From dac458ddbf2b48168779821654a7e69cbd828c14 Mon Sep 17 00:00:00 2001 From: Curl Upstream Date: Wed, 21 Dec 2022 08:00:59 +0100 Subject: curl 2022-12-21 (c12fb3dd) Code extracted from: https://github.com/curl/curl.git at commit c12fb3ddaf48e709a7a4deaa55ec485e4df163ee (curl-7_87_0). --- CMake/OtherTests.cmake | 86 +- CMake/Platforms/WindowsCache.cmake | 2 - CMakeLists.txt | 16 +- include/curl/curl.h | 234 +++-- include/curl/curlver.h | 6 +- include/curl/easy.h | 2 +- include/curl/mprintf.h | 2 +- include/curl/multi.h | 8 +- include/curl/system.h | 22 +- include/curl/typecheck-gcc.h | 194 ++-- lib/CMakeLists.txt | 26 + lib/Makefile.inc | 6 +- lib/altsvc.c | 16 +- lib/asyn-ares.c | 9 - lib/asyn-thread.c | 19 +- lib/base64.c | 197 ++-- lib/c-hyper.c | 71 +- lib/cfilters.c | 502 ++++++++++ lib/cfilters.h | 315 ++++++ lib/connect.c | 459 ++++++--- lib/connect.h | 16 +- lib/cookie.c | 26 +- lib/curl_addrinfo.c | 5 - lib/curl_config.h.cmake | 12 - lib/curl_endian.h | 9 - lib/curl_fnmatch.c | 7 +- lib/curl_get_line.c | 30 +- lib/curl_ntlm_core.c | 9 +- lib/curl_ntlm_wb.c | 2 +- lib/curl_path.c | 14 +- lib/curl_range.c | 4 +- lib/curl_rtmp.c | 12 +- lib/curl_sasl.c | 11 +- lib/curl_setup.h | 10 +- lib/curl_setup_once.h | 5 +- lib/curl_sha256.h | 2 +- lib/curl_threads.c | 4 +- lib/dict.c | 2 +- lib/easy.c | 5 +- lib/easyoptions.c | 4 +- lib/escape.c | 2 +- lib/file.c | 25 +- lib/formdata.c | 22 +- lib/ftp.c | 250 ++--- lib/ftplistparser.c | 6 +- lib/getinfo.c | 8 +- lib/gopher.c | 7 +- lib/h2h3.c | 2 +- lib/h2h3.h | 2 +- lib/hostasyn.c | 4 - lib/hostip.c | 4 - lib/hostip.h | 5 - lib/hostip4.c | 15 +- lib/hostip6.c | 4 - lib/hostsyn.c | 4 - lib/hsts.c | 9 +- lib/http.c | 254 ++--- lib/http.h | 2 +- lib/http2.c | 14 +- lib/http2.h | 2 +- lib/http_aws_sigv4.c | 74 +- lib/http_chunks.c | 2 +- lib/http_digest.c | 2 +- lib/http_ntlm.c | 2 +- lib/http_proxy.c | 1884 ++++++++++++++++++++---------------- lib/http_proxy.h | 50 +- lib/idn.c | 193 ++++ lib/idn.h | 38 + lib/idn_win32.c | 121 --- lib/imap.c | 30 +- lib/krb5.c | 19 +- lib/ldap.c | 8 +- lib/md4.c | 73 +- lib/md5.c | 65 +- lib/mime.c | 34 +- lib/mime.h | 16 +- lib/mqtt.c | 4 +- lib/multi.c | 241 ++--- lib/multihandle.h | 8 + lib/nonblock.c | 3 - lib/noproxy.c | 69 +- lib/openldap.c | 6 +- lib/pingpong.c | 5 +- lib/pop3.c | 32 +- lib/rand.c | 4 + lib/rtsp.c | 32 +- lib/rtsp.h | 2 +- lib/sendf.c | 99 +- lib/sendf.h | 5 +- lib/setopt.c | 56 +- lib/setup-os400.h | 8 +- lib/sha256.c | 73 +- lib/smb.c | 25 +- lib/smtp.c | 53 +- lib/socks.c | 457 ++++++--- lib/socks.h | 30 +- lib/strcase.c | 49 +- lib/strcase.h | 8 +- lib/strtoofft.c | 1 + lib/telnet.c | 16 +- lib/transfer.c | 198 ++-- lib/transfer.h | 1 - lib/url.c | 448 +++------ lib/url.h | 22 - lib/urlapi.c | 2 +- lib/urldata.h | 114 +-- lib/vauth/digest.c | 12 +- lib/vauth/digest_sspi.c | 4 +- lib/vauth/krb5_sspi.c | 2 +- lib/vauth/ntlm.c | 2 - lib/vauth/ntlm.h | 3 - lib/vauth/vauth.h | 4 +- lib/version.c | 199 ++-- lib/vquic/ngtcp2.c | 160 +-- lib/vquic/ngtcp2.h | 7 +- lib/vquic/quiche.c | 5 +- lib/vssh/libssh.c | 18 +- lib/vssh/libssh2.c | 28 +- lib/vssh/wolfssh.c | 6 +- lib/vtls/bearssl.c | 186 ++-- lib/vtls/gskit.c | 223 +++-- lib/vtls/gtls.c | 662 +++++++------ lib/vtls/gtls.h | 41 +- lib/vtls/mbedtls.c | 238 +++-- lib/vtls/mbedtls_threadlock.c | 13 +- lib/vtls/mbedtls_threadlock.h | 2 +- lib/vtls/nss.c | 332 ++++--- lib/vtls/openssl.c | 1771 +++++++++++++++++++-------------- lib/vtls/rustls.c | 163 ++-- lib/vtls/schannel.c | 286 +++--- lib/vtls/schannel.h | 7 +- lib/vtls/schannel_verify.c | 24 +- lib/vtls/sectransp.c | 414 ++++---- lib/vtls/vtls.c | 753 ++++++++++---- lib/vtls/vtls.h | 255 ++--- lib/vtls/vtls_int.h | 190 ++++ lib/vtls/wolfssl.c | 367 ++++--- lib/vtls/x509asn1.c | 62 +- lib/vtls/x509asn1.h | 3 +- lib/ws.c | 369 ++++--- lib/ws.h | 6 +- 141 files changed, 8366 insertions(+), 6155 deletions(-) create mode 100644 lib/cfilters.c create mode 100644 lib/cfilters.h create mode 100644 lib/idn.c create mode 100644 lib/idn.h delete mode 100644 lib/idn_win32.c create mode 100644 lib/vtls/vtls_int.h diff --git a/CMake/OtherTests.cmake b/CMake/OtherTests.cmake index b3031f7..ed8d28a 100644 --- a/CMake/OtherTests.cmake +++ b/CMake/OtherTests.cmake @@ -85,51 +85,51 @@ endif() unset(CMAKE_TRY_COMPILE_TARGET_TYPE) -if(NOT DEFINED CMAKE_TOOLCHAIN_FILE) +if(NOT CMAKE_CROSSCOMPILING) if(NOT ${CMAKE_SYSTEM_NAME} MATCHES "Darwin" AND NOT ${CMAKE_SYSTEM_NAME} MATCHES "iOS") - # only try this on non-apple platforms - - # if not cross-compilation... - include(CheckCSourceRuns) - set(CMAKE_REQUIRED_FLAGS "") - if(HAVE_SYS_POLL_H) - set(CMAKE_REQUIRED_FLAGS "-DHAVE_SYS_POLL_H") - elseif(HAVE_POLL_H) - set(CMAKE_REQUIRED_FLAGS "-DHAVE_POLL_H") - endif() - check_c_source_runs(" - #include - #include - - #ifdef HAVE_SYS_POLL_H - # include - #elif HAVE_POLL_H - # include - #endif - - int main(void) - { - if(0 != poll(0, 0, 10)) { - return 1; /* fail */ - } - else { - /* detect the 10.12 poll() breakage */ - struct timeval before, after; - int rc; - size_t us; - - gettimeofday(&before, NULL); - rc = poll(NULL, 0, 500); - gettimeofday(&after, NULL); - - us = (after.tv_sec - before.tv_sec) * 1000000 + - (after.tv_usec - before.tv_usec); - - if(us < 400000) { - return 1; + # only try this on non-apple platforms + + # if not cross-compilation... + include(CheckCSourceRuns) + set(CMAKE_REQUIRED_FLAGS "") + if(HAVE_SYS_POLL_H) + set(CMAKE_REQUIRED_FLAGS "-DHAVE_SYS_POLL_H") + elseif(HAVE_POLL_H) + set(CMAKE_REQUIRED_FLAGS "-DHAVE_POLL_H") + endif() + check_c_source_runs(" + #include + #include + + #ifdef HAVE_SYS_POLL_H + # include + #elif HAVE_POLL_H + # include + #endif + + int main(void) + { + if(0 != poll(0, 0, 10)) { + return 1; /* fail */ + } + else { + /* detect the 10.12 poll() breakage */ + struct timeval before, after; + int rc; + size_t us; + + gettimeofday(&before, NULL); + rc = poll(NULL, 0, 500); + gettimeofday(&after, NULL); + + us = (after.tv_sec - before.tv_sec) * 1000000 + + (after.tv_usec - before.tv_usec); + + if(us < 400000) { + return 1; + } } - } - return 0; + return 0; }" HAVE_POLL_FINE) endif() endif() diff --git a/CMake/Platforms/WindowsCache.cmake b/CMake/Platforms/WindowsCache.cmake index 9a513bb..3cb4ffe 100644 --- a/CMake/Platforms/WindowsCache.cmake +++ b/CMake/Platforms/WindowsCache.cmake @@ -34,7 +34,6 @@ if(NOT UNIX) set(HAVE_NETDB_H 0) set(HAVE_NETINET_IN_H 0) set(HAVE_NET_IF_H 0) - set(HAVE_PROCESS_H 1) set(HAVE_PWD_H 0) set(HAVE_SETJMP_H 1) set(HAVE_SIGNAL_H 1) @@ -71,7 +70,6 @@ if(NOT UNIX) set(HAVE_UTIME 1) set(HAVE_RAND_EGD 0) set(HAVE_GMTIME_R 0) - set(HAVE_GETADDRINFO_THREADSAFE 1) set(HAVE_GETHOSTBYNAME_R 0) set(HAVE_SIGNAL 1) diff --git a/CMakeLists.txt b/CMakeLists.txt index 62fee8e..b435207 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -126,7 +126,7 @@ cmake_dependent_option(ENABLE_THREADED_RESOLVER "Set to ON to enable threaded DN option(ENABLE_DEBUG "Set to ON to enable curl debug features" OFF) option(ENABLE_CURLDEBUG "Set to ON to build with TrackMemory feature enabled" OFF) -if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_COMPILER_IS_CLANG) +if(CMAKE_COMPILER_IS_GNUCC OR CMAKE_C_COMPILER_ID MATCHES "Clang") if(PICKY_COMPILER) foreach(_CCOPT -pedantic -Wall -W -Wpointer-arith -Wwrite-strings -Wunused -Wshadow -Winline -Wnested-externs -Wmissing-declarations -Wmissing-prototypes -Wfloat-equal -Wsign-compare -Wundef -Wendif-labels -Wstrict-prototypes -Wdeclaration-after-statement -Wstrict-aliasing=3 -Wcast-align -Wtype-limits -Wold-style-declaration -Wmissing-parameter-type -Wempty-body -Wclobbered -Wignored-qualifiers -Wconversion -Wvla -Wdouble-promotion -Wenum-conversion -Warith-conversion) # surprisingly, CHECK_C_COMPILER_FLAG needs a new variable to store each new @@ -704,7 +704,6 @@ if(WIN32) option(USE_WIN32_IDN "Use WinIDN for IDN support" OFF) if(USE_WIN32_IDN) list(APPEND CURL_LIBS "normaliz") - set(WANT_IDN_PROTOTYPES ON) endif() endif() @@ -852,6 +851,7 @@ if(CURL_USE_GSSAPI) include_directories(${GSS_INCLUDE_DIR}) link_directories(${GSS_LINK_DIRECTORIES}) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${GSS_COMPILER_FLAGS}") + string(REPLACE ";" " " GSS_LINKER_FLAGS "${GSS_LINKER_FLAGS}") set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${GSS_LINKER_FLAGS}") set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${GSS_LINKER_FLAGS}") set(CMAKE_STATIC_LINKER_FLAGS "${CMAKE_STATIC_LINKER_FLAGS} ${GSS_LINKER_FLAGS}") @@ -975,8 +975,6 @@ check_include_file_concat("sys/utime.h" HAVE_SYS_UTIME_H) check_include_file_concat("sys/xattr.h" HAVE_SYS_XATTR_H) check_include_file_concat("arpa/inet.h" HAVE_ARPA_INET_H) check_include_file_concat("arpa/tftp.h" HAVE_ARPA_TFTP_H) -check_include_file_concat("assert.h" HAVE_ASSERT_H) -check_include_file_concat("errno.h" HAVE_ERRNO_H) check_include_file_concat("fcntl.h" HAVE_FCNTL_H) check_include_file_concat("idn2.h" HAVE_IDN2_H) check_include_file_concat("ifaddrs.h" HAVE_IFADDRS_H) @@ -1007,7 +1005,6 @@ check_include_file_concat("time.h" HAVE_TIME_H) check_include_file_concat("unistd.h" HAVE_UNISTD_H) check_include_file_concat("utime.h" HAVE_UTIME_H) -check_include_file_concat("process.h" HAVE_PROCESS_H) check_include_file_concat("stddef.h" HAVE_STDDEF_H) check_include_file_concat("stdint.h" HAVE_STDINT_H) check_include_file_concat("sys/utsname.h" HAVE_SYS_UTSNAME_H) @@ -1079,8 +1076,8 @@ check_symbol_exists(_strtoi64 "${CURL_INCLUDES}" HAVE__STRTOI64) check_symbol_exists(strerror_r "${CURL_INCLUDES}" HAVE_STRERROR_R) check_symbol_exists(siginterrupt "${CURL_INCLUDES}" HAVE_SIGINTERRUPT) check_symbol_exists(getaddrinfo "${CURL_INCLUDES}" HAVE_GETADDRINFO) -if(NOT HAVE_GETADDRINFO) - set(HAVE_GETADDRINFO_THREADSAFE OFF) +if(WIN32) + set(HAVE_GETADDRINFO_THREADSAFE ${HAVE_GETADDRINFO}) endif() check_symbol_exists(freeaddrinfo "${CURL_INCLUDES}" HAVE_FREEADDRINFO) check_symbol_exists(pipe "${CURL_INCLUDES}" HAVE_PIPE) @@ -1465,7 +1462,10 @@ _add_if("TLS-SRP" USE_TLS_SRP) _add_if("HTTP2" USE_NGHTTP2) _add_if("HTTP3" USE_NGTCP2 OR USE_QUICHE) _add_if("MultiSSL" CURL_WITH_MULTI_SSL) -_add_if("HTTPS-proxy" SSL_ENABLED AND (USE_OPENSSL OR USE_GNUTLS OR USE_NSS)) +# TODO wolfSSL only support this from v5.0.0 onwards +_add_if("HTTPS-proxy" SSL_ENABLED AND (USE_OPENSSL OR USE_GNUTLS OR USE_NSS + OR USE_SCHANNEL OR USE_RUSTLS OR USE_BEARSSL OR + USE_MBEDTLS OR USE_SECTRANSP)) _add_if("unicode" ENABLE_UNICODE) _add_if("threadsafe" HAVE_ATOMIC OR (WIN32 AND HAVE_WIN32_WINNT GREATER_EQUAL 0x600)) diff --git a/include/curl/curl.h b/include/curl/curl.h index e28dd0b..139df99 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -33,6 +33,22 @@ #define CURL_STRICTER #endif +/* Compile-time deprecation macros. */ +#if defined(__GNUC__) && (__GNUC__ >= 6) && \ + !defined(__INTEL_COMPILER) && \ + !defined(CURL_DISABLE_DEPRECATION) && !defined(BUILDING_LIBCURL) +#define CURL_DEPRECATED(version, message) \ + __attribute__((deprecated("since " # version ". " message))) +#define CURL_IGNORE_DEPRECATION(statements) \ + _Pragma("GCC diagnostic push") \ + _Pragma("GCC diagnostic ignored \"-Wdeprecated-declarations\"") \ + statements \ + _Pragma("GCC diagnostic pop") +#else +#define CURL_DEPRECATED(version, message) +#define CURL_IGNORE_DEPRECATION(statements) statements +#endif + #include "curlver.h" /* libcurl version defines */ #include "system.h" /* determine things run-time */ @@ -76,7 +92,7 @@ defined(__CYGWIN__) || defined(AMIGA) || defined(__NuttX__) || \ (defined(__FreeBSD_version) && (__FreeBSD_version < 800000)) || \ (defined(__MidnightBSD_version) && (__MidnightBSD_version < 100000)) || \ - defined(__sun__) + defined(__sun__) || defined(__serenity__) #include #endif @@ -145,11 +161,11 @@ typedef enum { CURLSSLBACKEND_NSS = 3, CURLSSLBACKEND_OBSOLETE4 = 4, /* Was QSOSSL. */ CURLSSLBACKEND_GSKIT = 5, - CURLSSLBACKEND_POLARSSL = 6, + CURLSSLBACKEND_POLARSSL CURL_DEPRECATED(7.69.0, "") = 6, CURLSSLBACKEND_WOLFSSL = 7, CURLSSLBACKEND_SCHANNEL = 8, CURLSSLBACKEND_SECURETRANSPORT = 9, - CURLSSLBACKEND_AXTLS = 10, /* never used since 7.63.0 */ + CURLSSLBACKEND_AXTLS CURL_DEPRECATED(7.61.0, "") = 10, CURLSSLBACKEND_MBEDTLS = 11, CURLSSLBACKEND_MESALINK = 12, CURLSSLBACKEND_BEARSSL = 13, @@ -256,6 +272,10 @@ typedef int (*curl_xferinfo_callback)(void *clientp, will signal libcurl to pause receiving on the current transfer. */ #define CURL_WRITEFUNC_PAUSE 0x10000001 +/* This is a magic return code for the write callback that, when returned, + will signal an error from the callback. */ +#define CURL_WRITEFUNC_ERROR 0xFFFFFFFF + typedef size_t (*curl_write_callback)(char *buffer, size_t size, size_t nitems, @@ -368,7 +388,7 @@ typedef int (*curl_seek_callback)(void *instream, #define CURL_READFUNC_PAUSE 0x10000001 /* Return code for when the trailing headers' callback has terminated - without any errors*/ + without any errors */ #define CURL_TRAILERFUNC_OK 0 /* Return code for when was an error in the trailing header's list and we want to abort the request */ @@ -450,7 +470,7 @@ typedef void *(*curl_calloc_callback)(size_t nmemb, size_t size); #define CURL_DID_MEMORY_FUNC_TYPEDEFS #endif -/* the kind of data that is passed to information_callback*/ +/* the kind of data that is passed to information_callback */ typedef enum { CURLINFO_TEXT = 0, CURLINFO_HEADER_IN, /* 1 */ @@ -698,7 +718,7 @@ typedef enum { #define CURLOPT_WRITEINFO CURLOPT_OBSOLETE40 #define CURLOPT_CLOSEPOLICY CURLOPT_OBSOLETE72 -#endif /*!CURL_NO_OLDIES*/ +#endif /* !CURL_NO_OLDIES */ /* * Proxy error codes. Returned in CURLINFO_PROXY_ERROR if CURLE_PROXY was @@ -843,7 +863,7 @@ enum curl_khstat { CURLKHSTAT_DEFER, /* do not accept it, but we can't answer right now. Causes a CURLE_PEER_FAILED_VERIFICATION error but the connection will be left intact etc */ - CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key*/ + CURLKHSTAT_FINE_REPLACE, /* accept and replace the wrong key */ CURLKHSTAT_LAST /* not for use, only a marker for last-in-list */ }; @@ -864,13 +884,13 @@ typedef int /* CURLOPT_SSH_KEYDATA */ typedef int - (*curl_sshhostkeycallback) (void *clientp,/* custom pointer passed*/ + (*curl_sshhostkeycallback) (void *clientp,/* custom pointer passed */ /* with CURLOPT_SSH_HOSTKEYDATA */ int keytype, /* CURLKHTYPE */ - const char *key, /*hostkey to check*/ - size_t keylen); /*length of the key*/ - /*return CURLE_OK to accept*/ - /*or something else to refuse*/ + const char *key, /* hostkey to check */ + size_t keylen); /* length of the key */ + /* return CURLE_OK to accept */ + /* or something else to refuse */ /* parameter for the CURLOPT_USE_SSL option */ @@ -932,7 +952,7 @@ typedef enum { #define CURLFTPSSL_ALL CURLUSESSL_ALL #define CURLFTPSSL_LAST CURLUSESSL_LAST #define curl_ftpssl curl_usessl -#endif /*!CURL_NO_OLDIES*/ +#endif /* !CURL_NO_OLDIES */ /* parameter for the CURLOPT_FTP_SSL_CCC option */ typedef enum { @@ -1058,6 +1078,7 @@ typedef CURLSTScode (*curl_hstswrite_callback)(CURL *easy, #define CURLOPT(na,t,nu) na = t + nu +#define CURLOPTDEPRECATED(na,t,nu,v,m) na CURL_DEPRECATED(v,m) = t + nu /* CURLOPT aliases that make no run-time difference */ @@ -1119,7 +1140,7 @@ typedef enum { /* Time-out the read operation after this amount of seconds */ CURLOPT(CURLOPT_TIMEOUT, CURLOPTTYPE_LONG, 13), - /* If the CURLOPT_INFILE is used, this can be used to inform libcurl about + /* If CURLOPT_READDATA is used, this can be used to inform libcurl about * how large the file being sent really is. That allows better error * checking and better verifies that the upload was successful. -1 means * unknown size. @@ -1171,7 +1192,8 @@ typedef enum { CURLOPT(CURLOPT_HTTPHEADER, CURLOPTTYPE_SLISTPOINT, 23), /* This points to a linked list of post entries, struct curl_httppost */ - CURLOPT(CURLOPT_HTTPPOST, CURLOPTTYPE_OBJECTPOINT, 24), + CURLOPTDEPRECATED(CURLOPT_HTTPPOST, CURLOPTTYPE_OBJECTPOINT, 24, + 7.56.0, "Use CURLOPT_MIMEPOST"), /* name of the file keeping your private SSL-certificate */ CURLOPT(CURLOPT_SSLCERT, CURLOPTTYPE_STRINGPOINT, 25), @@ -1261,7 +1283,8 @@ typedef enum { CURLOPT(CURLOPT_TRANSFERTEXT, CURLOPTTYPE_LONG, 53), /* HTTP PUT */ - CURLOPT(CURLOPT_PUT, CURLOPTTYPE_LONG, 54), + CURLOPTDEPRECATED(CURLOPT_PUT, CURLOPTTYPE_LONG, 54, + 7.12.1, "Use CURLOPT_UPLOAD"), /* 55 = OBSOLETE */ @@ -1269,7 +1292,8 @@ typedef enum { * Function that will be called instead of the internal progress display * function. This function should be defined as the curl_progress_callback * prototype defines. */ - CURLOPT(CURLOPT_PROGRESSFUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 56), + CURLOPTDEPRECATED(CURLOPT_PROGRESSFUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 56, + 7.32.0, "Use CURLOPT_XFERINFOFUNCTION"), /* Data passed to the CURLOPT_PROGRESSFUNCTION and CURLOPT_XFERINFOFUNCTION callbacks */ @@ -1286,7 +1310,7 @@ typedef enum { /* size of the POST input data, if strlen() is not good to use */ CURLOPT(CURLOPT_POSTFIELDSIZE, CURLOPTTYPE_LONG, 60), - /* tunnel non-http operations through a HTTP proxy */ + /* tunnel non-http operations through an HTTP proxy */ CURLOPT(CURLOPT_HTTPPROXYTUNNEL, CURLOPTTYPE_LONG, 61), /* Set the interface string to use as outgoing network interface */ @@ -1337,10 +1361,12 @@ typedef enum { /* Set to a file name that contains random data for libcurl to use to seed the random engine when doing SSL connects. */ - CURLOPT(CURLOPT_RANDOM_FILE, CURLOPTTYPE_STRINGPOINT, 76), + CURLOPTDEPRECATED(CURLOPT_RANDOM_FILE, CURLOPTTYPE_STRINGPOINT, 76, + 7.84.0, "Serves no purpose anymore"), /* Set to the Entropy Gathering Daemon socket pathname */ - CURLOPT(CURLOPT_EGDSOCKET, CURLOPTTYPE_STRINGPOINT, 77), + CURLOPTDEPRECATED(CURLOPT_EGDSOCKET, CURLOPTTYPE_STRINGPOINT, 77, + 7.84.0, "Serves no purpose anymore"), /* Time-out connect operations after this amount of seconds, if connects are OK within this time, then fine... This only aborts the connect phase. */ @@ -1395,7 +1421,8 @@ typedef enum { /* Non-zero value means to use the global dns cache */ /* DEPRECATED, do not use! */ - CURLOPT(CURLOPT_DNS_USE_GLOBAL_CACHE, CURLOPTTYPE_LONG, 