luna - curl/lib/vtls/openssl.c

   1/***************************************************************************
   2 *                                  _   _ ____  _
   3 *  Project                     ___| | | |  _ \| |
   4 *                             / __| | | | |_) | |
   5 *                            | (__| |_| |  _ <| |___
   6 *                             \___|\___/|_| \_\_____|
   7 *
   8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
   9 *
  10 * This software is licensed as described in the file COPYING, which
  11 * you should have received as part of this distribution. The terms
  12 * are also available at https://curl.se/docs/copyright.html.
  13 *
  14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15 * copies of the Software, and permit persons to whom the Software is
  16 * furnished to do so, under the terms of the COPYING file.
  17 *
  18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19 * KIND, either express or implied.
  20 *
  21 * SPDX-License-Identifier: curl
  22 *
  23 ***************************************************************************/
  24/*
  25 * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
  26 * but vtls.c should ever call or use these functions.
  27 */
  28#include "curl_setup.h"
  29
  30#ifdef USE_OPENSSL
  31
  32#include "urldata.h"
  33#include "curl_trc.h"
  34#include "httpsrr.h"
  35#include "formdata.h" /* for the boundary function */
  36#include "url.h" /* for the ssl config check function */
  37#include "curlx/inet_pton.h"
  38#include "vtls/openssl.h"
  39#include "connect.h"
  40#include "cf-dns.h"
  41#include "progress.h"
  42#include "vtls/vtls.h"
  43#include "vtls/vtls_int.h"
  44#include "vtls/vtls_scache.h"
  45#include "vauth/vauth.h"
  46#include "vtls/keylog.h"
  47#include "vtls/hostcheck.h"
  48#include "transfer.h"
  49#include "multiif.h"
  50#include "curlx/strerr.h"
  51#include "curlx/strparse.h"
  52#include "curlx/strcopy.h"
  53#include "curlx/strdup.h"
  54#include "vtls/apple.h"
  55#ifdef USE_ECH
  56#include "curlx/base64.h"
  57#endif
  58
  59#include <openssl/rand.h>
  60#include <openssl/x509v3.h>
  61#ifndef OPENSSL_NO_DSA
  62#include <openssl/dsa.h>
  63#endif
  64#include <openssl/dh.h>
  65#include <openssl/err.h>
  66#include <openssl/conf.h>
  67#include <openssl/bn.h>
  68#include <openssl/rsa.h>
  69#include <openssl/bio.h>
  70#include <openssl/pkcs12.h>
  71#include <openssl/tls1.h>
  72#include <openssl/evp.h>
  73
  74#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST) && !defined(HAVE_BORINGSSL_LIKE)
  75#include <openssl/ech.h>
  76#endif
  77
  78#ifndef OPENSSL_NO_OCSP
  79#include <openssl/ocsp.h>
  80#endif
  81
  82#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE)
  83#define USE_OPENSSL_ENGINE
  84#include <openssl/engine.h>
  85#endif
  86
  87#ifdef LIBRESSL_VERSION_NUMBER
  88/* As of LibreSSL 2.0.0-4.0.0: OPENSSL_VERSION_NUMBER == 0x20000000L */
  89#  if LIBRESSL_VERSION_NUMBER < 0x2090100fL /* 2019-04-13 */
  90#    error "LibreSSL 2.9.1 or later required"
  91#  endif
  92#elif !defined(HAVE_BORINGSSL_LIKE)
  93#  ifndef HAVE_OPENSSL3 /* 2021-09-07 */
  94#    error "OpenSSL 3.0.0 or later required"
  95#  endif
  96#endif
  97
  98#if defined(HAVE_OPENSSL3) && !defined(OPENSSL_NO_UI_CONSOLE)
  99#include <openssl/provider.h>
 100#include <openssl/store.h>
 101/* this is used in the following conditions to make them easier to read */
 102#define OPENSSL_HAS_PROVIDERS
 103#endif
 104
 105/* AWS-LC fixed a bug with large buffers in v1.61.0 which also introduced
 106 * X509_V_ERR_EC_KEY_EXPLICIT_PARAMS. */
 107#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) && \
 108  (!defined(OPENSSL_IS_AWSLC) || defined(X509_V_ERR_EC_KEY_EXPLICIT_PARAMS))
 109#define HAVE_SSL_CTX_SET_DEFAULT_READ_BUFFER_LEN 1
 110#endif
 111
 112#if defined(USE_OPENSSL_ENGINE) || defined(OPENSSL_HAS_PROVIDERS)
 113#include <openssl/ui.h>
 114#endif
 115
 116#ifdef HAVE_OPENSSL3
 117#define HAVE_EVP_PKEY_GET_PARAMS 1
 118#endif
 119
 120#ifdef HAVE_EVP_PKEY_GET_PARAMS
 121#include <openssl/core_names.h>
 122#define DECLARE_PKEY_PARAM_BIGNUM(name) BIGNUM *name = NULL
 123#define FREE_PKEY_PARAM_BIGNUM(name) BN_clear_free(name)
 124#else
 125#define DECLARE_PKEY_PARAM_BIGNUM(name) const BIGNUM *name
 126#define FREE_PKEY_PARAM_BIGNUM(name)
 127#endif
 128
 129/* Whether SSL_CTX_set_ciphersuites is available.
 130 * BoringSSL: no
 131 * LibreSSL: supported since 3.4.1 (released 2021-10-14)
 132 * OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
 133 */
 134#if (!defined(LIBRESSL_VERSION_NUMBER) || \
 135     (defined(LIBRESSL_VERSION_NUMBER) && \
 136      LIBRESSL_VERSION_NUMBER >= 0x3040100fL)) && \
 137    !defined(OPENSSL_IS_BORINGSSL)
 138#  define HAVE_SSL_CTX_SET_CIPHERSUITES
 139#  ifndef OPENSSL_IS_AWSLC
 140#    define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
 141#  endif
 142#endif
 143
 144/* Whether SSL_CTX_set1_sigalgs_list is available
 145 * BoringSSL: supported since 0.20240913.0 (commit 826ce15)
 146 * LibreSSL: no
 147 * OpenSSL: supported since 1.0.2 (commit 0b362de5f575)
 148 */
 149#ifndef LIBRESSL_VERSION_NUMBER
 150#define HAVE_SSL_CTX_SET1_SIGALGS
 151#endif
 152
 153#ifdef LIBRESSL_VERSION_NUMBER
 154#define OSSL_PACKAGE "LibreSSL"
 155#elif defined(OPENSSL_IS_AWSLC)
 156#define OSSL_PACKAGE "AWS-LC"
 157#elif defined(OPENSSL_IS_BORINGSSL)
 158#define OSSL_PACKAGE "BoringSSL"
 159#elif defined(USE_NGTCP2) && defined(USE_NGHTTP3) && \
 160  !defined(OPENSSL_QUIC_API2)
 161#define OSSL_PACKAGE "quictls"
 162#else
 163#define OSSL_PACKAGE "OpenSSL"
 164#endif
 165
 166#ifdef HAVE_BORINGSSL_LIKE
 167typedef size_t numcert_t;
 168typedef uint32_t sslerr_t;
 169#else
 170typedef int numcert_t;
 171typedef unsigned long sslerr_t;
 172#endif
 173#define ossl_valsize_t numcert_t
 174
 175static CURLcode push_certinfo(struct Curl_easy *data,
 176                              BIO *mem, const char *label, int num)
 177  WARN_UNUSED_RESULT;
 178
 179static CURLcode push_certinfo(struct Curl_easy *data,
 180                              BIO *mem, const char *label, int num)
 181{
 182  char *ptr;
 183  long len = BIO_get_mem_data(mem, &ptr);
 184  CURLcode result = Curl_ssl_push_certinfo_len(data, num, label, ptr, len);
 185  (void)BIO_reset(mem);
 186  return result;
 187}
 188
 189static CURLcode pubkey_show(struct Curl_easy *data,
 190                            BIO *mem,
 191                            int num,
 192                            const char *type,
 193                            const char *name,
 194                            const BIGNUM *bn) WARN_UNUSED_RESULT;
 195
 196static CURLcode pubkey_show(struct Curl_easy *data,
 197                            BIO *mem,
 198                            int num,
 199                            const char *type,
 200                            const char *name,
 201                            const BIGNUM *bn)
 202{
 203  char namebuf[32];
 204
 205  curl_msnprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
 206
 207  if(bn)
 208    BN_print(mem, bn);
 209  return push_certinfo(data, mem, namebuf, num);
 210}
 211
 212#define print_pubkey_BN(_type, _name, _num)           \
 213  pubkey_show(data, mem, _num, #_type, #_name, _name)
 214
 215static int asn1_object_dump(const ASN1_OBJECT *a, char *buf, size_t len)
 216{
 217  int i = i2t_ASN1_OBJECT(buf, (int)len, a);
 218  return (i >= (int)len);  /* buffer too small */
 219}
 220
 221static CURLcode X509V3_ext(struct Curl_easy *data,
 222                           int certnum,
 223                           const STACK_OF(X509_EXTENSION) *extsarg)
 224{
 225  int i;
 226  CURLcode result = CURLE_OK;
 227#ifdef LIBRESSL_VERSION_NUMBER
 228  STACK_OF(X509_EXTENSION) *exts = CURL_UNCONST(extsarg);
 229#else
 230  const STACK_OF(X509_EXTENSION) *exts = extsarg;
 231#endif
 232
 233  if((int)sk_X509_EXTENSION_num(exts) <= 0)
 234    /* no extensions, bail out */
 235    return result;
 236
 237  for(i = 0; i < (int)sk_X509_EXTENSION_num(exts); i++) {
 238    const ASN1_OBJECT *obj;
 239    X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, (ossl_valsize_t)i);
 240    BUF_MEM *biomem;
 241    char namebuf[128];
 242    BIO *bio_out = BIO_new(BIO_s_mem());
 243
 244    if(!bio_out)
 245      return result;
 246
 247    obj = X509_EXTENSION_get_object(ext);
 248
 249    if(asn1_object_dump(obj, namebuf, sizeof(namebuf)))
 250      /* make sure the name is null-terminated */
 251      namebuf[sizeof(namebuf) - 1] = 0;
 252
 253    if(!X509V3_EXT_print(bio_out, ext, 0, 0))
 254      ASN1_STRING_print(bio_out,
 255                        (const ASN1_STRING *)X509_EXTENSION_get_data(ext));
 256
 257    BIO_get_mem_ptr(bio_out, &biomem);
 258    result = Curl_ssl_push_certinfo_len(data, certnum, namebuf, biomem->data,
 259                                        biomem->length);
 260    BIO_free(bio_out);
 261    if(result)
 262      break;
 263  }
 264  return result;
 265}
 266
 267static CURLcode get_pkey_rsa(struct Curl_easy *data,
 268                             EVP_PKEY *pubkey, BIO *mem, int i)
 269{
 270  CURLcode result = CURLE_OK;
 271#ifndef HAVE_EVP_PKEY_GET_PARAMS
 272  RSA *rsa = EVP_PKEY_get0_RSA(pubkey);
 273#endif /* !HAVE_EVP_PKEY_GET_PARAMS */
 274  DECLARE_PKEY_PARAM_BIGNUM(n);
 275  DECLARE_PKEY_PARAM_BIGNUM(e);
 276#ifdef HAVE_EVP_PKEY_GET_PARAMS
 277  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_N, &n);
 278  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_E, &e);
 279#else
 280  RSA_get0_key(rsa, &n, &e, NULL);
 281#endif /* HAVE_EVP_PKEY_GET_PARAMS */
 282  BIO_printf(mem, "%d", (int)(n ? BN_num_bits(n) : 0));
 283  result = push_certinfo(data, mem, "RSA Public Key", i);
 284  if(!result) {
 285    result = print_pubkey_BN(rsa, n, i);
 286    if(!result)
 287      result = print_pubkey_BN(rsa, e, i);
 288  }
 289  FREE_PKEY_PARAM_BIGNUM(n);
 290  FREE_PKEY_PARAM_BIGNUM(e);
 291  return result;
 292}
 293
 294#ifndef OPENSSL_NO_DSA
 295static CURLcode get_pkey_dsa(struct Curl_easy *data,
 296                             EVP_PKEY *pubkey, BIO *mem, int i)
 297{
 298  CURLcode result = CURLE_OK;
 299#ifndef HAVE_EVP_PKEY_GET_PARAMS
 300  DSA *dsa = EVP_PKEY_get0_DSA(pubkey);
 301#endif /* !HAVE_EVP_PKEY_GET_PARAMS */
 302  DECLARE_PKEY_PARAM_BIGNUM(p);
 303  DECLARE_PKEY_PARAM_BIGNUM(q);
 304  DECLARE_PKEY_PARAM_BIGNUM(g);
 305  DECLARE_PKEY_PARAM_BIGNUM(pub_key);
 306#ifdef HAVE_EVP_PKEY_GET_PARAMS
 307  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p);
 308  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q);
 309  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g);
 310  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
 311#else
 312  DSA_get0_pqg(dsa, &p, &q, &g);
 313  DSA_get0_key(dsa, &pub_key, NULL);
 314#endif /* HAVE_EVP_PKEY_GET_PARAMS */
 315  result = print_pubkey_BN(dsa, p, i);
 316  if(!result)
 317    result = print_pubkey_BN(dsa, q, i);
 318  if(!result)
 319    result = print_pubkey_BN(dsa, g, i);
 320  if(!result)
 321    result = print_pubkey_BN(dsa, pub_key, i);
 322  FREE_PKEY_PARAM_BIGNUM(p);
 323  FREE_PKEY_PARAM_BIGNUM(q);
 324  FREE_PKEY_PARAM_BIGNUM(g);
 325  FREE_PKEY_PARAM_BIGNUM(pub_key);
 326  return result;
 327}
 328#endif /* !OPENSSL_NO_DSA */
 329
 330static CURLcode get_pkey_dh(struct Curl_easy *data,
 331                            EVP_PKEY *pubkey, BIO *mem, int i)
 332{
 333  CURLcode result;
 334#ifndef HAVE_EVP_PKEY_GET_PARAMS
 335  DH *dh = EVP_PKEY_get0_DH(pubkey);
 336#endif /* !HAVE_EVP_PKEY_GET_PARAMS */
 337  DECLARE_PKEY_PARAM_BIGNUM(p);
 338  DECLARE_PKEY_PARAM_BIGNUM(q);
 339  DECLARE_PKEY_PARAM_BIGNUM(g);
 340  DECLARE_PKEY_PARAM_BIGNUM(pub_key);
 341#ifdef HAVE_EVP_PKEY_GET_PARAMS
 342  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p);
 343  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q);
 344  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g);
 345  EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
 346#else
 347  DH_get0_pqg(dh, &p, &q, &g);
 348  DH_get0_key(dh, &pub_key, NULL);
 349#endif /* HAVE_EVP_PKEY_GET_PARAMS */
 350  result = print_pubkey_BN(dh, p, i);
 351  if(!result)
 352    result = print_pubkey_BN(dh, q, i);
 353  if(!result)
 354    result = print_pubkey_BN(dh, g, i);
 355  if(!result)
 356    result = print_pubkey_BN(dh, pub_key, i);
 357  FREE_PKEY_PARAM_BIGNUM(p);
 358  FREE_PKEY_PARAM_BIGNUM(q);
 359  FREE_PKEY_PARAM_BIGNUM(g);
 360  FREE_PKEY_PARAM_BIGNUM(pub_key);
 361  return result;
 362}
 363
 364#ifdef HAVE_OPENSSL3
 365/* from OpenSSL commit fc756e594ed5a27af378 */
 366typedef const X509_PUBKEY pubkeytype_t;
 367#else
 368typedef X509_PUBKEY pubkeytype_t;
 369#endif
 370
 371static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
 372{
 373  CURLcode result;
 374  STACK_OF(X509) *sk;
 375  int i;
 376  numcert_t numcerts;
 377  BIO *mem;
 378
 379  DEBUGASSERT(ssl);
 380
 381  sk = SSL_get_peer_cert_chain(ssl);
 382  if(!sk)
 383    return CURLE_SSL_CONNECT_ERROR;
 384
 385  numcerts = sk_X509_num(sk);
 386  if(numcerts > MAX_ALLOWED_CERT_AMOUNT) {
 387    failf(data, "%d certificates is more than allowed (%d)", (int)numcerts,
 388          MAX_ALLOWED_CERT_AMOUNT);
 389    return CURLE_SSL_CONNECT_ERROR;
 390  }
 391
 392  result = Curl_ssl_init_certinfo(data, (int)numcerts);
 393  if(result)
 394    return result;
 395
 396  mem = BIO_new(BIO_s_mem());
 397  if(!mem)
 398    result = CURLE_OUT_OF_MEMORY;
 399
 400  for(i = 0; !result && (i < (int)numcerts); i++) {
 401    ASN1_INTEGER *num;
 402    const unsigned char *numdata;
 403    X509 *x = sk_X509_value(sk, (ossl_valsize_t)i);
 404    EVP_PKEY *pubkey = NULL;
 405    int j;
 406    const ASN1_BIT_STRING *psig = NULL;
 407
 408    X509_NAME_print_ex(mem, X509_get_subject_name(x), 0, XN_FLAG_ONELINE);
 409    result = push_certinfo(data, mem, "Subject", i);
 410    if(result)
 411      break;
 412
 413    X509_NAME_print_ex(mem, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE);
 414    result = push_certinfo(data, mem, "Issuer", i);
 415    if(result)
 416      break;
 417
 418    BIO_printf(mem, "%lx", X509_get_version(x));
 419    result = push_certinfo(data, mem, "Version", i);
 420    if(result)
 421      break;
 422
 423    num = X509_get_serialNumber(x);
 424    if(ASN1_STRING_type(num) == V_ASN1_NEG_INTEGER)
 425      BIO_puts(mem, "-");
 426    numdata = ASN1_STRING_get0_data(num);
 427    for(j = 0; j < ASN1_STRING_length(num); j++)
 428      BIO_printf(mem, "%02x", numdata[j]);
 429    result = push_certinfo(data, mem, "Serial Number", i);
 430    if(result)
 431      break;
 432
 433    {
 434      const X509_ALGOR *sigalg = NULL;
 435      pubkeytype_t *xpubkey = NULL;
 436      ASN1_OBJECT *pubkeyoid = NULL;
 437
 438      X509_get0_signature(&psig, &sigalg, x);
 439      if(sigalg) {
 440        const ASN1_OBJECT *sigalgoid = NULL;
 441        X509_ALGOR_get0(&sigalgoid, NULL, NULL, sigalg);
 442        i2a_ASN1_OBJECT(mem, sigalgoid);
 443        result = push_certinfo(data, mem, "Signature Algorithm", i);
 444        if(result)
 445          break;
 446      }
 447
 448      xpubkey = X509_get_X509_PUBKEY(x);
 449      if(xpubkey) {
 450        X509_PUBKEY_get0_param(&pubkeyoid, NULL, NULL, NULL, xpubkey);
 451        if(pubkeyoid) {
 452          i2a_ASN1_OBJECT(mem, pubkeyoid);
 453          result = push_certinfo(data, mem, "Public Key Algorithm", i);
 454          if(result)
 455            break;
 456        }
 457      }
 458
 459      result = X509V3_ext(data, i, X509_get0_extensions(x));
 460      if(result)
 461        break;
 462    }
 463
 464    ASN1_TIME_print(mem, X509_get0_notBefore(x));
 465    result = push_certinfo(data, mem, "Start date", i);
 466    if(result)
 467      break;
 468
 469    ASN1_TIME_print(mem, X509_get0_notAfter(x));
 470    result = push_certinfo(data, mem, "Expire date", i);
 471    if(result)
 472      break;
 473
 474    pubkey = X509_get_pubkey(x);
 475    if(!pubkey)
 476      infof(data, "   Unable to load public key");
 477    else {
 478      switch(EVP_PKEY_id(pubkey)) {
 479      case EVP_PKEY_RSA:
 480        result = get_pkey_rsa(data, pubkey, mem, i);
 481        break;
 482
 483#ifndef OPENSSL_NO_DSA
 484      case EVP_PKEY_DSA:
 485        result = get_pkey_dsa(data, pubkey, mem, i);
 486        break;
 487#endif
 488
 489      case EVP_PKEY_DH:
 490        result = get_pkey_dh(data, pubkey, mem, i);
 491        break;
 492      }
 493      EVP_PKEY_free(pubkey);
 494    }
 495
 496    if(!result && psig) {
 497      const unsigned char *psigdata = ASN1_STRING_get0_data(psig);
 498      for(j = 0; j < ASN1_STRING_length(psig); j++)
 499        BIO_printf(mem, "%02x:", psigdata[j]);
 500      result = push_certinfo(data, mem, "Signature", i);
 501    }
 502
 503    if(!result) {
 504      PEM_write_bio_X509(mem, x);
 505      result = push_certinfo(data, mem, "Cert", i);
 506    }
 507  }
 508
 509  BIO_free(mem);
 510
 511  if(result)
 512    /* cleanup all leftovers */
 513    Curl_ssl_free_certinfo(data);
 514
 515  return result;
 516}
 517
 518static int ossl_bio_cf_create(BIO *bio)
 519{
 520  BIO_set_shutdown(bio, 1);
 521  BIO_set_init(bio, 1);
 522  BIO_set_data(bio, NULL);
 523  return 1;
 524}
 525
 526static int ossl_bio_cf_destroy(BIO *bio)
 527{
 528  if(!bio)
 529    return 0;
 530  return 1;
 531}
 532
 533static long ossl_bio_cf_ctrl(BIO *bio, int cmd, long num, void *ptr)
 534{
 535  struct Curl_cfilter *cf = BIO_get_data(bio);
 536  long ret = 1;
 537
 538  (void)cf;
 539  (void)ptr;
 540  switch(cmd) {
 541  case BIO_CTRL_GET_CLOSE:
 542    ret = (long)BIO_get_shutdown(bio);
 543    break;
 544  case BIO_CTRL_SET_CLOSE:
 545    BIO_set_shutdown(bio, (int)num);
 546    break;
 547  case BIO_CTRL_FLUSH:
 548    /* we do no delayed writes, but if we ever would, this
 549     * needs to trigger it. */
 550    ret = 1;
 551    break;
 552  case BIO_CTRL_DUP:
 553    ret = 1;
 554    break;
 555  case BIO_CTRL_EOF: {
 556    /* EOF has been reached on input? */
 557    struct ssl_connect_data *connssl = cf->ctx;
 558    return connssl->peer_closed;
 559  }
 560  default:
 561    ret = 0;
 562    break;
 563  }
 564  return ret;
 565}
 566
 567static int ossl_bio_cf_out_write(BIO *bio, const char *buf, int blen)
 568{
 569  struct Curl_cfilter *cf = BIO_get_data(bio);
 570  struct ssl_connect_data *connssl = cf->ctx;
 571  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
 572  struct Curl_easy *data = CF_DATA_CURRENT(cf);
 573  size_t nwritten;
 574  CURLcode result;
 575
 576  DEBUGASSERT(data);
 577  if(blen < 0)
 578    return 0;
 579
 580  result = Curl_conn_cf_send(cf->next, data,
 581                             (const uint8_t *)buf, (size_t)blen, FALSE,
 582                             &nwritten);
 583  CURL_TRC_CF(data, cf, "ossl_bio_cf_out_write(len=%d) -> %d, %zu",
 584              blen, result, nwritten);
 585  BIO_clear_retry_flags(bio);
 586  octx->io_result = result;
 587  if(result) {
 588    if(result == CURLE_AGAIN)
 589      BIO_set_retry_write(bio);
 590    return -1;
 591  }
 592  return (int)nwritten;
 593}
 594
 595static int ossl_bio_cf_in_read(BIO *bio, char *buf, int blen)
 596{
 597  struct Curl_cfilter *cf = BIO_get_data(bio);
 598  struct ssl_connect_data *connssl = cf->ctx;
 599  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
 600  struct Curl_easy *data = CF_DATA_CURRENT(cf);
 601  size_t nread;
 602  CURLcode result, r2;
 603
 604  DEBUGASSERT(data);
 605  /* OpenSSL catches this case, so should we. */
 606  if(!buf)
 607    return 0;
 608  if(blen < 0)
 609    return 0;
 610
 611  result = Curl_conn_cf_recv(cf->next, data, buf, (size_t)blen, &nread);
 612  CURL_TRC_CF(data, cf, "ossl_bio_cf_in_read(len=%d) -> %d, %zu",
 613              blen, result, nread);
 614  BIO_clear_retry_flags(bio);
 615  octx->io_result = result;
 616  if(result) {
 617    if(result == CURLE_AGAIN)
 618      BIO_set_retry_read(bio);
 619  }
 620  else {
 621    /* feeding data to OpenSSL means SSL_read() might succeed */
 622    connssl->input_pending = TRUE;
 623    if(nread == 0)
 624      connssl->peer_closed = TRUE;
 625  }
 626
 627  /* Before returning server replies to the SSL instance, we need
 628   * to have setup the x509 store or verification fails. */
 629  if(!octx->x509_store_setup) {
 630    r2 = Curl_ssl_setup_x509_store(cf, data, octx);
 631    if(r2) {
 632      BIO_clear_retry_flags(bio);
 633      octx->io_result = r2;
 634      return -1;
 635    }
 636    octx->x509_store_setup = TRUE;
 637  }
 638  return result ? -1 : (int)nread;
 639}
 640
 641static BIO_METHOD *ossl_bio_cf_method_create(void)
 642{
 643  BIO_METHOD *m = BIO_meth_new(BIO_TYPE_MEM, "OpenSSL CF BIO");
 644  if(m) {
 645    BIO_meth_set_write(m, &ossl_bio_cf_out_write);
 646    BIO_meth_set_read(m, &ossl_bio_cf_in_read);
 647    BIO_meth_set_ctrl(m, &ossl_bio_cf_ctrl);
 648    BIO_meth_set_create(m, &ossl_bio_cf_create);
 649    BIO_meth_set_destroy(m, &ossl_bio_cf_destroy);
 650  }
 651  return m;
 652}
 653
 654static void ossl_bio_cf_method_free(BIO_METHOD *m)
 655{
 656  if(m)
 657    BIO_meth_free(m);
 658}
 659
 660#ifndef HAVE_KEYLOG_UPSTREAM
 661#ifdef HAVE_KEYLOG_CALLBACK
 662static void ossl_keylog_callback(const SSL *ssl, const char *line)
 663{
 664  (void)ssl;
 665
 666  Curl_tls_keylog_write_line(line);
 667}
 668#else
 669/*
 670 * ossl_log_tls12_secret is called by libcurl to make the CLIENT_RANDOMs if the
 671 * OpenSSL being used does not have native support for doing that.
