diff options
| author | dartraiden <wowemuh@gmail.com> | 2024-05-24 23:43:03 +0300 |
|---|---|---|
| committer | dartraiden <wowemuh@gmail.com> | 2024-05-24 23:43:03 +0300 |
| commit | ff76fe6c8f1e3b34c5571437612a038077f29860 (patch) | |
| tree | 0ae912a13465fa5658253185d4eeab21d6ecdfde /libs/libcurl/src/vquic/vquic-tls.c | |
| parent | 174bf88b63eaf4b49c00894a3f14fbf9194cae02 (diff) | |
libcurl: update to 8.8.0
Diffstat (limited to 'libs/libcurl/src/vquic/vquic-tls.c')
| -rw-r--r-- | libs/libcurl/src/vquic/vquic-tls.c | 387 |
1 files changed, 58 insertions, 329 deletions
diff --git a/libs/libcurl/src/vquic/vquic-tls.c b/libs/libcurl/src/vquic/vquic-tls.c index 2a5f243e5d..df8a4f5c19 100644 --- a/libs/libcurl/src/vquic/vquic-tls.c +++ b/libs/libcurl/src/vquic/vquic-tls.c @@ -24,7 +24,7 @@ #include "curl_setup.h"
-#if defined(ENABLE_QUIC) && \
+#if defined(USE_HTTP3) && \
(defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_WOLFSSL))
#ifdef USE_OPENSSL
@@ -61,277 +61,12 @@ #define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
#endif
-#ifdef USE_OPENSSL
-#define QUIC_CIPHERS \
- "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_" \
- "POLY1305_SHA256:TLS_AES_128_CCM_SHA256"
-#define QUIC_GROUPS "P-256:X25519:P-384:P-521"
-#elif defined(USE_GNUTLS)
-#define QUIC_PRIORITY \
- "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:" \
- "+CHACHA20-POLY1305:+AES-128-CCM:-GROUP-ALL:+GROUP-SECP256R1:" \
- "+GROUP-X25519:+GROUP-SECP384R1:+GROUP-SECP521R1:" \
- "%DISABLE_TLS13_COMPAT_MODE"
-#elif defined(USE_WOLFSSL)
+#if defined(USE_WOLFSSL)
+
#define QUIC_CIPHERS \
"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_" \
"POLY1305_SHA256:TLS_AES_128_CCM_SHA256"
#define QUIC_GROUPS "P-256:P-384:P-521"
-#endif
-
-
-#ifdef USE_OPENSSL
-
-static void keylog_callback(const SSL *ssl, const char *line)
-{
- (void)ssl;
- Curl_tls_keylog_write_line(line);
-}
-
-static CURLcode curl_ossl_init_ctx(struct quic_tls_ctx *ctx,
- struct Curl_cfilter *cf,
- struct Curl_easy *data,
- Curl_vquic_tls_ctx_setup *ctx_setup)
-{
- struct ssl_primary_config *conn_config;
- CURLcode result = CURLE_FAILED_INIT;
-
- DEBUGASSERT(!ctx->ssl_ctx);
-#ifdef USE_OPENSSL_QUIC
- ctx->ssl_ctx = SSL_CTX_new(OSSL_QUIC_client_method());
-#else
- ctx->ssl_ctx = SSL_CTX_new(TLS_method());
-#endif
- if(!ctx->ssl_ctx) {
- result = CURLE_OUT_OF_MEMORY;
- goto out;
- }
- conn_config = Curl_ssl_cf_get_primary_config(cf);
- if(!conn_config) {
- result = CURLE_FAILED_INIT;
- goto out;
- }
-
- if(ctx_setup) {
- result = ctx_setup(ctx, cf, data);
- if(result)
- goto out;
- }
-
- SSL_CTX_set_default_verify_paths(ctx->ssl_ctx);
-
- {
- const char *curves = conn_config->curves ?
- conn_config->curves : QUIC_GROUPS;
- if(!SSL_CTX_set1_curves_list(ctx->ssl_ctx, curves)) {
- failf(data, "failed setting curves list for QUIC: '%s'", curves);
- return CURLE_SSL_CIPHER;
- }
- }
-
-#ifndef OPENSSL_IS_BORINGSSL
- {
- const char *ciphers13 = conn_config->cipher_list13 ?
