doylet/DN
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update networking layer w/ CURL and emscripten impl

Browse Source
This commit is contained in:
doylet
2025-11-08 01:50:36 +11:00
parent a17925904d
commit f6874dc55a
4105 changed files with 694617 additions and 179 deletions
Download Patch File Download Diff File Expand all files Collapse all files
External/curl-8.17.0/lib/vtls/apple.c
Vendored
+297
View File
@@ -0,0 +1,297 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/* This file is for implementing all "generic" SSL functions that all libcurl
internals should use. It is then responsible for calling the proper
"backend" function.
SSL-functions in libcurl should call functions in this source file, and not
to any specific SSL-layer.
Curl_ssl_ - prefix for generic ones
Note that this source code uses the functions of the configured SSL
backend via the global Curl_ssl instance.
"SSL/TLS Strong Encryption: An Introduction"
https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
*/
#include "../curl_setup.h"
#include "../urldata.h"
#include "../cfilters.h"
#include "../curl_trc.h"
#include "vtls.h"
#include "apple.h"
#ifdef USE_APPLE_SECTRUST
#include <Security/Security.h>
#endif
/* The last #include files should be: */
#include "../curl_memory.h"
#include "../memdebug.h"
#ifdef USE_APPLE_SECTRUST
#define SSL_SYSTEM_VERIFIER
#if (defined(MAC_OS_X_VERSION_MAX_ALLOWED) \
&& MAC_OS_X_VERSION_MAX_ALLOWED >= 101400) \
|| (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) \
&& __IPHONE_OS_VERSION_MAX_ALLOWED >= 120000)
#define SUPPORTS_SecTrustEvaluateWithError 1
#endif
#if defined(SUPPORTS_SecTrustEvaluateWithError) \
&& ((defined(MAC_OS_X_VERSION_MIN_REQUIRED) \
&& MAC_OS_X_VERSION_MIN_REQUIRED >= 101400) \
|| (defined(__IPHONE_OS_VERSION_MIN_REQUIRED) \
&& __IPHONE_OS_VERSION_MIN_REQUIRED >= 120000))
#define REQUIRES_SecTrustEvaluateWithError 1
#endif
#if defined(SUPPORTS_SecTrustEvaluateWithError) \
&& !defined(HAVE_BUILTIN_AVAILABLE) \
&& !defined(REQUIRES_SecTrustEvaluateWithError)
#undef SUPPORTS_SecTrustEvaluateWithError
#endif
#if (defined(MAC_OS_X_VERSION_MAX_ALLOWED) \
&& MAC_OS_X_VERSION_MAX_ALLOWED >= 100900) \
|| (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) \
&& __IPHONE_OS_VERSION_MAX_ALLOWED >= 70000)
#define SUPPORTS_SecOCSP 1
#endif
CURLcode Curl_vtls_apple_verify(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer,
size_t num_certs,
Curl_vtls_get_cert_der *der_cb,
void *cb_user_data,
const unsigned char *ocsp_buf,
size_t ocsp_len)
{
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
CURLcode result = CURLE_OK;
SecTrustRef trust = NULL;
SecPolicyRef policy = NULL;
CFMutableArrayRef policies = NULL;
CFMutableArrayRef cert_array = NULL;
CFStringRef host_str = NULL;
CFErrorRef error = NULL;
OSStatus status = noErr;
CFStringRef error_ref = NULL;
char *err_desc = NULL;
size_t i;
if(conn_config->verifyhost) {
host_str = CFStringCreateWithCString(NULL,
peer->sni ? peer->sni : peer->hostname, kCFStringEncodingUTF8);
if(!host_str) {
result = CURLE_OUT_OF_MEMORY;
goto out;
}
}
policies = CFArrayCreateMutable(NULL, 2, &kCFTypeArrayCallBacks);
if(!policies) {
result = CURLE_OUT_OF_MEMORY;
goto out;
}
policy = SecPolicyCreateSSL(true, host_str);
if(!policy) {
result = CURLE_OUT_OF_MEMORY;
goto out;
}
CFArrayAppendValue(policies, policy);
CFRelease(policy);
policy = NULL;
#if defined(HAVE_BUILTIN_AVAILABLE) && defined(SUPPORTS_SecOCSP)
{
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
if(!ssl_config->no_revoke) {
if(__builtin_available(macOS 10.9, iOS 7, tvOS 9, watchOS 2, *)) {
/* Even without this set, validation will seemingly-unavoidably fail
* for certificates that trustd already knows to be revoked.
* This policy further allows trustd to consult CRLs and OCSP data
* to determine revocation status (which it may then cache). */
CFOptionFlags revocation_flags = kSecRevocationUseAnyAvailableMethod;
#if 0
/* `revoke_best_effort` is off by default in libcurl. When we
* add `kSecRevocationRequirePositiveResponse` to the Apple
* Trust policies, it interprets this as it NEEDs a confirmation
* of a cert being NOT REVOKED. Which not in general available for
* certificates on the internet.
* It seems that applications using this policy are expected to PIN
* their certificate public keys or verification will fail.
* This does not seem to be what we want here. */
if(!ssl_config->revoke_best_effort) {
revocation_flags |= kSecRevocationRequirePositiveResponse;
}
#endif
policy = SecPolicyCreateRevocation(revocation_flags);
if(!policy) {
result = CURLE_OUT_OF_MEMORY;
goto out;
}
CFArrayAppendValue(policies, policy);
}
}
}
#endif
cert_array = CFArrayCreateMutable(NULL, num_certs, &kCFTypeArrayCallBacks);
if(!cert_array) {
result = CURLE_OUT_OF_MEMORY;
goto out;
}
for(i = 0; i < num_certs; i++) {
SecCertificateRef cert;
CFDataRef certdata;
unsigned char *der;
size_t der_len;
result = der_cb(cf, data, cb_user_data, i, &der, &der_len);
if(result)
goto out;
certdata = CFDataCreate(NULL, der, (CFIndex)der_len);
if(!certdata) {
result = CURLE_OUT_OF_MEMORY;
goto out;
}
cert = SecCertificateCreateWithData(NULL, certdata);
CFRelease(certdata);
if(!cert) {
result = CURLE_OUT_OF_MEMORY;
goto out;
}
CFArrayAppendValue(cert_array, cert);
CFRelease(cert);
}
status = SecTrustCreateWithCertificates(cert_array, policies, &trust);
if(status != noErr || !trust) {
failf(data, "Apple SecTrust: failed to create validation trust");
result = CURLE_PEER_FAILED_VERIFICATION;
goto out;
}
#if defined(HAVE_BUILTIN_AVAILABLE) && defined(SUPPORTS_SecOCSP)
if(ocsp_len > 0) {
if(__builtin_available(macOS 10.9, iOS 7, tvOS 9, watchOS 2, *)) {
CFDataRef ocspdata =
CFDataCreate(NULL, ocsp_buf, (CFIndex)ocsp_len);
status = SecTrustSetOCSPResponse(trust, ocspdata);
CFRelease(ocspdata);
if(status != noErr) {
failf(data, "Apple SecTrust: failed to set OCSP response: %i",
(int)status);
result = CURLE_PEER_FAILED_VERIFICATION;
goto out;
}
}
}
#else
(void)ocsp_buf;
(void)ocsp_len;
#endif
#ifdef SUPPORTS_SecTrustEvaluateWithError
#if defined(HAVE_BUILTIN_AVAILABLE)
if(__builtin_available(macOS 10.14, iOS 12, tvOS 12, watchOS 5, *)) {
#else
if(1) {
#endif
result = SecTrustEvaluateWithError(trust, &error) ?
CURLE_OK : CURLE_PEER_FAILED_VERIFICATION;
if(error) {
CFIndex code = CFErrorGetCode(error);
error_ref = CFErrorCopyDescription(error);
if(error_ref) {
CFIndex size = CFStringGetMaximumSizeForEncoding(
CFStringGetLength(error_ref), kCFStringEncodingUTF8);
err_desc = malloc(size + 1);
if(err_desc) {
if(!CFStringGetCString(error_ref, err_desc, size,
kCFStringEncodingUTF8)) {
free(err_desc);
err_desc = NULL;
}
}
}
infof(data, "Apple SecTrust failure %ld%s%s", code,
err_desc ? ": " : "", err_desc ? err_desc : "");
}
}
else
#endif /* SUPPORTS_SecTrustEvaluateWithError */
{
#ifndef REQUIRES_SecTrustEvaluateWithError
SecTrustResultType sec_result;
status = SecTrustEvaluate(trust, &sec_result);
if(status != noErr) {
failf(data, "Apple SecTrust verification failed: error %i", (int)status);
}
else if((sec_result == kSecTrustResultUnspecified) ||
(sec_result == kSecTrustResultProceed)) {
/* "unspecified" means system-trusted with no explicit user setting */
result = CURLE_OK;
}
#endif /* REQUIRES_SecTrustEvaluateWithError */
}
out:
free(err_desc);
if(error_ref)
CFRelease(error_ref);
if(error)
CFRelease(error);
if(host_str)
CFRelease(host_str);
if(policies)
CFRelease(policies);
if(policy)
CFRelease(policy);
if(cert_array)
CFRelease(cert_array);
if(trust)
CFRelease(trust);
return result;
}
#endif /* USE_APPLE_SECTRUST */
External/curl-8.17.0/lib/vtls/apple.h
Vendored
+55
View File
@@ -0,0 +1,55 @@
#ifndef HEADER_CURL_VTLS_APPLE_H
#define HEADER_CURL_VTLS_APPLE_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Jan Venekamp, <jan@venekamp.net>
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_APPLE_SECTRUST
struct Curl_cfilter;
struct Curl_easy;
struct ssl_peer;
/* Get the DER encoded i-th certificate in the server handshake */
typedef CURLcode Curl_vtls_get_cert_der(struct Curl_cfilter *cf,
struct Curl_easy *data,
void *user_data,
size_t i,
unsigned char **pder,
size_t *pder_len);
/* Ask Apple's Security framework to verify the certificate chain
* send by the peer. On CURLE_OK it has been verified.
*/
CURLcode Curl_vtls_apple_verify(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer,
size_t num_certs,
Curl_vtls_get_cert_der *der_cb,
void *cb_user_data,
const unsigned char *ocsp_buf,
size_t ocsp_len);
#endif /* USE_APPLE_SECTRUST */
#endif /* HEADER_CURL_VTLS_APPLE_H */
External/curl-8.17.0/lib/vtls/cipher_suite.c
Vendored
+710
View File
@@ -0,0 +1,710 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Jan Venekamp, <jan@venekamp.net>
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#include "cipher_suite.h"
#include <string.h>
/*
* To support the CURLOPT_SSL_CIPHER_LIST option on SSL backends
* that do not support it natively, but do support setting a list of
* IANA ids, we need a list of all supported cipher suite names
* (OpenSSL and IANA) to be able to look up the IANA ids.
*
* To keep the binary size of this list down we compress each entry
* down to 2 + 6 bytes using the C preprocessor.
*/
/*
* mbedTLS NOTE: mbedTLS has mbedtls_ssl_get_ciphersuite_id() to
* convert a string representation to an IANA id, we do not use that
* because it does not support "standard" OpenSSL cipher suite
* names, nor IANA names.
*/
/* NOTE: also see tests/unit/unit3205.c */
/* Text for cipher suite parts (max 64 entries),
keep indexes below in sync with this! */
static const char *cs_txt =
"\0"
"TLS" "\0"
"WITH" "\0"
"128" "\0"
"256" "\0"
"3DES" "\0"
"8" "\0"
"AES" "\0"
"AES128" "\0"
"AES256" "\0"
"CBC" "\0"
"CBC3" "\0"
"CCM" "\0"
"CCM8" "\0"
"CHACHA20" "\0"
"DES" "\0"
"DHE" "\0"
"ECDH" "\0"
"ECDHE" "\0"
"ECDSA" "\0"
"EDE" "\0" /* spellchecker:disable-line */
"GCM" "\0"
"MD5" "\0"
"NULL" "\0"
"POLY1305" "\0"
"PSK" "\0"
"RSA" "\0"
"SHA" "\0"
"SHA256" "\0"
"SHA384" "\0"
#ifdef USE_MBEDTLS
"ARIA" "\0"
"ARIA128" "\0"
"ARIA256" "\0"
"CAMELLIA" "\0"
"CAMELLIA128" "\0"
"CAMELLIA256" "\0"
#endif
;
/* Indexes of above cs_txt */
enum {
CS_TXT_IDX_,
CS_TXT_IDX_TLS,
CS_TXT_IDX_WITH,
CS_TXT_IDX_128,
CS_TXT_IDX_256,
CS_TXT_IDX_3DES,
CS_TXT_IDX_8,
CS_TXT_IDX_AES,
CS_TXT_IDX_AES128,
CS_TXT_IDX_AES256,
CS_TXT_IDX_CBC,
CS_TXT_IDX_CBC3,
CS_TXT_IDX_CCM,
CS_TXT_IDX_CCM8,
CS_TXT_IDX_CHACHA20,
CS_TXT_IDX_DES,
CS_TXT_IDX_DHE,
CS_TXT_IDX_ECDH,
CS_TXT_IDX_ECDHE,
CS_TXT_IDX_ECDSA,
CS_TXT_IDX_EDE, /* spellchecker:disable-line */
CS_TXT_IDX_GCM,
CS_TXT_IDX_MD5,
CS_TXT_IDX_NULL,
CS_TXT_IDX_POLY1305,
CS_TXT_IDX_PSK,
CS_TXT_IDX_RSA,
CS_TXT_IDX_SHA,
CS_TXT_IDX_SHA256,
CS_TXT_IDX_SHA384,
#ifdef USE_MBEDTLS
CS_TXT_IDX_ARIA,
CS_TXT_IDX_ARIA128,
CS_TXT_IDX_ARIA256,
CS_TXT_IDX_CAMELLIA,
CS_TXT_IDX_CAMELLIA128,
CS_TXT_IDX_CAMELLIA256,
#endif
CS_TXT_LEN,
};
#define CS_ZIP_IDX(a, b, c, d, e, f, g, h) \
{ \
(uint8_t) ((((a) << 2) & 0xFF) | ((b) & 0x3F) >> 4), \
(uint8_t) ((((b) << 4) & 0xFF) | ((c) & 0x3F) >> 2), \
(uint8_t) ((((c) << 6) & 0xFF) | ((d) & 0x3F)), \
(uint8_t) ((((e) << 2) & 0xFF) | ((f) & 0x3F) >> 4), \
(uint8_t) ((((f) << 4) & 0xFF) | ((g) & 0x3F) >> 2), \
(uint8_t) ((((g) << 6) & 0xFF) | ((h) & 0x3F)) \
}
#define CS_ENTRY(id, a, b, c, d, e, f, g, h) \
{ \
id, \
CS_ZIP_IDX( \
CS_TXT_IDX_ ## a, CS_TXT_IDX_ ## b, \
CS_TXT_IDX_ ## c, CS_TXT_IDX_ ## d, \
CS_TXT_IDX_ ## e, CS_TXT_IDX_ ## f, \
CS_TXT_IDX_ ## g, CS_TXT_IDX_ ## h \
) \
}
struct cs_entry {
uint16_t id;
uint8_t zip[6];
};
/* !checksrc! disable COMMANOSPACE all */
static const struct cs_entry cs_list [] = {
/* TLS 1.3 ciphers */
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
CS_ENTRY(0x1301, TLS,AES,128,GCM,SHA256,,,),
CS_ENTRY(0x1302, TLS,AES,256,GCM,SHA384,,,),
CS_ENTRY(0x1303, TLS,CHACHA20,POLY1305,SHA256,,,,),
CS_ENTRY(0x1304, TLS,AES,128,CCM,SHA256,,,),
CS_ENTRY(0x1305, TLS,AES,128,CCM,8,SHA256,,),
#endif
/* TLS 1.2 ciphers */
CS_ENTRY(0xC02B, TLS,ECDHE,ECDSA,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0xC02B, ECDHE,ECDSA,AES128,GCM,SHA256,,,),