 672 */
 673static void ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done)
 674{
 675  const SSL_SESSION *session;
 676  unsigned char client_random[SSL3_RANDOM_SIZE];
 677  unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
 678  int master_key_length = 0;
 679
 680  ERR_set_mark();
 681
 682  session = SSL_get_session(ssl);
 683
 684  if(!session || *keylog_done) {
 685    ERR_pop_to_mark();
 686    return;
 687  }
 688
 689  SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
 690  master_key_length = (int)
 691    SSL_SESSION_get_master_key(session, master_key, SSL_MAX_MASTER_KEY_LENGTH);
 692
 693  ERR_pop_to_mark();
 694
 695  /* The handshake has not progressed sufficiently yet, or this is a TLS 1.3
 696   * session (when curl was built with older OpenSSL headers and running with
 697   * newer OpenSSL runtime libraries). */
 698  if(master_key_length <= 0)
 699    return;
 700
 701  *keylog_done = TRUE;
 702  Curl_tls_keylog_write("CLIENT_RANDOM", client_random,
 703                        master_key, master_key_length);
 704}
 705#endif /* !HAVE_KEYLOG_CALLBACK */
 706#endif /* HAVE_KEYLOG_UPSTREAM */
 707
 708static const char *SSL_ERROR_to_str(int err)
 709{
 710  switch(err) {
 711  case SSL_ERROR_NONE:
 712    return "SSL_ERROR_NONE";
 713  case SSL_ERROR_SSL:
 714    return "SSL_ERROR_SSL";
 715  case SSL_ERROR_WANT_READ:
 716    return "SSL_ERROR_WANT_READ";
 717  case SSL_ERROR_WANT_WRITE:
 718    return "SSL_ERROR_WANT_WRITE";
 719  case SSL_ERROR_WANT_X509_LOOKUP:
 720    return "SSL_ERROR_WANT_X509_LOOKUP";
 721  case SSL_ERROR_SYSCALL:
 722    return "SSL_ERROR_SYSCALL";
 723  case SSL_ERROR_ZERO_RETURN:
 724    return "SSL_ERROR_ZERO_RETURN";
 725  case SSL_ERROR_WANT_CONNECT:
 726    return "SSL_ERROR_WANT_CONNECT";
 727  case SSL_ERROR_WANT_ACCEPT:
 728    return "SSL_ERROR_WANT_ACCEPT";
 729#ifdef SSL_ERROR_WANT_ASYNC  /* OpenSSL 1.1.0+, LibreSSL 3.6.0+ */
 730  case SSL_ERROR_WANT_ASYNC:
 731    return "SSL_ERROR_WANT_ASYNC";
 732#endif
 733#ifdef SSL_ERROR_WANT_ASYNC_JOB  /* OpenSSL 1.1.0+, LibreSSL 3.6.0+ */
 734  case SSL_ERROR_WANT_ASYNC_JOB:
 735    return "SSL_ERROR_WANT_ASYNC_JOB";
 736#endif
 737#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB  /* OpenSSL 1.1.1, LibreSSL 3.6.0+ */
 738  case SSL_ERROR_WANT_CLIENT_HELLO_CB:
 739    return "SSL_ERROR_WANT_CLIENT_HELLO_CB";
 740#endif
 741  default:
 742    return "SSL_ERROR unknown";
 743  }
 744}
 745
 746/* Return error string for last OpenSSL error
 747 */
 748static char *ossl_strerror(unsigned long error, char *buf, size_t size)
 749{
 750  size_t len;
 751  DEBUGASSERT(size);
 752  *buf = '\0';
 753
 754  len = Curl_ossl_version(buf, size);
 755  DEBUGASSERT(len < (size - 2));
 756  if(len < (size - 2)) {
 757    buf += len;
 758    size -= (len + 2);
 759    *buf++ = ':';
 760    *buf++ = ' ';
 761    *buf = '\0';
 762  }
 763
 764#ifdef HAVE_BORINGSSL_LIKE
 765  ERR_error_string_n((uint32_t)error, buf, size);
 766#else
 767  ERR_error_string_n(error, buf, size);
 768#endif
 769
 770  if(!*buf) {
 771    const char *msg = error ? "Unknown error" : "No error";
 772    curlx_strcopy(buf, size, msg, strlen(msg));
 773  }
 774
 775  return buf;
 776}
 777
 778static int passwd_callback(char *buf, int num, int encrypting, void *password)
 779{
 780  DEBUGASSERT(encrypting == 0);
 781
 782  if(!encrypting && num >= 0 && password) {
 783    int klen = curlx_uztosi(strlen((char *)password));
 784    if(num > klen) {
 785      memcpy(buf, password, klen + 1);
 786      return klen;
 787    }
 788  }
 789  return 0;
 790}
 791
 792/*
 793 * rand_enough() returns TRUE if we have seeded the random engine properly.
 794 */
 795static bool rand_enough(void)
 796{
 797  return RAND_status() != 0;
 798}
 799
 800static CURLcode ossl_seed(struct Curl_easy *data)
 801{
 802  /* This might get called before it has been added to a multi handle */
 803  if(data->multi && data->multi->ssl_seeded)
 804    return CURLE_OK;
 805
 806  if(rand_enough()) {
 807    /* OpenSSL 1.1.0+ should return here */
 808    if(data->multi)
 809      data->multi->ssl_seeded = TRUE;
 810    return CURLE_OK;
 811  }
 812  failf(data, "Insufficient randomness");
 813  return CURLE_SSL_CONNECT_ERROR;
 814}
 815
 816#ifndef SSL_FILETYPE_ENGINE
 817#define SSL_FILETYPE_ENGINE 42
 818#endif
 819#ifndef SSL_FILETYPE_PKCS12
 820#define SSL_FILETYPE_PKCS12 43
 821#endif
 822#ifndef SSL_FILETYPE_PROVIDER
 823#define SSL_FILETYPE_PROVIDER 44
 824#endif
 825static int ossl_do_file_type(const char *type)
 826{
 827  if(!type || !type[0])
 828    return SSL_FILETYPE_PEM;
 829  if(curl_strequal(type, "PEM"))
 830    return SSL_FILETYPE_PEM;
 831  if(curl_strequal(type, "DER"))
 832    return SSL_FILETYPE_ASN1;
 833  if(curl_strequal(type, "PROV"))
 834    return SSL_FILETYPE_PROVIDER;
 835  if(curl_strequal(type, "ENG"))
 836    return SSL_FILETYPE_ENGINE;
 837  if(curl_strequal(type, "P12"))
 838    return SSL_FILETYPE_PKCS12;
 839  return -1;
 840}
 841
 842#if defined(USE_OPENSSL_ENGINE) || defined(OPENSSL_HAS_PROVIDERS)
 843/*
 844 * Supply default password to the engine user interface conversation.
 845 * The password is passed by OpenSSL engine from ENGINE_load_private_key()
 846 * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
 847 */
 848static int ssl_ui_reader(UI *ui, UI_STRING *uis)
 849{
 850  const char *password;
 851  switch(UI_get_string_type(uis)) {
 852  case UIT_PROMPT:
 853  case UIT_VERIFY:
 854    password = (const char *)UI_get0_user_data(ui);
 855    if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
 856      UI_set_result(ui, uis, password);
 857      return 1;
 858    }
 859    FALLTHROUGH();
 860  default:
 861    break;
 862  }
 863  return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
 864}
 865
 866/*
 867 * Suppress interactive request for a default password if available.
 868 */
 869static int ssl_ui_writer(UI *ui, UI_STRING *uis)
 870{
 871  switch(UI_get_string_type(uis)) {
 872  case UIT_PROMPT:
 873  case UIT_VERIFY:
 874    if(UI_get0_user_data(ui) &&
 875       (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
 876      return 1;
 877    }
 878    FALLTHROUGH();
 879  default:
 880    break;
 881  }
 882  return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
 883}
 884
 885/*
 886 * Check if a given string is a PKCS#11 URI
 887 */
 888static bool is_pkcs11_uri(const char *string)
 889{
 890  return string && curl_strnequal(string, "pkcs11:", 7);
 891}
 892
 893#endif
 894
 895static CURLcode ossl_set_engine(struct Curl_easy *data, const char *name);
 896#ifdef OPENSSL_HAS_PROVIDERS
 897static CURLcode ossl_set_provider(struct Curl_easy *data, const char *iname);
 898#endif
 899
 900static int use_certificate_blob(SSL_CTX *ctx, const struct curl_blob *blob,
 901                                int type, const char *key_passwd)
 902{
 903  int ret = 0;
 904  X509 *x = NULL;
 905  /* the typecast of blob->len is fine since it is guaranteed to never be
 906     larger than CURL_MAX_INPUT_LENGTH */
 907  BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
 908  if(!in)
 909    return CURLE_OUT_OF_MEMORY;
 910
 911  if(type == SSL_FILETYPE_ASN1) {
 912    /* j = ERR_R_ASN1_LIB; */
 913    x = d2i_X509_bio(in, NULL);
 914  }
 915  else if(type == SSL_FILETYPE_PEM) {
 916    /* ERR_R_PEM_LIB; */
 917    x = PEM_read_bio_X509(in, NULL, passwd_callback, CURL_UNCONST(key_passwd));
 918  }
 919  else {
 920    ret = 0;
 921    goto end;
 922  }
 923
 924  if(!x) {
 925    ret = 0;
 926    goto end;
 927  }
 928
 929  ret = SSL_CTX_use_certificate(ctx, x);
 930end:
 931  X509_free(x);
 932  BIO_free(in);
 933  return ret;
 934}
 935
 936static int use_privatekey_blob(SSL_CTX *ctx, const struct curl_blob *blob,
 937                               int type, const char *key_passwd)
 938{
 939  int ret = 0;
 940  EVP_PKEY *pkey = NULL;
 941  BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
 942  if(!in)
 943    return CURLE_OUT_OF_MEMORY;
 944
 945  if(type == SSL_FILETYPE_PEM)
 946    pkey = PEM_read_bio_PrivateKey(in, NULL, passwd_callback,
 947                                   CURL_UNCONST(key_passwd));
 948  else if(type == SSL_FILETYPE_ASN1)
 949    pkey = d2i_PrivateKey_bio(in, NULL);
 950  else
 951    goto end;
 952
 953  if(!pkey)
 954    goto end;
 955
 956  ret = SSL_CTX_use_PrivateKey(ctx, pkey);
 957  EVP_PKEY_free(pkey);
 958end:
 959  BIO_free(in);
 960  return ret;
 961}
 962
 963static int use_certificate_chain_blob(SSL_CTX *ctx,
 964                                      const struct curl_blob *blob,
 965                                      const char *key_passwd)
 966{
 967  int ret = 0;
 968  X509 *x = NULL;
 969  BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
 970  if(!in)
 971    return CURLE_OUT_OF_MEMORY;
 972
 973  ERR_clear_error();
 974
 975  x = PEM_read_bio_X509_AUX(in, NULL,
 976                            passwd_callback, CURL_UNCONST(key_passwd));
 977  if(!x)
 978    goto end;
 979
 980  ret = SSL_CTX_use_certificate(ctx, x);
 981
 982  if(ERR_peek_error() != 0)
 983    ret = 0;
 984
 985  if(ret) {
 986    X509 *ca;
 987    sslerr_t err;
 988
 989    if(!SSL_CTX_clear_chain_certs(ctx)) {
 990      ret = 0;
 991      goto end;
 992    }
 993
 994    while((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
 995                                  CURL_UNCONST(key_passwd))) != NULL) {
 996
 997      if(!SSL_CTX_add0_chain_cert(ctx, ca)) {
 998        X509_free(ca);
 999        ret = 0;
1000        goto end;
1001      }
1002    }
1003
1004    err = ERR_peek_last_error();
1005    if((ERR_GET_LIB(err) == ERR_LIB_PEM) &&
1006       (ERR_GET_REASON(err) == PEM_R_NO_START_LINE))
1007      ERR_clear_error();
1008    else
1009      ret = 0;
1010  }
1011
1012end:
1013  X509_free(x);
1014  BIO_free(in);
1015  return ret;
1016}
1017
1018static int enginecheck(struct Curl_easy *data,
1019                       SSL_CTX* ctx,
1020                       const char *key_file,
1021                       const char *key_passwd)
1022{
1023#ifdef USE_OPENSSL_ENGINE
1024  EVP_PKEY *priv_key = NULL;
1025
1026  /* Implicitly use pkcs11 engine if none was provided and the
1027   * key_file is a PKCS#11 URI */
1028  if(!data->state.engine) {
1029    if(is_pkcs11_uri(key_file)) {
1030      if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
1031        return 0;
1032      }
1033    }
1034  }
1035
1036  if(data->state.engine) {
1037    UI_METHOD *ui_method = UI_create_method("curl user interface");
1038    if(!ui_method) {
1039      failf(data, "unable to create " OSSL_PACKAGE " user-interface method");
1040      return 0;
1041    }
1042    UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
1043    UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
1044    UI_method_set_reader(ui_method, ssl_ui_reader);
1045    UI_method_set_writer(ui_method, ssl_ui_writer);
1046    priv_key = ENGINE_load_private_key(data->state.engine, key_file,
1047                                       ui_method,
1048                                       CURL_UNCONST(key_passwd));
1049    UI_destroy_method(ui_method);
1050    if(!priv_key) {
1051      failf(data, "failed to load private key from crypto engine");
1052      return 0;
1053    }
1054    if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
1055      failf(data, "unable to set private key");
1056      EVP_PKEY_free(priv_key);
1057      return 0;
1058    }
1059    EVP_PKEY_free(priv_key);  /* we do not need the handle any more... */
1060  }
1061  else {
1062    failf(data, "crypto engine not set, cannot load private key");
1063    return 0;
1064  }
1065  return 1;
1066#else
1067  (void)ctx;
1068  (void)key_file;
1069  (void)key_passwd;
1070  failf(data, "SSL_FILETYPE_ENGINE not supported for private key");
1071  return 0;
1072#endif
1073}
1074
1075static int providercheck(struct Curl_easy *data,
1076                         SSL_CTX* ctx,
1077                         const char *key_file)
1078{
1079#ifdef OPENSSL_HAS_PROVIDERS
1080  char error_buffer[256];
1081  /* Implicitly use pkcs11 provider if none was provided and the
1082   * key_file is a PKCS#11 URI */
1083  if(!data->state.provider_loaded) {
1084    if(is_pkcs11_uri(key_file)) {
1085      if(ossl_set_provider(data, "pkcs11") != CURLE_OK) {
1086        return 0;
1087      }
1088    }
1089  }
1090
1091  if(data->state.provider_loaded) {
1092    /* Load the private key from the provider */
1093    EVP_PKEY *priv_key = NULL;
1094    OSSL_STORE_CTX *store = NULL;
1095    OSSL_STORE_INFO *info = NULL;
1096    UI_METHOD *ui_method = UI_create_method("curl user interface");
1097    if(!ui_method) {
1098      failf(data, "unable to create " OSSL_PACKAGE " user-interface method");
1099      return 0;
1100    }
1101    UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
1102    UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
1103    UI_method_set_reader(ui_method, ssl_ui_reader);
1104    UI_method_set_writer(ui_method, ssl_ui_writer);
1105
1106    store = OSSL_STORE_open_ex(key_file, data->state.libctx,
1107                               data->state.propq, ui_method, NULL, NULL,
1108                               NULL, NULL);
1109    if(!store) {
1110      failf(data, "Failed to open OpenSSL store: %s",
1111            ossl_strerror(ERR_get_error(), error_buffer,
1112                          sizeof(error_buffer)));
1113      UI_destroy_method(ui_method);
1114      return 0;
1115    }
1116    if(OSSL_STORE_expect(store, OSSL_STORE_INFO_PKEY) != 1) {
1117      failf(data, "Failed to set store preference. Ignoring the error: %s",
1118            ossl_strerror(ERR_get_error(), error_buffer,
1119                          sizeof(error_buffer)));
1120    }
1121
1122    info = OSSL_STORE_load(store);
1123    if(info) {
1124      int ossl_type = OSSL_STORE_INFO_get_type(info);
1125
1126      if(ossl_type == OSSL_STORE_INFO_PKEY)
1127        priv_key = OSSL_STORE_INFO_get1_PKEY(info);
1128      OSSL_STORE_INFO_free(info);
1129    }
1130    OSSL_STORE_close(store);
1131    UI_destroy_method(ui_method);
1132    if(!priv_key) {
1133      failf(data, "No private key found in the openssl store: %s",
1134            ossl_strerror(ERR_get_error(), error_buffer,
1135                          sizeof(error_buffer)));
1136      return 0;
1137    }
1138
1139    if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
1140      failf(data, "unable to set private key [%s]",
1141            ossl_strerror(ERR_get_error(), error_buffer,
1142                          sizeof(error_buffer)));
1143      EVP_PKEY_free(priv_key);
1144      return 0;
1145    }
1146    EVP_PKEY_free(priv_key); /* we do not need the handle any more... */
1147  }
1148  else {
1149    failf(data, "crypto provider not set, cannot load private key");
1150    return 0;
1151  }
1152  return 1;
1153#else
1154  (void)ctx;
1155  (void)key_file;
1156  failf(data, "SSL_FILETYPE_PROVIDER not supported for private key");
1157  return 0;
1158#endif
1159}
1160
1161static int engineload(struct Curl_easy *data,
1162                      SSL_CTX* ctx,
1163                      const char *cert_file)
1164{
1165/* ENGINE_CTRL_GET_CMD_FROM_NAME supported by OpenSSL, LibreSSL <=3.8.3 */
1166#if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
1167  char error_buffer[256];
1168  /* Implicitly use pkcs11 engine if none was provided and the
1169   * cert_file is a PKCS#11 URI */
1170  if(!data->state.engine) {
1171    if(is_pkcs11_uri(cert_file)) {
1172      if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
1173        return 0;
1174      }
1175    }
1176  }
1177
1178  if(data->state.engine) {
1179    const char *cmd_name = "LOAD_CERT_CTRL";
1180    struct {
1181      const char *cert_id;
1182      X509 *cert;
1183    } params;
1184
1185    params.cert_id = cert_file;
1186    params.cert = NULL;
1187
1188    /* Does the engine supports LOAD_CERT_CTRL ? */
1189    if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
1190                    0, CURL_UNCONST(cmd_name), NULL)) {
1191      failf(data, "ssl engine does not support loading certificates");
1192      return 0;
1193    }
1194
1195    /* Load the certificate from the engine */
1196    if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name, 0, &params, NULL, 1)) {
1197      failf(data, "ssl engine cannot load client cert with id '%s' [%s]",
1198            cert_file,
1199            ossl_strerror(ERR_get_error(), error_buffer,
1200                          sizeof(error_buffer)));
1201      return 0;
1202    }
1203
1204    if(!params.cert) {
1205      failf(data, "ssl engine did not initialized the certificate properly.");
1206      return 0;
1207    }
1208
1209    if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
1210      failf(data, "unable to set client certificate [%s]",
1211            ossl_strerror(ERR_get_error(), error_buffer,
1212                          sizeof(error_buffer)));
1213      X509_free(params.cert);
1214      return 0;
1215    }
1216    X509_free(params.cert); /* we do not need the handle any more... */
1217  }
1218  else {
1219    failf(data, "crypto engine not set, cannot load certificate");
1220    return 0;
1221  }
1222  return 1;
1223#else
1224  (void)ctx;
1225  (void)cert_file;
1226  failf(data, "SSL_FILETYPE_ENGINE not supported for certificate");
1227  return 0;
1228#endif
1229}
1230
1231static int providerload(struct Curl_easy *data,
1232                        SSL_CTX* ctx,
1233                        const char *cert_file)
1234{
1235#ifdef OPENSSL_HAS_PROVIDERS
1236  char error_buffer[256];
1237  /* Implicitly use pkcs11 provider if none was provided and the
1238   * cert_file is a PKCS#11 URI */
1239  if(!data->state.provider_loaded) {
1240    if(is_pkcs11_uri(cert_file)) {
1241      if(ossl_set_provider(data, "pkcs11") != CURLE_OK) {
1242        return 0;
1243      }
1244    }
1245  }
1246
1247  if(data->state.provider_loaded) {
1248    /* Load the certificate from the provider */
1249    OSSL_STORE_INFO *info = NULL;
1250    X509 *cert = NULL;
1251    OSSL_STORE_CTX *store =
1252      OSSL_STORE_open_ex(cert_file, data->state.libctx,
1253                         NULL, NULL, NULL, NULL, NULL, NULL);
1254    int rc;
1255
1256    if(!store) {
1257      failf(data, "Failed to open OpenSSL store: %s",
1258            ossl_strerror(ERR_get_error(), error_buffer,
1259                          sizeof(error_buffer)));
1260      return 0;
1261    }
1262    if(OSSL_STORE_expect(store, OSSL_STORE_INFO_CERT) != 1) {
1263      failf(data, "Failed to set store preference. Ignoring the error: %s",
1264            ossl_strerror(ERR_get_error(), error_buffer,
1265                          sizeof(error_buffer)));
1266    }
1267
1268    info = OSSL_STORE_load(store);
1269    if(info) {
1270      int ossl_type = OSSL_STORE_INFO_get_type(info);
1271
1272      if(ossl_type == OSSL_STORE_INFO_CERT)
1273        cert = OSSL_STORE_INFO_get1_CERT(info);
1274      OSSL_STORE_INFO_free(info);
1275    }
1276    OSSL_STORE_close(store);
1277    if(!cert) {
1278      failf(data, "No cert found in the openssl store: %s",
1279            ossl_strerror(ERR_get_error(), error_buffer,
1280                          sizeof(error_buffer)));
1281      return 0;
1282    }
1283
1284    rc = SSL_CTX_use_certificate(ctx, cert);
1285    X509_free(cert); /* we do not need the handle any more... */
1286
1287    if(rc != 1) {
1288      failf(data, "unable to set client certificate [%s]",
1289            ossl_strerror(ERR_get_error(), error_buffer,
1290                          sizeof(error_buffer)));
1291      return 0;
1292    }
1293  }
1294  else {
1295    failf(data, "crypto provider not set, cannot load certificate");
1296    return 0;
1297  }
1298  return 1;
1299#else
1300  (void)ctx;
1301  (void)cert_file;
1302  failf(data, "SSL_FILETYPE_PROVIDER not supported for certificate");
1303  return 0;
1304#endif
1305}
1306
1307static int pkcs12load(struct Curl_easy *data,
1308                      SSL_CTX* ctx,
1309                      const struct curl_blob *cert_blob,
1310                      const char *cert_file,
1311                      const char *key_passwd)
1312{
1313  char error_buffer[256];
1314  BIO *cert_bio = NULL;
1315  PKCS12 *p12 = NULL;
1316  EVP_PKEY *pri;
1317  X509 *x509;
1318  int cert_done = 0;
1319  STACK_OF(X509) *ca = NULL;
1320  if(cert_blob) {
1321    cert_bio = BIO_new_mem_buf(cert_blob->data, (int)(cert_blob->len));
1322    if(!cert_bio) {
1323      failf(data, "BIO_new_mem_buf NULL, " OSSL_PACKAGE " error %s",
1324            ossl_strerror(ERR_get_error(), error_buffer,
1325                          sizeof(error_buffer)));
1326      return 0;
1327    }
1328  }
1329  else {
1330    cert_bio = BIO_new(BIO_s_file());
1331    if(!cert_bio) {
1332      failf(data, "BIO_new return NULL, " OSSL_PACKAGE " error %s",
1333            ossl_strerror(ERR_get_error(), error_buffer,
1334                          sizeof(error_buffer)));
1335      return 0;
1336    }
1337
1338    if(BIO_read_filename(cert_bio, CURL_UNCONST(cert_file)) <= 0) {
1339      failf(data, "could not open PKCS12 file '%s'", cert_file);
1340      BIO_free(cert_bio);
1341      return 0;
1342    }
1343  }
1344
1345  p12 = d2i_PKCS12_bio(cert_bio, NULL);
1346  BIO_free(cert_bio);
1347
1348  if(!p12) {
1349    failf(data, "error reading PKCS12 file '%s'",
1350          cert_blob ? "(memory blob)" : cert_file);
1351    return 0;
1352  }
1353
1354  if(!PKCS12_parse(p12, key_passwd, &pri, &x509, &ca)) {
1355    failf(data, "could not parse PKCS12 file, check password, " OSSL_PACKAGE
1356          " error %s",
1357          ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer)));
1358    PKCS12_free(p12);
1359    return 0;
1360  }
1361
1362  PKCS12_free(p12);
1363
1364  if(SSL_CTX_use_certificate(ctx, x509) != 1) {
1365    failf(data, "could not load PKCS12 client certificate, " OSSL_PACKAGE
1366          " error %s",
1367          ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer)));
1368    goto fail;
1369  }
1370
1371  if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
1372    failf(data, "unable to use private key from PKCS12 file '%s'", cert_file);
1373    goto fail;
1374  }
1375
1376  if(!SSL_CTX_check_private_key(ctx)) {
1377    failf(data, "private key from PKCS12 file '%s' "
1378          "does not match certificate in same file", cert_file);
1379    goto fail;
1380  }
1381  /* Set Certificate Verification chain */
1382  if(ca) {
1383    while(sk_X509_num(ca)) {
1384      /*
1385       * Note that sk_X509_pop() is used below to make sure the cert is
1386       * removed from the stack properly before getting passed to
1387       * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
1388       * we used sk_X509_value() instead, but then we would clean it in the
1389       * subsequent sk_X509_pop_free() call.
1390       */
1391      X509 *x = sk_X509_pop(ca);
1392      if(!SSL_CTX_add_client_CA(ctx, x)) {
1393        X509_free(x);
1394        failf(data, "cannot add certificate to client CA list");
1395        goto fail;
1396      }
1397      if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
1398        X509_free(x);
1399        failf(data, "cannot add certificate to certificate chain");
1400        goto fail;
1401      }
1402    }
1403  }
1404
1405  cert_done = 1;
1406fail:
1407  EVP_PKEY_free(pri);
1408  X509_free(x509);
1409#if defined(__clang__) && __clang_major__ >= 16
1410#pragma clang diagnostic push
1411#pragma clang diagnostic ignored "-Wcast-function-type-strict"
1412#endif
1413  sk_X509_pop_free(ca, X509_free);
1414#if defined(__clang__) && __clang_major__ >= 16
1415#pragma clang diagnostic pop
1416#endif
1417  if(!cert_done)
1418    return 0; /* failure! */
1419  return 1;
1420}
1421
1422static CURLcode client_cert(struct Curl_easy *data,
1423                            SSL_CTX* ctx,
1424                            char *cert_file,
1425                            const struct curl_blob *cert_blob,
1426                            const char *cert_type,
1427                            char *key_file,
1428                            const struct curl_blob *key_blob,
1429                            const char *key_type,
1430                            char *key_passwd)
1431{
1432  char error_buffer[256];
1433  bool check_privkey = TRUE;
1434  int file_type = ossl_do_file_type(cert_type);
1435
1436  if(cert_file || cert_blob || (file_type == SSL_FILETYPE_ENGINE) ||
1437     (file_type == SSL_FILETYPE_PROVIDER)) {
1438    SSL *ssl;
1439    X509 *x509;
1440    bool pcks12_done = FALSE;
1441    int cert_use_result;
1442
1443    if(key_passwd) {
1444      /* set the password in the callback userdata */
1445      SSL_CTX_set_default_passwd_cb_userdata(ctx, key_passwd);
1446      /* Set passwd callback: */
1447      SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
1448    }
1449
1450    switch(file_type) {
1451    case SSL_FILETYPE_PEM:
1452      /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
1453      cert_use_result = cert_blob ?
