(gnutls_x509_crt_init(&x509_cert)) {
1712    failf(data, "failed to init GnuTLS x509_crt");
1713    *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
1714    result = CURLE_SSL_CONNECT_ERROR;
1715    goto out;
1716  }
1717
1718  if(chain.certs) {
1719    /* convert the given DER or PEM encoded Certificate to the native
1720       gnutls_x509_crt_t format */
1721    rc = gnutls_x509_crt_import(x509_cert, chain.certs, GNUTLS_X509_FMT_DER);
1722    if(rc) {
1723      failf(data, "error parsing server's certificate chain");
1724      *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
1725      result = CURLE_SSL_CONNECT_ERROR;
1726      goto out;
1727    }
1728  }
1729
1730  /* Check for time-based validity */
1731  certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
1732
1733  if(certclock == (time_t)-1) {
1734    if(config->verifypeer) {
1735      failf(data, "server cert expiration date verify failed");
1736      *certverifyresult = GNUTLS_CERT_EXPIRED;
1737      result = CURLE_SSL_CONNECT_ERROR;
1738      goto out;
1739    }
1740    else
1741      infof(data, "  SSL certificate expiration date verify FAILED");
1742  }
1743  else {
1744    if(certclock < time(NULL)) {
1745      if(config->verifypeer) {
1746        failf(data, "server certificate expiration date has passed.");
1747        *certverifyresult = GNUTLS_CERT_EXPIRED;
1748        result = CURLE_PEER_FAILED_VERIFICATION;
1749        goto out;
1750      }
1751      else
1752        infof(data, "  SSL certificate expiration date FAILED");
1753    }
1754    else
1755      infof(data, "  SSL certificate expiration date OK");
1756  }
1757
1758  certclock = gnutls_x509_crt_get_activation_time(x509_cert);
1759
1760  if(certclock == (time_t)-1) {
1761    if(config->verifypeer) {
1762      failf(data, "server cert activation date verify failed");
1763      *certverifyresult = GNUTLS_CERT_NOT_ACTIVATED;
1764      result = CURLE_SSL_CONNECT_ERROR;
1765      goto out;
1766    }
1767    else
1768      infof(data, "  SSL certificate activation date verify FAILED");
1769  }
1770  else {
1771    if(certclock > time(NULL)) {
1772      if(config->verifypeer) {
1773        failf(data, "server certificate not activated yet.");
1774        *certverifyresult = GNUTLS_CERT_NOT_ACTIVATED;
1775        result = CURLE_PEER_FAILED_VERIFICATION;
1776        goto out;
1777      }
1778      else
1779        infof(data, "  SSL certificate activation date FAILED");
1780    }
1781    else
1782      infof(data, "  SSL certificate activation date OK");
1783  }
1784
1785  if(config->verifystatus) {
1786    result = gtls_verify_ocsp_status(data, session);
1787    if(result)
1788      goto out;
1789  }
1790  else
1791    infof(data, "  SSL certificate status verification SKIPPED");
1792
1793  if(config->issuercert) {
1794    gnutls_datum_t issuerp;
1795    if(gnutls_x509_crt_init(&x509_issuer)) {
1796      failf(data, "failed to init GnuTLS x509_crt for issuer");
1797      result = CURLE_SSL_ISSUER_ERROR;
1798      goto out;
1799    }
1800    issuerp = load_file(config->issuercert);
1801    rc = gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
1802    if(!rc)
1803      rc = (int)gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
1804    unload_file(issuerp);
1805    if(rc <= 0) {
1806      failf(data, "server certificate issuer check failed (IssuerCert: %s)",
1807            config->issuercert ? config->issuercert : "none");
1808      result = CURLE_SSL_ISSUER_ERROR;
1809      goto out;
1810    }
1811    infof(data, "  SSL certificate issuer check OK (Issuer Cert: %s)",
1812          config->issuercert ? config->issuercert : "none");
1813  }
1814
1815  /* This function checks if the given certificate's subject matches the
1816     given hostname. This is a basic implementation of the matching described
1817     in RFC2818 (HTTPS), which takes into account wildcards, and the subject
1818     alternative name PKIX extension. Returns non zero on success, and zero on
1819     failure. */
1820
1821  /* This function does not handle trailing dots, so if we have an SNI name
1822     use that and fallback to the hostname only if there is no SNI (like for
1823     IP addresses) */
1824  rc = (int)gnutls_x509_crt_check_hostname(x509_cert,
1825                                           peer->sni ? peer->sni :
1826                                           peer->dest->hostname);
1827  result = (!rc && config->verifyhost) ?