CS_ENTRY(0xC02C, TLS,ECDHE,ECDSA,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0xC02C, ECDHE,ECDSA,AES256,GCM,SHA384,,,),
CS_ENTRY(0xC02F, TLS,ECDHE,RSA,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0xC02F, ECDHE,RSA,AES128,GCM,SHA256,,,),
CS_ENTRY(0xC030, TLS,ECDHE,RSA,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0xC030, ECDHE,RSA,AES256,GCM,SHA384,,,),
CS_ENTRY(0xCCA8, TLS,ECDHE,RSA,WITH,CHACHA20,POLY1305,SHA256,),
CS_ENTRY(0xCCA8, ECDHE,RSA,CHACHA20,POLY1305,,,,),
CS_ENTRY(0xCCA9, TLS,ECDHE,ECDSA,WITH,CHACHA20,POLY1305,SHA256,),
CS_ENTRY(0xCCA9, ECDHE,ECDSA,CHACHA20,POLY1305,,,,),
#ifdef USE_MBEDTLS
CS_ENTRY(0x002F, TLS,RSA,WITH,AES,128,CBC,SHA,),
CS_ENTRY(0x002F, AES128,SHA,,,,,,),
CS_ENTRY(0x0035, TLS,RSA,WITH,AES,256,CBC,SHA,),
CS_ENTRY(0x0035, AES256,SHA,,,,,,),
CS_ENTRY(0x003C, TLS,RSA,WITH,AES,128,CBC,SHA256,),
CS_ENTRY(0x003C, AES128,SHA256,,,,,,),
CS_ENTRY(0x003D, TLS,RSA,WITH,AES,256,CBC,SHA256,),
CS_ENTRY(0x003D, AES256,SHA256,,,,,,),
CS_ENTRY(0x009C, TLS,RSA,WITH,AES,128,GCM,SHA256,),
CS_ENTRY(0x009C, AES128,GCM,SHA256,,,,,),
CS_ENTRY(0x009D, TLS,RSA,WITH,AES,256,GCM,SHA384,),
CS_ENTRY(0x009D, AES256,GCM,SHA384,,,,,),
CS_ENTRY(0xC004, TLS,ECDH,ECDSA,WITH,AES,128,CBC,SHA),
CS_ENTRY(0xC004, ECDH,ECDSA,AES128,SHA,,,,),
CS_ENTRY(0xC005, TLS,ECDH,ECDSA,WITH,AES,256,CBC,SHA),
CS_ENTRY(0xC005, ECDH,ECDSA,AES256,SHA,,,,),
CS_ENTRY(0xC009, TLS,ECDHE,ECDSA,WITH,AES,128,CBC,SHA),
CS_ENTRY(0xC009, ECDHE,ECDSA,AES128,SHA,,,,),
CS_ENTRY(0xC00A, TLS,ECDHE,ECDSA,WITH,AES,256,CBC,SHA),
CS_ENTRY(0xC00A, ECDHE,ECDSA,AES256,SHA,,,,),
CS_ENTRY(0xC00E, TLS,ECDH,RSA,WITH,AES,128,CBC,SHA),
CS_ENTRY(0xC00E, ECDH,RSA,AES128,SHA,,,,),
CS_ENTRY(0xC00F, TLS,ECDH,RSA,WITH,AES,256,CBC,SHA),
CS_ENTRY(0xC00F, ECDH,RSA,AES256,SHA,,,,),
CS_ENTRY(0xC013, TLS,ECDHE,RSA,WITH,AES,128,CBC,SHA),
CS_ENTRY(0xC013, ECDHE,RSA,AES128,SHA,,,,),
CS_ENTRY(0xC014, TLS,ECDHE,RSA,WITH,AES,256,CBC,SHA),
CS_ENTRY(0xC014, ECDHE,RSA,AES256,SHA,,,,),
CS_ENTRY(0xC023, TLS,ECDHE,ECDSA,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0xC023, ECDHE,ECDSA,AES128,SHA256,,,,),
CS_ENTRY(0xC024, TLS,ECDHE,ECDSA,WITH,AES,256,CBC,SHA384),
CS_ENTRY(0xC024, ECDHE,ECDSA,AES256,SHA384,,,,),
CS_ENTRY(0xC025, TLS,ECDH,ECDSA,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0xC025, ECDH,ECDSA,AES128,SHA256,,,,),
CS_ENTRY(0xC026, TLS,ECDH,ECDSA,WITH,AES,256,CBC,SHA384),
CS_ENTRY(0xC026, ECDH,ECDSA,AES256,SHA384,,,,),
CS_ENTRY(0xC027, TLS,ECDHE,RSA,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0xC027, ECDHE,RSA,AES128,SHA256,,,,),
CS_ENTRY(0xC028, TLS,ECDHE,RSA,WITH,AES,256,CBC,SHA384),
CS_ENTRY(0xC028, ECDHE,RSA,AES256,SHA384,,,,),
CS_ENTRY(0xC029, TLS,ECDH,RSA,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0xC029, ECDH,RSA,AES128,SHA256,,,,),
CS_ENTRY(0xC02A, TLS,ECDH,RSA,WITH,AES,256,CBC,SHA384),
CS_ENTRY(0xC02A, ECDH,RSA,AES256,SHA384,,,,),
CS_ENTRY(0xC02D, TLS,ECDH,ECDSA,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0xC02D, ECDH,ECDSA,AES128,GCM,SHA256,,,),
CS_ENTRY(0xC02E, TLS,ECDH,ECDSA,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0xC02E, ECDH,ECDSA,AES256,GCM,SHA384,,,),
CS_ENTRY(0xC031, TLS,ECDH,RSA,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0xC031, ECDH,RSA,AES128,GCM,SHA256,,,),
CS_ENTRY(0xC032, TLS,ECDH,RSA,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0xC032, ECDH,RSA,AES256,GCM,SHA384,,,),
#endif
#ifdef USE_MBEDTLS
CS_ENTRY(0x0001, TLS,RSA,WITH,NULL,MD5,,,),
CS_ENTRY(0x0001, NULL,MD5,,,,,,),
CS_ENTRY(0x0002, TLS,RSA,WITH,NULL,SHA,,,),
CS_ENTRY(0x0002, NULL,SHA,,,,,,),
CS_ENTRY(0x002C, TLS,PSK,WITH,NULL,SHA,,,),
CS_ENTRY(0x002C, PSK,NULL,SHA,,,,,),
CS_ENTRY(0x002D, TLS,DHE,PSK,WITH,NULL,SHA,,),
CS_ENTRY(0x002D, DHE,PSK,NULL,SHA,,,,),
CS_ENTRY(0x002E, TLS,RSA,PSK,WITH,NULL,SHA,,),
CS_ENTRY(0x002E, RSA,PSK,NULL,SHA,,,,),
CS_ENTRY(0x0033, TLS,DHE,RSA,WITH,AES,128,CBC,SHA),
CS_ENTRY(0x0033, DHE,RSA,AES128,SHA,,,,),
CS_ENTRY(0x0039, TLS,DHE,RSA,WITH,AES,256,CBC,SHA),
CS_ENTRY(0x0039, DHE,RSA,AES256,SHA,,,,),
CS_ENTRY(0x003B, TLS,RSA,WITH,NULL,SHA256,,,),
CS_ENTRY(0x003B, NULL,SHA256,,,,,,),
CS_ENTRY(0x0067, TLS,DHE,RSA,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0x0067, DHE,RSA,AES128,SHA256,,,,),
CS_ENTRY(0x006B, TLS,DHE,RSA,WITH,AES,256,CBC,SHA256),
CS_ENTRY(0x006B, DHE,RSA,AES256,SHA256,,,,),
CS_ENTRY(0x008C, TLS,PSK,WITH,AES,128,CBC,SHA,),
CS_ENTRY(0x008C, PSK,AES128,CBC,SHA,,,,),
CS_ENTRY(0x008D, TLS,PSK,WITH,AES,256,CBC,SHA,),
CS_ENTRY(0x008D, PSK,AES256,CBC,SHA,,,,),
CS_ENTRY(0x0090, TLS,DHE,PSK,WITH,AES,128,CBC,SHA),
CS_ENTRY(0x0090, DHE,PSK,AES128,CBC,SHA,,,),
CS_ENTRY(0x0091, TLS,DHE,PSK,WITH,AES,256,CBC,SHA),
CS_ENTRY(0x0091, DHE,PSK,AES256,CBC,SHA,,,),
CS_ENTRY(0x0094, TLS,RSA,PSK,WITH,AES,128,CBC,SHA),
CS_ENTRY(0x0094, RSA,PSK,AES128,CBC,SHA,,,),
CS_ENTRY(0x0095, TLS,RSA,PSK,WITH,AES,256,CBC,SHA),
CS_ENTRY(0x0095, RSA,PSK,AES256,CBC,SHA,,,),
CS_ENTRY(0x009E, TLS,DHE,RSA,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0x009E, DHE,RSA,AES128,GCM,SHA256,,,),
CS_ENTRY(0x009F, TLS,DHE,RSA,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0x009F, DHE,RSA,AES256,GCM,SHA384,,,),
CS_ENTRY(0x00A8, TLS,PSK,WITH,AES,128,GCM,SHA256,),
CS_ENTRY(0x00A8, PSK,AES128,GCM,SHA256,,,,),
CS_ENTRY(0x00A9, TLS,PSK,WITH,AES,256,GCM,SHA384,),
CS_ENTRY(0x00A9, PSK,AES256,GCM,SHA384,,,,),
CS_ENTRY(0x00AA, TLS,DHE,PSK,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0x00AA, DHE,PSK,AES128,GCM,SHA256,,,),
CS_ENTRY(0x00AB, TLS,DHE,PSK,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0x00AB, DHE,PSK,AES256,GCM,SHA384,,,),
CS_ENTRY(0x00AC, TLS,RSA,PSK,WITH,AES,128,GCM,SHA256),
CS_ENTRY(0x00AC, RSA,PSK,AES128,GCM,SHA256,,,),
CS_ENTRY(0x00AD, TLS,RSA,PSK,WITH,AES,256,GCM,SHA384),
CS_ENTRY(0x00AD, RSA,PSK,AES256,GCM,SHA384,,,),
CS_ENTRY(0x00AE, TLS,PSK,WITH,AES,128,CBC,SHA256,),
CS_ENTRY(0x00AE, PSK,AES128,CBC,SHA256,,,,),
CS_ENTRY(0x00AF, TLS,PSK,WITH,AES,256,CBC,SHA384,),
CS_ENTRY(0x00AF, PSK,AES256,CBC,SHA384,,,,),
CS_ENTRY(0x00B0, TLS,PSK,WITH,NULL,SHA256,,,),
CS_ENTRY(0x00B0, PSK,NULL,SHA256,,,,,),
CS_ENTRY(0x00B1, TLS,PSK,WITH,NULL,SHA384,,,),
CS_ENTRY(0x00B1, PSK,NULL,SHA384,,,,,),
CS_ENTRY(0x00B2, TLS,DHE,PSK,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0x00B2, DHE,PSK,AES128,CBC,SHA256,,,),
CS_ENTRY(0x00B3, TLS,DHE,PSK,WITH,AES,256,CBC,SHA384),
CS_ENTRY(0x00B3, DHE,PSK,AES256,CBC,SHA384,,,),
CS_ENTRY(0x00B4, TLS,DHE,PSK,WITH,NULL,SHA256,,),
CS_ENTRY(0x00B4, DHE,PSK,NULL,SHA256,,,,),
CS_ENTRY(0x00B5, TLS,DHE,PSK,WITH,NULL,SHA384,,),
CS_ENTRY(0x00B5, DHE,PSK,NULL,SHA384,,,,),
CS_ENTRY(0x00B6, TLS,RSA,PSK,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0x00B6, RSA,PSK,AES128,CBC,SHA256,,,),
CS_ENTRY(0x00B7, TLS,RSA,PSK,WITH,AES,256,CBC,SHA384),
CS_ENTRY(0x00B7, RSA,PSK,AES256,CBC,SHA384,,,),
CS_ENTRY(0x00B8, TLS,RSA,PSK,WITH,NULL,SHA256,,),
CS_ENTRY(0x00B8, RSA,PSK,NULL,SHA256,,,,),
CS_ENTRY(0x00B9, TLS,RSA,PSK,WITH,NULL,SHA384,,),
CS_ENTRY(0x00B9, RSA,PSK,NULL,SHA384,,,,),
CS_ENTRY(0xC001, TLS,ECDH,ECDSA,WITH,NULL,SHA,,),
CS_ENTRY(0xC001, ECDH,ECDSA,NULL,SHA,,,,),
CS_ENTRY(0xC006, TLS,ECDHE,ECDSA,WITH,NULL,SHA,,),
CS_ENTRY(0xC006, ECDHE,ECDSA,NULL,SHA,,,,),
CS_ENTRY(0xC00B, TLS,ECDH,RSA,WITH,NULL,SHA,,),
CS_ENTRY(0xC00B, ECDH,RSA,NULL,SHA,,,,),
CS_ENTRY(0xC010, TLS,ECDHE,RSA,WITH,NULL,SHA,,),
CS_ENTRY(0xC010, ECDHE,RSA,NULL,SHA,,,,),
CS_ENTRY(0xC035, TLS,ECDHE,PSK,WITH,AES,128,CBC,SHA),
CS_ENTRY(0xC035, ECDHE,PSK,AES128,CBC,SHA,,,),
CS_ENTRY(0xC036, TLS,ECDHE,PSK,WITH,AES,256,CBC,SHA),
CS_ENTRY(0xC036, ECDHE,PSK,AES256,CBC,SHA,,,),
CS_ENTRY(0xCCAB, TLS,PSK,WITH,CHACHA20,POLY1305,SHA256,,),
CS_ENTRY(0xCCAB, PSK,CHACHA20,POLY1305,,,,,),
#endif
#ifdef USE_MBEDTLS
CS_ENTRY(0xC09C, TLS,RSA,WITH,AES,128,CCM,,),
CS_ENTRY(0xC09C, AES128,CCM,,,,,,),
CS_ENTRY(0xC09D, TLS,RSA,WITH,AES,256,CCM,,),
CS_ENTRY(0xC09D, AES256,CCM,,,,,,),
CS_ENTRY(0xC0A0, TLS,RSA,WITH,AES,128,CCM,8,),
CS_ENTRY(0xC0A0, AES128,CCM8,,,,,,),
CS_ENTRY(0xC0A1, TLS,RSA,WITH,AES,256,CCM,8,),
CS_ENTRY(0xC0A1, AES256,CCM8,,,,,,),
CS_ENTRY(0xC0AC, TLS,ECDHE,ECDSA,WITH,AES,128,CCM,),
CS_ENTRY(0xC0AC, ECDHE,ECDSA,AES128,CCM,,,,),
CS_ENTRY(0xC0AD, TLS,ECDHE,ECDSA,WITH,AES,256,CCM,),
CS_ENTRY(0xC0AD, ECDHE,ECDSA,AES256,CCM,,,,),
CS_ENTRY(0xC0AE, TLS,ECDHE,ECDSA,WITH,AES,128,CCM,8),
CS_ENTRY(0xC0AE, ECDHE,ECDSA,AES128,CCM8,,,,),
CS_ENTRY(0xC0AF, TLS,ECDHE,ECDSA,WITH,AES,256,CCM,8),
CS_ENTRY(0xC0AF, ECDHE,ECDSA,AES256,CCM8,,,,),
#endif
#ifdef USE_MBEDTLS
/* entries marked ns are "non-standard", they are not in OpenSSL */
CS_ENTRY(0x0041, TLS,RSA,WITH,CAMELLIA,128,CBC,SHA,),
CS_ENTRY(0x0041, CAMELLIA128,SHA,,,,,,),
CS_ENTRY(0x0045, TLS,DHE,RSA,WITH,CAMELLIA,128,CBC,SHA),
CS_ENTRY(0x0045, DHE,RSA,CAMELLIA128,SHA,,,,),
CS_ENTRY(0x0084, TLS,RSA,WITH,CAMELLIA,256,CBC,SHA,),
CS_ENTRY(0x0084, CAMELLIA256,SHA,,,,,,),
CS_ENTRY(0x0088, TLS,DHE,RSA,WITH,CAMELLIA,256,CBC,SHA),
CS_ENTRY(0x0088, DHE,RSA,CAMELLIA256,SHA,,,,),
CS_ENTRY(0x00BA, TLS,RSA,WITH,CAMELLIA,128,CBC,SHA256,),
CS_ENTRY(0x00BA, CAMELLIA128,SHA256,,,,,,),
CS_ENTRY(0x00BE, TLS,DHE,RSA,WITH,CAMELLIA,128,CBC,SHA256),
CS_ENTRY(0x00BE, DHE,RSA,CAMELLIA128,SHA256,,,,),
CS_ENTRY(0x00C0, TLS,RSA,WITH,CAMELLIA,256,CBC,SHA256,),
CS_ENTRY(0x00C0, CAMELLIA256,SHA256,,,,,,),
CS_ENTRY(0x00C4, TLS,DHE,RSA,WITH,CAMELLIA,256,CBC,SHA256),
CS_ENTRY(0x00C4, DHE,RSA,CAMELLIA256,SHA256,,,,),
CS_ENTRY(0xC037, TLS,ECDHE,PSK,WITH,AES,128,CBC,SHA256),
CS_ENTRY(0xC037, ECDHE,PSK,AES128,CBC,SHA256,,,),
CS_ENTRY(0xC038, TLS,ECDHE,PSK,WITH,AES,256,CBC,SHA384),
CS_ENTRY(0xC038, ECDHE,PSK,AES256,CBC,SHA384,,,),
CS_ENTRY(0xC039, TLS,ECDHE,PSK,WITH,NULL,SHA,,),
CS_ENTRY(0xC039, ECDHE,PSK,NULL,SHA,,,,),
CS_ENTRY(0xC03A, TLS,ECDHE,PSK,WITH,NULL,SHA256,,),
CS_ENTRY(0xC03A, ECDHE,PSK,NULL,SHA256,,,,),
CS_ENTRY(0xC03B, TLS,ECDHE,PSK,WITH,NULL,SHA384,,),
CS_ENTRY(0xC03B, ECDHE,PSK,NULL,SHA384,,,,),
CS_ENTRY(0xC03C, TLS,RSA,WITH,ARIA,128,CBC,SHA256,),
CS_ENTRY(0xC03C, ARIA128,SHA256,,,,,,), /* ns */
CS_ENTRY(0xC03D, TLS,RSA,WITH,ARIA,256,CBC,SHA384,),
CS_ENTRY(0xC03D, ARIA256,SHA384,,,,,,), /* ns */
CS_ENTRY(0xC044, TLS,DHE,RSA,WITH,ARIA,128,CBC,SHA256),
CS_ENTRY(0xC044, DHE,RSA,ARIA128,SHA256,,,,), /* ns */
CS_ENTRY(0xC045, TLS,DHE,RSA,WITH,ARIA,256,CBC,SHA384),
CS_ENTRY(0xC045, DHE,RSA,ARIA256,SHA384,,,,), /* ns */
CS_ENTRY(0xC048, TLS,ECDHE,ECDSA,WITH,ARIA,128,CBC,SHA256),
CS_ENTRY(0xC048, ECDHE,ECDSA,ARIA128,SHA256,,,,), /* ns */
CS_ENTRY(0xC049, TLS,ECDHE,ECDSA,WITH,ARIA,256,CBC,SHA384),
CS_ENTRY(0xC049, ECDHE,ECDSA,ARIA256,SHA384,,,,), /* ns */
CS_ENTRY(0xC04A, TLS,ECDH,ECDSA,WITH,ARIA,128,CBC,SHA256),
CS_ENTRY(0xC04A, ECDH,ECDSA,ARIA128,SHA256,,,,), /* ns */
CS_ENTRY(0xC04B, TLS,ECDH,ECDSA,WITH,ARIA,256,CBC,SHA384),
CS_ENTRY(0xC04B, ECDH,ECDSA,ARIA256,SHA384,,,,), /* ns */
CS_ENTRY(0xC04C, TLS,ECDHE,RSA,WITH,ARIA,128,CBC,SHA256),
CS_ENTRY(0xC04C, ECDHE,ARIA128,SHA256,,,,,), /* ns */
CS_ENTRY(0xC04D, TLS,ECDHE,RSA,WITH,ARIA,256,CBC,SHA384),
CS_ENTRY(0xC04D, ECDHE,ARIA256,SHA384,,,,,), /* ns */
CS_ENTRY(0xC04E, TLS,ECDH,RSA,WITH,ARIA,128,CBC,SHA256),
CS_ENTRY(0xC04E, ECDH,ARIA128,SHA256,,,,,), /* ns */
CS_ENTRY(0xC04F, TLS,ECDH,RSA,WITH,ARIA,256,CBC,SHA384),
CS_ENTRY(0xC04F, ECDH,ARIA256,SHA384,,,,,), /* ns */
CS_ENTRY(0xC050, TLS,RSA,WITH,ARIA,128,GCM,SHA256,),
CS_ENTRY(0xC050, ARIA128,GCM,SHA256,,,,,),
CS_ENTRY(0xC051, TLS,RSA,WITH,ARIA,256,GCM,SHA384,),
CS_ENTRY(0xC051, ARIA256,GCM,SHA384,,,,,),
CS_ENTRY(0xC052, TLS,DHE,RSA,WITH,ARIA,128,GCM,SHA256),
CS_ENTRY(0xC052, DHE,RSA,ARIA128,GCM,SHA256,,,),
CS_ENTRY(0xC053, TLS,DHE,RSA,WITH,ARIA,256,GCM,SHA384),
CS_ENTRY(0xC053, DHE,RSA,ARIA256,GCM,SHA384,,,),
CS_ENTRY(0xC05C, TLS,ECDHE,ECDSA,WITH,ARIA,128,GCM,SHA256),
CS_ENTRY(0xC05C, ECDHE,ECDSA,ARIA128,GCM,SHA256,,,),
CS_ENTRY(0xC05D, TLS,ECDHE,ECDSA,WITH,ARIA,256,GCM,SHA384),
CS_ENTRY(0xC05D, ECDHE,ECDSA,ARIA256,GCM,SHA384,,,),
CS_ENTRY(0xC05E, TLS,ECDH,ECDSA,WITH,ARIA,128,GCM,SHA256),
CS_ENTRY(0xC05E, ECDH,ECDSA,ARIA128,GCM,SHA256,,,), /* ns */
CS_ENTRY(0xC05F, TLS,ECDH,ECDSA,WITH,ARIA,256,GCM,SHA384),
CS_ENTRY(0xC05F, ECDH,ECDSA,ARIA256,GCM,SHA384,,,), /* ns */
