1: #ifndef HEADER_CURL_VTLS_H
2: #define HEADER_CURL_VTLS_H
3: /***************************************************************************
4: * _ _ ____ _
5: * Project ___| | | | _ \| |
6: * / __| | | | |_) | |
7: * | (__| |_| | _ <| |___
8: * \___|\___/|_| \_\_____|
9: *
10: * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
11: *
12: * This software is licensed as described in the file COPYING, which
13: * you should have received as part of this distribution. The terms
14: * are also available at https://curl.haxx.se/docs/copyright.html.
15: *
16: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17: * copies of the Software, and permit persons to whom the Software is
18: * furnished to do so, under the terms of the COPYING file.
19: *
20: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21: * KIND, either express or implied.
22: *
23: ***************************************************************************/
24: #include "curl_setup.h"
25:
26: struct connectdata;
27: struct ssl_connect_data;
28:
29: #define SSLSUPP_CA_PATH (1<<0) /* supports CAPATH */
30: #define SSLSUPP_CERTINFO (1<<1) /* supports CURLOPT_CERTINFO */
31: #define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
32: #define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
33: #define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
34: #define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
35:
36: struct Curl_ssl {
37: /*
38: * This *must* be the first entry to allow returning the list of available
39: * backends in curl_global_sslset().
40: */
41: curl_ssl_backend info;
42: unsigned int supports; /* bitfield, see above */
43: size_t sizeof_ssl_backend_data;
44:
45: int (*init)(void);
46: void (*cleanup)(void);
47:
48: size_t (*version)(char *buffer, size_t size);
49: int (*check_cxn)(struct connectdata *cxn);
50: int (*shut_down)(struct connectdata *conn, int sockindex);
51: bool (*data_pending)(const struct connectdata *conn,
52: int connindex);
53:
54: /* return 0 if a find random is filled in */
55: CURLcode (*random)(struct Curl_easy *data, unsigned char *entropy,
56: size_t length);
57: bool (*cert_status_request)(void);
58:
59: CURLcode (*connect_blocking)(struct connectdata *conn, int sockindex);
60: CURLcode (*connect_nonblocking)(struct connectdata *conn, int sockindex,
61: bool *done);
62: void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info);
63: void (*close_one)(struct connectdata *conn, int sockindex);
64: void (*close_all)(struct Curl_easy *data);
65: void (*session_free)(void *ptr);
66:
67: CURLcode (*set_engine)(struct Curl_easy *data, const char *engine);
68: CURLcode (*set_engine_default)(struct Curl_easy *data);
69: struct curl_slist *(*engines_list)(struct Curl_easy *data);
70:
71: bool (*false_start)(void);
72:
73: CURLcode (*md5sum)(unsigned char *input, size_t inputlen,
74: unsigned char *md5sum, size_t md5sumlen);
75: CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen,
76: unsigned char *sha256sum, size_t sha256sumlen);
77: };
78:
79: #ifdef USE_SSL
80: extern const struct Curl_ssl *Curl_ssl;
81: #endif
82:
83: int Curl_none_init(void);
84: void Curl_none_cleanup(void);
85: int Curl_none_shutdown(struct connectdata *conn, int sockindex);
86: int Curl_none_check_cxn(struct connectdata *conn);
87: CURLcode Curl_none_random(struct Curl_easy *data, unsigned char *entropy,
88: size_t length);
89: void Curl_none_close_all(struct Curl_easy *data);
90: void Curl_none_session_free(void *ptr);
91: bool Curl_none_data_pending(const struct connectdata *conn, int connindex);
92: bool Curl_none_cert_status_request(void);
93: CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine);
94: CURLcode Curl_none_set_engine_default(struct Curl_easy *data);
95: struct curl_slist *Curl_none_engines_list(struct Curl_easy *data);
96: bool Curl_none_false_start(void);
97: bool Curl_ssl_tls13_ciphersuites(void);
98: CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
99: unsigned char *md5sum, size_t md5len);
100:
101: #include "openssl.h" /* OpenSSL versions */
102: #include "gtls.h" /* GnuTLS versions */
103: #include "nssg.h" /* NSS versions */
104: #include "gskit.h" /* Global Secure ToolKit versions */
105: #include "wolfssl.h" /* wolfSSL versions */
106: #include "schannel.h" /* Schannel SSPI version */
107: #include "sectransp.h" /* SecureTransport (Darwin) version */
108: #include "mbedtls.h" /* mbedTLS versions */
109: #include "mesalink.h" /* MesaLink versions */
110: #include "bearssl.h" /* BearSSL versions */
111:
112: #ifndef MAX_PINNED_PUBKEY_SIZE
113: #define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */
114: #endif
115:
116: #ifndef MD5_DIGEST_LENGTH
117: #ifndef LIBWOLFSSL_VERSION_HEX /* because WolfSSL borks this */
118: #define MD5_DIGEST_LENGTH 16 /* fixed size */
119: #endif
120: #endif
121:
122: #ifndef CURL_SHA256_DIGEST_LENGTH
123: #define CURL_SHA256_DIGEST_LENGTH 32 /* fixed size */
124: #endif
125:
126: /* see https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04 */
127: #define ALPN_HTTP_1_1_LENGTH 8
128: #define ALPN_HTTP_1_1 "http/1.1"
129:
130: /* set of helper macros for the backends to access the correct fields. For the
131: proxy or for the remote host - to properly support HTTPS proxy */
132:
133: #define SSL_IS_PROXY() (CURLPROXY_HTTPS == conn->http_proxy.proxytype && \
134: ssl_connection_complete != conn->proxy_ssl[conn->sock[SECONDARYSOCKET] == \
135: CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
136: #define SSL_SET_OPTION(var) (SSL_IS_PROXY() ? data->set.proxy_ssl.var : \
137: data->set.ssl.var)
138: #define SSL_CONN_CONFIG(var) (SSL_IS_PROXY() ? \
139: conn->proxy_ssl_config.var : conn->ssl_config.var)
140:
141: bool Curl_ssl_config_matches(struct ssl_primary_config* data,
142: struct ssl_primary_config* needle);
143: bool Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