1454        use_certificate_chain_blob(ctx, cert_blob, key_passwd) :
1455        SSL_CTX_use_certificate_chain_file(ctx, cert_file);
1456      if(cert_use_result != 1) {
1457        failf(data,
1458              "could not load PEM client certificate from %s, " OSSL_PACKAGE
1459              " error %s, "
1460              "(no key found, wrong passphrase, or wrong file format?)",
1461              (cert_blob ? "CURLOPT_SSLCERT_BLOB" : cert_file),
1462              ossl_strerror(ERR_get_error(), error_buffer,
1463                            sizeof(error_buffer)));
1464        return CURLE_SSL_CERTPROBLEM;
1465      }
1466      break;
1467
1468    case SSL_FILETYPE_ASN1:
1469      /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
1470         we use the case above for PEM so this can only be performed with
1471         ASN1 files. */
1472
1473      cert_use_result = cert_blob ?
1474        use_certificate_blob(ctx, cert_blob, file_type, key_passwd) :
1475      SSL_CTX_use_certificate_file(ctx, cert_file, file_type);
1476      if(cert_use_result != 1) {
1477        failf(data,
1478              "could not load ASN1 client certificate from %s, " OSSL_PACKAGE
1479              " error %s, "
1480              "(no key found, wrong passphrase, or wrong file format?)",
1481              (cert_blob ? "CURLOPT_SSLCERT_BLOB" : cert_file),
1482              ossl_strerror(ERR_get_error(), error_buffer,
1483                            sizeof(error_buffer)));
1484        return CURLE_SSL_CERTPROBLEM;
1485      }
1486      break;
1487
1488    case SSL_FILETYPE_ENGINE:
1489      if(!cert_file || !engineload(data, ctx, cert_file))
1490        return CURLE_SSL_CERTPROBLEM;
1491      break;
1492
1493    case SSL_FILETYPE_PROVIDER:
1494      if(!cert_file || !providerload(data, ctx, cert_file))
1495        return CURLE_SSL_CERTPROBLEM;
1496      break;
1497
1498    case SSL_FILETYPE_PKCS12:
1499      if(!pkcs12load(data, ctx, cert_blob, cert_file, key_passwd))
1500        return CURLE_SSL_CERTPROBLEM;
1501      pcks12_done = TRUE;
1502      break;
1503
1504    default:
1505      failf(data, "not supported file type '%s' for certificate", cert_type);
1506      return CURLE_BAD_FUNCTION_ARGUMENT;
1507    }
1508
1509    if(!key_file && !key_blob) {
1510      key_file = cert_file;
1511      key_blob = cert_blob;
1512    }
1513    else
1514      file_type = ossl_do_file_type(key_type);
1515
1516    switch(file_type) {
1517    case SSL_FILETYPE_PEM:
1518    case SSL_FILETYPE_ASN1:
1519      cert_use_result = key_blob ?
1520        use_privatekey_blob(ctx, key_blob, file_type, key_passwd) :
1521      SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type);
1522      if(cert_use_result != 1) {
1523        failf(data, "unable to set private key file: '%s' type %s",
1524              key_file ? key_file : "(memory blob)",
1525              key_type ? key_type : "PEM");
1526        return CURLE_BAD_FUNCTION_ARGUMENT;
1527      }
1528      break;
1529    case SSL_FILETYPE_ENGINE:
1530      if(!enginecheck(data, ctx, key_file, key_passwd))
1531        return CURLE_SSL_CERTPROBLEM;
1532      break;
1533
1534    case SSL_FILETYPE_PROVIDER:
1535      if(!providercheck(data, ctx, key_file))
1536        return CURLE_SSL_CERTPROBLEM;
1537      break;
1538
1539    case SSL_FILETYPE_PKCS12:
1540      if(!pcks12_done) {
1541        failf(data, "file type P12 for private key not supported");
1542        return CURLE_SSL_CERTPROBLEM;
1543      }
1544      break;
1545    default:
1546      failf(data, "not supported file type for private key");
1547      return CURLE_BAD_FUNCTION_ARGUMENT;
1548    }
1549
1550    ssl = SSL_new(ctx);
1551    if(!ssl) {
1552      failf(data, "unable to create an SSL structure");
1553      return CURLE_OUT_OF_MEMORY;
1554    }
1555
1556    x509 = SSL_get_certificate(ssl);
1557
1558    if(x509) {
1559      EVP_PKEY *pktmp = X509_get_pubkey(x509);
1560      EVP_PKEY_copy_parameters(pktmp, SSL_get_privatekey(ssl));
1561      EVP_PKEY_free(pktmp);
1562    }
1563
1564#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
1565    {
1566      /* If RSA is used, do not check the private key if its flags indicate
1567       * it does not support it. */
1568      EVP_PKEY *priv_key = SSL_get_privatekey(ssl);
1569      if(EVP_PKEY_id(priv_key) == EVP_PKEY_RSA) {
1570        RSA *rsa = EVP_PKEY_get1_RSA(priv_key);
1571        if(RSA_flags(rsa) & RSA_METHOD_FLAG_NO_CHECK)
1572          check_privkey = FALSE;
1573        RSA_free(rsa); /* Decrement reference count */
1574      }
1575    }
1576#endif
1577
1578    SSL_free(ssl);
1579
1580    /* If we are using DSA, we can copy the parameters from
1581     * the private key */
1582
1583    if(check_privkey == TRUE) {
1584      /* Now we know that a key and cert have been set against
1585       * the SSL context */
1586      if(!SSL_CTX_check_private_key(ctx)) {
1587        failf(data, "Private key does not match the certificate public key");
1588        return CURLE_SSL_CERTPROBLEM;
1589      }
1590    }
1591  }
1592  return CURLE_OK;
1593}
1594
1595#ifdef CURLVERBOSE
1596/* returns non-zero on failure */
1597static CURLcode x509_name_oneline(const X509_NAME *a, struct dynbuf *d)
1598{
1599  BIO *bio_out = BIO_new(BIO_s_mem());
1600  BUF_MEM *biomem;
1601  int rc;
1602  CURLcode result = CURLE_OUT_OF_MEMORY;
1603
1604  if(bio_out) {
1605    unsigned long flags = XN_FLAG_SEP_SPLUS_SPC |
1606      (XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB & ~XN_FLAG_SPC_EQ);
1607    curlx_dyn_reset(d);
1608    rc = X509_NAME_print_ex(bio_out, a, 0, flags);
1609    if(rc != -1) {
1610      BIO_get_mem_ptr(bio_out, &biomem);
1611      result = curlx_dyn_addn(d, biomem->data, biomem->length);
1612    }
1613    BIO_free(bio_out);
1614  }
1615  return result;
1616}
1617#endif
1618
1619/**
1620 * Global SSL init
1621 *
1622 * @retval 0 error initializing SSL
1623 * @retval 1 SSL initialized successfully
1624 */
1625static int ossl_init(void)
1626{
1627  const uint64_t flags =
1628#ifdef OPENSSL_INIT_ENGINE_ALL_BUILTIN
1629    /* not present in BoringSSL */
1630    OPENSSL_INIT_ENGINE_ALL_BUILTIN |
1631#endif
1632#ifdef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
1633    OPENSSL_INIT_NO_LOAD_CONFIG |
1634#else
1635    OPENSSL_INIT_LOAD_CONFIG |
1636#endif
1637    0;
1638  OPENSSL_init_ssl(flags, NULL);
1639
1640#ifndef HAVE_KEYLOG_UPSTREAM
1641  Curl_tls_keylog_open();
1642#endif
1643
1644  return 1;
1645}
1646
1647/* Global cleanup */
1648static void ossl_cleanup(void)
1649{
1650#ifndef HAVE_KEYLOG_UPSTREAM
1651  Curl_tls_keylog_close();
1652#endif
1653}
1654
1655/* Selects an OpenSSL crypto engine or provider.
1656 */
1657static CURLcode ossl_set_engine(struct Curl_easy *data, const char *name)
1658{
1659#ifdef USE_OPENSSL_ENGINE
1660  CURLcode result = CURLE_SSL_ENGINE_NOTFOUND;
1661  ENGINE *e = ENGINE_by_id(name);
1662
1663  if(e) {
1664
1665    if(data->state.engine) {
1666      ENGINE_finish(data->state.engine);
1667      ENGINE_free(data->state.engine);
1668      data->state.engine = NULL;
1669    }
1670    if(!ENGINE_init(e)) {
1671      char buf[256];
1672
1673      ENGINE_free(e);
1674      failf(data, "Failed to initialize SSL Engine '%s': %s",
1675            name, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
1676      result = CURLE_SSL_ENGINE_INITFAILED;
1677      e = NULL;
1678    }
1679    else {
1680      result = CURLE_OK;
1681    }
1682    data->state.engine = e;
1683    return result;
1684  }
1685#endif
1686#ifdef OPENSSL_HAS_PROVIDERS
1687  return ossl_set_provider(data, name);
1688#else
1689  (void)name;
1690  failf(data, "OpenSSL engine not found");
1691  return CURLE_SSL_ENGINE_NOTFOUND;
1692#endif
1693}
1694
1695/* Sets engine as default for all SSL operations
1696 */
1697static CURLcode ossl_set_engine_default(struct Curl_easy *data)
1698{
1699#ifdef USE_OPENSSL_ENGINE
1700  if(data->state.engine) {
1701    if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
1702      infof(data, "set default crypto engine '%s'",
1703            ENGINE_get_id(data->state.engine));
1704    }
1705    else {
1706      failf(data, "set default crypto engine '%s' failed",
1707            ENGINE_get_id(data->state.engine));
1708      return CURLE_SSL_ENGINE_SETFAILED;
1709    }
1710  }
1711#else
1712  (void)data;
1713#endif
1714  return CURLE_OK;
1715}
1716
1717/* Return list of OpenSSL crypto engine names.
1718 */
1719static struct curl_slist *ossl_engines_list(struct Curl_easy *data)
1720{
1721  struct curl_slist *list = NULL;
1722#ifdef USE_OPENSSL_ENGINE
1723  struct curl_slist *beg;
1724  ENGINE *e;
1725
1726  for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
1727    beg = curl_slist_append(list, ENGINE_get_id(e));
1728    if(!beg) {
1729      curl_slist_free_all(list);
1730      return NULL;
1731    }
1732    list = beg;
1733  }
1734#endif
1735  (void)data;
1736  return list;
1737}
1738
1739#ifdef OPENSSL_HAS_PROVIDERS
1740
1741static void ossl_provider_cleanup(struct Curl_easy *data)
1742{
1743  if(data->state.baseprov) {
1744    OSSL_PROVIDER_unload(data->state.baseprov);
1745    data->state.baseprov = NULL;
1746  }
1747  if(data->state.provider) {
1748    OSSL_PROVIDER_unload(data->state.provider);
1749    data->state.provider = NULL;
1750  }
1751  OSSL_LIB_CTX_free(data->state.libctx);
1752  data->state.libctx = NULL;
1753  curlx_safefree(data->state.propq);
1754  data->state.provider_loaded = FALSE;
1755}
1756
1757#define MAX_PROVIDER_LEN 128 /* reasonable */
1758
1759/* Selects an OpenSSL crypto provider.
1760 *
1761 * A provider might need an associated property, a string passed on to
1762 * OpenSSL. Specify this as [PROVIDER][:PROPERTY]: separate the name and the
1763 * property with a colon. No colon means no property is set.
1764 *
1765 * An example provider + property looks like "tpm2:?provider=tpm2".
1766 */
1767static CURLcode ossl_set_provider(struct Curl_easy *data, const char *iname)
1768{
1769  char name[MAX_PROVIDER_LEN + 1];
1770  struct Curl_str prov;
1771  const char *propq = NULL;
1772
1773  if(!iname) {
1774    /* clear and cleanup provider use */
1775    ossl_provider_cleanup(data);
1776    return CURLE_OK;
1777  }
1778  if(curlx_str_until(&iname, &prov, MAX_PROVIDER_LEN, ':'))
1779    return CURLE_BAD_FUNCTION_ARGUMENT;
1780
1781  if(!curlx_str_single(&iname, ':'))
1782    /* there was a colon, get the propq until the end of string */
1783    propq = iname;
1784
1785  /* we need the name in a buffer, null-terminated */
1786  memcpy(name, curlx_str(&prov), curlx_strlen(&prov));
1787  name[curlx_strlen(&prov)] = 0;
1788
1789  if(!data->state.libctx) {
1790    OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
1791    if(!libctx)
1792      return CURLE_OUT_OF_MEMORY;
1793    if(propq) {
1794      data->state.propq = curlx_strdup(propq);
1795      if(!data->state.propq) {
1796        OSSL_LIB_CTX_free(libctx);
1797        return CURLE_OUT_OF_MEMORY;
1798      }
1799    }
1800    data->state.libctx = libctx;
1801  }
1802
1803#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
1804  /* load the configuration file into the library context before checking the
1805   * provider availability */
1806  if(!OSSL_LIB_CTX_load_config(data->state.libctx, NULL)) {
1807    infof(data, "Failed to load default openssl config. Proceeding.");
1808  }
1809#endif
1810
1811  if(OSSL_PROVIDER_available(data->state.libctx, name)) {
1812    /* already loaded through the configuration - no action needed */
1813    data->state.provider_loaded = TRUE;
1814    return CURLE_OK;
1815  }
1816
1817  data->state.provider = OSSL_PROVIDER_try_load(data->state.libctx, name, 1);
1818  if(!data->state.provider) {
1819    char error_buffer[256];
1820    failf(data, "Failed to initialize provider: %s",
1821          ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer)));
1822    ossl_provider_cleanup(data);
1823    return CURLE_SSL_ENGINE_NOTFOUND;
1824  }
1825
1826  /* load the base provider as well */
1827  data->state.baseprov = OSSL_PROVIDER_try_load(data->state.libctx, "base", 1);
1828  if(!data->state.baseprov) {
1829    ossl_provider_cleanup(data);
1830    failf(data, "Failed to load base");
1831    return CURLE_SSL_ENGINE_NOTFOUND;
1832  }
1833  else
1834    data->state.provider_loaded = TRUE;
1835  return CURLE_OK;
1836}
1837#endif
1838
1839static CURLcode ossl_shutdown(struct Curl_cfilter *cf,
1840                              struct Curl_easy *data,
1841                              bool send_shutdown, bool *done)
1842{
1843  struct ssl_connect_data *connssl = cf->ctx;
1844  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
1845  CURLcode result = CURLE_OK;
1846  char buf[1024];
1847  int nread = -1, err;
1848  size_t i;
1849
1850  DEBUGASSERT(octx);
1851  if(!octx->ssl || cf->shutdown) {
1852    *done = TRUE;
1853    goto out;
1854  }
1855
1856  connssl->io_need = CURL_SSL_IO_NEED_NONE;
1857  *done = FALSE;
1858  if(!(SSL_get_shutdown(octx->ssl) & SSL_SENT_SHUTDOWN)) {
1859    /* We have not started the shutdown from our side yet. Check
1860     * if the server already sent us one. */
1861    ERR_clear_error();
1862    for(i = 0; i < 10; ++i) {
1863      nread = SSL_read(octx->ssl, buf, (int)sizeof(buf));
1864      CURL_TRC_CF(data, cf, "SSL shutdown not sent, read -> %d", nread);
1865      if(nread <= 0)
1866        break;
1867    }
1868    err = SSL_get_error(octx->ssl, nread);
1869    if(!nread && err == SSL_ERROR_ZERO_RETURN) {
1870      bool input_pending;
1871      /* Yes, it did. */
1872      if(!send_shutdown) {
1873        CURL_TRC_CF(data, cf, "SSL shutdown received, not sending");
1874        *done = TRUE;
1875        goto out;
1876      }
1877      else if(!cf->next->cft->is_alive(cf->next, data, &input_pending)) {
1878        /* Server closed the connection after its closy notify. It
1879         * seems not interested to see our close notify, so do not
1880         * send it. We are done. */
1881        connssl->peer_closed = TRUE;
1882        CURL_TRC_CF(data, cf, "peer closed connection");
1883        *done = TRUE;
1884        goto out;
1885      }
1886    }
1887  }
1888
1889  /* SSL should now have started the shutdown from our side. Since it
1890   * was not complete, we are lacking the close notify from the server. */
1891  if(send_shutdown && !(SSL_get_shutdown(octx->ssl) & SSL_SENT_SHUTDOWN)) {
1892    int rc;
1893    ERR_clear_error();
1894    CURL_TRC_CF(data, cf, "send SSL close notify");
1895    rc = SSL_shutdown(octx->ssl);
1896    if(rc == 1) {
1897      CURL_TRC_CF(data, cf, "SSL shutdown finished");
1898      *done = TRUE;
1899      goto out;
1900    }
1901    if(SSL_ERROR_WANT_WRITE == SSL_get_error(octx->ssl, rc)) {
1902      CURL_TRC_CF(data, cf, "SSL shutdown still wants to send");
1903      connssl->io_need = CURL_SSL_IO_NEED_SEND;
1904      goto out;
1905    }
1906    /* Having sent the close notify, we use SSL_read() to get the
1907     * missing close notify from the server. */
1908  }
1909
1910  for(i = 0; i < 10; ++i) {
1911    ERR_clear_error();
1912    nread = SSL_read(octx->ssl, buf, (int)sizeof(buf));
1913    CURL_TRC_CF(data, cf, "SSL shutdown read -> %d", nread);
1914    if(nread <= 0)
1915      break;
1916  }
1917  err = SSL_get_error(octx->ssl, nread);
1918  switch(err) {
1919  case SSL_ERROR_ZERO_RETURN: /* no more data */
1920    if(SSL_shutdown(octx->ssl) == 1)
1921      CURL_TRC_CF(data, cf, "SSL shutdown finished");
1922    else
1923      CURL_TRC_CF(data, cf, "SSL shutdown not received, but closed");
1924    *done = TRUE;
1925    break;
1926  case SSL_ERROR_NONE: /* did not get anything */
1927  case SSL_ERROR_WANT_READ:
1928    /* SSL has send its notify and now wants to read the reply
1929     * from the server. We are not really interested in that. */
1930    CURL_TRC_CF(data, cf, "SSL shutdown sent, want receive");
1931    connssl->io_need = CURL_SSL_IO_NEED_RECV;
1932    break;
1933  case SSL_ERROR_WANT_WRITE:
1934    CURL_TRC_CF(data, cf, "SSL shutdown send blocked");
1935    connssl->io_need = CURL_SSL_IO_NEED_SEND;
1936    break;
1937  default:
1938    /* Server seems to have closed the connection without sending us
1939     * a close notify. */
1940    {
1941      VERBOSE(unsigned long sslerr = ERR_get_error());
1942      CURL_TRC_CF(data, cf, "SSL shutdown, ignore recv error: '%s', errno %d",
1943                  (sslerr ?
1944                   ossl_strerror(sslerr, buf, sizeof(buf)) :
1945                   SSL_ERROR_to_str(err)),
1946                  SOCKERRNO);
1947    }
1948    *done = TRUE;
1949    result = CURLE_OK;
1950    break;
1951  }
1952
1953out:
1954  cf->shutdown = (result || *done);
1955  if(cf->shutdown || (connssl->io_need != CURL_SSL_IO_NEED_NONE))
1956    connssl->input_pending = FALSE;
1957  return result;
1958}
1959
1960static void ossl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1961{
1962  struct ssl_connect_data *connssl = cf->ctx;
1963  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
1964
1965  (void)data;
1966  DEBUGASSERT(octx);
1967
1968  connssl->input_pending = FALSE;
1969  if(octx->ssl) {
1970    SSL_free(octx->ssl);
1971    octx->ssl = NULL;
1972  }
1973  if(octx->ssl_ctx) {
1974    SSL_CTX_free(octx->ssl_ctx);
1975    octx->ssl_ctx = NULL;
1976    octx->x509_store_setup = FALSE;
1977  }
1978  if(octx->bio_method) {
1979    ossl_bio_cf_method_free(octx->bio_method);
1980    octx->bio_method = NULL;
1981  }
1982}
1983
1984/*
1985 * This function is called when the 'data' struct is going away. Close
1986 * down everything and free all resources!
1987 */
1988static void ossl_close_all(struct Curl_easy *data)
1989{
1990#ifdef USE_OPENSSL_ENGINE
1991  if(data->state.engine) {
1992    ENGINE_finish(data->state.engine);
1993    ENGINE_free(data->state.engine);
1994    data->state.engine = NULL;
1995  }
1996#else
1997  (void)data;
1998#endif
1999#ifdef OPENSSL_HAS_PROVIDERS
2000  ossl_provider_cleanup(data);
2001#endif
2002}
2003
2004/* ====================================================== */
2005
2006/* Quote from RFC2818 section 3.1 "Server Identity"
2007
2008   If a subjectAltName extension of type dNSName is present, that MUST
2009   be used as the identity. Otherwise, the (most specific) Common Name
2010   field in the Subject field of the certificate MUST be used. Although
2011   the use of the Common Name is existing practice, it is deprecated and
2012   Certification Authorities are encouraged to use the dNSName instead.
2013
2014   Matching is performed using the matching rules specified by
2015   [RFC2459]. If more than one identity of a given type is present in
2016   the certificate (e.g., more than one dNSName name, a match in any one
2017   of the set is considered acceptable.) Names may contain the wildcard
2018   character * which is considered to match any single domain name
2019   component or component fragment. E.g., *.a.com matches foo.a.com but
2020   not bar.foo.a.com. f*.com matches foo.com but not bar.com.
2021
2022   In some cases, the URI is specified as an IP address rather than a
2023   hostname. In this case, the iPAddress subjectAltName must be present
2024   in the certificate and must exactly match the IP in the URI.
2025
2026   This function is now used from ngtcp2 (QUIC) as well.
2027*/
2028static CURLcode ossl_verifyhost(struct Curl_easy *data,
2029                                struct connectdata *conn,
2030                                struct ssl_peer *peer,
2031                                X509 *server_cert)
2032{
2033  bool matched = FALSE;
2034  int target; /* target type, GEN_DNS or GEN_IPADD */
2035  size_t addrlen = 0;
2036  STACK_OF(GENERAL_NAME) *altnames;
2037#ifdef USE_IPV6
2038  struct in6_addr addr;
2039#else
2040  struct in_addr addr;
2041#endif
2042  CURLcode result = CURLE_OK;
2043  bool dNSName = FALSE; /* if a dNSName field exists in the cert */
2044  bool iPAddress = FALSE; /* if an iPAddress field exists in the cert */
2045  size_t hostlen = strlen(peer->dest->hostname);
2046
2047  (void)conn;
2048  switch(peer->type) {
2049  case CURL_SSL_PEER_IPV4:
2050    if(!curlx_inet_pton(AF_INET, peer->dest->hostname, &addr))
2051      return CURLE_PEER_FAILED_VERIFICATION;
2052    target = GEN_IPADD;
2053    addrlen = sizeof(struct in_addr);
2054    break;
2055#ifdef USE_IPV6
2056  case CURL_SSL_PEER_IPV6:
2057    if(!curlx_inet_pton(AF_INET6, peer->dest->hostname, &addr))
2058      return CURLE_PEER_FAILED_VERIFICATION;
2059    target = GEN_IPADD;
2060    addrlen = sizeof(struct in6_addr);
2061    break;
2062#endif
2063  case CURL_SSL_PEER_DNS:
2064    target = GEN_DNS;
2065    break;
2066  default:
2067    DEBUGASSERT(0);
2068    failf(data, "unexpected ssl peer type: %d", peer->type);
2069    return CURLE_PEER_FAILED_VERIFICATION;
2070  }
2071
2072  /* get a "list" of alternative names */
2073  altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
2074
2075  if(altnames) {
2076#ifdef HAVE_BORINGSSL_LIKE
2077    size_t numalts;
2078    size_t i;
2079#else
2080    int numalts;
2081    int i;
2082#endif
2083
2084    /* get amount of alternatives, RFC2459 claims there MUST be at least
2085       one, but we do not depend on it... */
2086    numalts = sk_GENERAL_NAME_num(altnames);
2087
2088    /* loop through all alternatives - until a dnsmatch */
2089    for(i = 0; (i < numalts) && !matched; i++) {
2090      /* get a handle to alternative name number i */
2091      const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
2092
2093      if(check->type == GEN_DNS)
2094        dNSName = TRUE;
2095      else if(check->type == GEN_IPADD)
2096        iPAddress = TRUE;
2097
2098      /* only check alternatives of the same type the target is */
2099      if(check->type == target) {
2100        /* get data and length */
2101        const char *altptr = (const char *)ASN1_STRING_get0_data(check->d.ia5);
2102        size_t altlen = (size_t)ASN1_STRING_length(check->d.ia5);
2103
2104        switch(target) {
2105        case GEN_DNS: /* name/pattern comparison */
2106          /* The OpenSSL man page explicitly says: "In general it cannot be
2107             assumed that the data returned by ASN1_STRING_data() is null
2108             terminated or does not contain embedded nulls.", but also that
2109             "The actual format of the data depends on the actual string
2110             type itself: for example for an IA5String the data is ASCII"
2111
2112             It has been however verified that in 0.9.6 and 0.9.7, IA5String
2113             is always null-terminated.
2114          */
2115          if((altlen == strlen(altptr)) &&
2116             /* if this is not true, there was an embedded zero in the name
2117                string and we cannot match it. */
2118             Curl_cert_hostcheck(altptr, altlen,
2119                                 peer->dest->hostname, hostlen)) {
2120            matched = TRUE;
2121            infof(data, "  subjectAltName: \"%s\" matches cert's \"%.*s\"",
2122                  peer->dest->user_hostname, (int)altlen, altptr);
2123          }
2124          break;
2125
2126        case GEN_IPADD: /* IP address comparison */
2127          /* compare alternative IP address if the data chunk is the same size
2128             our server IP address is */
2129          if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
2130            matched = TRUE;
2131            infof(data, "  subjectAltName: \"%s\" matches cert's IP address!",
2132                  peer->dest->user_hostname);
2133          }
2134          break;
2135        }
2136      }
2137    }
2138    GENERAL_NAMES_free(altnames);
2139  }
2140
2141  if(matched)
2142    /* an alternative name matched */
2143    ;
2144  else if(dNSName || iPAddress) {
2145    const char *tname = (peer->type == CURL_SSL_PEER_DNS) ? "hostname" :
2146                        (peer->type == CURL_SSL_PEER_IPV4) ?