CS_ENTRY(0xC060, TLS,ECDHE,RSA,WITH,ARIA,128,GCM,SHA256),
CS_ENTRY(0xC060, ECDHE,ARIA128,GCM,SHA256,,,,),
CS_ENTRY(0xC061, TLS,ECDHE,RSA,WITH,ARIA,256,GCM,SHA384),
CS_ENTRY(0xC061, ECDHE,ARIA256,GCM,SHA384,,,,),
CS_ENTRY(0xC062, TLS,ECDH,RSA,WITH,ARIA,128,GCM,SHA256),
CS_ENTRY(0xC062, ECDH,ARIA128,GCM,SHA256,,,,), /* ns */
CS_ENTRY(0xC063, TLS,ECDH,RSA,WITH,ARIA,256,GCM,SHA384),
CS_ENTRY(0xC063, ECDH,ARIA256,GCM,SHA384,,,,), /* ns */
CS_ENTRY(0xC064, TLS,PSK,WITH,ARIA,128,CBC,SHA256,),
CS_ENTRY(0xC064, PSK,ARIA128,SHA256,,,,,), /* ns */
CS_ENTRY(0xC065, TLS,PSK,WITH,ARIA,256,CBC,SHA384,),
CS_ENTRY(0xC065, PSK,ARIA256,SHA384,,,,,), /* ns */
CS_ENTRY(0xC066, TLS,DHE,PSK,WITH,ARIA,128,CBC,SHA256),
CS_ENTRY(0xC066, DHE,PSK,ARIA128,SHA256,,,,), /* ns */
CS_ENTRY(0xC067, TLS,DHE,PSK,WITH,ARIA,256,CBC,SHA384),
CS_ENTRY(0xC067, DHE,PSK,ARIA256,SHA384,,,,), /* ns */
CS_ENTRY(0xC068, TLS,RSA,PSK,WITH,ARIA,128,CBC,SHA256),
CS_ENTRY(0xC068, RSA,PSK,ARIA128,SHA256,,,,), /* ns */
CS_ENTRY(0xC069, TLS,RSA,PSK,WITH,ARIA,256,CBC,SHA384),
CS_ENTRY(0xC069, RSA,PSK,ARIA256,SHA384,,,,), /* ns */
CS_ENTRY(0xC06A, TLS,PSK,WITH,ARIA,128,GCM,SHA256,),
CS_ENTRY(0xC06A, PSK,ARIA128,GCM,SHA256,,,,),
CS_ENTRY(0xC06B, TLS,PSK,WITH,ARIA,256,GCM,SHA384,),
CS_ENTRY(0xC06B, PSK,ARIA256,GCM,SHA384,,,,),
CS_ENTRY(0xC06C, TLS,DHE,PSK,WITH,ARIA,128,GCM,SHA256),
CS_ENTRY(0xC06C, DHE,PSK,ARIA128,GCM,SHA256,,,),
CS_ENTRY(0xC06D, TLS,DHE,PSK,WITH,ARIA,256,GCM,SHA384),
CS_ENTRY(0xC06D, DHE,PSK,ARIA256,GCM,SHA384,,,),
CS_ENTRY(0xC06E, TLS,RSA,PSK,WITH,ARIA,128,GCM,SHA256),
CS_ENTRY(0xC06E, RSA,PSK,ARIA128,GCM,SHA256,,,),
CS_ENTRY(0xC06F, TLS,RSA,PSK,WITH,ARIA,256,GCM,SHA384),
CS_ENTRY(0xC06F, RSA,PSK,ARIA256,GCM,SHA384,,,),
CS_ENTRY(0xC070, TLS,ECDHE,PSK,WITH,ARIA,128,CBC,SHA256),
CS_ENTRY(0xC070, ECDHE,PSK,ARIA128,SHA256,,,,), /* ns */
CS_ENTRY(0xC071, TLS,ECDHE,PSK,WITH,ARIA,256,CBC,SHA384),
CS_ENTRY(0xC071, ECDHE,PSK,ARIA256,SHA384,,,,), /* ns */
CS_ENTRY(0xC072, TLS,ECDHE,ECDSA,WITH,CAMELLIA,128,CBC,SHA256),
CS_ENTRY(0xC072, ECDHE,ECDSA,CAMELLIA128,SHA256,,,,),
CS_ENTRY(0xC073, TLS,ECDHE,ECDSA,WITH,CAMELLIA,256,CBC,SHA384),
CS_ENTRY(0xC073, ECDHE,ECDSA,CAMELLIA256,SHA384,,,,),
CS_ENTRY(0xC074, TLS,ECDH,ECDSA,WITH,CAMELLIA,128,CBC,SHA256),
CS_ENTRY(0xC074, ECDH,ECDSA,CAMELLIA128,SHA256,,,,), /* ns */
CS_ENTRY(0xC075, TLS,ECDH,ECDSA,WITH,CAMELLIA,256,CBC,SHA384),
CS_ENTRY(0xC075, ECDH,ECDSA,CAMELLIA256,SHA384,,,,), /* ns */
CS_ENTRY(0xC076, TLS,ECDHE,RSA,WITH,CAMELLIA,128,CBC,SHA256),
CS_ENTRY(0xC076, ECDHE,RSA,CAMELLIA128,SHA256,,,,),
CS_ENTRY(0xC077, TLS,ECDHE,RSA,WITH,CAMELLIA,256,CBC,SHA384),
CS_ENTRY(0xC077, ECDHE,RSA,CAMELLIA256,SHA384,,,,),
CS_ENTRY(0xC078, TLS,ECDH,RSA,WITH,CAMELLIA,128,CBC,SHA256),
CS_ENTRY(0xC078, ECDH,CAMELLIA128,SHA256,,,,,), /* ns */
CS_ENTRY(0xC079, TLS,ECDH,RSA,WITH,CAMELLIA,256,CBC,SHA384),
CS_ENTRY(0xC079, ECDH,CAMELLIA256,SHA384,,,,,), /* ns */
CS_ENTRY(0xC07A, TLS,RSA,WITH,CAMELLIA,128,GCM,SHA256,),
CS_ENTRY(0xC07A, CAMELLIA128,GCM,SHA256,,,,,), /* ns */
CS_ENTRY(0xC07B, TLS,RSA,WITH,CAMELLIA,256,GCM,SHA384,),
CS_ENTRY(0xC07B, CAMELLIA256,GCM,SHA384,,,,,), /* ns */
CS_ENTRY(0xC07C, TLS,DHE,RSA,WITH,CAMELLIA,128,GCM,SHA256),
CS_ENTRY(0xC07C, DHE,RSA,CAMELLIA128,GCM,SHA256,,,), /* ns */
CS_ENTRY(0xC07D, TLS,DHE,RSA,WITH,CAMELLIA,256,GCM,SHA384),
CS_ENTRY(0xC07D, DHE,RSA,CAMELLIA256,GCM,SHA384,,,), /* ns */
CS_ENTRY(0xC086, TLS,ECDHE,ECDSA,WITH,CAMELLIA,128,GCM,SHA256),
CS_ENTRY(0xC086, ECDHE,ECDSA,CAMELLIA128,GCM,SHA256,,,), /* ns */
CS_ENTRY(0xC087, TLS,ECDHE,ECDSA,WITH,CAMELLIA,256,GCM,SHA384),
CS_ENTRY(0xC087, ECDHE,ECDSA,CAMELLIA256,GCM,SHA384,,,), /* ns */
CS_ENTRY(0xC088, TLS,ECDH,ECDSA,WITH,CAMELLIA,128,GCM,SHA256),
CS_ENTRY(0xC088, ECDH,ECDSA,CAMELLIA128,GCM,SHA256,,,), /* ns */
CS_ENTRY(0xC089, TLS,ECDH,ECDSA,WITH,CAMELLIA,256,GCM,SHA384),
CS_ENTRY(0xC089, ECDH,ECDSA,CAMELLIA256,GCM,SHA384,,,), /* ns */
CS_ENTRY(0xC08A, TLS,ECDHE,RSA,WITH,CAMELLIA,128,GCM,SHA256),
CS_ENTRY(0xC08A, ECDHE,CAMELLIA128,GCM,SHA256,,,,), /* ns */
CS_ENTRY(0xC08B, TLS,ECDHE,RSA,WITH,CAMELLIA,256,GCM,SHA384),
CS_ENTRY(0xC08B, ECDHE,CAMELLIA256,GCM,SHA384,,,,), /* ns */
CS_ENTRY(0xC08C, TLS,ECDH,RSA,WITH,CAMELLIA,128,GCM,SHA256),
CS_ENTRY(0xC08C, ECDH,CAMELLIA128,GCM,SHA256,,,,), /* ns */
CS_ENTRY(0xC08D, TLS,ECDH,RSA,WITH,CAMELLIA,256,GCM,SHA384),
CS_ENTRY(0xC08D, ECDH,CAMELLIA256,GCM,SHA384,,,,), /* ns */
CS_ENTRY(0xC08E, TLS,PSK,WITH,CAMELLIA,128,GCM,SHA256,),
CS_ENTRY(0xC08E, PSK,CAMELLIA128,GCM,SHA256,,,,), /* ns */
CS_ENTRY(0xC08F, TLS,PSK,WITH,CAMELLIA,256,GCM,SHA384,),
CS_ENTRY(0xC08F, PSK,CAMELLIA256,GCM,SHA384,,,,), /* ns */
CS_ENTRY(0xC090, TLS,DHE,PSK,WITH,CAMELLIA,128,GCM,SHA256),
CS_ENTRY(0xC090, DHE,PSK,CAMELLIA128,GCM,SHA256,,,), /* ns */
CS_ENTRY(0xC091, TLS,DHE,PSK,WITH,CAMELLIA,256,GCM,SHA384),
CS_ENTRY(0xC091, DHE,PSK,CAMELLIA256,GCM,SHA384,,,), /* ns */
CS_ENTRY(0xC092, TLS,RSA,PSK,WITH,CAMELLIA,128,GCM,SHA256),
CS_ENTRY(0xC092, RSA,PSK,CAMELLIA128,GCM,SHA256,,,), /* ns */
CS_ENTRY(0xC093, TLS,RSA,PSK,WITH,CAMELLIA,256,GCM,SHA384),
CS_ENTRY(0xC093, RSA,PSK,CAMELLIA256,GCM,SHA384,,,), /* ns */
CS_ENTRY(0xC094, TLS,PSK,WITH,CAMELLIA,128,CBC,SHA256,),
CS_ENTRY(0xC094, PSK,CAMELLIA128,SHA256,,,,,),
CS_ENTRY(0xC095, TLS,PSK,WITH,CAMELLIA,256,CBC,SHA384,),
CS_ENTRY(0xC095, PSK,CAMELLIA256,SHA384,,,,,),
CS_ENTRY(0xC096, TLS,DHE,PSK,WITH,CAMELLIA,128,CBC,SHA256),
CS_ENTRY(0xC096, DHE,PSK,CAMELLIA128,SHA256,,,,),
CS_ENTRY(0xC097, TLS,DHE,PSK,WITH,CAMELLIA,256,CBC,SHA384),
CS_ENTRY(0xC097, DHE,PSK,CAMELLIA256,SHA384,,,,),
CS_ENTRY(0xC098, TLS,RSA,PSK,WITH,CAMELLIA,128,CBC,SHA256),
CS_ENTRY(0xC098, RSA,PSK,CAMELLIA128,SHA256,,,,),
CS_ENTRY(0xC099, TLS,RSA,PSK,WITH,CAMELLIA,256,CBC,SHA384),
CS_ENTRY(0xC099, RSA,PSK,CAMELLIA256,SHA384,,,,),
CS_ENTRY(0xC09A, TLS,ECDHE,PSK,WITH,CAMELLIA,128,CBC,SHA256),
CS_ENTRY(0xC09A, ECDHE,PSK,CAMELLIA128,SHA256,,,,),
CS_ENTRY(0xC09B, TLS,ECDHE,PSK,WITH,CAMELLIA,256,CBC,SHA384),
CS_ENTRY(0xC09B, ECDHE,PSK,CAMELLIA256,SHA384,,,,),
CS_ENTRY(0xC09E, TLS,DHE,RSA,WITH,AES,128,CCM,),
CS_ENTRY(0xC09E, DHE,RSA,AES128,CCM,,,,),
CS_ENTRY(0xC09F, TLS,DHE,RSA,WITH,AES,256,CCM,),
CS_ENTRY(0xC09F, DHE,RSA,AES256,CCM,,,,),
CS_ENTRY(0xC0A2, TLS,DHE,RSA,WITH,AES,128,CCM,8),
CS_ENTRY(0xC0A2, DHE,RSA,AES128,CCM8,,,,),
CS_ENTRY(0xC0A3, TLS,DHE,RSA,WITH,AES,256,CCM,8),
CS_ENTRY(0xC0A3, DHE,RSA,AES256,CCM8,,,,),
CS_ENTRY(0xC0A4, TLS,PSK,WITH,AES,128,CCM,,),
CS_ENTRY(0xC0A4, PSK,AES128,CCM,,,,,),
CS_ENTRY(0xC0A5, TLS,PSK,WITH,AES,256,CCM,,),
CS_ENTRY(0xC0A5, PSK,AES256,CCM,,,,,),
CS_ENTRY(0xC0A6, TLS,DHE,PSK,WITH,AES,128,CCM,),
CS_ENTRY(0xC0A6, DHE,PSK,AES128,CCM,,,,),
CS_ENTRY(0xC0A7, TLS,DHE,PSK,WITH,AES,256,CCM,),
CS_ENTRY(0xC0A7, DHE,PSK,AES256,CCM,,,,),
CS_ENTRY(0xC0A8, TLS,PSK,WITH,AES,128,CCM,8,),
CS_ENTRY(0xC0A8, PSK,AES128,CCM8,,,,,),
CS_ENTRY(0xC0A9, TLS,PSK,WITH,AES,256,CCM,8,),
CS_ENTRY(0xC0A9, PSK,AES256,CCM8,,,,,),
CS_ENTRY(0xC0AA, TLS,PSK,DHE,WITH,AES,128,CCM,8),
CS_ENTRY(0xC0AA, DHE,PSK,AES128,CCM8,,,,),
CS_ENTRY(0xC0AB, TLS,PSK,DHE,WITH,AES,256,CCM,8),
CS_ENTRY(0xC0AB, DHE,PSK,AES256,CCM8,,,,),
CS_ENTRY(0xCCAA, TLS,DHE,RSA,WITH,CHACHA20,POLY1305,SHA256,),
CS_ENTRY(0xCCAA, DHE,RSA,CHACHA20,POLY1305,,,,),
CS_ENTRY(0xCCAC, TLS,ECDHE,PSK,WITH,CHACHA20,POLY1305,SHA256,),
CS_ENTRY(0xCCAC, ECDHE,PSK,CHACHA20,POLY1305,,,,),
CS_ENTRY(0xCCAD, TLS,DHE,PSK,WITH,CHACHA20,POLY1305,SHA256,),
CS_ENTRY(0xCCAD, DHE,PSK,CHACHA20,POLY1305,,,,),
CS_ENTRY(0xCCAE, TLS,RSA,PSK,WITH,CHACHA20,POLY1305,SHA256,),
CS_ENTRY(0xCCAE, RSA,PSK,CHACHA20,POLY1305,,,,),
#endif
};
#define CS_LIST_LEN CURL_ARRAYSIZE(cs_list)
static int cs_str_to_zip(const char *cs_str, size_t cs_len,
uint8_t zip[6])
{
uint8_t indexes[8] = {0};
const char *entry, *cur;
const char *nxt = cs_str;
const char *end = cs_str + cs_len;
char separator = '-';
int idx, i = 0;
size_t len;
/* split the cipher string by '-' or '_' */
if(curl_strnequal(cs_str, "TLS", 3))
separator = '_';
do {
if(i == 8)
return -1;
/* determine the length of the part */
cur = nxt;
for(; nxt < end && *nxt != '\0' && *nxt != separator; nxt++);
len = nxt - cur;
/* lookup index for the part (skip empty string at 0) */
for(idx = 1, entry = cs_txt + 1; idx < CS_TXT_LEN; idx++) {
size_t elen = strlen(entry);
if(elen == len && curl_strnequal(entry, cur, len))
break;
entry += elen + 1;
}
if(idx == CS_TXT_LEN)
return -1;
indexes[i++] = (uint8_t) idx;
} while(nxt < end && *(nxt++) != '\0');
/* zip the 8 indexes into 48 bits */
zip[0] = (uint8_t) (indexes[0] << 2 | (indexes[1] & 0x3F) >> 4);
zip[1] = (uint8_t) (indexes[1] << 4 | (indexes[2] & 0x3F) >> 2);
zip[2] = (uint8_t) (indexes[2] << 6 | (indexes[3] & 0x3F));
zip[3] = (uint8_t) (indexes[4] << 2 | (indexes[5] & 0x3F) >> 4);
zip[4] = (uint8_t) (indexes[5] << 4 | (indexes[6] & 0x3F) >> 2);
zip[5] = (uint8_t) (indexes[6] << 6 | (indexes[7] & 0x3F));
return 0;
}
static int cs_zip_to_str(const uint8_t zip[6],
char *buf, size_t buf_size)
{
uint8_t indexes[8] = {0};
const char *entry;
char separator = '-';
int idx, i, r;
size_t len = 0;
/* unzip the 8 indexes */
indexes[0] = zip[0] >> 2;
indexes[1] = (uint8_t)(((zip[0] << 4) & 0x3F) | zip[1] >> 4);
indexes[2] = (uint8_t)(((zip[1] << 2) & 0x3F) | zip[2] >> 6);
indexes[3] = ((zip[2] << 0) & 0x3F);
indexes[4] = zip[3] >> 2;
indexes[5] = (uint8_t)(((zip[3] << 4) & 0x3F) | zip[4] >> 4);
indexes[6] = (uint8_t)(((zip[4] << 2) & 0x3F) | zip[5] >> 6);
indexes[7] = ((zip[5] << 0) & 0x3F);
if(indexes[0] == CS_TXT_IDX_TLS)
separator = '_';
for(i = 0; i < 8 && indexes[i] != 0 && len < buf_size; i++) {
if(indexes[i] >= CS_TXT_LEN)
return -1;
/* lookup the part string for the index (skip empty string at 0) */
for(idx = 1, entry = cs_txt + 1; idx < indexes[i]; idx++) {
size_t elen = strlen(entry);
entry += elen + 1;
}
/* append the part string to the buffer */
if(i > 0)
r = curl_msnprintf(&buf[len], buf_size - len, "%c%s", separator, entry);
else
r = curl_msnprintf(&buf[len], buf_size - len, "%s", entry);
if(r < 0)
return -1;
len += r;
}
return 0;
}
uint16_t Curl_cipher_suite_lookup_id(const char *cs_str, size_t cs_len)
{
size_t i;
uint8_t zip[6];
if(cs_len > 0 && cs_str_to_zip(cs_str, cs_len, zip) == 0) {
for(i = 0; i < CS_LIST_LEN; i++) {
if(memcmp(cs_list[i].zip, zip, sizeof(zip)) == 0)
return cs_list[i].id;
}
}
return 0;
}
static bool cs_is_separator(char c)
{
switch(c) {
case ' ':
case '\t':
case ':':
case ',':
case ';':
return TRUE;
default:;
}
return FALSE;
}
uint16_t Curl_cipher_suite_walk_str(const char **str, const char **end)
{
/* move string pointer to first non-separator or end of string */
for(; cs_is_separator(*str[0]); (*str)++);
/* move end pointer to next separator or end of string */
for(*end = *str; *end[0] != '\0' && !cs_is_separator(*end[0]); (*end)++);
return Curl_cipher_suite_lookup_id(*str, *end - *str);
}
int Curl_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
bool prefer_rfc)
{
size_t i, j = CS_LIST_LEN;
int r = -1;
for(i = 0; i < CS_LIST_LEN; i++) {
if(cs_list[i].id != id)
continue;
if((cs_list[i].zip[0] >> 2 != CS_TXT_IDX_TLS) == !prefer_rfc) {
j = i;
break;
}
if(j == CS_LIST_LEN)
j = i;
}
if(j < CS_LIST_LEN)
r = cs_zip_to_str(cs_list[j].zip, buf, buf_size);
if(r < 0)
curl_msnprintf(buf, buf_size, "TLS_UNKNOWN_0x%04x", id);
return r;
}
#endif /* defined(USE_MBEDTLS) || defined(USE_RUSTLS) */
External/curl-8.17.0/lib/vtls/cipher_suite.h
Vendored
+46
View File
@@ -0,0 +1,46 @@
#ifndef HEADER_CURL_CIPHER_SUITE_H
#define HEADER_CURL_CIPHER_SUITE_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Jan Venekamp, <jan@venekamp.net>
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#include <stdint.h>
/* Lookup IANA id for cipher suite string, returns 0 if not recognized */
uint16_t Curl_cipher_suite_lookup_id(const char *cs_str, size_t cs_len);
/* Walk over cipher suite string, update str and end pointers to next
cipher suite in string, returns IANA id of that suite if recognized */
uint16_t Curl_cipher_suite_walk_str(const char **str, const char **end);
/* Copy openssl or RFC name for cipher suite in supplied buffer.