144: struct ssl_primary_config *dest);
145: void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc);
146: int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks);
147:
148: int Curl_ssl_backend(void);
149:
150: #ifdef USE_SSL
151: int Curl_ssl_init(void);
152: void Curl_ssl_cleanup(void);
153: CURLcode Curl_ssl_connect(struct connectdata *conn, int sockindex);
154: CURLcode Curl_ssl_connect_nonblocking(struct connectdata *conn,
155: int sockindex,
156: bool *done);
157: /* tell the SSL stuff to close down all open information regarding
158: connections (and thus session ID caching etc) */
159: void Curl_ssl_close_all(struct Curl_easy *data);
160: void Curl_ssl_close(struct connectdata *conn, int sockindex);
161: CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex);
162: CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine);
163: /* Sets engine as default for all SSL operations */
164: CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data);
165: struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data);
166:
167: /* init the SSL session ID cache */
168: CURLcode Curl_ssl_initsessions(struct Curl_easy *, size_t);
169: size_t Curl_ssl_version(char *buffer, size_t size);
170: bool Curl_ssl_data_pending(const struct connectdata *conn,
171: int connindex);
172: int Curl_ssl_check_cxn(struct connectdata *conn);
173:
174: /* Certificate information list handling. */
175:
176: void Curl_ssl_free_certinfo(struct Curl_easy *data);
177: CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num);
178: CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data, int certnum,
179: const char *label, const char *value,
180: size_t valuelen);
181: CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum,
182: const char *label, const char *value);
183:
184: /* Functions to be used by SSL library adaptation functions */
185:
186: /* Lock session cache mutex.
187: * Call this before calling other Curl_ssl_*session* functions
188: * Caller should unlock this mutex as soon as possible, as it may block
189: * other SSL connection from making progress.
190: * The purpose of explicitly locking SSL session cache data is to allow
191: * individual SSL engines to manage session lifetime in their specific way.
192: */
193: void Curl_ssl_sessionid_lock(struct connectdata *conn);
194:
195: /* Unlock session cache mutex */
196: void Curl_ssl_sessionid_unlock(struct connectdata *conn);
197:
198: /* extract a session ID
199: * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
200: * Caller must make sure that the ownership of returned sessionid object
201: * is properly taken (e.g. its refcount is incremented
202: * under sessionid mutex).
203: */
204: bool Curl_ssl_getsessionid(struct connectdata *conn,
205: void **ssl_sessionid,
206: size_t *idsize, /* set 0 if unknown */
207: int sockindex);
208: /* add a new session ID
209: * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
210: * Caller must ensure that it has properly shared ownership of this sessionid
211: * object with cache (e.g. incrementing refcount on success)
212: */
213: CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
214: void *ssl_sessionid,
215: size_t idsize,
216: int sockindex);
217: /* Kill a single session ID entry in the cache
218: * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
219: * This will call engine-specific curlssl_session_free function, which must
220: * take sessionid object ownership from sessionid cache
221: * (e.g. decrement refcount).
222: */
223: void Curl_ssl_kill_session(struct curl_ssl_session *session);
224: /* delete a session from the cache
225: * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
226: * This will call engine-specific curlssl_session_free function, which must
227: * take sessionid object ownership from sessionid cache
228: * (e.g. decrement refcount).
229: */
230: void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid);
231:
232: /* get N random bytes into the buffer */
233: CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer,
234: size_t length);
235: CURLcode Curl_ssl_md5sum(unsigned char *tmp, /* input */
236: size_t tmplen,
237: unsigned char *md5sum, /* output */
238: size_t md5len);
239: /* Check pinned public key. */
240: CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
241: const char *pinnedpubkey,
242: const unsigned char *pubkey, size_t pubkeylen);
243:
244: bool Curl_ssl_cert_status_request(void);
245:
246: bool Curl_ssl_false_start(void);
247:
248: #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
249:
250: #else /* if not USE_SSL */
251:
252: /* When SSL support is not present, just define away these function calls */
253: #define Curl_ssl_init() 1
254: #define Curl_ssl_cleanup() Curl_nop_stmt
255: #define Curl_ssl_connect(x,y) CURLE_NOT_BUILT_IN
256: #define Curl_ssl_close_all(x) Curl_nop_stmt
257: #define Curl_ssl_close(x,y) Curl_nop_stmt
258: #define Curl_ssl_shutdown(x,y) CURLE_NOT_BUILT_IN
259: #define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
260: #define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
261: #define Curl_ssl_engines_list(x) NULL
262: #define Curl_ssl_send(a,b,c,d,e) -1
263: #define Curl_ssl_recv(a,b,c,d,e) -1
264: #define Curl_ssl_initsessions(x,y) CURLE_OK
265: #define Curl_ssl_data_pending(x,y) 0
266: #define Curl_ssl_check_cxn(x) 0
267: #define Curl_ssl_free_certinfo(x) Curl_nop_stmt
268: #define Curl_ssl_connect_nonblocking(x,y,z) CURLE_NOT_BUILT_IN
269: #define Curl_ssl_kill_session(x) Curl_nop_stmt
270: #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
271: #define Curl_ssl_cert_status_request() FALSE
272: #define Curl_ssl_false_start() FALSE
273: #define Curl_ssl_tls13_ciphersuites() FALSE
274: #endif
275:
276: #endif /* HEADER_CURL_VTLS_H */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to vtls.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vtls