2147                        "ipv4 address" : "ipv6 address";
2148    infof(data, " subjectAltName does not match %s %s", tname,
2149          peer->dest->user_hostname);
2150    failf(data, "SSL: no alternative certificate subject name matches "
2151          "target %s '%s'", tname, peer->dest->user_hostname);
2152    result = CURLE_PEER_FAILED_VERIFICATION;
2153  }
2154  else {
2155    /* we have to look to the last occurrence of a commonName in the
2156       distinguished one to get the most significant one. */
2157    int i = -1;
2158    unsigned char *cn = NULL;
2159    int cnlen = 0;
2160    bool free_cn = FALSE;
2161
2162    /* The following is done because of a bug in 0.9.6b */
2163    const X509_NAME *name = X509_get_subject_name(server_cert);
2164    if(name) {
2165      int j;
2166      while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0)
2167        i = j;
2168    }
2169
2170    /* we have the name entry and we now convert this to a string
2171       that we can use for comparison. Doing this we support BMPstring,
2172       UTF8, etc. */
2173
2174    if(i >= 0) {
2175      const ASN1_STRING *tmp =
2176        X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
2177
2178      /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
2179         is already UTF-8 encoded. We check for this case and copy the raw
2180         string manually to avoid the problem. This code can be made
2181         conditional in the future when OpenSSL has been fixed. */
2182      if(tmp) {
2183        if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
2184          cnlen = ASN1_STRING_length(tmp);
2185          cn = (unsigned char *)CURL_UNCONST(ASN1_STRING_get0_data(tmp));
2186        }
2187        else { /* not a UTF8 name */
2188          cnlen = ASN1_STRING_to_UTF8(&cn, tmp);
2189          free_cn = TRUE;
2190        }
2191
2192        if((cnlen <= 0) || !cn)
2193          result = CURLE_OUT_OF_MEMORY;
2194        else if((size_t)cnlen != strlen((char *)cn)) {
2195          /* there was a terminating zero before the end of string, this
2196             cannot match and we return failure! */
2197          failf(data, "SSL: illegal cert name field");
2198          result = CURLE_PEER_FAILED_VERIFICATION;
2199        }
2200      }
2201    }
2202
2203    if(result)
2204      /* error already detected, pass through */
2205      ;
2206    else if(!cn) {
2207      failf(data, "SSL: unable to obtain common name from peer certificate");
2208      result = CURLE_PEER_FAILED_VERIFICATION;
2209    }
2210    else if(!Curl_cert_hostcheck((const char *)cn, cnlen,
2211                                 peer->dest->hostname, hostlen)) {
2212      failf(data, "SSL: certificate subject name '%s' does not match "
2213            "target hostname '%s'", cn, peer->dest->user_hostname);
2214      result = CURLE_PEER_FAILED_VERIFICATION;
2215    }
2216    else {
2217      infof(data, " common name: %s (matched)", cn);
2218    }
2219    if(free_cn)
2220      OPENSSL_free(cn);
2221  }
2222
2223  return result;
2224}
2225
2226#ifndef OPENSSL_NO_OCSP
2227static CURLcode verifystatus(struct Curl_cfilter *cf,
2228                             struct Curl_easy *data,
2229                             struct ossl_ctx *octx)
2230{
2231  int i, ocsp_status;
2232#ifdef HAVE_BORINGSSL_LIKE
2233  const uint8_t *status;
2234#else
2235  unsigned char *status;
2236#endif
2237  const unsigned char *p;
2238  CURLcode result = CURLE_OK;
2239  OCSP_RESPONSE *rsp = NULL;
2240  OCSP_BASICRESP *br = NULL;
2241  X509_STORE     *st = NULL;
2242  STACK_OF(X509) *ch = NULL;
2243  X509 *cert;
2244  OCSP_CERTID *id = NULL;
2245  int cert_status, crl_reason;
2246  ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
2247  int ret;
2248  long len;
2249
2250  (void)cf;
2251  DEBUGASSERT(octx);
2252
2253  len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &status);
2254
2255  if(!status) {
2256    failf(data, "No OCSP response received");
2257    result = CURLE_SSL_INVALIDCERTSTATUS;
2258    goto end;
2259  }
2260  p = status;
2261  rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2262  if(!rsp) {
2263    failf(data, "Invalid OCSP response");
2264    result = CURLE_SSL_INVALIDCERTSTATUS;
2265    goto end;
2266  }
2267
2268  ocsp_status = OCSP_response_status(rsp);
2269  if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
2270    failf(data, "Invalid OCSP response status: %s (%d)",
2271          OCSP_response_status_str(ocsp_status), ocsp_status);
2272    result = CURLE_SSL_INVALIDCERTSTATUS;
2273    goto end;
2274  }
2275
2276  br = OCSP_response_get1_basic(rsp);
2277  if(!br) {
2278    failf(data, "Invalid OCSP response");
2279    result = CURLE_SSL_INVALIDCERTSTATUS;
2280    goto end;
2281  }
2282
2283  ch = SSL_get_peer_cert_chain(octx->ssl);
2284  if(!ch) {
2285    failf(data, "Could not get peer certificate chain");
2286    result = CURLE_SSL_INVALIDCERTSTATUS;
2287    goto end;
2288  }
2289  st = SSL_CTX_get_cert_store(octx->ssl_ctx);
2290
2291  if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
2292    failf(data, "OCSP response verification failed");
2293    result = CURLE_SSL_INVALIDCERTSTATUS;
2294    goto end;
2295  }
2296
2297  /* Compute the certificate's ID */
2298  cert = SSL_get1_peer_certificate(octx->ssl);
2299  if(!cert) {
2300    failf(data, "Error getting peer certificate");
2301    result = CURLE_SSL_INVALIDCERTSTATUS;
2302    goto end;
2303  }
2304
2305  for(i = 0; i < (int)sk_X509_num(ch); i++) {
2306    X509 *issuer = sk_X509_value(ch, (ossl_valsize_t)i);
2307    if(X509_check_issued(issuer, cert) == X509_V_OK) {
2308      /* Note to analysis tools: using SHA1 here is fine. The `id`
2309       * generated is used as a hash lookup key, not as a verifier
2310       * of the OCSP data itself. This all according to RFC 5019. */
2311      id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
2312      break;
2313    }
2314  }
2315  X509_free(cert);
2316
2317  if(!id) {
2318    failf(data, "Error computing OCSP ID");
2319    result = CURLE_SSL_INVALIDCERTSTATUS;
2320    goto end;
2321  }
2322
2323  /* Find the single OCSP response corresponding to the certificate ID */
2324  ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
2325                              &thisupd, &nextupd);
2326  OCSP_CERTID_free(id);
2327  if(ret != 1) {
2328    failf(data, "Could not find certificate ID in OCSP response");
2329    result = CURLE_SSL_INVALIDCERTSTATUS;
2330    goto end;
2331  }
2332
2333  /* Validate the OCSP response issuing and update times.
2334   * - `thisupd` is the time the OCSP response was issued
2335   * - `nextupd` is the time the OCSP response should be updated
2336   *    (valid life time assigned by the OCSP responder)
2337   * - 3rd param: how many seconds of clock skew we allow between
2338   *   our clock and the instance that issued the OCSP response
2339   * - 4th param: how many seconds in the past `thisupd` may be, with
2340   *   -1 meaning there is no limit. */
2341  if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
2342    failf(data, "OCSP response has expired");
2343    result = CURLE_SSL_INVALIDCERTSTATUS;
2344    goto end;
2345  }
2346
2347  infof(data, "SSL certificate status: %s (%d)",
2348        OCSP_cert_status_str(cert_status), cert_status);
2349
2350  switch(cert_status) {
2351  case V_OCSP_CERTSTATUS_GOOD:
2352    break;
2353
2354  case V_OCSP_CERTSTATUS_REVOKED:
2355    result = CURLE_SSL_INVALIDCERTSTATUS;
2356    failf(data, "SSL certificate revocation reason: %s (%d)",
2357          OCSP_crl_reason_str(crl_reason), crl_reason);
2358    goto end;
2359
2360  case V_OCSP_CERTSTATUS_UNKNOWN:
2361  default:
2362    result = CURLE_SSL_INVALIDCERTSTATUS;
2363    goto end;
2364  }
2365
2366end:
2367  if(br)
2368    OCSP_BASICRESP_free(br);
2369  OCSP_RESPONSE_free(rsp);
2370
2371  return result;
2372}
2373#endif
2374
2375static const char *ssl_msg_type(int ssl_ver, int msg)
2376{
2377  if(ssl_ver == SSL3_VERSION_MAJOR) {
2378    switch(msg) {
2379    case SSL3_MT_HELLO_REQUEST:
2380      return "Hello request";
2381    case SSL3_MT_CLIENT_HELLO:
2382      return "Client hello";
2383    case SSL3_MT_SERVER_HELLO:
2384      return "Server hello";
2385#ifdef SSL3_MT_NEWSESSION_TICKET
2386    case SSL3_MT_NEWSESSION_TICKET:
2387      return "Newsession Ticket";
2388#endif
2389    case SSL3_MT_CERTIFICATE:
2390      return "Certificate";
2391    case SSL3_MT_SERVER_KEY_EXCHANGE:
2392      return "Server key exchange";
2393    case SSL3_MT_CLIENT_KEY_EXCHANGE:
2394      return "Client key exchange";
2395    case SSL3_MT_CERTIFICATE_REQUEST:
2396      return "Request CERT";
2397    case SSL3_MT_SERVER_DONE:
2398      return "Server finished";
2399    case SSL3_MT_CERTIFICATE_VERIFY:
2400      return "CERT verify";
2401    case SSL3_MT_FINISHED:
2402      return "Finished";
2403#ifdef SSL3_MT_CERTIFICATE_STATUS
2404    case SSL3_MT_CERTIFICATE_STATUS:
2405      return "Certificate Status";
2406#endif
2407#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS
2408    case SSL3_MT_ENCRYPTED_EXTENSIONS:
2409      return "Encrypted Extensions";
2410#endif
2411#ifdef SSL3_MT_SUPPLEMENTAL_DATA
2412    case SSL3_MT_SUPPLEMENTAL_DATA:
2413      return "Supplemental data";
2414#endif
2415#ifdef SSL3_MT_END_OF_EARLY_DATA
2416    case SSL3_MT_END_OF_EARLY_DATA:
2417      return "End of early data";
2418#endif
2419#ifdef SSL3_MT_KEY_UPDATE
2420    case SSL3_MT_KEY_UPDATE:
2421      return "Key update";
2422#endif
2423#ifdef SSL3_MT_NEXT_PROTO
2424    case SSL3_MT_NEXT_PROTO:
2425      return "Next protocol";
2426#endif
2427#ifdef SSL3_MT_MESSAGE_HASH
2428    case SSL3_MT_MESSAGE_HASH:
2429      return "Message hash";
2430#endif
2431    }
2432  }
2433  return "Unknown";
2434}
2435
2436static const char *tls_rt_type(int type)
2437{
2438  switch(type) {
2439#ifdef SSL3_RT_HEADER
2440  case SSL3_RT_HEADER:
2441    return "TLS header";
2442#endif
2443  case SSL3_RT_CHANGE_CIPHER_SPEC:
2444    return "TLS change cipher";
2445  case SSL3_RT_ALERT:
2446    return "TLS alert";
2447  case SSL3_RT_HANDSHAKE:
2448    return "TLS handshake";
2449  case SSL3_RT_APPLICATION_DATA:
2450    return "TLS app data";
2451  default:
2452    return "TLS Unknown";
2453  }
2454}
2455
2456/*
2457 * Our callback from the SSL/TLS layers.
2458 */
2459static void ossl_trace(int direction, int ssl_ver, int content_type,
2460                       const void *buf, size_t len, SSL *ssl,
2461                       void *userp)
2462{
2463  const char *verstr;
2464  struct Curl_cfilter *cf = userp;
2465  struct Curl_easy *data = NULL;
2466  char unknown[32];
2467
2468  if(!cf)
2469    return;
2470  data = CF_DATA_CURRENT(cf);
2471  if(!data || !data->set.fdebug || (direction && direction != 1))
2472    return;
2473
2474  switch(ssl_ver) {
2475#ifdef SSL3_VERSION
2476  case SSL3_VERSION:
2477    verstr = "SSLv3";
2478    break;
2479#endif
2480  case TLS1_VERSION:
2481    verstr = "TLSv1.0";
2482    break;
2483#ifdef TLS1_1_VERSION
2484  case TLS1_1_VERSION:
2485    verstr = "TLSv1.1";
2486    break;
2487#endif
2488#ifdef TLS1_2_VERSION
2489  case TLS1_2_VERSION:
2490    verstr = "TLSv1.2";
2491    break;
2492#endif
2493  case TLS1_3_VERSION:
2494    verstr = "TLSv1.3";
2495    break;
2496  default:
2497    curl_msnprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
2498    verstr = unknown;
2499    break;
2500  }
2501
2502  /* Log progress for interesting records only (like Handshake or Alert), skip
2503   * all raw record headers (content_type == SSL3_RT_HEADER or ssl_ver == 0).
2504   * For TLS 1.3, skip notification of the decrypted inner Content-Type.
2505   */
2506  if(ssl_ver
2507#ifdef SSL3_RT_HEADER
2508     && content_type != SSL3_RT_HEADER
2509#endif
2510#ifdef SSL3_RT_INNER_CONTENT_TYPE
2511     && content_type != SSL3_RT_INNER_CONTENT_TYPE
2512#endif
2513    ) {
2514    const char *msg_name = "Truncated message";
2515    const char *tls_rt_name;
2516    char ssl_buf[1024];
2517    int msg_type = 0;
2518    int txt_len;
2519
2520    /* the info given when the version is zero is not that useful for us */
2521
2522    ssl_ver >>= 8; /* check the upper 8 bits only below */
2523
2524    /* SSLv2 does not seem to have TLS record-type headers, so OpenSSL
2525     * always pass-up content-type as 0, but the interesting message-type
2526     * is at 'buf[0]'.
2527     */
2528    if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
2529      tls_rt_name = tls_rt_type(content_type);
2530    else
2531      tls_rt_name = "";
2532
2533    if(content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
2534      if(len) {
2535        msg_type = *(const unsigned char *)buf;
2536        msg_name = "Change cipher spec";
2537      }
2538    }
2539    else if(content_type == SSL3_RT_ALERT) {
2540      if(len >= 2) {
2541        msg_type =
2542          (((const unsigned char *)buf)[0] << 8) +
2543           ((const unsigned char *)buf)[1];
2544        msg_name = SSL_alert_desc_string_long(msg_type);
2545      }
2546    }
2547    else if(len) {
2548      msg_type = *(const unsigned char *)buf;
2549      msg_name = ssl_msg_type(ssl_ver, msg_type);
2550    }
2551
2552    txt_len = curl_msnprintf(ssl_buf, sizeof(ssl_buf),
2553                             "%s (%s), %s, %s (%d):\n",
2554                             verstr, direction ? "OUT" : "IN",
2555                             tls_rt_name, msg_name, msg_type);
2556    Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len);
2557  }
2558
2559  Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
2560             CURLINFO_SSL_DATA_IN, (const char *)buf, len);
2561  (void)ssl;
2562}
2563
2564static CURLcode ossl_set_ssl_version_min_max(struct Curl_cfilter *cf,
2565                                             SSL_CTX *ctx,
2566                                             unsigned int ssl_version_min)
2567{
2568  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
2569  /* first, TLS min version... */
2570  long curl_ssl_version_min = (long)ssl_version_min;
2571  long curl_ssl_version_max;
2572
2573  /* convert curl min SSL version option to OpenSSL constant */
2574#if defined(HAVE_BORINGSSL_LIKE) || defined(LIBRESSL_VERSION_NUMBER)
2575  uint16_t ossl_ssl_version_min = 0;
2576  uint16_t ossl_ssl_version_max = 0;
2577#else
2578  long ossl_ssl_version_min = 0;
2579  long ossl_ssl_version_max = 0;
2580#endif
2581  /* it cannot be default here */
2582  DEBUGASSERT(curl_ssl_version_min != CURL_SSLVERSION_DEFAULT);
2583  switch(curl_ssl_version_min) {
2584  case CURL_SSLVERSION_TLSv1: /* TLS 1.x */
2585  case CURL_SSLVERSION_TLSv1_0:
2586    ossl_ssl_version_min = TLS1_VERSION;
2587    break;
2588  case CURL_SSLVERSION_TLSv1_1:
2589    ossl_ssl_version_min = TLS1_1_VERSION;
2590    break;
2591  case CURL_SSLVERSION_TLSv1_2:
2592    ossl_ssl_version_min = TLS1_2_VERSION;
2593    break;
2594  case CURL_SSLVERSION_TLSv1_3:
2595    ossl_ssl_version_min = TLS1_3_VERSION;
2596    break;
2597  }
2598
2599  /* ... then, TLS max version */
2600  curl_ssl_version_max = (long)conn_config->version_max;
2601
2602  /* convert curl max SSL version option to OpenSSL constant */
2603  switch(curl_ssl_version_max) {
2604  case CURL_SSLVERSION_MAX_TLSv1_0:
2605    ossl_ssl_version_max = TLS1_VERSION;
2606    break;
2607  case CURL_SSLVERSION_MAX_TLSv1_1:
2608    ossl_ssl_version_max = TLS1_1_VERSION;
2609    break;
2610  case CURL_SSLVERSION_MAX_TLSv1_2:
2611    ossl_ssl_version_max = TLS1_2_VERSION;
2612    break;
2613  case CURL_SSLVERSION_MAX_TLSv1_3:
2614    ossl_ssl_version_max = TLS1_3_VERSION;
2615    break;
2616  case CURL_SSLVERSION_MAX_NONE:  /* none selected */
2617  case CURL_SSLVERSION_MAX_DEFAULT:  /* max selected */
2618  default:
2619    /* SSL_CTX_set_max_proto_version states that: setting the maximum to 0
2620       enables protocol versions up to the highest version supported by
2621       the library */
2622    ossl_ssl_version_max = 0;
2623    break;
2624  }
2625
2626  if(!SSL_CTX_set_min_proto_version(ctx, ossl_ssl_version_min) ||
2627     !SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max))
2628    return CURLE_SSL_CONNECT_ERROR;
2629
2630  return CURLE_OK;
2631}
2632
2633#ifdef HAVE_BORINGSSL_LIKE
2634typedef uint32_t ctx_option_t;
2635#elif defined(HAVE_OPENSSL3)
2636typedef uint64_t ctx_option_t;
2637#elif defined(LIBRESSL_VERSION_NUMBER)
2638typedef long ctx_option_t;
2639#else
2640typedef unsigned long ctx_option_t;
2641#endif
2642
2643CURLcode Curl_ossl_add_session(struct Curl_cfilter *cf,
2644                               struct Curl_easy *data,
2645                               const char *ssl_peer_key,
2646                               SSL_SESSION *session,
2647                               int ietf_tls_id,
2648                               const char *alpn,
2649                               unsigned char *quic_tp,
2650                               size_t quic_tp_len)
2651{
2652  unsigned char *der_session_buf = NULL;
2653  unsigned char *qtp_clone = NULL;
2654  CURLcode result = CURLE_OK;
2655
2656  if(!cf || !data)
2657    goto out;
2658
2659  if(Curl_ssl_scache_use(cf, data)) {
2660    struct Curl_ssl_session *sc_session = NULL;
2661    size_t der_session_size;
2662    unsigned char *der_session_ptr;
2663    size_t earlydata_max = 0;
2664
2665    der_session_size = i2d_SSL_SESSION(session, NULL);
2666    if(der_session_size == 0) {
2667      result = CURLE_OUT_OF_MEMORY;
2668      goto out;
2669    }
2670
2671    der_session_buf = der_session_ptr = curlx_malloc(der_session_size);
2672    if(!der_session_buf) {
2673      result = CURLE_OUT_OF_MEMORY;
2674      goto out;
2675    }
2676
2677    der_session_size = i2d_SSL_SESSION(session, &der_session_ptr);
2678    if(der_session_size == 0) {
2679      result = CURLE_OUT_OF_MEMORY;
2680      goto out;
2681    }
2682
2683#ifdef HAVE_OPENSSL_EARLYDATA
2684    earlydata_max = SSL_SESSION_get_max_early_data(session);
2685#endif
2686    if(quic_tp && quic_tp_len) {
2687      qtp_clone = curlx_memdup0((const char *)quic_tp, quic_tp_len);
2688      if(!qtp_clone) {
2689        result = CURLE_OUT_OF_MEMORY;
2690        goto out;
2691      }
2692    }
2693
2694    result = Curl_ssl_session_create2(der_session_buf, der_session_size,
2695                                      ietf_tls_id, alpn,
2696                                      (curl_off_t)time(NULL) +
2697                                        SSL_SESSION_get_timeout(session),
2698                                      earlydata_max, qtp_clone, quic_tp_len,
2699                                      &sc_session);
2700    der_session_buf = NULL;  /* took ownership of sdata */
2701    if(!result) {
2702      result = Curl_ssl_scache_put(cf, data, ssl_peer_key, sc_session);
2703      /* took ownership of `sc_session` */
2704    }
2705  }
2706
2707out:
2708  curlx_free(der_session_buf);
2709  return result;
2710}
2711
2712/* The "new session" callback must return zero if the session can be removed
2713 * or non-zero if the session has been put into the session cache.
2714 */
2715static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
2716{
2717  struct Curl_cfilter *cf = (struct Curl_cfilter *)SSL_get_app_data(ssl);
2718  if(cf) {
2719    struct Curl_easy *data = CF_DATA_CURRENT(cf);
2720    struct ssl_connect_data *connssl = cf->ctx;
2721    Curl_ossl_add_session(cf, data, connssl->peer.scache_key, ssl_sessionid,
2722                          SSL_version(ssl), connssl->negotiated.alpn, NULL, 0);
2723  }
2724  return 0;
2725}
2726
2727static CURLcode load_cacert_from_memory(X509_STORE *store,
2728                                        const struct curl_blob *ca_info_blob)
2729{
2730  /* these need to be freed at the end */
2731  BIO *cbio = NULL;
2732  STACK_OF(X509_INFO) *inf = NULL;
2733
2734  /* everything else is a reference */
2735  int i, count = 0;
2736  X509_INFO *itmp = NULL;
2737
2738  if(ca_info_blob->len > (size_t)INT_MAX)
2739    return CURLE_SSL_CACERT_BADFILE;
2740
2741  cbio = BIO_new_mem_buf(ca_info_blob->data, (int)ca_info_blob->len);
2742  if(!cbio)
2743    return CURLE_OUT_OF_MEMORY;
2744
2745  inf = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL);
2746  if(!inf) {
2747    BIO_free(cbio);
2748    return CURLE_SSL_CACERT_BADFILE;
2749  }
2750
2751  /* add each entry from PEM file to x509_store */
2752  for(i = 0; i < (int)sk_X509_INFO_num(inf); ++i) {
2753    itmp = sk_X509_INFO_value(inf, (ossl_valsize_t)i);
2754    if(itmp->x509) {
2755      if(X509_STORE_add_cert(store, itmp->x509)) {
2756        ++count;
2757      }
2758      else {
2759        /* set count to 0 to return an error */
2760        count = 0;
2761        break;
2762      }
2763    }
2764    if(itmp->crl) {
2765      if(X509_STORE_add_crl(store, itmp->crl)) {
2766        ++count;
2767      }
2768      else {
2769        /* set count to 0 to return an error */
2770        count = 0;
2771        break;
2772      }
2773    }
2774  }
2775
2776#if defined(__clang__) && __clang_major__ >= 16
2777#pragma clang diagnostic push
2778#pragma clang diagnostic ignored "-Wcast-function-type-strict"
2779#endif
2780  sk_X509_INFO_pop_free(inf, X509_INFO_free);
2781#if defined(__clang__) && __clang_major__ >= 16
2782#pragma clang diagnostic pop
2783#endif
2784  BIO_free(cbio);
2785
2786  /* if we did not end up importing anything, treat that as an error */
2787  return (count > 0) ? CURLE_OK : CURLE_SSL_CACERT_BADFILE;
2788}
2789
2790#ifdef USE_WIN32_CRYPTO
2791static CURLcode ossl_win_load_store(struct Curl_easy *data,
2792                                    struct Curl_cfilter *cf,
2793                                    const char *win_store,
2794                                    X509_STORE *store,
2795                                    bool *padded)
2796{
2797  CURLcode result = CURLE_OK;
2798  HCERTSTORE hStore;
2799
2800  *padded = FALSE;
2801
2802  hStore = CertOpenSystemStoreA(0, win_store);
2803  if(hStore) {
2804    PCCERT_CONTEXT pContext = NULL;
2805    /* The array of enhanced key usage OIDs varies per certificate and
2806       is declared outside of the loop so that rather than malloc/free each
2807       iteration we can grow it with realloc, when necessary. */
2808    CERT_ENHKEY_USAGE *enhkey_usage = NULL;
2809    DWORD enhkey_usage_size = 0;
2810    VERBOSE(size_t total = 0);
2811    VERBOSE(size_t imported = 0);
2812
2813    /* This loop makes a best effort to import all valid certificates from
2814       the MS root store. If a certificate cannot be imported it is
2815       skipped. 'result' is used to store only hard-fail conditions (such
2816       as out of memory) that cause an early break. */
2817    result = CURLE_OK;
2818    for(;;) {
2819      X509 *x509;
2820      FILETIME now;
2821      BYTE key_usage[2];
2822      DWORD req_size;
2823      const unsigned char *encoded_cert;
2824      pContext = CertEnumCertificatesInStore(hStore, pContext);
2825      if(!pContext)
2826        break;
2827
2828      VERBOSE(++total);
2829
2830#if defined(DEBUGBUILD) && defined(CURLVERBOSE)
2831      {
2832        char cert_name[256];
2833        if(!CertGetNameStringA(pContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0,
2834                               NULL, cert_name, sizeof(cert_name)))
2835          infof(data, "SSL: unknown cert name");
2836        else
2837          infof(data, "SSL: Checking cert \"%s\"", cert_name);
2838      }
2839#endif
2840      encoded_cert = (const unsigned char *)pContext->pbCertEncoded;
2841      if(!encoded_cert)
2842        continue;
2843
2844      GetSystemTimeAsFileTime(&now);
2845      if(CompareFileTime(&pContext->pCertInfo->NotBefore, &now) > 0 ||
2846         CompareFileTime(&now, &pContext->pCertInfo->NotAfter) > 0)
2847        continue;
2848
2849      /* If key usage exists check for signing attribute */
2850      if(CertGetIntendedKeyUsage(pContext->dwCertEncodingType,
2851                                 pContext->pCertInfo,
2852                                 key_usage, sizeof(key_usage))) {
2853        if(!(key_usage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE))
2854          continue;
2855      }
2856      else if(GetLastError())
2857        continue;
2858
2859      /* If enhanced key usage exists check for server auth attribute.