Caller is responsible to supply sufficiently large buffer (size
of 64 should suffice), excess bytes are silently truncated. */
int Curl_cipher_suite_get_str(uint16_t id, char *buf, size_t buf_size,
bool prefer_rfc);
#endif /* defined(USE_MBEDTLS) || defined(USE_RUSTLS) */
#endif /* HEADER_CURL_CIPHER_SUITE_H */
External/curl-8.17.0/lib/vtls/gtls.c
Vendored
+2364
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/gtls.h
Vendored
+128
View File
@@ -0,0 +1,128 @@
#ifndef HEADER_CURL_GTLS_H
#define HEADER_CURL_GTLS_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#include <curl/curl.h>
#ifdef USE_GNUTLS
#include <gnutls/gnutls.h>
#include "../curlx/timeval.h"
#ifdef HAVE_GNUTLS_SRP
/* the function exists */
#ifdef USE_TLS_SRP
/* the functionality is not disabled */
#define USE_GNUTLS_SRP
#endif
#endif
struct Curl_easy;
struct Curl_cfilter;
struct alpn_spec;
struct ssl_primary_config;
struct ssl_config_data;
struct ssl_peer;
struct ssl_connect_data;
struct Curl_ssl_session;
int Curl_glts_get_ietf_proto(gnutls_session_t session);
struct gtls_shared_creds {
gnutls_certificate_credentials_t creds;
char *CAfile; /* CAfile path used to generate X509 store */
struct curltime time; /* when the shared creds was created */
size_t refcount;
BIT(trust_setup); /* x509 anchors + CRLs have been set up */
};
CURLcode Curl_gtls_shared_creds_create(struct Curl_easy *data,
struct gtls_shared_creds **pcreds);
CURLcode Curl_gtls_shared_creds_up_ref(struct gtls_shared_creds *creds);
void Curl_gtls_shared_creds_free(struct gtls_shared_creds **pcreds);
struct gtls_ctx {
gnutls_session_t session;
struct gtls_shared_creds *shared_creds;
#ifdef USE_GNUTLS_SRP
gnutls_srp_client_credentials_t srp_client_cred;
#endif
CURLcode io_result; /* result of last IO cfilter operation */
BIT(sent_shutdown);
};
size_t Curl_gtls_version(char *buffer, size_t size);
typedef CURLcode Curl_gtls_ctx_setup_cb(struct Curl_cfilter *cf,
struct Curl_easy *data,
void *user_data);
typedef CURLcode Curl_gtls_init_session_reuse_cb(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct alpn_spec *alpns,
struct Curl_ssl_session *scs,
bool *do_early_data);
CURLcode Curl_gtls_ctx_init(struct gtls_ctx *gctx,
struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer,
const struct alpn_spec *alpns,
Curl_gtls_ctx_setup_cb *cb_setup,
void *cb_user_data,
void *ssl_user_data,
Curl_gtls_init_session_reuse_cb *sess_reuse_cb);
CURLcode Curl_gtls_client_trust_setup(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct gtls_ctx *gtls);
CURLcode Curl_gtls_verifyserver(struct Curl_cfilter *cf,
struct Curl_easy *data,
gnutls_session_t session,
struct ssl_primary_config *config,
struct ssl_config_data *ssl_config,
struct ssl_peer *peer,
const char *pinned_key);
/* Extract TLS session and place in cache, if configured. */
CURLcode Curl_gtls_cache_session(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
gnutls_session_t session,
curl_off_t valid_until,
const char *alpn,
unsigned char *quic_tp,
size_t quic_tp_len);
/* Report properties of a successful handshake */
void Curl_gtls_report_handshake(struct Curl_easy *data,
struct gtls_ctx *gctx);
extern const struct Curl_ssl Curl_ssl_gnutls;
#endif /* USE_GNUTLS */
#endif /* HEADER_CURL_GTLS_H */
External/curl-8.17.0/lib/vtls/hostcheck.c
Vendored
+132
View File
@@ -0,0 +1,132 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_OPENSSL) || defined(USE_SCHANNEL)
/* these backends use functions from this file */
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif
#ifdef HAVE_NETINET_IN6_H
#include <netinet/in6.h>
#endif
#include "../curl_memrchr.h"
#include "hostcheck.h"
#include "../hostip.h"
#include "../curl_memory.h"
/* The last #include file should be: */
#include "../memdebug.h"
/* check the two input strings with given length, but do not
assume they end in nul-bytes */
static bool pmatch(const char *hostname, size_t hostlen,
const char *pattern, size_t patternlen)
{
if(hostlen != patternlen)
return FALSE;
return curl_strnequal(hostname, pattern, hostlen);
}
/*
* Match a hostname against a wildcard pattern.
* E.g.
* "foo.host.com" matches "*.host.com".
*
* We use the matching rule described in RFC6125, section 6.4.3.
* https://datatracker.ietf.org/doc/html/rfc6125#section-6.4.3
*
* In addition: ignore trailing dots in the hostnames and wildcards, so that
* the names are used normalized. This is what the browsers do.
*
* Do not allow wildcard matching on IP numbers. There are apparently
* certificates being used with an IP address in the CN field, thus making no
* apparent distinction between a name and an IP. We need to detect the use of
* an IP address and not wildcard match on such names.
*
* Only match on "*" being used for the leftmost label, not "a*", "a*b" nor
* "*b".
*
* Return TRUE on a match. FALSE if not.
*
* @unittest: 1397
*/
static bool hostmatch(const char *hostname,
size_t hostlen,
const char *pattern,
size_t patternlen)
{
const char *pattern_label_end;
DEBUGASSERT(pattern);
DEBUGASSERT(patternlen);
DEBUGASSERT(hostname);
DEBUGASSERT(hostlen);
/* normalize pattern and hostname by stripping off trailing dots */
if(hostname[hostlen-1]=='.')
hostlen--;
if(pattern[patternlen-1]=='.')
patternlen--;
if(strncmp(pattern, "*.", 2))
return pmatch(hostname, hostlen, pattern, patternlen);
/* detect IP address as hostname and fail the match if so */
else if(Curl_host_is_ipnum(hostname))
return FALSE;
/* We require at least 2 dots in the pattern to avoid too wide wildcard
match. */
pattern_label_end = memchr(pattern, '.', patternlen);
if(!pattern_label_end ||
(memrchr(pattern, '.', patternlen) == pattern_label_end))
return pmatch(hostname, hostlen, pattern, patternlen);
else {
const char *hostname_label_end = memchr(hostname, '.', hostlen);
if(hostname_label_end) {
size_t skiphost = hostname_label_end - hostname;
size_t skiplen = pattern_label_end - pattern;
return pmatch(hostname_label_end, hostlen - skiphost,
pattern_label_end, patternlen - skiplen);
}
}
return FALSE;
}
/*
* Curl_cert_hostcheck() returns TRUE if a match and FALSE if not.
*/
bool Curl_cert_hostcheck(const char *match, size_t matchlen,
const char *hostname, size_t hostlen)
{
if(match && *match && hostname && *hostname)
return hostmatch(hostname, hostlen, match, matchlen);
return FALSE;
}
#endif /* OPENSSL or SCHANNEL */
External/curl-8.17.0/lib/vtls/hostcheck.h
Vendored
+37
View File
@@ -0,0 +1,37 @@
#ifndef HEADER_CURL_HOSTCHECK_H
#define HEADER_CURL_HOSTCHECK_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include <curl/curl.h>
#if defined(USE_OPENSSL) || defined(USE_SCHANNEL)
/* returns TRUE if there is a match */
bool Curl_cert_hostcheck(const char *match_pattern, size_t matchlen,
const char *hostname, size_t hostlen);
#endif
#endif /* HEADER_CURL_HOSTCHECK_H */
External/curl-8.17.0/lib/vtls/keylog.c
Vendored
+157
View File
@@ -0,0 +1,157 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_OPENSSL) || \
defined(USE_GNUTLS) || \
defined(USE_WOLFSSL) || \
(defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || \
defined(USE_QUICHE) || \
defined(USE_RUSTLS)
#include "keylog.h"
#include <curl/curl.h>
#include "../escape.h"
#include "../curlx/fopen.h"
/* The last #include files should be: */
#include "../curl_memory.h"
#include "../memdebug.h"
/* The fp for the open SSLKEYLOGFILE, or NULL if not open */
static FILE *keylog_file_fp;
void
Curl_tls_keylog_open(void)
{
char *keylog_file_name;
if(!keylog_file_fp) {
keylog_file_name = curl_getenv("SSLKEYLOGFILE");
if(keylog_file_name) {
keylog_file_fp = curlx_fopen(keylog_file_name, FOPEN_APPENDTEXT);
if(keylog_file_fp) {
#ifdef _WIN32
if(setvbuf(keylog_file_fp, NULL, _IONBF, 0))
#else
if(setvbuf(keylog_file_fp, NULL, _IOLBF, 4096))
#endif
{
curlx_fclose(keylog_file_fp);
keylog_file_fp = NULL;
}
}
Curl_safefree(keylog_file_name);
}
}
}
void
Curl_tls_keylog_close(void)
{
if(keylog_file_fp) {
curlx_fclose(keylog_file_fp);
keylog_file_fp = NULL;
}
}
bool
Curl_tls_keylog_enabled(void)
{
return keylog_file_fp != NULL;
}
bool
Curl_tls_keylog_write_line(const char *line)
{
/* The current maximum valid keylog line length LF and NUL is 195. */
size_t linelen;
char buf[256];
if(!keylog_file_fp || !line) {
return FALSE;
}
linelen = strlen(line);
if(linelen == 0 || linelen > sizeof(buf) - 2) {
/* Empty line or too big to fit in an LF and NUL. */
return FALSE;
}
memcpy(buf, line, linelen);
if(line[linelen - 1] != '\n') {
buf[linelen++] = '\n';
}
buf[linelen] = '\0';
/* Using fputs here instead of fprintf since libcurl's fprintf replacement
may not be thread-safe. */
fputs(buf, keylog_file_fp);
return TRUE;
}
bool
Curl_tls_keylog_write(const char *label,
const unsigned char client_random[CLIENT_RANDOM_SIZE],
const unsigned char *secret, size_t secretlen)
{
size_t pos, i;
unsigned char line[KEYLOG_LABEL_MAXLEN + 1 + 2 * CLIENT_RANDOM_SIZE + 1 +
2 * SECRET_MAXLEN + 1 + 1];
if(!keylog_file_fp) {
return FALSE;
}
pos = strlen(label);
if(pos > KEYLOG_LABEL_MAXLEN || !secretlen || secretlen > SECRET_MAXLEN) {
/* Should never happen - sanity check anyway. */
return FALSE;
}
memcpy(line, label, pos);
line[pos++] = ' ';
/* Client Random */
for(i = 0; i < CLIENT_RANDOM_SIZE; i++) {
Curl_hexbyte(&line[pos], client_random[i]);
pos += 2;
}
line[pos++] = ' ';
/* Secret */
for(i = 0; i < secretlen; i++) {
Curl_hexbyte(&line[pos], secret[i]);
pos += 2;
}
line[pos++] = '\n';
line[pos] = '\0';
/* Using fputs here instead of fprintf since libcurl's fprintf replacement
may not be thread-safe. */
fputs((char *)line, keylog_file_fp);
return TRUE;
}
#endif /* TLS or QUIC backend */
External/curl-8.17.0/lib/vtls/keylog.h
Vendored
+69
View File
@@ -0,0 +1,69 @@
#ifndef HEADER_CURL_KEYLOG_H
#define HEADER_CURL_KEYLOG_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#define KEYLOG_LABEL_MAXLEN (sizeof("CLIENT_HANDSHAKE_TRAFFIC_SECRET") - 1)
#define CLIENT_RANDOM_SIZE 32
/*
* The master secret in TLS 1.2 and before is always 48 bytes. In TLS 1.3, the
* secret size depends on the cipher suite's hash function which is 32 bytes
* for SHA-256 and 48 bytes for SHA-384.
*/
#define SECRET_MAXLEN 48
/*
* Opens the TLS key log file if requested by the user. The SSLKEYLOGFILE
* environment variable specifies the output file.
*/
void Curl_tls_keylog_open(void);
/*
* Closes the TLS key log file if not already.
*/
void Curl_tls_keylog_close(void);
/*
* Returns true if the user successfully enabled the TLS key log file.
*/
bool Curl_tls_keylog_enabled(void);
/*
* Appends a key log file entry.
* Returns true iff the key log file is open and a valid entry was provided.
*/
bool Curl_tls_keylog_write(const char *label,
const unsigned char client_random[32],
const unsigned char *secret, size_t secretlen);
/*
* Appends a line to the key log file, ensure it is terminated by an LF.
* Returns true iff the key log file is open and a valid line was provided.
*/
bool Curl_tls_keylog_write_line(const char *line);
#endif /* HEADER_CURL_KEYLOG_H */
External/curl-8.17.0/lib/vtls/mbedtls.c
Vendored
+1556
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/mbedtls.h
Vendored
+34
View File
@@ -0,0 +1,34 @@
#ifndef HEADER_CURL_MBEDTLS_H
#define HEADER_CURL_MBEDTLS_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) Hoi-Ho Chan, <hoiho.chan@gmail.com>
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_MBEDTLS
extern const struct Curl_ssl Curl_ssl_mbedtls;
#endif /* USE_MBEDTLS */
#endif /* HEADER_CURL_MBEDTLS_H */
External/curl-8.17.0/lib/vtls/mbedtls_threadlock.c
Vendored
+134
View File
@@ -0,0 +1,134 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) Hoi-Ho Chan, <hoiho.chan@gmail.com>
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_MBEDTLS) && \
((defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)) || \
defined(_WIN32))
#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)
# include <pthread.h>
# define MBEDTLS_MUTEX_T pthread_mutex_t
#elif defined(_WIN32)
# define MBEDTLS_MUTEX_T HANDLE
#endif
#include "mbedtls_threadlock.h"
/* The last 2 #include files should be: */
#include "../curl_memory.h"
#include "../memdebug.h"
/* number of thread locks */
#define NUMT 2
/* This array will store all of the mutexes available to Mbedtls. */
static MBEDTLS_MUTEX_T *mutex_buf = NULL;
int Curl_mbedtlsthreadlock_thread_setup(void)
{
int i;
mutex_buf = calloc(1, NUMT * sizeof(MBEDTLS_MUTEX_T));
if(!mutex_buf)
return 0; /* error, no number of threads defined */
for(i = 0; i < NUMT; i++) {
#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)
if(pthread_mutex_init(&mutex_buf[i], NULL))
return 0; /* pthread_mutex_init failed */
#elif defined(_WIN32)
mutex_buf[i] = CreateMutex(0, FALSE, 0);
if(mutex_buf[i] == 0)
return 0; /* CreateMutex failed */
#endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */
}
return 1; /* OK */
}
int Curl_mbedtlsthreadlock_thread_cleanup(void)
{
int i;
if(!mutex_buf)
return 0; /* error, no threads locks defined */
for(i = 0; i < NUMT; i++) {
#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)
if(pthread_mutex_destroy(&mutex_buf[i]))
return 0; /* pthread_mutex_destroy failed */
#elif defined(_WIN32)
if(!CloseHandle(mutex_buf[i]))
return 0; /* CloseHandle failed */
#endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */
}
free(mutex_buf);
mutex_buf = NULL;
return 1; /* OK */
}
int Curl_mbedtlsthreadlock_lock_function(int n)
{
if(n < NUMT) {
#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)
if(pthread_mutex_lock(&mutex_buf[n])) {
DEBUGF(curl_mfprintf(stderr, "Error: "
"mbedtlsthreadlock_lock_function failed\n"));
return 0; /* pthread_mutex_lock failed */
}
#elif defined(_WIN32)
if(WaitForSingleObject(mutex_buf[n], INFINITE) == WAIT_FAILED) {
DEBUGF(curl_mfprintf(stderr, "Error: "
"mbedtlsthreadlock_lock_function failed\n"));
return 0; /* pthread_mutex_lock failed */
}
#endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */
}
return 1; /* OK */
}
int Curl_mbedtlsthreadlock_unlock_function(int n)
{
if(n < NUMT) {
#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)
if(pthread_mutex_unlock(&mutex_buf[n])) {
DEBUGF(curl_mfprintf(stderr, "Error: "
"mbedtlsthreadlock_unlock_function failed\n"));
return 0; /* pthread_mutex_unlock failed */
}
#elif defined(_WIN32)
if(!ReleaseMutex(mutex_buf[n])) {
DEBUGF(curl_mfprintf(stderr, "Error: "
"mbedtlsthreadlock_unlock_function failed\n"));
return 0; /* pthread_mutex_lock failed */
}
#endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */
}
return 1; /* OK */
}
#endif /* USE_MBEDTLS */
External/curl-8.17.0/lib/vtls/mbedtls_threadlock.h
Vendored
+50
View File
@@ -0,0 +1,50 @@
#ifndef HEADER_CURL_MBEDTLS_THREADLOCK_H
#define HEADER_CURL_MBEDTLS_THREADLOCK_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) Hoi-Ho Chan, <hoiho.chan@gmail.com>
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_MBEDTLS
#if (defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)) || \
defined(_WIN32)
int Curl_mbedtlsthreadlock_thread_setup(void);
int Curl_mbedtlsthreadlock_thread_cleanup(void);
int Curl_mbedtlsthreadlock_lock_function(int n);
int Curl_mbedtlsthreadlock_unlock_function(int n);
#else
#define Curl_mbedtlsthreadlock_thread_setup() 1
#define Curl_mbedtlsthreadlock_thread_cleanup() 1
#define Curl_mbedtlsthreadlock_lock_function(x) 1
#define Curl_mbedtlsthreadlock_unlock_function(x) 1
#endif /* (USE_THREADS_POSIX && HAVE_PTHREAD_H) || _WIN32 */
#endif /* USE_MBEDTLS */
#endif /* HEADER_CURL_MBEDTLS_THREADLOCK_H */
External/curl-8.17.0/lib/vtls/openssl.c
Vendored
+5921
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/openssl.h
Vendored
+158
View File
@@ -0,0 +1,158 @@
#ifndef HEADER_CURL_SSLUSE_H
#define HEADER_CURL_SSLUSE_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_OPENSSL
/*
* This header should only be needed to get included by vtls.c, openssl.c
* and ngtcp2.c
*/
#include <openssl/opensslv.h>
#include <openssl/ossl_typ.h>
#include <openssl/ssl.h>
#include "../urldata.h"
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#define HAVE_OPENSSL3 /* non-fork OpenSSL 3.x or later */
#endif
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
#define HAVE_BORINGSSL_LIKE
#endif
/*
* Whether SSL_CTX_set_keylog_callback is available.
* OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
* BoringSSL: supported since d28f59c27bac (committed 2015-11-19)
* LibreSSL: not supported. 3.5.0+ has a stub function that does nothing.