91), + CURLOPTDEPRECATED(CURLOPT_DNS_USE_GLOBAL_CACHE, CURLOPTTYPE_LONG, 91, + 7.11.1, "Use CURLOPT_SHARE"), /* DNS cache timeout */ CURLOPT(CURLOPT_DNS_CACHE_TIMEOUT, CURLOPTTYPE_LONG, 92), @@ -1550,8 +1577,10 @@ typedef enum { */ CURLOPT(CURLOPT_FTPSSLAUTH, CURLOPTTYPE_VALUES, 129), - CURLOPT(CURLOPT_IOCTLFUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 130), - CURLOPT(CURLOPT_IOCTLDATA, CURLOPTTYPE_CBPOINT, 131), + CURLOPTDEPRECATED(CURLOPT_IOCTLFUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 130, + 7.18.0, "Use CURLOPT_SEEKFUNCTION"), + CURLOPTDEPRECATED(CURLOPT_IOCTLDATA, CURLOPTTYPE_CBPOINT, 131, + 7.18.0, "Use CURLOPT_SEEKDATA"), /* 132 OBSOLETE. Gone in 7.16.0 */ /* 133 OBSOLETE. Gone in 7.16.0 */ @@ -1590,16 +1619,22 @@ typedef enum { /* Function that will be called to convert from the network encoding (instead of using the iconv calls in libcurl) */ - CURLOPT(CURLOPT_CONV_FROM_NETWORK_FUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 142), + CURLOPTDEPRECATED(CURLOPT_CONV_FROM_NETWORK_FUNCTION, + CURLOPTTYPE_FUNCTIONPOINT, 142, + 7.82.0, "Serves no purpose anymore"), /* Function that will be called to convert to the network encoding (instead of using the iconv calls in libcurl) */ - CURLOPT(CURLOPT_CONV_TO_NETWORK_FUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 143), + CURLOPTDEPRECATED(CURLOPT_CONV_TO_NETWORK_FUNCTION, + CURLOPTTYPE_FUNCTIONPOINT, 143, + 7.82.0, "Serves no purpose anymore"), /* Function that will be called to convert from UTF8 (instead of using the iconv calls in libcurl) Note that this is used only for SSL certificate processing */ - CURLOPT(CURLOPT_CONV_FROM_UTF8_FUNCTION, CURLOPTTYPE_FUNCTIONPOINT, 144), + CURLOPTDEPRECATED(CURLOPT_CONV_FROM_UTF8_FUNCTION, + CURLOPTTYPE_FUNCTIONPOINT, 144, + 7.82.0, "Serves no purpose anymore"), /* if the connection proceeds too quickly then need to slow it down */ /* limit-rate: maximum number of bytes per second to send or receive */ @@ -1700,7 +1735,9 @@ typedef enum { /* Socks Service */ /* DEPRECATED, do not use! */ - CURLOPT(CURLOPT_SOCKS5_GSSAPI_SERVICE, CURLOPTTYPE_STRINGPOINT, 179), + CURLOPTDEPRECATED(CURLOPT_SOCKS5_GSSAPI_SERVICE, + CURLOPTTYPE_STRINGPOINT, 179, + 7.49.0, "Use CURLOPT_PROXY_SERVICE_NAME"), /* Socks Service */ CURLOPT(CURLOPT_SOCKS5_GSSAPI_NEC, CURLOPTTYPE_LONG, 180), @@ -1709,12 +1746,14 @@ typedef enum { transfer, which thus helps the app which takes URLs from users or other external inputs and want to restrict what protocol(s) to deal with. Defaults to CURLPROTO_ALL. */ - CURLOPT(CURLOPT_PROTOCOLS, CURLOPTTYPE_LONG, 181), + CURLOPTDEPRECATED(CURLOPT_PROTOCOLS, CURLOPTTYPE_LONG, 181, + 7.85.0, "Use CURLOPT_PROTOCOLS_STR"), /* set the bitmask for the protocols that libcurl is allowed to follow to, as a subset of the CURLOPT_PROTOCOLS ones. That means the protocol needs to be set in both bitmasks to be allowed to get redirected to. */ - CURLOPT(CURLOPT_REDIR_PROTOCOLS, CURLOPTTYPE_LONG, 182), + CURLOPTDEPRECATED(CURLOPT_REDIR_PROTOCOLS, CURLOPTTYPE_LONG, 182, + 7.85.0, "Use CURLOPT_REDIR_PROTOCOLS_STR"), /* set the SSH knownhost file name to use */ CURLOPT(CURLOPT_SSH_KNOWNHOSTS, CURLOPTTYPE_STRINGPOINT, 183), @@ -1859,12 +1898,13 @@ typedef enum { CURLOPT(CURLOPT_LOGIN_OPTIONS, CURLOPTTYPE_STRINGPOINT, 224), /* Enable/disable TLS NPN extension (http2 over ssl might fail without) */ - CURLOPT(CURLOPT_SSL_ENABLE_NPN, CURLOPTTYPE_LONG, 225), + CURLOPTDEPRECATED(CURLOPT_SSL_ENABLE_NPN, CURLOPTTYPE_LONG, 225, + 7.86.0, "Has no function"), /* Enable/disable TLS ALPN extension (http2 over ssl might fail without) */ CURLOPT(CURLOPT_SSL_ENABLE_ALPN, CURLOPTTYPE_LONG, 226), - /* Time to wait for a response to a HTTP request containing an + /* Time to wait for a response to an HTTP request containing an * Expect: 100-continue header before sending the data anyway. */ CURLOPT(CURLOPT_EXPECT_100_TIMEOUT_MS, CURLOPTTYPE_LONG, 227), @@ -2157,6 +2197,12 @@ typedef enum { /* websockets options */ CURLOPT(CURLOPT_WS_OPTIONS, CURLOPTTYPE_LONG, 320), + /* CA cache timeout */ + CURLOPT(CURLOPT_CA_CACHE_TIMEOUT, CURLOPTTYPE_LONG, 321), + + /* Can leak things, gonna exit() soon */ + CURLOPT(CURLOPT_QUICK_EXIT, CURLOPTTYPE_LONG, 322), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; @@ -2444,30 +2490,32 @@ CURL_EXTERN CURLcode curl_mime_headers(curl_mimepart *part, int take_ownership); typedef enum { - CURLFORM_NOTHING, /********* the first one is unused ************/ - CURLFORM_COPYNAME, - CURLFORM_PTRNAME, - CURLFORM_NAMELENGTH, - CURLFORM_COPYCONTENTS, - CURLFORM_PTRCONTENTS, - CURLFORM_CONTENTSLENGTH, - CURLFORM_FILECONTENT, - CURLFORM_ARRAY, + /********* the first one is unused ************/ + CURLFORM_NOTHING CURL_DEPRECATED(7.56.0, ""), + CURLFORM_COPYNAME CURL_DEPRECATED(7.56.0, "Use curl_mime_name()"), + CURLFORM_PTRNAME CURL_DEPRECATED(7.56.0, "Use curl_mime_name()"), + CURLFORM_NAMELENGTH CURL_DEPRECATED(7.56.0, ""), + CURLFORM_COPYCONTENTS CURL_DEPRECATED(7.56.0, "Use curl_mime_data()"), + CURLFORM_PTRCONTENTS CURL_DEPRECATED(7.56.0, "Use curl_mime_data()"), + CURLFORM_CONTENTSLENGTH CURL_DEPRECATED(7.56.0, "Use curl_mime_data()"), + CURLFORM_FILECONTENT CURL_DEPRECATED(7.56.0, "Use curl_mime_data_cb()"), + CURLFORM_ARRAY CURL_DEPRECATED(7.56.0, ""), CURLFORM_OBSOLETE, - CURLFORM_FILE, + CURLFORM_FILE CURL_DEPRECATED(7.56.0, "Use curl_mime_filedata()"), - CURLFORM_BUFFER, - CURLFORM_BUFFERPTR, - CURLFORM_BUFFERLENGTH, + CURLFORM_BUFFER CURL_DEPRECATED(7.56.0, "Use curl_mime_filename()"), + CURLFORM_BUFFERPTR CURL_DEPRECATED(7.56.0, "Use curl_mime_data()"), + CURLFORM_BUFFERLENGTH CURL_DEPRECATED(7.56.0, "Use curl_mime_data()"), - CURLFORM_CONTENTTYPE, - CURLFORM_CONTENTHEADER, - CURLFORM_FILENAME, + CURLFORM_CONTENTTYPE CURL_DEPRECATED(7.56.0, "Use curl_mime_type()"), + CURLFORM_CONTENTHEADER CURL_DEPRECATED(7.56.0, "Use curl_mime_headers()"), + CURLFORM_FILENAME CURL_DEPRECATED(7.56.0, "Use curl_mime_filename()"), CURLFORM_END, CURLFORM_OBSOLETE2, - CURLFORM_STREAM, - CURLFORM_CONTENTLEN, /* added in 7.46.0, provide a curl_off_t length */ + CURLFORM_STREAM CURL_DEPRECATED(7.56.0, "Use curl_mime_data_cb()"), + CURLFORM_CONTENTLEN /* added in 7.46.0, provide a curl_off_t length */ + CURL_DEPRECATED(7.56.0, "Use curl_mime_data()"), CURLFORM_LASTENTRY /* the last unused */ } CURLformoption; @@ -2495,15 +2543,16 @@ struct curl_forms { * ***************************************************************************/ typedef enum { - CURL_FORMADD_OK, /* first, no error */ + CURL_FORMADD_OK CURL_DEPRECATED(7.56.0, ""), /* 1st, no error */ - CURL_FORMADD_MEMORY, - CURL_FORMADD_OPTION_TWICE, - CURL_FORMADD_NULL, - CURL_FORMADD_UNKNOWN_OPTION, - CURL_FORMADD_INCOMPLETE, - CURL_FORMADD_ILLEGAL_ARRAY, - CURL_FORMADD_DISABLED, /* libcurl was built with this disabled */ + CURL_FORMADD_MEMORY CURL_DEPRECATED(7.56.0, ""), + CURL_FORMADD_OPTION_TWICE CURL_DEPRECATED(7.56.0, ""), + CURL_FORMADD_NULL CURL_DEPRECATED(7.56.0, ""), + CURL_FORMADD_UNKNOWN_OPTION CURL_DEPRECATED(7.56.0, ""), + CURL_FORMADD_INCOMPLETE CURL_DEPRECATED(7.56.0, ""), + CURL_FORMADD_ILLEGAL_ARRAY CURL_DEPRECATED(7.56.0, ""), + /* libcurl was built with form api disabled */ + CURL_FORMADD_DISABLED CURL_DEPRECATED(7.56.0, ""), CURL_FORMADD_LAST /* last */ } CURLFORMcode; @@ -2517,9 +2566,10 @@ typedef enum { * adds one part that together construct a full post. Then use * CURLOPT_HTTPPOST to send it off to libcurl. */ -CURL_EXTERN CURLFORMcode curl_formadd(struct curl_httppost **httppost, - struct curl_httppost **last_post, - ...); +CURL_EXTERN CURLFORMcode CURL_DEPRECATED(7.56.0, "Use curl_mime_init()") +curl_formadd(struct curl_httppost **httppost, + struct curl_httppost **last_post, + ...); /* * callback function for curl_formget() @@ -2542,8 +2592,9 @@ typedef size_t (*curl_formget_callback)(void *arg, const char *buf, * the curl_formget_callback function. * Returns 0 on success. */ -CURL_EXTERN int curl_formget(struct curl_httppost *form, void *arg, - curl_formget_callback append); +CURL_EXTERN int CURL_DEPRECATED(7.56.0, "") +curl_formget(struct curl_httppost *form, void *arg, + curl_formget_callback append); /* * NAME curl_formfree() * @@ -2551,7 +2602,8 @@ CURL_EXTERN int curl_formget(struct curl_httppost *form, void *arg, * * Free a multipart formpost previously built with curl_formadd(). */ -CURL_EXTERN void curl_formfree(struct curl_httppost *form); +CURL_EXTERN void CURL_DEPRECATED(7.56.0, "Use curl_mime_free()") +curl_formfree(struct curl_httppost *form); /* * NAME curl_getenv() @@ -2720,8 +2772,8 @@ CURL_EXTERN CURLsslset curl_global_sslset(curl_sslbackend id, const char *name, * Appends a string to a linked list. If no list exists, it will be created * first. Returns the new list, after appending. */ -CURL_EXTERN struct curl_slist *curl_slist_append(struct curl_slist *, - const char *); +CURL_EXTERN struct curl_slist *curl_slist_append(struct curl_slist *list, + const char *data); /* * NAME curl_slist_free_all() @@ -2730,7 +2782,7 @@ CURL_EXTERN struct curl_slist *curl_slist_append(struct curl_slist *, * * free a previously built curl_slist. */ -CURL_EXTERN void curl_slist_free_all(struct curl_slist *); +CURL_EXTERN void curl_slist_free_all(struct curl_slist *list); /* * NAME curl_getdate() @@ -2778,22 +2830,35 @@ typedef enum { CURLINFO_NAMELOOKUP_TIME = CURLINFO_DOUBLE + 4, CURLINFO_CONNECT_TIME = CURLINFO_DOUBLE + 5, CURLINFO_PRETRANSFER_TIME = CURLINFO_DOUBLE + 6, - CURLINFO_SIZE_UPLOAD = CURLINFO_DOUBLE + 7, + CURLINFO_SIZE_UPLOAD CURL_DEPRECATED(7.55.0, "Use CURLINFO_SIZE_UPLOAD_T") + = CURLINFO_DOUBLE + 7, CURLINFO_SIZE_UPLOAD_T = CURLINFO_OFF_T + 7, - CURLINFO_SIZE_DOWNLOAD = CURLINFO_DOUBLE + 8, + CURLINFO_SIZE_DOWNLOAD + CURL_DEPRECATED(7.55.0, "Use CURLINFO_SIZE_DOWNLOAD_T") + = CURLINFO_DOUBLE + 8, CURLINFO_SIZE_DOWNLOAD_T = CURLINFO_OFF_T + 8, - CURLINFO_SPEED_DOWNLOAD = CURLINFO_DOUBLE + 9, + CURLINFO_SPEED_DOWNLOAD + CURL_DEPRECATED(7.55.0, "Use CURLINFO_SPEED_DOWNLOAD_T") + = CURLINFO_DOUBLE + 9, CURLINFO_SPEED_DOWNLOAD_T = CURLINFO_OFF_T + 9, - CURLINFO_SPEED_UPLOAD = CURLINFO_DOUBLE + 10, + CURLINFO_SPEED_UPLOAD + CURL_DEPRECATED(7.55.0, "Use CURLINFO_SPEED_UPLOAD_T") + = CURLINFO_DOUBLE + 10, CURLINFO_SPEED_UPLOAD_T = CURLINFO_OFF_T + 10, CURLINFO_HEADER_SIZE = CURLINFO_LONG + 11, CURLINFO_REQUEST_SIZE = CURLINFO_LONG + 12, CURLINFO_SSL_VERIFYRESULT = CURLINFO_LONG + 13, CURLINFO_FILETIME = CURLINFO_LONG + 14, CURLINFO_FILETIME_T = CURLINFO_OFF_T + 14, - CURLINFO_CONTENT_LENGTH_DOWNLOAD = CURLINFO_DOUBLE + 15, + CURLINFO_CONTENT_LENGTH_DOWNLOAD + CURL_DEPRECATED(7.55.0, + "Use CURLINFO_CONTENT_LENGTH_DOWNLOAD_T") + = CURLINFO_DOUBLE + 15, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T = CURLINFO_OFF_T + 15, - CURLINFO_CONTENT_LENGTH_UPLOAD = CURLINFO_DOUBLE + 16, + CURLINFO_CONTENT_LENGTH_UPLOAD + CURL_DEPRECATED(7.55.0, + "Use CURLINFO_CONTENT_LENGTH_UPLOAD_T") + = CURLINFO_DOUBLE + 16, CURLINFO_CONTENT_LENGTH_UPLOAD_T = CURLINFO_OFF_T + 16, CURLINFO_STARTTRANSFER_TIME = CURLINFO_DOUBLE + 17, CURLINFO_CONTENT_TYPE = CURLINFO_STRING + 18, @@ -2807,7 +2872,8 @@ typedef enum { CURLINFO_NUM_CONNECTS = CURLINFO_LONG + 26, CURLINFO_SSL_ENGINES = CURLINFO_SLIST + 27, CURLINFO_COOKIELIST = CURLINFO_SLIST + 28, - CURLINFO_LASTSOCKET = CURLINFO_LONG + 29, + CURLINFO_LASTSOCKET CURL_DEPRECATED(7.45.0, "Use CURLINFO_ACTIVESOCKET") + = CURLINFO_LONG + 29, CURLINFO_FTP_ENTRY_PATH = CURLINFO_STRING + 30, CURLINFO_REDIRECT_URL = CURLINFO_STRING + 31, CURLINFO_PRIMARY_IP = CURLINFO_STRING + 32, @@ -2821,12 +2887,14 @@ typedef enum { CURLINFO_PRIMARY_PORT = CURLINFO_LONG + 40, CURLINFO_LOCAL_IP = CURLINFO_STRING + 41, CURLINFO_LOCAL_PORT = CURLINFO_LONG + 42, - CURLINFO_TLS_SESSION = CURLINFO_PTR + 43, + CURLINFO_TLS_SESSION CURL_DEPRECATED(7.48.0, "Use CURLINFO_TLS_SSL_PTR") + = CURLINFO_PTR + 43, CURLINFO_ACTIVESOCKET = CURLINFO_SOCKET + 44, CURLINFO_TLS_SSL_PTR = CURLINFO_PTR + 45, CURLINFO_HTTP_VERSION = CURLINFO_LONG + 46, CURLINFO_PROXY_SSL_VERIFYRESULT = CURLINFO_LONG + 47, - CURLINFO_PROTOCOL = CURLINFO_LONG + 48, + CURLINFO_PROTOCOL CURL_DEPRECATED(7.85.0, "Use CURLINFO_SCHEME") + = CURLINFO_LONG + 48, CURLINFO_SCHEME = CURLINFO_STRING + 49, CURLINFO_TOTAL_TIME_T = CURLINFO_OFF_T + 50, CURLINFO_NAMELOOKUP_TIME_T = CURLINFO_OFF_T + 51, @@ -2927,8 +2995,9 @@ typedef enum { } CURLSHoption; CURL_EXTERN CURLSH *curl_share_init(void); -CURL_EXTERN CURLSHcode curl_share_setopt(CURLSH *, CURLSHoption option, ...); -CURL_EXTERN CURLSHcode curl_share_cleanup(CURLSH *); +CURL_EXTERN CURLSHcode curl_share_setopt(CURLSH *share, CURLSHoption option, + ...); +CURL_EXTERN CURLSHcode curl_share_cleanup(CURLSH *share); /**************************************************************************** * Structures for querying information about the curl library at runtime. @@ -2945,6 +3014,7 @@ typedef enum { CURLVERSION_EIGHTH, CURLVERSION_NINTH, CURLVERSION_TENTH, + CURLVERSION_ELEVENTH, CURLVERSION_LAST /* never actually use this */ } CURLversion; @@ -2953,7 +3023,7 @@ typedef enum { meant to be a built-in version number for what kind of struct the caller expects. If the struct ever changes, we redefine the NOW to another enum from above. */ -#define CURLVERSION_NOW CURLVERSION_TENTH +#define CURLVERSION_NOW CURLVERSION_ELEVENTH struct curl_version_info_data { CURLversion age; /* age of the returned struct */ @@ -3009,6 +3079,10 @@ struct curl_version_info_data { /* These fields were added in CURLVERSION_TENTH */ const char *gsasl_version; /* human readable string. */ + + /* These fields were added in CURLVERSION_ELEVENTH */ + /* feature_names is terminated by an entry with a NULL feature name */ + const char * const *feature_names; }; typedef struct curl_version_info_data curl_version_info_data; @@ -3102,7 +3176,7 @@ CURL_EXTERN CURLcode curl_easy_pause(CURL *handle, int bitmask); #define CURLPAUSE_CONT (CURLPAUSE_RECV_CONT|CURLPAUSE_SEND_CONT) #ifdef __cplusplus -} +} /* end of extern "C" */ #endif /* unfortunately, the easy.h and multi.h include files need options and info @@ -3129,6 +3203,6 @@ CURL_EXTERN CURLcode curl_easy_pause(CURL *handle, int bitmask); #define curl_share_setopt(share,opt,param) curl_share_setopt(share,opt,param) #define curl_multi_setopt(handle,opt,param) curl_multi_setopt(handle,opt,param) #endif /* __STDC__ >= 1 */ -#endif /* gcc >= 4.3 && !__cplusplus */ +#endif /* gcc >= 4.3 && !__cplusplus && !CURL_DISABLE_TYPECHECK */ #endif /* CURLINC_CURL_H */ diff --git a/include/curl/curlver.h b/include/curl/curlver.h index 5b5a238..3487d1b 100644 --- a/include/curl/curlver.h +++ b/include/curl/curlver.h @@ -32,12 +32,12 @@ /* This is the version number of the libcurl package from which this header file origins: */ -#define LIBCURL_VERSION "7.86.0-DEV" +#define LIBCURL_VERSION "7.87.0-DEV" /* The numeric version number is also available "in parts" by using these defines: */ #define LIBCURL_VERSION_MAJOR 7 -#define LIBCURL_VERSION_MINOR 86 +#define LIBCURL_VERSION_MINOR 87 #define LIBCURL_VERSION_PATCH 0 /* This is the numeric version of the libcurl version number, meant for easier @@ -59,7 +59,7 @@ CURL_VERSION_BITS() macro since curl's own configure script greps for it and needs it to contain the full number. */ -#define LIBCURL_VERSION_NUM 0x075600 +#define LIBCURL_VERSION_NUM 0x075700 /* * This is the date and time when the full source package was created. The diff --git a/include/curl/easy.h b/include/curl/easy.h index 9c7e63a..98ee888 100644 --- a/include/curl/easy.h +++ b/include/curl/easy.h @@ -119,7 +119,7 @@ CURL_EXTERN CURLcode curl_easy_send(CURL *curl, const void *buffer, CURL_EXTERN CURLcode curl_easy_upkeep(CURL *curl); #ifdef __cplusplus -} +} /* end of extern "C" */ #endif #endif diff --git a/include/curl/mprintf.h b/include/curl/mprintf.h index cb948dc..06ef5c6 100644 --- a/include/curl/mprintf.h +++ b/include/curl/mprintf.h @@ -46,7 +46,7 @@ CURL_EXTERN char *curl_maprintf(const char *format, ...); CURL_EXTERN char *curl_mvaprintf(const char *format, va_list args); #ifdef __cplusplus -} +} /* end of extern "C" */ #endif #endif /* CURLINC_MPRINTF_H */ diff --git a/include/curl/multi.h b/include/curl/multi.h index 2f3ec37..c956d28 100644 --- a/include/curl/multi.h +++ b/include/curl/multi.h @@ -318,16 +318,16 @@ typedef int (*curl_multi_timer_callback)(CURLM *multi, /* multi handle */ void *userp); /* private callback pointer */ -CURL_EXTERN CURLMcode curl_multi_socket(CURLM *multi_handle, curl_socket_t s, - int *running_handles); +CURL_EXTERN CURLMcode CURL_DEPRECATED(7.19.5, "Use curl_multi_socket_action()") +curl_multi_socket(CURLM *multi_handle, curl_socket_t s, int *running_handles); CURL_EXTERN CURLMcode curl_multi_socket_action(CURLM *multi_handle, curl_socket_t s, int ev_bitmask, int *running_handles); -CURL_EXTERN CURLMcode curl_multi_socket_all(CURLM *multi_handle, - int *running_handles); +CURL_EXTERN CURLMcode CURL_DEPRECATED(7.19.5, "Use curl_multi_socket_action()") +curl_multi_socket_all(CURLM *multi_handle, int *running_handles); #ifndef CURL_ALLOW_OLD_MULTI_SOCKET /* This macro below was added in 7.16.3 to push users who recompile to use diff --git a/include/curl/system.h b/include/curl/system.h index 8d56b8a..11db51e 100644 --- a/include/curl/system.h +++ b/include/curl/system.h @@ -164,13 +164,33 @@ # endif # define CURL_TYPEOF_CURL_SOCKLEN_T unsigned int -#elif defined(__MWERKS__) +#elif defined(macintosh) +# include +# if TYPE_LONGLONG +# define CURL_TYPEOF_CURL_OFF_T long long +# define CURL_FORMAT_CURL_OFF_T "lld" +# define CURL_FORMAT_CURL_OFF_TU "llu" +# define CURL_SUFFIX_CURL_OFF_T LL +# define CURL_SUFFIX_CURL_OFF_TU ULL +# else +# define CURL_TYPEOF_CURL_OFF_T long +# define CURL_FORMAT_CURL_OFF_T "ld" +# define CURL_FORMAT_CURL_OFF_TU "lu" +# define CURL_SUFFIX_CURL_OFF_T L +# define CURL_SUFFIX_CURL_OFF_TU UL +# endif +# define CURL_TYPEOF_CURL_SOCKLEN_T unsigned int + +#elif defined(__TANDEM) +# if ! defined(__LP64) + /* Required for 32-bit NonStop builds only. */ # define CURL_TYPEOF_CURL_OFF_T long long # define CURL_FORMAT_CURL_OFF_T "lld" # define CURL_FORMAT_CURL_OFF_TU "llu" # define CURL_SUFFIX_CURL_OFF_T LL # define CURL_SUFFIX_CURL_OFF_TU ULL # define CURL_TYPEOF_CURL_SOCKLEN_T int +# endif #elif defined(_WIN32_WCE) # define CURL_TYPEOF_CURL_OFF_T __int64 diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h index 2dabcb4..bf655bb 100644 --- a/include/curl/typecheck-gcc.h +++ b/include/curl/typecheck-gcc.h @@ -42,107 +42,113 @@ */ #define curl_easy_setopt(handle, option, value) \ __extension__({ \ - __typeof__(option) _curl_opt = option; \ + CURL_IGNORE_DEPRECATION(__typeof__(option) _curl_opt = option;) \ if(__builtin_constant_p(_curl_opt)) { \ - if(curlcheck_long_option(_curl_opt)) \ - if(!curlcheck_long(value)) \ - _curl_easy_setopt_err_long(); \ - if(curlcheck_off_t_option(_curl_opt)) \ - if(!curlcheck_off_t(value)) \ - _curl_easy_setopt_err_curl_off_t(); \ - if(curlcheck_string_option(_curl_opt)) \ - if(!curlcheck_string(value)) \ - _curl_easy_setopt_err_string(); \ - if(curlcheck_write_cb_option(_curl_opt)) \ - if(!curlcheck_write_cb(value)) \ - _curl_easy_setopt_err_write_callback(); \ - if((_curl_opt) == CURLOPT_RESOLVER_START_FUNCTION) \ - if(!curlcheck_resolver_start_callback(value)) \ - _curl_easy_setopt_err_resolver_start_callback(); \ - if((_curl_opt) == CURLOPT_READFUNCTION) \ - if(!curlcheck_read_cb(value)) \ - _curl_easy_setopt_err_read_cb(); \ - if((_curl_opt) == CURLOPT_IOCTLFUNCTION) \ - if(!curlcheck_ioctl_cb(value)) \ - _curl_easy_setopt_err_ioctl_cb(); \ - if((_curl_opt) == CURLOPT_SOCKOPTFUNCTION) \ - if(!curlcheck_sockopt_cb(value)) \ - _curl_easy_setopt_err_sockopt_cb(); \ - if((_curl_opt) == CURLOPT_OPENSOCKETFUNCTION) \ - if(!curlcheck_opensocket_cb(value)) \ - _curl_easy_setopt_err_opensocket_cb(); \ - if((_curl_opt) == CURLOPT_PROGRESSFUNCTION) \ - if(!curlcheck_progress_cb(value)) \ - _curl_easy_setopt_err_progress_cb(); \ - if((_curl_opt) == CURLOPT_DEBUGFUNCTION) \ - if(!curlcheck_debug_cb(value)) \ - _curl_easy_setopt_err_debug_cb(); \ - if((_curl_opt) == CURLOPT_SSL_CTX_FUNCTION) \ - if(!curlcheck_ssl_ctx_cb(value)) \ - _curl_easy_setopt_err_ssl_ctx_cb(); \ - if(curlcheck_conv_cb_option(_curl_opt)) \ - if(!curlcheck_conv_cb(value)) \ - _curl_easy_setopt_err_conv_cb(); \ - if((_curl_opt) == CURLOPT_SEEKFUNCTION) \ - if(!curlcheck_seek_cb(value)) \ - _curl_easy_setopt_err_seek_cb(); \ - if(curlcheck_cb_data_option(_curl_opt)) \ - if(!curlcheck_cb_data(value)) \ - _curl_easy_setopt_err_cb_data(); \ - if((_curl_opt) == CURLOPT_ERRORBUFFER) \ - if(!curlcheck_error_buffer(value)) \ - _curl_easy_setopt_err_error_buffer(); \ - if((_curl_opt) == CURLOPT_STDERR) \ - if(!curlcheck_FILE(value)) \ - _curl_easy_setopt_err_FILE(); \ - if(curlcheck_postfields_option(_curl_opt)) \ - if(!curlcheck_postfields(value)) \ - _curl_easy_setopt_err_postfields(); \ - if((_curl_opt) == CURLOPT_HTTPPOST) \ - if(!curlcheck_arr((value), struct curl_httppost)) \ - _curl_easy_setopt_err_curl_httpost(); \ - if((_curl_opt) == CURLOPT_MIMEPOST) \ - if(!curlcheck_ptr((value), curl_mime)) \ - _curl_easy_setopt_err_curl_mimepost(); \ - if(curlcheck_slist_option(_curl_opt)) \ - if(!curlcheck_arr((value), struct curl_slist)) \ - _curl_easy_setopt_err_curl_slist(); \ - if((_curl_opt) == CURLOPT_SHARE) \ - if(!curlcheck_ptr((value), CURLSH)) \ - _curl_easy_setopt_err_CURLSH(); \ + (void) option; \ + CURL_IGNORE_DEPRECATION( \ + if(curlcheck_long_option(_curl_opt)) \ + if(!curlcheck_long(value)) \ + _curl_easy_setopt_err_long(); \ + if(curlcheck_off_t_option(_curl_opt)) \ + if(!curlcheck_off_t(value)) \ + _curl_easy_setopt_err_curl_off_t(); \ + if(curlcheck_string_option(_curl_opt)) \ + if(!curlcheck_string(value)) \ + _curl_easy_setopt_err_string(); \ + if(curlcheck_write_cb_option(_curl_opt)) \ + if(!curlcheck_write_cb(value)) \ + _curl_easy_setopt_err_write_callback(); \ + if((_curl_opt) == CURLOPT_RESOLVER_START_FUNCTION) \ + if(!curlcheck_resolver_start_callback(value)) \ + _curl_easy_setopt_err_resolver_start_callback(); \ + if((_curl_opt) == CURLOPT_READFUNCTION) \ + if(!curlcheck_read_cb(value)) \ + _curl_easy_setopt_err_read_cb(); \ + if((_curl_opt) == CURLOPT_IOCTLFUNCTION) \ + if(!curlcheck_ioctl_cb(value)) \ + _curl_easy_setopt_err_ioctl_cb(); \ + if((_curl_opt) == CURLOPT_SOCKOPTFUNCTION) \ + if(!curlcheck_sockopt_cb(value)) \ + _curl_easy_setopt_err_sockopt_cb(); \ + if((_curl_opt) == CURLOPT_OPENSOCKETFUNCTION) \ + if(!curlcheck_opensocket_cb(value)) \ + _curl_easy_setopt_err_opensocket_cb(); \ + if((_curl_opt) == CURLOPT_PROGRESSFUNCTION) \ + if(!curlcheck_progress_cb(value)) \ + _curl_easy_setopt_err_progress_cb(); \ + if((_curl_opt) == CURLOPT_DEBUGFUNCTION) \ + if(!curlcheck_debug_cb(value)) \ + _curl_easy_setopt_err_debug_cb(); \ + if((_curl_opt) == CURLOPT_SSL_CTX_FUNCTION) \ + if(!curlcheck_ssl_ctx_cb(value)) \ + _curl_easy_setopt_err_ssl_ctx_cb(); \ + if(curlcheck_conv_cb_option(_curl_opt)) \ + if(!curlcheck_conv_cb(value)) \ + _curl_easy_setopt_err_conv_cb(); \ + if((_curl_opt) == CURLOPT_SEEKFUNCTION) \ + if(!curlcheck_seek_cb(value)) \ + _curl_easy_setopt_err_seek_cb(); \ + if(curlcheck_cb_data_option(_curl_opt)) \ + if(!curlcheck_cb_data(value)) \ + _curl_easy_setopt_err_cb_data(); \ + if((_curl_opt) == CURLOPT_ERRORBUFFER) \ + if(!curlcheck_error_buffer(value)) \ + _curl_easy_setopt_err_error_buffer(); \ + if((_curl_opt) == CURLOPT_STDERR) \ + if(!curlcheck_FILE(value)) \ + _curl_easy_setopt_err_FILE(); \ + if(curlcheck_postfields_option(_curl_opt)) \ + if(!curlcheck_postfields(value)) \ + _curl_easy_setopt_err_postfields(); \ + if((_curl_opt) == CURLOPT_HTTPPOST) \ + if(!curlcheck_arr((value), struct curl_httppost)) \ + _curl_easy_setopt_err_curl_httpost(); \ + if((_curl_opt) == CURLOPT_MIMEPOST) \ + if(!curlcheck_ptr((value), curl_mime)) \ + _curl_easy_setopt_err_curl_mimepost(); \ + if(curlcheck_slist_option(_curl_opt)) \ + if(!curlcheck_arr((value), struct curl_slist)) \ + _curl_easy_setopt_err_curl_slist(); \ + if((_curl_opt) == CURLOPT_SHARE) \ + if(!curlcheck_ptr((value), CURLSH)) \ + _curl_easy_setopt_err_CURLSH(); \ + ) \ } \ curl_easy_setopt(handle, _curl_opt, value); \ }) /* wraps curl_easy_getinfo() with typechecking */ #define curl_easy_getinfo(handle, info, arg) \ - __extension__({ \ - __typeof__(info) _curl_info = info; \ + __extension__({ \ + CURL_IGNORE_DEPRECATION(__typeof__(info) _curl_info = info;) \ if(__builtin_constant_p(_curl_info)) { \ - if(curlcheck_string_info(_curl_info)) \ - if(!curlcheck_arr((arg), char *)) \ - _curl_easy_getinfo_err_string(); \ - if(curlcheck_long_info(_curl_info)) \ - if(!curlcheck_arr((arg), long)) \ - _curl_easy_getinfo_err_long(); \ - if(curlcheck_double_info(_curl_info)) \ - if(!curlcheck_arr((arg), double)) \ - _curl_easy_getinfo_err_double(); \ - if(curlcheck_slist_info(_curl_info)) \ - if(!curlcheck_arr((arg), struct curl_slist *)) \ - _curl_easy_getinfo_err_curl_slist(); \ - if(curlcheck_tlssessioninfo_info(_curl_info)) \ - if(!curlcheck_arr((arg), struct curl_tlssessioninfo *)) \ - _curl_easy_getinfo_err_curl_tlssesssioninfo(); \ - if(curlcheck_certinfo_info(_curl_info)) \ - if(!curlcheck_arr((arg), struct curl_certinfo *)) \ - _curl_easy_getinfo_err_curl_certinfo(); \ - if(curlcheck_socket_info(_curl_info)) \ - if(!curlcheck_arr((arg), curl_socket_t)) \ - _curl_easy_getinfo_err_curl_socket(); \ - if(curlcheck_off_t_info(_curl_info)) \ - if(!curlcheck_arr((arg), curl_off_t)) \ - _curl_easy_getinfo_err_curl_off_t(); \ + (void) info; \ + CURL_IGNORE_DEPRECATION( \ + if(curlcheck_string_info(_curl_info)) \ + if(!curlcheck_arr((arg), char *)) \ + _curl_easy_getinfo_err_string(); \ + if(curlcheck_long_info(_curl_info)) \ + if(!curlcheck_arr((arg), long)) \ + _curl_easy_getinfo_err_long(); \ + if(curlcheck_double_info(_curl_info)) \ + if(!curlcheck_arr((arg), double)) \ + _curl_easy_getinfo_err_double(); \ + if(curlcheck_slist_info(_curl_info)) \ + if(!curlcheck_arr((arg), struct curl_slist *)) \ + _curl_easy_getinfo_err_curl_slist(); \ + if(curlcheck_tlssessioninfo_info(_curl_info)) \ + if(!curlcheck_arr((arg), struct curl_tlssessioninfo *)) \ + _curl_easy_getinfo_err_curl_tlssesssioninfo(); \ + if(curlcheck_certinfo_info(_curl_info)) \ + if(!curlcheck_arr((arg), struct curl_certinfo *)) \ + _curl_easy_getinfo_err_curl_certinfo(); \ + if(curlcheck_socket_info(_curl_info)) \ + if(!curlcheck_arr((arg), curl_socket_t)) \ + _curl_easy_getinfo_err_curl_socket(); \ + if(curlcheck_off_t_info(_curl_info)) \ + if(!curlcheck_arr((arg), curl_off_t)) \ + _curl_easy_getinfo_err_curl_off_t(); \ + ) \ } \ curl_easy_getinfo(handle, _curl_info, arg); \ }) @@ -436,7 +442,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, (CURLINFO_OFF_T < (info)) -/* typecheck helpers -- check whether given expression has requested type*/ +/* typecheck helpers -- check whether given expression has requested type */ /* For pointers, you can use the curlcheck_ptr/curlcheck_arr macros, * otherwise define a new macro. Search for __builtin_types_compatible_p diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt index 8cea346..5ca5357 100644 --- a/lib/CMakeLists.txt +++ b/lib/CMakeLists.txt @@ -98,11 +98,37 @@ endif() target_link_libraries(${LIB_NAME} PRIVATE ${CURL_LIBS}) +transform_makefile_inc("Makefile.soname" "${CMAKE_CURRENT_BINARY_DIR}/Makefile.soname.cmake") +include(${CMAKE_CURRENT_BINARY_DIR}/Makefile.soname.cmake) + set_target_properties(${LIB_NAME} PROPERTIES COMPILE_DEFINITIONS BUILDING_LIBCURL OUTPUT_NAME ${LIBCURL_OUTPUT_NAME} ) +if(CMAKE_SYSTEM_NAME STREQUAL "AIX" OR + CMAKE_SYSTEM_NAME STREQUAL "Linux" OR + CMAKE_SYSTEM_NAME STREQUAL "GNU/kFreeBSD" OR + + # FreeBSD comes with the a.out and elf flavours + # but a.out was supported up to version 3.x and + # elf from 3.x. I cannot imagine someone runnig + # CMake on those ancient systems + CMAKE_SYSTEM_NAME STREQUAL "FreeBSD" OR + + CMAKE_SYSTEM_NAME STREQUAL "Haiku") + + math(EXPR CMAKESONAME "${VERSIONCHANGE} - ${VERSIONDEL}") + set(CMAKEVERSION "${CMAKESONAME}.${VERSIONDEL}.${VERSIONADD}") + + set_target_properties(${LIB_NAME} PROPERTIES + VERSION ${CMAKEVERSION} + SOVERSION ${CMAKESONAME} + ) + +endif() + + if(HIDES_CURL_PRIVATE_SYMBOLS) set_property(TARGET ${LIB_NAME} APPEND PROPERTY COMPILE_DEFINITIONS "CURL_HIDDEN_SYMBOLS") set_property(TARGET ${LIB_NAME} APPEND PROPERTY COMPILE_FLAGS ${CURL_CFLAG_SYMBOLS_HIDE}) diff --git a/lib/Makefile.inc b/lib/Makefile.inc index b2d2e9e..9eafa93 100644 --- a/lib/Makefile.inc +++ b/lib/Makefile.inc @@ -74,6 +74,7 @@ LIB_VTLS_HFILES = \ vtls/schannel.h \ vtls/sectransp.h \ vtls/vtls.h \ + vtls/vtls_int.h \ vtls/wolfssl.h \ vtls/x509asn1.h @@ -105,6 +106,7 @@ LIB_CFILES = \ base64.c \ bufref.c \ c-hyper.c \ + cfilters.c \ conncache.c \ connect.c \ content_encoding.c \ @@ -160,7 +162,7 @@ LIB_CFILES = \ http_ntlm.c \ http_proxy.c \ http_aws_sigv4.c \ - idn_win32.c \ + idn.c \ if2ip.c \ imap.c \ inet_ntop.c \ @@ -227,6 +229,7 @@ LIB_HFILES = \ asyn.h \ bufref.h \ c-hyper.h \ + cfilters.h \ conncache.h \ connect.h \ content_encoding.h \ @@ -290,6 +293,7 @@ LIB_HFILES = \ http_ntlm.h \ http_proxy.h \ http_aws_sigv4.h \ + idn.h \ if2ip.h \ imap.h \ inet_ntop.h \ diff --git a/lib/altsvc.c b/lib/altsvc.c index 7bca840..ec18e38 100644 --- a/lib/altsvc.c +++ b/lib/altsvc.c @@ -517,15 +517,21 @@ CURLcode Curl_altsvc_parse(struct Curl_easy *data, dsthost = srchost; } if(*p == ':') { - /* a port number */ - unsigned long port = strtoul(++p, &end_ptr, 10); - if(port > USHRT_MAX || end_ptr == p || *end_ptr != '\"') { + unsigned long port = 0; + p++; + if(ISDIGIT(*p)) + /* a port number */ + port = strtoul(p, &end_ptr, 10); + else + end_ptr = (char *)p; /* not left uninitialized */ + if(!port || port > USHRT_MAX || end_ptr == p || *end_ptr != '\"') { infof(data, "Unknown alt-svc port number, ignoring."); valid = FALSE; } - else + else { dstport = curlx_ultous(port); - p = end_ptr; + p = end_ptr; + } } if(*p++ != '\"') break; diff --git a/lib/asyn-ares.c b/lib/asyn-ares.c index 33edba1..4436da3 100644 --- a/lib/asyn-ares.c +++ b/lib/asyn-ares.c @@ -47,15 +47,6 @@ #include #endif -#ifdef HAVE_PROCESS_H -#include -#endif - -#if (defined(NETWARE) && defined(__NOVELL_LIBC__)) -#undef in_addr_t -#define in_addr_t unsigned long -#endif - #include "urldata.h" #include "sendf.h" #include "hostip.h" diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c index 8b375eb..705f0f6 100644 --- a/lib/asyn-thread.c +++ b/lib/asyn-thread.c @@ -44,19 +44,8 @@ #include #endif -#if defined(USE_THREADS_POSIX) -# ifdef HAVE_PTHREAD_H -# include -# endif -#elif defined(USE_THREADS_WIN32) -# ifdef HAVE_PROCESS_H -# include -# endif -#endif - -#if (defined(NETWARE) && defined(__NOVELL_LIBC__)) -#undef in_addr_t -#define in_addr_t unsigned long +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) +# include #endif #ifdef HAVE_GETADDRINFO @@ -75,7 +64,6 @@ #include "inet_ntop.h" #include "curl_threads.h" #include "connect.h" -#include "socketpair.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" #include "curl_memory.h" @@ -541,7 +529,8 @@ void Curl_resolver_kill(struct Curl_easy *data) /* If we're still resolving, we must wait for the threads to fully clean up, unfortunately. Otherwise, we can simply cancel to clean up any resolver data. */ - if(td && td->thread_hnd != curl_thread_t_null) + if(td && td->thread_hnd != curl_thread_t_null + && (data->set.quick_exit != 1L)) (void)thread_wait_resolv(data, NULL, FALSE); else Curl_resolver_cancel(data); diff --git a/lib/base64.c b/lib/base64.c index 52654c2..bacd627 100644 --- a/lib/base64.c +++ b/lib/base64.c @@ -37,8 +37,7 @@ #include "warnless.h" #include "curl_base64.h" -/* The last 3 #include files should be in this order */ -#include "curl_printf.h" +/* The last 2 #include files should be in this order */ #include "curl_memory.h" #include "memdebug.h" @@ -52,39 +51,12 @@ static const char base64[]= static const char base64url[]= "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"; -static size_t decodeQuantum(unsigned char *dest, const char *src) -{ - size_t padding = 0; - const char *s; - unsigned long i, x = 0; - - for(i = 0, s = src; i < 4; i++, s++) { - if(*s == '=') { - x <<= 6; - padding++; - } - else { - const char *p = strchr(base64, *s); - if(p) - x = (x << 6) + curlx_uztoul(p - base64); - else - return 0; - } - } - - if(padding < 1) - dest[2] = curlx_ultouc(x & 0xFFUL); - - x >>= 8; - if(padding < 2) - dest[1] = curlx_ultouc(x & 0xFFUL); - - x >>= 8; - dest[0] = curlx_ultouc(x & 0xFFUL); - - return 3 - padding; -} - +static const unsigned char decodetable[] = +{ 62, 255, 255, 255, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 255, 255, 255, + 255, 255, 255, 255, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, + 17, 18, 19, 20, 21, 22, 23, 24, 25, 255, 255, 255, 255, 255, 255, 26, 27, 28, + 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, + 48, 49, 50, 51 }; /* * Curl_base64_decode() * @@ -106,10 +78,11 @@ CURLcode Curl_base64_decode(const char *src, size_t padding = 0; size_t i; size_t numQuantums; + size_t fullQuantums; size_t rawlen = 0; - const char *padptr; unsigned char *pos; unsigned char *newstr; + unsigned char lookup[256]; *outptr = NULL; *outlen = 0; @@ -119,21 +92,18 @@ CURLcode Curl_base64_decode(const char *src, if(!srclen || srclen % 4) return CURLE_BAD_CONTENT_ENCODING; - /* Find the position of any = padding characters */ - padptr = strchr(src, '='); - if(padptr) { + /* srclen is at least 4 here */ + while(src[srclen - 1 - padding] == '=') { + /* count padding characters */ padding++; /* A maximum of two = padding characters is allowed */ - if(padptr[1] == '=') - padding++; - - /* Check the = padding characters weren't part way through the input */ - if(padptr + padding != src + srclen) + if(padding > 2) return CURLE_BAD_CONTENT_ENCODING; } /* Calculate the number of quantums */ numQuantums = srclen / 4; + fullQuantums = numQuantums - (padding ? 