2860       *
2861       * Note "In a Microsoft environment, a certificate might also have
2862       * EKU extended properties that specify valid uses for the
2863       * certificate."  The call below checks both, and behavior varies
2864       * depending on what is found. For more details see
2865       * CertGetEnhancedKeyUsage doc.
2866       */
2867      if(CertGetEnhancedKeyUsage(pContext, 0, NULL, &req_size) && req_size) {
2868        if(req_size > enhkey_usage_size) {
2869          void *tmp = curlx_realloc(enhkey_usage, req_size);
2870
2871          if(!tmp) {
2872            failf(data, "SSL: Out of memory allocating for OID list");
2873            result = CURLE_OUT_OF_MEMORY;
2874            break;
2875          }
2876
2877          enhkey_usage = (CERT_ENHKEY_USAGE *)tmp;
2878          enhkey_usage_size = req_size;
2879        }
2880
2881        if(CertGetEnhancedKeyUsage(pContext, 0, enhkey_usage, &req_size)) {
2882          if(!enhkey_usage->cUsageIdentifier) {
2883            /* "If GetLastError returns CRYPT_E_NOT_FOUND, the certificate
2884               is good for all uses. If it returns zero, the certificate
2885               has no valid uses." */
2886            if((HRESULT)GetLastError() != CRYPT_E_NOT_FOUND)
2887              continue;
2888          }
2889          else {
2890            DWORD i;
2891            bool found = FALSE;
2892
2893            for(i = 0; i < enhkey_usage->cUsageIdentifier; ++i) {
2894              if(!strcmp("1.3.6.1.5.5.7.3.1" /* OID server auth */,
2895                         enhkey_usage->rgpszUsageIdentifier[i])) {
2896                found = TRUE;
2897                break;
2898              }
2899            }
2900
2901            if(!found)
2902              continue;
2903          }
2904        }
2905        else
2906          continue;
2907      }
2908      else
2909        continue;
2910
2911      x509 = d2i_X509(NULL, &encoded_cert, (long)pContext->cbCertEncoded);
2912      if(!x509)
2913        continue;
2914
2915      /* Try to import the certificate. This may fail for legitimate reasons
2916         such as duplicate certificate, which is allowed by MS but not
2917         OpenSSL. */
2918      if(X509_STORE_add_cert(store, x509) == 1) {
2919        VERBOSE(++imported);
2920#ifdef DEBUGBUILD
2921        infof(data, "SSL: Imported cert");
2922#endif
2923        *padded = TRUE;
2924      }
2925      X509_free(x509);
2926    }
2927
2928    curlx_free(enhkey_usage);
2929    CertFreeCertificateContext(pContext);
2930    CertCloseStore(hStore, 0);
2931
2932    CURL_TRC_CF(data, cf,
2933                "ossl_win_load_store() found: %zu imported: %zu certs in %s.",
2934                total, imported, win_store);
2935
2936    if(result)
2937      return result;
2938  }
2939
2940  return result;
2941}
2942
2943static CURLcode ossl_windows_load_anchors(struct Curl_cfilter *cf,
2944                                          struct Curl_easy *data,
2945                                          X509_STORE *store,
2946                                          bool *padded)
2947{
2948  /* Import certificates from the Windows root certificate store if
2949     requested.
2950     https://stackoverflow.com/questions/9507184/
2951     https://github.com/d3x0r/SACK/blob/ff15424d3c581b86d40f818532e5a400c516d39d/src/netlib/ssl_layer.c#L1410
2952     https://datatracker.ietf.org/doc/html/rfc5280 */
2953  const char *win_stores[] = {
2954    "ROOT",   /* Trusted Root Certification Authorities */
2955    "CA"      /* Intermediate Certification Authorities */
2956  };
2957  size_t i;
2958  CURLcode result = CURLE_OK;
2959
2960  *padded = FALSE;
2961  for(i = 0; i < CURL_ARRAYSIZE(win_stores); ++i) {
2962    bool store_added = FALSE;
2963    result = ossl_win_load_store(data, cf, win_stores[i], store, &store_added);
2964    if(result)
2965      return result;
2966    if(store_added) {
2967      CURL_TRC_CF(data, cf, "added trust anchors from Windows %s store",
2968                  win_stores[i]);
2969      *padded = TRUE;
2970    }
2971    else
2972      infof(data, "error importing Windows %s store, continuing anyway",
2973            win_stores[i]);
2974  }
2975  return result;
2976}
2977
2978#endif /* USE_WIN32_CRYPTO */
2979
2980static CURLcode ossl_load_trust_anchors(struct Curl_cfilter *cf,
2981                                        struct Curl_easy *data,
2982                                        struct ossl_ctx *octx,
2983                                        X509_STORE *store)
2984{
2985  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
2986  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
2987  CURLcode result = CURLE_OK;
2988  const char * const ssl_cafile =
2989    /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
2990    (conn_config->ca_info_blob ? NULL : conn_config->CAfile);
2991  const char * const ssl_capath = conn_config->CApath;
2992  bool have_native_check = FALSE;
2993
2994  octx->store_is_empty = TRUE;
2995  if(ssl_config->native_ca_store) {
2996#ifdef USE_WIN32_CRYPTO
2997    bool added = FALSE;
2998    result = ossl_windows_load_anchors(cf, data, store, &added);
2999    if(result)
3000      return result;
3001    if(added) {
3002      infof(data, "  Native: Windows System Stores ROOT+CA");
3003      octx->store_is_empty = FALSE;
3004    }
3005#elif defined(USE_APPLE_SECTRUST)
3006    infof(data, "  Native: Apple SecTrust");
3007    have_native_check = TRUE;
3008#endif
3009  }
3010
3011  if(conn_config->ca_info_blob) {
3012    result = load_cacert_from_memory(store, conn_config->ca_info_blob);
3013    if(result) {
3014      failf(data, "error adding trust anchors from certificate blob: %d",
3015            result);
3016      return result;
3017    }
3018    infof(data, "  CA Blob from configuration");
3019    octx->store_is_empty = FALSE;
3020  }
3021
3022  if(ssl_cafile || ssl_capath) {
3023#ifdef HAVE_OPENSSL3
3024    /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */
3025    if(ssl_cafile) {
3026      if(!X509_STORE_load_file(store, ssl_cafile)) {
3027        if(octx->store_is_empty && !have_native_check) {
3028          /* Fail if we insist on successfully verifying the server. */
3029          failf(data, "error adding trust anchors from file: %s", ssl_cafile);
3030          return CURLE_SSL_CACERT_BADFILE;
3031        }
3032        else
3033          infof(data, "error setting certificate file, continuing anyway");
3034      }
3035      infof(data, "  CAfile: %s", ssl_cafile);
3036      octx->store_is_empty = FALSE;
3037    }
3038    if(ssl_capath) {
3039      if(!X509_STORE_load_path(store, ssl_capath)) {
3040        if(octx->store_is_empty && !have_native_check) {
3041          /* Fail if we insist on successfully verifying the server. */
3042          failf(data, "error adding trust anchors from path: %s", ssl_capath);
3043          return CURLE_SSL_CACERT_BADFILE;
3044        }
3045        else
3046          infof(data, "error setting certificate path, continuing anyway");
3047      }
3048      infof(data, "  CApath: %s", ssl_capath);
3049      octx->store_is_empty = FALSE;
3050    }
3051#else
3052    /* tell OpenSSL where to find CA certificates that are used to verify the
3053       server's certificate. */
3054    if(!X509_STORE_load_locations(store, ssl_cafile, ssl_capath)) {
3055      if(octx->store_is_empty && !have_native_check) {
3056        /* Fail if we insist on successfully verifying the server. */
3057        failf(data, "error adding trust anchors from locations:"
3058              "  CAfile: %s CApath: %s",
3059              ssl_cafile ? ssl_cafile : "none",
3060              ssl_capath ? ssl_capath : "none");
3061        return CURLE_SSL_CACERT_BADFILE;
3062      }
3063      else {
3064        infof(data, "error setting certificate verify locations,"
3065              " continuing anyway");
3066      }
3067    }
3068    if(ssl_cafile)
3069      infof(data, "  CAfile: %s", ssl_cafile);
3070    if(ssl_capath)
3071      infof(data, "  CApath: %s", ssl_capath);
3072    octx->store_is_empty = FALSE;
3073#endif
3074  }
3075
3076#ifdef CURL_CA_FALLBACK
3077  if(octx->store_is_empty) {
3078    /* verifying the peer without any CA certificates does not
3079       work so use OpenSSL's built-in default as fallback */
3080    X509_STORE_set_default_paths(store);
3081    infof(data, "  OpenSSL default paths (fallback)");
3082    octx->store_is_empty = FALSE;
3083  }
3084#endif
3085  if(octx->store_is_empty && !have_native_check)
3086    infof(data, "  no trust anchors configured");
3087
3088  return result;
3089}
3090
3091static CURLcode ossl_populate_x509_store(struct Curl_cfilter *cf,
3092                                         struct Curl_easy *data,
3093                                         struct ossl_ctx *octx,
3094                                         X509_STORE *store)
3095{
3096  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3097  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3098  CURLcode result = CURLE_OK;
3099  X509_LOOKUP *lookup = NULL;
3100  const char * const ssl_crlfile = ssl_config->primary.CRLfile;
3101  unsigned long x509flags = 0;
3102
3103  CURL_TRC_CF(data, cf, "configuring OpenSSL's x509 trust store");
3104  if(!store)
3105    return CURLE_OUT_OF_MEMORY;
3106
3107  if(!conn_config->verifypeer) {
3108    infof(data, "SSL Trust: peer verification disabled");
3109    return CURLE_OK;
3110  }
3111
3112  infof(data, "SSL Trust Anchors:");
3113  result = ossl_load_trust_anchors(cf, data, octx, store);
3114  if(result)
3115    return result;
3116
3117  /* Does not make sense to load a CRL file without peer verification */
3118  if(ssl_crlfile) {
3119    /* tell OpenSSL where to find CRL file that is used to check certificate
3120     * revocation */
3121    lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
3122    if(!lookup ||
3123       (!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM))) {
3124      failf(data, "error loading CRL file: %s", ssl_crlfile);
3125      return CURLE_SSL_CRL_BADFILE;
3126    }
3127    x509flags = X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
3128    infof(data, " CRLfile: %s", ssl_crlfile);
3129  }
3130
3131  /* Try building a chain using issuers in the trusted store first to avoid
3132     problems with server-sent legacy intermediates. Newer versions of
3133     OpenSSL do alternate chain checking by default but we do not know how to
3134     determine that in a reliable manner.
3135     https://web.archive.org/web/20190422050538/rt.openssl.org/Ticket/Display.html?id=3621
3136  */
3137  x509flags |= X509_V_FLAG_TRUSTED_FIRST;
3138
3139  if(!ssl_config->no_partialchain && !ssl_crlfile) {
3140    /* Have intermediate certificates in the trust store be treated as
3141       trust-anchors, in the same way as self-signed root CA certificates are.
3142       This allows users to verify servers using the intermediate cert only,
3143       instead of needing the whole chain.
3144
3145       Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
3146       cannot do partial chains with a CRL check.
3147    */
3148    x509flags |= X509_V_FLAG_PARTIAL_CHAIN;
3149  }
3150  (void)X509_STORE_set_flags(store, x509flags);
3151
3152  return result;
3153}
3154
3155/* key to use at `multi->proto_hash` */
3156#define MPROTO_OSSL_X509_KEY  "tls:ossl:x509:share"
3157
3158struct ossl_x509_share {
3159  char *CAfile;         /* CAfile path used to generate X509 store */
3160  X509_STORE *store;    /* cached X509 store or NULL if none */
3161  struct curltime time; /* when the cached store was created */
3162  BIT(store_is_empty);  /* no certs/paths/blobs are in the store */
3163  BIT(no_partialchain); /* keep partial chain state */
3164};
3165
3166static void oss_x509_share_free(void *key, size_t key_len, void *p)
3167{
3168  struct ossl_x509_share *share = p;
3169  DEBUGASSERT(key_len == (sizeof(MPROTO_OSSL_X509_KEY) - 1));
3170  DEBUGASSERT(!memcmp(MPROTO_OSSL_X509_KEY, key, key_len));
3171  (void)key;
3172  (void)key_len;
3173  if(share->store) {
3174    X509_STORE_free(share->store);
3175  }
3176  curlx_free(share->CAfile);
3177  curlx_free(share);
3178}
3179
3180static bool ossl_cached_x509_store_expired(struct Curl_easy *data,
3181                                           const struct ossl_x509_share *mb)
3182{
3183  const struct ssl_general_config *cfg = &data->set.general_ssl;
3184  if(cfg->ca_cache_timeout < 0)
3185    return FALSE;
3186  else {
3187    timediff_t elapsed_ms = curlx_ptimediff_ms(Curl_pgrs_now(data), &mb->time);
3188    timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
3189
3190    return elapsed_ms >= timeout_ms;
3191  }
3192}
3193
3194static bool ossl_cached_x509_store_different(struct Curl_cfilter *cf,
3195                                             const struct Curl_easy *data,
3196                                             const struct ossl_x509_share *mb)
3197{
3198  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3199  struct ssl_config_data *ssl_config =
3200    Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
3201  if(mb->no_partialchain != ssl_config->no_partialchain)
3202    return TRUE;
3203  if(!mb->CAfile || !conn_config->CAfile)
3204    return mb->CAfile != conn_config->CAfile;
3205  return strcmp(mb->CAfile, conn_config->CAfile);
3206}
3207
3208static X509_STORE *ossl_get_cached_x509_store(struct Curl_cfilter *cf,
3209                                              struct Curl_easy *data,
3210                                              bool *pempty)
3211{
3212  struct Curl_multi *multi = data->multi;
3213  struct ossl_x509_share *share;
3214  X509_STORE *store = NULL;
3215
3216  DEBUGASSERT(multi);
3217  *pempty = TRUE;
3218  share = multi ? Curl_hash_pick(&multi->proto_hash,
3219                                 CURL_UNCONST(MPROTO_OSSL_X509_KEY),
3220                                 sizeof(MPROTO_OSSL_X509_KEY) - 1) : NULL;
3221  if(share && share->store &&
3222     !ossl_cached_x509_store_expired(data, share) &&
3223     !ossl_cached_x509_store_different(cf, data, share)) {
3224    store = share->store;
3225    *pempty = (bool)share->store_is_empty;
3226  }
3227
3228  return store;
3229}
3230
3231static void ossl_set_cached_x509_store(struct Curl_cfilter *cf,
3232                                       struct Curl_easy *data,
3233                                       X509_STORE *store,
3234                                       bool is_empty)
3235{
3236  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3237  struct Curl_multi *multi = data->multi;
3238  struct ossl_x509_share *share;
3239
3240  DEBUGASSERT(multi);
3241  if(!multi)
3242    return;
3243  share = Curl_hash_pick(&multi->proto_hash,
3244                         CURL_UNCONST(MPROTO_OSSL_X509_KEY),
3245                         sizeof(MPROTO_OSSL_X509_KEY) - 1);
3246
3247  if(!share) {
3248    share = curlx_calloc(1, sizeof(*share));
3249    if(!share)
3250      return;
3251    if(!Curl_hash_add2(&multi->proto_hash,
3252                       CURL_UNCONST(MPROTO_OSSL_X509_KEY),
3253                       sizeof(MPROTO_OSSL_X509_KEY) - 1,
3254                       share, oss_x509_share_free)) {
3255      curlx_free(share);
3256      return;
3257    }
3258  }
3259
3260  if(X509_STORE_up_ref(store)) {
3261    char *CAfile = NULL;
3262    struct ssl_config_data *ssl_config =
3263      Curl_ssl_cf_get_config(cf, CURL_UNCONST(data));
3264
3265    if(conn_config->CAfile) {
3266      CAfile = curlx_strdup(conn_config->CAfile);
3267      if(!CAfile) {
3268        X509_STORE_free(store);
3269        return;
3270      }
3271    }
3272
3273    if(share->store) {
3274      X509_STORE_free(share->store);
3275      curlx_free(share->CAfile);
3276    }
3277
3278    share->time = *Curl_pgrs_now(data);
3279    share->store = store;
3280    share->store_is_empty = is_empty;
3281    share->CAfile = CAfile;
3282    share->no_partialchain = ssl_config->no_partialchain;
3283  }
3284}
3285
3286CURLcode Curl_ssl_setup_x509_store(struct Curl_cfilter *cf,
3287                                   struct Curl_easy *data,
3288                                   struct ossl_ctx *octx)
3289{
3290  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3291  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3292  CURLcode result = CURLE_OK;
3293  X509_STORE *cached_store;
3294  bool cache_criteria_met, is_empty;
3295
3296  /* Consider the X509 store cacheable if it comes exclusively from a CAfile,
3297     or no source is provided and we are falling back to OpenSSL's built-in
3298     default. */
3299  cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) &&
3300    conn_config->verifypeer &&
3301    !conn_config->CApath &&
3302    !conn_config->ca_info_blob &&
3303    !ssl_config->primary.CRLfile &&
3304    !ssl_config->native_ca_store;
3305
3306  ERR_set_mark();
3307
3308  cached_store = ossl_get_cached_x509_store(cf, data, &is_empty);
3309  if(cached_store && cache_criteria_met && X509_STORE_up_ref(cached_store)) {
3310    SSL_CTX_set_cert_store(octx->ssl_ctx, cached_store);
3311    octx->store_is_empty = is_empty;
3312  }
3313  else {
3314    X509_STORE *store = SSL_CTX_get_cert_store(octx->ssl_ctx);
3315
3316    result = ossl_populate_x509_store(cf, data, octx, store);
3317    if(result == CURLE_OK && cache_criteria_met) {
3318      ossl_set_cached_x509_store(cf, data, store, (bool)octx->store_is_empty);
3319    }
3320  }
3321
3322  ERR_pop_to_mark();
3323
3324  return result;
3325}
3326
3327static CURLcode
3328ossl_init_session_and_alpns(struct ossl_ctx *octx,
3329                            struct Curl_cfilter *cf,
3330                            struct Curl_easy *data,
3331                            struct ssl_peer *peer,
3332                            const struct alpn_spec *alpns_requested,
3333                            Curl_ossl_init_session_reuse_cb *sess_reuse_cb)
3334{
3335  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3336  struct ssl_primary_config *conn_cfg = Curl_ssl_cf_get_primary_config(cf);
3337  struct alpn_spec alpns;
3338  CURLcode result;
3339
3340  Curl_alpn_copy(&alpns, alpns_requested);
3341
3342  octx->reused_session = FALSE;
3343  if(Curl_ssl_scache_use(cf, data) && !conn_cfg->verifystatus) {
3344    struct Curl_ssl_session *scs = NULL;
3345
3346    result = Curl_ssl_scache_take(cf, data, peer->scache_key, &scs);
3347    if(!result && scs && scs->sdata && scs->sdata_len) {
3348      const unsigned char *der_sessionid = scs->sdata;
3349      size_t der_sessionid_size = scs->sdata_len;
3350      SSL_SESSION *ssl_session = NULL;
3351
3352      /* If OpenSSL does not accept the session from the cache, this
3353       * is not an error. We continue without it. */
3354      ssl_session = d2i_SSL_SESSION(NULL, &der_sessionid,
3355                                    (long)der_sessionid_size);
3356      if(ssl_session) {
3357        if(!SSL_set_session(octx->ssl, ssl_session)) {
3358          VERBOSE(char error_buffer[256]);
3359          infof(data, "SSL: SSL_set_session not accepted, "
3360                "continuing without: %s",
3361                ossl_strerror(ERR_get_error(), error_buffer,
3362                              sizeof(error_buffer)));
3363        }
3364        else {
3365          if(conn_cfg->verifypeer &&
3366             (SSL_get_verify_result(octx->ssl) != X509_V_OK)) {
3367            /* Session was from unverified connection, cannot reuse here */
3368            SSL_set_session(octx->ssl, NULL);
3369            infof(data, "SSL session not peer verified, not reusing");
3370          }
3371          else {
3372            infof(data, "SSL reusing session with ALPN '%s'",
3373                  scs->alpn ? scs->alpn : "-");
3374            octx->reused_session = TRUE;
3375            infof(data, "SSL verify result: %lx",
3376                  SSL_get_verify_result(octx->ssl));
3377#ifdef HAVE_OPENSSL_EARLYDATA
3378            if(ssl_config->earlydata && scs->alpn &&
3379               SSL_SESSION_get_max_early_data(ssl_session) &&
3380               !cf->conn->bits.connect_only &&
3381               (SSL_version(octx->ssl) == TLS1_3_VERSION)) {
3382              bool do_early_data = FALSE;
3383              if(sess_reuse_cb) {
3384                result = sess_reuse_cb(cf, data, &alpns, scs, &do_early_data);
3385                if(result) {
3386                  SSL_SESSION_free(ssl_session);
3387                  return result;
3388                }
3389              }
3390              if(do_early_data) {
3391                /* We only try the ALPN protocol the session used before,
3392                 * otherwise we might send early data for the wrong protocol */
3393                Curl_alpn_restrict_to(&alpns, scs->alpn);
3394              }
3395            }
3396#else
3397            (void)ssl_config;
3398            (void)sess_reuse_cb;
3399#endif
3400          }
3401        }
3402        SSL_SESSION_free(ssl_session);
3403      }
3404      else {
3405        infof(data, "SSL session not accepted by OpenSSL, continuing without");
3406      }
3407    }
3408    Curl_ssl_scache_return(cf, data, peer->scache_key, scs);
3409  }
3410
3411  if(alpns.count) {
3412    struct alpn_proto_buf proto;
3413    memset(&proto, 0, sizeof(proto));
3414    result = Curl_alpn_to_proto_buf(&proto, &alpns);
3415    if(result) {
3416      failf(data, "Error determining ALPN");
3417      return CURLE_SSL_CONNECT_ERROR;
3418    }
3419    if(SSL_set_alpn_protos(octx->ssl, proto.data, proto.len)) {
3420      failf(data, "Error setting ALPN");
3421      return CURLE_SSL_CONNECT_ERROR;
3422    }
3423  }
3424
3425  return CURLE_OK;
3426}
3427
3428#ifdef HAVE_SSL_SET1_ECH_CONFIG_LIST
3429bool Curl_ossl_need_httpsrr(struct Curl_easy *data)
3430{
3431  if(!CURLECH_ENABLED(data))
3432    return FALSE;
3433  if((data->set.tls_ech == CURLECH_GREASE) ||
3434     data->set.str[STRING_ECH_CONFIG])
3435    return FALSE;
3436  return TRUE;
3437}
3438
3439static CURLcode ossl_init_ech(struct ossl_ctx *octx,
3440                              struct Curl_cfilter *cf,
3441                              struct Curl_easy *data,
3442                              struct ssl_peer *peer)
3443{
3444  unsigned char *ech_config = NULL;
3445  size_t ech_config_len = 0;
3446  char *outername = data->set.str[STRING_ECH_PUBLIC];
3447  int trying_ech_now = 0;
3448  CURLcode result = CURLE_OK;
3449
3450  if(!CURLECH_ENABLED(data))
3451    return CURLE_OK;
3452
3453  if(data->set.tls_ech == CURLECH_GREASE) {
3454    infof(data, "ECH: will GREASE ClientHello");
3455#ifdef HAVE_BORINGSSL_LIKE
3456    SSL_set_enable_ech_grease(octx->ssl, 1);
3457#else
3458    SSL_set_options(octx->ssl, SSL_OP_ECH_GREASE);
3459#endif
3460  }
3461  else if(data->set.tls_ech && data->set.str[STRING_ECH_CONFIG]) {
3462#ifdef HAVE_BORINGSSL_LIKE
3463    /* have to do base64 decode here for BoringSSL */
3464    const char *b64 = data->set.str[STRING_ECH_CONFIG];
3465
3466    if(!b64) {
3467      infof(data, "ECH: ECHConfig from command line empty");
3468      return CURLE_SSL_CONNECT_ERROR;
3469    }
3470    ech_config_len = 2 * strlen(b64);
3471    result = curlx_base64_decode(b64, &ech_config, &ech_config_len);
3472    if(result || !ech_config) {
3473      infof(data, "ECH: cannot base64 decode ECHConfig from command line");
3474      if(data->set.tls_ech == CURLECH_HARD)
3475        return result;
3476    }
3477    if(SSL_set1_ech_config_list(octx->ssl, ech_config, ech_config_len) != 1) {
3478      infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");
3479      if(data->set.tls_ech == CURLECH_HARD) {
3480        curlx_free(ech_config);
3481        return CURLE_SSL_CONNECT_ERROR;
3482      }
3483    }
3484    curlx_free(ech_config);
3485    trying_ech_now = 1;
3486#else
3487    ech_config = (unsigned char *)data->set.str[STRING_ECH_CONFIG];
3488    if(!ech_config) {
3489      infof(data, "ECH: ECHConfig from command line empty");
3490      return CURLE_SSL_CONNECT_ERROR;
3491    }
3492    ech_config_len = strlen(data->set.str[STRING_ECH_CONFIG]);
3493    if(SSL_set1_ech_config_list(octx->ssl, ech_config, ech_config_len) != 1) {
3494      infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");
3495      if(data->set.tls_ech == CURLECH_HARD)
3496        return CURLE_SSL_CONNECT_ERROR;
3497    }
3498    else
3499      trying_ech_now = 1;
3500#endif /* HAVE_BORINGSSL_LIKE */
3501    infof(data, "ECH: ECHConfig from command line");
3502  }
3503  else {
3504    const struct Curl_https_rrinfo *rinfo =
3505      Curl_conn_dns_get_https(data, cf->sockindex);
3506
3507    if(rinfo && rinfo->echconfiglist) {
3508      const unsigned char *ecl = rinfo->echconfiglist;
3509      size_t elen = rinfo->echconfiglist_len;
3510
3511      infof(data, "ECH: ECHConfig from HTTPS RR");
3512      if(SSL_set1_ech_config_list(octx->ssl, ecl, elen) != 1) {
3513        infof(data, "ECH: SSL_set1_ech_config_list failed");
3514        if(data->set.tls_ech == CURLECH_HARD)
3515          return CURLE_SSL_CONNECT_ERROR;
3516      }
3517      else {
3518        trying_ech_now = 1;
3519        infof(data, "ECH: imported ECHConfigList of length %zu", elen);
3520      }
3521    }
3522    else {
3523      infof(data, "ECH: requested but no ECHConfig available");
3524      if(data->set.tls_ech == CURLECH_HARD)
3525        return CURLE_SSL_CONNECT_ERROR;
3526    }
3527  }
3528#ifdef HAVE_BORINGSSL_LIKE
3529  (void)peer;
3530  if(trying_ech_now && outername) {
3531    infof(data, "ECH: setting public_name not supported with BoringSSL");
3532    return CURLE_SSL_CONNECT_ERROR;
3533  }
3534#else
3535  if(trying_ech_now && outername) {
3536    infof(data, "ECH: inner: '%s', outer: '%s'",
3537          peer->dest->hostname ? peer->dest->hostname : "NULL", outername);
3538    result = SSL_ech_set1_server_names(octx->ssl,
3539                                       peer->dest->hostname, outername,
3540                                       0 /* do send outer */);
3541    if(result != 1) {
3542      infof(data, "ECH: rv failed to set server name(s) %d [ERROR]", result);
3543      return CURLE_SSL_CONNECT_ERROR;
3544    }
3545  }
3546#endif /* HAVE_BORINGSSL_LIKE */
3547  if(trying_ech_now &&
3548     SSL_set_min_proto_version(octx->ssl, TLS1_3_VERSION) != 1) {
3549    infof(data, "ECH: cannot force TLSv1.3 [ERROR]");
3550    return CURLE_SSL_CONNECT_ERROR;
3551  }
3552
3553  return CURLE_OK;
3554}
3555#else /* HAVE_SSL_SET1_ECH_CONFIG_LIST */
3556bool Curl_ossl_need_httpsrr(struct Curl_easy *data)
3557{
3558  (void)data;
3559  return FALSE;
3560}
3561#endif /* else HAVE_SSL_SET1_ECH_CONFIG_LIST */
3562
3563static CURLcode ossl_init_ssl(struct ossl_ctx *octx,
3564                              struct Curl_cfilter *cf,
3565                              struct Curl_easy *data,
3566                              struct ssl_peer *peer,
3567                              const struct alpn_spec *alpns_requested,
3568                              void *ssl_user_data,
3569                              Curl_ossl_init_session_reuse_cb *sess_reuse_cb)
3570{
3571  /* Let's make an SSL structure */
3572  if(octx->ssl)
3573    SSL_free(octx->ssl);
3574  octx->ssl = SSL_new(octx->ssl_ctx);
3575  if(!octx->ssl) {
3576    failf(data, "SSL: could not create a context (handle)");
3577    return CURLE_OUT_OF_MEMORY;
3578  }
3579
3580  SSL_set_app_data(octx->ssl, ssl_user_data);
3581
3582#ifndef OPENSSL_NO_OCSP
3583  if(Curl_ssl_cf_get_primary_config(cf)->verifystatus)
3584    SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp);
3585#endif
3586
3587  SSL_set_connect_state(octx->ssl);
3588
3589  if(peer->sni) {
3590    if(!SSL_set_tlsext_host_name(octx->ssl, peer->sni)) {
3591      failf(data, "Failed set SNI");
3592      return CURLE_SSL_CONNECT_ERROR;
3593    }
3594  }
3595
3596#ifdef HAVE_SSL_SET1_ECH_CONFIG_LIST
3597  {
3598    CURLcode result = ossl_init_ech(octx, cf, data, peer);
3599    if(result)
3600      return result;
3601  }
3602#endif /* HAVE_SSL_SET1_ECH_CONFIG_LIST */
3603
3604  return ossl_init_session_and_alpns(octx, cf, data, peer,
3605                                     alpns_requested, sess_reuse_cb);
3606}
3607
3608static CURLcode ossl_init_method(struct Curl_cfilter *cf,
3609                                 struct Curl_easy *data,
3610                                 struct ssl_peer *peer,
3611                                 const SSL_METHOD **pmethod,
3612                                 unsigned int *pssl_version_min)
3613{
3614  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3615
3616  *pmethod = NULL;
3617  *pssl_version_min = conn_config->version;
3618  DEBUGASSERT(conn_config->version != CURL_SSLVERSION_DEFAULT);
3619  switch(peer->transport) {
3620  case TRNSPRT_TCP:
3621    /* check to see if we have been told to use an explicit SSL/TLS version */
3622    switch(*pssl_version_min) {
3623    case CURL_SSLVERSION_TLSv1:
3624    case CURL_SSLVERSION_TLSv1_0:
3625    case CURL_SSLVERSION_TLSv1_1:
3626    case CURL_SSLVERSION_TLSv1_2:
3627    case CURL_SSLVERSION_TLSv1_3:
3628      /* it is handled later with the context options */
3629      *pmethod = TLS_client_method();
3630      break;
3631    case CURL_SSLVERSION_SSLv2:
3632      failf(data, "No SSLv2 support");
3633      return CURLE_NOT_BUILT_IN;
3634    case CURL_SSLVERSION_SSLv3:
3635      failf(data, "No SSLv3 support");
3636      return CURLE_NOT_BUILT_IN;
3637    default:
3638      failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
3639      return CURLE_SSL_CONNECT_ERROR;
3640    }
3641    break;
3642  case TRNSPRT_QUIC:
3643    *pssl_version_min = CURL_SSLVERSION_TLSv1_3;
3644    if(conn_config->version_max &&
3645       (conn_config->version_max != CURL_SSLVERSION_MAX_DEFAULT) &&
3646       (conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) {
3647      failf(data, "QUIC needs at least TLS version 1.3");
3648      return CURLE_SSL_CONNECT_ERROR;
3649    }
3650
3651    *pmethod = TLS_method();
3652    break;
3653  default:
3654    failf(data, "unsupported transport %d in SSL init", peer->transport);
3655    return CURLE_SSL_CONNECT_ERROR;
3656  }
3657
3658  return *pmethod ? CURLE_OK : CURLE_SSL_CONNECT_ERROR;
3659}
3660
3661CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
3662                            struct Curl_cfilter *cf,
3663                            struct Curl_easy *data,
3664                            struct ssl_peer *peer,
3665                            const struct alpn_spec *alpns_requested,
3666                            Curl_ossl_ctx_setup_cb *cb_setup,
3667                            void *cb_user_data,
3668                            Curl_ossl_new_session_cb *cb_new_session,
3669                            void *ssl_user_data,
3670                            Curl_ossl_init_session_reuse_cb *sess_reuse_cb)
3671{
3672  CURLcode result = CURLE_OK;
3673  const char *ciphers;
3674  const SSL_METHOD *req_method = NULL;
3675  ctx_option_t ctx_options = 0;
3676  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3677  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3678  char * const ssl_cert = ssl_config->primary.clientcert;
3679  const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
3680  const char * const ssl_cert_type = ssl_config->cert_type;
3681  unsigned int ssl_version_min;
3682  char error_buffer[256];
3683
3684  /* Make funny stuff to get random input */
3685  result = ossl_seed(data);
3686  if(result)
3687    return result;
3688
3689  ssl_config->certverifyresult = !X509_V_OK;
3690
3691  result = ossl_init_method(cf, data, peer, &req_method, &ssl_version_min);
3692  if(result)
3693    return result;
3694  DEBUGASSERT(req_method);
3695
3696  DEBUGASSERT(!octx->ssl_ctx);
3697  octx->ssl_ctx =
3698#ifdef OPENSSL_HAS_PROVIDERS
3699    data->state.libctx ?