*/
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
!defined(LIBRESSL_VERSION_NUMBER)) || defined(HAVE_BORINGSSL_LIKE)
#define HAVE_KEYLOG_CALLBACK
#endif
/* Check for OpenSSL 1.1.1 which has early data support. */
#undef HAVE_OPENSSL_EARLYDATA
#if defined(TLS1_3_VERSION) && !defined(HAVE_BORINGSSL_LIKE)
#define HAVE_OPENSSL_EARLYDATA
#endif
struct alpn_spec;
struct ssl_peer;
struct Curl_ssl_session;
/* Struct to hold a curl OpenSSL instance */
struct ossl_ctx {
/* these ones requires specific SSL-types */
SSL_CTX* ssl_ctx;
SSL* ssl;
BIO_METHOD *bio_method;
CURLcode io_result; /* result of last BIO cfilter operation */
/* blocked writes need to retry with same length, remember it */
int blocked_ssl_write_len;
#ifndef HAVE_KEYLOG_CALLBACK
/* Set to true once a valid keylog entry has been created to avoid dupes.
This is a bool and not a bitfield because it is passed by address. */
bool keylog_done;
#endif
BIT(x509_store_setup); /* x509 store has been set up */
BIT(store_is_empty); /* no certs/paths/blobs in x509 store */
BIT(reused_session); /* session-ID was reused for this */
};
size_t Curl_ossl_version(char *buffer, size_t size);
typedef CURLcode Curl_ossl_ctx_setup_cb(struct Curl_cfilter *cf,
struct Curl_easy *data,
void *user_data);
typedef int Curl_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid);
typedef CURLcode Curl_ossl_init_session_reuse_cb(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct alpn_spec *alpns,
struct Curl_ssl_session *scs,
bool *do_early_data);
CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer,
const struct alpn_spec *alpns,
Curl_ossl_ctx_setup_cb *cb_setup,
void *cb_user_data,
Curl_ossl_new_session_cb *cb_new_session,
void *ssl_user_data,
Curl_ossl_init_session_reuse_cb *sess_reuse_cb);
#ifndef HAVE_OPENSSL3
#define SSL_get1_peer_certificate SSL_get_peer_certificate
#endif
extern const struct Curl_ssl Curl_ssl_openssl;
/**
* Setup the OpenSSL X509_STORE in `ssl_ctx` for the cfilter `cf` and
* easy handle `data`. Will allow reuse of a shared cache if suitable
* and configured.
*/
CURLcode Curl_ssl_setup_x509_store(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ossl_ctx *octx);
CURLcode Curl_ossl_ctx_configure(struct Curl_cfilter *cf,
struct Curl_easy *data,
SSL_CTX *ssl_ctx);
/*
* Add a new session to the cache. Takes ownership of the session.
*/
CURLcode Curl_ossl_add_session(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
SSL_SESSION *ssl_sessionid,
int ietf_tls_id,
const char *alpn,
unsigned char *quic_tp,
size_t quic_tp_len);
/*
* Get the server cert, verify it and show it, etc., only call failf() if
* ssl config verifypeer or -host is set. Otherwise all this is for
* informational purposes only!
*/
CURLcode Curl_ossl_check_peer_cert(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ossl_ctx *octx,
struct ssl_peer *peer);
/* Report properties of a successful handshake */
void Curl_ossl_report_handshake(struct Curl_easy *data,
struct ossl_ctx *octx);
#endif /* USE_OPENSSL */
#endif /* HEADER_CURL_SSLUSE_H */
External/curl-8.17.0/lib/vtls/rustls.c
Vendored
+1442
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/rustls.h
Vendored
+35
View File
@@ -0,0 +1,35 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Jacob Hoffman-Andrews,
* <github@hoffman-andrews.com>
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#ifndef HEADER_CURL_RUSTLS_H
#define HEADER_CURL_RUSTLS_H
#include "../curl_setup.h"
#ifdef USE_RUSTLS
extern const struct Curl_ssl Curl_ssl_rustls;
#endif /* USE_RUSTLS */
#endif /* HEADER_CURL_RUSTLS_H */
External/curl-8.17.0/lib/vtls/schannel.c
Vendored
+2931
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/schannel.h
Vendored
+86
View File
@@ -0,0 +1,86 @@
#ifndef HEADER_CURL_SCHANNEL_H
#define HEADER_CURL_SCHANNEL_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al.
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_SCHANNEL
#ifdef _MSC_VER
#pragma warning(push)
#pragma warning(disable:4201)
#endif
#include <subauth.h>
#ifdef _MSC_VER
#pragma warning(pop)
#endif
/* Wincrypt must be included before anything that could include OpenSSL. */
#ifdef USE_WIN32_CRYPTO
#include <wincrypt.h>
/* Undefine wincrypt conflicting symbols for BoringSSL. */
#undef X509_NAME
#undef X509_EXTENSIONS
#undef PKCS7_ISSUER_AND_SERIAL
#undef PKCS7_SIGNER_INFO
#undef OCSP_REQUEST
#undef OCSP_RESPONSE
#endif
#include <schnlsp.h>
#include <schannel.h>
#include "../curl_sspi.h"
#include "../cfilters.h"
#include "../urldata.h"
/* <wincrypt.h> has been included via the above <schnlsp.h>.
* Or in case of ldap.c, it was included via <winldap.h>.
* And since <wincrypt.h> has this:
* #define X509_NAME ((LPCSTR) 7)
*
* And in BoringSSL's <openssl/base.h> there is:
* typedef struct X509_name_st X509_NAME;
* etc.
*
* this will cause all kinds of C-preprocessing paste errors in
* BoringSSL's <openssl/x509.h>: So just undefine those defines here
* (and only here).
*/
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
# undef X509_NAME
# undef X509_CERT_PAIR
# undef X509_EXTENSIONS
#endif
extern const struct Curl_ssl Curl_ssl_schannel;
CURLcode Curl_verify_host(struct Curl_cfilter *cf,
struct Curl_easy *data);
CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
struct Curl_easy *data);
#endif /* USE_SCHANNEL */
#endif /* HEADER_CURL_SCHANNEL_H */
External/curl-8.17.0/lib/vtls/schannel_int.h
Vendored
+168
View File
@@ -0,0 +1,168 @@
#ifndef HEADER_CURL_SCHANNEL_INT_H
#define HEADER_CURL_SCHANNEL_INT_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Marc Hoersken, <info@marc-hoersken.de>, et al.
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_SCHANNEL
#include "vtls.h"
#include "../curl_sha256.h"
#if defined(_MSC_VER) && (_MSC_VER <= 1600)
/* Workaround for warning:
'type cast' : conversion from 'int' to 'LPCSTR' of greater size */
#undef CERT_STORE_PROV_MEMORY
#undef CERT_STORE_PROV_SYSTEM_A
#undef CERT_STORE_PROV_SYSTEM_W
#define CERT_STORE_PROV_MEMORY ((LPCSTR)(size_t)2)
#define CERT_STORE_PROV_SYSTEM_A ((LPCSTR)(size_t)9)
#define CERT_STORE_PROV_SYSTEM_W ((LPCSTR)(size_t)10)
#endif
/* Offered by mingw-w64 v8+, MS SDK ~10+/~VS2022+ */
#ifndef SCH_CREDENTIALS_VERSION
#define SCH_CREDENTIALS_VERSION 0x00000005
typedef enum _eTlsAlgorithmUsage {
TlsParametersCngAlgUsageKeyExchange,
TlsParametersCngAlgUsageSignature,
TlsParametersCngAlgUsageCipher,
TlsParametersCngAlgUsageDigest,
TlsParametersCngAlgUsageCertSig
} eTlsAlgorithmUsage;
/* !checksrc! disable TYPEDEFSTRUCT 1 */
typedef struct _CRYPTO_SETTINGS {
eTlsAlgorithmUsage eAlgorithmUsage;
UNICODE_STRING strCngAlgId;
DWORD cChainingModes;
PUNICODE_STRING rgstrChainingModes; /* spellchecker:disable-line */
DWORD dwMinBitLength;
DWORD dwMaxBitLength;
} CRYPTO_SETTINGS, * PCRYPTO_SETTINGS;
/* !checksrc! disable TYPEDEFSTRUCT 1 */
typedef struct _TLS_PARAMETERS {
DWORD cAlpnIds;
PUNICODE_STRING rgstrAlpnIds; /* spellchecker:disable-line */
DWORD grbitDisabledProtocols;
DWORD cDisabledCrypto;
PCRYPTO_SETTINGS pDisabledCrypto;
DWORD dwFlags;
} TLS_PARAMETERS, * PTLS_PARAMETERS;
/* !checksrc! disable TYPEDEFSTRUCT 1 */
typedef struct _SCH_CREDENTIALS {
DWORD dwVersion;
DWORD dwCredFormat;
DWORD cCreds;
PCCERT_CONTEXT* paCred;
HCERTSTORE hRootStore;
DWORD cMappers;
struct _HMAPPER **aphMappers;
DWORD dwSessionLifespan;
DWORD dwFlags;
DWORD cTlsParameters;
PTLS_PARAMETERS pTlsParameters;
} SCH_CREDENTIALS, * PSCH_CREDENTIALS;
#define SCH_CRED_MAX_SUPPORTED_PARAMETERS 16
#define SCH_CRED_MAX_SUPPORTED_ALPN_IDS 16
#define SCH_CRED_MAX_SUPPORTED_CRYPTO_SETTINGS 16
#define SCH_CRED_MAX_SUPPORTED_CHAINING_MODES 16
#endif /* SCH_CREDENTIALS_VERSION */
struct Curl_schannel_cred {
CredHandle cred_handle;
TCHAR *sni_hostname;
HCERTSTORE client_cert_store;
int refcount;
};
struct Curl_schannel_ctxt {
CtxtHandle ctxt_handle;
};
struct schannel_ssl_backend_data {
struct Curl_schannel_cred *cred;
struct Curl_schannel_ctxt *ctxt;
SecPkgContext_StreamSizes stream_sizes;
size_t encdata_length, decdata_length;
size_t encdata_offset, decdata_offset;
unsigned char *encdata_buffer, *decdata_buffer;
/* encdata_is_incomplete: if encdata contains only a partial record that
cannot be decrypted without another recv() (that is, status is
SEC_E_INCOMPLETE_MESSAGE) then set this true. after an recv() adds
more bytes into encdata then set this back to false. */
unsigned long req_flags, ret_flags;
CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
struct schannel_renegotiate_state {
bool started;
struct curltime start_time;
int io_need;
} renegotiate_state;
BIT(recv_sspi_close_notify); /* true if connection closed by close_notify */
BIT(recv_connection_closed); /* true if connection closed, regardless how */
BIT(recv_renegotiating); /* true if recv is doing renegotiation */
BIT(use_alpn); /* true if ALPN is used for this connection */
BIT(use_manual_cred_validation); /* true if manual cred validation is used */
BIT(sent_shutdown);
BIT(encdata_is_incomplete);
};
struct schannel_cert_share {
unsigned char CAinfo_blob_digest[CURL_SHA256_DIGEST_LENGTH];
size_t CAinfo_blob_size; /* CA info blob size */
char *CAfile; /* CAfile path used to generate
certificate store */
HCERTSTORE cert_store; /* cached certificate store or
NULL if none */
struct curltime time; /* when the cached store was created */
};
/*
* size of the structure: 20 bytes.
*/
struct num_ip_data {
DWORD size; /* 04 bytes */
union {
struct in_addr ia; /* 04 bytes */
struct in6_addr ia6; /* 16 bytes */
} bData;
};
HCERTSTORE Curl_schannel_get_cached_cert_store(struct Curl_cfilter *cf,
const struct Curl_easy *data);
bool Curl_schannel_set_cached_cert_store(struct Curl_cfilter *cf,
const struct Curl_easy *data,
HCERTSTORE cert_store);
#endif /* USE_SCHANNEL */
#endif /* HEADER_CURL_SCHANNEL_INT_H */
External/curl-8.17.0/lib/vtls/schannel_verify.c
Vendored
+956
View File
@@ -0,0 +1,956 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Marc Hoersken, <info@marc-hoersken.de>
* Copyright (C) Mark Salisbury, <mark.salisbury@hp.com>
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
/*
* Source file for Schannel-specific certificate verification. This code should
* only be invoked by code in schannel.c.
*/
#include "../curl_setup.h"
#ifdef USE_SCHANNEL
#ifndef USE_WINDOWS_SSPI
# error "cannot compile SCHANNEL support without SSPI."
#endif
#include "schannel.h"
#include "schannel_int.h"
#include "../curlx/inet_pton.h"
#include "vtls.h"
#include "vtls_int.h"
#include "../sendf.h"
#include "../strerror.h"
#include "../curlx/winapi.h"
#include "../curlx/multibyte.h"
#include "hostcheck.h"
#include "../curlx/version_win32.h"
/* The last #include file should be: */
#include "../curl_memory.h"
#include "../memdebug.h"
#define BACKEND ((struct schannel_ssl_backend_data *)connssl->backend)
#ifdef __MINGW32CE__
#define CERT_QUERY_OBJECT_BLOB 0x00000002
#define CERT_QUERY_CONTENT_CERT 1
#define CERT_QUERY_CONTENT_FLAG_CERT (1 << CERT_QUERY_CONTENT_CERT)
#define CERT_QUERY_FORMAT_BINARY 1
#define CERT_QUERY_FORMAT_BASE64_ENCODED 2
#define CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED 3
#define CERT_QUERY_FORMAT_FLAG_ALL \
(1 << CERT_QUERY_FORMAT_BINARY) | \
(1 << CERT_QUERY_FORMAT_BASE64_ENCODED) | \
(1 << CERT_QUERY_FORMAT_ASN_ASCII_HEX_ENCODED)
#define CERT_CHAIN_REVOCATION_CHECK_CHAIN 0x20000000
#define CERT_NAME_DISABLE_IE4_UTF8_FLAG 0x00010000
#define CERT_TRUST_IS_OFFLINE_REVOCATION 0x01000000
#endif /* __MINGW32CE__ */
#define MAX_CAFILE_SIZE 1048576 /* 1 MiB */
#define BEGIN_CERT "-----BEGIN CERTIFICATE-----"
#define END_CERT "\n-----END CERTIFICATE-----"
struct cert_chain_engine_config_win8 {
DWORD cbSize;
HCERTSTORE hRestrictedRoot;
HCERTSTORE hRestrictedTrust;
HCERTSTORE hRestrictedOther;
DWORD cAdditionalStore;
HCERTSTORE *rghAdditionalStore;
DWORD dwFlags;
DWORD dwUrlRetrievalTimeout;
DWORD MaximumCachedCertificates;
DWORD CycleDetectionModulus;
HCERTSTORE hExclusiveRoot;
HCERTSTORE hExclusiveTrustedPeople;
DWORD dwExclusiveFlags;
};
/* Offered by mingw-w64 v4+. MS SDK ~10+/~VS2017+. */
#ifndef CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG
#define CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG 0x00000001
#endif
/* Legacy structure to supply size to Win7 clients */
struct cert_chain_engine_config_win7 {
DWORD cbSize;
HCERTSTORE hRestrictedRoot;
HCERTSTORE hRestrictedTrust;
HCERTSTORE hRestrictedOther;
DWORD cAdditionalStore;
HCERTSTORE *rghAdditionalStore;
DWORD dwFlags;
DWORD dwUrlRetrievalTimeout;
DWORD MaximumCachedCertificates;
DWORD CycleDetectionModulus;
HCERTSTORE hExclusiveRoot;
HCERTSTORE hExclusiveTrustedPeople;
};
#ifndef UNDER_CE
static int is_cr_or_lf(char c)
{
return c == '\r' || c == '\n';
}
/* Search the substring needle,needlelen into string haystack,haystacklen
* Strings do not need to be terminated by a '\0'.
* Similar of macOS/Linux memmem (not available on Visual Studio).
* Return position of beginning of first occurrence or NULL if not found
*/
static const char *c_memmem(const void *haystack, size_t haystacklen,
const void *needle, size_t needlelen)
{
const char *p;
char first;
const char *str_limit = (const char *)haystack + haystacklen;
if(!needlelen || needlelen > haystacklen)
return NULL;
first = *(const char *)needle;
for(p = (const char *)haystack; p <= (str_limit - needlelen); p++)
if(((*p) == first) && (memcmp(p, needle, needlelen) == 0))
return p;
return NULL;
}
static CURLcode add_certs_data_to_store(HCERTSTORE trust_store,
const char *ca_buffer,
size_t ca_buffer_size,
const char *ca_file_text,
struct Curl_easy *data)
{
const size_t begin_cert_len = strlen(BEGIN_CERT);
const size_t end_cert_len = strlen(END_CERT);
CURLcode result = CURLE_OK;
int num_certs = 0;
bool more_certs = 1;
const char *current_ca_file_ptr = ca_buffer;
const char *ca_buffer_limit = ca_buffer + ca_buffer_size;
while(more_certs && (current_ca_file_ptr < ca_buffer_limit)) {
const char *begin_cert_ptr = c_memmem(current_ca_file_ptr,
ca_buffer_limit-current_ca_file_ptr,
BEGIN_CERT,
begin_cert_len);
if(!begin_cert_ptr || !is_cr_or_lf(begin_cert_ptr[begin_cert_len])) {
more_certs = 0;
}
else {
const char *end_cert_ptr = c_memmem(begin_cert_ptr,
ca_buffer_limit-begin_cert_ptr,
END_CERT,
end_cert_len);
if(!end_cert_ptr) {
failf(data,
"schannel: CA file '%s' is not correctly formatted",
ca_file_text);
result = CURLE_SSL_CACERT_BADFILE;
more_certs = 0;
}
else {
CERT_BLOB cert_blob;
const CERT_CONTEXT *cert_context = NULL;
BOOL add_cert_result = FALSE;
DWORD actual_content_type = 0;
DWORD cert_size = (DWORD)
((end_cert_ptr + end_cert_len) - begin_cert_ptr);
cert_blob.pbData = (BYTE *)CURL_UNCONST(begin_cert_ptr);
cert_blob.cbData = cert_size;
if(!CryptQueryObject(CERT_QUERY_OBJECT_BLOB,
&cert_blob,
CERT_QUERY_CONTENT_FLAG_CERT,
CERT_QUERY_FORMAT_FLAG_ALL,
0,
NULL,
&actual_content_type,
NULL,
NULL,
NULL,
(const void **)&cert_context)) {
char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to extract certificate from CA file "
"'%s': %s",
ca_file_text,
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
more_certs = 0;
}
else {
current_ca_file_ptr = begin_cert_ptr + cert_size;
/* Sanity check that the cert_context object is the right type */
if(CERT_QUERY_CONTENT_CERT != actual_content_type) {
failf(data,
"schannel: unexpected content type '%lu' when extracting "
"certificate from CA file '%s'",
actual_content_type, ca_file_text);
result = CURLE_SSL_CACERT_BADFILE;
more_certs = 0;
}
else {
add_cert_result =
CertAddCertificateContextToStore(trust_store,
cert_context,
CERT_STORE_ADD_ALWAYS,
NULL);
CertFreeCertificateContext(cert_context);
if(!add_cert_result) {
char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to add certificate from CA file '%s' "
"to certificate store: %s",
ca_file_text,
curlx_winapi_strerror(GetLastError(), buffer,
sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
more_certs = 0;
}
else {
num_certs++;
}
}
}
}
}
}
if(result == CURLE_OK) {
if(!num_certs) {
infof(data,
"schannel: did not add any certificates from CA file '%s'",
ca_file_text);
}
else {
infof(data,
"schannel: added %d certificate(s) from CA file '%s'",
num_certs, ca_file_text);
}
}
return result;
}
static CURLcode add_certs_file_to_store(HCERTSTORE trust_store,
const char *ca_file,
struct Curl_easy *data)
{
CURLcode result;
HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
LARGE_INTEGER file_size;
char *ca_file_buffer = NULL;
TCHAR *ca_file_tstr = NULL;
size_t ca_file_bufsize = 0;
DWORD total_bytes_read = 0;
ca_file_tstr = curlx_convert_UTF8_to_tchar(ca_file);
if(!ca_file_tstr) {
char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: invalid path name for CA file '%s': %s",
ca_file,
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
goto cleanup;
}
/*
* Read the CA file completely into memory before parsing it. This
* optimizes for the common case where the CA file will be relatively
* small ( < 1 MiB ).