1 : 0); /* Calculate the size of the decoded string */ rawlen = (numQuantums * 3) - padding; @@ -145,17 +115,59 @@ CURLcode Curl_base64_decode(const char *src, pos = newstr; - /* Decode the quantums */ - for(i = 0; i < numQuantums; i++) { - size_t result = decodeQuantum(pos, src); - if(!result) { - free(newstr); - - return CURLE_BAD_CONTENT_ENCODING; + memset(lookup, 0xff, sizeof(lookup)); + memcpy(&lookup['+'], decodetable, sizeof(decodetable)); + /* replaces + { + unsigned char c; + const unsigned char *p = (const unsigned char *)base64; + for(c = 0; *p; c++, p++) + lookup[*p] = c; + } + */ + + /* Decode the complete quantums first */ + for(i = 0; i < fullQuantums; i++) { + unsigned char val; + unsigned int x = 0; + int j; + + for(j = 0; j < 4; j++) { + val = lookup[(unsigned char)*src++]; + if(val == 0xff) /* bad symbol */ + goto bad; + x = (x << 6) | val; } - - pos += result; - src += 4; + pos[2] = x & 0xff; + pos[1] = (x >> 8) & 0xff; + pos[0] = (x >> 16) & 0xff; + pos += 3; + } + if(padding) { + /* this means either 8 or 16 bits output */ + unsigned char val; + unsigned int x = 0; + int j; + size_t padc = 0; + for(j = 0; j < 4; j++) { + if(*src == '=') { + x <<= 6; + src++; + if(++padc > padding) + /* this is a badly placed '=' symbol! */ + goto bad; + } + else { + val = lookup[(unsigned char)*src++]; + if(val == 0xff) /* bad symbol */ + goto bad; + x = (x << 6) | val; + } + } + if(padding == 1) + pos[1] = (x >> 8) & 0xff; + pos[0] = (x >> 16) & 0xff; + pos += 3 - padding; } /* Zero terminate */ @@ -166,81 +178,60 @@ CURLcode Curl_base64_decode(const char *src, *outlen = rawlen; return CURLE_OK; + bad: + free(newstr); + return CURLE_BAD_CONTENT_ENCODING; } static CURLcode base64_encode(const char *table64, const char *inputbuff, size_t insize, char **outptr, size_t *outlen) { - unsigned char ibuf[3]; - unsigned char obuf[4]; - int i; - int inputparts; char *output; char *base64data; - const char *indata = inputbuff; + const unsigned char *in = (unsigned char *)inputbuff; const char *padstr = &table64[64]; /* Point to padding string. */ *outptr = NULL; *outlen = 0; if(!insize) - insize = strlen(indata); + insize = strlen(inputbuff); #if SIZEOF_SIZE_T == 4 if(insize > UINT_MAX/4) return CURLE_OUT_OF_MEMORY; #endif - base64data = output = malloc(insize * 4 / 3 + 4); + base64data = output = malloc((insize + 2) / 3 * 4 + 1); if(!output) return CURLE_OUT_OF_MEMORY; - while(insize > 0) { - for(i = inputparts = 0; i < 3; i++) { - if(insize > 0) { - inputparts++; - ibuf[i] = (unsigned char) *indata; - indata++; - insize--; + while(insize >= 3) { + *output++ = table64[ in[0] >> 2 ]; + *output++ = table64[ ((in[0] & 0x03) << 4) | (in[1] >> 4) ]; + *output++ = table64[ ((in[1] & 0x0F) << 2) | ((in[2] & 0xC0) >> 6) ]; + *output++ = table64[ in[2] & 0x3F ]; + insize -= 3; + in += 3; + } + if(insize) { + /* this is only one or two bytes now */ + *output++ = table64[ in[0] >> 2 ]; + if(insize == 1) { + *output++ = table64[ ((in[0] & 0x03) << 4) ]; + if(*padstr) { + *output++ = *padstr; + *output++ = *padstr; } - else - ibuf[i] = 0; } - - obuf[0] = (unsigned char) ((ibuf[0] & 0xFC) >> 2); - obuf[1] = (unsigned char) (((ibuf[0] & 0x03) << 4) | \ - ((ibuf[1] & 0xF0) >> 4)); - obuf[2] = (unsigned char) (((ibuf[1] & 0x0F) << 2) | \ - ((ibuf[2] & 0xC0) >> 6)); - obuf[3] = (unsigned char) (ibuf[2] & 0x3F); - - switch(inputparts) { - case 1: /* only one byte read */ - i = msnprintf(output, 5, "%c%c%s%s", - table64[obuf[0]], - table64[obuf[1]], - padstr, - padstr); - break; - - case 2: /* two bytes read */ - i = msnprintf(output, 5, "%c%c%c%s", - table64[obuf[0]], - table64[obuf[1]], - table64[obuf[2]], - padstr); - break; - - default: - i = msnprintf(output, 5, "%c%c%c%c", - table64[obuf[0]], - table64[obuf[1]], - table64[obuf[2]], - table64[obuf[3]]); - break; + else { + /* insize == 2 */ + *output++ = table64[ ((in[0] & 0x03) << 4) | ((in[1] & 0xF0) >> 4) ]; + *output++ = table64[ ((in[1] & 0x0F) << 2) ]; + if(*padstr) + *output++ = *padstr; } - output += i; } /* Zero terminate */ diff --git a/lib/c-hyper.c b/lib/c-hyper.c index 86abcdb..65f5581 100644 --- a/lib/c-hyper.c +++ b/lib/c-hyper.c @@ -163,6 +163,10 @@ static int hyper_each_header(void *userdata, writetype = CLIENTWRITE_HEADER; if(data->set.include_header) writetype |= CLIENTWRITE_BODY; + if(data->state.hconnect) + writetype |= CLIENTWRITE_CONNECT; + if(data->req.httpcode/100 == 1) + writetype |= CLIENTWRITE_1XX; result = Curl_client_write(data, writetype, headp, len); if(result) { data->state.hresult = CURLE_ABORTED_BY_CALLBACK; @@ -170,8 +174,8 @@ static int hyper_each_header(void *userdata, } } - data->info.header_size += (long)len; - data->req.headerbytecount += (long)len; + data->info.header_size += (curl_off_t)len; + data->req.headerbytecount += (curl_off_t)len; return HYPER_ITER_CONTINUE; } @@ -245,7 +249,7 @@ static int hyper_body_chunk(void *userdata, const hyper_buf *chunk) } /* - * Hyper does not consider the status line, the first line in a HTTP/1 + * Hyper does not consider the status line, the first line in an HTTP/1 * response, to be a header. The libcurl API does. This function sends the * status line in the header callback. */ static CURLcode status_line(struct Curl_easy *data, @@ -260,23 +264,25 @@ static CURLcode status_line(struct Curl_easy *data, int writetype; vstr = http_version == HYPER_HTTP_VERSION_1_1 ? "1.1" : (http_version == HYPER_HTTP_VERSION_2 ? "2" : "1.0"); - conn->httpversion = - http_version == HYPER_HTTP_VERSION_1_1 ? 11 : - (http_version == HYPER_HTTP_VERSION_2 ? 20 : 10); - if(http_version == HYPER_HTTP_VERSION_1_0) - data->state.httpwant = CURL_HTTP_VERSION_1_0; - - if(data->state.hconnect) - /* CONNECT */ - data->info.httpproxycode = http_status; /* We need to set 'httpcodeq' for functions that check the response code in a single place. */ data->req.httpcode = http_status; - result = Curl_http_statusline(data, conn); - if(result) - return result; + if(data->state.hconnect) + /* CONNECT */ + data->info.httpproxycode = http_status; + else { + conn->httpversion = + http_version == HYPER_HTTP_VERSION_1_1 ? 11 : + (http_version == HYPER_HTTP_VERSION_2 ? 20 : 10); + if(http_version == HYPER_HTTP_VERSION_1_0) + data->state.httpwant = CURL_HTTP_VERSION_1_0; + + result = Curl_http_statusline(data, conn); + if(result) + return result; + } Curl_dyn_reset(&data->state.headerb); @@ -299,9 +305,8 @@ static CURLcode status_line(struct Curl_easy *data, if(result) return result; } - data->info.header_size += (long)len; - data->req.headerbytecount += (long)len; - data->req.httpcode = http_status; + data->info.header_size += (curl_off_t)len; + data->req.headerbytecount += (curl_off_t)len; return CURLE_OK; } @@ -415,8 +420,10 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data, break; } else if(h->endtask == task) { - /* end of transfer */ + /* end of transfer, forget the task handled, we might get a + * new one with the same address in the future. */ *done = TRUE; + h->endtask = NULL; infof(data, "hyperstream is done"); if(!k->bodywrites) { /* hyper doesn't always call the body write callback */ @@ -679,7 +686,7 @@ static int uploadpostfields(void *userdata, hyper_context *ctx, return HYPER_POLL_ERROR; } /* increasing the writebytecount here is a little premature but we - don't know exactly when the body is sent*/ + don't know exactly when the body is sent */ data->req.writebytecount += (size_t)data->req.p.http->postsize; Curl_pgrsSetUploadCounter(data, data->req.writebytecount); data->req.upload_done = TRUE; @@ -692,6 +699,7 @@ static int uploadstreamed(void *userdata, hyper_context *ctx, { size_t fillcount; struct Curl_easy *data = (struct Curl_easy *)userdata; + struct connectdata *conn = (struct connectdata *)data->conn; CURLcode result; (void)ctx; @@ -706,7 +714,15 @@ static int uploadstreamed(void *userdata, hyper_context *ctx, return HYPER_POLL_PENDING; } - result = Curl_fillreadbuffer(data, data->set.upload_buffer_size, &fillcount); + if(data->req.upload_chunky && conn->bits.authneg) { + fillcount = 0; + data->req.upload_chunky = FALSE; + result = CURLE_OK; + } + else { + result = Curl_fillreadbuffer(data, data->set.upload_buffer_size, + &fillcount); + } if(result) { data->state.hresult = result; return HYPER_POLL_ERROR; @@ -732,7 +748,7 @@ static int uploadstreamed(void *userdata, hyper_context *ctx, return HYPER_POLL_ERROR; } /* increasing the writebytecount here is a little premature but we - don't know exactly when the body is sent*/ + don't know exactly when the body is sent */ data->req.writebytecount += fillcount; Curl_pgrsSetUploadCounter(data, fillcount); } @@ -740,7 +756,7 @@ static int uploadstreamed(void *userdata, hyper_context *ctx, } /* - * bodysend() sets up headers in the outgoing request for a HTTP transfer that + * bodysend() sets up headers in the outgoing request for an HTTP transfer that * sends a body */ @@ -845,7 +861,7 @@ static void http1xx_cb(void *arg, struct hyper_response *resp) } /* - * Curl_http() gets called from the generic multi_do() function when a HTTP + * Curl_http() gets called from the generic multi_do() function when an HTTP * request is to be performed. This creates and sends a properly constructed * HTTP request. */ @@ -1159,7 +1175,12 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) Curl_debug(data, CURLINFO_HEADER_OUT, (char *)"\r\n", 2); - data->req.upload_chunky = FALSE; + if(data->req.upload_chunky && conn->bits.authneg) { + data->req.upload_chunky = TRUE; + } + else { + data->req.upload_chunky = FALSE; + } sendtask = hyper_clientconn_send(client, req); if(!sendtask) { failf(data, "hyper_clientconn_send"); diff --git a/lib/cfilters.c b/lib/cfilters.c new file mode 100644 index 0000000..bcb33da --- /dev/null +++ b/lib/cfilters.c @@ -0,0 +1,502 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ + +#include "curl_setup.h" + +#include "urldata.h" +#include "strerror.h" +#include "cfilters.h" +#include "connect.h" +#include "url.h" /* for Curl_safefree() */ +#include "sendf.h" +#include "sockaddr.h" /* required for Curl_sockaddr_storage */ +#include "multiif.h" +#include "progress.h" +#include "warnless.h" +#include "http_proxy.h" +#include "socks.h" +#include "vtls/vtls.h" + +/* The last 3 #include files should be in this order */ +#include "curl_printf.h" +#include "curl_memory.h" +#include "memdebug.h" + +#ifndef ARRAYSIZE +#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0])) +#endif + + +void Curl_cf_def_destroy_this(struct Curl_cfilter *cf, struct Curl_easy *data) +{ + (void)cf; + (void)data; +} + +CURLcode Curl_cf_def_setup(struct Curl_cfilter *cf, + struct Curl_easy *data, + const struct Curl_dns_entry *remotehost) +{ + DEBUGASSERT(cf->next); + return cf->next->cft->setup(cf->next, data, remotehost); +} + +void Curl_cf_def_attach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + (void)cf; + (void)data; +} + +void Curl_cf_def_detach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + (void)cf; + (void)data; +} + +void Curl_cf_def_close(struct Curl_cfilter *cf, struct Curl_easy *data) +{ + DEBUGASSERT(cf->next); + cf->connected = FALSE; + cf->next->cft->close(cf->next, data); +} + +CURLcode Curl_cf_def_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done) +{ + DEBUGASSERT(cf->next); + return cf->next->cft->connect(cf->next, data, blocking, done); +} + +void Curl_cf_def_get_host(struct Curl_cfilter *cf, struct Curl_easy *data, + const char **phost, const char **pdisplay_host, + int *pport) +{ + DEBUGASSERT(cf->next); + cf->next->cft->get_host(cf->next, data, phost, pdisplay_host, pport); +} + +int Curl_cf_def_get_select_socks(struct Curl_cfilter *cf, + struct Curl_easy *data, + curl_socket_t *socks) +{ + DEBUGASSERT(cf->next); + return cf->next->cft->get_select_socks(cf->next, data, socks); +} + +bool Curl_cf_def_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) +{ + DEBUGASSERT(cf->next); + return cf->next->cft->has_data_pending(cf->next, data); +} + +ssize_t Curl_cf_def_send(struct Curl_cfilter *cf, struct Curl_easy *data, + const void *buf, size_t len, CURLcode *err) +{ + DEBUGASSERT(cf->next); + return cf->next->cft->do_send(cf->next, data, buf, len, err); +} + +ssize_t Curl_cf_def_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + char *buf, size_t len, CURLcode *err) +{ + DEBUGASSERT(cf->next); + return cf->next->cft->do_recv(cf->next, data, buf, len, err); +} + +void Curl_conn_cf_discard_all(struct Curl_easy *data, + struct connectdata *conn, int index) +{ + struct Curl_cfilter *cfn, *cf = conn->cfilter[index]; + + if(cf) { + conn->cfilter[index] = NULL; + while(cf) { + cfn = cf->next; + cf->cft->destroy(cf, data); + free(cf); + cf = cfn; + } + } +} + +void Curl_conn_close(struct Curl_easy *data, int index) +{ + struct Curl_cfilter *cf; + + DEBUGASSERT(data->conn); + /* it is valid to call that without filters being present */ + cf = data->conn->cfilter[index]; + if(cf) { + cf->cft->close(cf, data); + } +} + +ssize_t Curl_conn_recv(struct Curl_easy *data, int num, char *buf, + size_t len, CURLcode *code) +{ + struct Curl_cfilter *cf; + ssize_t nread; + + DEBUGASSERT(data); + DEBUGASSERT(data->conn); + cf = data->conn->cfilter[num]; + while(cf && !cf->connected) { + cf = cf->next; + } + if(cf) { + nread = cf->cft->do_recv(cf, data, buf, len, code); + /* DEBUGF(infof(data, "Curl_conn_recv(handle=%p, index=%d)" + "-> %ld, err=%d", data, num, nread, *code));*/ + return nread; + } + failf(data, "no filter connected, conn=%ld, sockindex=%d", + data->conn->connection_id, num); + *code = CURLE_FAILED_INIT; + return -1; +} + +ssize_t Curl_conn_send(struct Curl_easy *data, int num, + const void *mem, size_t len, CURLcode *code) +{ + struct Curl_cfilter *cf; + ssize_t nwritten; + + DEBUGASSERT(data); + DEBUGASSERT(data->conn); + cf = data->conn->cfilter[num]; + while(cf && !cf->connected) { + cf = cf->next; + } + if(cf) { + nwritten = cf->cft->do_send(cf, data, mem, len, code); + /* DEBUGF(infof(data, "Curl_conn_send(handle=%p, index=%d, len=%ld)" + " -> %ld, err=%d", data, num, len, nwritten, *code));*/ + return nwritten; + } + failf(data, "no filter connected, conn=%ld, sockindex=%d", + data->conn->connection_id, num); + *code = CURLE_FAILED_INIT; + return -1; +} + +CURLcode Curl_cf_create(struct Curl_cfilter **pcf, + const struct Curl_cftype *cft, + void *ctx) +{ + struct Curl_cfilter *cf; + CURLcode result = CURLE_OUT_OF_MEMORY; + + DEBUGASSERT(cft); + cf = calloc(sizeof(*cf), 1); + if(!cf) + goto out; + + cf->cft = cft; + cf->ctx = ctx; + result = CURLE_OK; +out: + *pcf = cf; + return result; +} + +void Curl_conn_cf_add(struct Curl_easy *data, + struct connectdata *conn, + int index, + struct Curl_cfilter *cf) +{ + (void)data; + DEBUGASSERT(conn); + DEBUGASSERT(!cf->conn); + DEBUGASSERT(!cf->next); + + DEBUGF(infof(data, CMSGI(conn, index, "cf_add(filter=%s)"), + cf->cft->name)); + cf->next = conn->cfilter[index]; + cf->conn = conn; + cf->sockindex = index; + conn->cfilter[index] = cf; +} + +void Curl_conn_cf_discard(struct Curl_cfilter *cf, struct Curl_easy *data) +{ + struct Curl_cfilter **pprev = &cf->conn->cfilter[cf->sockindex]; + + /* remove from chain if still in there */ + DEBUGASSERT(cf); + while (*pprev) { + if (*pprev == cf) { + *pprev = cf->next; + break; + } + pprev = &((*pprev)->next); + } + cf->cft->destroy(cf, data); + free(cf); +} + +ssize_t Curl_conn_cf_send(struct Curl_cfilter *cf, struct Curl_easy *data, + const void *buf, size_t len, CURLcode *err) +{ + return cf->cft->do_send(cf, data, buf, len, err); +} + +ssize_t Curl_conn_cf_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + char *buf, size_t len, CURLcode *err) +{ + return cf->cft->do_recv(cf, data, buf, len, err); +} + +CURLcode Curl_conn_setup(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, + const struct Curl_dns_entry *remotehost, + int ssl_mode) +{ + struct Curl_cfilter *cf; + CURLcode result; + + DEBUGASSERT(data); + /* If no filter is set, we have the "default" setup of connection filters. + * The filter chain from botton to top will be: + * - SOCKET socket filter for outgoing connection to remotehost + * if http_proxy tunneling is engaged: + * - SSL if proxytype is CURLPROXY_HTTPS + * - HTTP_PROXY_TUNNEL + * otherwise, if socks_proxy is engaged: + * - SOCKS_PROXY_TUNNEL + * - SSL if conn->handler has PROTOPT_SSL + */ + if(!conn->cfilter[sockindex]) { + DEBUGF(infof(data, DMSGI(data, sockindex, "setup, init filter chain"))); + result = Curl_conn_socket_set(data, conn, sockindex); + if(result) + goto out; + +#ifndef CURL_DISABLE_PROXY + if(conn->bits.socksproxy) { + result = Curl_conn_socks_proxy_add(data, conn, sockindex); + if(result) + goto out; + } + + if(conn->bits.httpproxy) { +#ifdef USE_SSL + if(conn->http_proxy.proxytype == CURLPROXY_HTTPS) { + result = Curl_ssl_cfilter_proxy_add(data, conn, sockindex); + if(result) + goto out; + } +#endif /* USE_SSL */ + +#if !defined(CURL_DISABLE_HTTP) + if(conn->bits.tunnel_proxy) { + result = Curl_conn_http_proxy_add(data, conn, sockindex); + if(result) + goto out; + } +#endif /* !CURL_DISABLE_HTTP */ + } +#endif /* !CURL_DISABLE_PROXY */ + +#ifdef USE_SSL + if(ssl_mode == CURL_CF_SSL_ENABLE + || (ssl_mode != CURL_CF_SSL_DISABLE + && conn->handler->flags & PROTOPT_SSL)) { + result = Curl_ssl_cfilter_add(data, conn, sockindex); + if(result) + goto out; + } +#else + (void)ssl_mode; +#endif /* USE_SSL */ + +#if !defined(CURL_DISABLE_PROXY) && !defined(CURL_DISABLE_HTTP) + if(data->set.haproxyprotocol) { + result = Curl_conn_haproxy_add(data, conn, sockindex); + if(result) + goto out; + } +#endif /* !CURL_DISABLE_PROXY && !CURL_DISABLE_HTTP */ + + } + DEBUGASSERT(conn->cfilter[sockindex]); + cf = data->conn->cfilter[sockindex]; + result = cf->cft->setup(cf, data, remotehost); + +out: + return result; +} + +CURLcode Curl_conn_connect(struct Curl_easy *data, + int sockindex, + bool blocking, + bool *done) +{ + struct Curl_cfilter *cf; + CURLcode result; + + DEBUGASSERT(data); + + cf = data->conn->cfilter[sockindex]; + DEBUGASSERT(cf); + result = cf->cft->connect(cf, data, blocking, done); + + DEBUGF(infof(data, DMSGI(data, sockindex, "connect(block=%d)-> %d, done=%d"), + blocking, result, *done)); + return result; +} + +bool Curl_conn_is_connected(struct connectdata *conn, int sockindex) +{ + struct Curl_cfilter *cf; + + cf = conn->cfilter[sockindex]; + return cf && cf->connected; +} + +bool Curl_conn_is_ip_connected(struct Curl_easy *data, int sockindex) +{ + struct Curl_cfilter *cf; + + cf = data->conn->cfilter[sockindex]; + while(cf) { + if(cf->connected) + return TRUE; + if(cf->cft->flags & CF_TYPE_IP_CONNECT) + return FALSE; + cf = cf->next; + } + return FALSE; +} + +bool Curl_conn_is_ssl(struct Curl_easy *data, int sockindex) +{ + struct Curl_cfilter *cf = data->conn? data->conn->cfilter[sockindex] : NULL; + + (void)data; + for(; cf; cf = cf->next) { + if(cf->cft->flags & CF_TYPE_SSL) + return TRUE; + if(cf->cft->flags & CF_TYPE_IP_CONNECT) + return FALSE; + } + return FALSE; +} + + +bool Curl_conn_data_pending(struct Curl_easy *data, int sockindex) +{ + struct Curl_cfilter *cf; + + (void)data; + DEBUGASSERT(data); + DEBUGASSERT(data->conn); + if(Curl_recv_has_postponed_data(data->conn, sockindex)) + return TRUE; + + cf = data->conn->cfilter[sockindex]; + while(cf && !cf->connected) { + cf = cf->next; + } + if(cf) { + return cf->cft->has_data_pending(cf, data); + } + return FALSE; +} + +int Curl_conn_get_select_socks(struct Curl_easy *data, int sockindex, + curl_socket_t *socks) +{ + struct Curl_cfilter *cf; + + DEBUGASSERT(data); + DEBUGASSERT(data->conn); + cf = data->conn->cfilter[sockindex]; + if(cf) { + return cf->cft->get_select_socks(cf, data, socks); + } + return GETSOCK_BLANK; +} + +void Curl_conn_attach_data(struct connectdata *conn, + struct Curl_easy *data) +{ + size_t i; + struct Curl_cfilter *cf; + + for(i = 0; i < ARRAYSIZE(conn->cfilter); ++i) { + cf = conn->cfilter[i]; + if(cf) { + while(cf) { + cf->cft->attach_data(cf, data); + cf = cf->next; + } + } + } +} + +void Curl_conn_detach_data(struct connectdata *conn, + struct Curl_easy *data) +{ + size_t i; + struct Curl_cfilter *cf; + + for(i = 0; i < ARRAYSIZE(conn->cfilter); ++i) { + cf = conn->cfilter[i]; + if(cf) { + while(cf) { + cf->cft->detach_data(cf, data); + cf = cf->next; + } + } + } +} + +void Curl_conn_get_host(struct Curl_easy *data, int sockindex, + const char **phost, const char **pdisplay_host, + int *pport) +{ + struct Curl_cfilter *cf; + + DEBUGASSERT(data->conn); + cf = data->conn->cfilter[sockindex]; + if(cf) { + cf->cft->get_host(cf, data, phost, pdisplay_host, pport); + } + else { + /* Some filter ask during shutdown for this, mainly for debugging + * purposes. We hand out the defaults, however this is not always + * accurate, as the connction might be tunneled, etc. But all that + * state is already gone here. */ + *phost = data->conn->host.name; + *pdisplay_host = data->conn->host.dispname; + *pport = data->conn->remote_port; + } +} + + diff --git a/lib/cfilters.h b/lib/cfilters.h new file mode 100644 index 0000000..4b81b42 --- /dev/null +++ b/lib/cfilters.h @@ -0,0 +1,315 @@ +#ifndef HEADER_CURL_CFILTERS_H +#define HEADER_CURL_CFILTERS_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ + + +struct Curl_cfilter; +struct Curl_easy; +struct Curl_dns_entry; +struct connectdata; + +/* Callback to destroy resources held by this filter instance. + * Implementations MUST NOT chain calls to cf->next. + */ +typedef void Curl_cft_destroy_this(struct Curl_cfilter *cf, + struct Curl_easy *data); + +/* Setup the connection for `data`, using destination `remotehost`. + */ +typedef CURLcode Curl_cft_setup(struct Curl_cfilter *cf, + struct Curl_easy *data, + const struct Curl_dns_entry *remotehost); +typedef void Curl_cft_close(struct Curl_cfilter *cf, + struct Curl_easy *data); + +typedef CURLcode Curl_cft_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done); + +/* Return the hostname and port the connection goes to. + * This may change with the connection state of filters when tunneling + * is involved. + * @param cf the filter to ask + * @param data the easy handle currently active + * @param phost on return, points to the relevant, real hostname. + * this is owned by the connection. + * @param pdisplay_host on return, points to the printable hostname. + * this is owned by the connection. + * @param pport on return, contains the port number + */ +typedef void Curl_cft_get_host(struct Curl_cfilter *cf, + struct Curl_easy *data, + const char **phost, + const char **pdisplay_host, + int *pport); + +/* Filters may return sockets and fdset flags they are waiting for. + * The passes array has room for up to MAX_SOCKSPEREASYHANDLE sockets. + * @return read/write fdset for index in socks + * or GETSOCK_BLANK when nothing to wait on + */ +typedef int Curl_cft_get_select_socks(struct Curl_cfilter *cf, + struct Curl_easy *data, + curl_socket_t *socks); + +typedef bool Curl_cft_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data); + +typedef ssize_t Curl_cft_send(struct Curl_cfilter *cf, + struct Curl_easy *data, /* transfer */ + const void *buf, /* data to write */ + size_t len, /* amount to write */ + CURLcode *err); /* error to return */ + +typedef ssize_t Curl_cft_recv(struct Curl_cfilter *cf, + struct Curl_easy *data, /* transfer */ + char *buf, /* store data here */ + size_t len, /* amount to read */ + CURLcode *err); /* error to return */ + +typedef void Curl_cft_attach_data(struct Curl_cfilter *cf, + struct Curl_easy *data); +typedef void Curl_cft_detach_data(struct Curl_cfilter *cf, + struct Curl_easy *data); + +/** + * The easy handle `data` is being detached (no longer served) + * by connection `conn`. All filters are informed to release any resources + * related to `data`. + * Note: there may be several `data` attached to a connection at the same + * time. + */ +void Curl_conn_detach(struct connectdata *conn, struct Curl_easy *data); + +#define CF_TYPE_IP_CONNECT (1 << 0) +#define CF_TYPE_SSL (1 << 1) + +/* A connection filter type, e.g. specific implementation. */ +struct Curl_cftype { + const char *name; /* name of the filter type */ + long flags; /* flags of filter type */ + Curl_cft_destroy_this *destroy; /* destroy resources of this cf */ + Curl_cft_setup *setup; /* setup for a connection */ + Curl_cft_connect *connect; /* establish connection */ + Curl_cft_close *close; /* close conn */ + Curl_cft_get_host *get_host; /* host filter talks to */ + Curl_cft_get_select_socks *get_select_socks;/* sockets to select on */ + Curl_cft_data_pending *has_data_pending;/* conn has data pending */ + Curl_cft_send *do_send; /* send data */ + Curl_cft_recv *do_recv; /* receive data */ + Curl_cft_attach_data *attach_data; /* data is being handled here */ + Curl_cft_detach_data *detach_data; /* data is no longer handled here */ +}; + +/* A connection filter instance, e.g. registered at a connection */ +struct Curl_cfilter { + const struct Curl_cftype *cft; /* the type providing implementation */ + struct Curl_cfilter *next; /* next filter in chain */ + void *ctx; /* filter type specific settings */ + struct connectdata *conn; /* the connection this filter belongs to */ + int sockindex; /* TODO: like to get rid off this */ + BIT(connected); /* != 0 iff this filter is connected */ +}; + +/* Default implementations for the type functions, implementing nop. */ +void Curl_cf_def_destroy_this(struct Curl_cfilter *cf, + struct Curl_easy *data); + +/* Default implementations for the type functions, implementing pass-through + * the filter chain. */ +CURLcode Curl_cf_def_setup(struct Curl_cfilter *cf, + struct Curl_easy *data, + const struct Curl_dns_entry *remotehost); +void Curl_cf_def_close(struct Curl_cfilter *cf, struct Curl_easy *data); +CURLcode Curl_cf_def_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done); +void Curl_cf_def_get_host(struct Curl_cfilter *cf, struct Curl_easy *data, + const char **phost, const char **pdisplay_host, + int *pport); +int Curl_cf_def_get_select_socks(struct Curl_cfilter *cf, + struct Curl_easy *data, + curl_socket_t *socks); +bool Curl_cf_def_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data); +ssize_t Curl_cf_def_send(struct Curl_cfilter *cf, struct Curl_easy *data, + const void *buf, size_t len, CURLcode *err); +ssize_t Curl_cf_def_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + char *buf, size_t len, CURLcode *err); +void Curl_cf_def_attach_data(struct Curl_cfilter *cf, + struct Curl_easy *data); +void Curl_cf_def_detach_data(struct Curl_cfilter *cf, + struct Curl_easy *data); + +/** + * Create a new filter instance, unattached to the filter chain. + * Use Curl_conn_cf_add() to add it to the chain. + * @param pcf on success holds the created instance + * @parm cft the filter type + * @param ctx the type specific context to use + */ +CURLcode Curl_cf_create(struct Curl_cfilter **pcf, + const struct Curl_cftype *cft, + void *ctx); + +/** + * Add a filter instance to the `sockindex` filter chain at connection + * `data->conn`. The filter must not already be attached. It is inserted at + * the start of the chain (top). + */ +void Curl_conn_cf_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, + struct Curl_cfilter *cf); + +/** + * Remove and destroy all filters at chain `sockindex` on connection `conn`. + */ +void Curl_conn_cf_discard_all(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); + +/** + * Discard, e.g. remove and destroy a specific filter instance. + * If the filter is attached to a connection, it will be removed before + * it is destroyed. + */ +void Curl_conn_cf_discard(struct Curl_cfilter *cf, struct Curl_easy *data); + + +ssize_t Curl_conn_cf_send(struct Curl_cfilter *cf, struct Curl_easy *data, + const void *buf, size_t len, CURLcode *err); +ssize_t Curl_conn_cf_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + char *buf, size_t len, CURLcode *err); + +#define CURL_CF_SSL_DEFAULT -1 +#define CURL_CF_SSL_DISABLE 0 +#define CURL_CF_SSL_ENABLE 1 + +/** + * Setup the filter chain at `sockindex` in connection `conn`, invoking + * the instance `setup(remotehost)` methods. If no filter chain is + * installed yet, inspects the configuration in `data` to install a + * suitable filter chain. + */ +CURLcode Curl_conn_setup(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, + const struct Curl_dns_entry *remotehost, + int ssl_mode); + +/** + * Bring the filter chain at `sockindex` for connection `data->conn` into + * connected state. Which will set `*done` to TRUE. + * This can be called on an already connected chain with no side effects. + * When not `blocking`, calls may return without error and `*done != TRUE`, + * while the individual filters negotiated the connection. + */ +CURLcode Curl_conn_connect(struct Curl_easy *data, int sockindex, + bool blocking, bool *done); + +/** + * Check if the filter chain at `sockindex` for connection `conn` is + * completely connected. + */ +bool Curl_conn_is_connected(struct connectdata *conn, int sockindex); + +/** + * Determine if we have reached the remote host on IP level, e.g. + * have a TCP connection. This turns TRUE before a possible SSL + * handshake has been started/done. + */ +bool Curl_conn_is_ip_connected(struct Curl_easy *data, int sockindex); + +/** + * Determine if the connection is using SSL to the remote host + * (or will be once connected). This will return FALSE, if SSL + * is only used in proxying and not for the tunnel itself. + */ +bool Curl_conn_is_ssl(struct Curl_easy *data, int sockindex); + +/** + * Close the filter chain at `sockindex` for connection `data->conn`. + * Filters remain in place and may be connected again afterwards. + */ +void Curl_conn_close(struct Curl_easy *data, int sockindex); + +/** + * Return if data is pending in some connection filter at chain + * `sockindex` for connection `data->conn`. + */ +bool Curl_conn_data_pending(struct Curl_easy *data, + int sockindex); + +/** + * Get any select fd flags and the socket filters at chain `sockindex` + * at connection `conn` might be waiting for. + */ +int Curl_conn_get_select_socks(struct Curl_easy *data, int sockindex, + curl_socket_t *socks); + +/** + * Receive data through the filter chain at `sockindex` for connection + * `data->conn`. Copy at most `len` bytes into `buf`. Return the + * actuel number of bytes copied or a negative value on error. + * The error code is placed into `*code`. + */ +ssize_t Curl_conn_recv(struct Curl_easy *data, int sockindex, char *buf, + size_t len, CURLcode *code); + +/** + * Send `len` bytes of data from `buf` through the filter chain `sockindex` + * at connection `data->conn`. Return the actual number of bytes written + * or a negative value on error. + * The error code is placed into `*code`. + */ +ssize_t Curl_conn_send(struct Curl_easy *data, int sockindex, + const void *buf, size_t len, CURLcode *code); + +/** + * The easy handle `data` is being attached (served) by connection `conn`. + * All filters are informed to adapt to handling `data`. + * Note: there may be several `data` attached to a connection at the same + * time. + */ +void Curl_conn_attach_data(struct connectdata *conn, + struct Curl_easy *data); + +/** + * The easy handle `data` is being detached (no longer served) + * by connection `conn`. All filters are informed to release any resources + * related to `data`. + * Note: there may be several `data` attached to a connection at the same + * time. + */ +void Curl_conn_detach_data(struct connectdata *conn, + struct Curl_easy *data); + +void Curl_conn_get_host(struct Curl_easy *data, int sockindex, + const char **phost, const char **pdisplay_host, + int *pport); + + +#endif /* HEADER_CURL_CFILTERS_H */ diff --git a/lib/connect.c b/lib/connect.c index ac007c6..af04138 100644 --- a/lib/connect.c +++ b/lib/connect.c @@ -48,13 +48,6 @@ #include #endif -#if (defined(HAVE_IOCTL_FIONBIO) && defined(NETWARE)) -#include -#endif -#ifdef NETWARE -#undef in_addr_t -#define in_addr_t unsigned long -#endif #ifdef __VMS #include #include @@ -64,6 +57,7 @@ #include "sendf.h" #include "if2ip.h" #include "strerror.h" +#include "cfilters.h" #include "connect.h" #include "select.h" #include "url.h" /* for Curl_safefree() */ @@ -79,7 +73,6 @@ #include "share.h" #include "version_win32.h" #include "quic.h" -#include "socks.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" @@ -237,10 +230,9 @@ timediff_t Curl_timeleft(struct Curl_easy *data, return timeout_ms; } -static CURLcode bindlocal(struct Curl_easy *data, +static CURLcode bindlocal(struct Curl_easy *data, struct connectdata *conn, curl_socket_t sockfd, int af, unsigned int scope) { - struct connectdata *conn = data->conn; struct Curl_sockaddr_storage sa; struct sockaddr *sock = (struct sockaddr *)&sa; /* bind to this address */ curl_socklen_t sizeof_sa = 0; /* size of the data sock points to */ @@ -398,18 +390,23 @@ static CURLcode bindlocal(struct Curl_easy *data, #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID char *scope_ptr = strchr(myhost, '%'); if(scope_ptr) - *(scope_ptr++) = 0; + *(scope_ptr++) = '\0'; #endif if(Curl_inet_pton(AF_INET6, myhost, &si6->sin6_addr) > 0) { si6->sin6_family = AF_INET6; si6->sin6_port = htons(port); #ifdef HAVE_SOCKADDR_IN6_SIN6_SCOPE_ID - if(scope_ptr) + if(scope_ptr) { /* The "myhost" string either comes from Curl_if2ip or from Curl_printable_address. The latter returns only numeric scope IDs and the former returns none at all. So the scope ID, if present, is known to be numeric */ - si6->sin6_scope_id = atoi(scope_ptr); + unsigned long scope_id = strtoul(scope_ptr, NULL, 10); + if(scope_id > UINT_MAX) + return CURLE_UNSUPPORTED_PROTOCOL; + + si6->sin6_scope_id = (unsigned int)scope_id; + } #endif } sizeof_sa = sizeof(struct sockaddr_in6); @@ -771,123 +768,45 @@ void Curl_updateconninfo(struct Curl_easy *data, struct connectdata *conn, Curl_persistconninfo(data, conn, local_ip, local_port); } -/* After a TCP connection to the proxy has been verified, this function does - the next magic steps. If 'done' isn't set TRUE, it is not done yet and - must be called again. - - Note: this function's sub-functions call failf() - -*/ -static CURLcode connect_SOCKS(struct Curl_easy *data, int sockindex, - bool *done) -{ - CURLcode result = CURLE_OK; -#ifndef CURL_DISABLE_PROXY - CURLproxycode pxresult = CURLPX_OK; - struct connectdata *conn = data->conn; - if(conn->bits.socksproxy) { - /* for the secondary socket (FTP), use the "connect to host" - * but ignore the "connect to port" (use the secondary port) - */ - const char * const host = - conn->bits.httpproxy ? - conn->http_proxy.host.name : - conn->bits.conn_to_host ? - conn->conn_to_host.name : - sockindex == SECONDARYSOCKET ? - conn->secondaryhostname : conn->host.name; - const int port = - conn->bits.httpproxy ? (int)conn->http_proxy.port : - sockindex == SECONDARYSOCKET ? conn->secondary_port : - conn->bits.conn_to_port ? conn->conn_to_port : - conn->remote_port; - switch(conn->socks_proxy.proxytype) { - case CURLPROXY_SOCKS5: - case CURLPROXY_SOCKS5_HOSTNAME: - pxresult = Curl_SOCKS5(conn->socks_proxy.user, conn->socks_proxy.passwd, - host, port, sockindex, data, done); - break; - - case CURLPROXY_SOCKS4: - case CURLPROXY_SOCKS4A: - pxresult = Curl_SOCKS4(conn->socks_proxy.user, host, port, sockindex, - data, done); - break; - - default: - failf(data, "unknown proxytype option given"); - result = CURLE_COULDNT_CONNECT; - } /* switch proxytype */ - if(pxresult) { - result = CURLE_PROXY; - data->info.pxcode = pxresult; - } - } - else -#else - (void)data; - (void)sockindex; -#endif /* CURL_DISABLE_PROXY */ - *done = TRUE; /* no SOCKS proxy, so consider us connected */ - - return result; -} - /* - * post_SOCKS() is called after a successful connect to the peer, which - * *could* be a SOCKS proxy + * post_connect() is called after a successful connect to the peer */ -static void post_SOCKS(struct Curl_easy *data, +static void post_connect(struct Curl_easy *data, struct connectdata *conn, - int sockindex, - bool *connected) + int sockindex) { - conn->bits.tcpconnect[sockindex] = TRUE; - - *connected = TRUE; - if(sockindex == FIRSTSOCKET) - Curl_pgrsTime(data, TIMER_CONNECT); /* connect done */ Curl_updateconninfo(data, conn, conn->sock[sockindex]); Curl_verboseconnect(data, conn); data->info.numconnects++; /* to track the number of connections made */ } /* - * Curl_is_connected() checks if the socket has connected. + * is_connected() checks if the socket has connected. */ - -CURLcode Curl_is_connected(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, - bool *connected) +static CURLcode is_connected(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, + bool *connected) { CURLcode result = CURLE_OK; timediff_t allow; int error = 0; struct curltime now; int rc = 0; - unsigned int i; + int i; DEBUGASSERT(sockindex >= FIRSTSOCKET && sockindex <= SECONDARYSOCKET); *connected = FALSE; /* a very negative world view is best */ - if(conn->bits.tcpconnect[sockindex]) { - /* we are connected already! */ - *connected = TRUE; - return CURLE_OK; - } - now = Curl_now(); - if(SOCKS_STATE(conn->cnnct.state)) { - /* still doing SOCKS */ - result = connect_SOCKS(data, sockindex, connected); - if(!result && *connected) - post_SOCKS(data, conn, sockindex, connected); - return result; - } - + /* Check if any of the conn->tempsock we use for establishing connections + * succeeded and, if so, close any ongoing other ones. + * Transfer the successful conn->tempsock to conn->sock[sockindex] + * and set conn->tempsock to CURL_SOCKET_BAD. + * If transport is QUIC, we need to shutdown the ongoing 'other' + * connect attempts in a QUIC appropriate way. */ for(i = 0; i<2; i++) { const int other = i ^ 1; if(conn->tempsock[i] == CURL_SOCKET_BAD) @@ -901,7 +820,7 @@ CURLcode Curl_is_connected(struct Curl_easy *data, conn->sock[sockindex] = conn->tempsock[i]; conn->ip_addr = conn->tempaddr[i]; conn->tempsock[i] = CURL_SOCKET_BAD; - post_SOCKS(data, conn, sockindex, connected); + post_connect(data, conn, sockindex); connkeep(conn, "HTTP/3 default"); if(conn->tempsock[other] != CURL_SOCKET_BAD) Curl_quic_disconnect(data, conn, other); @@ -963,14 +882,7 @@ CURLcode Curl_is_connected(struct Curl_easy *data, conn->tempsock[other] = CURL_SOCKET_BAD; } - /* see if we need to kick off any SOCKS proxy magic once we - connected */ - result = connect_SOCKS(data, sockindex, connected); - if(result || !