1828    CURLE_PEER_FAILED_VERIFICATION : CURLE_OK;
1829  gtls_msg_verify_result(data, peer, x509_cert, rc, config->verifyhost);
1830  if(result)
1831    goto out;
1832
1833  if(pinned_key) {
1834    result = pkp_pin_peer_pubkey(data, x509_cert, pinned_key);
1835    if(result != CURLE_OK) {
1836      failf(data, "SSL: public key does not match pinned public key");
1837      goto out;
1838    }
1839  }
1840
1841  gtls_infof_cert(data, x509_cert);
1842
1843out:
1844  if(x509_issuer)
1845    gnutls_x509_crt_deinit(x509_issuer);
1846  if(x509_cert)
1847    gnutls_x509_crt_deinit(x509_cert);
1848  return result;
1849}
1850
1851static CURLcode gtls_verifyserver(struct Curl_cfilter *cf,
1852                                  struct Curl_easy *data,
1853                                  gnutls_session_t session)
1854{
1855  struct ssl_connect_data *connssl = cf->ctx;
1856  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
1857  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
1858#ifndef CURL_DISABLE_PROXY
1859  const char *pinned_key = Curl_ssl_cf_is_proxy(cf) ?
1860    data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
1861    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
1862#else
1863  const char *pinned_key = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
1864#endif
1865  CURLcode result;
1866
1867  result = Curl_gtls_verifyserver(cf, data, session, conn_config, ssl_config,
1868                                  &connssl->peer, pinned_key);
1869  if(result)
1870    goto out;
1871
1872#ifdef CURL_GNUTLS_EARLY_DATA
1873  /* Only on TLSv1.2 or lower do we have the session id now. For
1874   * TLSv1.3 we get it via a SESSION_TICKET message that arrives later. */
1875  if(gnutls_protocol_get_version(session) < GNUTLS_TLS1_3)
1876    result = cf_gtls_update_session_id(cf, data, session);
1877#endif
1878
1879out:
1880  return result;
1881}
1882
1883#ifdef CURL_GNUTLS_EARLY_DATA
1884static CURLcode gtls_send_earlydata(struct Curl_cfilter *cf,
1885                                    struct Curl_easy *data)
1886{
1887  struct ssl_connect_data *connssl = cf->ctx;
1888  struct gtls_ssl_backend_data *backend =
1889    (struct gtls_ssl_backend_data *)connssl->backend;
1890  CURLcode result = CURLE_OK;
1891  const unsigned char *buf;
1892  size_t blen;
1893  ssize_t n;
1894
1895  DEBUGASSERT(connssl->earlydata_state == ssl_earlydata_sending);
1896  backend->gtls.io_result = CURLE_OK;
1897  while(Curl_bufq_peek(&connssl->earlydata, &buf, &blen)) {
1898    n = gnutls_record_send_early_data(backend->gtls.session, buf, blen);
1899    CURL_TRC_CF(data, cf, "gtls_send_earlydata(len=%zu) -> %zd", blen, n);
1900    if(n < 0) {
1901      if(n == GNUTLS_E_AGAIN)
1902        result = CURLE_AGAIN;
1903      else
1904        result = backend->gtls.io_result ?
1905                 backend->gtls.io_result : CURLE_SEND_ERROR;
1906      goto out;
1907    }
1908    else if(!n) {
1909      /* GnuTLS is buggy, it *SHOULD* return the amount of bytes it took in.
1910       * Instead it returns 0 if everything was written. */
1911      n = (ssize_t)blen;
1912    }
1913
1914    Curl_bufq_skip(&connssl->earlydata, (size_t)n);
1915  }
1916  /* sent everything there was */
1917  infof(data, "SSL sending %zu bytes of early data", connssl->earlydata_skip);
1918out:
1919  return result;
1920}
1921#endif
1922
1923/*
1924 * This function is called after the TCP connect has completed. Setup the TLS
1925 * layer and do all necessary magic.
