authordartraiden <wowemuh@gmail.com>2025-06-04 09:49:23 +0300
committerdartraiden <wowemuh@gmail.com>2025-06-04 10:27:11 +0300
commit86d1a677fd310d7d90d6f7545c02a4bd68e1d955 (patch)
tree7fd5f46ef18038d10dcdf9fa19ffee547d51d6ad /libs/libcurl/src/vtls
parente8e2a816fbbcec0d6a64496928fecff19c281d82 (diff)
libcurl: update to 8.14.0
Diffstat (limited to 'libs/libcurl/src/vtls')
-rw-r--r--libs/libcurl/src/vtls/bearssl.c20
-rw-r--r--libs/libcurl/src/vtls/bearssl.h2
-rw-r--r--libs/libcurl/src/vtls/cipher_suite.c6
-rw-r--r--libs/libcurl/src/vtls/cipher_suite.h2
-rw-r--r--libs/libcurl/src/vtls/gtls.c56
-rw-r--r--libs/libcurl/src/vtls/gtls.h4
-rw-r--r--libs/libcurl/src/vtls/hostcheck.c13
-rw-r--r--libs/libcurl/src/vtls/keylog.c22
-rw-r--r--libs/libcurl/src/vtls/keylog.h2
-rw-r--r--libs/libcurl/src/vtls/mbedtls.c46
-rw-r--r--libs/libcurl/src/vtls/mbedtls.h2
-rw-r--r--libs/libcurl/src/vtls/mbedtls_threadlock.c8
-rw-r--r--libs/libcurl/src/vtls/mbedtls_threadlock.h2
-rw-r--r--libs/libcurl/src/vtls/openssl.c917
-rw-r--r--libs/libcurl/src/vtls/openssl.h4
-rw-r--r--libs/libcurl/src/vtls/rustls.c53
-rw-r--r--libs/libcurl/src/vtls/rustls.h2
-rw-r--r--libs/libcurl/src/vtls/schannel.c57
-rw-r--r--libs/libcurl/src/vtls/schannel.h8
-rw-r--r--libs/libcurl/src/vtls/schannel_int.h14
-rw-r--r--libs/libcurl/src/vtls/schannel_verify.c41
-rw-r--r--libs/libcurl/src/vtls/sectransp.c58
-rw-r--r--libs/libcurl/src/vtls/sectransp.h2
-rw-r--r--libs/libcurl/src/vtls/vtls.c100
-rw-r--r--libs/libcurl/src/vtls/vtls.h5
-rw-r--r--libs/libcurl/src/vtls/vtls_int.h6
-rw-r--r--libs/libcurl/src/vtls/vtls_scache.c112
-rw-r--r--libs/libcurl/src/vtls/vtls_scache.h6
-rw-r--r--libs/libcurl/src/vtls/vtls_spack.c24
-rw-r--r--libs/libcurl/src/vtls/vtls_spack.h2
-rw-r--r--libs/libcurl/src/vtls/wolfssl.c90
-rw-r--r--libs/libcurl/src/vtls/wolfssl.h13
-rw-r--r--libs/libcurl/src/vtls/x509asn1.c140
-rw-r--r--libs/libcurl/src/vtls/x509asn1.h8
34 files changed, 1023 insertions, 824 deletions
diff --git a/libs/libcurl/src/vtls/bearssl.c b/libs/libcurl/src/vtls/bearssl.c
index bf3f77e8be..4df187dc50 100644
--- a/libs/libcurl/src/vtls/bearssl.c
+++ b/libs/libcurl/src/vtls/bearssl.c
@@ -21,7 +21,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_BEARSSL
@@ -29,20 +29,20 @@
#include "bearssl.h"
#include "cipher_suite.h"
-#include "urldata.h"
-#include "sendf.h"
-#include "inet_pton.h"
+#include "../urldata.h"
+#include "../sendf.h"
+#include "../curlx/inet_pton.h"
#include "vtls.h"
#include "vtls_int.h"
#include "vtls_scache.h"
-#include "connect.h"
-#include "select.h"
-#include "multiif.h"
-#include "curl_printf.h"
+#include "../connect.h"
+#include "../select.h"
+#include "../multiif.h"
+#include "../curl_printf.h"
/* The last #include files should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
struct x509_context {
const br_x509_class *vtable;
diff --git a/libs/libcurl/src/vtls/bearssl.h b/libs/libcurl/src/vtls/bearssl.h
index 76857f9419..aca1a7bd6a 100644
--- a/libs/libcurl/src/vtls/bearssl.h
+++ b/libs/libcurl/src/vtls/bearssl.h
@@ -24,7 +24,7 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_BEARSSL
diff --git a/libs/libcurl/src/vtls/cipher_suite.c b/libs/libcurl/src/vtls/cipher_suite.c
index 202a1452b0..68bf3b6305 100644
--- a/libs/libcurl/src/vtls/cipher_suite.c
+++ b/libs/libcurl/src/vtls/cipher_suite.c
@@ -21,13 +21,13 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS)
#include "cipher_suite.h"
-#include "curl_printf.h"
-#include "strcase.h"
+#include "../curl_printf.h"
+#include "../strcase.h"
#include <string.h>
/*
diff --git a/libs/libcurl/src/vtls/cipher_suite.h b/libs/libcurl/src/vtls/cipher_suite.h
index 8f3381d1b9..f25de29b52 100644
--- a/libs/libcurl/src/vtls/cipher_suite.h
+++ b/libs/libcurl/src/vtls/cipher_suite.h
@@ -24,7 +24,7 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#if defined(USE_SECTRANSP) || defined(USE_MBEDTLS) || \
defined(USE_BEARSSL) || defined(USE_RUSTLS)
diff --git a/libs/libcurl/src/vtls/gtls.c b/libs/libcurl/src/vtls/gtls.c
index 09b4e22352..1bd7793111 100644
--- a/libs/libcurl/src/vtls/gtls.c
+++ b/libs/libcurl/src/vtls/gtls.c
@@ -30,7 +30,7 @@
* since they were not present in 1.0.X.
*/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_GNUTLS
@@ -40,28 +40,28 @@
#include <gnutls/crypto.h>
#include <nettle/sha2.h>
-#include "urldata.h"
-#include "sendf.h"
-#include "inet_pton.h"
+#include "../urldata.h"
+#include "../sendf.h"
+#include "../curlx/inet_pton.h"
#include "keylog.h"
#include "gtls.h"
#include "vtls.h"
#include "vtls_int.h"
#include "vtls_scache.h"
-#include "vauth/vauth.h"
-#include "parsedate.h"
-#include "connect.h" /* for the connect timeout */
-#include "progress.h"
-#include "select.h"
-#include "strcase.h"
-#include "strdup.h"
-#include "warnless.h"
+#include "../vauth/vauth.h"
+#include "../parsedate.h"
+#include "../connect.h" /* for the connect timeout */
+#include "../progress.h"
+#include "../select.h"
+#include "../strcase.h"
+#include "../strdup.h"
+#include "../curlx/warnless.h"
#include "x509asn1.h"
-#include "multiif.h"
-#include "curl_printf.h"
-#include "curl_memory.h"
+#include "../multiif.h"
+#include "../curl_printf.h"
+#include "../curl_memory.h"
/* The last #include file should be: */
-#include "memdebug.h"
+#include "../memdebug.h"
/* Enable GnuTLS debugging by defining GTLSDEBUG */
/*#define GTLSDEBUG */
@@ -426,7 +426,7 @@ CURLcode Curl_gtls_shared_creds_create(struct Curl_easy *data,
}
shared->refcount = 1;
- shared->time = Curl_now();
+ shared->time = curlx_now();
*pcreds = shared;
return CURLE_OK;
}
@@ -540,8 +540,8 @@ static bool gtls_shared_creds_expired(const struct Curl_easy *data,
const struct gtls_shared_creds *sc)
{
const struct ssl_general_config *cfg = &data->set.general_ssl;
- struct curltime now = Curl_now();
- timediff_t elapsed_ms = Curl_timediff(now, sc->time);
+ struct curltime now = curlx_now();
+ timediff_t elapsed_ms = curlx_timediff(now, sc->time);
timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
if(timeout_ms < 0)
@@ -794,18 +794,18 @@ static CURLcode gtls_set_priority(struct Curl_cfilter *cf,
CURLcode result = CURLE_OK;
int rc;
- Curl_dyn_init(&buf, 4096);
+ curlx_dyn_init(&buf, 4096);
#ifdef USE_GNUTLS_SRP
if(conn_config->username) {
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
- result = Curl_dyn_add(&buf, priority);
+ result = curlx_dyn_add(&buf, priority);
if(!result)
- result = Curl_dyn_add(&buf, ":" GNUTLS_SRP);
+ result = curlx_dyn_add(&buf, ":" GNUTLS_SRP);
if(result)
goto out;
- priority = Curl_dyn_ptr(&buf);
+ priority = curlx_dyn_ptr(&buf);
}
#endif
@@ -814,15 +814,15 @@ static CURLcode gtls_set_priority(struct Curl_cfilter *cf,
(conn_config->cipher_list[0] == '-') ||
(conn_config->cipher_list[0] == '!')) {
/* add it to out own */
- if(!Curl_dyn_len(&buf)) { /* not added yet */
- result = Curl_dyn_add(&buf, priority);
+ if(!curlx_dyn_len(&buf)) { /* not added yet */
+ result = curlx_dyn_add(&buf, priority);
if(result)
goto out;
}
- result = Curl_dyn_addf(&buf, ":%s", conn_config->cipher_list);
+ result = curlx_dyn_addf(&buf, ":%s", conn_config->cipher_list);
if(result)
goto out;
- priority = Curl_dyn_ptr(&buf);
+ priority = curlx_dyn_ptr(&buf);
}
else /* replace our own completely */
priority = conn_config->cipher_list;
@@ -836,7 +836,7 @@ static CURLcode gtls_set_priority(struct Curl_cfilter *cf,
}
out:
- Curl_dyn_free(&buf);
+ curlx_dyn_free(&buf);
return result;
}
diff --git a/libs/libcurl/src/vtls/gtls.h b/libs/libcurl/src/vtls/gtls.h
index da1f57f8c8..dc8de777af 100644
--- a/libs/libcurl/src/vtls/gtls.h
+++ b/libs/libcurl/src/vtls/gtls.h
@@ -24,13 +24,13 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#include <curl/curl.h>
#ifdef USE_GNUTLS
#include <gnutls/gnutls.h>
-#include "timeval.h"
+#include "../curlx/timeval.h"
#ifdef HAVE_GNUTLS_SRP
/* the function exists */
diff --git a/libs/libcurl/src/vtls/hostcheck.c b/libs/libcurl/src/vtls/hostcheck.c
index 79ed869e87..482725cb87 100644
--- a/libs/libcurl/src/vtls/hostcheck.c
+++ b/libs/libcurl/src/vtls/hostcheck.c
@@ -22,7 +22,7 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#if defined(USE_OPENSSL) \
|| defined(USE_SCHANNEL)
@@ -34,15 +34,14 @@
#ifdef HAVE_NETINET_IN6_H
#include <netinet/in6.h>
#endif
-#include "curl_memrchr.h"
-
+#include "../curl_memrchr.h"
#include "hostcheck.h"
-#include "strcase.h"
-#include "hostip.h"
+#include "../strcase.h"
+#include "../hostip.h"
-#include "curl_memory.h"
+#include "../curl_memory.h"
/* The last #include file should be: */
-#include "memdebug.h"
+#include "../memdebug.h"
/* check the two input strings with given length, but do not
assume they end in nul-bytes */
diff --git a/libs/libcurl/src/vtls/keylog.c b/libs/libcurl/src/vtls/keylog.c
index c922879d05..77321c9f76 100644
--- a/libs/libcurl/src/vtls/keylog.c
+++ b/libs/libcurl/src/vtls/keylog.c
@@ -21,7 +21,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#if defined(USE_OPENSSL) || \
defined(USE_GNUTLS) || \
@@ -32,10 +32,11 @@
#include "keylog.h"
#include <curl/curl.h>
+#include "../escape.h"
/* The last #include files should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
/* The fp for the open SSLKEYLOGFILE, or NULL if not open */
static FILE *keylog_file_fp;
@@ -114,10 +115,9 @@ Curl_tls_keylog_write(const char *label,
const unsigned char client_random[CLIENT_RANDOM_SIZE],
const unsigned char *secret, size_t secretlen)
{
- const char *hex = "0123456789ABCDEF";
size_t pos, i;
- char line[KEYLOG_LABEL_MAXLEN + 1 + 2 * CLIENT_RANDOM_SIZE + 1 +
- 2 * SECRET_MAXLEN + 1 + 1];
+ unsigned char line[KEYLOG_LABEL_MAXLEN + 1 + 2 * CLIENT_RANDOM_SIZE + 1 +
+ 2 * SECRET_MAXLEN + 1 + 1];
if(!keylog_file_fp) {
return FALSE;
@@ -134,22 +134,22 @@ Curl_tls_keylog_write(const char *label,
/* Client Random */
for(i = 0; i < CLIENT_RANDOM_SIZE; i++) {
- line[pos++] = hex[client_random[i] >> 4];
- line[pos++] = hex[client_random[i] & 0xF];
+ Curl_hexbyte(&line[pos], client_random[i], FALSE);
+ pos += 2;
}
line[pos++] = ' ';
/* Secret */
for(i = 0; i < secretlen; i++) {
- line[pos++] = hex[secret[i] >> 4];
- line[pos++] = hex[secret[i] & 0xF];
+ Curl_hexbyte(&line[pos], secret[i], FALSE);
+ pos += 2;
}
line[pos++] = '\n';
line[pos] = '\0';
/* Using fputs here instead of fprintf since libcurl's fprintf replacement
may not be thread-safe. */
- fputs(line, keylog_file_fp);
+ fputs((char *)line, keylog_file_fp);
return TRUE;
}
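Review bot: The return value of `fputs((char *)line, keylog_file_fp);` is still ignored, so Curl_tls_keylog_write reports TRUE even when nothing reached the key log file. Checking it, `if(fputs((char *)line, keylog_file_fp) == EOF) return FALSE;`, would let callers see a failed write. The stack buffer `line` also holds the hex-encoded TLS secret after the write and is simply left behind on return; clearing it before returning, with whatever non-elidable clearing helper the project uses, would shorten the secret's lifetime. The function's prologue, including any bound check on `secretlen` against SECRET_MAXLEN, is outside this hunk, so I cannot confirm that the `2 * SECRET_MAXLEN` sizing is enforced here.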
diff --git a/libs/libcurl/src/vtls/keylog.h b/libs/libcurl/src/vtls/keylog.h
index 41e901db73..5b2df7fe8f 100644
--- a/libs/libcurl/src/vtls/keylog.h
+++ b/libs/libcurl/src/vtls/keylog.h
@@ -23,7 +23,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#define KEYLOG_LABEL_MAXLEN (sizeof("CLIENT_HANDSHAKE_TRAFFIC_SECRET") - 1)
diff --git a/libs/libcurl/src/vtls/mbedtls.c b/libs/libcurl/src/vtls/mbedtls.c
index 851802f147..0404c83407 100644
--- a/libs/libcurl/src/vtls/mbedtls.c
+++ b/libs/libcurl/src/vtls/mbedtls.c
@@ -29,7 +29,7 @@
*
*/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_MBEDTLS
@@ -57,26 +57,26 @@
#endif /* MBEDTLS_VERSION_MAJOR >= 2 */
#include "cipher_suite.h"
-#include "strcase.h"
-#include "urldata.h"
-#include "sendf.h"
-#include "inet_pton.h"
+#include "../strcase.h"
+#include "../urldata.h"
+#include "../sendf.h"
+#include "../curlx/inet_pton.h"
#include "mbedtls.h"
#include "vtls.h"
#include "vtls_int.h"
#include "vtls_scache.h"
#include "x509asn1.h"
-#include "parsedate.h"
-#include "connect.h" /* for the connect timeout */
-#include "select.h"
-#include "multiif.h"
+#include "../parsedate.h"
+#include "../connect.h" /* for the connect timeout */
+#include "../select.h"
+#include "../multiif.h"
#include "mbedtls_threadlock.h"
-#include "strdup.h"
+#include "../strdup.h"
/* The last 3 #include files should be in this order */
-#include "curl_printf.h"
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_printf.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
/* ALPN for http2 */
#if defined(USE_HTTP2) && defined(MBEDTLS_SSL_ALPN)
@@ -273,7 +273,13 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
#else
/* mbedTLS 3.2.0 (2022) introduced new methods for setting TLS version */
mbedtls_ssl_protocol_version ver_min = MBEDTLS_SSL_VERSION_TLS1_2;
- mbedtls_ssl_protocol_version ver_max = MBEDTLS_SSL_VERSION_TLS1_2;
+ mbedtls_ssl_protocol_version ver_max =
+#ifdef HAS_TLS13_SUPPORT
+ MBEDTLS_SSL_VERSION_TLS1_3
+#else
+ MBEDTLS_SSL_VERSION_TLS1_2
+#endif
+ ;
#endif
switch(conn_config->version) {
@@ -292,7 +298,11 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
case CURL_SSLVERSION_TLSv1_1:
#endif
case CURL_SSLVERSION_TLSv1_2:
- /* ver_min = MBEDTLS_SSL_VERSION_TLS1_2; */
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+ ver_min = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+#else
+ ver_min = MBEDTLS_SSL_VERSION_TLS1_2;
+#endif
break;
case CURL_SSLVERSION_TLSv1_3:
#ifdef HAS_TLS13_SUPPORT
@@ -314,7 +324,11 @@ mbed_set_ssl_version_min_max(struct Curl_easy *data,
break;
#endif
case CURL_SSLVERSION_MAX_TLSv1_2:
- /* ver_max = MBEDTLS_SSL_VERSION_TLS1_2; */
+#if MBEDTLS_VERSION_NUMBER < 0x03020000
+ ver_max = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
+#else
+ ver_max = MBEDTLS_SSL_VERSION_TLS1_2;
+#endif
break;
#if MBEDTLS_VERSION_NUMBER < 0x03000000
case CURL_SSLVERSION_MAX_TLSv1_1:
diff --git a/libs/libcurl/src/vtls/mbedtls.h b/libs/libcurl/src/vtls/mbedtls.h
index 91ede31e02..33ba492336 100644
--- a/libs/libcurl/src/vtls/mbedtls.h
+++ b/libs/libcurl/src/vtls/mbedtls.h
@@ -24,7 +24,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_MBEDTLS
diff --git a/libs/libcurl/src/vtls/mbedtls_threadlock.c b/libs/libcurl/src/vtls/mbedtls_threadlock.c
index d6d20328a7..ed8531f9f1 100644
--- a/libs/libcurl/src/vtls/mbedtls_threadlock.c
+++ b/libs/libcurl/src/vtls/mbedtls_threadlock.c
@@ -22,7 +22,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#if defined(USE_MBEDTLS) && \
((defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)) || \
@@ -36,10 +36,10 @@
#endif
#include "mbedtls_threadlock.h"
-#include "curl_printf.h"
-#include "curl_memory.h"
+#include "../curl_printf.h"
+#include "../curl_memory.h"
/* The last #include file should be: */
-#include "memdebug.h"
+#include "../memdebug.h"
/* number of thread locks */
#define NUMT 2
diff --git a/libs/libcurl/src/vtls/mbedtls_threadlock.h b/libs/libcurl/src/vtls/mbedtls_threadlock.h
index ae651c3866..e99b051cc0 100644
--- a/libs/libcurl/src/vtls/mbedtls_threadlock.h
+++ b/libs/libcurl/src/vtls/mbedtls_threadlock.h
@@ -24,7 +24,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_MBEDTLS
diff --git a/libs/libcurl/src/vtls/openssl.c b/libs/libcurl/src/vtls/openssl.c
index 6044d4d073..b5ae754a96 100644
--- a/libs/libcurl/src/vtls/openssl.c
+++ b/libs/libcurl/src/vtls/openssl.c
@@ -27,7 +27,7 @@
* but vtls.c should ever call or use these functions.
*/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#if defined(USE_QUICHE) || defined(USE_OPENSSL)
@@ -45,26 +45,27 @@
#undef OCSP_RESPONSE
#endif
-#include "urldata.h"
-#include "sendf.h"
-#include "formdata.h" /* for the boundary function */
-#include "url.h" /* for the ssl config check function */
-#include "inet_pton.h"
+#include "../urldata.h"
+#include "../sendf.h"
+#include "../formdata.h" /* for the boundary function */
+#include "../url.h" /* for the ssl config check function */
+#include "../curlx/inet_pton.h"
#include "openssl.h"
-#include "connect.h"
-#include "slist.h"
-#include "select.h"
+#include "../connect.h"
+#include "../slist.h"
+#include "../select.h"
#include "vtls.h"
#include "vtls_int.h"
#include "vtls_scache.h"
-#include "vauth/vauth.h"
+#include "../vauth/vauth.h"
#include "keylog.h"
-#include "strcase.h"
+#include "../strcase.h"
#include "hostcheck.h"
-#include "multiif.h"
-#include "strdup.h"
-#include "strerror.h"
-#include "curl_printf.h"
+#include "../multiif.h"
+#include "../curlx/strparse.h"
+#include "../strdup.h"
+#include "../strerror.h"
+#include "../curl_printf.h"
#include <openssl/ssl.h>
#include <openssl/rand.h>
@@ -117,13 +118,15 @@
#include <openssl/store.h>
/* this is used in the following conditions to make them easier to read */
#define OPENSSL_HAS_PROVIDERS
+
+static void ossl_provider_cleanup(struct Curl_easy *data);
#endif
-#include "warnless.h"
+#include "../curlx/warnless.h"
/* The last #include files should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
/* Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS
renegotiations when built with BoringSSL. Renegotiating is non-compliant
@@ -194,13 +197,24 @@
#endif
#endif
+/* Whether SSL_CTX_set1_sigalgs_list is available
+ * OpenSSL: supported since 1.0.2 (commit 0b362de5f575)
+ * BoringSSL: supported since 0.20240913.0 (commit 826ce15)
+ * LibreSSL: no
+ */
+#if (OPENSSL_VERSION_NUMBER >= 0x10002000L && \
+ !defined(LIBRESSL_VERSION_NUMBER))
+ #define HAVE_SSL_CTX_SET1_SIGALGS
+#endif
+
#ifdef LIBRESSL_VERSION_NUMBER
#define OSSL_PACKAGE "LibreSSL"
#elif defined(OPENSSL_IS_BORINGSSL)
#define OSSL_PACKAGE "BoringSSL"
#elif defined(OPENSSL_IS_AWSLC)
#define OSSL_PACKAGE "AWS-LC"
-#elif (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || defined(USE_MSH3)
+#elif (defined(USE_NGTCP2) && defined(USE_NGHTTP3) && \
+ !defined(OPENSSL_QUIC_API2)) || defined(USE_MSH3)
#define OSSL_PACKAGE "quictls"
#else
#define OSSL_PACKAGE "OpenSSL"
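Review bot: The new `HAVE_SSL_CTX_SET1_SIGALGS` guard only excludes LibreSSL, yet the comment right above it says BoringSSL gained SSL_CTX_set1_sigalgs_list only in 0.20240913.0; an older BoringSSL would still define the macro and then fail wherever the function is used. If the comment is accurate, the condition should also test the BoringSSL API version (or the comment should state that older BoringSSL is unsupported). The use site of the macro is not in this hunk, so whether it is guarded elsewhere cannot be confirmed from here.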
@@ -978,13 +992,13 @@ static CURLcode ossl_seed(struct Curl_easy *data)
size_t len = sizeof(randb);
size_t i, i_max;
for(i = 0, i_max = len / sizeof(struct curltime); i < i_max; ++i) {
- struct curltime tv = Curl_now();
+ struct curltime tv = curlx_now();
Curl_wait_ms(1);
tv.tv_sec *= (time_t)i + 1;
tv.tv_usec *= (int)i + 2;
- tv.tv_sec ^= ((Curl_now().tv_sec + (time_t)Curl_now().tv_usec) *
+ tv.tv_sec ^= ((curlx_now().tv_sec + (time_t)curlx_now().tv_usec) *
(time_t)(i + 3)) << 8;
- tv.tv_usec ^= (int) ((Curl_now().tv_sec + (time_t)Curl_now().tv_usec) *
+ tv.tv_usec ^= (int) ((curlx_now().tv_sec + (time_t)curlx_now().tv_usec) *
(time_t)(i + 4)) << 16;
memcpy(&randb[i * sizeof(struct curltime)], &tv,
sizeof(struct curltime));
@@ -1099,7 +1113,7 @@ static bool is_pkcs11_uri(const char *string)
#endif
static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine);
-#if !defined(USE_OPENSSL_ENGINE) && defined(OPENSSL_HAS_PROVIDERS)
+#if defined(OPENSSL_HAS_PROVIDERS)
static CURLcode ossl_set_provider(struct Curl_easy *data,
const char *provider);
#endif
@@ -1352,7 +1366,8 @@ int cert_stuff(struct Curl_easy *data,
}
}
break;
-#elif defined(OPENSSL_HAS_PROVIDERS)
+#endif
+#if defined(OPENSSL_HAS_PROVIDERS)
/* fall through to compatible provider */
case SSL_FILETYPE_PROVIDER:
{
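Review bot: The comment `/* fall through to compatible provider */` now sits directly after `break;` and the `#endif`/`#if defined(OPENSSL_HAS_PROVIDERS)` split, so nothing falls through into `case SSL_FILETYPE_PROVIDER:` and the comment misdescribes the control flow. It was already inaccurate before the restructuring, but the new layout makes it read as if the engine case deliberately continues into the provider case. Replace it with something like `/* provider-based loading, independent of engine support */`, here and in the identical private-key hunk starting at the `#elif defined(OPENSSL_HAS_PROVIDERS)` removal further down. The enclosing switch in cert_stuff starts and ends outside this hunk.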
@@ -1368,10 +1383,11 @@ int cert_stuff(struct Curl_easy *data,
if(data->state.provider) {
/* Load the certificate from the provider */
- OSSL_STORE_CTX *store = NULL;
OSSL_STORE_INFO *info = NULL;
X509 *cert = NULL;
- store = OSSL_STORE_open(cert_file, NULL, NULL, NULL, NULL);
+ OSSL_STORE_CTX *store =
+ OSSL_STORE_open_ex(cert_file, data->state.libctx,
+ NULL, NULL, NULL, NULL, NULL, NULL);
if(!store) {
failf(data, "Failed to open OpenSSL store: %s",
ossl_strerror(ERR_get_error(), error_buffer,
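Review bot: `OSSL_STORE_open_ex(cert_file, data->state.libctx, NULL, ...)` passes NULL as the property query for the certificate, while the private-key path in this same commit passes `data->state.propq`. If the property string is what steers lookup to the configured provider, the certificate could be resolved by a different provider than the key, which is the kind of mismatch that only shows up as a handshake failure. Unless there is a reason the certificate must ignore the property, pass `data->state.propq` here as well. The surrounding `case SSL_FILETYPE_PROVIDER:` block continues outside this hunk.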
@@ -1384,22 +1400,13 @@ int cert_stuff(struct Curl_easy *data,
sizeof(error_buffer)));
}
- for(info = OSSL_STORE_load(store);
- info != NULL;
- info = OSSL_STORE_load(store)) {
+ info = OSSL_STORE_load(store);
+ if(info) {
int ossl_type = OSSL_STORE_INFO_get_type(info);
- if(ossl_type == OSSL_STORE_INFO_CERT) {
+ if(ossl_type == OSSL_STORE_INFO_CERT)
cert = OSSL_STORE_INFO_get1_CERT(info);
- }
- else {
- failf(data, "Ignoring object not matching our type: %d",
- ossl_type);
- OSSL_STORE_INFO_free(info);
- continue;
- }
OSSL_STORE_INFO_free(info);
- break;
}
OSSL_STORE_close(store);
if(!cert) {
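Review bot: The replacement of the load loop with `info = OSSL_STORE_load(store); if(info) {` reads only the first object in the store and, when its type is not OSSL_STORE_INFO_CERT, frees it without any diagnostic, whereas the removed code reported the mismatched type and kept looking. Assuming a provider store can yield a key or other object before the certificate, `cert` then stays NULL and the user only sees the generic failure below with no hint why. Keeping a message on the mismatch, `else failf(data, "Ignoring object not matching our type: %d", ossl_type);`, would preserve the old diagnosability even if only the first object is consulted. The same change is made in the private-key hunk below (the one replacing the loop around OSSL_STORE_INFO_PKEY), which has the same issue.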
@@ -1423,9 +1430,6 @@ int cert_stuff(struct Curl_easy *data,
}
}
break;
-#else
- failf(data, "file type ENG nor PROV for certificate not implemented");
- return 0;
#endif
case SSL_FILETYPE_PKCS12:
@@ -1615,7 +1619,8 @@ fail:
}
}
break;
-#elif defined(OPENSSL_HAS_PROVIDERS)
+#endif
+#if defined(OPENSSL_HAS_PROVIDERS)
/* fall through to compatible provider */
case SSL_FILETYPE_PROVIDER:
{
@@ -1646,7 +1651,9 @@ fail:
UI_method_set_reader(ui_method, ssl_ui_reader);
UI_method_set_writer(ui_method, ssl_ui_writer);
- store = OSSL_STORE_open(key_file, ui_method, NULL, NULL, NULL);
+ store = OSSL_STORE_open_ex(key_file, data->state.libctx,
+ data->state.propq, ui_method, NULL, NULL,
+ NULL, NULL);
if(!store) {
failf(data, "Failed to open OpenSSL store: %s",
ossl_strerror(ERR_get_error(), error_buffer,
@@ -1659,22 +1666,13 @@ fail:
sizeof(error_buffer)));
}
- for(info = OSSL_STORE_load(store);
- info != NULL;
- info = OSSL_STORE_load(store)) {
+ info = OSSL_STORE_load(store);
+ if(info) {
int ossl_type = OSSL_STORE_INFO_get_type(info);
- if(ossl_type == OSSL_STORE_INFO_PKEY) {
+ if(ossl_type == OSSL_STORE_INFO_PKEY)
priv_key = OSSL_STORE_INFO_get1_PKEY(info);
- }
- else {
- failf(data, "Ignoring object not matching our type: %d",
- ossl_type);
- OSSL_STORE_INFO_free(info);
- continue;
- }
OSSL_STORE_INFO_free(info);
- break;
}
OSSL_STORE_close(store);
UI_destroy_method(ui_method);
@@ -1700,9 +1698,6 @@ fail:
}
}
break;
-#else
- failf(data, "file type ENG nor PROV for private key not implemented");
- return 0;
#endif
case SSL_FILETYPE_PKCS12:
@@ -1779,11 +1774,11 @@ static CURLcode x509_name_oneline(X509_NAME *a, struct dynbuf *d)
CURLcode result = CURLE_OUT_OF_MEMORY;
if(bio_out) {
- Curl_dyn_reset(d);
+ curlx_dyn_reset(d);
rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
if(rc != -1) {
BIO_get_mem_ptr(bio_out, &biomem);
- result = Curl_dyn_addn(d, biomem->data, biomem->length);
+ result = curlx_dyn_addn(d, biomem->data, biomem->length);
BIO_free(bio_out);
}
}
@@ -1877,36 +1872,39 @@ static void ossl_cleanup(void)
Curl_tls_keylog_close();
}
-/* Selects an OpenSSL crypto engine
+/* Selects an OpenSSL crypto engine or provider.
*/
-static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
+static CURLcode ossl_set_engine(struct Curl_easy *data, const char *name)
{
#ifdef USE_OPENSSL_ENGINE
- ENGINE *e = ENGINE_by_id(engine);
+ CURLcode result = CURLE_SSL_ENGINE_NOTFOUND;
+ ENGINE *e = ENGINE_by_id(name);
- if(!e) {
- failf(data, "SSL Engine '%s' not found", engine);
- return CURLE_SSL_ENGINE_NOTFOUND;
- }
+ if(e) {
- if(data->state.engine) {
- ENGINE_finish(data->state.engine);
- ENGINE_free(data->state.engine);
- data->state.engine = NULL;
- }
- if(!ENGINE_init(e)) {
- char buf[256];
-
- ENGINE_free(e);
- failf(data, "Failed to initialise SSL Engine '%s': %s",
- engine, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
- return CURLE_SSL_ENGINE_INITFAILED;
+ if(data->state.engine) {
+ ENGINE_finish(data->state.engine);
+ ENGINE_free(data->state.engine);
+ data->state.engine = NULL;
+ }
+ if(!ENGINE_init(e)) {
+ char buf[256];
+
+ ENGINE_free(e);
+ failf(data, "Failed to initialise SSL Engine '%s': %s",
+ name, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
+ result = CURLE_SSL_ENGINE_INITFAILED;
+ e = NULL;
+ }
+ data->state.engine = e;
+ return result;
}
- data->state.engine = e;
- return CURLE_OK;
+#endif
+#ifdef OPENSSL_HAS_PROVIDERS
+ return ossl_set_provider(data, name);
#else
- (void)engine;
- failf(data, "SSL Engine not supported");
+ (void)name;
+ failf(data, "OpenSSL engine not found");
return CURLE_SSL_ENGINE_NOTFOUND;
#endif
}
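Review bot: On the successful engine path `result` is never set to CURLE_OK: it is initialised to CURLE_SSL_ENGINE_NOTFOUND, only reassigned when `ENGINE_init(e)` fails, and then returned after `data->state.engine = e;`, so a correctly loaded engine is reported as not found. Add `else result = CURLE_OK;` after the `if(!ENGINE_init(e))` block (or initialise `result` to CURLE_OK inside the `if(e)` branch). Separately, when engine lookup fails and providers are compiled in, the name is now retried as a provider with no message that engine lookup failed; an `infof` before the `ossl_set_provider` fallback would make a misspelled engine name easier to diagnose.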
@@ -1955,33 +1953,97 @@ static struct curl_slist *ossl_engines_list(struct Curl_easy *data)
return list;
}
-#if !defined(USE_OPENSSL_ENGINE) && defined(OPENSSL_HAS_PROVIDERS)
-/* Selects an OpenSSL crypto provider
+#if defined(OPENSSL_HAS_PROVIDERS)
+
+static void ossl_provider_cleanup(struct Curl_easy *data)
+{
+ if(data->state.baseprov) {
+ OSSL_PROVIDER_unload(data->state.baseprov);
+ data->state.baseprov = NULL;
+ }
+ if(data->state.provider) {
+ OSSL_PROVIDER_unload(data->state.provider);
+ data->state.provider = NULL;
+ }
+ OSSL_LIB_CTX_free(data->state.libctx);
+ data->state.libctx = NULL;
+ Curl_safefree(data->state.propq);
+ data->state.provider_loaded = FALSE;
+}
+
+#define MAX_PROVIDER_LEN 128 /* reasonable */
+
+/* Selects an OpenSSL crypto provider.
+ *
+ * A provider might need an associated property, a string passed on to
+ * OpenSSL. Specify this as [PROVIDER][:PROPERTY]: separate the name and the
+ * property with a colon. No colon means no property is set.
+ *
+ * An example provider + property looks like "tpm2:?provider=tpm2".
*/
-static CURLcode ossl_set_provider(struct Curl_easy *data, const char *provider)
+static CURLcode ossl_set_provider(struct Curl_easy *data, const char *iname)
{
- OSSL_PROVIDER *pkcs11_provider = NULL;
- char error_buffer[256];
+ char name[MAX_PROVIDER_LEN + 1];
+ struct Curl_str prov;
+ const char *propq = NULL;
- if(OSSL_PROVIDER_available(NULL, provider)) {
- /* already loaded through the configuration - no action needed */
- data->state.provider = TRUE;
+ if(!iname) {
+ /* clear and cleanup provider use */
+ ossl_provider_cleanup(data);
return CURLE_OK;
}
- if(data->state.provider_failed) {
- return CURLE_SSL_ENGINE_NOTFOUND;
+ if(curlx_str_until(&iname, &prov, MAX_PROVIDER_LEN, ':'))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+
+ if(!curlx_str_single(&iname, ':'))
+ /* there was a colon, get the propq until the end of string */
+ propq = iname;
+
+ /* we need the name in a buffer, null-terminated */
+ memcpy(name, curlx_str(&prov), curlx_strlen(&prov));
+ name[curlx_strlen(&prov)] = 0;
+
+ if(!data->state.libctx) {
+ OSSL_LIB_CTX *libctx = OSSL_LIB_CTX_new();
+ if(!libctx)
+ return CURLE_OUT_OF_MEMORY;
+ if(propq) {
+ data->state.propq = strdup(propq);
+ if(!data->state.propq) {
+ OSSL_LIB_CTX_free(libctx);
+ return CURLE_OUT_OF_MEMORY;
+ }
+ }
+ data->state.libctx = libctx;
}
- pkcs11_provider = OSSL_PROVIDER_try_load(NULL, provider, 1);
- if(!pkcs11_provider) {
+ if(OSSL_PROVIDER_available(data->state.libctx, name)) {
+ /* already loaded through the configuration - no action needed */
+ data->state.provider_loaded = TRUE;
+ return CURLE_OK;
+ }
+
+ data->state.provider =
+ OSSL_PROVIDER_try_load(data->state.libctx, name, 1);
+ if(!data->state.provider) {
+ char error_buffer[256];
failf(data, "Failed to initialize provider: %s",
ossl_strerror(ERR_get_error(), error_buffer,
sizeof(error_buffer)));
- /* Do not attempt to load it again */
- data->state.provider_failed = TRUE;
+ ossl_provider_cleanup(data);
+ return CURLE_SSL_ENGINE_NOTFOUND;
+ }
+
+ /* load the base provider as well */
+ data->state.baseprov =
+ OSSL_PROVIDER_try_load(data->state.libctx, "base", 1);
+ if(!data->state.baseprov) {
+ ossl_provider_cleanup(data);
+ failf(data, "Failed to load base");
return CURLE_SSL_ENGINE_NOTFOUND;
}
- data->state.provider = TRUE;
+ else
+ data->state.provider_loaded = TRUE;
return CURLE_OK;
}
#endif
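Review bot: On a second call with a different provider name, `data->state.provider` and `data->state.baseprov` are overwritten by the new `OSSL_PROVIDER_try_load` results without the previous handles being unloaded, and the new property string is ignored because `propq` is only stored inside the `if(!data->state.libctx)` block that runs on the first call. Whether callers can change the provider after it has been set is not visible here, but if they can, this leaks the earlier providers and silently keeps the first property. Consider calling `ossl_provider_cleanup(data)` when `data->state.provider_loaded` is already set and a different name or property is requested (checking first that no live SSL_CTX still references the old libctx), or document that only the first provider/property combination takes effect. Minor style: the `else` before `data->state.provider_loaded = TRUE;` is redundant after the `return` in the preceding block.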
@@ -2141,6 +2203,9 @@ static void ossl_close_all(struct Curl_easy *data)
#else
(void)data;
#endif
+#ifdef OPENSSL_HAS_PROVIDERS
+ ossl_provider_cleanup(data);
+#endif
#ifndef HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED
/* OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
so we need to clean it here in case the thread will be killed. All OpenSSL
@@ -3414,8 +3479,8 @@ ossl_cached_x509_store_expired(const struct Curl_easy *data,
if(cfg->ca_cache_timeout < 0)
return FALSE;
else {
- struct curltime now = Curl_now();
- timediff_t elapsed_ms = Curl_timediff(now, mb->time);
+ struct curltime now = curlx_now();
+ timediff_t elapsed_ms = curlx_timediff(now, mb->time);
timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
return elapsed_ms >= timeout_ms;
@@ -3497,7 +3562,7 @@ static void ossl_set_cached_x509_store(struct Curl_cfilter *cf,
free(share->CAfile);
}
- share->time = Curl_now();
+ share->time = curlx_now();
share->store = store;
share->CAfile = CAfile;
}
@@ -3549,43 +3614,299 @@ CURLcode Curl_ssl_setup_x509_store(struct Curl_cfilter *cf,
}
#endif /* HAVE_SSL_X509_STORE_SHARE */
-CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
+
+static CURLcode
+ossl_init_session_and_alpns(struct ossl_ctx *octx,
struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer,
const struct alpn_spec *alpns_requested,
- Curl_ossl_ctx_setup_cb *cb_setup,
- void *cb_user_data,
- Curl_ossl_new_session_cb *cb_new_session,
- void *ssl_user_data,
Curl_ossl_init_session_reuse_cb *sess_reuse_cb)
{
- CURLcode result = CURLE_OK;
- const char *ciphers;
- const SSL_METHOD *req_method = NULL;
- ctx_option_t ctx_options = 0;
- struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
- unsigned int ssl_version_min = conn_config->version;
- char * const ssl_cert = ssl_config->primary.clientcert;
- const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
- const char * const ssl_cert_type = ssl_config->cert_type;
- const bool verifypeer = conn_config->verifypeer;
- char error_buffer[256];
struct alpn_spec alpns;
-
- /* Make funny stuff to get random input */
- result = ossl_seed(data);
- if(result)
- return result;
+ char error_buffer[256];
+ CURLcode result;
Curl_alpn_copy(&alpns, alpns_requested);
- ssl_config->certverifyresult = !X509_V_OK;
+ octx->reused_session = FALSE;
+ if(ssl_config->primary.cache_session) {
+ struct Curl_ssl_session *scs = NULL;
+
+ result = Curl_ssl_scache_take(cf, data, peer->scache_key, &scs);
+ if(!result && scs && scs->sdata && scs->sdata_len) {
+ const unsigned char *der_sessionid = scs->sdata;
+ size_t der_sessionid_size = scs->sdata_len;
+ SSL_SESSION *ssl_session = NULL;
+
+ /* If OpenSSL does not accept the session from the cache, this
+ * is not an error. We just continue without it. */
+ ssl_session = d2i_SSL_SESSION(NULL, &der_sessionid,
+ (long)der_sessionid_size);
+ if(ssl_session) {
+ if(!SSL_set_session(octx->ssl, ssl_session)) {
+ infof(data, "SSL: SSL_set_session not accepted, "
+ "continuing without: %s",
+ ossl_strerror(ERR_get_error(), error_buffer,
+ sizeof(error_buffer)));
+ }
+ else {
+ infof(data, "SSL reusing session with ALPN '%s'",
+ scs->alpn ? scs->alpn : "-");
+ octx->reused_session = TRUE;
+#ifdef HAVE_OPENSSL_EARLYDATA
+ if(ssl_config->earlydata && scs->alpn &&
+ SSL_SESSION_get_max_early_data(ssl_session) &&
+ !cf->conn->connect_only &&
+ (SSL_version(octx->ssl) == TLS1_3_VERSION)) {
+ bool do_early_data = FALSE;
+ if(sess_reuse_cb) {
+ result = sess_reuse_cb(cf, data, &alpns, scs, &do_early_data);
+ if(result)
+ return result;
+ }
+ if(do_early_data) {
+ /* We only try the ALPN protocol the session used before,
+ * otherwise we might send early data for the wrong protocol */
+ Curl_alpn_restrict_to(&alpns, scs->alpn);
+ }
+ }
+#else
+ (void)sess_reuse_cb;
+#endif
+ }
+ SSL_SESSION_free(ssl_session);
+ }
+ else {
+ infof(data, "SSL session not accepted by OpenSSL, continuing without");
+ }
+ }
+ Curl_ssl_scache_return(cf, data, peer->scache_key, scs);
+ }
+
+#ifdef HAS_ALPN_OPENSSL
+ if(alpns.count) {
+ struct alpn_proto_buf proto;
+ memset(&proto, 0, sizeof(proto));
+ result = Curl_alpn_to_proto_buf(&proto, &alpns);
+ if(result) {
+ failf(data, "Error determining ALPN");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ if(SSL_set_alpn_protos(octx->ssl, proto.data, (int)proto.len)) {
+ failf(data, "Error setting ALPN");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+#endif
+
+ return CURLE_OK;
+}
+
+#ifdef USE_ECH_OPENSSL
+static CURLcode ossl_init_ech(struct ossl_ctx *octx,
+ struct Curl_cfilter *cf,
+ struct Curl_easy *data,
+ struct ssl_peer *peer)
+{
+ unsigned char *ech_config = NULL;
+ size_t ech_config_len = 0;
+ char *outername = data->set.str[STRING_ECH_PUBLIC];
+ int trying_ech_now = 0;
+ CURLcode result;
+
+ if(!ECH_ENABLED(data))
+ return CURLE_OK;
+
+ if(data->set.tls_ech & CURLECH_GREASE) {
+ infof(data, "ECH: will GREASE ClientHello");
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ SSL_set_enable_ech_grease(octx->ssl, 1);
+# else
+ SSL_set_options(octx->ssl, SSL_OP_ECH_GREASE);
+# endif
+ }
+ else if(data->set.tls_ech & CURLECH_CLA_CFG) {
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ /* have to do base64 decode here for BoringSSL */
+ const char *b64 = data->set.str[STRING_ECH_CONFIG];
+
+ if(!b64) {
+ infof(data, "ECH: ECHConfig from command line empty");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ ech_config_len = 2 * strlen(b64);
+ result = curlx_base64_decode(b64, &ech_config, &ech_config_len);
+ if(result || !ech_config) {
+ infof(data, "ECH: cannot base64 decode ECHConfig from command line");
+ if(data->set.tls_ech & CURLECH_HARD)
+ return result;
+ }
+ if(SSL_set1_ech_config_list(octx->ssl, ech_config,
+ ech_config_len) != 1) {
+ infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");
+ if(data->set.tls_ech & CURLECH_HARD) {
+ free(ech_config);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+ free(ech_config);
+ trying_ech_now = 1;
+# else
+ ech_config = (unsigned char *) data->set.str[STRING_ECH_CONFIG];
+ if(!ech_config) {
+ infof(data, "ECH: ECHConfig from command line empty");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ ech_config_len = strlen(data->set.str[STRING_ECH_CONFIG]);
+ if(SSL_set1_ech_config_list(octx->ssl, ech_config,
+ ech_config_len) != 1) {
+ infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");
+ if(data->set.tls_ech & CURLECH_HARD)
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ else
+ trying_ech_now = 1;
+# endif
+ infof(data, "ECH: ECHConfig from command line");
+ }
+ else {
+ struct Curl_dns_entry *dns = NULL;
+
+ if(peer->hostname)
+ dns = Curl_dnscache_get(data, peer->hostname, peer->port,
+ cf->conn->ip_version);
+ if(!dns) {
+ infof(data, "ECH: requested but no DNS info available");
+ if(data->set.tls_ech & CURLECH_HARD)
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ else {
+ struct Curl_https_rrinfo *rinfo = NULL;
+
+ rinfo = dns->hinfo;
+ if(rinfo && rinfo->echconfiglist) {
+ unsigned char *ecl = rinfo->echconfiglist;
+ size_t elen = rinfo->echconfiglist_len;
+
+ infof(data, "ECH: ECHConfig from DoH HTTPS RR");
+ if(SSL_set1_ech_config_list(octx->ssl, ecl, elen) != 1) {
+ infof(data, "ECH: SSL_set1_ech_config_list failed");
+ if(data->set.tls_ech & CURLECH_HARD)
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ else {
+ trying_ech_now = 1;
+ infof(data, "ECH: imported ECHConfigList of length %zu", elen);
+ }
+ }
+ else {
+ infof(data, "ECH: requested but no ECHConfig available");
+ if(data->set.tls_ech & CURLECH_HARD)
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ Curl_resolv_unlink(data, &dns);
+ }
+ }
+# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
+ if(trying_ech_now && outername) {
+ infof(data, "ECH: setting public_name not supported with BoringSSL");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+# else
+ if(trying_ech_now && outername) {
+ infof(data, "ECH: inner: '%s', outer: '%s'",
+ peer->hostname ? peer->hostname : "NULL", outername);
+ result = SSL_ech_set1_server_names(octx->ssl,
+ peer->hostname, outername,
+ 0 /* do send outer */);
+ if(result != 1) {
+ infof(data, "ECH: rv failed to set server name(s) %d [ERROR]", result);
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+# endif /* OPENSSL_IS_BORINGSSL || OPENSSL_IS_AWSLC */
+ if(trying_ech_now
+ && SSL_set_min_proto_version(octx->ssl, TLS1_3_VERSION) != 1) {
+ infof(data, "ECH: cannot force TLSv1.3 [ERROR]");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ return CURLE_OK;
+}
+#endif /* USE_ECH_OPENSSL */
+
+
+static CURLcode ossl_init_ssl(struct ossl_ctx *octx,
+ struct Curl_cfilter *cf,
+ struct Curl_easy *data,
+ struct ssl_peer *peer,
+ const struct alpn_spec *alpns_requested,
+ void *ssl_user_data,
+ Curl_ossl_init_session_reuse_cb *sess_reuse_cb)
+{
+ /* Let's make an SSL structure */
+ if(octx->ssl)
+ SSL_free(octx->ssl);
+ octx->ssl = SSL_new(octx->ssl_ctx);
+ if(!octx->ssl) {
+ failf(data, "SSL: could not create a context (handle)");
+ return CURLE_OUT_OF_MEMORY;
+ }
+
+ SSL_set_app_data(octx->ssl, ssl_user_data);
+
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
+ if(Curl_ssl_cf_get_primary_config(cf)->verifystatus)
+ SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp);
+#endif
+
+#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)) && \
+ defined(ALLOW_RENEG)
+ SSL_set_renegotiate_mode(octx->ssl, ssl_renegotiate_freely);
+#endif
+
+ SSL_set_connect_state(octx->ssl);
+
+ octx->server_cert = NULL;
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ if(peer->sni) {
+ if(!SSL_set_tlsext_host_name(octx->ssl, peer->sni)) {
+ failf(data, "Failed set SNI");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+
+#ifdef USE_ECH_OPENSSL
+ {
+ CURLcode result = ossl_init_ech(octx, cf, data, peer);
+ if(result)
+ return result;
+ }
+#endif /* USE_ECH_OPENSSL */
+
+#endif
+
+ return ossl_init_session_and_alpns(octx, cf, data, peer,
+ alpns_requested, sess_reuse_cb);
+}
+
+
+static CURLcode ossl_init_method(struct Curl_cfilter *cf,
+ struct Curl_easy *data,
+ struct ssl_peer *peer,
+ const SSL_METHOD **pmethod,
+ unsigned int *pssl_version_min)
+{
+ struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
+
+ *pmethod = NULL;
+ *pssl_version_min = conn_config->version;
switch(peer->transport) {
case TRNSPRT_TCP:
/* check to see if we have been told to use an explicit SSL/TLS version */
- switch(ssl_version_min) {
+ switch(*pssl_version_min) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
case CURL_SSLVERSION_TLSv1_0:
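Review bot: The early `return result;` after a failing `sess_reuse_cb` inside `ossl_init_session_and_alpns` leaves the decoded `ssl_session` unfreed and never hands `scs` back through `Curl_ssl_scache_return`, so a failing reuse callback leaks the SSL_SESSION and the cache entry stays checked out; the same shape was in the old body, the commit only moves it. Releasing before leaving would be `SSL_SESSION_free(ssl_session); Curl_ssl_scache_return(cf, data, peer->scache_key, scs); return result;`, or a `goto` to a single exit that does both. Separately, in `ossl_init_ech` the BoringSSL/AWS-LC branch sets `trying_ech_now = 1` unconditionally after `SSL_set1_ech_config_list`, while the OpenSSL branch only sets it in the `else` of a successful call, so in non-HARD mode the two paths presumably differ on whether TLS 1.3 is then forced and the `outername` check applies; aligning the BoringSSL branch with the OpenSSL one looks intended. `ossl_init_method` starts in this hunk and continues past it.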
@@ -3594,9 +3915,9 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
case CURL_SSLVERSION_TLSv1_3:
/* it will be handled later with the context options */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
- req_method = TLS_client_method();
+ *pmethod = TLS_client_method();
#else
- req_method = SSLv23_client_method();
+ *pmethod = SSLv23_client_method();
#endif
break;
case CURL_SSLVERSION_SSLv2:
@@ -3611,7 +3932,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
}
break;
case TRNSPRT_QUIC:
- ssl_version_min = CURL_SSLVERSION_TLSv1_3;
+ *pssl_version_min = CURL_SSLVERSION_TLSv1_3;
if(conn_config->version_max &&
(conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) {
failf(data, "QUIC needs at least TLS version 1.3");
@@ -3619,11 +3940,11 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
}
#ifdef USE_OPENSSL_QUIC
- req_method = OSSL_QUIC_client_method();
+ *pmethod = OSSL_QUIC_client_method();
#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
- req_method = TLS_method();
+ *pmethod = TLS_method();
#else
- req_method = SSLv23_client_method();
+ *pmethod = SSLv23_client_method();
#endif
break;
default:
@@ -3631,9 +3952,53 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
return CURLE_SSL_CONNECT_ERROR;
}
+ return *pmethod ? CURLE_OK : CURLE_SSL_CONNECT_ERROR;
+}
+
+
+CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
+ struct Curl_cfilter *cf,
+ struct Curl_easy *data,
+ struct ssl_peer *peer,
+ const struct alpn_spec *alpns_requested,
+ Curl_ossl_ctx_setup_cb *cb_setup,
+ void *cb_user_data,
+ Curl_ossl_new_session_cb *cb_new_session,
+ void *ssl_user_data,
+ Curl_ossl_init_session_reuse_cb *sess_reuse_cb)
+{
+ CURLcode result = CURLE_OK;
+ const char *ciphers;
+ const SSL_METHOD *req_method = NULL;
+ ctx_option_t ctx_options = 0;
+ struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
+ struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
+ char * const ssl_cert = ssl_config->primary.clientcert;
+ const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
+ const char * const ssl_cert_type = ssl_config->cert_type;
+ const bool verifypeer = conn_config->verifypeer;
+ unsigned int ssl_version_min;
+ char error_buffer[256];
+
+ /* Make funny stuff to get random input */
+ result = ossl_seed(data);
+ if(result)
+ return result;
+
+ ssl_config->certverifyresult = !X509_V_OK;
+
+ result = ossl_init_method(cf, data, peer, &req_method, &ssl_version_min);
+ if(result)
+ return result;
+ DEBUGASSERT(req_method);
DEBUGASSERT(!octx->ssl_ctx);
- octx->ssl_ctx = SSL_CTX_new(req_method);
+ octx->ssl_ctx =
+#ifdef OPENSSL_HAS_PROVIDERS
+ data->state.libctx ?
+ SSL_CTX_new_ex(data->state.libctx, data->state.propq, req_method):
+#endif
+ SSL_CTX_new(req_method);
if(!octx->ssl_ctx) {
failf(data, "SSL: could not create a context: %s",
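Review bot: The `#ifdef OPENSSL_HAS_PROVIDERS` spliced into the middle of the conditional expression that initialises `octx->ssl_ctx` yields one statement under one configuration and a different statement under the other, which is easy to misread and awkward for formatters; writing each configuration as a complete statement says the same thing plainly. `DEBUGASSERT(req_method)` is now guaranteed by `ossl_init_method` returning `CURLE_SSL_CONNECT_ERROR` for a NULL method, so a short comment such as `/* ossl_init_method fails rather than returning a NULL method */` would mark it as an invariant rather than a check. `Curl_ossl_ctx_init` continues past the hunk.
```c
  DEBUGASSERT(!octx->ssl_ctx);
#ifdef OPENSSL_HAS_PROVIDERS
  if(data->state.libctx)
    octx->ssl_ctx = SSL_CTX_new_ex(data->state.libctx, data->state.propq,
                                   req_method);
  else
    octx->ssl_ctx = SSL_CTX_new(req_method);
#else
  octx->ssl_ctx = SSL_CTX_new(req_method);
#endif
  /* … unchanged: NULL check and failf … */
```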
@@ -3751,18 +4116,6 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
SSL_CTX_set_mode(octx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#endif
- if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
- if(!result &&
- !cert_stuff(data, octx->ssl_ctx,
- ssl_cert, ssl_cert_blob, ssl_cert_type,
- ssl_config->key, ssl_config->key_blob,
- ssl_config->key_type, ssl_config->key_passwd))
- result = CURLE_SSL_CERTPROBLEM;
- if(result)
- /* failf() is already done in cert_stuff() */
- return result;
- }
-
ciphers = conn_config->cipher_list;
if(!ciphers && (peer->transport != TRNSPRT_QUIC))
ciphers = DEFAULT_CIPHER_SELECTION;
@@ -3789,6 +4142,18 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
}
#endif
+ if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
+ if(!result &&
+ !cert_stuff(data, octx->ssl_ctx,
+ ssl_cert, ssl_cert_blob, ssl_cert_type,
+ ssl_config->key, ssl_config->key_blob,
+ ssl_config->key_type, ssl_config->key_passwd))
+ result = CURLE_SSL_CERTPROBLEM;
+ if(result)
+ /* failf() is already done in cert_stuff() */
+ return result;
+ }
+
#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
/* OpenSSL 1.1.1 requires clients to opt-in for PHA */
SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1);
@@ -3809,6 +4174,21 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
}
}
+#ifdef HAVE_SSL_CTX_SET1_SIGALGS
+#define OSSL_SIGALG_CAST(x) OSSL_CURVE_CAST(x)
+ {
+ const char *signature_algorithms = conn_config->signature_algorithms;
+ if(signature_algorithms) {
+ if(!SSL_CTX_set1_sigalgs_list(octx->ssl_ctx,
+ OSSL_SIGALG_CAST(signature_algorithms))) {
+ failf(data, "failed setting signature algorithms: '%s'",
+ signature_algorithms);
+ return CURLE_SSL_CIPHER;
+ }
+ }
+ }
+#endif
+
#ifdef USE_OPENSSL_SRP
if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) {
char * const ssl_username = ssl_config->primary.username;
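Review bot: `OSSL_SIGALG_CAST` is `#define`d in the middle of `Curl_ossl_ctx_init`'s body and never `#undef`ed, so the macro stays visible for the rest of the translation unit; defining it at file scope next to `OSSL_CURVE_CAST`, or adding `#undef OSSL_SIGALG_CAST` right after the `#endif`, keeps macro definitions out of function bodies. Returning `CURLE_SSL_CIPHER` for a rejected signature-algorithm list appears to mirror how a bad cipher or curve list is reported elsewhere in this file; a one-line comment, e.g. `/* reported as CURLE_SSL_CIPHER, like a rejected cipher/curve list */`, would save the reader that lookup. The enclosing function begins and ends outside the hunk.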
@@ -3880,234 +4260,8 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
}
}
- /* Let's make an SSL structure */
- if(octx->ssl)
- SSL_free(octx->ssl);
- octx->ssl = SSL_new(octx->ssl_ctx);
- if(!octx->ssl) {
- failf(data, "SSL: could not create a context (handle)");
- return CURLE_OUT_OF_MEMORY;
- }
-
- SSL_set_app_data(octx->ssl, ssl_user_data);
-
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_OCSP)
- if(conn_config->verifystatus)
- SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp);
-#endif
-
-#if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)) && \
- defined(ALLOW_RENEG)
- SSL_set_renegotiate_mode(octx->ssl, ssl_renegotiate_freely);
-#endif
-
- SSL_set_connect_state(octx->ssl);
-
- octx->server_cert = 0x0;
-#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
- if(peer->sni) {
- if(!SSL_set_tlsext_host_name(octx->ssl, peer->sni)) {
- failf(data, "Failed set SNI");
- return CURLE_SSL_CONNECT_ERROR;
- }
- }
-
-#ifdef USE_ECH_OPENSSL
- if(ECH_ENABLED(data)) {
- unsigned char *ech_config = NULL;
- size_t ech_config_len = 0;
- char *outername = data->set.str[STRING_ECH_PUBLIC];
- int trying_ech_now = 0;
-
- if(data->set.tls_ech & CURLECH_GREASE) {
- infof(data, "ECH: will GREASE ClientHello");
-# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
- SSL_set_enable_ech_grease(octx->ssl, 1);
-# else
- SSL_set_options(octx->ssl, SSL_OP_ECH_GREASE);
-# endif
- }
- else if(data->set.tls_ech & CURLECH_CLA_CFG) {
-# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
- /* have to do base64 decode here for BoringSSL */
- const char *b64 = data->set.str[STRING_ECH_CONFIG];
-
- if(!b64) {
- infof(data, "ECH: ECHConfig from command line empty");
- return CURLE_SSL_CONNECT_ERROR;
- }
- ech_config_len = 2 * strlen(b64);
- result = Curl_base64_decode(b64, &ech_config, &ech_config_len);
- if(result || !ech_config) {
- infof(data, "ECH: cannot base64 decode ECHConfig from command line");
- if(data->set.tls_ech & CURLECH_HARD)
- return result;
- }
- if(SSL_set1_ech_config_list(octx->ssl, ech_config,
- ech_config_len) != 1) {
- infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");
- if(data->set.tls_ech & CURLECH_HARD) {
- free(ech_config);
- return CURLE_SSL_CONNECT_ERROR;
- }
- }
- free(ech_config);
- trying_ech_now = 1;
-# else
- ech_config = (unsigned char *) data->set.str[STRING_ECH_CONFIG];
- if(!ech_config) {
- infof(data, "ECH: ECHConfig from command line empty");
- return CURLE_SSL_CONNECT_ERROR;
- }
- ech_config_len = strlen(data->set.str[STRING_ECH_CONFIG]);
- if(SSL_set1_ech_config_list(octx->ssl, ech_config,
- ech_config_len) != 1) {
- infof(data, "ECH: SSL_ECH_set1_ech_config_list failed");
- if(data->set.tls_ech & CURLECH_HARD)
- return CURLE_SSL_CONNECT_ERROR;
- }
- else
- trying_ech_now = 1;
-# endif
- infof(data, "ECH: ECHConfig from command line");
- }
- else {
- struct Curl_dns_entry *dns = NULL;
-
- if(peer->hostname)
- dns = Curl_fetch_addr(data, peer->hostname, peer->port);
- if(!dns) {
- infof(data, "ECH: requested but no DNS info available");
- if(data->set.tls_ech & CURLECH_HARD)
- return CURLE_SSL_CONNECT_ERROR;
- }
- else {
- struct Curl_https_rrinfo *rinfo = NULL;
-
- rinfo = dns->hinfo;
- if(rinfo && rinfo->echconfiglist) {
- unsigned char *ecl = rinfo->echconfiglist;
- size_t elen = rinfo->echconfiglist_len;
-
- infof(data, "ECH: ECHConfig from DoH HTTPS RR");
- if(SSL_set1_ech_config_list(octx->ssl, ecl, elen) != 1) {
- infof(data, "ECH: SSL_set1_ech_config_list failed");
- if(data->set.tls_ech & CURLECH_HARD)
- return CURLE_SSL_CONNECT_ERROR;
- }
- else {
- trying_ech_now = 1;
- infof(data, "ECH: imported ECHConfigList of length %zu", elen);
- }
- }
- else {
- infof(data, "ECH: requested but no ECHConfig available");
- if(data->set.tls_ech & CURLECH_HARD)
- return CURLE_SSL_CONNECT_ERROR;
- }
- Curl_resolv_unlink(data, &dns);
- }
- }
-# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
- if(trying_ech_now && outername) {
- infof(data, "ECH: setting public_name not supported with BoringSSL");
- return CURLE_SSL_CONNECT_ERROR;
- }
-# else
- if(trying_ech_now && outername) {
- infof(data, "ECH: inner: '%s', outer: '%s'",
- peer->hostname ? peer->hostname : "NULL", outername);
- result = SSL_ech_set1_server_names(octx->ssl,
- peer->hostname, outername,
- 0 /* do send outer */);
- if(result != 1) {
- infof(data, "ECH: rv failed to set server name(s) %d [ERROR]", result);
- return CURLE_SSL_CONNECT_ERROR;
- }
- }
-# endif /* OPENSSL_IS_BORINGSSL || OPENSSL_IS_AWSLC */
- if(trying_ech_now
- && SSL_set_min_proto_version(octx->ssl, TLS1_3_VERSION) != 1) {
- infof(data, "ECH: cannot force TLSv1.3 [ERROR]");
- return CURLE_SSL_CONNECT_ERROR;
- }
- }
-#endif /* USE_ECH_OPENSSL */
-
-#endif
-
- octx->reused_session = FALSE;
- if(ssl_config->primary.cache_session) {
- struct Curl_ssl_session *scs = NULL;
-
- result = Curl_ssl_scache_take(cf, data, peer->scache_key, &scs);
- if(!result && scs && scs->sdata && scs->sdata_len) {
- const unsigned char *der_sessionid = scs->sdata;
- size_t der_sessionid_size = scs->sdata_len;
- SSL_SESSION *ssl_session = NULL;
-
- /* If OpenSSL does not accept the session from the cache, this
- * is not an error. We just continue without it. */
- ssl_session = d2i_SSL_SESSION(NULL, &der_sessionid,
- (long)der_sessionid_size);
- if(ssl_session) {
- if(!SSL_set_session(octx->ssl, ssl_session)) {
- infof(data, "SSL: SSL_set_session not accepted, "
- "continuing without: %s",
- ossl_strerror(ERR_get_error(), error_buffer,
- sizeof(error_buffer)));
- }
- else {
- infof(data, "SSL reusing session with ALPN '%s'",
- scs->alpn ? scs->alpn : "-");
- octx->reused_session = TRUE;
-#ifdef HAVE_OPENSSL_EARLYDATA
- if(ssl_config->earlydata && scs->alpn &&
- SSL_SESSION_get_max_early_data(ssl_session) &&
- !cf->conn->connect_only &&
- (SSL_version(octx->ssl) == TLS1_3_VERSION)) {
- bool do_early_data = FALSE;
- if(sess_reuse_cb) {
- result = sess_reuse_cb(cf, data, &alpns, scs, &do_early_data);
- if(result)
- return result;
- }
- if(do_early_data) {
- /* We only try the ALPN protocol the session used before,
- * otherwise we might send early data for the wrong protocol */
- Curl_alpn_restrict_to(&alpns, scs->alpn);
- }
- }
-#else
- (void)sess_reuse_cb;
-#endif
- }
- SSL_SESSION_free(ssl_session);
- }
- else {
- infof(data, "SSL session not accepted by OpenSSL, continuing without");
- }
- }
- Curl_ssl_scache_return(cf, data, peer->scache_key, scs);
- }
-
-#ifdef HAS_ALPN_OPENSSL
- if(alpns.count) {
- struct alpn_proto_buf proto;
- memset(&proto, 0, sizeof(proto));
- result = Curl_alpn_to_proto_buf(&proto, &alpns);
- if(result) {
- failf(data, "Error determining ALPN");
- return CURLE_SSL_CONNECT_ERROR;
- }
- if(SSL_set_alpn_protos(octx->ssl, proto.data, (int)proto.len)) {
- failf(data, "Error setting ALPN");
- return CURLE_SSL_CONNECT_ERROR;
- }
- }
-#endif
-
- return CURLE_OK;
+ return ossl_init_ssl(octx, cf, data, peer, alpns_requested,
+ ssl_user_data, sess_reuse_cb);
}
static CURLcode ossl_on_session_reuse(struct Curl_cfilter *cf,
@@ -4225,7 +4379,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl,
char *b64str = NULL;
size_t blen = 0;
- result = Curl_base64_encode((const char *)rcs, rcl, &b64str, &blen);
+ result = curlx_base64_encode((const char *)rcs, rcl, &b64str, &blen);
if(!result && b64str) {
infof(data, "ECH: retry_configs %s", b64str);
free(b64str);
@@ -4656,7 +4810,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
DEBUGASSERT(octx);
- Curl_dyn_init(&dname, MAX_CERT_NAME_LENGTH);
+ curlx_dyn_init(&dname, MAX_CERT_NAME_LENGTH);
if(!mem) {
failf(data,
@@ -4686,7 +4840,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
result = x509_name_oneline(X509_get_subject_name(octx->server_cert),
&dname);
- infof(data, " subject: %s", result ? "[NONE]" : Curl_dyn_ptr(&dname));
+ infof(data, " subject: %s", result ? "[NONE]" : curlx_dyn_ptr(&dname));
#ifndef CURL_DISABLE_VERBOSE_STRINGS
{
@@ -4711,7 +4865,7 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
if(result) {
X509_free(octx->server_cert);
octx->server_cert = NULL;
- Curl_dyn_free(&dname);
+ curlx_dyn_free(&dname);
return result;
}
}
@@ -4724,8 +4878,8 @@ CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
result = CURLE_PEER_FAILED_VERIFICATION;
}
else {
- infof(data, " issuer: %s", Curl_dyn_ptr(&dname));
- Curl_dyn_free(&dname);
+ infof(data, " issuer: %s", curlx_dyn_ptr(&dname));
+ curlx_dyn_free(&dname);
/* We could do all sorts of certificate verification stuff here before
deallocating the certificate. */
@@ -5308,10 +5462,10 @@ static CURLcode ossl_get_channel_binding(struct Curl_easy *data, int sockindex,
}
/* Append "tls-server-end-point:" */
- if(Curl_dyn_addn(binding, prefix, sizeof(prefix) - 1) != CURLE_OK)
+ if(curlx_dyn_addn(binding, prefix, sizeof(prefix) - 1) != CURLE_OK)
return CURLE_OUT_OF_MEMORY;
/* Append digest */
- if(Curl_dyn_addn(binding, buf, length))
+ if(curlx_dyn_addn(binding, buf, length))
return CURLE_OUT_OF_MEMORY;
return CURLE_OK;
@@ -5462,6 +5616,9 @@ const struct Curl_ssl Curl_ssl_openssl = {
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
SSLSUPP_TLS13_CIPHERSUITES |
#endif
+#ifdef HAVE_SSL_CTX_SET1_SIGALGS
+ SSLSUPP_SIGNATURE_ALGORITHMS |
+#endif
#ifdef USE_ECH_OPENSSL
SSLSUPP_ECH |
#endif
@@ -5483,7 +5640,7 @@ const struct Curl_ssl Curl_ssl_openssl = {
ossl_get_internals, /* get_internals */
ossl_close, /* close_one */
ossl_close_all, /* close_all */
- ossl_set_engine, /* set_engine */
+ ossl_set_engine, /* set_engine or provider */
ossl_set_engine_default, /* set_engine_default */
ossl_engines_list, /* engines_list */
NULL, /* false_start */
diff --git a/libs/libcurl/src/vtls/openssl.h b/libs/libcurl/src/vtls/openssl.h
index f72f6dea35..1ca175c942 100644
--- a/libs/libcurl/src/vtls/openssl.h
+++ b/libs/libcurl/src/vtls/openssl.h
@@ -24,7 +24,7 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_OPENSSL
/*
@@ -35,7 +35,7 @@
#include <openssl/ossl_typ.h>
#include <openssl/ssl.h>
-#include "urldata.h"
+#include "../urldata.h"
/*
* Whether SSL_CTX_set_keylog_callback is available.
diff --git a/libs/libcurl/src/vtls/rustls.c b/libs/libcurl/src/vtls/rustls.c
index f8e668e17a..4876175212 100644
--- a/libs/libcurl/src/vtls/rustls.c
+++ b/libs/libcurl/src/vtls/rustls.c
@@ -24,22 +24,22 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_RUSTLS
-#include "curl_printf.h"
+#include "../curl_printf.h"
#include <rustls.h>
-#include "inet_pton.h"
-#include "urldata.h"
-#include "sendf.h"
+#include "../curlx/inet_pton.h"
+#include "../urldata.h"
+#include "../sendf.h"
#include "vtls.h"
#include "vtls_int.h"
#include "rustls.h"
#include "keylog.h"
-#include "strerror.h"
+#include "../strerror.h"
#include "cipher_suite.h"
#include "x509asn1.h"
@@ -417,7 +417,7 @@ read_file_into(const char *filename,
uint8_t buf[256];
const size_t rr = fread(buf, 1, sizeof(buf), f);
if(rr == 0 ||
- CURLE_OK != Curl_dyn_addn(out, buf, rr)) {
+ CURLE_OK != curlx_dyn_addn(out, buf, rr)) {
fclose(f);
return 0;
}
@@ -692,7 +692,7 @@ init_config_builder_verifier_crl(
struct dynbuf crl_contents;
rustls_result rr;
- Curl_dyn_init(&crl_contents, DYN_CRLFILE_SIZE);
+ curlx_dyn_init(&crl_contents, DYN_CRLFILE_SIZE);
if(!read_file_into(conn_config->CRLfile, &crl_contents)) {
failf(data, "rustls: failed to read revocation list file");
result = CURLE_SSL_CRL_BADFILE;
@@ -701,8 +701,8 @@ init_config_builder_verifier_crl(
rr = rustls_web_pki_server_cert_verifier_builder_add_crl(
builder,
- Curl_dyn_uptr(&crl_contents),
- Curl_dyn_len(&crl_contents));
+ curlx_dyn_uptr(&crl_contents),
+ curlx_dyn_len(&crl_contents));
if(rr != RUSTLS_RESULT_OK) {
rustls_failf(data, rr, "failed to parse revocation list");
result = CURLE_SSL_CRL_BADFILE;
@@ -710,7 +710,7 @@ init_config_builder_verifier_crl(
}
cleanup:
- Curl_dyn_free(&crl_contents);
+ curlx_dyn_free(&crl_contents);
return result;
}
@@ -868,8 +868,8 @@ init_config_builder_client_auth(struct Curl_easy *data,
return CURLE_SSL_CERTPROBLEM;
}
- Curl_dyn_init(&cert_contents, SIZE_MAX);
- Curl_dyn_init(&key_contents, SIZE_MAX);
+ curlx_dyn_init(&cert_contents, DYN_CERTFILE_SIZE);
+ curlx_dyn_init(&key_contents, DYN_KEYFILE_SIZE);
if(!read_file_into(conn_config->clientcert, &cert_contents)) {
failf(data, "rustls: failed to read client certificate file: '%s'",
@@ -884,10 +884,10 @@ init_config_builder_client_auth(struct Curl_easy *data,
goto cleanup;
}
- rr = rustls_certified_key_build(Curl_dyn_uptr(&cert_contents),
- Curl_dyn_len(&cert_contents),
- Curl_dyn_uptr(&key_contents),
- Curl_dyn_len(&key_contents),
+ rr = rustls_certified_key_build(curlx_dyn_uptr(&cert_contents),
+ curlx_dyn_len(&cert_contents),
+ curlx_dyn_uptr(&key_contents),
+ curlx_dyn_len(&key_contents),
&certified_key);
if(rr != RUSTLS_RESULT_OK) {
rustls_failf(data, rr, "rustls: failed to build certified key");
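Review bot: With `DYN_CERTFILE_SIZE`/`DYN_KEYFILE_SIZE` replacing `SIZE_MAX`, a certificate or key file above the limit now makes `curlx_dyn_addn` fail inside `read_file_into`, which returns 0 and is reported here as `failed to read client certificate file`, indistinguishable from an I/O error. Since the bound is new behaviour, a comment at the two init lines, e.g. `/* bounded: files larger than DYN_CERTFILE_SIZE/DYN_KEYFILE_SIZE are rejected */`, or a mention of the limit in the failf text, would make the rejection diagnosable. `init_config_builder_client_auth` begins and ends outside the hunk.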
@@ -915,8 +915,8 @@ init_config_builder_client_auth(struct Curl_easy *data,
}
cleanup:
- Curl_dyn_free(&cert_contents);
- Curl_dyn_free(&key_contents);
+ curlx_dyn_free(&cert_contents);
+ curlx_dyn_free(&key_contents);
if(certified_key) {
rustls_certified_key_free(certified_key);
}
@@ -961,8 +961,7 @@ init_config_builder_ech(struct Curl_easy *data,
return CURLE_OK;
}
- if(data->set.tls_ech & CURLECH_CLA_CFG
- && data->set.str[STRING_ECH_CONFIG]) {
+ if(data->set.tls_ech & CURLECH_CLA_CFG && data->set.str[STRING_ECH_CONFIG]) {
const char *b64 = data->set.str[STRING_ECH_CONFIG];
size_t decode_result;
if(!b64) {
@@ -971,7 +970,7 @@ init_config_builder_ech(struct Curl_easy *data,
goto cleanup;
}
/* rustls-ffi expects the raw TLS encoded ECHConfigList bytes */
- decode_result = Curl_base64_decode(b64, &ech_config, &ech_config_len);
+ decode_result = curlx_base64_decode(b64, &ech_config, &ech_config_len);
if(decode_result || !ech_config) {
infof(data, "rustls: cannot base64 decode ECHConfig from command line");
result = CURLE_SSL_CONNECT_ERROR;
@@ -980,10 +979,8 @@ init_config_builder_ech(struct Curl_easy *data,
}
else {
if(connssl->peer.hostname) {
- dns = Curl_fetch_addr(
- data,
- connssl->peer.hostname,
- connssl->peer.port);
+ dns = Curl_dnscache_get(data, connssl->peer.hostname,
+ connssl->peer.port, data->conn->ip_version);
}
if(!dns) {
failf(data, "rustls: ECH requested but no DNS info available");
@@ -1010,6 +1007,10 @@ init_config_builder_ech(struct Curl_easy *data,
goto cleanup;
}
cleanup:
+ /* if we base64 decoded, we can free now */
+ if(data->set.tls_ech & CURLECH_CLA_CFG && data->set.str[STRING_ECH_CONFIG]) {
+ free(ech_config);
+ }
if(dns) {
Curl_resolv_unlink(data, &dns);
}
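Review bot: The `free(ech_config)` at `cleanup:` decides ownership by re-evaluating `data->set.tls_ech & CURLECH_CLA_CFG && data->set.str[STRING_ECH_CONFIG]`, the same condition that selected the decode branch earlier; the two must stay in lockstep forever, because in the other branch `ech_config` presumably aliases data that is not owned by this function. A local set right after the successful `curlx_base64_decode`, e.g. `bool ech_config_owned = FALSE;` at the top and `if(ech_config_owned) free(ech_config);` here, ties the free to the allocation rather than to the option bits. `init_config_builder_ech` and the declaration of `ech_config` lie outside the hunk.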
diff --git a/libs/libcurl/src/vtls/rustls.h b/libs/libcurl/src/vtls/rustls.h
index d7c56de190..5e084eb785 100644
--- a/libs/libcurl/src/vtls/rustls.h
+++ b/libs/libcurl/src/vtls/rustls.h
@@ -25,7 +25,7 @@
#ifndef HEADER_CURL_RUSTLS_H
#define HEADER_CURL_RUSTLS_H
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_RUSTLS
diff --git a/libs/libcurl/src/vtls/schannel.c b/libs/libcurl/src/vtls/schannel.c
index f685011aca..a8b12d65e9 100644
--- a/libs/libcurl/src/vtls/schannel.c
+++ b/libs/libcurl/src/vtls/schannel.c
@@ -29,7 +29,7 @@
* but vtls.c should ever call or use these functions.
*/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SCHANNEL
@@ -42,25 +42,25 @@
#include "vtls.h"
#include "vtls_int.h"
#include "vtls_scache.h"
-#include "strcase.h"
-#include "sendf.h"
-#include "connect.h" /* for the connect timeout */
-#include "strerror.h"
-#include "select.h" /* for the socket readiness */
-#include "inet_pton.h" /* for IP addr SNI check */
-#include "curl_multibyte.h"
-#include "warnless.h"
+#include "../strcase.h"
+#include "../sendf.h"
+#include "../connect.h" /* for the connect timeout */
+#include "../strerror.h"
+#include "../select.h" /* for the socket readiness */
+#include "../curlx/inet_pton.h" /* for IP addr SNI check */
+#include "../curlx/multibyte.h"
+#include "../curlx/warnless.h"
#include "x509asn1.h"
-#include "curl_printf.h"
-#include "multiif.h"
-#include "system_win32.h"
-#include "version_win32.h"
-#include "rand.h"
-#include "strparse.h"
+#include "../curl_printf.h"
+#include "../multiif.h"
+#include "../system_win32.h"
+#include "../curlx/version_win32.h"
+#include "../rand.h"
+#include "../curlx/strparse.h"
/* The last #include file should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
/* Some verbose debug messages are wrapped by SCH_DEV() instead of DEBUGF()
* and only shown if CURL_SCHANNEL_DEV_DEBUG was defined at build time. These
@@ -151,6 +151,10 @@
#define PKCS12_NO_PERSIST_KEY 0x00008000
#endif
+#ifndef CERT_FIND_HAS_PRIVATE_KEY
+#define CERT_FIND_HAS_PRIVATE_KEY (21 << CERT_COMPARE_SHIFT)
+#endif
+
/* ALPN requires version 8.1 of the Windows SDK, which was
shipped with Visual Studio 2013, aka _MSC_VER 1800:
https://technet.microsoft.com/en-us/library/hh831771%28v=ws.11%29.aspx
@@ -377,7 +381,7 @@ set_ssl_ciphers(SCHANNEL_CRED *schannel_cred, char *ciphers,
int algCount = 0;
while(startCur && (0 != *startCur) && (algCount < NUM_CIPHERS)) {
curl_off_t alg;
- if(Curl_str_number(&startCur, &alg, INT_MAX) || !alg)
+ if(curlx_str_number(&startCur, &alg, INT_MAX) || !alg)
alg = get_alg_id_by_name(startCur);
if(alg)
@@ -611,6 +615,7 @@ schannel_acquire_credential_handle(struct Curl_cfilter *cf,
WCHAR* pszPassword;
size_t pwd_len = 0;
int str_w_len = 0;
+ int cert_find_flags;
const char *cert_showfilename_error = blob ?
"(memory blob)" : data->set.ssl.primary.clientcert;
curlx_unicodefree(cert_path);
@@ -682,9 +687,17 @@ schannel_acquire_credential_handle(struct Curl_cfilter *cf,
return CURLE_SSL_CERTPROBLEM;
}
+ /* CERT_FIND_HAS_PRIVATE_KEY is only available in Windows 8 / Server
+ 2012, (NT v6.2). For earlier versions we use CURL_FIND_ANY. */
+ if(curlx_verify_windows_version(6, 2, 0, PLATFORM_WINNT,
+ VERSION_GREATER_THAN_EQUAL))
+ cert_find_flags = CERT_FIND_HAS_PRIVATE_KEY;
+ else
+ cert_find_flags = CERT_FIND_ANY;
+
client_certs[0] = CertFindCertificateInStore(
cert_store, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0,
- CERT_FIND_ANY, NULL, NULL);
+ cert_find_flags, NULL, NULL);
if(!client_certs[0]) {
failf(data, "schannel: Failed to get certificate from file %s"
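Review bot: The new comment reads `For earlier versions we use CURL_FIND_ANY`, but the flag actually assigned is `CERT_FIND_ANY`; the comment should say `For earlier versions we fall back to CERT_FIND_ANY.` Selecting with `CERT_FIND_HAS_PRIVATE_KEY` on Windows 8+ is the right fix for stores that hold several certificates, and it would help to state the consequence on older systems in the same comment, e.g. `/* with CERT_FIND_ANY the first certificate in the store is used, which may not be the one carrying the private key */`. `schannel_acquire_credential_handle` begins and ends outside the hunk.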
@@ -2619,8 +2632,8 @@ HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf,
negative timeout means retain forever. */
timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
if(timeout_ms >= 0) {
- now = Curl_now();
- elapsed_ms = Curl_timediff(now, share->time);
+ now = curlx_now();
+ elapsed_ms = curlx_timediff(now, share->time);
if(elapsed_ms >= timeout_ms) {
return NULL;
}
@@ -2719,7 +2732,7 @@ bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf,
}
free(share->CAfile);
- share->time = Curl_now();
+ share->time = curlx_now();
share->cert_store = cert_store;
share->CAinfo_blob_size = CAinfo_blob_size;
share->CAfile = CAfile;
diff --git a/libs/libcurl/src/vtls/schannel.h b/libs/libcurl/src/vtls/schannel.h
index e901eacfbd..a0fb515aa7 100644
--- a/libs/libcurl/src/vtls/schannel.h
+++ b/libs/libcurl/src/vtls/schannel.h
@@ -24,7 +24,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SCHANNEL
@@ -50,10 +50,10 @@
#include <schnlsp.h>
#include <schannel.h>
-#include "curl_sspi.h"
+#include "../curl_sspi.h"
-#include "cfilters.h"
-#include "urldata.h"
+#include "../cfilters.h"
+#include "../urldata.h"
/* <wincrypt.h> has been included via the above <schnlsp.h>.
* Or in case of ldap.c, it was included via <winldap.h>.
diff --git a/libs/libcurl/src/vtls/schannel_int.h b/libs/libcurl/src/vtls/schannel_int.h
index 52d6fd5214..410a4808a2 100644
--- a/libs/libcurl/src/vtls/schannel_int.h
+++ b/libs/libcurl/src/vtls/schannel_int.h
@@ -24,7 +24,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SCHANNEL
@@ -150,17 +150,17 @@ struct schannel_ssl_backend_data {
cannot be decrypted without another recv() (that is, status is
SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds
more bytes into encdata then set this back to false. */
- bool encdata_is_incomplete;
unsigned long req_flags, ret_flags;
CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
- bool recv_sspi_close_notify; /* true if connection closed by close_notify */
- bool recv_connection_closed; /* true if connection closed, regardless how */
- bool recv_renegotiating; /* true if recv is doing renegotiation */
- bool use_alpn; /* true if ALPN is used for this connection */
+ BIT(recv_sspi_close_notify); /* true if connection closed by close_notify */
+ BIT(recv_connection_closed); /* true if connection closed, regardless how */
+ BIT(recv_renegotiating); /* true if recv is doing renegotiation */
+ BIT(use_alpn); /* true if ALPN is used for this connection */
#ifdef HAS_MANUAL_VERIFY_API
- bool use_manual_cred_validation; /* true if manual cred validation is used */
+ BIT(use_manual_cred_validation); /* true if manual cred validation is used */
#endif
BIT(sent_shutdown);
+ BIT(encdata_is_incomplete);
};
/* key to use at `multi->proto_hash` */
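Review bot: The explanatory comment at the top of the hunk ("cannot be decrypted without another recv() ... set this back to false") describes `encdata_is_incomplete`, but the field has been moved to the end of the struct as `BIT(encdata_is_incomplete);`, leaving the comment dangling above `unsigned long req_flags, ret_flags;`. Either move the comment down next to the new bit or give the bit a trailing note such as `BIT(encdata_is_incomplete); /* last status was SEC_E_INCOMPLETE_MESSAGE */`. Converting these flags to one-bit fields also means their address can no longer be taken; the users are not visible here, so it is worth confirming no code passes a `bool *` to any of them. struct schannel_ssl_backend_data starts outside the hunk.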
diff --git a/libs/libcurl/src/vtls/schannel_verify.c b/libs/libcurl/src/vtls/schannel_verify.c
index 26b3805cc6..69d79182cf 100644
--- a/libs/libcurl/src/vtls/schannel_verify.c
+++ b/libs/libcurl/src/vtls/schannel_verify.c
@@ -29,7 +29,7 @@
* only be invoked by code in schannel.c.
*/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SCHANNEL
#ifndef USE_WINDOWS_SSPI
@@ -39,19 +39,20 @@
#include "schannel.h"
#include "schannel_int.h"
-#include "inet_pton.h"
+#include "../curlx/inet_pton.h"
#include "vtls.h"
#include "vtls_int.h"
-#include "sendf.h"
-#include "strerror.h"
-#include "curl_multibyte.h"
-#include "curl_printf.h"
+#include "../sendf.h"
+#include "../strerror.h"
+#include "../curlx/winapi.h"
+#include "../curlx/multibyte.h"
+#include "../curl_printf.h"
#include "hostcheck.h"
-#include "version_win32.h"
+#include "../curlx/version_win32.h"
/* The last #include file should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
#define BACKEND ((struct schannel_ssl_backend_data *)connssl->backend)
@@ -174,7 +175,7 @@ static CURLcode add_certs_data_to_store(HCERTSTORE trust_store,
NULL,
NULL,
(const void **)&cert_context)) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to extract certificate from CA file "
"'%s': %s",
@@ -203,7 +204,7 @@ static CURLcode add_certs_data_to_store(HCERTSTORE trust_store,
NULL);
CertFreeCertificateContext(cert_context);
if(!add_cert_result) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to add certificate from CA file '%s' "
"to certificate store: %s",
@@ -251,7 +252,7 @@ static CURLcode add_certs_file_to_store(HCERTSTORE trust_store,
ca_file_tstr = curlx_convert_UTF8_to_tchar(ca_file);
if(!ca_file_tstr) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: invalid path name for CA file '%s': %s",
ca_file,
@@ -273,7 +274,7 @@ static CURLcode add_certs_file_to_store(HCERTSTORE trust_store,
FILE_ATTRIBUTE_NORMAL,
NULL);
if(ca_file_handle == INVALID_HANDLE_VALUE) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to open CA file '%s': %s",
ca_file,
@@ -283,7 +284,7 @@ static CURLcode add_certs_file_to_store(HCERTSTORE trust_store,
}
if(!GetFileSizeEx(ca_file_handle, &file_size)) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to determine size of CA file '%s': %s",
ca_file,
@@ -313,7 +314,7 @@ static CURLcode add_certs_file_to_store(HCERTSTORE trust_store,
if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
bytes_to_read, &bytes_read, NULL)) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to read from CA file '%s': %s",
ca_file,
@@ -614,7 +615,7 @@ CURLcode Curl_verify_host(struct Curl_cfilter *cf,
&pCertContextServer);
if((sspi_status != SEC_E_OK) || !pCertContextServer) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data, "schannel: Failed to read remote certificate context: %s",
Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
goto cleanup;
@@ -770,7 +771,7 @@ CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
&pCertContextServer);
if((sspi_status != SEC_E_OK) || !pCertContextServer) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data, "schannel: Failed to read remote certificate context: %s",
Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
result = CURLE_PEER_FAILED_VERIFICATION;
@@ -806,7 +807,7 @@ CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
CERT_STORE_CREATE_NEW_FLAG,
NULL);
if(!trust_store) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data, "schannel: failed to create certificate store: %s",
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
@@ -853,7 +854,7 @@ CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
CertCreateCertificateChainEngine(
(CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
if(!create_engine_result) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to create certificate chain engine: %s",
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
@@ -878,7 +879,7 @@ CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
CERT_CHAIN_REVOCATION_CHECK_CHAIN),
NULL,
&pChainContext)) {
- char buffer[STRERROR_LEN];
+ char buffer[WINAPI_ERROR_LEN];
failf(data, "schannel: CertGetCertificateChain failed: %s",
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
pChainContext = NULL;
diff --git a/libs/libcurl/src/vtls/sectransp.c b/libs/libcurl/src/vtls/sectransp.c
index 9cb51f2c53..d05dd8a3f8 100644
--- a/libs/libcurl/src/vtls/sectransp.c
+++ b/libs/libcurl/src/vtls/sectransp.c
@@ -28,18 +28,18 @@
* TLS/SSL layer. No code but vtls.c should ever call or use these functions.
*/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SECTRANSP
-#include "urldata.h" /* for the Curl_easy definition */
-#include "curl_base64.h"
-#include "strparse.h"
-#include "multiif.h"
-#include "strcase.h"
+#include "../urldata.h" /* for the Curl_easy definition */
+#include "../curlx/base64.h"
+#include "../curlx/strparse.h"
+#include "../multiif.h"
+#include "../strcase.h"
#include "x509asn1.h"
#include "vtls_scache.h"
-#include "strerror.h"
+#include "../strerror.h"
#include "cipher_suite.h"
#ifdef __clang__
@@ -134,19 +134,19 @@
#include <sys/sysctl.h>
#endif /* CURL_BUILD_MAC */
-#include "sendf.h"
-#include "inet_pton.h"
-#include "connect.h"
-#include "select.h"
+#include "../sendf.h"
+#include "../curlx/inet_pton.h"
+#include "../connect.h"
+#include "../select.h"
#include "vtls.h"
#include "vtls_int.h"
#include "sectransp.h"
-#include "curl_printf.h"
-#include "strdup.h"
+#include "../curl_printf.h"
+#include "../strdup.h"
-#include "curl_memory.h"
+#include "../curl_memory.h"
/* The last #include file should be: */
-#include "memdebug.h"
+#include "../memdebug.h"
/* From MacTypes.h (which we cannot include because it is not present in
@@ -352,9 +352,9 @@ CF_INLINE void GetDarwinVersionNumber(int *major, int *minor)
curl_off_t fnum;
curl_off_t snum;
/* Parse the version: */
- if(!Curl_str_number(&os, &fnum, INT_MAX) &&
- !Curl_str_single(&os, '.') &&
- !Curl_str_number(&os, &snum, INT_MAX)) {
+ if(!curlx_str_number(&os, &fnum, INT_MAX) &&
+ !curlx_str_single(&os, '.') &&
+ !curlx_str_number(&os, &snum, INT_MAX)) {
*major = (int)fnum;
*minor = (int)snum;
}
@@ -1092,8 +1092,8 @@ static CURLcode sectransp_connect_step1(struct Curl_cfilter *cf,
return result;
if(connssl->alpn) {
-#if (CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) && \
- defined(HAVE_BUILTIN_AVAILABLE)
+#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11
+#ifdef HAVE_BUILTIN_AVAILABLE
if(__builtin_available(macOS 10.13.4, iOS 11, tvOS 11, *)) {
#else
if(&SSLSetALPNProtocols && &SSLCopyALPNProtocols) {
@@ -1119,6 +1119,7 @@ static CURLcode sectransp_connect_step1(struct Curl_cfilter *cf,
Curl_alpn_to_proto_str(&proto, connssl->alpn);
infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
}
+#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */
}
if(ssl_config->key) {
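Review bot: Splitting the guard into `#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11` plus `#ifdef HAVE_BUILTIN_AVAILABLE` changes which branch is compiled: the function-pointer fallback `if(&SSLSetALPNProtocols && &SSLCopyALPNProtocols)` is now reached only on 10.13/iOS 11 builds without `__builtin_available`, and on older targets the whole ALPN block is compiled out, so ALPN is not offered there; presumably intended, since those symbols only exist in the newer SDKs, but a one-line comment above the `#if` saying so would save the next reader the reconstruction. The hunk closes only the outer guard (`#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */`); the inner `#endif` lies outside the hunk, and labelling it `#endif /* HAVE_BUILTIN_AVAILABLE */` would keep the nesting readable. The same restructuring appears in the check_handshake hunk further down. sectransp_connect_step1 starts and ends outside the hunk.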
@@ -1434,7 +1435,7 @@ static long pem_to_der(const char *in, unsigned char **out, size_t *outlen)
}
b64[j] = '\0';
- err = Curl_base64_decode((const char *)b64, out, outlen);
+ err = curlx_base64_decode((const char *)b64, out, outlen);
free(b64);
if(err) {
free(*out);
@@ -1453,7 +1454,7 @@ static int read_cert(const char *file, unsigned char **out, size_t *outlen)
unsigned char buf[512];
struct dynbuf certs;
- Curl_dyn_init(&certs, MAX_CERTS_SIZE);
+ curlx_dyn_init(&certs, MAX_CERTS_SIZE);
fd = open(file, 0);
if(fd < 0)
@@ -1465,18 +1466,18 @@ static int read_cert(const char *file, unsigned char **out, size_t *outlen)
break;
if(n < 0) {
close(fd);
- Curl_dyn_free(&certs);
+ curlx_dyn_free(&certs);
return -1;
}
- if(Curl_dyn_addn(&certs, buf, n)) {
+ if(curlx_dyn_addn(&certs, buf, n)) {
close(fd);
return -1;
}
}
close(fd);
- *out = Curl_dyn_uptr(&certs);
- *outlen = Curl_dyn_len(&certs);
+ *out = curlx_dyn_uptr(&certs);
+ *outlen = curlx_dyn_len(&certs);
return 0;
}
@@ -2092,8 +2093,8 @@ check_handshake:
}
if(connssl->alpn) {
-#if (CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) && \
- defined(HAVE_BUILTIN_AVAILABLE)
+#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11
+#ifdef HAVE_BUILTIN_AVAILABLE
if(__builtin_available(macOS 10.13.4, iOS 11, tvOS 11, *)) {
#else
if(&SSLSetALPNProtocols && &SSLCopyALPNProtocols) {
@@ -2124,6 +2125,7 @@ check_handshake:
if(alpnArr)
CFRelease(alpnArr);
}
+#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */
}
return CURLE_OK;
diff --git a/libs/libcurl/src/vtls/sectransp.h b/libs/libcurl/src/vtls/sectransp.h
index 3b79169ab3..9011f17508 100644
--- a/libs/libcurl/src/vtls/sectransp.h
+++ b/libs/libcurl/src/vtls/sectransp.h
@@ -24,7 +24,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SECTRANSP
diff --git a/libs/libcurl/src/vtls/vtls.c b/libs/libcurl/src/vtls/vtls.c
index 0247d77577..37aaea9358 100644
--- a/libs/libcurl/src/vtls/vtls.c
+++ b/libs/libcurl/src/vtls/vtls.c
@@ -38,7 +38,7 @@
https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
*/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
@@ -50,8 +50,8 @@
#include <fcntl.h>
#endif
-#include "urldata.h"
-#include "cfilters.h"
+#include "../urldata.h"
+#include "../cfilters.h"
#include "vtls.h" /* generic SSL protos etc */
#include "vtls_int.h"
@@ -66,28 +66,28 @@
#include "bearssl.h" /* BearSSL versions */
#include "rustls.h" /* Rustls versions */
-#include "slist.h"
-#include "sendf.h"
-#include "strcase.h"
-#include "url.h"
-#include "progress.h"
-#include "share.h"
-#include "multiif.h"
-#include "timeval.h"
-#include "curl_md5.h"
-#include "curl_sha256.h"
-#include "warnless.h"
-#include "curl_base64.h"
-#include "curl_printf.h"
-#include "inet_pton.h"
-#include "connect.h"
-#include "select.h"
-#include "strdup.h"
-#include "rand.h"
+#include "../slist.h"
+#include "../sendf.h"
+#include "../strcase.h"
+#include "../url.h"
+#include "../progress.h"
+#include "../share.h"
+#include "../multiif.h"
+#include "../curlx/timeval.h"
+#include "../curl_md5.h"
+#include "../curl_sha256.h"
+#include "../curlx/warnless.h"
+#include "../curlx/base64.h"
+#include "../curl_printf.h"
+#include "../curlx/inet_pton.h"
+#include "../connect.h"
+#include "../select.h"
+#include "../strdup.h"
+#include "../rand.h"
/* The last #include files should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
#define CLONE_STRING(var) \
@@ -215,6 +215,7 @@ match_ssl_primary_config(struct Curl_easy *data,
strcasecompare(c1->cipher_list, c2->cipher_list) &&
strcasecompare(c1->cipher_list13, c2->cipher_list13) &&
strcasecompare(c1->curves, c2->curves) &&
+ strcasecompare(c1->signature_algorithms, c2->signature_algorithms) &&
strcasecompare(c1->CRLfile, c2->CRLfile) &&
strcasecompare(c1->pinned_key, c2->pinned_key))
return TRUE;
@@ -259,6 +260,7 @@ static bool clone_ssl_primary_config(struct ssl_primary_config *source,
CLONE_STRING(cipher_list13);
CLONE_STRING(pinned_key);
CLONE_STRING(curves);
+ CLONE_STRING(signature_algorithms);
CLONE_STRING(CRLfile);
#ifdef USE_TLS_SRP
CLONE_STRING(username);
@@ -281,6 +283,7 @@ static void free_primary_ssl_config(struct ssl_primary_config *sslc)
Curl_safefree(sslc->ca_info_blob);
Curl_safefree(sslc->issuercert_blob);
Curl_safefree(sslc->curves);
+ Curl_safefree(sslc->signature_algorithms);
Curl_safefree(sslc->CRLfile);
#ifdef USE_TLS_SRP
Curl_safefree(sslc->username);
@@ -299,6 +302,8 @@ CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
data->set.str[STRING_SSL_CIPHER_LIST];
data->set.ssl.primary.cipher_list13 =
data->set.str[STRING_SSL_CIPHER13_LIST];
+ data->set.ssl.primary.signature_algorithms =
+ data->set.str[STRING_SSL_SIGNATURE_ALGORITHMS];
data->set.ssl.primary.pinned_key =
data->set.str[STRING_SSL_PINNEDPUBLICKEY];
data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
@@ -611,17 +616,17 @@ CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
DEBUGASSERT(certnum < ci->num_of_certs);
- Curl_dyn_init(&build, CURL_X509_STR_MAX);
+ curlx_dyn_init(&build, CURL_X509_STR_MAX);
- if(Curl_dyn_add(&build, label) ||
- Curl_dyn_addn(&build, ":", 1) ||
- Curl_dyn_addn(&build, value, valuelen))
+ if(curlx_dyn_add(&build, label) ||
+ curlx_dyn_addn(&build, ":", 1) ||
+ curlx_dyn_addn(&build, value, valuelen))
return CURLE_OUT_OF_MEMORY;
nl = Curl_slist_append_nodup(ci->certinfo[certnum],
- Curl_dyn_ptr(&build));
+ curlx_dyn_ptr(&build));
if(!nl) {
- Curl_dyn_free(&build);
+ curlx_dyn_free(&build);
curl_slist_free_all(ci->certinfo[certnum]);
result = CURLE_OUT_OF_MEMORY;
}
@@ -658,7 +663,7 @@ static CURLcode pubkey_pem_to_der(const char *pem,
if(!pem)
return CURLE_BAD_CONTENT_ENCODING;
- Curl_dyn_init(&pbuf, MAX_PINNED_PUBKEY_SIZE);
+ curlx_dyn_init(&pbuf, MAX_PINNED_PUBKEY_SIZE);
begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
if(!begin_pos)
@@ -686,16 +691,19 @@ static CURLcode pubkey_pem_to_der(const char *pem,
*/
while(pem_count < pem_len) {
if('\n' != pem[pem_count] && '\r' != pem[pem_count]) {
- result = Curl_dyn_addn(&pbuf, &pem[pem_count], 1);
+ result = curlx_dyn_addn(&pbuf, &pem[pem_count], 1);
if(result)
return result;
}
++pem_count;
}
- result = Curl_base64_decode(Curl_dyn_ptr(&pbuf), der, der_len);
-
- Curl_dyn_free(&pbuf);
+ if(curlx_dyn_len(&pbuf)) {
+ result = curlx_base64_decode(curlx_dyn_ptr(&pbuf), der, der_len);
+ curlx_dyn_free(&pbuf);
+ }
+ else
+ result = CURLE_BAD_CONTENT_ENCODING;
return result;
}
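Review bot: `curlx_dyn_free(&pbuf)` now runs only on the non-empty branch, so the else branch silently relies on an empty dynbuf owning no allocation; hoisting a single `curlx_dyn_free(&pbuf);` below the if/else, just before `return result;`, makes the cleanup unconditional and costs nothing. The early `return result;` on `curlx_dyn_addn` failure inside the loop likewise leaves pbuf's cleanup to the dynbuf's own failure semantics, which deserves a short comment at that return. Rejecting an empty payload with CURLE_BAD_CONTENT_ENCODING rather than handing an empty string to the base64 decoder is the sound choice for a pinning check. pubkey_pem_to_der starts outside the hunk.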
@@ -739,9 +747,9 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
if(!encode)
- encode = Curl_base64_encode((char *)sha256sumdigest,
- CURL_SHA256_DIGEST_LENGTH, &encoded,
- &encodedlen);
+ encode = curlx_base64_encode((char *)sha256sumdigest,
+ CURL_SHA256_DIGEST_LENGTH, &encoded,
+ &encodedlen);
Curl_safefree(sha256sumdigest);
if(encode)
@@ -796,7 +804,7 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
if(!fp)
return result;
- Curl_dyn_init(&buf, MAX_PINNED_PUBKEY_SIZE);
+ curlx_dyn_init(&buf, MAX_PINNED_PUBKEY_SIZE);
/* Determine the file's size */
if(fseek(fp, 0, SEEK_END))
@@ -824,14 +832,14 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
size_t want = left > sizeof(buffer) ? sizeof(buffer) : left;
if(want != fread(buffer, 1, want, fp))
goto end;
- if(Curl_dyn_addn(&buf, buffer, want))
+ if(curlx_dyn_addn(&buf, buffer, want))
goto end;
left -= want;
} while(left);
/* If the sizes are the same, it cannot be base64 encoded, must be der */
if(pubkeylen == size) {
- if(!memcmp(pubkey, Curl_dyn_ptr(&buf), pubkeylen))
+ if(!memcmp(pubkey, curlx_dyn_ptr(&buf), pubkeylen))
result = CURLE_OK;
goto end;
}
@@ -840,7 +848,7 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
* Otherwise we will assume it is PEM and try to decode it
* after placing null terminator
*/
- pem_read = pubkey_pem_to_der(Curl_dyn_ptr(&buf), &pem_ptr, &pem_len);
+ pem_read = pubkey_pem_to_der(curlx_dyn_ptr(&buf), &pem_ptr, &pem_len);
/* if it was not read successfully, exit */
if(pem_read)
goto end;
@@ -852,7 +860,7 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
result = CURLE_OK;
end:
- Curl_dyn_free(&buf);
+ curlx_dyn_free(&buf);
Curl_safefree(pem_ptr);
fclose(fp);
}
@@ -1346,7 +1354,7 @@ static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
if(!result && *done) {
cf->connected = TRUE;
if(connssl->state == ssl_connection_complete)
- connssl->handshake_done = Curl_now();
+ connssl->handshake_done = curlx_now();
/* Connection can be deferred when sending early data */
DEBUGASSERT(connssl->state == ssl_connection_complete ||
connssl->state == ssl_connection_deferred);
@@ -1661,8 +1669,14 @@ static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
DEBUGASSERT(data->conn);
+#ifdef CURL_DISABLE_HTTP
+ /* We only support ALPN for HTTP so far. */
+ DEBUGASSERT(!conn->bits.tls_enable_alpn);
+ ctx = cf_ctx_new(data, NULL);
+#else
ctx = cf_ctx_new(data, alpn_get_spec(data->state.http_neg.wanted,
conn->bits.tls_enable_alpn));
+#endif
if(!ctx) {
result = CURLE_OUT_OF_MEMORY;
goto out;
diff --git a/libs/libcurl/src/vtls/vtls.h b/libs/libcurl/src/vtls/vtls.h
index 3c438a2dba..0617758f92 100644
--- a/libs/libcurl/src/vtls/vtls.h
+++ b/libs/libcurl/src/vtls/vtls.h
@@ -23,7 +23,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
struct connectdata;
struct ssl_config_data;
@@ -42,9 +42,10 @@ struct dynbuf;
#define SSLSUPP_ECH (1<<7)
#define SSLSUPP_CA_CACHE (1<<8)
#define SSLSUPP_CIPHER_LIST (1<<9) /* supports TLS 1.0-1.2 ciphersuites */
+#define SSLSUPP_SIGNATURE_ALGORITHMS (1<<10) /* supports TLS sigalgs */
#ifdef USE_ECH
-# include "curl_base64.h"
+# include "../curlx/base64.h"
# define ECH_ENABLED(__data__) \
(__data__->set.tls_ech && \
!(__data__->set.tls_ech & CURLECH_DISABLE)\
diff --git a/libs/libcurl/src/vtls/vtls_int.h b/libs/libcurl/src/vtls/vtls_int.h
index 59657883df..e4a9e35325 100644
--- a/libs/libcurl/src/vtls/vtls_int.h
+++ b/libs/libcurl/src/vtls/vtls_int.h
@@ -23,9 +23,9 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
-#include "cfilters.h"
-#include "urldata.h"
+#include "../curl_setup.h"
+#include "../cfilters.h"
+#include "../urldata.h"
#include "vtls.h"
#ifdef USE_SSL
diff --git a/libs/libcurl/src/vtls/vtls_scache.c b/libs/libcurl/src/vtls/vtls_scache.c
index d06c6cf9f9..d2d2718e51 100644
--- a/libs/libcurl/src/vtls/vtls_scache.c
+++ b/libs/libcurl/src/vtls/vtls_scache.c
@@ -22,7 +22,7 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SSL
@@ -36,28 +36,28 @@
#include <fcntl.h>
#endif
-#include "urldata.h"
-#include "cfilters.h"
+#include "../urldata.h"
+#include "../cfilters.h"
#include "vtls.h" /* generic SSL protos etc */
#include "vtls_int.h"
#include "vtls_scache.h"
#include "vtls_spack.h"
-#include "strcase.h"
-#include "url.h"
-#include "llist.h"
-#include "share.h"
-#include "curl_trc.h"
-#include "curl_sha256.h"
-#include "rand.h"
-#include "warnless.h"
-#include "curl_printf.h"
-#include "strdup.h"
+#include "../strcase.h"
+#include "../url.h"
+#include "../llist.h"
+#include "../share.h"
+#include "../curl_trc.h"
+#include "../curl_sha256.h"
+#include "../rand.h"
+#include "../curlx/warnless.h"
+#include "../curl_printf.h"
+#include "../strdup.h"
/* The last #include files should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
static bool cf_ssl_peer_key_is_global(const char *peer_key);
@@ -387,24 +387,24 @@ static CURLcode cf_ssl_peer_key_add_path(struct dynbuf *buf,
* the path as is. */
#ifdef UNDER_CE
(void)is_local;
- return Curl_dyn_addf(buf, ":%s-%s", name, path);
+ return curlx_dyn_addf(buf, ":%s-%s", name, path);
#elif defined(_WIN32)
char abspath[_MAX_PATH];
if(_fullpath(abspath, path, _MAX_PATH))
- return Curl_dyn_addf(buf, ":%s-%s", name, abspath);
+ return curlx_dyn_addf(buf, ":%s-%s", name, abspath);
*is_local = TRUE;
#elif defined(HAVE_REALPATH)
if(path[0] != '/') {
char *abspath = realpath(path, NULL);
if(abspath) {
- CURLcode r = Curl_dyn_addf(buf, ":%s-%s", name, abspath);
+ CURLcode r = curlx_dyn_addf(buf, ":%s-%s", name, abspath);
(free)(abspath); /* allocated by libc, free without memdebug */
return r;
}
*is_local = TRUE;
}
#endif
- return Curl_dyn_addf(buf, ":%s-%s", name, path);
+ return curlx_dyn_addf(buf, ":%s-%s", name, path);
}
return CURLE_OK;
}
@@ -418,14 +418,14 @@ static CURLcode cf_ssl_peer_key_add_hash(struct dynbuf *buf,
unsigned char hash[CURL_SHA256_DIGEST_LENGTH];
size_t i;
- r = Curl_dyn_addf(buf, ":%s-", name);
+ r = curlx_dyn_addf(buf, ":%s-", name);
if(r)
goto out;
r = Curl_sha256it(hash, blob->data, blob->len);
if(r)
goto out;
for(i = 0; i < CURL_SHA256_DIGEST_LENGTH; ++i) {
- r = Curl_dyn_addf(buf, "%02x", hash[i]);
+ r = curlx_dyn_addf(buf, "%02x", hash[i]);
if(r)
goto out;
}
@@ -457,9 +457,9 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
CURLcode r;
*ppeer_key = NULL;
- Curl_dyn_init(&buf, 10 * 1024);
+ curlx_dyn_init(&buf, 10 * 1024);
- r = Curl_dyn_addf(&buf, "%s:%d", peer->hostname, peer->port);
+ r = curlx_dyn_addf(&buf, "%s:%d", peer->hostname, peer->port);
if(r)
goto out;
@@ -467,72 +467,72 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
case TRNSPRT_TCP:
break;
case TRNSPRT_UDP:
- r = Curl_dyn_add(&buf, ":UDP");
+ r = curlx_dyn_add(&buf, ":UDP");
break;
case TRNSPRT_QUIC:
- r = Curl_dyn_add(&buf, ":QUIC");
+ r = curlx_dyn_add(&buf, ":QUIC");
break;
case TRNSPRT_UNIX:
- r = Curl_dyn_add(&buf, ":UNIX");
+ r = curlx_dyn_add(&buf, ":UNIX");
break;
default:
- r = Curl_dyn_addf(&buf, ":TRNSPRT-%d", peer->transport);
+ r = curlx_dyn_addf(&buf, ":TRNSPRT-%d", peer->transport);
break;
}
if(r)
goto out;
if(!ssl->verifypeer) {
- r = Curl_dyn_add(&buf, ":NO-VRFY-PEER");
+ r = curlx_dyn_add(&buf, ":NO-VRFY-PEER");
if(r)
goto out;
}
if(!ssl->verifyhost) {
- r = Curl_dyn_add(&buf, ":NO-VRFY-HOST");
+ r = curlx_dyn_add(&buf, ":NO-VRFY-HOST");
if(r)
goto out;
}
if(ssl->verifystatus) {
- r = Curl_dyn_add(&buf, ":VRFY-STATUS");
+ r = curlx_dyn_add(&buf, ":VRFY-STATUS");
if(r)
goto out;
}
if(!ssl->verifypeer || !ssl->verifyhost) {
if(cf->conn->bits.conn_to_host) {
- r = Curl_dyn_addf(&buf, ":CHOST-%s", cf->conn->conn_to_host.name);
+ r = curlx_dyn_addf(&buf, ":CHOST-%s", cf->conn->conn_to_host.name);
if(r)
goto out;
}
if(cf->conn->bits.conn_to_port) {
- r = Curl_dyn_addf(&buf, ":CPORT-%d", cf->conn->conn_to_port);
+ r = curlx_dyn_addf(&buf, ":CPORT-%d", cf->conn->conn_to_port);
if(r)
goto out;
}
}
if(ssl->version || ssl->version_max) {
- r = Curl_dyn_addf(&buf, ":TLSVER-%d-%d", ssl->version,
+ r = curlx_dyn_addf(&buf, ":TLSVER-%d-%d", ssl->version,
(ssl->version_max >> 16));
if(r)
goto out;
}
if(ssl->ssl_options) {
- r = Curl_dyn_addf(&buf, ":TLSOPT-%x", ssl->ssl_options);
+ r = curlx_dyn_addf(&buf, ":TLSOPT-%x", ssl->ssl_options);
if(r)
goto out;
}
if(ssl->cipher_list) {
- r = Curl_dyn_addf(&buf, ":CIPHER-%s", ssl->cipher_list);
+ r = curlx_dyn_addf(&buf, ":CIPHER-%s", ssl->cipher_list);
if(r)
goto out;
}
if(ssl->cipher_list13) {
- r = Curl_dyn_addf(&buf, ":CIPHER13-%s", ssl->cipher_list13);
+ r = curlx_dyn_addf(&buf, ":CIPHER13-%s", ssl->cipher_list13);
if(r)
goto out;
}
if(ssl->curves) {
- r = Curl_dyn_addf(&buf, ":CURVES-%s", ssl->curves);
+ r = curlx_dyn_addf(&buf, ":CURVES-%s", ssl->curves);
if(r)
goto out;
}
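Review bot: Curl_ssl_peer_key_make folds `cipher_list`, `cipher_list13` and `curves` into the session-cache peer key, but this update, which adds `signature_algorithms` to ssl_primary_config (see the vtls.c hunks for match_ssl_primary_config and clone_ssl_primary_config), does not add it here in the visible lines; unless that happens in the unshown part of the function, a session negotiated under one sigalgs setting could be resumed by a transfer configured with another. Suggest, next to the CURVES entry: `if(ssl->signature_algorithms) { r = curlx_dyn_addf(&buf, ":SIGALGS-%s", ssl->signature_algorithms); if(r) goto out; }` (label constructed here; match whatever naming the key already uses). Curl_ssl_peer_key_make starts and ends outside the hunk.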
@@ -566,19 +566,19 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
}
}
if(ssl->pinned_key && ssl->pinned_key[0]) {
- r = Curl_dyn_addf(&buf, ":Pinned-%s", ssl->pinned_key);
+ r = curlx_dyn_addf(&buf, ":Pinned-%s", ssl->pinned_key);
if(r)
goto out;
}
if(ssl->clientcert && ssl->clientcert[0]) {
- r = Curl_dyn_add(&buf, ":CCERT");
+ r = curlx_dyn_add(&buf, ":CCERT");
if(r)
goto out;
}
#ifdef USE_TLS_SRP
if(ssl->username || ssl->password) {
- r = Curl_dyn_add(&buf, ":SRP-AUTH");
+ r = curlx_dyn_add(&buf, ":SRP-AUTH");
if(r)
goto out;
}
@@ -588,22 +588,22 @@ CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
r = CURLE_FAILED_INIT;
goto out;
}
- r = Curl_dyn_addf(&buf, ":IMPL-%s", tls_id);
+ r = curlx_dyn_addf(&buf, ":IMPL-%s", tls_id);
if(r)
goto out;
- r = Curl_dyn_addf(&buf, is_local ?
- CURL_SSLS_LOCAL_SUFFIX : CURL_SSLS_GLOBAL_SUFFIX);
+ r = curlx_dyn_addf(&buf, is_local ?
+ CURL_SSLS_LOCAL_SUFFIX : CURL_SSLS_GLOBAL_SUFFIX);
if(r)
goto out;
- *ppeer_key = Curl_dyn_take(&buf, &key_len);
+ *ppeer_key = curlx_dyn_take(&buf, &key_len);
/* we just added printable char, and dynbuf always 0 terminates,
* no need to track length */
out:
- Curl_dyn_free(&buf);
+ curlx_dyn_free(&buf);
return r;
}
@@ -1173,8 +1173,8 @@ CURLcode Curl_ssl_session_export(struct Curl_easy *data,
Curl_ssl_scache_lock(data);
- Curl_dyn_init(&hbuf, (CURL_SHA256_DIGEST_LENGTH * 2) + 1);
- Curl_dyn_init(&sbuf, CURL_SSL_TICKET_MAX);
+ curlx_dyn_init(&hbuf, (CURL_SHA256_DIGEST_LENGTH * 2) + 1);
+ curlx_dyn_init(&sbuf, CURL_SSL_TICKET_MAX);
for(i = 0; scache && i < scache->peer_count; i++) {
peer = &scache->peers[i];
@@ -1183,7 +1183,7 @@ CURLcode Curl_ssl_session_export(struct Curl_easy *data,
if(!peer->exportable)
continue;
- Curl_dyn_reset(&hbuf);
+ curlx_dyn_reset(&hbuf);
cf_scache_peer_remove_expired(peer, now);
n = Curl_llist_head(&peer->sessions);
if(n)
@@ -1195,22 +1195,22 @@ CURLcode Curl_ssl_session_export(struct Curl_easy *data,
if(r)
goto out;
}
- if(!Curl_dyn_len(&hbuf)) {
- r = Curl_dyn_addn(&hbuf, peer->key_salt, sizeof(peer->key_salt));
+ if(!curlx_dyn_len(&hbuf)) {
+ r = curlx_dyn_addn(&hbuf, peer->key_salt, sizeof(peer->key_salt));
if(r)
goto out;
- r = Curl_dyn_addn(&hbuf, peer->key_hmac, sizeof(peer->key_hmac));
+ r = curlx_dyn_addn(&hbuf, peer->key_hmac, sizeof(peer->key_hmac));
if(r)
goto out;
}
- Curl_dyn_reset(&sbuf);
+ curlx_dyn_reset(&sbuf);
r = Curl_ssl_session_pack(data, s, &sbuf);
if(r)
goto out;
r = export_fn(data, userptr, peer->ssl_peer_key,
- Curl_dyn_uptr(&hbuf), Curl_dyn_len(&hbuf),
- Curl_dyn_uptr(&sbuf), Curl_dyn_len(&sbuf),
+ curlx_dyn_uptr(&hbuf), curlx_dyn_len(&hbuf),
+ curlx_dyn_uptr(&sbuf), curlx_dyn_len(&sbuf),
s->valid_until, s->ietf_tls_id,
s->alpn, s->earlydata_max);
if(r)
@@ -1226,8 +1226,8 @@ CURLcode Curl_ssl_session_export(struct Curl_easy *data,
out:
Curl_ssl_scache_unlock(data);
- Curl_dyn_free(&hbuf);
- Curl_dyn_free(&sbuf);
+ curlx_dyn_free(&hbuf);
+ curlx_dyn_free(&sbuf);
return r;
}
diff --git a/libs/libcurl/src/vtls/vtls_scache.h b/libs/libcurl/src/vtls/vtls_scache.h
index 3dea24024d..9bce4c36a5 100644
--- a/libs/libcurl/src/vtls/vtls_scache.h
+++ b/libs/libcurl/src/vtls/vtls_scache.h
@@ -23,9 +23,9 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
-#include "cfilters.h"
-#include "urldata.h"
+#include "../curl_setup.h"
+#include "../cfilters.h"
+#include "../urldata.h"
#ifdef USE_SSL
diff --git a/libs/libcurl/src/vtls/vtls_spack.c b/libs/libcurl/src/vtls/vtls_spack.c
index b1bca85dbc..39555f226b 100644
--- a/libs/libcurl/src/vtls/vtls_spack.c
+++ b/libs/libcurl/src/vtls/vtls_spack.c
@@ -22,19 +22,19 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SSLS_EXPORT
-#include "urldata.h"
-#include "curl_trc.h"
+#include "../urldata.h"
+#include "../curl_trc.h"
#include "vtls_scache.h"
#include "vtls_spack.h"
-#include "strdup.h"
+#include "../strdup.h"
/* The last #include files should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
#ifdef _MSC_VER
#if _MSC_VER >= 1600
@@ -64,7 +64,7 @@ typedef unsigned __int64 uint64_t;
static CURLcode spack_enc8(struct dynbuf *buf, uint8_t b)
{
- return Curl_dyn_addn(buf, &b, 1);
+ return curlx_dyn_addn(buf, &b, 1);
}
static CURLcode
@@ -82,7 +82,7 @@ static CURLcode spack_enc16(struct dynbuf *buf, uint16_t val)
uint8_t nval[2];
nval[0] = (uint8_t)(val >> 8);
nval[1] = (uint8_t)val;
- return Curl_dyn_addn(buf, nval, sizeof(nval));
+ return curlx_dyn_addn(buf, nval, sizeof(nval));
}
static CURLcode
@@ -102,7 +102,7 @@ static CURLcode spack_enc32(struct dynbuf *buf, uint32_t val)
nval[1] = (uint8_t)(val >> 16);
nval[2] = (uint8_t)(val >> 8);
nval[3] = (uint8_t)val;
- return Curl_dyn_addn(buf, nval, sizeof(nval));
+ return curlx_dyn_addn(buf, nval, sizeof(nval));
}
static CURLcode
@@ -127,7 +127,7 @@ static CURLcode spack_enc64(struct dynbuf *buf, uint64_t val)
nval[5] = (uint8_t)(val >> 16);
nval[6] = (uint8_t)(val >> 8);
nval[7] = (uint8_t)val;
- return Curl_dyn_addn(buf, nval, sizeof(nval));
+ return curlx_dyn_addn(buf, nval, sizeof(nval));
}
static CURLcode
@@ -151,7 +151,7 @@ static CURLcode spack_encstr16(struct dynbuf *buf, const char *s)
return CURLE_BAD_FUNCTION_ARGUMENT;
r = spack_enc16(buf, (uint16_t)slen);
if(!r) {
- r = Curl_dyn_addn(buf, s, slen);
+ r = curlx_dyn_addn(buf, s, slen);
}
return r;
}
@@ -181,7 +181,7 @@ static CURLcode spack_encdata16(struct dynbuf *buf,
return CURLE_BAD_FUNCTION_ARGUMENT;
r = spack_enc16(buf, (uint16_t)data_len);
if(!r) {
- r = Curl_dyn_addn(buf, data, data_len);
+ r = curlx_dyn_addn(buf, data, data_len);
}
return r;
}
diff --git a/libs/libcurl/src/vtls/vtls_spack.h b/libs/libcurl/src/vtls/vtls_spack.h
index 62f9da6944..e1dfc18200 100644
--- a/libs/libcurl/src/vtls/vtls_spack.h
+++ b/libs/libcurl/src/vtls/vtls_spack.h
@@ -23,7 +23,7 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_SSLS_EXPORT
diff --git a/libs/libcurl/src/vtls/wolfssl.c b/libs/libcurl/src/vtls/wolfssl.c
index 3cd67a2fe5..fad04a997f 100644
--- a/libs/libcurl/src/vtls/wolfssl.c
+++ b/libs/libcurl/src/vtls/wolfssl.c
@@ -28,7 +28,7 @@
*
*/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_WOLFSSL
@@ -56,30 +56,30 @@
#include <limits.h>
-#include "urldata.h"
-#include "sendf.h"
-#include "inet_pton.h"
+#include "../urldata.h"
+#include "../sendf.h"
+#include "../curlx/inet_pton.h"
#include "vtls.h"
#include "vtls_int.h"
#include "vtls_scache.h"
#include "keylog.h"
-#include "parsedate.h"
-#include "connect.h" /* for the connect timeout */
-#include "progress.h"
-#include "select.h"
-#include "strcase.h"
-#include "strdup.h"
+#include "../parsedate.h"
+#include "../connect.h" /* for the connect timeout */
+#include "../progress.h"
+#include "../select.h"
+#include "../strcase.h"
+#include "../strdup.h"
#include "x509asn1.h"
-#include "curl_printf.h"
-#include "multiif.h"
+#include "../curl_printf.h"
+#include "../multiif.h"
#include <wolfssl/ssl.h>
#include <wolfssl/error-ssl.h>
#include "wolfssl.h"
/* The last #include files should be: */
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
#ifdef HAVE_WOLFSSL_CTX_GENERATEECHCONFIG
#define USE_ECH_WOLFSSL
@@ -96,11 +96,11 @@
#endif
#endif
-#ifdef HAVE_WOLFSSL_BIO
+#ifdef HAVE_WOLFSSL_BIO_NEW
#define USE_BIO_CHAIN
-#ifdef HAVE_WOLFSSL_FULL_BIO
+#ifdef HAVE_WOLFSSL_BIO_SET_SHUTDOWN
#define USE_FULL_BIO
-#else /* HAVE_WOLFSSL_FULL_BIO */
+#else /* HAVE_WOLFSSL_BIO_SET_SHUTDOWN */
#undef USE_FULL_BIO
#endif
/* wolfSSL 5.7.4 and older do not have these symbols, but only the
@@ -114,7 +114,7 @@
#define wolfSSL_BIO_set_retry_read BIO_set_retry_read
#endif /* !WOLFSSL_BIO_CTRL_GET_CLOSE */
-#else /* HAVE_WOLFSSL_BIO */
+#else /* HAVE_WOLFSSL_BIO_NEW */
#undef USE_BIO_CHAIN
#endif
@@ -714,8 +714,8 @@ wssl_cached_x509_store_expired(const struct Curl_easy *data,
const struct wssl_x509_share *mb)
{
const struct ssl_general_config *cfg = &data->set.general_ssl;
- struct curltime now = Curl_now();
- timediff_t elapsed_ms = Curl_timediff(now, mb->time);
+ struct curltime now = curlx_now();
+ timediff_t elapsed_ms = curlx_timediff(now, mb->time);
timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
if(timeout_ms < 0)
@@ -799,7 +799,7 @@ static void wssl_set_cached_x509_store(struct Curl_cfilter *cf,
free(share->CAfile);
}
- share->time = Curl_now();
+ share->time = curlx_now();
share->store = store;
share->CAfile = CAfile;
}
@@ -871,14 +871,14 @@ wssl_add_default_ciphers(bool tls13, struct dynbuf *buf)
continue;
/* if there already is data in the string, add colon separator */
- if(Curl_dyn_len(buf)) {
- CURLcode result = Curl_dyn_addn(buf, ":", 1);
+ if(curlx_dyn_len(buf)) {
+ CURLcode result = curlx_dyn_addn(buf, ":", 1);
if(result)
return result;
}
n = strlen(str);
- if(Curl_dyn_addn(buf, str, n))
+ if(curlx_dyn_addn(buf, str, n))
return CURLE_OUT_OF_MEMORY;
}
@@ -1067,19 +1067,19 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
const char *ciphers12 = conn_config->cipher_list;
const char *ciphers13 = conn_config->cipher_list13;
struct dynbuf c;
- Curl_dyn_init(&c, MAX_CIPHER_LEN);
+ curlx_dyn_init(&c, MAX_CIPHER_LEN);
if(ciphers13)
- result = Curl_dyn_add(&c, ciphers13);
+ result = curlx_dyn_add(&c, ciphers13);
else
result = wssl_add_default_ciphers(TRUE, &c);
if(!result) {
if(ciphers12) {
- if(Curl_dyn_len(&c))
- result = Curl_dyn_addn(&c, ":", 1);
+ if(curlx_dyn_len(&c))
+ result = curlx_dyn_addn(&c, ":", 1);
if(!result)
- result = Curl_dyn_add(&c, ciphers12);
+ result = curlx_dyn_add(&c, ciphers12);
}
else
result = wssl_add_default_ciphers(FALSE, &c);
@@ -1087,14 +1087,14 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
if(result)
goto out;
- if(!wolfSSL_CTX_set_cipher_list(wctx->ssl_ctx, Curl_dyn_ptr(&c))) {
- failf(data, "failed setting cipher list: %s", Curl_dyn_ptr(&c));
- Curl_dyn_free(&c);
+ if(!wolfSSL_CTX_set_cipher_list(wctx->ssl_ctx, curlx_dyn_ptr(&c))) {
+ failf(data, "failed setting cipher list: %s", curlx_dyn_ptr(&c));
+ curlx_dyn_free(&c);
result = CURLE_SSL_CIPHER;
goto out;
}
- infof(data, "Cipher selection: %s", Curl_dyn_ptr(&c));
- Curl_dyn_free(&c);
+ infof(data, "Cipher selection: %s", curlx_dyn_ptr(&c));
+ curlx_dyn_free(&c);
}
#endif
@@ -1352,9 +1352,7 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
goto out;
}
if(data->set.tls_ech == CURLECH_GREASE) {
- infof(data, "ECH: GREASE'd ECH not yet supported for wolfSSL");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
+ infof(data, "ECH: GREASE is done by default by wolfSSL: no need to ask");
}
if(data->set.tls_ech & CURLECH_CLA_CFG
&& data->set.str[STRING_ECH_CONFIG]) {
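Review bot: The CURLECH_GREASE branch now returns success where it previously failed with CURLE_SSL_CONNECT_ERROR, and the only evidence for "GREASE is done by default by wolfSSL" is the infof() text itself, which is verbose-level output a caller never sees programmatically. If a wolfSSL build does not GREASE on its own, an application that asked for GREASE gets a plain handshake with no error, so the assumption should at least be written down where it can be re-checked: `/* wolfSSL emits GREASE ECH itself when ECH is compiled in (USE_ECH_WOLFSSL); nothing to configure for CURLECH_GREASE */` above the `if`. It is also worth confirming that the `data->set.tls_ech & CURLECH_CLA_CFG` test that follows cannot match a GREASE-only request, since that branch is now reachable from it. Curl_wssl_ctx_init starts and ends outside this hunk.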
@@ -1379,7 +1377,8 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
struct ssl_connect_data *connssl = cf->ctx;
struct Curl_dns_entry *dns = NULL;
- dns = Curl_fetch_addr(data, connssl->peer.hostname, connssl->peer.port);
+ dns = Curl_dnscache_get(data, connssl->peer.hostname, connssl->peer.port,
+ cf->conn->ip_version);
if(!dns) {
infof(data, "ECH: requested but no DNS info available");
if(data->set.tls_ech & CURLECH_HARD) {
@@ -1467,7 +1466,7 @@ wssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
if(result)
return result;
-#ifdef HAS_ALPN
+#ifdef HAVE_ALPN
if(connssl->alpn && (connssl->state != ssl_connection_deferred)) {
struct alpn_proto_buf proto;
memset(&proto, 0, sizeof(proto));
@@ -1527,10 +1526,10 @@ static char *wssl_strerror(unsigned long error, char *buf,
return buf;
}
-static CURLcode wssl_verify_pinned(struct Curl_cfilter *cf,
- struct Curl_easy *data)
+CURLcode Curl_wssl_verify_pinned(struct Curl_cfilter *cf,
+ struct Curl_easy *data,
+ struct wssl_ctx *wssl)
{
- struct ssl_connect_data *connssl = cf->ctx;
#ifndef CURL_DISABLE_PROXY
const char * const pinnedpubkey = Curl_ssl_cf_is_proxy(cf) ?
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
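Review bot: Curl_wssl_verify_pinned becomes a public function here and in the wolfssl.h hunk below, but neither site documents its contract, and the new `wssl` parameter is only consumed inside `#ifdef KEEP_PEER_CERT` (the local it replaces was removed in the next hunk), so a build without KEEP_PEER_CERT likely has an unused parameter unless the remainder of the body, which lies outside this hunk, references it. A header comment such as `/* Compare the peer certificate's public key against the configured pinned key; returns CURLE_OK when no pin is set or it matches, an error CURLcode otherwise. */` on the prototype in wolfssl.h, plus `(void)wssl;` in the `#else` path if it is indeed unreferenced there, would make the exported interface self-explanatory and warning-clean. The function body continues past the end of this hunk.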
@@ -1541,7 +1540,6 @@ static CURLcode wssl_verify_pinned(struct Curl_cfilter *cf,
if(pinnedpubkey) {
#ifdef KEEP_PEER_CERT
- struct wssl_ctx *wssl = (struct wssl_ctx *)connssl->backend;
WOLFSSL_X509 *x509;
const char *x509_der;
int x509_der_len;
@@ -1770,8 +1768,8 @@ static CURLcode wssl_handshake(struct Curl_cfilter *cf,
char *b64str = NULL;
size_t blen = 0;
- result = Curl_base64_encode((const char *)echConfigs, echConfigsLen,
- &b64str, &blen);
+ result = curlx_base64_encode((const char *)echConfigs, echConfigsLen,
+ &b64str, &blen);
if(!result && b64str)
infof(data, "ECH: (not yet) retry_configs %s", b64str);
free(b64str);
@@ -2139,7 +2137,7 @@ static CURLcode wssl_connect(struct Curl_cfilter *cf,
result = wssl->hs_result;
goto out;
}
- result = wssl_verify_pinned(cf, data);
+ result = Curl_wssl_verify_pinned(cf, data, wssl);
if(result) {
wssl->hs_result = result;
goto out;
diff --git a/libs/libcurl/src/vtls/wolfssl.h b/libs/libcurl/src/vtls/wolfssl.h
index cf4bff8e2c..f5f30b2018 100644
--- a/libs/libcurl/src/vtls/wolfssl.h
+++ b/libs/libcurl/src/vtls/wolfssl.h
@@ -23,11 +23,11 @@
* SPDX-License-Identifier: curl
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#ifdef USE_WOLFSSL
-#include "urldata.h"
+#include "../urldata.h"
struct alpn_spec;
struct ssl_peer;
@@ -75,11 +75,6 @@ CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct wssl_ctx *wssl);
-CURLcode Curl_wssl_setup_session(struct Curl_cfilter *cf,
- struct Curl_easy *data,
- struct wssl_ctx *wss,
- const char *ssl_peer_key);
-
CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
@@ -89,6 +84,10 @@ CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
unsigned char *quic_tp,
size_t quic_tp_len);
+CURLcode Curl_wssl_verify_pinned(struct Curl_cfilter *cf,
+ struct Curl_easy *data,
+ struct wssl_ctx *wssl);
+
#endif /* USE_WOLFSSL */
#endif /* HEADER_CURL_WOLFSSL_H */
diff --git a/libs/libcurl/src/vtls/x509asn1.c b/libs/libcurl/src/vtls/x509asn1.c
index 082b5191d9..d9c970d7d2 100644
--- a/libs/libcurl/src/vtls/x509asn1.c
+++ b/libs/libcurl/src/vtls/x509asn1.c
@@ -22,7 +22,7 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
@@ -39,22 +39,22 @@
#endif
#include <curl/curl.h>
-#include "urldata.h"
-#include "strcase.h"
-#include "curl_ctype.h"
+#include "../urldata.h"
+#include "../strcase.h"
+#include "../curl_ctype.h"
#include "hostcheck.h"
-#include "vtls/vtls.h"
-#include "vtls/vtls_int.h"
-#include "sendf.h"
-#include "inet_pton.h"
-#include "curl_base64.h"
+#include "vtls.h"
+#include "vtls_int.h"
+#include "../sendf.h"
+#include "../curlx/inet_pton.h"
+#include "../curlx/base64.h"
#include "x509asn1.h"
-#include "dynbuf.h"
+#include "../curlx/dynbuf.h"
/* The last 3 #include files should be in this order */
-#include "curl_printf.h"
-#include "curl_memory.h"
-#include "memdebug.h"
+#include "../curl_printf.h"
+#include "../curl_memory.h"
+#include "../memdebug.h"
/*
* Constants.
@@ -291,7 +291,7 @@ static CURLcode bool2str(struct dynbuf *store,
{
if(end - beg != 1)
return CURLE_BAD_FUNCTION_ARGUMENT;
- return Curl_dyn_add(store, *beg ? "TRUE": "FALSE");
+ return curlx_dyn_add(store, *beg ? "TRUE": "FALSE");
}
/*
@@ -305,7 +305,7 @@ static CURLcode octet2str(struct dynbuf *store,
CURLcode result = CURLE_OK;
while(!result && beg < end)
- result = Curl_dyn_addf(store, "%02x:", (unsigned char) *beg++);
+ result = curlx_dyn_addf(store, "%02x:", (unsigned char) *beg++);
return result;
}
@@ -344,7 +344,7 @@ static CURLcode int2str(struct dynbuf *store,
do
val = (val << 8) | *(const unsigned char *) beg++;
while(beg < end);
- return Curl_dyn_addf(store, "%s%x", val >= 10 ? "0x" : "", val);
+ return curlx_dyn_addf(store, "%s%x", val >= 10 ? "0x" : "", val);
}
/*
@@ -387,7 +387,7 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
if(type == CURL_ASN1_UTF8_STRING) {
/* Just copy. */
if(inlength)
- result = Curl_dyn_addn(to, from, inlength);
+ result = curlx_dyn_addn(to, from, inlength);
}
else {
while(!result && (from < end)) {
@@ -426,7 +426,7 @@ utf8asn1str(struct dynbuf *to, int type, const char *from, const char *end)
charsize++;
}
buf[0] = (char) wc;
- result = Curl_dyn_addn(to, buf, charsize);
+ result = curlx_dyn_addn(to, buf, charsize);
}
}
return result;
@@ -449,7 +449,7 @@ static CURLcode encodeOID(struct dynbuf *store,
x = y / 40;
y -= x * 40;
- result = Curl_dyn_addf(store, "%u.%u", x, y);
+ result = curlx_dyn_addf(store, "%u.%u", x, y);
if(result)
return result;
@@ -462,7 +462,7 @@ static CURLcode encodeOID(struct dynbuf *store,
y = *(const unsigned char *) beg++;
x = (x << 7) | (y & 0x7F);
} while(y & 0x80);
- result = Curl_dyn_addf(store, ".%u", x);
+ result = curlx_dyn_addf(store, ".%u", x);
}
return result;
}
@@ -480,16 +480,16 @@ static CURLcode OID2str(struct dynbuf *store,
if(beg < end) {
if(symbolic) {
struct dynbuf buf;
- Curl_dyn_init(&buf, CURL_X509_STR_MAX);
+ curlx_dyn_init(&buf, CURL_X509_STR_MAX);
result = encodeOID(&buf, beg, end);
if(!result) {
- const struct Curl_OID *op = searchOID(Curl_dyn_ptr(&buf));
+ const struct Curl_OID *op = searchOID(curlx_dyn_ptr(&buf));
if(op)
- result = Curl_dyn_add(store, op->textoid);
+ result = curlx_dyn_add(store, op->textoid);
else
- result = Curl_dyn_add(store, Curl_dyn_ptr(&buf));
- Curl_dyn_free(&buf);
+ result = curlx_dyn_add(store, curlx_dyn_ptr(&buf));
+ curlx_dyn_free(&buf);
}
}
else
@@ -568,12 +568,12 @@ static CURLcode GTime2str(struct dynbuf *store,
tzl = end - tzp;
}
- return Curl_dyn_addf(store,
- "%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
- beg, beg + 4, beg + 6,
- beg + 8, beg + 10, sec1, sec2,
- fracl ? ".": "", (int)fracl, fracp,
- sep, (int)tzl, tzp);
+ return curlx_dyn_addf(store,
+ "%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
+ beg, beg + 4, beg + 6,
+ beg + 8, beg + 10, sec1, sec2,
+ fracl ? ".": "", (int)fracl, fracp,
+ sep, (int)tzl, tzp);
}
#ifdef UNITTESTS
@@ -622,10 +622,10 @@ static CURLcode UTime2str(struct dynbuf *store,
tzp++;
tzl = end - tzp;
- return Curl_dyn_addf(store, "%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s",
- 20 - (*beg >= '5'), beg, beg + 2, beg + 4,
- beg + 6, beg + 8, sec,
- (int)tzl, tzp);
+ return curlx_dyn_addf(store, "%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s",
+ 20 - (*beg >= '5'), beg, beg + 2, beg + 4,
+ beg + 6, beg + 8, sec,
+ (int)tzl, tzp);
}
/*
@@ -658,7 +658,7 @@ static CURLcode ASN1tostr(struct dynbuf *store,
result = octet2str(store, elem->beg, elem->end);
break;
case CURL_ASN1_NULL:
- result = Curl_dyn_addn(store, "", 1);
+ result = curlx_dyn_addn(store, "", 1);
break;
case CURL_ASN1_OBJECT_IDENTIFIER:
result = OID2str(store, elem->beg, elem->end, TRUE);
@@ -702,7 +702,7 @@ static CURLcode encodeDN(struct dynbuf *store, struct Curl_asn1Element *dn)
CURLcode result = CURLE_OK;
bool added = FALSE;
struct dynbuf temp;
- Curl_dyn_init(&temp, CURL_X509_STR_MAX);
+ curlx_dyn_init(&temp, CURL_X509_STR_MAX);
for(p1 = dn->beg; p1 < dn->end;) {
p1 = getASN1Element(&rdn, p1, dn->end);
@@ -725,12 +725,12 @@ static CURLcode encodeDN(struct dynbuf *store, struct Curl_asn1Element *dn)
result = CURLE_BAD_FUNCTION_ARGUMENT;
goto error;
}
- Curl_dyn_reset(&temp);
+ curlx_dyn_reset(&temp);
result = ASN1tostr(&temp, &oid, 0);
if(result)
goto error;
- str = Curl_dyn_ptr(&temp);
+ str = curlx_dyn_ptr(&temp);
if(!str) {
result = CURLE_BAD_FUNCTION_ARGUMENT;
@@ -743,20 +743,20 @@ static CURLcode encodeDN(struct dynbuf *store, struct Curl_asn1Element *dn)
;
if(added) {
if(p3 - str > 2)
- result = Curl_dyn_addn(store, "/", 1);
+ result = curlx_dyn_addn(store, "/", 1);
else
- result = Curl_dyn_addn(store, ", ", 2);
+ result = curlx_dyn_addn(store, ", ", 2);
if(result)
goto error;
}
/* Encode attribute name. */
- result = Curl_dyn_add(store, str);
+ result = curlx_dyn_add(store, str);
if(result)
goto error;
/* Generate equal sign. */
- result = Curl_dyn_addn(store, "=", 1);
+ result = curlx_dyn_addn(store, "=", 1);
if(result)
goto error;
@@ -764,12 +764,12 @@ static CURLcode encodeDN(struct dynbuf *store, struct Curl_asn1Element *dn)
result = ASN1tostr(store, &value, 0);
if(result)
goto error;
- Curl_dyn_reset(&temp);
+ curlx_dyn_reset(&temp);
added = TRUE; /* use separator for next */
}
}
error:
- Curl_dyn_free(&temp);
+ curlx_dyn_free(&temp);
return result;
}
@@ -947,8 +947,8 @@ static CURLcode ssl_push_certinfo_dyn(struct Curl_easy *data,
const char *label,
struct dynbuf *ptr)
{
- size_t valuelen = Curl_dyn_len(ptr);
- char *value = Curl_dyn_ptr(ptr);
+ size_t valuelen = curlx_dyn_len(ptr);
+ char *value = curlx_dyn_ptr(ptr);
CURLcode result = Curl_ssl_push_certinfo_len(data, certnum, label,
value, valuelen);
@@ -966,7 +966,7 @@ static CURLcode do_pubkey_field(struct Curl_easy *data, int certnum,
CURLcode result;
struct dynbuf out;
- Curl_dyn_init(&out, CURL_X509_STR_MAX);
+ curlx_dyn_init(&out, CURL_X509_STR_MAX);
/* Generate a certificate information record for the public key. */
@@ -974,7 +974,7 @@ static CURLcode do_pubkey_field(struct Curl_easy *data, int certnum,
if(!result) {
if(data->set.ssl.certinfo)
result = ssl_push_certinfo_dyn(data, certnum, label, &out);
- Curl_dyn_free(&out);
+ curlx_dyn_free(&out);
}
return result;
}
@@ -1110,7 +1110,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
if(certnum)
return CURLE_OK;
- Curl_dyn_init(&out, CURL_X509_STR_MAX);
+ curlx_dyn_init(&out, CURL_X509_STR_MAX);
/* Prepare the certificate information for curl_easy_getinfo(). */
/* Extract the certificate ASN.1 elements. */
@@ -1126,7 +1126,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
if(result)
goto done;
}
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Issuer. */
result = DNtostr(&out, &cert.issuer);
@@ -1137,20 +1137,20 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
if(result)
goto done;
}
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Version (always fits in less than 32 bits). */
version = 0;
for(ptr = cert.version.beg; ptr < cert.version.end; ptr++)
version = (version << 8) | *(const unsigned char *) ptr;
if(data->set.ssl.certinfo) {
- result = Curl_dyn_addf(&out, "%x", version);
+ result = curlx_dyn_addf(&out, "%x", version);
if(result)
goto done;
result = ssl_push_certinfo_dyn(data, certnum, "Version", &out);
if(result)
goto done;
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
}
/* Serial number. */
@@ -1162,7 +1162,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
if(result)
goto done;
}
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Signature algorithm .*/
result = dumpAlgo(&out, &param, cert.signatureAlgorithm.beg,
@@ -1175,7 +1175,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
if(result)
goto done;
}
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Start Date. */
result = ASN1tostr(&out, &cert.notBefore, 0);
@@ -1186,7 +1186,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
if(result)
goto done;
}
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Expire Date. */
result = ASN1tostr(&out, &cert.notAfter, 0);
@@ -1197,7 +1197,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
if(result)
goto done;
}
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Public Key Algorithm. */
result = dumpAlgo(&out, &param, cert.subjectPublicKeyAlgorithm.beg,
@@ -1211,13 +1211,13 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
goto done;
}
- rc = do_pubkey(data, certnum, Curl_dyn_ptr(&out),
+ rc = do_pubkey(data, certnum, curlx_dyn_ptr(&out),
&param, &cert.subjectPublicKey);
if(rc) {
result = CURLE_OUT_OF_MEMORY; /* the most likely error */
goto done;
}
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Signature. */
result = ASN1tostr(&out, &cert.signature, 0);
@@ -1228,12 +1228,12 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
if(result)
goto done;
}
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Generate PEM certificate. */
- result = Curl_base64_encode(cert.certificate.beg,
- cert.certificate.end - cert.certificate.beg,
- &certptr, &clen);
+ result = curlx_base64_encode(cert.certificate.beg,
+ cert.certificate.end - cert.certificate.beg,
+ &certptr, &clen);
if(result)
goto done;
@@ -1246,22 +1246,22 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
-----END CERTIFICATE-----\n
*/
- Curl_dyn_reset(&out);
+ curlx_dyn_reset(&out);
/* Build the certificate string. */
- result = Curl_dyn_add(&out, "-----BEGIN CERTIFICATE-----\n");
+ result = curlx_dyn_add(&out, "-----BEGIN CERTIFICATE-----\n");
if(!result) {
size_t j = 0;
while(!result && (j < clen)) {
size_t chunksize = (clen - j) > 64 ? 64 : (clen - j);
- result = Curl_dyn_addn(&out, &certptr[j], chunksize);
+ result = curlx_dyn_addn(&out, &certptr[j], chunksize);
if(!result)
- result = Curl_dyn_addn(&out, "\n", 1);
+ result = curlx_dyn_addn(&out, "\n", 1);
j += chunksize;
}
if(!result)
- result = Curl_dyn_add(&out, "-----END CERTIFICATE-----\n");
+ result = curlx_dyn_add(&out, "-----END CERTIFICATE-----\n");
}
free(certptr);
if(!result)
@@ -1271,7 +1271,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data,
done:
if(result)
failf(data, "Failed extracting certificate chain");
- Curl_dyn_free(&out);
+ curlx_dyn_free(&out);
return result;
}
diff --git a/libs/libcurl/src/vtls/x509asn1.h b/libs/libcurl/src/vtls/x509asn1.h
index 34ba802d0f..3b933cb231 100644
--- a/libs/libcurl/src/vtls/x509asn1.h
+++ b/libs/libcurl/src/vtls/x509asn1.h
@@ -25,14 +25,14 @@
*
***************************************************************************/
-#include "curl_setup.h"
+#include "../curl_setup.h"
#if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || \
defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
defined(USE_MBEDTLS) || defined(USE_RUSTLS)
-#include "cfilters.h"
-#include "urldata.h"
+#include "../cfilters.h"
+#include "../urldata.h"
/*
* Types.
@@ -45,7 +45,7 @@ struct Curl_asn1Element {
const char *end; /* Pointer to 1st byte after element. */
unsigned char class; /* ASN.1 element class. */
unsigned char tag; /* ASN.1 element tag. */
- bool constructed; /* Element is constructed. */
+ BIT(constructed); /* Element is constructed. */
};
/* X509 certificate: RFC 5280. */
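Review bot: Changing `constructed` from `bool` to `BIT(constructed)` turns it into a one-bit bit-field in builds where BIT() expands that way, which narrows the assignment semantics: a `bool` normalises any non-zero value to 1, whereas a one-bit field keeps only the low bit, so an assignment of the form `elem->constructed = tag & 0x20;` anywhere in x509asn1.c would now store 0. I cannot see the assignments from this hunk; if they are all comparison results (`!= 0`, `!!`), this is fine, otherwise each should be written as a boolean expression. The field also can no longer have its address taken, which matters only if a caller passes `&elem->constructed` somewhere.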