*connected) - return result; - - post_SOCKS(data, conn, sockindex, connected); - + *connected = TRUE; return CURLE_OK; } } @@ -1207,7 +1119,7 @@ static CURLcode singleipconnect(struct Curl_easy *data, return result; /* store remote address and port used in this connection attempt */ - if(!Curl_addr2string((struct sockaddr*)&addr.sa_addr, addr.addrlen, + if(!Curl_addr2string(&addr.sa_addr, addr.addrlen, ipaddress, &port)) { /* malformed address or bug in inet_ntop, try next address */ failf(data, "sa_addr inet_ntop() failed with errno %d: %s", @@ -1261,8 +1173,8 @@ static CURLcode singleipconnect(struct Curl_easy *data, || addr.family == AF_INET6 #endif ) { - result = bindlocal(data, sockfd, addr.family, - Curl_ipv6_scope((struct sockaddr*)&addr.sa_addr)); + result = bindlocal(data, conn, sockfd, addr.family, + Curl_ipv6_scope(&addr.sa_addr)); if(result) { Curl_closesocket(data, conn, sockfd); /* close socket and bail out */ if(result == CURLE_UNSUPPORTED_PROTOCOL) { @@ -1521,12 +1433,13 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data, /* * Check if a connection seems to be alive. */ -bool Curl_connalive(struct connectdata *conn) +bool Curl_connalive(struct Curl_easy *data, struct connectdata *conn) { + (void)data; /* First determine if ssl */ - if(conn->ssl[FIRSTSOCKET].use) { + if(Curl_conn_is_ssl(data, FIRSTSOCKET)) { /* use the SSL context */ - if(!Curl_ssl_check_cxn(conn)) + if(!Curl_ssl_check_cxn(data, conn)) return false; /* FIN received */ } /* Minix 3.1 doesn't support any flags on recv; just assume socket is OK */ @@ -1714,16 +1627,306 @@ void Curl_conncontrol(struct connectdata *conn, } } -/* Data received can be cached at various levels, so check them all here. */ -bool Curl_conn_data_pending(struct connectdata *conn, int sockindex) +typedef enum { + SCFST_INIT, + SCFST_WAITING, + SCFST_DONE +} cf_connect_state; + +struct socket_cf_ctx { + const struct Curl_dns_entry *remotehost; + cf_connect_state state; +}; + +static int socket_cf_get_select_socks(struct Curl_cfilter *cf, + struct Curl_easy *data, + curl_socket_t *socks) +{ + struct connectdata *conn = cf->conn; + int i, s, rc = GETSOCK_BLANK; + + (void)data; + if(cf->connected) { + return rc; + } + + for(i = s = 0; i<2; i++) { + if(conn->tempsock[i] != CURL_SOCKET_BAD) { + socks[s] = conn->tempsock[i]; + rc |= GETSOCK_WRITESOCK(s); +#ifdef ENABLE_QUIC + if(conn->transport == TRNSPRT_QUIC) + /* when connecting QUIC, we want to read the socket too */ + rc |= GETSOCK_READSOCK(s); +#endif + s++; + } + } + + return rc; +} + +static CURLcode socket_cf_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done) +{ + struct connectdata *conn = cf->conn; + int sockindex = cf->sockindex; + struct socket_cf_ctx *ctx = cf->ctx; + CURLcode result = CURLE_OK; + + if(cf->connected) { + *done = TRUE; + return CURLE_OK; + } + + (void)blocking; + DEBUGASSERT(ctx); + *done = FALSE; + switch(ctx->state) { + case SCFST_INIT: + DEBUGASSERT(CURL_SOCKET_BAD == conn->sock[sockindex]); + DEBUGASSERT(!cf->connected); + result = Curl_connecthost(data, conn, ctx->remotehost); + if(!result) + ctx->state = SCFST_WAITING; + break; + case SCFST_WAITING: + result = is_connected(data, conn, sockindex, done); + if(!result && *done) { + Curl_pgrsTime(data, TIMER_CONNECT); /* we're connected already */ + if(Curl_conn_is_ssl(data, FIRSTSOCKET) || + (conn->handler->protocol & PROTO_FAMILY_SSH)) + Curl_pgrsTime(data, TIMER_APPCONNECT); /* we're connected already */ + post_connect(data, conn, sockindex); + ctx->state = SCFST_DONE; + cf->connected = TRUE; + } + break; + case SCFST_DONE: + *done = TRUE; + break; + } + return result; +} + +static CURLcode socket_cf_setup(struct Curl_cfilter *cf, + struct Curl_easy *data, + const struct Curl_dns_entry *remotehost) +{ + struct socket_cf_ctx *ctx = cf->ctx; + + (void)data; + DEBUGASSERT(ctx); + if(ctx->remotehost != remotehost) { + if(ctx->remotehost) { + /* switching dns entry? TODO: reset? */ + } + ctx->remotehost = remotehost; + } + DEBUGF(infof(data, CFMSG(cf, "setup(remotehost=%s)"), + cf->conn->hostname_resolve)); + return CURLE_OK; +} + +static void socket_cf_close(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + int sockindex = cf->sockindex; + struct socket_cf_ctx *ctx = cf->ctx; + + DEBUGASSERT(ctx); + /* close possibly still open sockets */ + if(CURL_SOCKET_BAD != cf->conn->sock[sockindex]) { + Curl_closesocket(data, cf->conn, cf->conn->sock[sockindex]); + cf->conn->sock[sockindex] = CURL_SOCKET_BAD; + } + if(CURL_SOCKET_BAD != cf->conn->tempsock[sockindex]) { + Curl_closesocket(data, cf->conn, cf->conn->tempsock[sockindex]); + cf->conn->tempsock[sockindex] = CURL_SOCKET_BAD; + } + cf->connected = FALSE; + ctx->state = SCFST_INIT; +} + +static void socket_cf_get_host(struct Curl_cfilter *cf, + struct Curl_easy *data, + const char **phost, + const char **pdisplay_host, + int *pport) +{ + (void)data; + *phost = cf->conn->host.name; + *pdisplay_host = cf->conn->host.dispname; + *pport = cf->conn->port; +} + +static bool socket_cf_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { int readable; + (void)data; + DEBUGASSERT(cf); + + readable = SOCKET_READABLE(cf->conn->sock[cf->sockindex], 0); + return (readable > 0 && (readable & CURL_CSELECT_IN)); +} + +static ssize_t socket_cf_send(struct Curl_cfilter *cf, struct Curl_easy *data, + const void *buf, size_t len, CURLcode *err) +{ + ssize_t nwritten; + nwritten = Curl_send_plain(data, cf->sockindex, buf, len, err); + return nwritten; +} + +static ssize_t socket_cf_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + char *buf, size_t len, CURLcode *err) +{ + ssize_t nread; + nread = Curl_recv_plain(data, cf->sockindex, buf, len, err); + return nread; +} + +static void socket_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data) +{ + struct socket_cf_ctx *state = cf->ctx; + + (void)data; + if(cf->connected) { + socket_cf_close(cf, data); + } + /* release any resources held in state */ + Curl_safefree(state); +} + +static const struct Curl_cftype cft_socket = { + "SOCKET", + CF_TYPE_IP_CONNECT, + socket_cf_destroy, + socket_cf_setup, + socket_cf_connect, + socket_cf_close, + socket_cf_get_host, + socket_cf_get_select_socks, + socket_cf_data_pending, + socket_cf_send, + socket_cf_recv, + Curl_cf_def_attach_data, + Curl_cf_def_detach_data, +}; + +CURLcode Curl_conn_socket_set(struct Curl_easy *data, + struct connectdata *conn, + int sockindex) +{ + CURLcode result; + struct Curl_cfilter *cf = NULL; + struct socket_cf_ctx *scf_ctx = NULL; + + /* Need to be first */ DEBUGASSERT(conn); + DEBUGASSERT(!conn->cfilter[sockindex]); + scf_ctx = calloc(sizeof(*scf_ctx), 1); + if(!scf_ctx) { + result = CURLE_OUT_OF_MEMORY; + goto out; + } + result = Curl_cf_create(&cf, &cft_socket, scf_ctx); + if(result) + goto out; + Curl_conn_cf_add(data, conn, sockindex, cf); - if(Curl_ssl_data_pending(conn, sockindex) || - Curl_recv_has_postponed_data(conn, sockindex)) - return true; +out: + if(result) { + Curl_safefree(cf); + Curl_safefree(scf_ctx); + } + return result; +} - readable = SOCKET_READABLE(conn->sock[sockindex], 0); - return (readable > 0 && (readable & CURL_CSELECT_IN)); +static CURLcode socket_accept_cf_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done) +{ + /* we start accepted, if we ever close, we cannot go on */ + (void)data; + (void)blocking; + if(cf->connected) { + *done = TRUE; + return CURLE_OK; + } + return CURLE_FAILED_INIT; +} + +static CURLcode socket_accept_cf_setup(struct Curl_cfilter *cf, + struct Curl_easy *data, + const struct Curl_dns_entry *remotehost) +{ + /* we start accepted, if we ever close, we cannot go on */ + (void)data; + (void)remotehost; + if(cf->connected) { + return CURLE_OK; + } + return CURLE_FAILED_INIT; +} + +static const struct Curl_cftype cft_socket_accept = { + "SOCKET-ACCEPT", + CF_TYPE_IP_CONNECT, + socket_cf_destroy, + socket_accept_cf_setup, + socket_accept_cf_connect, + socket_cf_close, + socket_cf_get_host, /* TODO: not accurate */ + Curl_cf_def_get_select_socks, + socket_cf_data_pending, + socket_cf_send, + socket_cf_recv, + Curl_cf_def_attach_data, + Curl_cf_def_detach_data, +}; + +CURLcode Curl_conn_socket_accepted_set(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, curl_socket_t *s) +{ + CURLcode result; + struct Curl_cfilter *cf = NULL; + struct socket_cf_ctx *scf_ctx = NULL; + + cf = conn->cfilter[sockindex]; + if(cf && cf->cft == &cft_socket_accept) { + /* already an accept filter installed, just replace the socket */ + scf_ctx = cf->ctx; + result = CURLE_OK; + } + else { + /* replace any existing */ + Curl_conn_cf_discard_all(data, conn, sockindex); + scf_ctx = calloc(sizeof(*scf_ctx), 1); + if(!scf_ctx) { + result = CURLE_OUT_OF_MEMORY; + goto out; + } + result = Curl_cf_create(&cf, &cft_socket_accept, scf_ctx); + if(result) + goto out; + Curl_conn_cf_add(data, conn, sockindex, cf); + } + + /* close any existing socket and replace */ + Curl_closesocket(data, conn, conn->sock[sockindex]); + conn->sock[sockindex] = *s; + conn->bits.sock_accepted = TRUE; + cf->connected = TRUE; + scf_ctx->state = SCFST_DONE; + +out: + if(result) { + Curl_safefree(cf); + Curl_safefree(scf_ctx); + } + return result; } diff --git a/lib/connect.h b/lib/connect.h index 582ff08..1e90a85 100644 --- a/lib/connect.h +++ b/lib/connect.h @@ -29,11 +29,6 @@ #include "sockaddr.h" #include "timeval.h" -CURLcode Curl_is_connected(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, - bool *connected); - CURLcode Curl_connecthost(struct Curl_easy *data, struct connectdata *conn, const struct Curl_dns_entry *host); @@ -61,7 +56,7 @@ bool Curl_addr2string(struct sockaddr *sa, curl_socklen_t salen, /* * Check if a connection seems to be alive. */ -bool Curl_connalive(struct connectdata *conn); +bool Curl_connalive(struct Curl_easy *data, struct connectdata *conn); #ifdef USE_WINSOCK /* When you run a program that uses the Windows Sockets API, you may @@ -153,6 +148,13 @@ void Curl_conncontrol(struct connectdata *conn, #define connkeep(x,y) Curl_conncontrol(x, CONNCTRL_KEEP) #endif -bool Curl_conn_data_pending(struct connectdata *conn, int sockindex); +CURLcode Curl_conn_socket_set(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); + +CURLcode Curl_conn_socket_accepted_set(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, + curl_socket_t *s); #endif /* HEADER_CURL_CONNECT_H */ diff --git a/lib/cookie.c b/lib/cookie.c index 8eaedee..bccf2e8 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -300,12 +300,11 @@ static char *sanitize_cookie_path(const char *cookie_path) /* some stupid site sends path attribute with '"'. */ len = strlen(new_path); if(new_path[0] == '\"') { - memmove((void *)new_path, (const void *)(new_path + 1), len); + memmove(new_path, new_path + 1, len); len--; } if(len && (new_path[len - 1] == '\"')) { - new_path[len - 1] = 0x0; - len--; + new_path[--len] = 0x0; } /* RFC6265 5.2.4 The Path Attribute */ @@ -515,7 +514,7 @@ Curl_cookie_add(struct Curl_easy *data, return NULL; /* bail out if we're this low on memory */ if(httpheader) { - /* This line was read off a HTTP-header */ + /* This line was read off an HTTP-header */ char name[MAX_NAME]; char what[MAX_NAME]; const char *ptr; @@ -605,9 +604,9 @@ Curl_cookie_add(struct Curl_easy *data, * only test for names where that can possibly be true. */ if(nlen > 3 && name[0] == '_' && name[1] == '_') { - if(!strncmp("__Secure-", name, 9)) + if(strncasecompare("__Secure-", name, 9)) co->prefix |= COOKIE_PREFIX__SECURE; - else if(!strncmp("__Host-", name, 7)) + else if(strncasecompare("__Host-", name, 7)) co->prefix |= COOKIE_PREFIX__HOST; } @@ -780,10 +779,16 @@ Curl_cookie_add(struct Curl_easy *data, offt = curlx_strtoofft((*co->maxage == '\"')? &co->maxage[1]:&co->maxage[0], NULL, 10, &co->expires); - if(offt == CURL_OFFT_FLOW) + switch(offt) { + case CURL_OFFT_FLOW: /* overflow, used max value */ co->expires = CURL_OFF_T_MAX; - else if(!offt) { + break; + case CURL_OFFT_INVAL: + /* negative or otherwise bad, expire */ + co->expires = 1; + break; + case CURL_OFFT_OK: if(!co->expires) /* already expired */ co->expires = 1; @@ -792,6 +797,7 @@ Curl_cookie_add(struct Curl_easy *data, co->expires = CURL_OFF_T_MAX; else co->expires += now; + break; } } else if(co->expirestr) { @@ -864,7 +870,7 @@ Curl_cookie_add(struct Curl_easy *data, } else { /* - * This line is NOT a HTTP header style line, we do offer support for + * This line is NOT an HTTP header style line, we do offer support for * reading the odd netscape cookies-file format here */ char *ptr; @@ -1258,7 +1264,7 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, fp = NULL; } else { - fp = fopen(file, FOPEN_READTEXT); + fp = fopen(file, "rb"); if(!fp) infof(data, "WARNING: failed to open cookie file \"%s\"", file); } diff --git a/lib/curl_addrinfo.c b/lib/curl_addrinfo.c index 72e778b..bcea883 100644 --- a/lib/curl_addrinfo.c +++ b/lib/curl_addrinfo.c @@ -47,11 +47,6 @@ # include #endif -#if defined(NETWARE) && defined(__NOVELL_LIBC__) -# undef in_addr_t -# define in_addr_t unsigned long -#endif - #include #include "curl_addrinfo.h" diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake index 3ba1492..8f8964e 100644 --- a/lib/curl_config.h.cmake +++ b/lib/curl_config.h.cmake @@ -150,9 +150,6 @@ /* Define to 1 if you have the header file. */ #cmakedefine HAVE_ARPA_TFTP_H 1 -/* Define to 1 if you have the header file. */ -#cmakedefine HAVE_ASSERT_H 1 - /* Define to 1 if you have _Atomic support. */ #cmakedefine HAVE_ATOMIC 1 @@ -174,9 +171,6 @@ /* Define to 1 if you have the `closesocket' function. */ #cmakedefine HAVE_CLOSESOCKET 1 -/* Define to 1 if you have the header file. */ -#cmakedefine HAVE_ERRNO_H 1 - /* Define to 1 if you have the fcntl function. */ #cmakedefine HAVE_FCNTL 1 @@ -595,9 +589,6 @@ /* Define to 1 if you have the ws2tcpip.h header file. */ #cmakedefine HAVE_WS2TCPIP_H 1 -/* Define if you have the header file. */ -#cmakedefine HAVE_PROCESS_H 1 - /* Define to 1 if you need the lber.h header file even with ldap.h */ #cmakedefine NEED_LBER_H 1 @@ -790,8 +781,5 @@ ${SIZEOF_TIME_T_CODE} /* to enable Windows IDN */ #cmakedefine USE_WIN32_IDN 1 -/* to make the compiler know the prototypes of Windows IDN APIs */ -#cmakedefine WANT_IDN_PROTOTYPES 1 - /* Define to 1 to enable websocket support. */ #cmakedefine USE_WEBSOCKETS 1 diff --git a/lib/curl_endian.h b/lib/curl_endian.h index 758d55f..08d52e7 100644 --- a/lib/curl_endian.h +++ b/lib/curl_endian.h @@ -33,13 +33,4 @@ unsigned int Curl_read32_le(const unsigned char *buf); /* Converts a 16-bit integer from big endian */ unsigned short Curl_read16_be(const unsigned char *buf); -#if (SIZEOF_CURL_OFF_T > 4) -/* Converts a 64-bit integer to little endian */ -#if defined(HAVE_LONGLONG) -void Curl_write64_le(const long long value, unsigned char *buffer); -#else -void Curl_write64_le(const __int64 value, unsigned char *buffer); -#endif -#endif - #endif /* HEADER_CURL_ENDIAN_H */ diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c index 0dd1eb5..b8a85a9 100644 --- a/lib/curl_fnmatch.c +++ b/lib/curl_fnmatch.c @@ -76,9 +76,9 @@ static int parsekeyword(unsigned char **pattern, unsigned char *charset) parsekey_state state = CURLFNM_PKW_INIT; #define KEYLEN 10 char keyword[KEYLEN] = { 0 }; - int found = FALSE; int i; unsigned char *p = *pattern; + bool found = FALSE; for(i = 0; !found; i++) { char c = *p++; if(i >= KEYLEN) @@ -368,14 +368,13 @@ int Curl_fnmatch(void *ptr, const char *pattern, const char *string) */ int Curl_fnmatch(void *ptr, const char *pattern, const char *string) { - int rc; (void)ptr; /* the argument is specified by the curl_fnmatch_callback prototype, but not used by Curl_fnmatch() */ if(!pattern || !string) { return CURL_FNMATCH_FAIL; } - rc = fnmatch(pattern, string, 0); - switch(rc) { + + switch(fnmatch(pattern, string, 0)) { case 0: return CURL_FNMATCH_MATCH; case FNM_NOMATCH: diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c index 22e3705..0d8c285 100644 --- a/lib/curl_get_line.c +++ b/lib/curl_get_line.c @@ -41,17 +41,41 @@ char *Curl_get_line(char *buf, int len, FILE *input) bool partial = FALSE; while(1) { char *b = fgets(buf, len, input); + if(b) { size_t rlen = strlen(b); - if(rlen && (b[rlen-1] == '\n')) { + + if(!rlen) + break; + + if(b[rlen-1] == '\n') { + /* b is \n terminated */ if(partial) { partial = FALSE; continue; } return b; } - /* read a partial, discard the next piece that ends with newline */ - partial = TRUE; + else if(feof(input)) { + if(partial) + /* Line is already too large to return, ignore rest */ + break; + + if(rlen + 1 < (size_t) len) { + /* b is EOF terminated, insert missing \n */ + b[rlen] = '\n'; + b[rlen + 1] = '\0'; + return b; + } + else + /* Maximum buffersize reached + EOF + * This line is impossible to add a \n to so we'll ignore it + */ + break; + } + else + /* Maximum buffersize reached */ + partial = TRUE; } else break; diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index 38e193c..690f8f7 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -186,9 +186,9 @@ static void setup_des_key(const unsigned char *key_56, #elif defined(USE_NSS) /* - * Expands a 56 bit key KEY_56 to 64 bit and encrypts 64 bit of data, using - * the expanded key. The caller is responsible for giving 64 bit of valid - * data is IN and (at least) 64 bit large buffer as OUT. + * encrypt_des() expands a 56 bit key KEY_56 to 64 bit and encrypts 64 bit of + * data, using the expanded key. IN should point to 64 bits of source data, + * OUT to a 64 bit output buffer. */ static bool encrypt_des(const unsigned char *in, unsigned char *out, const unsigned char *key_56) @@ -658,7 +658,8 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_resp(unsigned char *ntlmv2hash, LONGQUARTET(tw.dwLowDateTime), LONGQUARTET(tw.dwHighDateTime)); memcpy(ptr + 32, challenge_client, 8); - memcpy(ptr + 44, ntlm->target_info, ntlm->target_info_len); + if(ntlm->target_info_len) + memcpy(ptr + 44, ntlm->target_info, ntlm->target_info_len); /* Concatenate