- conn_config->cipher_list13 : QUIC_CIPHERS;
- if(SSL_CTX_set_ciphersuites(ctx->ssl_ctx, ciphers13) != 1) {
- failf(data, "failed setting QUIC cipher suite: %s", ciphers13);
- return CURLE_SSL_CIPHER;
- }
- infof(data, "QUIC cipher selection: %s", ciphers13);
- }
-#endif
-
- /* Open the file if a TLS or QUIC backend has not done this before. */
- Curl_tls_keylog_open();
- if(Curl_tls_keylog_enabled()) {
- SSL_CTX_set_keylog_callback(ctx->ssl_ctx, keylog_callback);
- }
-
- /* OpenSSL always tries to verify the peer, this only says whether it should
- * fail to connect if the verification fails, or if it should continue
- * anyway. In the latter case the result of the verification is checked with
- * SSL_get_verify_result() below. */
- SSL_CTX_set_verify(ctx->ssl_ctx, conn_config->verifypeer ?
- SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
-
- /* give application a chance to interfere with SSL set up. */
- if(data->set.ssl.fsslctx) {
- /* When a user callback is installed to modify the SSL_CTX,
- * we need to do the full initialization before calling it.
- * See: #11800 */
- if(!ctx->x509_store_setup) {
- result = Curl_ssl_setup_x509_store(cf, data, ctx->ssl_ctx);
- if(result)
- goto out;
- ctx->x509_store_setup = TRUE;
- }
- Curl_set_in_callback(data, true);
- result = (*data->set.ssl.fsslctx)(data, ctx->ssl_ctx,
- data->set.ssl.fsslctxp);
- Curl_set_in_callback(data, false);
- if(result) {
- failf(data, "error signaled by ssl ctx callback");
- goto out;
- }
- }
- result = CURLE_OK;
-
-out:
- if(result && ctx->ssl_ctx) {
- SSL_CTX_free(ctx->ssl_ctx);
- ctx->ssl_ctx = NULL;
- }
- return result;
-}
-
-static CURLcode curl_ossl_set_client_cert(struct quic_tls_ctx *ctx,
- struct Curl_cfilter *cf,
- struct Curl_easy *data)
-{
- SSL_CTX *ssl_ctx = ctx->ssl_ctx;
- const struct ssl_config_data *ssl_config;
-
- ssl_config = Curl_ssl_cf_get_config(cf, data);
- DEBUGASSERT(ssl_config);
-
- if(ssl_config->primary.clientcert ||
- ssl_config->primary.cert_blob ||
- ssl_config->cert_type) {
- return Curl_ossl_set_client_cert(
- data, ssl_ctx, ssl_config->primary.clientcert,
- ssl_config->primary.cert_blob, ssl_config->cert_type,
- ssl_config->key, ssl_config->key_blob,
- ssl_config->key_type, ssl_config->key_passwd);
- }
-
- return CURLE_OK;
-}
-
-/** SSL callbacks ***/
-
-static CURLcode curl_ossl_init_ssl(struct quic_tls_ctx *ctx,
- struct Curl_easy *data,
- struct ssl_peer *peer,
- const char *alpn, size_t alpn_len,
- void *user_data)
-{
- DEBUGASSERT(!ctx->ssl);
- ctx->ssl = SSL_new(ctx->ssl_ctx);
-
- SSL_set_app_data(ctx->ssl, user_data);
- SSL_set_connect_state(ctx->ssl);
-#ifndef USE_OPENSSL_QUIC
- SSL_set_quic_use_legacy_codepoint(ctx->ssl, 0);
-#endif
-
- if(alpn)
- SSL_set_alpn_protos(ctx->ssl, (const uint8_t *)alpn, (int)alpn_len);
-
- if(peer->sni) {
- if(!SSL_set_tlsext_host_name(ctx->ssl, peer->sni)) {
- failf(data, "Failed set SNI");
- SSL_free(ctx->ssl);
- ctx->ssl = NULL;