1926 */
1927/* We use connssl->connecting_state to keep track of the connection status;
1928   there are three states: 'ssl_connect_1' (not started yet or complete),
1929   'ssl_connect_2' (doing handshake with the server), and
1930   'ssl_connect_3' (verifying and getting stats).
1931 */
1932static CURLcode gtls_connect_common(struct Curl_cfilter *cf,
1933                                    struct Curl_easy *data,
1934                                    bool *done)
1935{
1936  struct ssl_connect_data *connssl = cf->ctx;
1937  struct gtls_ssl_backend_data *backend =
1938    (struct gtls_ssl_backend_data *)connssl->backend;
1939  CURLcode result = CURLE_OK;
1940
1941  DEBUGASSERT(backend);
1942  /* check if the connection has already been established */
1943  if(ssl_connection_complete == connssl->state) {
1944    *done = TRUE;
1945    return CURLE_OK;
1946  }
1947
1948  *done = FALSE;
1949
1950  /* Initiate the connection, if not already done */
1951  if(connssl->connecting_state == ssl_connect_1) {
1952    result = gtls_connect_step1(cf, data);
1953    if(result)
1954      goto out;
1955    connssl->connecting_state = ssl_connect_2;
1956  }
1957
1958  if(connssl->connecting_state == ssl_connect_2) {
1959#ifdef CURL_GNUTLS_EARLY_DATA
1960    if(connssl->earlydata_state == ssl_earlydata_await) {
1961      goto out;
1962    }
1963    else if(connssl->earlydata_state == ssl_earlydata_sending) {
1964      result = gtls_send_earlydata(cf, data);
1965      if(result)
1966        goto out;
1967      connssl->earlydata_state = ssl_earlydata_sent;
1968    }
1969    DEBUGASSERT((connssl->earlydata_state == ssl_earlydata_none) ||
1970                (connssl->earlydata_state == ssl_earlydata_sent));
1971#endif
1972    result = cf_gtls_handshake(cf, data);
1973    if(result)
1974      goto out;
1975    connssl->connecting_state = ssl_connect_3;
1976  }
1977
1978  /* Finish connecting once the handshake is done */
1979  if(connssl->connecting_state == ssl_connect_3) {
1980    gnutls_datum_t proto;
1981    int rc;
1982
1983    Curl_gtls_report_handshake(data, &backend->gtls);
1984
1985    result = gtls_verifyserver(cf, data, backend->gtls.session);
1986    if(result)
1987      goto out;
1988
1989    connssl->state = ssl_connection_complete;
1990
1991    rc = gnutls_alpn_get_selected_protocol(backend->gtls.session, &proto);
1992    if(rc) {  /* No ALPN from server */
1993      proto.data = NULL;
1994      proto.size = 0;
1995    }
1996
1997    result = Curl_alpn_set_negotiated(cf, data, connssl,
1998                                      proto.data, proto.size);
1999    if(result)
2000      goto out;