the Type 2 challenge with the BLOB and do HMAC MD5 */ memcpy(ptr + 8, &ntlm->nonce[0], 8); diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c index 33dcf0c..fcf5075 100644 --- a/lib/curl_ntlm_wb.c +++ b/lib/curl_ntlm_wb.c @@ -385,7 +385,7 @@ CURLcode Curl_output_ntlm_wb(struct Curl_easy *data, struct connectdata *conn, bool proxy) { /* point to the address of the pointer that holds the string to send to the - server, which is for a plain host or for a HTTP proxy */ + server, which is for a plain host or for an HTTP proxy */ char **allocuserpwd; /* point to the name and password for this */ const char *userp; diff --git a/lib/curl_path.c b/lib/curl_path.c index b55e830..f00e3ee 100644 --- a/lib/curl_path.c +++ b/lib/curl_path.c @@ -71,10 +71,14 @@ CURLcode Curl_getworkingpath(struct Curl_easy *data, /* It is referenced to the home directory, so strip the leading '/' */ memcpy(real_path, homedir, homelen); - real_path[homelen] = '/'; - real_path[homelen + 1] = '\0'; + /* Only add a trailing '/' if homedir does not end with one */ + if(homelen == 0 || real_path[homelen - 1] != '/') { + real_path[homelen] = '/'; + homelen++; + real_path[homelen] = '\0'; + } if(working_path_len > 3) { - memcpy(real_path + homelen + 1, working_path + 3, + memcpy(real_path + homelen, working_path + 3, 1 + working_path_len -3); } } @@ -148,15 +152,12 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) break; } if(cp[i] == '\0') { /* End of string */ - /*error("Unterminated quote");*/ goto fail; } if(cp[i] == '\\') { /* Escaped characters */ i++; if(cp[i] != '\'' && cp[i] != '\"' && cp[i] != '\\') { - /*error("Bad escaped character '\\%c'", - cp[i]);*/ goto fail; } } @@ -164,7 +165,6 @@ CURLcode Curl_get_pathname(const char **cpp, char **path, char *homedir) } if(j == 0) { - /*error("Empty quotes");*/ goto fail; } *cpp = cp + i + strspn(cp + i, WHITESPACE); diff --git a/lib/curl_range.c b/lib/curl_range.c index dd92d05..4999936 100644 --- a/lib/curl_range.c +++ b/lib/curl_range.c @@ -44,12 +44,12 @@ CURLcode Curl_range(struct Curl_easy *data) if(data->state.use_range && data->state.range) { CURLofft from_t; CURLofft to_t; - from_t = curlx_strtoofft(data->state.range, &ptr, 0, &from); + from_t = curlx_strtoofft(data->state.range, &ptr, 10, &from); if(from_t == CURL_OFFT_FLOW) return CURLE_RANGE_ERROR; while(*ptr && (ISBLANK(*ptr) || (*ptr == '-'))) ptr++; - to_t = curlx_strtoofft(ptr, &ptr2, 0, &to); + to_t = curlx_strtoofft(ptr, &ptr2, 10, &to); if(to_t == CURL_OFFT_FLOW) return CURLE_RANGE_ERROR; if((to_t == CURL_OFFT_INVAL) && !from_t) { diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c index b0c3710..1932cb4 100644 --- a/lib/curl_rtmp.c +++ b/lib/curl_rtmp.c @@ -85,7 +85,7 @@ const struct Curl_handler Curl_handler_rtmp = { PORT_RTMP, /* defport */ CURLPROTO_RTMP, /* protocol */ CURLPROTO_RTMP, /* family */ - PROTOPT_NONE /* flags*/ + PROTOPT_NONE /* flags */ }; const struct Curl_handler Curl_handler_rtmpt = { @@ -108,7 +108,7 @@ const struct Curl_handler Curl_handler_rtmpt = { PORT_RTMPT, /* defport */ CURLPROTO_RTMPT, /* protocol */ CURLPROTO_RTMPT, /* family */ - PROTOPT_NONE /* flags*/ + PROTOPT_NONE /* flags */ }; const struct Curl_handler Curl_handler_rtmpe = { @@ -131,7 +131,7 @@ const struct Curl_handler Curl_handler_rtmpe = { PORT_RTMP, /* defport */ CURLPROTO_RTMPE, /* protocol */ CURLPROTO_RTMPE, /* family */ - PROTOPT_NONE /* flags*/ + PROTOPT_NONE /* flags */ }; const struct Curl_handler Curl_handler_rtmpte = { @@ -154,7 +154,7 @@ const struct Curl_handler Curl_handler_rtmpte = { PORT_RTMPT, /* defport */ CURLPROTO_RTMPTE, /* protocol */ CURLPROTO_RTMPTE, /* family */ - PROTOPT_NONE /* flags*/ + PROTOPT_NONE /* flags */ }; const struct Curl_handler Curl_handler_rtmps = { @@ -177,7 +177,7 @@ const struct Curl_handler Curl_handler_rtmps = { PORT_RTMPS, /* defport */ CURLPROTO_RTMPS, /* protocol */ CURLPROTO_RTMP, /* family */ - PROTOPT_NONE /* flags*/ + PROTOPT_NONE /* flags */ }; const struct Curl_handler Curl_handler_rtmpts = { @@ -200,7 +200,7 @@ const struct Curl_handler Curl_handler_rtmpts = { PORT_RTMPS, /* defport */ CURLPROTO_RTMPTS, /* protocol */ CURLPROTO_RTMPT, /* family */ - PROTOPT_NONE /* flags*/ + PROTOPT_NONE /* flags */ }; static CURLcode rtmp_setup_connection(struct Curl_easy *data, diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c index 9684ee4..46ee800 100644 --- a/lib/curl_sasl.c +++ b/lib/curl_sasl.c @@ -44,6 +44,7 @@ #include "curl_base64.h" #include "curl_md5.h" #include "vauth/vauth.h" +#include "cfilters.h" #include "vtls/vtls.h" #include "curl_hmac.h" #include "curl_sasl.h" @@ -340,8 +341,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, struct bufref resp; saslstate state1 = SASL_STOP; saslstate state2 = SASL_FINAL; - const char * const hostname = SSL_HOST_NAME(); - const long int port = SSL_HOST_PORT(); + const char *hostname, *disp_hostname; + int port; #if defined(USE_KERBEROS5) || defined(USE_NTLM) const char *service = data->set.str[STRING_SERVICE_NAME] ? data->set.str[STRING_SERVICE_NAME] : @@ -350,6 +351,7 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct Curl_easy *data, const char *oauth_bearer = data->set.str[STRING_BEARER]; struct bufref nullmsg; + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); Curl_bufref_init(&nullmsg); Curl_bufref_init(&resp); sasl->force_ir = force_ir; /* Latch for future use */ @@ -525,8 +527,8 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, struct connectdata *conn = data->conn; saslstate newstate = SASL_FINAL; struct bufref resp; - const char * const hostname = SSL_HOST_NAME(); - const long int port = SSL_HOST_PORT(); + const char *hostname, *disp_hostname; + int port; #if !defined(CURL_DISABLE_CRYPTO_AUTH) || defined(USE_KERBEROS5) || \ defined(USE_NTLM) const char *service = data->set.str[STRING_SERVICE_NAME] ? @@ -536,6 +538,7 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data, const char *oauth_bearer = data->set.str[STRING_BEARER]; struct bufref serverdata; + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); Curl_bufref_init(&serverdata); Curl_bufref_init(&resp); *progress = SASL_INPROGRESS; diff --git a/lib/curl_setup.h b/lib/curl_setup.h index ac27b13..434b86c 100644 --- a/lib/curl_setup.h +++ b/lib/curl_setup.h @@ -92,7 +92,7 @@ # endif #endif -#if defined(macintosh) && defined(__MRC__) +#ifdef macintosh # include "config-mac.h" #endif @@ -112,6 +112,10 @@ # include "config-plan9.h" #endif +#ifdef MSDOS +# include "config-dos.h" +#endif + #endif /* HAVE_CONFIG_H */ /* ================================================================ */ @@ -318,9 +322,7 @@ #endif #include -#ifdef HAVE_ASSERT_H #include -#endif #ifdef __TANDEM /* for ns*-tandem-nsk systems */ # if ! defined __LP64 @@ -693,7 +695,7 @@ # define UNUSED_PARAM __attribute__((__unused__)) # define WARN_UNUSED_RESULT __attribute__((warn_unused_result)) #else -# define UNUSED_PARAM /*NOTHING*/ +# define UNUSED_PARAM /* NOTHING */ # define WARN_UNUSED_RESULT #endif diff --git a/lib/curl_setup_once.h b/lib/curl_setup_once.h index f09b00f..ac4a7f1 100644 --- a/lib/curl_setup_once.h +++ b/lib/curl_setup_once.h @@ -34,10 +34,7 @@ #include #include #include - -#ifdef HAVE_ERRNO_H #include -#endif #ifdef HAVE_SYS_TYPES_H #include @@ -287,7 +284,7 @@ typedef unsigned int bit; */ #undef DEBUGASSERT -#if defined(DEBUGBUILD) && defined(HAVE_ASSERT_H) +#if defined(DEBUGBUILD) #define DEBUGASSERT(x) assert(x) #else #define DEBUGASSERT(x) do { } while(0) diff --git a/lib/curl_sha256.h b/lib/curl_sha256.h index 754c761..39523af 100644 --- a/lib/curl_sha256.h +++ b/lib/curl_sha256.h @@ -33,7 +33,7 @@ extern const struct HMAC_params Curl_HMAC_SHA256[1]; #ifdef USE_WOLFSSL /* SHA256_DIGEST_LENGTH is an enum value in wolfSSL. Need to import it from - * sha.h*/ + * sha.h */ #include #include #else diff --git a/lib/curl_threads.c b/lib/curl_threads.c index eb8e136..dff6167 100644 --- a/lib/curl_threads.c +++ b/lib/curl_threads.c @@ -31,9 +31,7 @@ # include # endif #elif defined(USE_THREADS_WIN32) -# ifdef HAVE_PROCESS_H -# include -# endif +# include #endif #include "curl_threads.h" diff --git a/lib/dict.c b/lib/dict.c index 6f7678f..993373e 100644 --- a/lib/dict.c +++ b/lib/dict.c @@ -319,4 +319,4 @@ static CURLcode dict_do(struct Curl_easy *data, bool *done) return CURLE_OK; } -#endif /*CURL_DISABLE_DICT*/ +#endif /* CURL_DISABLE_DICT */ diff --git a/lib/easy.c b/lib/easy.c index b8ac1ef..d7f93be 100644 --- a/lib/easy.c +++ b/lib/easy.c @@ -71,7 +71,6 @@ #include "mime.h" #include "amigaos.h" #include "warnless.h" -#include "multiif.h" #include "sigpipe.h" #include "vssh/ssh.h" #include "setopt.h" @@ -829,7 +828,7 @@ static CURLcode dupset(struct Curl_easy *dst, struct Curl_easy *src) /* Copy src->set into dst->set first, then deal with the strings afterwards */ dst->set = src->set; - Curl_mime_initpart(&dst->set.mimepost, dst); + Curl_mime_initpart(&dst->set.mimepost); /* clear all string pointers first */ memset(dst->set.str, 0, STRING_LAST * sizeof(char *)); @@ -863,7 +862,7 @@ static CURLcode dupset(struct Curl_easy *dst, struct Curl_easy *src) } /* Duplicate mime data. */ - result = Curl_mime_duppart(&dst->set.mimepost, &src->set.mimepost); + result = Curl_mime_duppart(dst, &dst->set.mimepost, &src->set.mimepost); if(src->set.resolve) dst->state.resolve = dst->set.resolve; diff --git a/lib/easyoptions.c b/lib/easyoptions.c index e59b63a..03b814e 100644 --- a/lib/easyoptions.c +++ b/lib/easyoptions.c @@ -42,6 +42,7 @@ struct curl_easyoption Curl_easyopts[] = { {"CAINFO", CURLOPT_CAINFO, CURLOT_STRING, 0}, {"CAINFO_BLOB", CURLOPT_CAINFO_BLOB, CURLOT_BLOB, 0}, {"CAPATH", CURLOPT_CAPATH, CURLOT_STRING, 0}, + {"CA_CACHE_TIMEOUT", CURLOPT_CA_CACHE_TIMEOUT, CURLOT_LONG, 0}, {"CERTINFO", CURLOPT_CERTINFO, CURLOT_LONG, 0}, {"CHUNK_BGN_FUNCTION", CURLOPT_CHUNK_BGN_FUNCTION, CURLOT_FUNCTION, 0}, {"CHUNK_DATA", CURLOPT_CHUNK_DATA, CURLOT_CBPTR, 0}, @@ -241,6 +242,7 @@ struct curl_easyoption Curl_easyopts[] = { CURLOT_STRING, 0}, {"PROXY_TRANSFER_MODE", CURLOPT_PROXY_TRANSFER_MODE, CURLOT_LONG, 0}, {"PUT", CURLOPT_PUT, CURLOT_LONG, 0}, + {"QUICK_EXIT", CURLOPT_QUICK_EXIT, CURLOT_LONG, 0}, {"QUOTE", CURLOPT_QUOTE, CURLOT_SLIST, 0}, {"RANDOM_FILE", CURLOPT_RANDOM_FILE, CURLOT_STRING, 0}, {"RANGE", CURLOPT_RANGE, CURLOT_STRING, 0}, @@ -368,6 +370,6 @@ struct curl_easyoption Curl_easyopts[] = { */ int Curl_easyopts_check(void) { - return ((CURLOPT_LASTENTRY%10000) != (320 + 1)); + return ((CURLOPT_LASTENTRY%10000) != (322 + 1)); } #endif diff --git a/lib/escape.c b/lib/escape.c index da7e552..ed59838 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -202,7 +202,7 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string, char *str = NULL; (void)data; if(length >= 0) { - size_t inputlen = length; + size_t inputlen = (size_t)length; size_t outputlen; CURLcode res = Curl_urldecode(string, inputlen, &str, &outputlen, REJECT_NADA); diff --git a/lib/file.c b/lib/file.c index d82d57b..3f642be 100644 --- a/lib/file.c +++ b/lib/file.c @@ -150,9 +150,19 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done) char *actual_path; #endif size_t real_path_len; + CURLcode result; + + if(file->path) { + /* already connected. + * the handler->connect_it() is normally only called once, but + * FILE does a special check on setting up the connection which + * calls this explicitly. */ + *done = TRUE; + return CURLE_OK; + } - CURLcode result = Curl_urldecode(data->state.up.path, 0, &real_path, - &real_path_len, REJECT_ZERO); + result = Curl_urldecode(data->state.up.path, 0, &real_path, + &real_path_len, REJECT_ZERO); if(result) return result; @@ -226,6 +236,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done) file->path = real_path; #endif #endif + Curl_safefree(file->freepath); file->freepath = real_path; /* free this when done */ file->fd = fd; @@ -329,7 +340,7 @@ static CURLcode file_upload(struct Curl_easy *data) while(!result) { size_t nread; - size_t nwrite; + ssize_t nwrite; size_t readcount; result = Curl_fillreadbuffer(data, data->set.buffer_size, &readcount); if(result) @@ -340,7 +351,7 @@ static CURLcode file_upload(struct Curl_easy *data) nread = readcount; - /*skip bytes before resume point*/ + /* skip bytes before resume point */ if(data->state.resume_from) { if((curl_off_t)nread <= data->state.resume_from) { data->state.resume_from -= nread; @@ -358,7 +369,7 @@ static CURLcode file_upload(struct Curl_easy *data) /* write the data to the target */ nwrite = write(fd, buf2, nread); - if(nwrite != nread) { + if((size_t)nwrite != nread) { result = CURLE_SEND_ERROR; break; } @@ -471,13 +482,13 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) tm->tm_hour, tm->tm_min, tm->tm_sec, - data->set.opt_no_body ? "": "\r\n"); + data->req.no_body ? "": "\r\n"); result = Curl_client_write(data, CLIENTWRITE_HEADER, header, headerlen); if(result) return result; /* set the file size to make it available post transfer */ Curl_pgrsSetDownloadSize(data, expected_size); - if(data->set.opt_no_body) + if(data->req.no_body) return result; } diff --git a/lib/formdata.c b/lib/formdata.c index 46542b4..b30e8de 100644 --- a/lib/formdata.c +++ b/lib/formdata.c @@ -59,7 +59,7 @@ * * AddHttpPost() * - * Adds a HttpPost structure to the list, if parent_post is given becomes + * Adds an HttpPost structure to the list, if parent_post is given becomes * a subpost of parent_post instead of a direct list element. * * Returns newly allocated HttpPost on success and NULL if malloc failed. @@ -135,15 +135,13 @@ static struct FormInfo *AddFormInfo(char *value, { struct FormInfo *form_info; form_info = calloc(1, sizeof(struct FormInfo)); - if(form_info) { - if(value) - form_info->value = value; - if(contenttype) - form_info->contenttype = contenttype; - form_info->flags = HTTPPOST_FILENAME; - } - else + if(!form_info) return NULL; + if(value) + form_info->value = value; + if(contenttype) + form_info->contenttype = contenttype; + form_info->flags = HTTPPOST_FILENAME; if(parent_form_info) { /* now, point our 'more' to the original 'more' */ @@ -199,7 +197,7 @@ static struct FormInfo *AddFormInfo(char *value, * CURL_FORMADD_MEMORY if the allocation of a FormInfo struct failed * CURL_FORMADD_UNKNOWN_OPTION if an unknown option was used * CURL_FORMADD_INCOMPLETE if the some FormInfo is not complete (or error) - * CURL_FORMADD_MEMORY if a HttpPost struct cannot be allocated + * CURL_FORMADD_MEMORY if an HttpPost struct cannot be allocated * CURL_FORMADD_MEMORY if some allocation for string copying failed. * CURL_FORMADD_ILLEGAL_ARRAY if an illegal option is used in an array * @@ -717,10 +715,10 @@ int curl_formget(struct curl_httppost *form, void *arg, CURLcode result; curl_mimepart toppart; - Curl_mime_initpart(&toppart, NULL); /* default form is empty */ + Curl_mime_initpart(&toppart); /* default form is empty */ result = Curl_getformdata(NULL, &toppart, form, NULL); if(!result) - result = Curl_mime_prepare_headers(&toppart, "multipart/form-data", + result = Curl_mime_prepare_headers(NULL, &toppart, "multipart/form-data", NULL, MIMESTRATEGY_FORM); while(!result) { diff --git a/lib/ftp.c b/lib/ftp.c index f1a25b2..8f0ac2e 100644 --- a/lib/ftp.c +++ b/lib/ftp.c @@ -43,11 +43,6 @@ #include #endif -#if (defined(NETWARE) && defined(__NOVELL_LIBC__)) -#undef in_addr_t -#define in_addr_t unsigned long -#endif - #include #include "urldata.h" #include "sendf.h" @@ -65,6 +60,7 @@ #include "strtoofft.h" #include "strcase.h" #include "vtls/vtls.h" +#include "cfilters.h" #include "connect.h" #include "strerror.h" #include "inet_ntop.h" @@ -74,7 +70,6 @@ #include "sockaddr.h" /* required for Curl_sockaddr_storage */ #include "multiif.h" #include "url.h" -#include "strcase.h" #include "speedcheck.h" #include "warnless.h" #include "http_proxy.h" @@ -219,14 +214,8 @@ const struct Curl_handler Curl_handler_ftps = { static void close_secondarysocket(struct Curl_easy *data, struct connectdata *conn) { - if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET]) { - Curl_closesocket(data, conn, conn->sock[SECONDARYSOCKET]); - conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD; - } - conn->bits.tcpconnect[SECONDARYSOCKET] = FALSE; -#ifndef CURL_DISABLE_PROXY - conn->bits.proxy_ssl_connected[SECONDARYSOCKET] = FALSE; -#endif + Curl_conn_close(data, SECONDARYSOCKET); + Curl_conn_cf_discard_all(data, conn, SECONDARYSOCKET); } /* @@ -278,13 +267,13 @@ static CURLcode AcceptServerConnect(struct Curl_easy *data) struct sockaddr_in add; #endif curl_socklen_t size = (curl_socklen_t) sizeof(add); + CURLcode result; if(0 == getsockname(sock, (struct sockaddr *) &add, &size)) { size = sizeof(add); s = accept(sock, (struct sockaddr *) &add, &size); } - Curl_closesocket(data, conn, sock); /* close the first socket */ if(CURL_SOCKET_BAD == s) { failf(data, "Error accept()ing server connect"); @@ -295,9 +284,11 @@ static CURLcode AcceptServerConnect(struct Curl_easy *data) not needing DO_MORE anymore */ conn->bits.do_more = FALSE; - conn->sock[SECONDARYSOCKET] = s; (void)curlx_nonblock(s, TRUE); /* enable non-blocking */ - conn->bits.sock_accepted = TRUE; + /* Replace any filter on SECONDARY with one listeing on this socket */ + result = Curl_conn_socket_accepted_set(data, conn, SECONDARYSOCKET, &s); + if(result) + return result; if(data->set.fsockopt) { int error = 0; @@ -441,15 +432,12 @@ static CURLcode InitiateTransfer(struct Curl_easy *data) { CURLcode result = CURLE_OK; struct connectdata *conn = data->conn; + bool connected; - if(conn->bits.ftp_use_data_ssl) { - /* since we only have a plaintext TCP connection here, we must now - * do the TLS stuff */ - infof(data, "Doing the SSL/TLS handshake on the data stream"); - result = Curl_ssl_connect(data, conn, SECONDARYSOCKET); - if(result) - return result; - } + DEBUGF(infof(data, "ftp InitiateTransfer()")); + result = Curl_conn_connect(data, SECONDARYSOCKET, TRUE, &connected); + if(result || !connected) + return result; if(conn->proto.ftpc.state_saved == FTP_STOR) { /* When we know we're uploading a specified file, we can get