- return CURLE_QUIC_CONNECT_ERROR;
- }
- }
- return CURLE_OK;
-}
-
-#elif defined(USE_GNUTLS)
-static int keylog_callback(gnutls_session_t session, const char *label,
- const gnutls_datum_t *secret)
-{
- gnutls_datum_t crandom;
- gnutls_datum_t srandom;
-
- gnutls_session_get_random(session, &crandom, &srandom);
- if(crandom.size != 32) {
- return -1;
- }
-
- Curl_tls_keylog_write(label, crandom.data, secret->data, secret->size);
- return 0;
-}
-
-static CURLcode curl_gtls_init_ctx(struct quic_tls_ctx *ctx,
- struct Curl_cfilter *cf,
- struct Curl_easy *data,
- struct ssl_peer *peer,
- const char *alpn, size_t alpn_len,
- Curl_vquic_tls_ctx_setup *ctx_setup,
- void *user_data)
-{
- struct ssl_primary_config *conn_config;
- CURLcode result;
- gnutls_datum_t alpns[5];
- /* this will need some attention when HTTPS proxy over QUIC get fixed */
- long * const pverifyresult = &data->set.ssl.certverifyresult;
- int rc;
-
- conn_config = Curl_ssl_cf_get_primary_config(cf);
- if(!conn_config)
- return CURLE_FAILED_INIT;
-
- DEBUGASSERT(ctx->gtls == NULL);
- ctx->gtls = calloc(1, sizeof(*(ctx->gtls)));
- if(!ctx->gtls)
- return CURLE_OUT_OF_MEMORY;
-
- result = gtls_client_init(data, conn_config, &data->set.ssl,
- peer, ctx->gtls, pverifyresult);
- if(result)
- return result;
-
- gnutls_session_set_ptr(ctx->gtls->session, user_data);
-
- if(ctx_setup) {
- result = ctx_setup(ctx, cf, data);
- if(result)
- return result;
- }
-
- rc = gnutls_priority_set_direct(ctx->gtls->session, QUIC_PRIORITY, NULL);
- if(rc < 0) {
- CURL_TRC_CF(data, cf, "gnutls_priority_set_direct failed: %s\n",
- gnutls_strerror(rc));
- return CURLE_QUIC_CONNECT_ERROR;
- }
-
- /* Open the file if a TLS or QUIC backend has not done this before. */
- Curl_tls_keylog_open();
- if(Curl_tls_keylog_enabled()) {
- gnutls_session_set_keylog_function(ctx->gtls->session, keylog_callback);
- }
-
- /* convert the ALPN string from our arguments to a list of strings
- * that gnutls wants and will convert internally back to this very
- * string for sending to the server. nice. */
- if(alpn) {
- size_t i, alen = alpn_len;
- unsigned char *s = (unsigned char *)alpn;
- unsigned char slen;
- for(i = 0; (i < ARRAYSIZE(alpns)) && alen; ++i) {
- slen = s[0];
- if(slen >= alen)
- return CURLE_FAILED_INIT;
- alpns[i].data = s + 1;
- alpns[i].size = slen;
- s += slen + 1;
- alen -= (size_t)slen + 1;
- }
- if(alen) /* not all alpn chars used, wrong format or too many */
- return CURLE_FAILED_INIT;
- if(i) {
- gnutls_alpn_set_protocols(ctx->gtls->session,
- alpns, (unsigned int)i,
- GNUTLS_ALPN_MANDATORY);
- }
- }
-
- return CURLE_OK;
-}
-#elif defined(USE_WOLFSSL)
#if defined(HAVE_SECRET_CALLBACK)
static void keylog_callback(const WOLFSSL *ssl, const char *line)
@@ -341,10 +76,11 @@ static void keylog_callback(const WOLFSSL *ssl, const char *line) }
#endif
-static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx,
+static CURLcode curl_wssl_init_ctx(struct curl_tls_ctx *ctx,