2001
2002#ifdef CURL_GNUTLS_EARLY_DATA
2003    if(connssl->earlydata_state > ssl_earlydata_none) {
2004      /* We should be in this state by now */
2005      DEBUGASSERT(connssl->earlydata_state == ssl_earlydata_sent);
2006      connssl->earlydata_state =
2007        (gnutls_session_get_flags(backend->gtls.session) &
2008         GNUTLS_SFLAGS_EARLY_DATA) ?
2009        ssl_earlydata_accepted : ssl_earlydata_rejected;
2010    }
2011#endif
2012    connssl->connecting_state = ssl_connect_done;
2013  }
2014
2015  if(connssl->connecting_state == ssl_connect_done)
2016    DEBUGASSERT(connssl->state == ssl_connection_complete);
2017
2018out:
2019  if(result == CURLE_AGAIN) {
2020    *done = FALSE;
2021    return CURLE_OK;
2022  }
2023  *done = ((connssl->state == ssl_connection_complete) ||
2024           (connssl->state == ssl_connection_deferred));
2025  CURL_TRC_CF(data, cf, "gtls_connect_common() -> %d, done=%d", result, *done);
2026  return result;
2027}
2028
2029static CURLcode gtls_connect(struct Curl_cfilter *cf,
2030                             struct Curl_easy *data,
2031                             bool *done)
2032{
2033#ifdef CURL_GNUTLS_EARLY_DATA
2034  struct ssl_connect_data *connssl = cf->ctx;
2035  if((connssl->state == ssl_connection_deferred) &&
2036     (connssl->earlydata_state == ssl_earlydata_await)) {
2037    /* We refuse to be pushed, we are waiting for someone to send/recv. */
2038    *done = TRUE;
2039    return CURLE_OK;
2040  }
2041#endif
2042  return gtls_connect_common(cf, data, done);
2043}
2044
2045static bool gtls_data_pending(struct Curl_cfilter *cf,
2046                              const struct Curl_easy *data)
2047{
2048  struct ssl_connect_data *ctx = cf->ctx;
2049  struct gtls_ssl_backend_data *backend;
2050
2051  (void)data;
2052  DEBUGASSERT(ctx && ctx->backend);
2053  backend = (struct gtls_ssl_backend_data *)ctx->backend;
2054  if(backend->gtls.session &&
2055     gnutls_record_check_pending(backend->gtls.session) != 0)
2056    return TRUE;
2057  return FALSE;
2058}
2059
2060static CURLcode gtls_send(struct Curl_cfilter *cf,
2061                          struct Curl_easy *data,
2062                          const void *buf,
2063                          size_t blen,
2064                          size_t *pnwritten)
2065{
2066  struct ssl_connect_data *connssl = cf->ctx;
2067  struct gtls_ssl_backend_data *backend =
2068    (struct gtls_ssl_backend_data *)connssl->backend;
2069  CURLcode result = CURLE_OK;
2070  ssize_t nwritten;
2071  size_t remain = blen;
2072
2073  DEBUGASSERT(backend);
2074  *pnwritten = 0;
2075
2076  while(remain) {
2077    backend->gtls.io_result = CURLE_OK;
2078    nwritten = gnutls_record_send(backend->gtls.session, buf, remain);
2079
2080    if(nwritten >= 0) {
2081      *pnwritten += (size_t)nwritten;
2082      DEBUGASSERT((size_t)nwritten <= remain);
2083      buf = (char *)CURL_UNCONST(buf) + (size_t)nwritten;
2084      remain -= (size_t)nwritten;
2085    }
2086    else {
2087      if(*pnwritten && (nwritten == GNUTLS_E_AGAIN)) {
2088        result = CURLE_OK;
2089        goto out;
2090      }
2091      result = (nwritten == GNUTLS_E_AGAIN) ?
2092        CURLE_AGAIN :
2093        (backend->gtls.io_result ? backend->gtls.io_result : CURLE_SEND_ERROR);
2094      goto out;
2095    }
2096  }
2097
2098out:
2099  CURL_TRC_CF(data, cf, "gtls_send(len=%zu) -> %d, %zu",
2100              blen, result, *pnwritten);
2101  return result;
2102}
2103
2104/*
2105 * This function is called to shut down the SSL layer but keep the
2106 * socket open (CCC - Clear Command Channel)
2107 */
2108static CURLcode gtls_shutdown(struct Curl_cfilter *cf,
2109                              struct Curl_easy *data,
2110                              bool send_shutdown, bool *done)
2111{
2112  struct ssl_connect_data *connssl = cf->ctx;
2113  struct gtls_ssl_backend_data *backend =
2114    (struct gtls_ssl_backend_data *)connssl->backend;
2115  char buf[1024];
2116  CURLcode result = CURLE_OK;
2117  ssize_t nread = 0;
2118  size_t i;
2119
2120  DEBUGASSERT(backend);
2121  /* If we have no handshaked connection or already shut down */
2122  if(!backend->gtls.session || cf->shutdown ||
2123     connssl->state != ssl_connection_complete) {
2124    *done = TRUE;
2125    goto out;
2126  }
2127
2128  connssl->io_need = CURL_SSL_IO_NEED_NONE;
2129  *done = FALSE;
2130
2131  if(!backend->gtls.sent_shutdown) {
2132    /* do this only once */
2133    backend->gtls.sent_shutdown = TRUE;
2134    if(send_shutdown) {
2135      int ret = gnutls_bye(backend->gtls.session, GNUTLS_SHUT_RDWR);
2136      if((ret == GNUTLS_E_AGAIN) || (ret == GNUTLS_E_INTERRUPTED)) {
2137        CURL_TRC_CF(data, cf, "SSL shutdown, gnutls_bye EAGAIN");
2138        connssl->io_need = gnutls_record_get_direction(backend->gtls.session) ?