3700    SSL_CTX_new_ex(data->state.libctx, data->state.propq, req_method):
3701#endif
3702    SSL_CTX_new(req_method);
3703
3704  if(!octx->ssl_ctx) {
3705    failf(data, "SSL: could not create a context: %s",
3706          ossl_strerror(ERR_peek_error(), error_buffer, sizeof(error_buffer)));
3707    return CURLE_OUT_OF_MEMORY;
3708  }
3709
3710  if(cb_setup) {
3711    result = cb_setup(cf, data, cb_user_data);
3712    if(result)
3713      return result;
3714  }
3715
3716  if(data->set.fdebug && data->set.verbose) {
3717    /* the SSL trace callback is only used for verbose logging */
3718    SSL_CTX_set_msg_callback(octx->ssl_ctx, ossl_trace);
3719    SSL_CTX_set_msg_callback_arg(octx->ssl_ctx, cf);
3720  }
3721
3722  /* OpenSSL contains code to work around lots of bugs and flaws in various
3723     SSL-implementations. SSL_CTX_set_options() is used to enabled those
3724     work-arounds. The man page for this option states that SSL_OP_ALL enables
3725     all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
3726     enable the bug workaround options if compatibility with somewhat broken
3727     implementations is desired."
3728
3729     The "-no_ticket" option was introduced in OpenSSL 0.9.8j. it is a flag to
3730     disable "rfc4507bis session ticket support". rfc4507bis was later turned
3731     into the proper RFC5077: https://datatracker.ietf.org/doc/html/rfc5077
3732
3733     The enabled extension concerns the session management. I wonder how often
3734     libcurl stops a connection and then resumes a TLS session. Also, sending
3735     the session data is some overhead. I suggest that you use your proposed
3736     patch (which explicitly disables TICKET).
3737
3738     If someone writes an application with libcurl and OpenSSL who wants to
3739     enable the feature, one can do this in the SSL callback.
3740
3741     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
3742     interoperability with web server Netscape Enterprise Server 2.0.1 which
3743     was released back in 1996.
3744
3745     Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
3746     become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
3747     CVE-2010-4180 when using previous OpenSSL versions we no longer enable
3748     this option regardless of OpenSSL version and SSL_OP_ALL definition.
3749
3750     OpenSSL added a work-around for an SSL 3.0/TLS 1.0 CBC vulnerability:
3751     https://web.archive.org/web/20240114184648/openssl.org/~bodo/tls-cbc.txt.
3752     In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around
3753     despite the fact that SSL_OP_ALL is documented to do "rather harmless"
3754     workarounds. In order to keep the secure work-around, the
3755     SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set.
3756  */
3757
3758  ctx_options = SSL_OP_ALL | SSL_OP_NO_TICKET | SSL_OP_NO_COMPRESSION;
3759
3760  /* mitigate CVE-2010-4180 */
3761  ctx_options &= ~(ctx_option_t)SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
3762
3763  /* unless the user explicitly asks to allow the protocol vulnerability we
3764     use the work-around */
3765  if(!ssl_config->enable_beast)
3766    ctx_options &= ~(ctx_option_t)SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
3767
3768  DEBUGASSERT(ssl_version_min != CURL_SSLVERSION_DEFAULT);
3769  switch(ssl_version_min) {
3770  case CURL_SSLVERSION_SSLv2:
3771  case CURL_SSLVERSION_SSLv3:
3772    return CURLE_NOT_BUILT_IN;
3773
3774    /* "--tlsv<x.y>" options mean TLS >= version <x.y> */
3775  case CURL_SSLVERSION_TLSv1:   /* TLS >= version 1.0 */
3776  case CURL_SSLVERSION_TLSv1_0: /* TLS >= version 1.0 */
3777  case CURL_SSLVERSION_TLSv1_1: /* TLS >= version 1.1 */
3778  case CURL_SSLVERSION_TLSv1_2: /* TLS >= version 1.2 */
3779  case CURL_SSLVERSION_TLSv1_3: /* TLS >= version 1.3 */
3780    /* asking for any TLS version as the minimum, means no SSL versions
3781       allowed */
3782    ctx_options |= SSL_OP_NO_SSLv2;
3783    ctx_options |= SSL_OP_NO_SSLv3;
3784
3785    result = ossl_set_ssl_version_min_max(cf, octx->ssl_ctx, ssl_version_min);
3786    if(result)
3787      return result;
3788    break;
3789
3790  default:
3791    failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
3792    return CURLE_SSL_CONNECT_ERROR;
3793  }
3794
3795  SSL_CTX_set_options(octx->ssl_ctx, ctx_options);
3796  SSL_CTX_set_read_ahead(octx->ssl_ctx, 1);
3797
3798  /* Max TLS1.2 record size 0x4000 + 0x800.
3799     OpenSSL supports processing "jumbo TLS record" (8 TLS records) in one go
3800     for some algorithms, so match that here.
3801     Experimentation shows that a slightly larger buffer is needed
3802     to avoid short reads.
3803
3804     However using a large buffer (8 packets) actually decreases performance.
3805     4 packets is better.
3806   */
3807#ifdef HAVE_SSL_CTX_SET_DEFAULT_READ_BUFFER_LEN
3808  SSL_CTX_set_default_read_buffer_len(octx->ssl_ctx, 0x401e * 4);
3809#endif
3810
3811  /* We do retry writes sometimes from another buffer address */
3812  SSL_CTX_set_mode(octx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3813
3814  ciphers = conn_config->cipher_list;
3815  if(!ciphers && (peer->transport != TRNSPRT_QUIC))
3816    ciphers = NULL;
3817  if(ciphers && (ssl_version_min < CURL_SSLVERSION_TLSv1_3)) {
3818    if(!SSL_CTX_set_cipher_list(octx->ssl_ctx, ciphers)) {
3819      failf(data, "failed setting cipher list: %s", ciphers);
3820      return CURLE_SSL_CIPHER;
3821    }
3822    infof(data, "Cipher selection: %s", ciphers);
3823  }
3824
3825#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
3826  {
3827    const char *ciphers13 = conn_config->cipher_list13;
3828    if(ciphers13 &&
3829       (!conn_config->version_max ||
3830        (conn_config->version_max == CURL_SSLVERSION_MAX_DEFAULT) ||
3831        (conn_config->version_max >= CURL_SSLVERSION_MAX_TLSv1_3))) {
3832      if(!SSL_CTX_set_ciphersuites(octx->ssl_ctx, ciphers13)) {
3833        failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13);
3834        return CURLE_SSL_CIPHER;
3835      }
3836      infof(data, "TLS 1.3 cipher selection: %s", ciphers13);
3837    }
3838  }
3839#endif
3840
3841  if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
3842    result = client_cert(data, octx->ssl_ctx,
3843                         ssl_cert, ssl_cert_blob, ssl_cert_type,
3844                         ssl_config->key, ssl_config->key_blob,
3845                         ssl_config->key_type, ssl_config->key_passwd);
3846    if(result)
3847      /* failf() is already done in client_cert() */
3848      return result;
3849  }
3850
3851#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
3852  /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
3853  SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1);
3854#endif
3855
3856  {
3857    const char *curves = conn_config->curves;
3858    if(curves) {
3859#ifdef HAVE_BORINGSSL_LIKE
3860#define OSSL_CURVE_CAST(x) (x)
3861#else
3862#define OSSL_CURVE_CAST(x) (char *)CURL_UNCONST(x)
3863#endif
3864      if(!SSL_CTX_set1_curves_list(octx->ssl_ctx, OSSL_CURVE_CAST(curves))) {
3865        failf(data, "failed setting curves list: '%s'", curves);
3866        return CURLE_SSL_CIPHER;
3867      }
3868    }
3869  }
3870
3871#ifdef HAVE_SSL_CTX_SET1_SIGALGS
3872#define OSSL_SIGALG_CAST(x) OSSL_CURVE_CAST(x)
3873  {
3874    const char *signature_algorithms = conn_config->signature_algorithms;
3875    if(signature_algorithms) {
3876      if(!SSL_CTX_set1_sigalgs_list(octx->ssl_ctx,
3877                                    OSSL_SIGALG_CAST(signature_algorithms))) {
3878        failf(data, "failed setting signature algorithms: '%s'",
3879              signature_algorithms);
3880        return CURLE_SSL_CIPHER;
3881      }
3882    }
3883  }
3884#endif
3885
3886#if defined(HAVE_OPENSSL_SRP) && defined(USE_TLS_SRP)
3887  if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) {
3888    char * const ssl_username = ssl_config->primary.username;
3889    char * const ssl_password = ssl_config->primary.password;
3890    infof(data, "Using TLS-SRP username: %s", ssl_username);
3891
3892    if(!SSL_CTX_set_srp_username(octx->ssl_ctx, ssl_username)) {
3893      failf(data, "Unable to set SRP username");
3894      return CURLE_BAD_FUNCTION_ARGUMENT;
3895    }
3896    if(!SSL_CTX_set_srp_password(octx->ssl_ctx, ssl_password)) {
3897      failf(data, "failed setting SRP password");
3898      return CURLE_BAD_FUNCTION_ARGUMENT;
3899    }
3900    if(!conn_config->cipher_list) {
3901      infof(data, "Setting cipher list SRP");
3902
3903      if(!SSL_CTX_set_cipher_list(octx->ssl_ctx, "SRP")) {
3904        failf(data, "failed setting SRP cipher list");
3905        return CURLE_SSL_CIPHER;
3906      }
3907    }
3908  }
3909#endif /* HAVE_OPENSSL_SRP && USE_TLS_SRP */
3910
3911  /* OpenSSL always tries to verify the peer. By setting the failure mode
3912   * to NONE, we allow the connect to complete, regardless of the outcome.
3913   * We then explicitly check the result and may try alternatives like
3914   * Apple's SecTrust for verification. */
3915  SSL_CTX_set_verify(octx->ssl_ctx, SSL_VERIFY_NONE, NULL);
3916
3917  /* Enable logging of secrets to the file specified in env SSLKEYLOGFILE. */
3918#if !defined(HAVE_KEYLOG_UPSTREAM) && defined(HAVE_KEYLOG_CALLBACK)
3919  if(Curl_tls_keylog_enabled()) {
3920    SSL_CTX_set_keylog_callback(octx->ssl_ctx, ossl_keylog_callback);
3921  }
3922#endif
3923
3924  if(cb_new_session) {
3925    /* Enable the session cache because it is a prerequisite for the
3926     * "new session" callback. Use the "external storage" mode to prevent
3927     * OpenSSL from creating an internal session cache.
3928     */
3929    SSL_CTX_set_session_cache_mode(octx->ssl_ctx,
3930                                   SSL_SESS_CACHE_CLIENT |
3931                                   SSL_SESS_CACHE_NO_INTERNAL);
3932    SSL_CTX_sess_set_new_cb(octx->ssl_ctx, cb_new_session);
3933  }
3934
3935  /* give application a chance to interfere with SSL set up. */
3936  if(data->set.ssl.fsslctx) {
3937    /* When a user callback is installed to modify the SSL_CTX,
3938     * we need to do the full initialization before calling it.
3939     * See: #11800 */
3940    if(!octx->x509_store_setup) {
3941      result = Curl_ssl_setup_x509_store(cf, data, octx);
3942      if(result)
3943        return result;
3944      octx->x509_store_setup = TRUE;
3945    }
3946    Curl_set_in_callback(data, TRUE);
3947    result = (*data->set.ssl.fsslctx)(data, octx->ssl_ctx,
3948                                      data->set.ssl.fsslctxp);
3949    Curl_set_in_callback(data, FALSE);
3950    if(result) {
3951      failf(data, "error signaled by ssl ctx callback");
3952      return result;
3953    }
3954  }
3955
3956  return ossl_init_ssl(octx, cf, data, peer, alpns_requested,
3957                       ssl_user_data, sess_reuse_cb);
3958}
3959
3960static CURLcode ossl_on_session_reuse(struct Curl_cfilter *cf,
3961                                      struct Curl_easy *data,
3962                                      struct alpn_spec *alpns,
3963                                      struct Curl_ssl_session *scs,
3964                                      bool *do_early_data)
3965{
3966  struct ssl_connect_data *connssl = cf->ctx;
3967
3968  connssl->earlydata_max = scs->earlydata_max;
3969
3970  return Curl_on_session_reuse(cf, data, alpns, scs, do_early_data,
3971                               connssl->earlydata_max);
3972}
3973
3974void Curl_ossl_report_handshake(struct Curl_easy *data, struct ossl_ctx *octx)
3975{
3976#ifdef CURLVERBOSE
3977  if(Curl_trc_is_verbose(data)) {
3978    int psigtype_nid = NID_undef;
3979    const char *negotiated_group_name = NULL;
3980
3981#ifdef HAVE_OPENSSL3
3982    SSL_get_peer_signature_type_nid(octx->ssl, &psigtype_nid);
3983#if OPENSSL_VERSION_NUMBER >= 0x30200000L
3984    negotiated_group_name = SSL_get0_group_name(octx->ssl);
3985#else
3986    negotiated_group_name =
3987      OBJ_nid2sn(SSL_get_negotiated_group(octx->ssl) & 0x0000FFFF);
3988#endif
3989#endif
3990
3991    /* Informational message */
3992    infof(data, "SSL connection using %s / %s / %s / %s",
3993          SSL_get_version(octx->ssl),
3994          SSL_get_cipher(octx->ssl),
3995          negotiated_group_name ? negotiated_group_name : "[blank]",
3996          OBJ_nid2sn(psigtype_nid));
3997  }
3998#else
3999  (void)data;
4000  (void)octx;
4001#endif /* CURLVERBOSE */
4002}
4003
4004static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
4005                                   struct Curl_easy *data)
4006{
4007  struct ssl_connect_data *connssl = cf->ctx;
4008  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4009  BIO *bio;
4010  CURLcode result;
4011
4012  DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
4013  DEBUGASSERT(octx);
4014
4015  result = Curl_ossl_ctx_init(octx, cf, data, &connssl->peer,
4016                              connssl->alpn, NULL, NULL,
4017                              ossl_new_session_cb, cf,
4018                              ossl_on_session_reuse);
4019  if(result)
4020    return result;
4021
4022  octx->bio_method = ossl_bio_cf_method_create();
4023  if(!octx->bio_method)
4024    return CURLE_OUT_OF_MEMORY;
4025  bio = BIO_new(octx->bio_method);
4026  if(!bio)
4027    return CURLE_OUT_OF_MEMORY;
4028
4029  BIO_set_data(bio, cf);
4030#ifdef HAVE_SSL_SET0_WBIO
4031  /* with OpenSSL v1.1.1 we get an alternative to SSL_set_bio() that works
4032   * without backward compat quirks. Every call takes one reference, so we
4033   * up it and pass. SSL* then owns and frees it.
4034   * We check on the function in configure, since LibreSSL and friends
4035   * each have their own versions to add support for this. */
4036  BIO_up_ref(bio);
4037  SSL_set0_rbio(octx->ssl, bio);
4038  SSL_set0_wbio(octx->ssl, bio);
4039#else
4040  SSL_set_bio(octx->ssl, bio, bio);
4041#endif
4042
4043  if(connssl->alpn && (connssl->state != ssl_connection_deferred)) {
4044    struct alpn_proto_buf proto;
4045    memset(&proto, 0, sizeof(proto));
4046    Curl_alpn_to_proto_str(&proto, connssl->alpn);
4047    infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
4048  }
4049
4050  connssl->connecting_state = ssl_connect_2;
4051  return CURLE_OK;
4052}
4053
4054#ifdef HAVE_SSL_SET1_ECH_CONFIG_LIST
4055/* If we have retry configs, then trace those out */
4056static int ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL *ssl,
4057                                        int reason)
4058{
4059  CURLcode result = CURLE_OK;
4060  size_t rcl = 0;
4061  int rv = 1;
4062#ifndef HAVE_BORINGSSL_LIKE
4063  char *inner = NULL;
4064  uint8_t *rcs = NULL;
4065  char *outer = NULL;
4066#else
4067  const char *inner = NULL;
4068  const uint8_t *rcs = NULL;
4069  const char *outer = NULL;
4070  size_t out_name_len = 0;
4071  int servername_type = 0;
4072#endif
4073  NOVERBOSE((void)reason);
4074
4075  /* nothing to trace if not doing ECH */
4076  if(!CURLECH_ENABLED(data))
4077    return rv;
4078#ifndef HAVE_BORINGSSL_LIKE
4079  rv = SSL_ech_get1_retry_config(ssl, &rcs, &rcl);
4080#else
4081  SSL_get0_ech_retry_configs(ssl, &rcs, &rcl);
4082  rv = (int)rcl;
4083#endif
4084
4085  if(rv && rcs) {
4086    char *b64str = NULL;
4087    size_t blen = 0;
4088
4089    result = curlx_base64_encode(rcs, rcl, &b64str, &blen);
4090    if(!result && b64str) {
4091      infof(data, "ECH: retry_configs %s", b64str);
4092      curlx_free(b64str);
4093#ifndef HAVE_BORINGSSL_LIKE
4094      rv = SSL_ech_get1_status(ssl, &inner, &outer);
4095      infof(data, "ECH: retry_configs for %s from %s, %d %d",
4096            inner ? inner : "NULL", outer ? outer : "NULL", reason, rv);
4097#else
4098      rv = SSL_ech_accepted(ssl);
4099      servername_type = SSL_get_servername_type(ssl);
4100      inner = SSL_get_servername(ssl, servername_type);
4101      SSL_get0_ech_name_override(ssl, &outer, &out_name_len);
4102      infof(data, "ECH: retry_configs for %s from %s, %d %d",
4103            inner ? inner : "NULL", outer ? outer : "NULL", reason, rv);
4104#endif
4105    }
4106  }
4107  else
4108    infof(data, "ECH: no retry_configs (rv = %d)", rv);
4109#ifndef HAVE_BORINGSSL_LIKE
4110  OPENSSL_free(inner);
4111  OPENSSL_free(rcs);
4112  OPENSSL_free(outer);
4113#endif
4114  return rv;
4115}
4116
4117#endif
4118
4119static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
4120                                   struct Curl_easy *data)
4121{
4122  int err;
4123  struct ssl_connect_data *connssl = cf->ctx;
4124  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4125  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
4126  DEBUGASSERT(ssl_connect_2 == connssl->connecting_state);
4127  DEBUGASSERT(octx);
4128
4129  connssl->io_need = CURL_SSL_IO_NEED_NONE;
4130  ERR_clear_error();
4131
4132  err = SSL_connect(octx->ssl);
4133
4134  if(!octx->x509_store_setup) {
4135    /* After having send off the ClientHello, we prepare the x509
4136     * store to verify the coming certificate from the server */
4137    CURLcode result = Curl_ssl_setup_x509_store(cf, data, octx);
4138    if(result)
4139      return result;
4140    octx->x509_store_setup = TRUE;
4141  }
4142
4143#if !defined(HAVE_KEYLOG_UPSTREAM) && !defined(HAVE_KEYLOG_CALLBACK)
4144  /* If key logging is enabled, wait for the handshake to complete and then
4145   * proceed with logging secrets (for TLS 1.2 or older).