struct Curl_cfilter *cf,
struct Curl_easy *data,
- Curl_vquic_tls_ctx_setup *ctx_setup)
+ Curl_vquic_tls_ctx_setup *cb_setup,
+ void *cb_user_data)
{
struct ssl_primary_config *conn_config;
CURLcode result = CURLE_FAILED_INIT;
@@ -361,8 +97,8 @@ static CURLcode curl_wssl_init_ctx(struct quic_tls_ctx *ctx, goto out;
}
- if(ctx_setup) {
- result = ctx_setup(ctx, cf, data);
+ if(cb_setup) {
+ result = cb_setup(cf, data, cb_user_data);
if(result)
goto out;
}
@@ -458,7 +194,7 @@ out: /** SSL callbacks ***/
-static CURLcode curl_wssl_init_ssl(struct quic_tls_ctx *ctx,
+static CURLcode curl_wssl_init_ssl(struct curl_tls_ctx *ctx,
struct Curl_easy *data,
struct ssl_peer *peer,
const char *alpn, size_t alpn_len,
@@ -486,57 +222,50 @@ static CURLcode curl_wssl_init_ssl(struct quic_tls_ctx *ctx, }
#endif /* defined(USE_WOLFSSL) */
-CURLcode Curl_vquic_tls_init(struct quic_tls_ctx *ctx,
+CURLcode Curl_vquic_tls_init(struct curl_tls_ctx *ctx,
struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer,
const char *alpn, size_t alpn_len,
- Curl_vquic_tls_ctx_setup *ctx_setup,
- void *user_data)
+ Curl_vquic_tls_ctx_setup *cb_setup,
+ void *cb_user_data, void *ssl_user_data)
{
CURLcode result;
#ifdef USE_OPENSSL
- result = curl_ossl_init_ctx(ctx, cf, data, ctx_setup);
- if(result)
- return result;
-
- result = curl_ossl_set_client_cert(ctx, cf, data);
- if(result)
- return result;
-
- return curl_ossl_init_ssl(ctx, data, peer, alpn, alpn_len, user_data);
+ (void)result;
+ return Curl_ossl_ctx_init(&ctx->ossl, cf, data, peer, TRNSPRT_QUIC,
+ (const unsigned char *)alpn, alpn_len,
+ cb_setup, cb_user_data, NULL, ssl_user_data);
#elif defined(USE_GNUTLS)
(void)result;
- return curl_gtls_init_ctx(ctx, cf, data, peer, alpn, alpn_len,
- ctx_setup, user_data);
+ return Curl_gtls_ctx_init(&ctx->gtls, cf, data, peer,
+ (const unsigned char *)alpn, alpn_len,
+ cb_setup, cb_user_data, ssl_user_data);
#elif defined(USE_WOLFSSL)
- result = curl_wssl_init_ctx(ctx, cf, data, ctx_setup);
+ result = curl_wssl_init_ctx(ctx, cf, data, cb_setup, cb_user_data);
if(result)
return result;
- return curl_wssl_init_ssl(ctx, data, peer, alpn, alpn_len, user_data);
+ return curl_wssl_init_ssl(ctx, data, peer, alpn, alpn_len, ssl_user_data);
#else
#error "no TLS lib in used, should not happen"
return CURLE_FAILED_INIT;
#endif
}
-void Curl_vquic_tls_cleanup(struct quic_tls_ctx *ctx)
+void Curl_vquic_tls_cleanup(struct curl_tls_ctx *ctx)
{
#ifdef USE_OPENSSL
- if(ctx->ssl)
- SSL_free(ctx->ssl);
- if(ctx->ssl_ctx)
- SSL_CTX_free(ctx->ssl_ctx);
+ if(ctx->ossl.ssl)
+ SSL_free(ctx->ossl.ssl);
+ if(ctx->ossl.ssl_ctx)
+ SSL_CTX_free(ctx->ossl.ssl_ctx);
#elif defined(USE_GNUTLS)
- if(ctx->gtls) {
- if(ctx->gtls->cred)
- gnutls_certificate_free_credentials(ctx->gtls->cred);
- if(ctx->gtls->session)
- gnutls_deinit(ctx->gtls->session);
- free(ctx->gtls);
- }
+ if(ctx->gtls.cred)
+ gnutls_certificate_free_credentials(ctx->gtls.cred);