2139          CURL_SSL_IO_NEED_SEND : CURL_SSL_IO_NEED_RECV;
2140        backend->gtls.sent_shutdown = FALSE;
2141        result = CURLE_OK;
2142        goto out;
2143      }
2144      if(ret != GNUTLS_E_SUCCESS) {
2145        CURL_TRC_CF(data, cf, "SSL shutdown, gnutls_bye error: '%s'(%d)",
2146                    gnutls_strerror((int)ret), (int)ret);
2147        result = CURLE_RECV_ERROR;
2148        goto out;
2149      }
2150    }
2151  }
2152
2153  /* SSL should now have started the shutdown from our side. Since it
2154   * was not complete, we are lacking the close notify from the server. */
2155  for(i = 0; i < 10; ++i) {
2156    nread = gnutls_record_recv(backend->gtls.session, buf, sizeof(buf));
2157    if(nread <= 0)
2158      break;
2159  }
2160  if(nread > 0) {
2161    /* still data coming in? */
2162  }
2163  else if(nread == 0) {
2164    /* We got the close notify alert and are done. */
2165    *done = TRUE;
2166  }
2167  else if((nread == GNUTLS_E_AGAIN) || (nread == GNUTLS_E_INTERRUPTED)) {
2168    connssl->io_need = gnutls_record_get_direction(backend->gtls.session) ?
2169      CURL_SSL_IO_NEED_SEND : CURL_SSL_IO_NEED_RECV;
2170  }
2171  else {
2172    CURL_TRC_CF(data, cf, "SSL shutdown, error: '%s'(%d)",
2173                gnutls_strerror((int)nread), (int)nread);
2174    result = CURLE_RECV_ERROR;
2175  }
2176
2177out:
2178  cf->shutdown = (result || *done);
2179  return result;
2180}
2181
2182static void gtls_close(struct Curl_cfilter *cf,
2183                       struct Curl_easy *data)
2184{
2185  struct ssl_connect_data *connssl = cf->ctx;
2186  struct gtls_ssl_backend_data *backend =
2187    (struct gtls_ssl_backend_data *)connssl->backend;
2188
2189  DEBUGASSERT(backend);
2190  CURL_TRC_CF(data, cf, "close");
2191  if(backend->gtls.session) {
2192    gnutls_deinit(backend->gtls.session);
2193    backend->gtls.session = NULL;
2194  }
2195  if(backend->gtls.shared_creds) {
2196    Curl_gtls_shared_creds_free(&backend->gtls.shared_creds);
2197  }
2198#ifdef USE_GNUTLS_SRP
2199  if(backend->gtls.srp_client_cred) {
2200    gnutls_srp_free_client_credentials(backend->gtls.srp_client_cred);
2201    backend->gtls.srp_client_cred = NULL;
2202  }
2203#endif
2204}
2205
2206static CURLcode gtls_recv(struct Curl_cfilter *cf,
2207                          struct Curl_easy *data,
2208                          char *buf, size_t blen,
2209                          size_t *pnread)
2210{
2211  struct ssl_connect_data *connssl = cf->ctx;
2212  struct gtls_ssl_backend_data *backend =
2213    (struct gtls_ssl_backend_data *)connssl->backend;
2214  CURLcode result = CURLE_OK;
2215  ssize_t nread;
2216
2217  DEBUGASSERT(backend);
2218
2219  nread = gnutls_record_recv(backend->gtls.session, buf, blen);
2220
2221  if(nread >= 0)
2222    *pnread = (size_t)nread;
2223  else {
2224    if((nread == GNUTLS_E_AGAIN) || (nread == GNUTLS_E_INTERRUPTED)) {
2225      result = CURLE_AGAIN;
2226      goto out;
2227    }
2228    else if(nread == GNUTLS_E_REHANDSHAKE) {
2229      /* Either TLSv1.2 renegotiate or a TLSv1.3 session key update. */
2230      result = cf_gtls_handshake(cf, data);
2231      if(!result)
2232        result = CURLE_AGAIN; /* make us get called again. */
2233      goto out;
2234    }
2235    else {
2236      failf(data, "GnuTLS recv error (%d): %s",
2237            (int)nread, gnutls_strerror((int)nread));
2238      result = backend->gtls.io_result ?