4146   */
4147  if(Curl_tls_keylog_enabled() && !octx->keylog_done)
4148    ossl_log_tls12_secret(octx->ssl, &octx->keylog_done);
4149#endif
4150
4151  /* 1  is fine
4152     0  is "not successful but was shut down controlled"
4153     <0 is "handshake was not successful, because a fatal error occurred" */
4154  if(err != 1) {
4155    int detail = SSL_get_error(octx->ssl, err);
4156    CURL_TRC_CF(data, cf, "SSL_connect() -> err=%d, detail=%d", err, detail);
4157
4158    if(SSL_ERROR_WANT_READ == detail) {
4159      CURL_TRC_CF(data, cf, "SSL_connect() -> want recv");
4160      connssl->io_need = CURL_SSL_IO_NEED_RECV;
4161      return CURLE_AGAIN;
4162    }
4163    if(SSL_ERROR_WANT_WRITE == detail) {
4164      CURL_TRC_CF(data, cf, "SSL_connect() -> want send");
4165      connssl->io_need = CURL_SSL_IO_NEED_SEND;
4166      return CURLE_AGAIN;
4167    }
4168#ifdef SSL_ERROR_WANT_ASYNC
4169    if(SSL_ERROR_WANT_ASYNC == detail) {
4170      CURL_TRC_CF(data, cf, "SSL_connect() -> want async");
4171      connssl->io_need = CURL_SSL_IO_NEED_RECV;
4172      return CURLE_AGAIN;
4173    }
4174#endif
4175#ifdef SSL_ERROR_WANT_RETRY_VERIFY
4176    if(SSL_ERROR_WANT_RETRY_VERIFY == detail) {
4177      CURL_TRC_CF(data, cf, "SSL_connect() -> want retry_verify");
4178      Curl_xfer_pause_recv(data, TRUE);
4179      return CURLE_AGAIN;
4180    }
4181#endif
4182    else {
4183      /* untreated error */
4184      sslerr_t errdetail;
4185      char error_buffer[256] = "";
4186      CURLcode result;
4187      long lerr;
4188      int lib;
4189      int reason;
4190
4191      /* the connection failed, we are not waiting for anything else. */
4192      connssl->connecting_state = ssl_connect_2;
4193
4194      /* Get the earliest error code from the thread's error queue and remove
4195         the entry. */
4196      errdetail = ERR_get_error();
4197
4198      /* Extract which lib and reason */
4199      lib = ERR_GET_LIB(errdetail);
4200      reason = ERR_GET_REASON(errdetail);
4201
4202      if((lib == ERR_LIB_SSL) &&
4203         ((reason == SSL_R_CERTIFICATE_VERIFY_FAILED)
4204/* Missing from OpenSSL 4+ OPENSSL_NO_DEPRECATED_3_0 builds */
4205#ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED
4206          || (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED)
4207#endif
4208         )) {
4209        result = CURLE_PEER_FAILED_VERIFICATION;
4210
4211        lerr = SSL_get_verify_result(octx->ssl);
4212        if(lerr != X509_V_OK) {
4213          ssl_config->certverifyresult = lerr;
4214          failf(data, "SSL certificate problem: %s",
4215                X509_verify_cert_error_string(lerr));
4216        }
4217        else
4218          failf(data, "%s", "SSL certificate verification failed");
4219      }
4220#ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
4221      /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
4222         OpenSSL version above v1.1.1, not AWS-LC, BoringSSL, or LibreSSL */
4223      else if((lib == ERR_LIB_SSL) &&
4224              (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
4225        /* If client certificate is required, communicate the
4226           error to client */
4227        result = CURLE_SSL_CLIENTCERT;
4228        failf(data, "TLS cert problem: %s",
4229              ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
4230      }
4231#endif
4232#ifdef HAVE_SSL_SET1_ECH_CONFIG_LIST
4233      else if((lib == ERR_LIB_SSL) &&
4234#ifndef HAVE_BORINGSSL_LIKE
4235              (reason == SSL_R_ECH_REQUIRED)) {
4236#else
4237              (reason == SSL_R_ECH_REJECTED)) {
4238#endif /* HAVE_BORINGSSL_LIKE */
4239
4240        /* trace retry_configs if we got some */
4241        ossl_trace_ech_retry_configs(data, octx->ssl, reason);
4242
4243        result = CURLE_ECH_REQUIRED;
4244        failf(data, "ECH required: %s",
4245              ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
4246      }
4247#endif
4248      else {
4249        result = CURLE_SSL_CONNECT_ERROR;
4250        failf(data, "TLS connect error: %s",
4251              ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
4252      }
4253
4254      /* detail is already set to the SSL error above */
4255
4256      /* If we e.g. use SSLv2 request-method and the server does not like us
4257       * (RST connection, etc.), OpenSSL gives no explanation whatsoever and
4258       * the SO_ERROR is also lost.
4259       */
4260      if(result == CURLE_SSL_CONNECT_ERROR && errdetail == 0) {
4261        char extramsg[80] = "";
4262        int sockerr = SOCKERRNO;
4263
4264        if(sockerr && detail == SSL_ERROR_SYSCALL)
4265          curlx_strerror(sockerr, extramsg, sizeof(extramsg));
4266        failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%d ",
4267              extramsg[0] ? extramsg : SSL_ERROR_to_str(detail),
4268              connssl->peer.dest->hostname, connssl->peer.dest->port);
4269      }
4270
4271      return result;
4272    }
4273  }
4274  else {
4275    /* we connected fine, we are not waiting for anything else. */
4276    connssl->connecting_state = ssl_connect_3;
4277    Curl_ossl_report_handshake(data, octx);
4278
4279#if defined(HAVE_SSL_SET1_ECH_CONFIG_LIST) && !defined(HAVE_BORINGSSL_LIKE)
4280    if(CURLECH_ENABLED(data)) {
4281      char *inner = NULL, *outer = NULL;
4282      int rv;
4283      VERBOSE(const char *status);
4284
4285      rv = SSL_ech_get1_status(octx->ssl, &inner, &outer);
4286      switch(rv) {
4287      case SSL_ECH_STATUS_SUCCESS:
4288        VERBOSE(status = "succeeded");
4289        break;
4290      case SSL_ECH_STATUS_GREASE_ECH:
4291        VERBOSE(status = "sent GREASE, got retry-configs");
4292        break;
4293      case SSL_ECH_STATUS_GREASE:
4294        VERBOSE(status = "sent GREASE");
4295        break;
4296      case SSL_ECH_STATUS_NOT_TRIED:
4297        VERBOSE(status = "not attempted");
4298        break;
4299      case SSL_ECH_STATUS_NOT_CONFIGURED:
4300        VERBOSE(status = "not configured");
4301        break;
4302      case SSL_ECH_STATUS_BACKEND:
4303        VERBOSE(status = "backend (unexpected)");
4304        break;
4305      case SSL_ECH_STATUS_FAILED:
4306        VERBOSE(status = "failed");
4307        break;
4308      case SSL_ECH_STATUS_BAD_CALL:
4309        VERBOSE(status = "bad call (unexpected)");
4310        break;
4311      case SSL_ECH_STATUS_BAD_NAME: {
4312        struct ssl_primary_config *conn_config =
4313          Curl_ssl_cf_get_primary_config(cf);
4314        if(!conn_config->verifypeer && !conn_config->verifyhost &&
4315           inner && !strcmp(inner, connssl->peer.dest->hostname)) {
4316          VERBOSE(status = "bad name (tolerated without peer verification)");
4317          rv = SSL_ECH_STATUS_SUCCESS;
4318        }
4319        else {
4320          VERBOSE(status = "bad name (unexpected)");
4321        }
4322        break;
4323      }
4324      default:
4325        VERBOSE(status = "unexpected status");
4326        infof(data, "ECH: unexpected status %d", rv);
4327      }
4328      infof(data, "ECH: result: status is %s, inner is %s, outer is %s",
4329            (status ? status : "NULL"),
4330            (inner ? inner : "NULL"),
4331            (outer ? outer : "NULL"));
4332      OPENSSL_free(inner);
4333      OPENSSL_free(outer);
4334      if(rv == SSL_ECH_STATUS_GREASE_ECH) {
4335        /* trace retry_configs if we got some */
4336        ossl_trace_ech_retry_configs(data, octx->ssl, 0);
4337      }
4338      if(rv != SSL_ECH_STATUS_SUCCESS && (data->set.tls_ech == CURLECH_HARD)) {
4339        infof(data, "ECH: ech-hard failed");
4340        return CURLE_SSL_CONNECT_ERROR;
4341      }
4342    }
4343    else {
4344      infof(data, "ECH: result: status is not attempted");
4345    }
4346#endif /* HAVE_SSL_SET1_ECH_CONFIG_LIST && !HAVE_BORINGSSL_LIKE */
4347
4348    /* Sets data and len to negotiated protocol, len is 0 if no protocol was
4349     * negotiated
4350     */
4351    if(connssl->alpn) {
4352      const unsigned char *neg_protocol;
4353      unsigned int len;
4354      SSL_get0_alpn_selected(octx->ssl, &neg_protocol, &len);
4355
4356      return Curl_alpn_set_negotiated(cf, data, connssl, neg_protocol, len);
4357    }
4358
4359    return CURLE_OK;
4360  }
4361}
4362
4363/*
4364 * Heavily modified from:
4365 * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
4366 */
4367static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509 *cert,
4368                                         const char *pinnedpubkey)
4369{
4370  /* Scratch */
4371  int len1 = 0, len2 = 0;
4372  unsigned char *buff1 = NULL, *temp = NULL;
4373
4374  /* Result is returned to caller */
4375  CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
4376
4377  /* if a path was not specified, do not pin */
4378  if(!pinnedpubkey)
4379    return CURLE_OK;
4380
4381  if(!cert)
4382    return result;
4383
4384  do {
4385    /* Get the subjectPublicKeyInfo */
4386    /* https://groups.google.com/group/mailing.openssl.users/browse_thread/thread/d61858dae102c6c7 */
4387    len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
4388    if(len1 < 1)
4389      break; /* failed */
4390
4391    buff1 = temp = curlx_malloc(len1);
4392    if(!buff1)
4393      break; /* failed */
4394
4395    /* https://docs.openssl.org/master/man3/d2i_X509/ */
4396    len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
4397
4398    /*
4399     * These checks are verifying we got back the same values as when we
4400     * sized the buffer. it is pretty weak since they should always be the
4401     * same, but it gives us something to test.
4402     */
4403    if((len1 != len2) || !temp || ((temp - buff1) != len1))
4404      break; /* failed */
4405
4406    /* End Gyrations */
4407
4408    /* The one good exit point */
4409    result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
4410  } while(0);
4411
4412  if(buff1)
4413    curlx_free(buff1);
4414
4415  return result;
4416}
4417
4418#ifdef CURLVERBOSE
4419#if !defined(HAVE_BORINGSSL_LIKE) && \
4420  !(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3060000fL)
4421static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
4422{
4423  STACK_OF(X509) *certstack;
4424  long verify_result;
4425  int num_cert_levels;
4426  int cert_level;
4427
4428  if(!Curl_trc_is_verbose(data))
4429    return;
4430
4431  verify_result = SSL_get_verify_result(ssl);
4432  if(verify_result != X509_V_OK)
4433    certstack = SSL_get_peer_cert_chain(ssl);
4434  else
4435    certstack = SSL_get0_verified_chain(ssl);
4436  if(!certstack)
4437    return;
4438  num_cert_levels = sk_X509_num(certstack);
4439
4440  for(cert_level = 0; cert_level < num_cert_levels; cert_level++) {
4441    char cert_algorithm[80] = "";
4442    char group_name_final[80] = "";
4443    const X509_ALGOR *palg_cert = NULL;
4444    const ASN1_OBJECT *paobj_cert = NULL;
4445    X509 *current_cert;
4446    EVP_PKEY *current_pkey;
4447    int key_bits;
4448    int key_sec_bits;
4449    int get_group_name;
4450    const char *type_name;
4451
4452    current_cert = sk_X509_value(certstack, cert_level);
4453    if(!current_cert)
4454      continue;
4455
4456    current_pkey = X509_get0_pubkey(current_cert);
4457    if(!current_pkey)
4458      continue;
4459
4460    X509_get0_signature(NULL, &palg_cert, current_cert);
4461    X509_ALGOR_get0(&paobj_cert, NULL, NULL, palg_cert);
4462    OBJ_obj2txt(cert_algorithm, sizeof(cert_algorithm), paobj_cert, 0);
4463
4464    key_bits = EVP_PKEY_bits(current_pkey);
4465#ifndef HAVE_OPENSSL3
4466#define EVP_PKEY_get_security_bits EVP_PKEY_security_bits
4467#endif
4468    key_sec_bits = EVP_PKEY_get_security_bits(current_pkey);
4469#ifdef HAVE_OPENSSL3
4470    {
4471      char group_name[80] = "";
4472      get_group_name = EVP_PKEY_get_group_name(current_pkey, group_name,
4473                                               sizeof(group_name), NULL);
4474      curl_msnprintf(group_name_final, sizeof(group_name_final), "/%s",
4475                     group_name);
4476    }
4477    type_name = EVP_PKEY_get0_type_name(current_pkey);
4478#else
4479    get_group_name = 0;
4480    type_name = NULL;
4481#endif
4482
4483    infof(data, "  Certificate level %d: "
4484          "Public key type %s%s (%d/%d Bits/secBits), signed using %s",
4485          cert_level, type_name ? type_name : "?",
4486          get_group_name == 0 ? "" : group_name_final,
4487          key_bits, key_sec_bits, cert_algorithm);
4488  }
4489}
4490#else
4491#define infof_certstack(data, ssl)
4492#endif
4493#endif /* CURLVERBOSE */
4494
4495static CURLcode ossl_check_issuer(struct Curl_cfilter *cf,
4496                                  struct Curl_easy *data,
4497                                  X509 *server_cert)
4498{
4499  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
4500  X509 *issuer = NULL;
4501  BIO *fp = NULL;
4502  char err_buf[256] = "";
4503  bool verify_enabled = (conn_config->verifypeer || conn_config->verifyhost);
4504  CURLcode result = CURLE_OK;
4505
4506  /* e.g. match issuer name with provided issuer certificate */
4507  if(conn_config->issuercert_blob) {
4508    fp = BIO_new_mem_buf(conn_config->issuercert_blob->data,
4509                         (int)conn_config->issuercert_blob->len);
4510    if(!fp) {
4511      failf(data, "BIO_new_mem_buf NULL, " OSSL_PACKAGE " error %s",
4512            ossl_strerror(ERR_get_error(), err_buf, sizeof(err_buf)));
4513      result = CURLE_OUT_OF_MEMORY;
4514      goto out;
4515    }
4516  }
4517  else if(conn_config->issuercert) {
4518    fp = BIO_new(BIO_s_file());
4519    if(!fp) {
4520      failf(data, "BIO_new return NULL, " OSSL_PACKAGE " error %s",
4521            ossl_strerror(ERR_get_error(), err_buf, sizeof(err_buf)));
4522      result = CURLE_OUT_OF_MEMORY;
4523      goto out;
4524    }
4525
4526    if(BIO_read_filename(fp, conn_config->issuercert) <= 0) {
4527      if(verify_enabled)
4528        failf(data, "SSL: Unable to open issuer cert (%s)",
4529              conn_config->issuercert);
4530      result = CURLE_SSL_ISSUER_ERROR;
4531      goto out;
4532    }
4533  }
4534
4535  if(fp) {
4536    issuer = PEM_read_bio_X509(fp, NULL, ZERO_NULL, NULL);
4537    if(!issuer) {
4538      if(verify_enabled)
4539        failf(data, "SSL: Unable to read issuer cert (%s)",
4540              conn_config->issuercert);
4541      result = CURLE_SSL_ISSUER_ERROR;
4542      goto out;
4543    }
4544
4545    if(X509_check_issued(issuer, server_cert) != X509_V_OK) {
4546      if(verify_enabled)
4547        failf(data, "SSL: Certificate issuer check failed (%s)",
4548              conn_config->issuercert);
4549      result = CURLE_SSL_ISSUER_ERROR;
4550      goto out;
4551    }
4552
4553    infof(data, " SSL certificate issuer check ok (%s)",
4554          conn_config->issuercert);
4555  }
4556
4557out:
4558  if(fp)
4559    BIO_free(fp);
4560  if(issuer)
4561    X509_free(issuer);
4562  return result;
4563}
4564
4565static CURLcode ossl_check_pinned_key(struct Curl_cfilter *cf,
4566                                      struct Curl_easy *data,
4567                                      X509 *server_cert)
4568{
4569  const char *ptr;
4570  CURLcode result = CURLE_OK;
4571
4572  (void)cf;
4573#ifndef CURL_DISABLE_PROXY
4574  ptr = Curl_ssl_cf_is_proxy(cf) ?
4575    data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
4576    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
4577#else
4578  ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
4579#endif
4580  if(ptr) {
4581    result = ossl_pkp_pin_peer_pubkey(data, server_cert, ptr);
4582    if(result)
4583      failf(data, "SSL: public key does not match pinned public key");
4584  }
4585  return result;
4586}
4587
4588#ifdef CURLVERBOSE
4589#define MAX_CERT_NAME_LENGTH 2048
4590static CURLcode ossl_infof_cert(struct Curl_cfilter *cf,
4591                                struct Curl_easy *data,
4592                                X509 *server_cert)
4593{
4594  BIO *mem = NULL;
4595  struct dynbuf dname;
4596  char err_buf[256] = "";
4597  char *buf;
4598  long len;
4599  CURLcode result = CURLE_OK;
4600
4601  if(!Curl_trc_is_verbose(data))
4602    return CURLE_OK;
4603
4604  curlx_dyn_init(&dname, MAX_CERT_NAME_LENGTH);
4605  mem = BIO_new(BIO_s_mem());
4606  if(!mem) {
4607    failf(data, "BIO_new return NULL, " OSSL_PACKAGE " error %s",
4608          ossl_strerror(ERR_get_error(), err_buf, sizeof(err_buf)));
4609    result = CURLE_OUT_OF_MEMORY;
4610    goto out;
4611  }
4612
4613  infof(data, "%s certificate:", Curl_ssl_cf_is_proxy(cf) ?
4614        "Proxy" : "Server");
4615
4616  result = x509_name_oneline(X509_get_subject_name(server_cert), &dname);
4617  infof(data, "  subject: %s", result ? "[NONE]" : curlx_dyn_ptr(&dname));
4618
4619  ASN1_TIME_print(mem, X509_get0_notBefore(server_cert));
4620  len = BIO_get_mem_data(mem, (char **)&buf);
4621  infof(data, "  start date: %.*s", (int)len, buf);
4622  (void)BIO_reset(mem);
4623
4624  ASN1_TIME_print(mem, X509_get0_notAfter(server_cert));
4625  len = BIO_get_mem_data(mem, (char **)&buf);
4626  infof(data, "  expire date: %.*s", (int)len, buf);
4627  (void)BIO_reset(mem);
4628
4629  result = x509_name_oneline(X509_get_issuer_name(server_cert), &dname);
4630  if(result) /* should be only fatal stuff like OOM */
4631    goto out;
4632  infof(data, "  issuer: %s", curlx_dyn_ptr(&dname));
4633
4634out:
4635  BIO_free(mem);
4636  curlx_dyn_free(&dname);
4637  return result;
4638}
4639#endif /* CURLVERBOSE */
4640
4641#ifdef USE_APPLE_SECTRUST
4642struct ossl_certs_ctx {
4643  STACK_OF(X509) *sk;
4644  size_t num_certs;
4645};
4646
4647static CURLcode ossl_chain_get_der(struct Curl_cfilter *cf,
4648                                   struct Curl_easy *data,
4649                                   void *user_data,
4650                                   size_t i,
4651                                   unsigned char **pder,
4652                                   size_t *pder_len)
4653{
4654  struct ossl_certs_ctx *chain = user_data;
4655  X509 *cert;
4656  int der_len;
4657
4658  (void)cf;
4659  (void)data;
4660  *pder_len = 0;
4661  *pder = NULL;
4662
4663  if(i >= chain->num_certs)
4664    return CURLE_TOO_LARGE;
4665  cert = sk_X509_value(chain->sk, (int)i);
4666  if(!cert)
4667    return CURLE_FAILED_INIT;
4668  der_len = i2d_X509(cert, pder);
4669  if(der_len < 0)
4670    return CURLE_FAILED_INIT;
4671  *pder_len = (size_t)der_len;
4672  return CURLE_OK;
4673}
4674
4675static CURLcode ossl_apple_verify(struct Curl_cfilter *cf,
4676                                  struct Curl_easy *data,
4677                                  struct ossl_ctx *octx,
4678                                  struct ssl_peer *peer,
4679                                  bool *pverified)
4680{
4681  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
4682  struct ossl_certs_ctx chain;
4683  CURLcode result;
4684
4685  memset(&chain, 0, sizeof(chain));
4686  chain.sk = SSL_get_peer_cert_chain(octx->ssl);
4687  chain.num_certs = chain.sk ? sk_X509_num(chain.sk) : 0;
4688
4689  if(!chain.num_certs &&
4690     (conn_config->verifypeer || conn_config->verifyhost)) {
4691    if(!octx->reused_session) {
4692      failf(data, "SSL: could not get peer certificate chain");
4693      result = CURLE_PEER_FAILED_VERIFICATION;
4694    }
4695    else {
4696      /* when session was reused, there is no peer cert chain */
4697      *pverified = FALSE;
4698      return CURLE_OK;
4699    }
4700  }
4701  else {
4702#ifdef HAVE_BORINGSSL_LIKE
4703    const uint8_t *ocsp_data = NULL;
4704#else
4705    unsigned char *ocsp_data = NULL;
4706#endif
4707    long ocsp_len = 0;
4708    bool ocsp_missing = FALSE;
4709    if(conn_config->verifystatus && !octx->reused_session)
4710      ocsp_len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &ocsp_data);
4711
4712    /* SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP
4713       response data or -1 if there is no OCSP response data. */
4714    if(ocsp_len < 0) {
4715      ocsp_len = 0; /* no data available */
4716      ocsp_missing = TRUE;
4717    }
4718    result = Curl_vtls_apple_verify(cf, data, peer, chain.num_certs,
4719                                    ossl_chain_get_der, &chain,
4720                                    ocsp_data, ocsp_len);
4721    if(!result && ocsp_missing && conn_config->verifystatus &&
4722       !octx->reused_session) {
4723      /* verified, but OCSP stapling is required and server sent none */
4724      *pverified = TRUE;
4725      failf(data, "No OCSP response received");
4726      return CURLE_SSL_INVALIDCERTSTATUS;
4727    }
4728  }
4729  *pverified = !result;
4730  return result;
4731}
4732#endif /* USE_APPLE_SECTRUST */
4733
4734CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
4735                                   struct Curl_easy *data,
4736                                   struct ossl_ctx *octx,
4737                                   struct ssl_peer *peer)
4738{
4739  struct connectdata *conn = cf->conn;
4740  struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
4741  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
4742  CURLcode result = CURLE_OK;
4743  long ossl_verify;
4744  X509 *server_cert;
4745  bool verified = FALSE;
4746#if !defined(OPENSSL_NO_OCSP) && defined(USE_APPLE_SECTRUST)
4747  bool sectrust_verified = FALSE;
4748#endif
4749
4750  if(data->set.ssl.certinfo && !octx->reused_session) {
4751    /* asked to gather certificate info. Reused sessions do not have cert
4752       chains */
4753    result = ossl_certchain(data, octx->ssl);
4754    if(result)
4755      return result;
4756  }
4757
4758  server_cert = SSL_get1_peer_certificate(octx->ssl);
4759  if(!server_cert) {
4760    /* no verification at all, this maybe acceptable */
4761    if(!(conn_config->verifypeer || conn_config->verifyhost))
4762      goto out;
4763
4764    failf(data, "SSL: could not get peer certificate");
4765    result = CURLE_PEER_FAILED_VERIFICATION;
4766    goto out;
4767  }
4768
4769#ifdef CURLVERBOSE
4770  result = ossl_infof_cert(cf, data, server_cert);
4771  if(result)
4772    goto out;
4773  infof_certstack(data, octx->ssl);
4774#endif
4775
4776  if(conn_config->verifyhost) {
4777    result = ossl_verifyhost(data, conn, peer, server_cert);
4778    if(result)
4779      goto out;
4780  }
4781  /* `verifyhost` is either OK or not requested from here on */
4782
4783  ossl_verify = SSL_get_verify_result(octx->ssl);
4784  ssl_config->certverifyresult = ossl_verify;
4785  infof(data, "OpenSSL verify result: %lx", ossl_verify);
4786
4787  verified = (ossl_verify == X509_V_OK);
4788  if(verified)
4789    infof(data, "SSL certificate verified via OpenSSL.");
4790
4791#ifdef USE_APPLE_SECTRUST
4792  if(!verified && conn_config->verifypeer && ssl_config->native_ca_store) {
4793    /* we verify using Apple SecTrust *unless* OpenSSL already verified.
4794     * This may happen if the application intercepted the OpenSSL callback
4795     * and installed its own. */
4796    result = ossl_apple_verify(cf, data, octx, peer, &verified);
4797    if(result && (result != CURLE_PEER_FAILED_VERIFICATION))
4798      goto out; /* unexpected error */
4799    if(verified) {
4800      infof(data, "SSL certificate verified via Apple SecTrust.");
4801      ssl_config->certverifyresult = X509_V_OK;
4802#ifndef OPENSSL_NO_OCSP
4803      sectrust_verified = TRUE;
4804#endif
4805    }
4806  }
4807#endif
4808
4809  if(!verified) {
4810    /* no trust established, report the OpenSSL status */
4811    if(conn_config->verifypeer) {
4812      failf(data, "SSL certificate OpenSSL verify result: %s (%ld)",
4813            X509_verify_cert_error_string(ossl_verify), ossl_verify);
4814      result = CURLE_PEER_FAILED_VERIFICATION;
4815      goto out;
4816    }
4817    infof(data, " SSL certificate verification failed, continuing anyway!");
4818  }
4819
4820#ifndef OPENSSL_NO_OCSP
4821  if(conn_config->verifystatus &&
4822#ifdef USE_APPLE_SECTRUST
4823     !sectrust_verified && /* already verified via apple sectrust, cannot
4824                            * verifystate via OpenSSL in that case as it
4825                            * does not have the trust anchors */
4826#endif
4827     !octx->reused_session) {
4828    /* do not do this after Session ID reuse */
4829    result = verifystatus(cf, data, octx);
4830    if(result)
4831      goto out;
4832  }
4833#endif
4834
4835  result = ossl_check_issuer(cf, data, server_cert);
4836  if(result)
4837    goto out;
4838
4839  result = ossl_check_pinned_key(cf, data, server_cert);
4840
4841out:
4842  X509_free(server_cert);
4843  return result;
4844}
4845
4846static CURLcode ossl_connect_step3(struct Curl_cfilter *cf,
4847                                   struct Curl_easy *data)
4848{
4849  CURLcode result = CURLE_OK;
4850  struct ssl_connect_data *connssl = cf->ctx;
4851  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4852
4853  DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
4854
4855  /*
4856   * We check certificates to authenticate the server; otherwise we risk
4857   * man-in-the-middle attack; NEVERTHELESS, if we are told explicitly not to
4858   * verify the peer, ignore faults and failures from the server cert
4859   * operations.