+ if(ctx->gtls.session)
+ gnutls_deinit(ctx->gtls.session);
#elif defined(USE_WOLFSSL)
if(ctx->ssl)
wolfSSL_free(ctx->ssl);
@@ -546,16 +275,22 @@ void Curl_vquic_tls_cleanup(struct quic_tls_ctx *ctx) memset(ctx, 0, sizeof(*ctx));
}
-CURLcode Curl_vquic_tls_before_recv(struct quic_tls_ctx *ctx,
+CURLcode Curl_vquic_tls_before_recv(struct curl_tls_ctx *ctx,
struct Curl_cfilter *cf,
struct Curl_easy *data)
{
#ifdef USE_OPENSSL
- if(!ctx->x509_store_setup) {
- CURLcode result = Curl_ssl_setup_x509_store(cf, data, ctx->ssl_ctx);
+ if(!ctx->ossl.x509_store_setup) {
+ CURLcode result = Curl_ssl_setup_x509_store(cf, data, ctx->ossl.ssl_ctx);
+ if(result)
+ return result;
+ ctx->ossl.x509_store_setup = TRUE;
+ }
+#elif defined(USE_GNUTLS)
+ if(!ctx->gtls.trust_setup) {
+ CURLcode result = Curl_gtls_client_trust_setup(cf, data, &ctx->gtls);
if(result)
return result;
- ctx->x509_store_setup = TRUE;
}
#else
(void)ctx; (void)cf; (void)data;
@@ -563,7 +298,7 @@ CURLcode Curl_vquic_tls_before_recv(struct quic_tls_ctx *ctx, return CURLE_OK;
}
-CURLcode Curl_vquic_tls_verify_peer(struct quic_tls_ctx *ctx,
+CURLcode Curl_vquic_tls_verify_peer(struct curl_tls_ctx *ctx,
struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer)
@@ -575,39 +310,33 @@ CURLcode Curl_vquic_tls_verify_peer(struct quic_tls_ctx *ctx, if(!conn_config)
return CURLE_FAILED_INIT;
- if(conn_config->verifyhost) {
#ifdef USE_OPENSSL
- X509 *server_cert;
- server_cert = SSL_get1_peer_certificate(ctx->ssl);
- if(!server_cert) {
- return CURLE_PEER_FAILED_VERIFICATION;
- }
- result = Curl_ossl_verifyhost(data, cf->conn, peer, server_cert);
- X509_free(server_cert);
- if(result)
- return result;
+ (void)conn_config;
+ result = Curl_oss_check_peer_cert(cf, data, &ctx->ossl, peer);
#elif defined(USE_GNUTLS)
- result = Curl_gtls_verifyserver(data, ctx->gtls->session,
+ if(conn_config->verifyhost) {
+ result = Curl_gtls_verifyserver(data, ctx->gtls.session,
conn_config, &data->set.ssl, peer,
data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
if(result)
return result;
+ }
#elif defined(USE_WOLFSSL)
- if(!peer->sni ||
- wolfSSL_check_domain_name(ctx->ssl, peer->sni) == SSL_FAILURE)
- return CURLE_PEER_FAILED_VERIFICATION;
-#endif
- infof(data, "Verified certificate just fine");
+ (void)data;
+ if(conn_config->verifyhost) {
+ if(peer->sni) {
+ WOLFSSL_X509* cert = wolfSSL_get_peer_certificate(ctx->ssl);
+ if(wolfSSL_X509_check_host(cert, peer->sni, strlen(peer->sni), 0, NULL)
+ == WOLFSSL_FAILURE) {
+ result = CURLE_PEER_FAILED_VERIFICATION;
+ }
+ wolfSSL_X509_free(cert);
+ }
+
}
- else
- infof(data, "Skipped certificate verification");
-#ifdef USE_OPENSSL
- if(data->set.ssl.certinfo)
- /* asked to gather certificate info */
- (void)Curl_ossl_certchain(data, ctx->ssl);
#endif
return result;
}
-#endif /* !ENABLE_QUIC && (USE_OPENSSL || USE_GNUTLS || USE_WOLFSSL) */
+#endif /* !USE_HTTP3 && (USE_OPENSSL || USE_GNUTLS || USE_WOLFSSL) */
|