*/
ca_file_handle = CreateFile(ca_file_tstr,
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if(ca_file_handle == INVALID_HANDLE_VALUE) {
char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to open CA file '%s': %s",
ca_file,
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
goto cleanup;
}
if(!GetFileSizeEx(ca_file_handle, &file_size)) {
char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to determine size of CA file '%s': %s",
ca_file,
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
goto cleanup;
}
if(file_size.QuadPart > MAX_CAFILE_SIZE) {
failf(data,
"schannel: CA file exceeds max size of %u bytes",
MAX_CAFILE_SIZE);
result = CURLE_SSL_CACERT_BADFILE;
goto cleanup;
}
ca_file_bufsize = (size_t)file_size.QuadPart;
ca_file_buffer = (char *)malloc(ca_file_bufsize + 1);
if(!ca_file_buffer) {
result = CURLE_OUT_OF_MEMORY;
goto cleanup;
}
while(total_bytes_read < ca_file_bufsize) {
DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read);
DWORD bytes_read = 0;
if(!ReadFile(ca_file_handle, ca_file_buffer + total_bytes_read,
bytes_to_read, &bytes_read, NULL)) {
char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to read from CA file '%s': %s",
ca_file,
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
goto cleanup;
}
if(bytes_read == 0) {
/* Premature EOF -- adjust the bufsize to the new value */
ca_file_bufsize = total_bytes_read;
}
else {
total_bytes_read += bytes_read;
}
}
/* null-terminate the buffer */
ca_file_buffer[ca_file_bufsize] = '\0';
result = add_certs_data_to_store(trust_store,
ca_file_buffer, ca_file_bufsize,
ca_file,
data);
cleanup:
if(ca_file_handle != INVALID_HANDLE_VALUE) {
CloseHandle(ca_file_handle);
}
Curl_safefree(ca_file_buffer);
curlx_unicodefree(ca_file_tstr);
return result;
}
/*
* Returns the number of characters necessary to populate all the host_names.
* If host_names is not NULL, populate it with all the hostnames. Each string
* in the host_names is null-terminated and the last string is double
* null-terminated. If no DNS names are found, a single null-terminated empty
* string is returned.
*/
static DWORD cert_get_name_string(struct Curl_easy *data,
CERT_CONTEXT *cert_context,
LPTSTR host_names,
DWORD length,
PCERT_ALT_NAME_INFO alt_name_info,
BOOL Win8_compat)
{
DWORD actual_length = 0;
BOOL compute_content = FALSE;
LPTSTR current_pos = NULL;
DWORD i;
/* Offered by mingw-w64 v4+. MS SDK ~10+/~VS2017+. */
#ifdef CERT_NAME_SEARCH_ALL_NAMES_FLAG
/* CERT_NAME_SEARCH_ALL_NAMES_FLAG is available from Windows 8 onwards. */
if(Win8_compat) {
/* CertGetNameString will provide the 8-bit character string without
* any decoding */
DWORD name_flags =
CERT_NAME_DISABLE_IE4_UTF8_FLAG | CERT_NAME_SEARCH_ALL_NAMES_FLAG;
actual_length = CertGetNameString(cert_context,
CERT_NAME_DNS_TYPE,
name_flags,
NULL,
host_names,
length);
return actual_length;
}
#else
(void)cert_context;
(void)Win8_compat;
#endif
if(!alt_name_info)
return 0;
compute_content = host_names != NULL && length != 0;
/* Initialize default return values. */
actual_length = 1;
if(compute_content) {
*host_names = '\0';
}
current_pos = host_names;
/* Iterate over the alternate names and populate host_names. */
for(i = 0; i < alt_name_info->cAltEntry; i++) {
const CERT_ALT_NAME_ENTRY *entry = &alt_name_info->rgAltEntry[i];
wchar_t *dns_w = NULL;
size_t current_length = 0;
if(entry->dwAltNameChoice != CERT_ALT_NAME_DNS_NAME) {
continue;
}
if(!entry->pwszDNSName) {
infof(data, "schannel: Empty DNS name.");
continue;
}
current_length = wcslen(entry->pwszDNSName) + 1;
if(!compute_content) {
actual_length += (DWORD)current_length;
continue;
}
/* Sanity check to prevent buffer overrun. */
if((actual_length + current_length) > length) {
failf(data, "schannel: Not enough memory to list all hostnames.");
break;
}
dns_w = entry->pwszDNSName;
/* pwszDNSName is in ia5 string format and hence does not contain any
* non-ASCII characters. */
while(*dns_w != '\0') {
*current_pos++ = (TCHAR)(*dns_w++);
}
*current_pos++ = '\0';
actual_length += (DWORD)current_length;
}
if(compute_content) {
/* Last string has double null-terminator. */
*current_pos = '\0';
}
return actual_length;
}
/*
* Returns TRUE if the hostname is a numeric IPv4/IPv6 Address,
* and populates the buffer with IPv4/IPv6 info.
*/
static bool get_num_host_info(struct num_ip_data *ip_blob,
LPCSTR hostname)
{
struct in_addr ia;
struct in6_addr ia6;
bool result = FALSE;
int res = curlx_inet_pton(AF_INET, hostname, &ia);
if(res) {
ip_blob->size = sizeof(struct in_addr);
memcpy(&ip_blob->bData.ia, &ia, sizeof(struct in_addr));
result = TRUE;
}
else {
res = curlx_inet_pton(AF_INET6, hostname, &ia6);
if(res) {
ip_blob->size = sizeof(struct in6_addr);
memcpy(&ip_blob->bData.ia6, &ia6, sizeof(struct in6_addr));
result = TRUE;
}
}
return result;
}
static bool get_alt_name_info(struct Curl_easy *data,
PCCERT_CONTEXT ctx,
PCERT_ALT_NAME_INFO *alt_name_info,
LPDWORD alt_name_info_size)
{
bool result = FALSE;
PCERT_INFO cert_info = NULL;
PCERT_EXTENSION extension = NULL;
CRYPT_DECODE_PARA decode_para = { sizeof(CRYPT_DECODE_PARA), NULL, NULL };
if(!ctx) {
failf(data, "schannel: Null certificate context.");
return result;
}
cert_info = ctx->pCertInfo;
if(!cert_info) {
failf(data, "schannel: Null certificate info.");
return result;
}
extension = CertFindExtension(szOID_SUBJECT_ALT_NAME2,
cert_info->cExtension,
cert_info->rgExtension);
if(!extension) {
failf(data, "schannel: CertFindExtension() returned no extension.");
return result;
}
if(!CryptDecodeObjectEx(X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
szOID_SUBJECT_ALT_NAME2,
extension->Value.pbData,
extension->Value.cbData,
CRYPT_DECODE_ALLOC_FLAG | CRYPT_DECODE_NOCOPY_FLAG,
&decode_para,
alt_name_info,
alt_name_info_size)) {
failf(data,
"schannel: CryptDecodeObjectEx() returned no alternate name "
"information.");
return result;
}
result = TRUE;
return result;
}
#endif /* !UNDER_CE */
/* Verify the server's hostname */
CURLcode Curl_verify_host(struct Curl_cfilter *cf,
struct Curl_easy *data)
{
CURLcode result = CURLE_PEER_FAILED_VERIFICATION;
struct ssl_connect_data *connssl = cf->ctx;
CERT_CONTEXT *pCertContextServer = NULL;
#ifdef UNDER_CE
TCHAR cert_hostname_buff[256];
DWORD len;
/* This code does not support certificates with multiple alternative names.
* Right now we are only asking for the first preferred alternative name.
* Instead we would need to do all via CERT_NAME_SEARCH_ALL_NAMES_FLAG
* (If Windows CE supports that?) and run this section in a loop for each.
* https://learn.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-certgetnamestringa
* curl: (51) schannel: CertGetNameString() certificate hostname
* (.google.com) did not match connection (google.com)
*/
len = CertGetNameString(pCertContextServer,
CERT_NAME_DNS_TYPE,
CERT_NAME_DISABLE_IE4_UTF8_FLAG,
NULL,
cert_hostname_buff,
256);
if(len > 0) {
/* Comparing the cert name and the connection hostname encoded as UTF-8
* is acceptable since both values are assumed to use ASCII
* (or some equivalent) encoding
*/
char *cert_hostname = curlx_convert_tchar_to_UTF8(cert_hostname_buff);
if(!cert_hostname) {
result = CURLE_OUT_OF_MEMORY;
}
else{
const char *conn_hostname = connssl->peer.hostname;
if(Curl_cert_hostcheck(cert_hostname, strlen(cert_hostname),
conn_hostname, strlen(conn_hostname))) {
infof(data,
"schannel: connection hostname (%s) validated "
"against certificate name (%s)",
conn_hostname, cert_hostname);
result = CURLE_OK;
}
else{
failf(data,
"schannel: connection hostname (%s) "
"does not match certificate name (%s)",
conn_hostname, cert_hostname);
}
Curl_safefree(cert_hostname);
}
}
else {
failf(data,
"schannel: CertGetNameString did not provide any "
"certificate name information");
}
#else
SECURITY_STATUS sspi_status;
TCHAR *cert_hostname_buff = NULL;
size_t cert_hostname_buff_index = 0;
const char *conn_hostname = connssl->peer.hostname;
size_t hostlen = strlen(conn_hostname);
DWORD len = 0;
DWORD actual_len = 0;
PCERT_ALT_NAME_INFO alt_name_info = NULL;
DWORD alt_name_info_size = 0;
struct num_ip_data ip_blob = { 0 };
bool Win8_compat;
struct num_ip_data *p = &ip_blob;
DWORD i;
sspi_status =
Curl_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
SECPKG_ATTR_REMOTE_CERT_CONTEXT,
&pCertContextServer);
if((sspi_status != SEC_E_OK) || !pCertContextServer) {
char buffer[WINAPI_ERROR_LEN];
failf(data, "schannel: Failed to read remote certificate context: %s",
Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
goto cleanup;
}
Win8_compat = curlx_verify_windows_version(6, 2, 0, PLATFORM_WINNT,
VERSION_GREATER_THAN_EQUAL);
if(get_num_host_info(p, conn_hostname) || !Win8_compat) {
if(!get_alt_name_info(data, pCertContextServer,
&alt_name_info, &alt_name_info_size)) {
goto cleanup;
}
}
if(p->size && alt_name_info) {
for(i = 0; i < alt_name_info->cAltEntry; ++i) {
PCERT_ALT_NAME_ENTRY entry = &alt_name_info->rgAltEntry[i];
if(entry->dwAltNameChoice == CERT_ALT_NAME_IP_ADDRESS) {
if(entry->IPAddress.cbData == p->size) {
if(!memcmp(entry->IPAddress.pbData, &p->bData,
entry->IPAddress.cbData)) {
result = CURLE_OK;
infof(data,
"schannel: connection hostname (%s) matched cert's IP address!",
conn_hostname);
break;
}
}
}
}
}
else {
/* Determine the size of the string needed for the cert hostname */
len = cert_get_name_string(data, pCertContextServer,
NULL, 0, alt_name_info, Win8_compat);
if(len == 0) {
failf(data,
"schannel: CertGetNameString() returned no "
"certificate name information");
goto cleanup;
}
/* CertGetNameString guarantees that the returned name will not contain
* embedded null bytes. This appears to be undocumented behavior.
*/
cert_hostname_buff = (LPTSTR)malloc(len * sizeof(TCHAR));
if(!cert_hostname_buff) {
result = CURLE_OUT_OF_MEMORY;
goto cleanup;
}
actual_len = cert_get_name_string(data, pCertContextServer,
(LPTSTR)cert_hostname_buff, len,
alt_name_info, Win8_compat);
/* Sanity check */
if(actual_len != len) {
failf(data,
"schannel: CertGetNameString() returned certificate "
"name information of unexpected size");
goto cleanup;
}
/* cert_hostname_buff contains all DNS names, where each name is
* null-terminated and the last DNS name is double null-terminated. Due to
* this encoding, use the length of the buffer to iterate over all names.
*/
while(cert_hostname_buff_index < len &&
cert_hostname_buff[cert_hostname_buff_index] != TEXT('\0') &&
result == CURLE_PEER_FAILED_VERIFICATION) {
char *cert_hostname;
/* Comparing the cert name and the connection hostname encoded as UTF-8
* is acceptable since both values are assumed to use ASCII
* (or some equivalent) encoding
*/
cert_hostname = curlx_convert_tchar_to_UTF8(
&cert_hostname_buff[cert_hostname_buff_index]);
if(!cert_hostname) {
result = CURLE_OUT_OF_MEMORY;
}
else {
if(Curl_cert_hostcheck(cert_hostname, strlen(cert_hostname),
conn_hostname, hostlen)) {
infof(data, "schannel: connection hostname (%s) validated "
"against certificate name (%s)",
conn_hostname, cert_hostname);
result = CURLE_OK;
}
else {
size_t cert_hostname_len;
infof(data,
"schannel: connection hostname (%s) did not match "
"against certificate name (%s)",
conn_hostname, cert_hostname);
cert_hostname_len =
_tcslen(&cert_hostname_buff[cert_hostname_buff_index]);
/* Move on to next cert name */
cert_hostname_buff_index += cert_hostname_len + 1;
result = CURLE_PEER_FAILED_VERIFICATION;
}
curlx_unicodefree(cert_hostname);
}
}
if(result == CURLE_PEER_FAILED_VERIFICATION) {
failf(data,
"schannel: CertGetNameString() failed to match "
"connection hostname (%s) against server certificate names",
conn_hostname);
}
else if(result != CURLE_OK)
failf(data, "schannel: server certificate name verification failed");
}
cleanup:
LocalFree(alt_name_info);
Curl_safefree(cert_hostname_buff);
if(pCertContextServer)
CertFreeCertificateContext(pCertContextServer);
#endif /* !UNDER_CE */
return result;
}
/* Verify the server's certificate and hostname */
CURLcode Curl_verify_certificate(struct Curl_cfilter *cf,
struct Curl_easy *data)
{
struct ssl_connect_data *connssl = cf->ctx;
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
SECURITY_STATUS sspi_status;
CURLcode result = CURLE_OK;
CERT_CONTEXT *pCertContextServer = NULL;
const CERT_CHAIN_CONTEXT *pChainContext = NULL;
HCERTCHAINENGINE cert_chain_engine = NULL;
#ifndef UNDER_CE
HCERTSTORE trust_store = NULL;
HCERTSTORE own_trust_store = NULL;
#endif /* !UNDER_CE */
DEBUGASSERT(BACKEND);
sspi_status =
Curl_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle,
SECPKG_ATTR_REMOTE_CERT_CONTEXT,
&pCertContextServer);
if((sspi_status != SEC_E_OK) || !pCertContextServer) {
char buffer[WINAPI_ERROR_LEN];
failf(data, "schannel: Failed to read remote certificate context: %s",
Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer)));
result = CURLE_PEER_FAILED_VERIFICATION;
}
#ifndef UNDER_CE
if(result == CURLE_OK &&
(conn_config->CAfile || conn_config->ca_info_blob) &&
BACKEND->use_manual_cred_validation) {
/*
* Create a chain engine that uses the certificates in the CA file as
* trusted certificates. This is only supported on Windows 7+.
*/
if(curlx_verify_windows_version(6, 1, 0, PLATFORM_WINNT,
VERSION_LESS_THAN)) {
failf(data, "schannel: this version of Windows is too old to support "
"certificate verification via CA bundle file.");
result = CURLE_SSL_CACERT_BADFILE;
}
else {
/* try cache */
trust_store = Curl_schannel_get_cached_cert_store(cf, data);
if(trust_store) {
infof(data, "schannel: reusing certificate store from cache");
}
else {
/* Open the certificate store */
trust_store = CertOpenStore(CERT_STORE_PROV_MEMORY,
0,
(HCRYPTPROV)NULL,
CERT_STORE_CREATE_NEW_FLAG,
NULL);
if(!trust_store) {
char buffer[WINAPI_ERROR_LEN];
failf(data, "schannel: failed to create certificate store: %s",
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
}
else {
const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
own_trust_store = trust_store;
if(ca_info_blob) {
result = add_certs_data_to_store(trust_store,
(const char *)ca_info_blob->data,
ca_info_blob->len,
"(memory blob)",
data);
}
else {
result = add_certs_file_to_store(trust_store,
conn_config->CAfile,
data);
}
if(result == CURLE_OK) {
if(Curl_schannel_set_cached_cert_store(cf, data, trust_store)) {
own_trust_store = NULL;
}
}
}
}
}
if(result == CURLE_OK) {
struct cert_chain_engine_config_win8 engine_config;
BOOL create_engine_result;
memset(&engine_config, 0, sizeof(engine_config));
engine_config.hExclusiveRoot = trust_store;
/* Win8/Server2012 allows us to match partial chains */
if(curlx_verify_windows_version(6, 2, 0, PLATFORM_WINNT,
VERSION_GREATER_THAN_EQUAL) &&
!ssl_config->no_partialchain) {
engine_config.cbSize = sizeof(engine_config);
engine_config.dwExclusiveFlags = CERT_CHAIN_EXCLUSIVE_ENABLE_CA_FLAG;
}
else
engine_config.cbSize = sizeof(struct cert_chain_engine_config_win7);
/* CertCreateCertificateChainEngine will check the expected size of the
* CERT_CHAIN_ENGINE_CONFIG structure and fail if the specified size
* does not match the expected size. When this occurs, it indicates that
* CAINFO is not supported on the version of Windows in use.