2239        backend->gtls.io_result : CURLE_RECV_ERROR;
2240      goto out;
2241    }
2242  }
2243
2244out:
2245  CURL_TRC_CF(data, cf, "gtls_recv(len=%zu) -> 0, %zd", blen, nread);
2246  return result;
2247}
2248
2249size_t Curl_gtls_version(char *buffer, size_t size)
2250{
2251  return curl_msnprintf(buffer, size, "GnuTLS/%s", gnutls_check_version(NULL));
2252}
2253
2254/* data might be NULL! */
2255static CURLcode gtls_random(struct Curl_easy *data,
2256                            unsigned char *entropy, size_t length)
2257{
2258  int rc;
2259  (void)data;
2260  rc = gnutls_rnd(GNUTLS_RND_RANDOM, entropy, length);
2261  return rc ? CURLE_FAILED_INIT : CURLE_OK;
2262}
2263
2264static CURLcode gtls_sha256sum(const unsigned char *tmp, /* input */
2265                               size_t tmplen,
2266                               unsigned char *sha256sum, /* output */
2267                               size_t sha256len)
2268{
2269  struct sha256_ctx SHA256pw;
2270  sha256_init(&SHA256pw);
2271  sha256_update(&SHA256pw, (unsigned int)tmplen, tmp);
2272#if NETTLE_VERSION_MAJOR >= 4
2273  (void)sha256len;
2274  sha256_digest(&SHA256pw, sha256sum);
2275#else
2276  sha256_digest(&SHA256pw, (unsigned int)sha256len, sha256sum);
2277#endif
2278  return CURLE_OK;
2279}
2280
2281static bool gtls_cert_status_request(void)
2282{
2283  return TRUE;
2284}
2285
2286static void *gtls_get_internals(struct ssl_connect_data *connssl,
2287                                CURLINFO info)
2288{
2289  struct gtls_ssl_backend_data *backend =
2290    (struct gtls_ssl_backend_data *)connssl->backend;
2291  (void)info;
2292  DEBUGASSERT(backend);
2293  return backend->gtls.session;
2294}
2295
2296const struct Curl_ssl Curl_ssl_gnutls = {
2297  { CURLSSLBACKEND_GNUTLS, "gnutls" }, /* info */
2298
2299  SSLSUPP_CA_PATH  |
2300  SSLSUPP_CERTINFO |
2301  SSLSUPP_PINNEDPUBKEY |
2302  SSLSUPP_HTTPS_PROXY |
2303  SSLSUPP_CAINFO_BLOB |
2304  SSLSUPP_CIPHER_LIST |
2305  SSLSUPP_CA_CACHE |
2306  SSLSUPP_ISSUERCERT |
2307  SSLSUPP_CRLFILE,
2308
2309  sizeof(struct gtls_ssl_backend_data),
2310
2311  gtls_init,                     /* init */
2312  gtls_cleanup,                  /* cleanup */
2313  Curl_gtls_version,             /* version */
2314  gtls_shutdown,                 /* shutdown */
2315  gtls_data_pending,             /* data_pending */
2316  gtls_random,                   /* random */
2317  gtls_cert_status_request,      /* cert_status_request */
2318  gtls_connect,                  /* connect */
2319  Curl_ssl_adjust_pollset,       /* adjust_pollset */
2320  gtls_get_internals,            /* get_internals */
2321  gtls_close,                    /* close_one */
2322  NULL,                          /* close_all */
2323  NULL,                          /* set_engine */
2324  NULL,                          /* set_engine_default */
2325  NULL,                          /* engines_list */
2326  gtls_sha256sum,                /* sha256sum */
2327  gtls_recv,                     /* recv decrypted data */
2328  gtls_send,                     /* send data to encrypt */
2329  NULL,                          /* get_channel_binding */
2330};
2331
2332#endif /* USE_GNUTLS */