4860   */
4861
4862  result = Curl_ossl_check_peer_cert(cf, data, octx, &connssl->peer);
4863  if(result)
4864    /* on error, remove sessions we might have in the pool */
4865    Curl_ssl_scache_remove_all(cf, data, connssl->peer.scache_key);
4866
4867  return result;
4868}
4869
4870#ifdef HAVE_OPENSSL_EARLYDATA
4871static CURLcode ossl_send_earlydata(struct Curl_cfilter *cf,
4872                                    struct Curl_easy *data)
4873{
4874  struct ssl_connect_data *connssl = cf->ctx;
4875  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4876  CURLcode result = CURLE_OK;
4877  const unsigned char *buf;
4878  size_t blen, nwritten;
4879  int rc;
4880
4881  DEBUGASSERT(connssl->earlydata_state == ssl_earlydata_sending);
4882  octx->io_result = CURLE_OK;
4883  while(Curl_bufq_peek(&connssl->earlydata, &buf, &blen)) {
4884    nwritten = 0;
4885    rc = SSL_write_early_data(octx->ssl, buf, blen, &nwritten);
4886    CURL_TRC_CF(data, cf, "SSL_write_early_data(len=%zu) -> %d, %zu",
4887                blen, rc, nwritten);
4888    if(rc <= 0) {
4889      long sslerror;
4890      char error_buffer[256];
4891      int err = SSL_get_error(octx->ssl, rc);
4892
4893      switch(err) {
4894      case SSL_ERROR_WANT_READ:
4895        connssl->io_need = CURL_SSL_IO_NEED_RECV;
4896        result = CURLE_AGAIN;
4897        goto out;
4898      case SSL_ERROR_WANT_WRITE:
4899        connssl->io_need = CURL_SSL_IO_NEED_SEND;
4900        result = CURLE_AGAIN;
4901        goto out;
4902      case SSL_ERROR_SYSCALL: {
4903        int sockerr = SOCKERRNO;
4904
4905        if(octx->io_result == CURLE_AGAIN) {
4906          result = CURLE_AGAIN;
4907          goto out;
4908        }
4909        sslerror = ERR_get_error();
4910        if(sslerror)
4911          ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
4912        else if(sockerr)
4913          curlx_strerror(sockerr, error_buffer, sizeof(error_buffer));
4914        else
4915          curl_msnprintf(error_buffer, sizeof(error_buffer), "%s",
4916                         SSL_ERROR_to_str(err));
4917
4918        failf(data, OSSL_PACKAGE " SSL_write:early_data: %s, errno %d",
4919              error_buffer, sockerr);
4920        result = CURLE_SEND_ERROR;
4921        goto out;
4922      }
4923      case SSL_ERROR_SSL: {
4924        /*  A failure in the SSL library occurred, usually a protocol error.
4925            The OpenSSL error queue contains more information on the error. */
4926        sslerror = ERR_get_error();
4927        failf(data, "SSL_write_early_data() error: %s",
4928              ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)));
4929        result = CURLE_SEND_ERROR;
4930        goto out;
4931      }
4932      default:
4933        /* a true error */
4934        failf(data, OSSL_PACKAGE " SSL_write_early_data: %s, errno %d",
4935              SSL_ERROR_to_str(err), SOCKERRNO);
4936        result = CURLE_SEND_ERROR;
4937        goto out;
4938      }
4939    }
4940    Curl_bufq_skip(&connssl->earlydata, nwritten);
4941  }
4942  /* sent everything there was */
4943  infof(data, "SSL sending %zu bytes of early data", connssl->earlydata_skip);
4944out:
4945  return result;
4946}
4947#endif /* HAVE_OPENSSL_EARLYDATA */
4948
4949static CURLcode ossl_connect(struct Curl_cfilter *cf,
4950                             struct Curl_easy *data,
4951                             bool *done)
4952{
4953  CURLcode result = CURLE_OK;
4954  struct ssl_connect_data *connssl = cf->ctx;
4955
4956  /* check if the connection has already been established */
4957  if(ssl_connection_complete == connssl->state) {
4958    *done = TRUE;
4959    return CURLE_OK;
4960  }
4961
4962  *done = FALSE;
4963  connssl->io_need = CURL_SSL_IO_NEED_NONE;
4964
4965  if(ssl_connect_1 == connssl->connecting_state) {
4966    if(Curl_ossl_need_httpsrr(data) &&
4967       !Curl_conn_dns_resolved_https(data, cf->sockindex)) {
4968      CURL_TRC_CF(data, cf, "need HTTPS-RR, delaying connect");
4969      return CURLE_OK;
4970    }
4971    CURL_TRC_CF(data, cf, "ossl_connect, step1");
4972    result = ossl_connect_step1(cf, data);
4973    if(result)
4974      goto out;
4975  }
4976
4977  if(ssl_connect_2 == connssl->connecting_state) {
4978    CURL_TRC_CF(data, cf, "ossl_connect, step2");
4979#ifdef HAVE_OPENSSL_EARLYDATA
4980    if(connssl->earlydata_state == ssl_earlydata_await) {
4981      goto out;
4982    }
4983    else if(connssl->earlydata_state == ssl_earlydata_sending) {
4984      result = ossl_send_earlydata(cf, data);
4985      if(result)
4986        goto out;
4987      connssl->earlydata_state = ssl_earlydata_sent;
4988    }
4989#endif
4990    DEBUGASSERT((connssl->earlydata_state == ssl_earlydata_none) ||
4991                (connssl->earlydata_state == ssl_earlydata_sent));
4992
4993    result = ossl_connect_step2(cf, data);
4994    if(result)
4995      goto out;
4996  }
4997
4998  if(ssl_connect_3 == connssl->connecting_state) {
4999    CURL_TRC_CF(data, cf, "ossl_connect, step3");
5000    result = ossl_connect_step3(cf, data);
5001    if(result)
5002      goto out;
5003    connssl->connecting_state = ssl_connect_done;
5004#ifdef HAVE_OPENSSL_EARLYDATA
5005    if(connssl->earlydata_state > ssl_earlydata_none) {
5006      struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
5007      /* We should be in this state by now */
5008      DEBUGASSERT(connssl->earlydata_state == ssl_earlydata_sent);
5009      connssl->earlydata_state =
5010        (SSL_get_early_data_status(octx->ssl) == SSL_EARLY_DATA_ACCEPTED) ?
5011        ssl_earlydata_accepted : ssl_earlydata_rejected;
5012    }
5013#endif
5014  }
5015
5016  if(ssl_connect_done == connssl->connecting_state) {
5017    CURL_TRC_CF(data, cf, "ossl_connect, done");
5018    connssl->state = ssl_connection_complete;
5019  }
5020
5021out:
5022  if(result == CURLE_AGAIN) {
5023    *done = FALSE;
5024    return CURLE_OK;
5025  }
5026  *done = ((connssl->state == ssl_connection_complete) ||
5027           (connssl->state == ssl_connection_deferred));
5028  return result;
5029}
5030
5031static bool ossl_data_pending(struct Curl_cfilter *cf,
5032                              const struct Curl_easy *data)
5033{
5034  struct ssl_connect_data *connssl = cf->ctx;
5035  (void)data;
5036  return (bool)connssl->input_pending;
5037}
5038
5039static CURLcode ossl_send(struct Curl_cfilter *cf,
5040                          struct Curl_easy *data,
5041                          const void *mem,
5042                          size_t len,
5043                          size_t *pnwritten)
5044{
5045  /* SSL_write() is said to return 'int' while write() and send() returns
5046     'size_t' */
5047  int err;
5048  char error_buffer[256];
5049  sslerr_t sslerror;
5050  int memlen;
5051  struct ssl_connect_data *connssl = cf->ctx;
5052  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
5053  CURLcode result = CURLE_OK;
5054  int nwritten;
5055
5056  DEBUGASSERT(octx);
5057  *pnwritten = 0;
5058  ERR_clear_error();
5059
5060  connssl->io_need = CURL_SSL_IO_NEED_NONE;
5061  memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
5062  if(octx->blocked_ssl_write_len && (octx->blocked_ssl_write_len != memlen)) {
5063    /* The previous SSL_write() call was blocked, using that length.
5064     * We need to use that again or OpenSSL freaks out. A shorter
5065     * length should not happen and is a bug in libcurl. */
5066    if(octx->blocked_ssl_write_len > memlen) {
5067      DEBUGASSERT(0);
5068      return CURLE_BAD_FUNCTION_ARGUMENT;
5069    }
5070    memlen = octx->blocked_ssl_write_len;
5071  }
5072  octx->blocked_ssl_write_len = 0;
5073  nwritten = SSL_write(octx->ssl, mem, memlen);
5074
5075  if(nwritten > 0)
5076    *pnwritten = (size_t)nwritten;
5077  else {
5078    err = SSL_get_error(octx->ssl, nwritten);
5079
5080    switch(err) {
5081    case SSL_ERROR_WANT_READ:
5082      connssl->io_need = CURL_SSL_IO_NEED_RECV;
5083      octx->blocked_ssl_write_len = memlen;
5084      result = CURLE_AGAIN;
5085      goto out;
5086    case SSL_ERROR_WANT_WRITE:
5087      result = CURLE_AGAIN;
5088      octx->blocked_ssl_write_len = memlen;
5089      goto out;
5090    case SSL_ERROR_SYSCALL: {
5091      int sockerr = SOCKERRNO;
5092
5093      if(octx->io_result == CURLE_AGAIN) {
5094        octx->blocked_ssl_write_len = memlen;
5095        result = CURLE_AGAIN;
5096        goto out;
5097      }
5098      sslerror = ERR_get_error();
5099      if(sslerror)
5100        ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
5101      else if(sockerr)
5102        curlx_strerror(sockerr, error_buffer, sizeof(error_buffer));
5103      else
5104        curl_msnprintf(error_buffer, sizeof(error_buffer), "%s",
5105                       SSL_ERROR_to_str(err));
5106
5107      failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
5108            error_buffer, sockerr);
5109      result = CURLE_SEND_ERROR;
5110      goto out;
5111    }
5112    case SSL_ERROR_SSL: {
5113      /*  A failure in the SSL library occurred, usually a protocol error.
5114          The OpenSSL error queue contains more information on the error. */
5115      sslerror = ERR_get_error();
5116      failf(data, "SSL_write() error: %s",
5117            ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)));
5118      result = CURLE_SEND_ERROR;
5119      goto out;
5120    }
5121    default:
5122      /* a true error */
5123      failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
5124            SSL_ERROR_to_str(err), SOCKERRNO);
5125      result = CURLE_SEND_ERROR;
5126      goto out;
5127    }
5128  }
5129
5130out:
5131  return result;
5132}
5133
5134static CURLcode ossl_recv(struct Curl_cfilter *cf,
5135                          struct Curl_easy *data,   /* transfer */
5136                          char *buf,                /* store read data here */
5137                          size_t buffersize,        /* max amount to read */
5138                          size_t *pnread)
5139{
5140  char error_buffer[256];
5141  unsigned long sslerror;
5142  int buffsize;
5143  struct ssl_connect_data *connssl = cf->ctx;
5144  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
5145  CURLcode result = CURLE_OK;
5146  int nread;
5147
5148  DEBUGASSERT(octx);
5149
5150  *pnread = 0;
5151  ERR_clear_error();
5152
5153  connssl->io_need = CURL_SSL_IO_NEED_NONE;
5154  buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
5155  nread = SSL_read(octx->ssl, buf, buffsize);
5156
5157  if(nread > 0)
5158    *pnread = (size_t)nread;
5159  else {
5160    /* failed SSL_read */
5161    int err = SSL_get_error(octx->ssl, nread);
5162
5163    switch(err) {
5164    case SSL_ERROR_NONE: /* this is not an error */
5165      break;
5166    case SSL_ERROR_ZERO_RETURN: /* no more data */
5167      /* close_notify alert */
5168      if(cf->sockindex == FIRSTSOCKET)
5169        /* mark the connection for close if it is indeed the control
5170           connection */
5171        CURL_TRC_CF(data, cf, "TLS close_notify");
5172      break;
5173    case SSL_ERROR_WANT_READ:
5174      connssl->io_need = CURL_SSL_IO_NEED_RECV;
5175      result = CURLE_AGAIN;
5176      goto out;
5177    case SSL_ERROR_WANT_WRITE:
5178      connssl->io_need = CURL_SSL_IO_NEED_SEND;
5179      result = CURLE_AGAIN;
5180      goto out;
5181    default:
5182      /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
5183         value/errno" */
5184      /* https://docs.openssl.org/master/man3/ERR_get_error/ */
5185      if(octx->io_result == CURLE_AGAIN) {
5186        result = CURLE_AGAIN;
5187        goto out;
5188      }
5189      sslerror = ERR_get_error();
5190      if((nread < 0) || sslerror) {
5191        /* If the return code was negative or there actually is an error in the
5192           queue */
5193        int sockerr = SOCKERRNO;
5194        if(sslerror)
5195          ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
5196        else if(sockerr && err == SSL_ERROR_SYSCALL)
5197          curlx_strerror(sockerr, error_buffer, sizeof(error_buffer));
5198        else
5199          curl_msnprintf(error_buffer, sizeof(error_buffer), "%s",
5200                         SSL_ERROR_to_str(err));
5201        failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
5202              error_buffer, sockerr);
5203        result = CURLE_RECV_ERROR;
5204        goto out;
5205      }
5206      else if(err == SSL_ERROR_SYSCALL) {
5207        if(octx->io_result) {
5208          /* logging handling in underlying filter already */
5209          result = octx->io_result;
5210        }
5211        else if(connssl->peer_closed) {
5212          failf(data, "Connection closed abruptly");
5213          result = CURLE_RECV_ERROR;
5214        }
5215        else {
5216          /* We should no longer get here nowadays, but handle
5217           * the error in case of some weirdness in the OSSL stack */
5218          int sockerr = SOCKERRNO;
5219          if(sockerr)
5220            curlx_strerror(sockerr, error_buffer, sizeof(error_buffer));
5221          else {
5222            curl_msnprintf(error_buffer, sizeof(error_buffer),
5223                           "Connection closed abruptly");
5224          }
5225          failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
5226                error_buffer, sockerr);
5227          result = CURLE_RECV_ERROR;
5228        }
5229        goto out;
5230      }
5231    }
5232  }
5233
5234out:
5235  if((!result && !*pnread) || (result == CURLE_AGAIN)) {
5236    /* This happens when:
5237     * - we read an EOF
5238     * - OpenSSLs buffers are empty, there is no more data
5239     * - OpenSSL read is blocked on writing something first
5240     * - an incomplete TLS packet is buffered that cannot be read
5241     *   until more data arrives */
5242    connssl->input_pending = FALSE;
5243  }
5244  CURL_TRC_CF(data, cf, "ossl_recv(len=%zu) -> %d, %zu (in_pending=%d)",
5245              buffersize, result, *pnread, connssl->input_pending);
5246  return result;
5247}
5248
5249static CURLcode ossl_get_channel_binding(struct Curl_easy *data,
5250                                         int sockindex,
5251                                         struct dynbuf *binding)
5252{
5253  X509 *cert;
5254  int mdnid;
5255  bool no_digest_acceptable = FALSE;
5256  const EVP_MD *algo_type = NULL;
5257  const char *algo_name = NULL;
5258  unsigned int length;
5259  unsigned char buf[EVP_MAX_MD_SIZE];
5260
5261  const char prefix[] = "tls-server-end-point:";
5262  struct connectdata *conn = data->conn;
5263  struct Curl_cfilter *cf = conn->cfilter[sockindex];
5264  struct ossl_ctx *octx = NULL;
5265  CURLcode result = CURLE_OK;
5266
5267  do {
5268    const struct Curl_cftype *cft = cf->cft;
5269    struct ssl_connect_data *connssl = cf->ctx;
5270
5271    if(cft->name && !strcmp(cft->name, "SSL")) {
5272      octx = (struct ossl_ctx *)connssl->backend;
5273      break;
5274    }
5275
5276    cf = cf->next;
5277  } while(cf);
5278
5279  if(!octx) {
5280    failf(data, "Failed to find the SSL filter");
5281    return CURLE_BAD_FUNCTION_ARGUMENT;
5282  }
5283
5284  cert = SSL_get1_peer_certificate(octx->ssl);
5285  if(!cert)
5286    /* No server certificate, do not do channel binding */
5287    return CURLE_OK;
5288
5289#ifdef HAVE_OPENSSL3
5290  {
5291    int pknid, secbits;
5292    uint32_t flags;
5293    EVP_PKEY *pkey = X509_get0_pubkey(cert);
5294
5295    if(!X509_get_signature_info(cert, &mdnid, &pknid, &secbits, &flags)) {
5296      failf(data, "certificate signature algorithm not recognized");
5297      result = CURLE_SSL_INVALIDCERTSTATUS;
5298      goto out;
5299    }
5300
5301    if(mdnid != NID_undef) {
5302      if(mdnid == NID_md5 || mdnid == NID_sha1) {
5303        algo_type = EVP_sha256();
5304      }
5305      else
5306        algo_type = EVP_get_digestbynid(mdnid);
5307    }
5308    else if(pkey && !EVP_PKEY_is_a(pkey, OBJ_nid2sn(pknid))) {
5309      /* The cert's pkey is different from the algorithm used to sign
5310       * the certificate. Since the reported `mdnid` is undefined, there
5311       * is no digest algorithm available here. This happens in PQC
5312       * and is accepted, resulting in no addition to the binding. */
5313      no_digest_acceptable = TRUE;
5314    }
5315    else if(pkey) {
5316      /* cert's pkey type is the same as the cert signer (or same family).
5317       * Ask for the mandatory/advisory digest algorithm for the pkey.
5318       */
5319      char mdname[128] = "";
5320      int rc = EVP_PKEY_get_default_digest_name(pkey, mdname, sizeof(mdname));
5321      bool md_is_undef = !strcmp(mdname, "UNDEF");
5322
5323      if(rc == 2 && md_is_undef) {
5324        /* OpenSSL declares "undef" the *mandatory* digest for this key.
5325         * This is some PQC shit, accept it, no addition to binding. */
5326        no_digest_acceptable = TRUE;
5327      }
5328      else if(rc > 0 && mdname[0] != '\0' && !md_is_undef) {
5329        infof(data, "Digest algorithm : %s%s (derived from public key)"
5330              ", but unavailable",
5331              mdname, rc == 2 ? " [mandatory]" : " [advisory]");
5332      }
5333    }
5334  }
5335#else /* HAVE_OPENSSL3 */
5336
5337  if(!OBJ_find_sigid_algs(X509_get_signature_nid(cert), &mdnid, NULL)) {
5338    failf(data,
5339          "Unable to find digest NID for certificate signature algorithm");
5340    result = CURLE_SSL_INVALIDCERTSTATUS;
5341    goto out;
5342  }
5343
5344  /* https://datatracker.ietf.org/doc/html/rfc5929#section-4.1 */
5345  if(mdnid == NID_md5 || mdnid == NID_sha1) {
5346    algo_type = EVP_sha256();
5347  }
5348  else {
5349    algo_type = EVP_get_digestbynid(mdnid);
5350    if(!algo_type) {
5351      algo_name = OBJ_nid2sn(mdnid);
5352      failf(data, "Could not find digest algorithm %s (NID %d)",
5353            algo_name ? algo_name : "(null)", mdnid);
5354      result = CURLE_SSL_INVALIDCERTSTATUS;
5355      goto out;
5356    }
5357  }
5358
5359#endif /* HAVE_OPENSSL3, else */
5360
5361  if(!algo_type) {
5362    if(no_digest_acceptable) {
5363      infof(data, "certificate exposes no signing digest algorithm, "
5364            "nothing to add to channel binding");
5365      result = CURLE_OK;
5366      goto out;
5367    }
5368    /* unacceptable, something is wrong, fail */
5369    algo_name = OBJ_nid2sn(mdnid);
5370    failf(data, "Unable to find digest algorithm %s (NID %d) "
5371          "for channel binding", algo_name ? algo_name : "(null)", mdnid);
5372    result = CURLE_SSL_INVALIDCERTSTATUS;
5373    goto out;
5374  }
5375
5376  if(!X509_digest(cert, algo_type, buf, &length)) {
5377    failf(data, "X509_digest() failed for channel binding");
5378    result = CURLE_SSL_INVALIDCERTSTATUS;
5379    goto out;
5380  }
5381
5382  /* Append "tls-server-end-point:" */
5383  result = curlx_dyn_addn(binding, prefix, sizeof(prefix) - 1);
5384  if(result)
5385    goto out;
5386
5387  /* Append digest */
5388  result = curlx_dyn_addn(binding, buf, length);
5389
5390out:
5391  X509_free(cert);
5392  return result;
5393}
5394
5395size_t Curl_ossl_version(char *buffer, size_t size)
5396{
5397#ifdef LIBRESSL_VERSION_NUMBER
5398  char *p;
5399  size_t count;
5400  const char *ver = OpenSSL_version(OPENSSL_VERSION);
5401  const char expected[] = OSSL_PACKAGE " "; /* ie "LibreSSL " */
5402  if(curl_strnequal(ver, expected, sizeof(expected) - 1)) {
5403    ver += sizeof(expected) - 1;
5404  }
5405  count = curl_msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, ver);
5406  for(p = buffer; *p; ++p) {
5407    if(ISBLANK(*p))
5408      *p = '_';
5409  }
5410  return count;
5411#elif defined(OPENSSL_IS_AWSLC)
5412  return curl_msnprintf(buffer, size, "%s/%s",
5413                        OSSL_PACKAGE, AWSLC_VERSION_NUMBER_STRING);
5414#elif defined(OPENSSL_IS_BORINGSSL)
5415#ifdef CURL_BORINGSSL_VERSION
5416  return curl_msnprintf(buffer, size, "%s/%s",
5417                        OSSL_PACKAGE, CURL_BORINGSSL_VERSION);
5418#else
5419  return curl_msnprintf(buffer, size, OSSL_PACKAGE);
5420#endif
5421#else /* OpenSSL 3+ */
5422  return curl_msnprintf(buffer, size, "%s/%s",
5423                        OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING));
5424#endif
5425}
5426
5427/* can be called with data == NULL */
5428static CURLcode ossl_random(struct Curl_easy *data,
5429                            unsigned char *entropy, size_t length)
5430{
5431  int rc;
5432  if(data) {
5433    if(ossl_seed(data)) /* Initiate the seed if not already done */
5434      return CURLE_FAILED_INIT; /* could not seed for some reason */
5435  }
5436  else {
5437    if(!rand_enough())
5438      return CURLE_FAILED_INIT;
5439  }
5440  /* RAND_bytes() returns 1 on success, 0 otherwise. */
5441  rc = RAND_bytes(entropy, (ossl_valsize_t)curlx_uztosi(length));
5442  return rc == 1 ? CURLE_OK : CURLE_FAILED_INIT;
5443}
5444
5445static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */
5446                               size_t tmplen,
5447                               unsigned char *sha256sum /* output */,
5448                               size_t unused)
5449{
5450  EVP_MD_CTX *mdctx;
5451  unsigned int len = 0;
5452  (void)unused;
5453
5454  mdctx = EVP_MD_CTX_create();
5455  if(!mdctx)
5456    return CURLE_OUT_OF_MEMORY;
5457  if(!EVP_DigestInit(mdctx, EVP_sha256())) {
5458    EVP_MD_CTX_destroy(mdctx);
5459    return CURLE_FAILED_INIT;
5460  }
5461  EVP_DigestUpdate(mdctx, tmp, tmplen);
5462  EVP_DigestFinal_ex(mdctx, sha256sum, &len);
5463  EVP_MD_CTX_destroy(mdctx);
5464  return CURLE_OK;
5465}
5466
5467static bool ossl_cert_status_request(void)
5468{
5469#ifndef OPENSSL_NO_OCSP
5470  return TRUE;
5471#else
5472  return FALSE;
5473#endif
5474}
5475
5476static void *ossl_get_internals(struct ssl_connect_data *connssl,
5477                                CURLINFO info)
5478{
5479  /* Legacy: CURLINFO_TLS_SESSION must return an SSL_CTX pointer. */
5480  struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
5481  DEBUGASSERT(octx);
5482  return info == CURLINFO_TLS_SESSION ?
5483    (void *)octx->ssl_ctx : (void *)octx->ssl;
5484}
5485
5486const struct Curl_ssl Curl_ssl_openssl = {
5487  { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */
5488
5489  SSLSUPP_CA_PATH |
5490  SSLSUPP_CAINFO_BLOB |
5491  SSLSUPP_CERTINFO |
5492  SSLSUPP_PINNEDPUBKEY |
5493  SSLSUPP_SSL_CTX |
5494#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
5495  SSLSUPP_TLS13_CIPHERSUITES |
5496#endif
5497#ifdef HAVE_SSL_CTX_SET1_SIGALGS
5498  SSLSUPP_SIGNATURE_ALGORITHMS |
5499#endif
5500#ifdef HAVE_SSL_SET1_ECH_CONFIG_LIST
5501  SSLSUPP_ECH |
5502#endif
5503  SSLSUPP_CA_CACHE |
5504  SSLSUPP_HTTPS_PROXY |
5505  SSLSUPP_CIPHER_LIST |
5506  SSLSUPP_ISSUERCERT |
5507  SSLSUPP_ISSUERCERT_BLOB |
5508  SSLSUPP_SSL_EC_CURVES |
5509  SSLSUPP_CRLFILE,
5510
5511  sizeof(struct ossl_ctx),
5512
5513  ossl_init,                /* init */
5514  ossl_cleanup,             /* cleanup */
5515  Curl_ossl_version,        /* version */
5516  ossl_shutdown,            /* shutdown */
5517  ossl_data_pending,        /* data_pending */
5518  ossl_random,              /* random */
5519  ossl_cert_status_request, /* cert_status_request */
5520  ossl_connect,             /* connect */
5521  Curl_ssl_adjust_pollset,  /* adjust_pollset */
5522  ossl_get_internals,       /* get_internals */
5523  ossl_close,               /* close_one */
5524  ossl_close_all,           /* close_all */
5525  ossl_set_engine,          /* set_engine or provider */
5526  ossl_set_engine_default,  /* set_engine_default */
5527  ossl_engines_list,        /* engines_list */
5528  ossl_sha256sum,           /* sha256sum */
5529  ossl_recv,                /* recv decrypted data */
5530  ossl_send,                /* send data to encrypt */
5531  ossl_get_channel_binding  /* get_channel_binding */
5532};
5533
5534#endif /* USE_OPENSSL */