*/
create_engine_result =
CertCreateCertificateChainEngine(
(CERT_CHAIN_ENGINE_CONFIG *)&engine_config, &cert_chain_engine);
if(!create_engine_result) {
char buffer[WINAPI_ERROR_LEN];
failf(data,
"schannel: failed to create certificate chain engine: %s",
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
result = CURLE_SSL_CACERT_BADFILE;
}
}
}
#endif /* !UNDER_CE */
if(result == CURLE_OK) {
CERT_CHAIN_PARA ChainPara;
memset(&ChainPara, 0, sizeof(ChainPara));
ChainPara.cbSize = sizeof(ChainPara);
if(!CertGetCertificateChain(cert_chain_engine,
pCertContextServer,
NULL,
pCertContextServer->hCertStore,
&ChainPara,
(ssl_config->no_revoke ? 0 :
CERT_CHAIN_REVOCATION_CHECK_CHAIN),
NULL,
&pChainContext)) {
char buffer[WINAPI_ERROR_LEN];
failf(data, "schannel: failed to get the certificate chain: %s",
curlx_winapi_strerror(GetLastError(), buffer, sizeof(buffer)));
pChainContext = NULL;
result = CURLE_PEER_FAILED_VERIFICATION;
}
if(result == CURLE_OK) {
CERT_SIMPLE_CHAIN *pSimpleChain = pChainContext->rgpChain[0];
DWORD dwTrustErrorMask = ~(DWORD)(CERT_TRUST_IS_NOT_TIME_NESTED);
dwTrustErrorMask &= pSimpleChain->TrustStatus.dwErrorStatus;
if(data->set.ssl.revoke_best_effort) {
/* Ignore errors when root certificates are missing the revocation
* list URL, or when the list could not be downloaded because the
* server is currently unreachable. */
dwTrustErrorMask &= ~(DWORD)(CERT_TRUST_REVOCATION_STATUS_UNKNOWN |
CERT_TRUST_IS_OFFLINE_REVOCATION);
}
if(dwTrustErrorMask) {
if(dwTrustErrorMask & CERT_TRUST_IS_REVOKED)
failf(data, "schannel: trust for this certificate or one of "
"the certificates in the certificate chain has been revoked");
else if(dwTrustErrorMask & CERT_TRUST_IS_PARTIAL_CHAIN)
failf(data, "schannel: the certificate chain is incomplete");
else if(dwTrustErrorMask & CERT_TRUST_IS_UNTRUSTED_ROOT)
failf(data, "schannel: the certificate or certificate chain is "
"based on an untrusted root");
else if(dwTrustErrorMask & CERT_TRUST_IS_NOT_TIME_VALID)
failf(data, "schannel: this certificate or one of the certificates "
"in the certificate chain is not time valid");
else if(dwTrustErrorMask & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
failf(data, "schannel: the revocation status is unknown");
else
failf(data, "schannel: error 0x%08lx", dwTrustErrorMask);
result = CURLE_PEER_FAILED_VERIFICATION;
}
}
}
if(result == CURLE_OK) {
if(conn_config->verifyhost) {
result = Curl_verify_host(cf, data);
}
}
#ifndef UNDER_CE
if(cert_chain_engine) {
CertFreeCertificateChainEngine(cert_chain_engine);
}
if(own_trust_store) {
CertCloseStore(own_trust_store, 0);
}
#endif /* !UNDER_CE */
if(pChainContext)
CertFreeCertificateChain(pChainContext);
if(pCertContextServer)
CertFreeCertificateContext(pCertContextServer);
return result;
}
#endif /* USE_SCHANNEL */
External/curl-8.17.0/lib/vtls/vtls.c
Vendored
+2087
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/vtls.h
Vendored
+268
View File
@@ -0,0 +1,268 @@
#ifndef HEADER_CURL_VTLS_H
#define HEADER_CURL_VTLS_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
struct connectdata;
struct ssl_config_data;
struct ssl_primary_config;
struct Curl_cfilter;
struct Curl_easy;
struct dynbuf;
#define SSLSUPP_CA_PATH (1<<0) /* supports CAPATH */
#define SSLSUPP_CERTINFO (1<<1) /* supports CURLOPT_CERTINFO */
#define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
#define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
#define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
#define SSLSUPP_CAINFO_BLOB (1<<6)
#define SSLSUPP_ECH (1<<7)
#define SSLSUPP_CA_CACHE (1<<8)
#define SSLSUPP_CIPHER_LIST (1<<9) /* supports TLS 1.0-1.2 ciphersuites */
#define SSLSUPP_SIGNATURE_ALGORITHMS (1<<10) /* supports TLS sigalgs */
#ifdef USE_ECH
# include "../curlx/base64.h"
# define ECH_ENABLED(__data__) \
(__data__->set.tls_ech && \
!(__data__->set.tls_ech & CURLECH_DISABLE)\
)
#endif /* USE_ECH */
#define ALPN_ACCEPTED "ALPN: server accepted "
#define VTLS_INFOF_NO_ALPN \
"ALPN: server did not agree on a protocol. Uses default."
#define VTLS_INFOF_ALPN_OFFER_1STR \
"ALPN: curl offers %s"
#define VTLS_INFOF_ALPN_ACCEPTED \
ALPN_ACCEPTED "%.*s"
#define VTLS_INFOF_NO_ALPN_DEFERRED \
"ALPN: deferred handshake for early data without specific protocol."
#define VTLS_INFOF_ALPN_DEFERRED \
"ALPN: deferred handshake for early data using '%.*s'."
/* IETF defined version numbers used in TLS protocol negotiation */
#define CURL_IETF_PROTO_UNKNOWN 0x0
#define CURL_IETF_PROTO_SSL3 0x0300
#define CURL_IETF_PROTO_TLS1 0x0301
#define CURL_IETF_PROTO_TLS1_1 0x0302
#define CURL_IETF_PROTO_TLS1_2 0x0303
#define CURL_IETF_PROTO_TLS1_3 0x0304
#define CURL_IETF_PROTO_DTLS1 0xFEFF
#define CURL_IETF_PROTO_DTLS1_2 0xFEFD
typedef enum {
CURL_SSL_PEER_DNS,
CURL_SSL_PEER_IPV4,
CURL_SSL_PEER_IPV6
} ssl_peer_type;
struct ssl_peer {
char *hostname; /* hostname for verification */
char *dispname; /* display version of hostname */
char *sni; /* SNI version of hostname or NULL if not usable */
char *scache_key; /* for lookups in session cache */
ssl_peer_type type; /* type of the peer information */
int port; /* port we are talking to */
int transport; /* one of TRNSPRT_* defines */
};
CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
const curl_ssl_backend ***avail);
#ifndef MAX_PINNED_PUBKEY_SIZE
#define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */
#endif
curl_sslbackend Curl_ssl_backend(void);
/**
* Init ssl config for a new easy handle.
*/
void Curl_ssl_easy_config_init(struct Curl_easy *data);
/**
* Init the `data->set.ssl` and `data->set.proxy_ssl` for
* connection matching use.
*/
CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data);
/**
* Init SSL configs (main + proxy) for a new connection from the easy handle.
*/
CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
struct connectdata *conn);
/**
* Free allocated resources in SSL configs (main + proxy) for
* the given connection.
*/
void Curl_ssl_conn_config_cleanup(struct connectdata *conn);
/**
* Return TRUE iff SSL configuration from `data` is functionally the
* same as the one on `candidate`.
* @param proxy match the proxy SSL config or the main one
*/
bool Curl_ssl_conn_config_match(struct Curl_easy *data,
struct connectdata *candidate,
bool proxy);
/* Update certain connection SSL config flags after they have
* been changed on the easy handle. Will work for `verifypeer`,
* `verifyhost` and `verifystatus`. */
void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy);
/**
* Init SSL peer information for filter. Can be called repeatedly.
*/
CURLcode Curl_ssl_peer_init(struct ssl_peer *peer,
struct Curl_cfilter *cf,
const char *tls_id,
int transport);
/**
* Free all allocated data and reset peer information.
*/
void Curl_ssl_peer_cleanup(struct ssl_peer *peer);
#ifdef USE_SSL
int Curl_ssl_init(void);
void Curl_ssl_cleanup(void);
/* tell the SSL stuff to close down all open information regarding
connections (and thus session ID caching etc) */
void Curl_ssl_close_all(struct Curl_easy *data);
CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine);
/* Sets engine as default for all SSL operations */
CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data);
struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data);
void Curl_ssl_version(char *buffer, size_t size);
/* Certificate information list handling. */
#define CURL_X509_STR_MAX 100000
void Curl_ssl_free_certinfo(struct Curl_easy *data);
CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num);
CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data, int certnum,
const char *label, const char *value,
size_t valuelen);
CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum,
const char *label, const char *value);
/* Functions to be used by SSL library adaptation functions */
/* get N random bytes into the buffer */
CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer,
size_t length);
/* Check pinned public key. */
CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
const char *pinnedpubkey,
const unsigned char *pubkey, size_t pubkeylen);
bool Curl_ssl_cert_status_request(void);
/* The maximum size of the SSL channel binding is 85 bytes, as defined in
* RFC 5929, Section 4.1. The 'tls-server-end-point:' prefix is 21 bytes long,
* and SHA-512 is the longest supported hash algorithm, with a digest length of
* 64 bytes.
* The maximum size of the channel binding is therefore 21 + 64 = 85 bytes.
*/
#define SSL_CB_MAX_SIZE 85
/* Return the tls-server-end-point channel binding, including the
* 'tls-server-end-point:' prefix.
* If successful, the data is written to the dynbuf, and CURLE_OK is returned.
* The dynbuf MUST HAVE a minimum toobig size of SSL_CB_MAX_SIZE.
* If the dynbuf is too small, CURLE_OUT_OF_MEMORY is returned.
* If channel binding is not supported, binding stays empty and CURLE_OK is
* returned.
*/
CURLcode Curl_ssl_get_channel_binding(struct Curl_easy *data, int sockindex,
struct dynbuf *binding);
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
struct connectdata *conn,
int sockindex);
CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
struct Curl_easy *data);
CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
int sockindex, bool send_shutdown);
#ifndef CURL_DISABLE_PROXY
CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
struct Curl_easy *data);
#endif /* !CURL_DISABLE_PROXY */
/**
* True iff the underlying SSL implementation supports the option.
* Option is one of the defined SSLSUPP_* values.
* `data` maybe NULL for the features of the default implementation.
*/
bool Curl_ssl_supports(struct Curl_easy *data, unsigned int ssl_option);
/**
* Get the ssl_config_data in `data` that is relevant for cfilter `cf`.
*/
struct ssl_config_data *Curl_ssl_cf_get_config(struct Curl_cfilter *cf,
struct Curl_easy *data);
/**
* Get the primary config relevant for the filter from its connection.
*/
struct ssl_primary_config *
Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf);
extern struct Curl_cftype Curl_cft_ssl;
#ifndef CURL_DISABLE_PROXY
extern struct Curl_cftype Curl_cft_ssl_proxy;
#endif
#else /* if not USE_SSL */
/* When SSL support is not present, just define away these function calls */
#define Curl_ssl_init() 1
#define Curl_ssl_cleanup() Curl_nop_stmt
#define Curl_ssl_close_all(x) Curl_nop_stmt
#define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
#define Curl_ssl_engines_list(x) NULL
#define Curl_ssl_free_certinfo(x) Curl_nop_stmt
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
#define Curl_ssl_cert_status_request() FALSE
#define Curl_ssl_supports(a,b) FALSE
#define Curl_ssl_cfilter_add(a,b,c) CURLE_NOT_BUILT_IN
#define Curl_ssl_cfilter_remove(a,b,c) CURLE_OK
#define Curl_ssl_cf_get_config(a,b) NULL
#define Curl_ssl_cf_get_primary_config(a) NULL
#endif
#endif /* HEADER_CURL_VTLS_H */
External/curl-8.17.0/lib/vtls/vtls_int.h
Vendored
+208
View File
@@ -0,0 +1,208 @@
#ifndef HEADER_CURL_VTLS_INT_H
#define HEADER_CURL_VTLS_INT_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#include "../cfilters.h"
#include "../urldata.h"
#include "vtls.h"
#ifdef USE_SSL
struct Curl_ssl;
struct ssl_connect_data;
/* see https://www.iana.org/assignments/tls-extensiontype-values/ */
#define ALPN_HTTP_1_1_LENGTH 8
#define ALPN_HTTP_1_1 "http/1.1"
#define ALPN_H2_LENGTH 2
#define ALPN_H2 "h2"
#define ALPN_H3_LENGTH 2
#define ALPN_H3 "h3"
/* conservative sizes on the ALPN entries and count we are handling,
* we can increase these if we ever feel the need or have to accommodate
* ALPN strings from the "outside". */
#define ALPN_NAME_MAX 10
#define ALPN_ENTRIES_MAX 3
#define ALPN_PROTO_BUF_MAX (ALPN_ENTRIES_MAX * (ALPN_NAME_MAX + 1))
struct alpn_spec {
char entries[ALPN_ENTRIES_MAX][ALPN_NAME_MAX];
size_t count; /* number of entries */
};
struct alpn_proto_buf {
unsigned char data[ALPN_PROTO_BUF_MAX];
int len;
};
CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
const struct alpn_spec *spec);
CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
const struct alpn_spec *spec);
void Curl_alpn_restrict_to(struct alpn_spec *spec, const char *proto);
void Curl_alpn_copy(struct alpn_spec *dest, const struct alpn_spec *src);
CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_connect_data *connssl,
const unsigned char *proto,
size_t proto_len);
bool Curl_alpn_contains_proto(const struct alpn_spec *spec,
const char *proto);
/* enum for the nonblocking SSL connection state machine */
typedef enum {
ssl_connect_1,
ssl_connect_2,
ssl_connect_3,
ssl_connect_done
} ssl_connect_state;
typedef enum {
ssl_connection_none,
ssl_connection_deferred,
ssl_connection_negotiating,
ssl_connection_complete
} ssl_connection_state;
typedef enum {
ssl_earlydata_none,
ssl_earlydata_await,
ssl_earlydata_sending,
ssl_earlydata_sent,
ssl_earlydata_accepted,
ssl_earlydata_rejected
} ssl_earlydata_state;
#define CURL_SSL_IO_NEED_NONE (0)
#define CURL_SSL_IO_NEED_RECV (1<<0)
#define CURL_SSL_IO_NEED_SEND (1<<1)
/* Max earlydata payload we want to send */
#define CURL_SSL_EARLY_MAX (64*1024)
/* Information in each SSL cfilter context: cf->ctx */
struct ssl_connect_data {
const struct Curl_ssl *ssl_impl; /* TLS backend for this filter */
struct ssl_peer peer; /* peer the filter talks to */
const struct alpn_spec *alpn; /* ALPN to use or NULL for none */
void *backend; /* vtls backend specific props */
struct cf_call_data call_data; /* data handle used in current call */
struct curltime handshake_done; /* time when handshake finished */
struct {
char *alpn; /* ALPN value or NULL */
} negotiated;
struct bufq earlydata; /* earlydata to be send to peer */
size_t earlydata_max; /* max earlydata allowed by peer */
size_t earlydata_skip; /* sending bytes to skip when earlydata
* is accepted by peer */
ssl_connection_state state;
ssl_connect_state connecting_state;
ssl_earlydata_state earlydata_state;
int io_need; /* TLS signals special SEND/RECV needs */
BIT(use_alpn); /* if ALPN shall be used in handshake */
BIT(peer_closed); /* peer has closed connection */
BIT(prefs_checked); /* SSL preferences have been checked */
BIT(input_pending); /* data for SSL_read() may be available */
};
#undef CF_CTX_CALL_DATA
#define CF_CTX_CALL_DATA(cf) \
((struct ssl_connect_data *)(cf)->ctx)->call_data
/* Definitions for SSL Implementations */
struct Curl_ssl {
/*
* This *must* be the first entry to allow returning the list of available
* backends in curl_global_sslset().
*/
curl_ssl_backend info;
unsigned int supports; /* bitfield, see above */
size_t sizeof_ssl_backend_data;
int (*init)(void);
void (*cleanup)(void);
size_t (*version)(char *buffer, size_t size);
CURLcode (*shut_down)(struct Curl_cfilter *cf, struct Curl_easy *data,
bool send_shutdown, bool *done);
/* data_pending() shall return TRUE when it wants to get called again to
drain internal buffers and deliver data instead of waiting for the socket
to get readable */
bool (*data_pending)(struct Curl_cfilter *cf,
const struct Curl_easy *data);
/* return 0 if a find random is filled in */
CURLcode (*random)(struct Curl_easy *data, unsigned char *entropy,
size_t length);
bool (*cert_status_request)(void);
CURLcode (*do_connect)(struct Curl_cfilter *cf, struct Curl_easy *data,
bool *done);
/* During handshake/shutdown, adjust the pollset to include the socket
* for POLLOUT or POLLIN as needed. Mandatory. */
CURLcode (*adjust_pollset)(struct Curl_cfilter *cf, struct Curl_easy *data,
struct easy_pollset *ps);
void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info);
void (*close)(struct Curl_cfilter *cf, struct Curl_easy *data);
void (*close_all)(struct Curl_easy *data);
CURLcode (*set_engine)(struct Curl_easy *data, const char *engine);
CURLcode (*set_engine_default)(struct Curl_easy *data);
struct curl_slist *(*engines_list)(struct Curl_easy *data);
CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen,
unsigned char *sha256sum, size_t sha256sumlen);
CURLcode (*recv_plain)(struct Curl_cfilter *cf, struct Curl_easy *data,
char *buf, size_t len, size_t *pnread);
CURLcode (*send_plain)(struct Curl_cfilter *cf, struct Curl_easy *data,
const void *mem, size_t len, size_t *pnwritten);
CURLcode (*get_channel_binding)(struct Curl_easy *data, int sockindex,
struct dynbuf *binding);
};
extern const struct Curl_ssl *Curl_ssl;
CURLcode Curl_ssl_adjust_pollset(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct easy_pollset *ps);
/**
* Get the SSL filter below the given one or NULL if there is none.
*/
bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf);
#endif /* USE_SSL */
#endif /* HEADER_CURL_VTLS_INT_H */
External/curl-8.17.0/lib/vtls/vtls_scache.c
Vendored
+1236
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/vtls_scache.h
Vendored
+217
View File
@@ -0,0 +1,217 @@
#ifndef HEADER_CURL_VTLS_SCACHE_H
#define HEADER_CURL_VTLS_SCACHE_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#include "../cfilters.h"
#include "../urldata.h"
#ifdef USE_SSL
struct Curl_cfilter;
struct Curl_easy;
struct Curl_ssl_scache;
struct Curl_ssl_session;
struct ssl_peer;
/* RFC 8446 (TLSv1.3) restrict lifetime to one week max, for
* other, less secure versions, we restrict it to a day */
#define CURL_SCACHE_MAX_13_LIFETIME_SEC (60*60*24*7)
#define CURL_SCACHE_MAX_12_LIFETIME_SEC (60*60*24)
/* Create a session cache for up to max_peers endpoints with a total
* of up to max_sessions SSL sessions per peer */
CURLcode Curl_ssl_scache_create(size_t max_peers,
size_t max_sessions_per_peer,
struct Curl_ssl_scache **pscache);
void Curl_ssl_scache_destroy(struct Curl_ssl_scache *scache);
/* Create a key from peer and TLS configuration information that is
* unique for how the connection filter wants to establish a TLS
* connection to the peer.
* If the filter is a TLS proxy filter, it will use the proxy relevant
* information.
* @param cf the connection filter wanting to use it
* @param peer the peer the filter wants to talk to
* @param tls_id identifier of TLS implementation for sessions. Should
* include full version if session data from other versions
* is to be avoided.
* @param ppeer_key on successful return, the key generated
*/
CURLcode Curl_ssl_peer_key_make(struct Curl_cfilter *cf,
const struct ssl_peer *peer,
const char *tls_id,
char **ppeer_key);
/* Return if there is a session cache shall be used.
* An ssl session might not be configured or not available for
* "connect-only" transfers.
*/
bool Curl_ssl_scache_use(struct Curl_cfilter *cf, struct Curl_easy *data);
/* Lock session cache mutex.
* Call this before calling other Curl_ssl_*session* functions
* Caller should unlock this mutex as soon as possible, as it may block
* other SSL connection from making progress.
* The purpose of explicitly locking SSL session cache data is to allow
* individual SSL engines to manage session lifetime in their specific way.
*/
void Curl_ssl_scache_lock(struct Curl_easy *data);
/* Unlock session cache mutex */
void Curl_ssl_scache_unlock(struct Curl_easy *data);
/* Get TLS session object from the cache for the ssl_peer_ey.
* scache mutex must be locked (see Curl_ssl_scache_lock).
* Caller must make sure that the ownership of returned session object
* is properly taken (e.g. its refcount is incremented
* under scache mutex).
* @param cf the connection filter wanting to use it
* @param data the transfer involved
* @param ssl_peer_key the key for lookup
* @retval sobj the object for the peer key or NULL
*/
void *Curl_ssl_scache_get_obj(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key);
typedef void Curl_ssl_scache_obj_dtor(void *sobj);
/* Add a TLS session related object to the cache.
* Replaces an existing object with the same peer_key.
* scache mutex must be locked (see Curl_ssl_scache_lock).
* Call takes ownership of `sobj`, using `sobj_dtor_cb`
* to deallocate it. Is called in all outcomes, either right away or
* later when the session cache is cleaned up.
* Caller must ensure that it has properly shared ownership of `sobj`
* with cache (e.g. incrementing refcount on success)
* @param cf the connection filter wanting to use it
* @param data the transfer involved
* @param ssl_peer_key the key for lookup
* @param sobj the TLS session object
* @param sobj_free_cb callback to free the session objectt
*/
CURLcode Curl_ssl_scache_add_obj(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
void *sobj,
Curl_ssl_scache_obj_dtor *sobj_dtor_cb);
/* All about an SSL session ticket */
struct Curl_ssl_session {
const void *sdata; /* session ticket data, plain bytes */
size_t sdata_len; /* number of bytes in sdata */
curl_off_t valid_until; /* seconds since EPOCH until ticket expires */
int ietf_tls_id; /* TLS protocol identifier negotiated */
char *alpn; /* APLN TLS negotiated protocol string */
size_t earlydata_max; /* max 0-RTT data supported by peer */
const unsigned char *quic_tp; /* Optional QUIC transport param bytes */
size_t quic_tp_len; /* number of bytes in quic_tp */
struct Curl_llist_node list; /* internal storage handling */
};
/* Create a `session` instance. Does NOT need locking.
* Takes ownership of `sdata` and `sobj` regardless of return code.
* @param sdata bytes of SSL session data or NULL (sobj then required)
* @param sdata_len amount of session data bytes
* @param ietf_tls_id IETF protocol version, e.g. 0x304 for TLSv1.3
* @param alpn ALPN protocol selected or NULL
* @param valid_until seconds since EPOCH when session expires, pass 0
* in case this is not known.
* @param psession on return the scached session instance created
*/
CURLcode
Curl_ssl_session_create(void *sdata, size_t sdata_len,
int ietf_tls_id, const char *alpn,
curl_off_t valid_until,
size_t earlydata_max,
struct Curl_ssl_session **psession);
/* Variation of session creation with quic transport parameter bytes,
* Takes ownership of `quic_tp` regardless of return code. */
CURLcode
Curl_ssl_session_create2(void *sdata, size_t sdata_len,
int ietf_tls_id, const char *alpn,
curl_off_t valid_until,
size_t earlydata_max,
unsigned char *quic_tp, size_t quic_tp_len,
struct Curl_ssl_session **psession);
/* Destroy a `session` instance. Can be called with NULL.
* Does NOT need locking. */
void Curl_ssl_session_destroy(struct Curl_ssl_session *s);
/* Put the scache session into the cache. Does NOT need locking.
* Call takes ownership of `s` in all outcomes.
* @param cf the connection filter wanting to use it
* @param data the transfer involved
* @param ssl_peer_key the key for lookup
* @param s the scache session object
*/
CURLcode Curl_ssl_scache_put(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
struct Curl_ssl_session *s);
/* Take a matching scache session from the cache. Does NOT need locking.
* @param cf the connection filter wanting to use it
* @param data the transfer involved
* @param ssl_peer_key the key for lookup
* @param s on return, the scache session object or NULL
*/
CURLcode Curl_ssl_scache_take(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
struct Curl_ssl_session **ps);
/* Return a taken scache session to the cache. Does NOT need locking.
* Depending on TLS version and other criteria, it may cache it again
* or destroy it. Maybe called with a NULL session.
*/
void Curl_ssl_scache_return(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
struct Curl_ssl_session *s);
/* Remove all sessions and obj for the peer_key. Does NOT need locking. */
void Curl_ssl_scache_remove_all(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key);
#ifdef USE_SSLS_EXPORT
CURLcode Curl_ssl_session_import(struct Curl_easy *data,
const char *ssl_peer_key,
const unsigned char *shmac, size_t shmac_len,
const void *sdata, size_t sdata_len);
CURLcode Curl_ssl_session_export(struct Curl_easy *data,
curl_ssls_export_cb *export_fn,
void *userptr);
#endif /* USE_SSLS_EXPORT */
#endif /* USE_SSL */
#endif /* HEADER_CURL_VTLS_SCACHE_H */
External/curl-8.17.0/lib/vtls/vtls_spack.c
Vendored
+346
View File
@@ -0,0 +1,346 @@
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_SSL) && defined(USE_SSLS_EXPORT)
#include "../urldata.h"
#include "../curl_trc.h"
#include "vtls_scache.h"
#include "vtls_spack.h"
#include "../strdup.h"
/* The last #include files should be: */
#include "../curl_memory.h"
#include "../memdebug.h"
#ifdef _MSC_VER
#if _MSC_VER >= 1600
#include <stdint.h>
#else
typedef unsigned char uint8_t;
typedef unsigned __int16 uint16_t;
typedef unsigned __int32 uint32_t;
typedef unsigned __int64 uint64_t;
#endif
#endif /* _MSC_VER */
#ifndef UINT16_MAX
#define UINT16_MAX 0xffff
#endif
#ifndef UINT32_MAX
#define UINT32_MAX 0xffffffff
#endif
#define CURL_SPACK_VERSION 0x01
#define CURL_SPACK_IETF_ID 0x02
#define CURL_SPACK_VALID_UNTIL 0x03
#define CURL_SPACK_TICKET 0x04
#define CURL_SPACK_ALPN 0x05
#define CURL_SPACK_EARLYDATA 0x06
#define CURL_SPACK_QUICTP 0x07
static CURLcode spack_enc8(struct dynbuf *buf, uint8_t b)
{
return curlx_dyn_addn(buf, &b, 1);
}
static CURLcode
spack_dec8(uint8_t *val, const uint8_t **src, const uint8_t *end)
{
if(end - *src < 1)
return CURLE_READ_ERROR;
*val = **src;
*src += 1;
return CURLE_OK;
}
static CURLcode spack_enc16(struct dynbuf *buf, uint16_t val)
{
uint8_t nval[2];
nval[0] = (uint8_t)(val >> 8);
nval[1] = (uint8_t)val;
return curlx_dyn_addn(buf, nval, sizeof(nval));
}
static CURLcode
spack_dec16(uint16_t *val, const uint8_t **src, const uint8_t *end)
{
if(end - *src < 2)
return CURLE_READ_ERROR;
*val = (uint16_t)((*src)[0] << 8 | (*src)[1]);
*src += 2;
return CURLE_OK;
}
static CURLcode spack_enc32(struct dynbuf *buf, uint32_t val)
{
uint8_t nval[4];
nval[0] = (uint8_t)(val >> 24);
nval[1] = (uint8_t)(val >> 16);
nval[2] = (uint8_t)(val >> 8);
nval[3] = (uint8_t)val;
return curlx_dyn_addn(buf, nval, sizeof(nval));
}
static CURLcode
spack_dec32(uint32_t *val, const uint8_t **src, const uint8_t *end)
{
if(end - *src < 4)
return CURLE_READ_ERROR;
*val = (uint32_t)(*src)[0] << 24 | (uint32_t)(*src)[1] << 16 |
(uint32_t)(*src)[2] << 8 | (*src)[3];
*src += 4;
return CURLE_OK;
}
static CURLcode spack_enc64(struct dynbuf *buf, uint64_t val)
{
uint8_t nval[8];
nval[0] = (uint8_t)(val >> 56);
nval[1] = (uint8_t)(val >> 48);
nval[2] = (uint8_t)(val >> 40);
nval[3] = (uint8_t)(val >> 32); \
nval[4] = (uint8_t)(val >> 24);
nval[5] = (uint8_t)(val >> 16);
nval[6] = (uint8_t)(val >> 8);
nval[7] = (uint8_t)val;
return curlx_dyn_addn(buf, nval, sizeof(nval));
}
static CURLcode
spack_dec64(uint64_t *val, const uint8_t **src, const uint8_t *end)
{
if(end - *src < 8)
return CURLE_READ_ERROR;
*val = (uint64_t)(*src)[0] << 56 | (uint64_t)(*src)[1] << 48 |
(uint64_t)(*src)[2] << 40 | (uint64_t)(*src)[3] << 32 |
(uint64_t)(*src)[4] << 24 | (uint64_t)(*src)[5] << 16 |
(uint64_t)(*src)[6] << 8 | (*src)[7];
*src += 8;
return CURLE_OK;
}
static CURLcode spack_encstr16(struct dynbuf *buf, const char *s)
{
size_t slen = strlen(s);
CURLcode r;
if(slen > UINT16_MAX)
return CURLE_BAD_FUNCTION_ARGUMENT;
r = spack_enc16(buf, (uint16_t)slen);
if(!r) {
r = curlx_dyn_addn(buf, s, slen);
}
return r;
}
static CURLcode
spack_decstr16(char **val, const uint8_t **src, const uint8_t *end)
{
uint16_t slen;
CURLcode r;
*val = NULL;
r = spack_dec16(&slen, src, end);
if(r)
return r;
if(end - *src < slen)
return CURLE_READ_ERROR;
*val = Curl_memdup0((const char *)(*src), slen);
*src += slen;
return *val ? CURLE_OK : CURLE_OUT_OF_MEMORY;
}
static CURLcode spack_encdata16(struct dynbuf *buf,
const uint8_t *data, size_t data_len)
{
CURLcode r;
if(data_len > UINT16_MAX)
return CURLE_BAD_FUNCTION_ARGUMENT;
r = spack_enc16(buf, (uint16_t)data_len);
if(!r) {
r = curlx_dyn_addn(buf, data, data_len);
}
return r;
}
static CURLcode
spack_decdata16(uint8_t **val, size_t *val_len,
const uint8_t **src, const uint8_t *end)
{
uint16_t data_len;
CURLcode r;
*val = NULL;
r = spack_dec16(&data_len, src, end);
if(r)
return r;
if(end - *src < data_len)
return CURLE_READ_ERROR;
*val = Curl_memdup0((const char *)(*src), data_len);
*val_len = data_len;
*src += data_len;
return *val ? CURLE_OK : CURLE_OUT_OF_MEMORY;
}
CURLcode Curl_ssl_session_pack(struct Curl_easy *data,
struct Curl_ssl_session *s,
struct dynbuf *buf)
{
CURLcode r;
DEBUGASSERT(s->sdata);
DEBUGASSERT(s->sdata_len);
if(s->valid_until < 0)
return CURLE_BAD_FUNCTION_ARGUMENT;
r = spack_enc8(buf, CURL_SPACK_VERSION);
if(!r)
r = spack_enc8(buf, CURL_SPACK_TICKET);
if(!r)
r = spack_encdata16(buf, s->sdata, s->sdata_len);
if(!r)
r = spack_enc8(buf, CURL_SPACK_IETF_ID);
if(!r)
r = spack_enc16(buf, (uint16_t)s->ietf_tls_id);
if(!r)
r = spack_enc8(buf, CURL_SPACK_VALID_UNTIL);
if(!r)
r = spack_enc64(buf, (uint64_t)s->valid_until);
if(!r && s->alpn) {
r = spack_enc8(buf, CURL_SPACK_ALPN);
if(!r)
r = spack_encstr16(buf, s->alpn);
}
if(!r && s->earlydata_max) {
if(s->earlydata_max > UINT32_MAX)
r = CURLE_BAD_FUNCTION_ARGUMENT;
if(!r)
r = spack_enc8(buf, CURL_SPACK_EARLYDATA);
if(!r)
r = spack_enc32(buf, (uint32_t)s->earlydata_max);
}
if(!r && s->quic_tp && s->quic_tp_len) {
r = spack_enc8(buf, CURL_SPACK_QUICTP);
if(!r)
r = spack_encdata16(buf, s->quic_tp, s->quic_tp_len);
}
if(r)
CURL_TRC_SSLS(data, "error packing data: %d", r);
return r;
}
CURLcode Curl_ssl_session_unpack(struct Curl_easy *data,
const void *bufv, size_t buflen,
struct Curl_ssl_session **ps)
{
struct Curl_ssl_session *s = NULL;
const unsigned char *buf = (const unsigned char *)bufv;
const unsigned char *end = buf + buflen;
uint8_t val8, *pval8;
uint16_t val16;
uint32_t val32;
uint64_t val64;
CURLcode r;
DEBUGASSERT(buf);
DEBUGASSERT(buflen);
*ps = NULL;
r = spack_dec8(&val8, &buf, end);
if(r)
goto out;
if(val8 != CURL_SPACK_VERSION) {
r = CURLE_READ_ERROR;
goto out;
}
s = calloc(1, sizeof(*s));
if(!s) {
r = CURLE_OUT_OF_MEMORY;
goto out;
}
while(buf < end) {
r = spack_dec8(&val8, &buf, end);
if(r)
goto out;
switch(val8) {
case CURL_SPACK_ALPN:
r = spack_decstr16(&s->alpn, &buf, end);
if(r)
goto out;
break;
case CURL_SPACK_EARLYDATA:
r = spack_dec32(&val32, &buf, end);
if(r)
goto out;
s->earlydata_max = val32;
break;
case CURL_SPACK_IETF_ID:
r = spack_dec16(&val16, &buf, end);
if(r)
goto out;
s->ietf_tls_id = val16;
break;
case CURL_SPACK_QUICTP: {
r = spack_decdata16(&pval8, &s->quic_tp_len, &buf, end);
if(r)
goto out;
s->quic_tp = pval8;
break;
}
case CURL_SPACK_TICKET: {
r = spack_decdata16(&pval8, &s->sdata_len, &buf, end);
if(r)
goto out;
s->sdata = pval8;
break;
}
case CURL_SPACK_VALID_UNTIL:
r = spack_dec64(&val64, &buf, end);
if(r)
goto out;
s->valid_until = (curl_off_t)val64;
break;
default: /* unknown tag */
r = CURLE_READ_ERROR;
goto out;
}
}
out:
if(r) {
CURL_TRC_SSLS(data, "error unpacking data: %d", r);
Curl_ssl_session_destroy(s);
}
else
*ps = s;
return r;
}
#endif /* USE_SSL && USE_SSLS_EXPORT */
External/curl-8.17.0/lib/vtls/vtls_spack.h
Vendored
+43
View File
@@ -0,0 +1,43 @@
#ifndef HEADER_CURL_VTLS_SPACK_H
#define HEADER_CURL_VTLS_SPACK_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_SSL) && defined(USE_SSLS_EXPORT)
struct dynbuf;
struct Curl_ssl_session;
CURLcode Curl_ssl_session_pack(struct Curl_easy *data,
struct Curl_ssl_session *s,
struct dynbuf *buf);
CURLcode Curl_ssl_session_unpack(struct Curl_easy *data,
const void *bufv, size_t buflen,
struct Curl_ssl_session **ps);
#endif /* USE_SSL && USE_SSLS_EXPORT */
#endif /* HEADER_CURL_VTLS_SPACK_H */
External/curl-8.17.0/lib/vtls/wolfssl.c
Vendored
+2321
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/wolfssl.h
Vendored
+95
View File
@@ -0,0 +1,95 @@
#ifndef HEADER_CURL_WOLFSSL_H
#define HEADER_CURL_WOLFSSL_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#ifdef USE_WOLFSSL
#include "../urldata.h"
struct alpn_spec;
struct ssl_peer;
struct Curl_ssl_session;
struct WOLFSSL;
struct WOLFSSL_CTX;
struct WOLFSSL_SESSION;
extern const struct Curl_ssl Curl_ssl_wolfssl;
struct wssl_ctx {
struct WOLFSSL_CTX *ssl_ctx;
struct WOLFSSL *ssl;
CURLcode io_result; /* result of last BIO cfilter operation */
CURLcode hs_result; /* result of handshake */
int io_send_blocked_len; /* length of last BIO write that EAGAIN-ed */
BIT(x509_store_setup); /* x509 store has been set up */
BIT(shutting_down); /* TLS is being shut down */
};
size_t Curl_wssl_version(char *buffer, size_t size);
typedef CURLcode Curl_wssl_ctx_setup_cb(struct Curl_cfilter *cf,
struct Curl_easy *data,
void *user_data);
typedef CURLcode Curl_wssl_init_session_reuse_cb(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct alpn_spec *alpns,
struct Curl_ssl_session *scs,
bool *do_early_data);
CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
struct Curl_cfilter *cf,
struct Curl_easy *data,
struct ssl_peer *peer,
const struct alpn_spec *alpns,
Curl_wssl_ctx_setup_cb *cb_setup,
void *cb_user_data,
void *ssl_user_data,
Curl_wssl_init_session_reuse_cb *sess_reuse_cb);
CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct wssl_ctx *wssl);
CURLcode Curl_wssl_cache_session(struct Curl_cfilter *cf,
struct Curl_easy *data,
const char *ssl_peer_key,
struct WOLFSSL_SESSION *session,
int ietf_tls_id,
const char *alpn,
unsigned char *quic_tp,
size_t quic_tp_len);
CURLcode Curl_wssl_verify_pinned(struct Curl_cfilter *cf,
struct Curl_easy *data,
struct wssl_ctx *wssl);
void Curl_wssl_report_handshake(struct Curl_easy *data,
struct wssl_ctx *wssl);
#endif /* USE_WOLFSSL */
#endif /* HEADER_CURL_WOLFSSL_H */
External/curl-8.17.0/lib/vtls/x509asn1.c
Vendored
+1278
View File
File diff suppressed because it is too large Load Diff
External/curl-8.17.0/lib/vtls/x509asn1.h
Vendored
+95
View File
@@ -0,0 +1,95 @@
#ifndef HEADER_CURL_X509ASN1_H
#define HEADER_CURL_X509ASN1_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
* SPDX-License-Identifier: curl
*
***************************************************************************/
#include "../curl_setup.h"
#if defined(USE_GNUTLS) || defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || \
defined(USE_MBEDTLS) || defined(USE_RUSTLS)
#include "../cfilters.h"
#include "../urldata.h"
/*
* Types.
*/
/* ASN.1 parsed element. */
struct Curl_asn1Element {
const char *header; /* Pointer to header byte. */
const char *beg; /* Pointer to element data. */
const char *end; /* Pointer to 1st byte after element. */
unsigned char eclass; /* ASN.1 element class. */
unsigned char tag; /* ASN.1 element tag. */
BIT(constructed); /* Element is constructed. */
};
/* X509 certificate: RFC 5280. */
struct Curl_X509certificate {
struct Curl_asn1Element certificate;
struct Curl_asn1Element version;
struct Curl_asn1Element serialNumber;
struct Curl_asn1Element signatureAlgorithm;
struct Curl_asn1Element signature;
struct Curl_asn1Element issuer;
struct Curl_asn1Element notBefore;
struct Curl_asn1Element notAfter;
struct Curl_asn1Element subject;
struct Curl_asn1Element subjectPublicKeyInfo;
struct Curl_asn1Element subjectPublicKeyAlgorithm;
struct Curl_asn1Element subjectPublicKey;
struct Curl_asn1Element issuerUniqueID;
struct Curl_asn1Element subjectUniqueID;
struct Curl_asn1Element extensions;
};
/*
* Prototypes.
*/
int Curl_parseX509(struct Curl_X509certificate *cert,
const char *beg, const char *end);
CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum,
const char *beg, const char *end);
CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
const char *beg, const char *end);
#ifdef UNITTESTS
#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_MBEDTLS) || \
defined(USE_RUSTLS)
/* used by unit1656.c */
CURLcode Curl_x509_GTime2str(struct dynbuf *store,
const char *beg, const char *end);
/* used by unit1657.c */
CURLcode Curl_x509_getASN1Element(struct Curl_asn1Element *elem,
const char *beg, const char *end);
#endif
#endif
#endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_MBEDTLS or
USE_RUSTLS */
#endif /* HEADER_CURL_X509ASN1_H */