the file @@ -497,22 +485,23 @@ static CURLcode AllowServerConnect(struct Curl_easy *data, bool *connected) if(timeout_ms < 0) { /* if a timeout was already reached, bail out */ failf(data, "Accept timeout occurred while waiting server connect"); - return CURLE_FTP_ACCEPT_TIMEOUT; + result = CURLE_FTP_ACCEPT_TIMEOUT; + goto out; } /* see if the connection request is already here */ result = ReceivedServerConnect(data, connected); if(result) - return result; + goto out; if(*connected) { result = AcceptServerConnect(data); if(result) - return result; + goto out; result = InitiateTransfer(data); if(result) - return result; + goto out; } else { /* Add timeout to multi handle and break out of the loop */ @@ -521,6 +510,8 @@ static CURLcode AllowServerConnect(struct Curl_easy *data, bool *connected) EXPIRE_FTP_ACCEPT); } +out: + DEBUGF(infof(data, "ftp AllowServerConnect() -> %d", result)); return result; } @@ -672,7 +663,7 @@ CURLcode Curl_GetFTPResponse(struct Curl_easy *data, * wait for more data anyway. */ } - else if(!Curl_conn_data_pending(conn, FIRSTSOCKET)) { + else if(!Curl_conn_data_pending(data, FIRSTSOCKET)) { switch(SOCKET_READABLE(sockfd, interval_ms)) { case -1: /* select() error, stop reading */ failf(data, "FTP response aborted due to select/poll error: %d", @@ -821,8 +812,10 @@ static int ftp_domore_getsock(struct Curl_easy *data, * handle ordinary commands. */ - if(SOCKS_STATE(conn->cnnct.state)) - return Curl_SOCKS_getsock(conn, socks, SECONDARYSOCKET); + DEBUGF(infof(data, "ftp_domore_getsock()")); + if(conn->cfilter[SECONDARYSOCKET] + && !Curl_conn_is_connected(conn, SECONDARYSOCKET)) + return Curl_conn_get_select_socks(data, SECONDARYSOCKET, socks); if(FTP_STOP == ftpc->state) { int bits = GETSOCK_READSOCK(0); @@ -917,7 +910,7 @@ typedef enum { static CURLcode ftp_state_use_port(struct Curl_easy *data, ftpport fcmd) /* start with this */ { - CURLcode result = CURLE_OK; + CURLcode result = CURLE_FTP_PORT_FAILED; struct connectdata *conn = data->conn; struct ftp_conn *ftpc = &conn->proto.ftpc; curl_socket_t portsock = CURL_SOCKET_BAD; @@ -966,8 +959,10 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, char *port_sep = NULL; addr = calloc(addrlen + 1, 1); - if(!addr) - return CURLE_OUT_OF_MEMORY; + if(!addr) { + result = CURLE_OUT_OF_MEMORY; + goto out; + } #ifdef ENABLE_IPV6 if(*string_ftpport == '[') { @@ -1027,7 +1022,6 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, if(port_min > port_max) port_min = port_max = 0; - if(*addr != '\0') { /* attempt to get the address of the given interface name */ switch(Curl_if2ip(conn->ip_addr->ai_family, @@ -1041,7 +1035,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, host = addr; break; case IF2IP_AF_NOT_SUPPORTED: - return CURLE_FTP_PORT_FAILED; + goto out; case IF2IP_FOUND: host = hbuf; /* use the hbuf for host name */ } @@ -1059,8 +1053,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, if(getsockname(conn->sock[FIRSTSOCKET], sa, &sslen)) { failf(data, "getsockname() failed: %s", Curl_strerror(SOCKERRNO, buffer, sizeof(buffer))); - free(addr); - return CURLE_FTP_PORT_FAILED; + goto out; } switch(sa->sa_family) { #ifdef ENABLE_IPV6 @@ -1072,8 +1065,9 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, r = Curl_inet_ntop(sa->sa_family, &sa4->sin_addr, hbuf, sizeof(hbuf)); break; } - if(!r) - return CURLE_FTP_PORT_FAILED; + if(!r) { + goto out; + } host = hbuf; /* use this host name */ possibly_non_local = FALSE; /* we know it is local now */ } @@ -1093,11 +1087,9 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, if(!res) { failf(data, "failed to resolve the address provided to PORT: %s", host); - free(addr); - return CURLE_FTP_PORT_FAILED; + goto out; } - free(addr); host = NULL; /* step 2, create a socket for the requested address */ @@ -1105,8 +1097,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, portsock = CURL_SOCKET_BAD; error = 0; for(ai = res; ai; ai = ai->ai_next) { - result = Curl_socket(data, ai, NULL, &portsock); - if(result) { + if(Curl_socket(data, ai, NULL, &portsock)) { error = SOCKERRNO; continue; } @@ -1115,8 +1106,9 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, if(!ai) { failf(data, "socket failure: %s", Curl_strerror(error, buffer, sizeof(buffer))); - return CURLE_FTP_PORT_FAILED; + goto out; } + DEBUGF(infof(data, "ftp_state_use_port(), opened socket")); /* step 3, bind to a suitable local address */ @@ -1145,8 +1137,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, if(getsockname(conn->sock[FIRSTSOCKET], sa, &sslen)) { failf(data, "getsockname() failed: %s", Curl_strerror(SOCKERRNO, buffer, sizeof(buffer))); - Curl_closesocket(data, conn, portsock); - return CURLE_FTP_PORT_FAILED; + goto out; } port = port_min; possibly_non_local = FALSE; /* don't try this again */ @@ -1155,8 +1146,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, if(error != EADDRINUSE && error != EACCES) { failf(data, "bind(port=%hu) failed: %s", port, Curl_strerror(error, buffer, sizeof(buffer))); - Curl_closesocket(data, conn, portsock); - return CURLE_FTP_PORT_FAILED; + goto out; } } else @@ -1165,31 +1155,30 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, port++; } - /* maybe all ports were in use already*/ + /* maybe all ports were in use already */ if(port > port_max) { failf(data, "bind() failed, we ran out of ports"); - Curl_closesocket(data, conn, portsock); - return CURLE_FTP_PORT_FAILED; + goto out; } /* get the name again after the bind() so that we can extract the port number it uses now */ sslen = sizeof(ss); - if(getsockname(portsock, (struct sockaddr *)sa, &sslen)) { + if(getsockname(portsock, sa, &sslen)) { failf(data, "getsockname() failed: %s", Curl_strerror(SOCKERRNO, buffer, sizeof(buffer))); - Curl_closesocket(data, conn, portsock); - return CURLE_FTP_PORT_FAILED; + goto out; } + DEBUGF(infof(data, "ftp_state_use_port(), socket bound to port %d", port)); /* step 4, listen on the socket */ if(listen(portsock, 1)) { failf(data, "socket failure: %s", Curl_strerror(SOCKERRNO, buffer, sizeof(buffer))); - Curl_closesocket(data, conn, portsock); - return CURLE_FTP_PORT_FAILED; + goto out; } + DEBUGF(infof(data, "ftp_state_use_port(), listening on %d", port)); /* step 5, send the proper FTP command */ @@ -1242,12 +1231,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, if(result) { failf(data, "Failure sending EPRT command: %s", curl_easy_strerror(result)); - Curl_closesocket(data, conn, portsock); - /* don't retry using PORT */ - ftpc->count1 = PORT; - /* bail out */ - state(data, FTP_STOP); - return result; + goto out; } break; } @@ -1273,10 +1257,7 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, if(result) { failf(data, "Failure sending PORT command: %s", curl_easy_strerror(result)); - Curl_closesocket(data, conn, portsock); - /* bail out */ - state(data, FTP_STOP); - return result; + goto out; } break; } @@ -1285,23 +1266,21 @@ static CURLcode ftp_state_use_port(struct Curl_easy *data, /* store which command was sent */ ftpc->count1 = fcmd; - close_secondarysocket(data, conn); - - /* we set the secondary socket variable to this for now, it is only so that - the cleanup function will close it in case we fail before the true - secondary stuff is made */ - conn->sock[SECONDARYSOCKET] = portsock; - - /* this tcpconnect assignment below is a hackish work-around to make the - multi interface with active FTP work - as it will not wait for a - (passive) connect in Curl_is_connected(). - - The *proper* fix is to make sure that the active connection from the - server is done in a non-blocking way. Currently, it is still BLOCKING. - */ - conn->bits.tcpconnect[SECONDARYSOCKET] = TRUE; - + /* Replace any filter on SECONDARY with one listeing on this socket */ + result = Curl_conn_socket_accepted_set(data, conn, SECONDARYSOCKET, + &portsock); + if(result) + goto out; + portsock = CURL_SOCKET_BAD; /* now held in filter */ state(data, FTP_PORT); + +out: + if(result) { + state(data, FTP_STOP); + } + if(portsock != CURL_SOCKET_BAD) + Curl_closesocket(data, conn, portsock); + free(addr); return result; } @@ -1525,7 +1504,7 @@ static CURLcode ftp_state_type(struct Curl_easy *data) /* If we have selected NOBODY and HEADER, it means that we only want file information. Which in FTP can't be much more than the file size and date. */ - if(data->set.opt_no_body && ftpc->file && + if(data->req.no_body && ftpc->file && ftp_need_type(conn, data->state.prefer_ascii)) { /* The SIZE command is _not_ RFC 959 specified, and therefore many servers may not support it! It is however the only way we have to get a file's @@ -1804,6 +1783,8 @@ static CURLcode ftp_epsv_disable(struct Curl_easy *data, infof(data, "Failed EPSV attempt. Disabling EPSV"); /* disable it for next transfer */ conn->bits.ftp_use_epsv = FALSE; + Curl_conn_close(data, SECONDARYSOCKET); + Curl_conn_cf_discard_all(data, conn, SECONDARYSOCKET); data->state.errorbuf = FALSE; /* allow error message to get rewritten */ result = Curl_pp_sendf(data, &conn->proto.ftpc.pp, "%s", "PASV"); @@ -1951,7 +1932,7 @@ static CURLcode ftp_state_pasv_resp(struct Curl_easy *data, */ const char * const host_name = conn->bits.socksproxy ? conn->socks_proxy.host.name : conn->http_proxy.host.name; - rc = Curl_resolv(data, host_name, (int)conn->port, FALSE, &addr); + rc = Curl_resolv(data, host_name, conn->port, FALSE, &addr); if(rc == CURLRESOLV_PENDING) /* BLOCKING, ignores the return code but 'addr' will be NULL in case of failure */ @@ -1993,8 +1974,9 @@ static CURLcode ftp_state_pasv_resp(struct Curl_easy *data, } } - conn->bits.tcpconnect[SECONDARYSOCKET] = FALSE; - result = Curl_connecthost(data, conn, addr); + result = Curl_conn_setup(data, conn, SECONDARYSOCKET, addr, + conn->bits.ftp_use_data_ssl? + CURL_CF_SSL_ENABLE : CURL_CF_SSL_DISABLE); if(result) { Curl_resolv_unlock(data, addr); /* we're done using this address */ @@ -2092,9 +2074,9 @@ static CURLcode ftp_state_mdtm_resp(struct Curl_easy *data, #ifdef CURL_FTP_HTTPSTYLE_HEAD /* If we asked for a time of the file and we actually got one as well, - we "emulate" a HTTP-style header in our output. */ + we "emulate" an HTTP-style header in our output. */ - if(data->set.opt_no_body && + if(data->req.no_body && ftpc->file && data->set.get_filetime && (data->info.filetime >= 0) ) { @@ -2210,6 +2192,7 @@ static CURLcode ftp_state_retr(struct Curl_easy *data, struct connectdata *conn = data->conn; struct ftp_conn *ftpc = &conn->proto.ftpc; + DEBUGF(infof(data, "ftp_state_retr()")); if(data->set.max_filesize && (filesize > data->set.max_filesize)) { failf(data, "Maximum file size exceeded"); return CURLE_FILESIZE_EXCEEDED; @@ -2310,7 +2293,7 @@ static CURLcode ftp_state_size_resp(struct Curl_easy *data, else fdigit = start; /* ignores parsing errors, which will make the size remain unknown */ - (void)curlx_strtoofft(fdigit, NULL, 0, &filesize); + (void)curlx_strtoofft(fdigit, NULL, 10, &filesize); } else if(ftpcode == 550) { /* "No such file or directory" */ @@ -2465,6 +2448,7 @@ static CURLcode ftp_state_get_resp(struct Curl_easy *data, if((instate != FTP_LIST) && !data->state.prefer_ascii && + !data->set.ignorecl && (ftp->downloadsize < 1)) { /* * It seems directory listings either don't show the size or very @@ -2495,7 +2479,7 @@ static CURLcode ftp_state_get_resp(struct Curl_easy *data, if(bytes) { ++bytes; /* get the number! */ - (void)curlx_strtoofft(bytes, NULL, 0, &size); + (void)curlx_strtoofft(bytes, NULL, 10, &size); } } } @@ -2756,8 +2740,16 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, */ if((ftpcode == 234) || (ftpcode == 334)) { - /* Curl_ssl_connect is BLOCKING */ - result = Curl_ssl_connect(data, conn, FIRSTSOCKET); + /* this was BLOCKING, keep it so for now */ + bool done; + if(!Curl_conn_is_ssl(data, FIRSTSOCKET)) { + result = Curl_ssl_cfilter_add(data, conn, FIRSTSOCKET); + if(result) { + /* we failed and bail out */ + return CURLE_USE_SSL_FAILED; + } + } + result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, &done); if(!result) { conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */ @@ -2823,7 +2815,7 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, case FTP_CCC: if(ftpcode < 500) { /* First shut down the SSL layer (note: this call will block) */ - result = Curl_ssl_shutdown(data, conn, FIRSTSOCKET); + result = Curl_ssl_cfilter_remove(data, FIRSTSOCKET); if(result) failf(data, "Failed to clear the command channel (CCC)"); @@ -3167,7 +3159,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, if(conn->handler->flags & PROTOPT_SSL) { /* BLOCKING */ - result = Curl_ssl_connect(data, conn, FIRSTSOCKET); + result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); if(result) return result; conn->bits.ftp_use_control_ssl = TRUE; @@ -3310,14 +3302,6 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status, } } - if(conn->ssl[SECONDARYSOCKET].use) { - /* The secondary socket is using SSL so we must close down that part - first before we close the socket for real */ - Curl_ssl_close(data, conn, SECONDARYSOCKET); - - /* Note that we keep "use" set to TRUE since that (next) connection is - still requested to use SSL */ - } close_secondarysocket(data, conn); } @@ -3571,23 +3555,15 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep) * complete */ struct FTP *ftp = NULL; - /* if the second connection isn't done yet, wait for it */ - if(!conn->bits.tcpconnect[SECONDARYSOCKET]) { - if(Curl_connect_ongoing(conn)) { - /* As we're in TUNNEL_CONNECT state now, we know the proxy name and port - aren't used so we blank their arguments. */ - result = Curl_proxyCONNECT(data, SECONDARYSOCKET, NULL, 0); - - return result; - } - - result = Curl_is_connected(data, conn, SECONDARYSOCKET, &connected); - - /* Ready to do more? */ - if(connected) { - DEBUGF(infof(data, "DO-MORE connected phase starts")); - } - else { + /* if the second connection isn't done yet, wait for it to have + * connected to the remote host. When using proxy tunneling, this + * means the tunnel needs to have been establish. However, we + * can not expect the remote host to talk to us in any way yet. + * So, when using ftps: the SSL handshake will not start until we + * tell the remote server that we are there. */ + if(conn->cfilter[SECONDARYSOCKET]) { + result = Curl_conn_connect(data, SECONDARYSOCKET, FALSE, &connected); + if(result || !Curl_conn_is_ip_connected(data, SECONDARYSOCKET)) { if(result && (ftpc->count1 == 0)) { *completep = -1; /* go back to DOING please */ /* this is a EPSV connect failing, try PASV instead */ @@ -3597,19 +3573,6 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep) } } -#ifndef CURL_DISABLE_PROXY - result = Curl_proxy_connect(data, SECONDARYSOCKET); - if(result) - return result; - - if(CONNECT_SECONDARYSOCKET_PROXY_SSL()) - return result; - - if(conn->bits.tunnel_proxy && conn->bits.httpproxy && - Curl_connect_ongoing(conn)) - return result; -#endif - /* Curl_proxy_connect might have moved the protocol state */ ftp = data->req.p.ftp; @@ -3739,11 +3702,10 @@ CURLcode ftp_perform(struct Curl_easy *data, { /* this is FTP and no proxy */ CURLcode result = CURLE_OK; - struct connectdata *conn = data->conn; DEBUGF(infof(data, "DO phase starts")); - if(data->set.opt_no_body) { + if(data->req.no_body) { /* requested no body means no transfer... */ struct FTP *ftp = data->req.p.ftp; ftp->transfer = PPTRANSFER_INFO; @@ -3759,7 +3721,7 @@ CURLcode ftp_perform(struct Curl_easy *data, /* run the state-machine */ result = ftp_multi_statemach(data, dophase_done); - *connected = conn->bits.tcpconnect[SECONDARYSOCKET]; + *connected = Curl_conn_is_connected(data->conn, SECONDARYSOCKET); infof(data, "ftp_perform ends with SECONDARY: %d", *connected); @@ -4168,7 +4130,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) /* get path before last slash, except for / */ size_t dirlen = slashPos - rawPath; if(dirlen == 0) - dirlen++; + dirlen = 1; ftpc->dirs = calloc(1, sizeof(ftpc->dirs[0])); if(!ftpc->dirs) { @@ -4195,13 +4157,14 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) /* current position: begin of next path component */ const char *curPos = rawPath; - int dirAlloc = 0; /* number of entries allocated for the 'dirs' array */ + /* number of entries allocated for the 'dirs' array */ + size_t dirAlloc = 0; const char *str = rawPath; for(; *str != 0; ++str) if (*str == '/') ++dirAlloc; - if(dirAlloc > 0) { + if(dirAlloc) { ftpc->dirs = calloc(dirAlloc, sizeof(ftpc->dirs[0])); if(!ftpc->dirs) { free(rawPath); @@ -4231,7 +4194,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data) curPos = slashPos + 1; } } - DEBUGASSERT(ftpc->dirdepth <= dirAlloc); + DEBUGASSERT((size_t)ftpc->dirdepth <= dirAlloc); fileName = curPos; /* the rest is the file name (or empty) */ } break; @@ -4374,6 +4337,7 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, { char *type; struct FTP *ftp; + CURLcode result = CURLE_OK; data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1); if(!ftp) @@ -4415,7 +4379,7 @@ static CURLcode ftp_setup_connection(struct Curl_easy *data, ftp->downloadsize = 0; conn->proto.ftpc.known_filesize = -1; /* unknown size for now */ - return CURLE_OK; + return result; } #endif /* CURL_DISABLE_FTP */ diff --git a/lib/ftplistparser.c b/lib/ftplistparser.c index 40f5f3f..3d529ef 100644 --- a/lib/ftplistparser.c +++ b/lib/ftplistparser.c @@ -205,9 +205,9 @@ CURLcode Curl_ftp_parselist_geterror(struct ftp_parselist_data *pl_data) #define FTP_LP_MALFORMATED_PERM 0x01000000 -static int ftp_pl_get_permission(const char *str) +static unsigned int ftp_pl_get_permission(const char *str) { - int permissions = 0; + unsigned int permissions = 0; /* USER */ if(str[0] == 'r') permissions |= 1 << 8; @@ -334,7 +334,7 @@ size_t Curl_ftp_parselist(char *buffer, size_t size, size_t nmemb, struct ftp_parselist_data *parser = ftpwc->parser; struct fileinfo *infop; struct curl_fileinfo *finfo; - unsigned long i = 0; + size_t i = 0; CURLcode result; size_t retsize = bufflen; diff --git a/lib/getinfo.c b/lib/getinfo.c index c3556b3..3a24c65 100644 --- a/lib/getinfo.c +++ b/lib/getinfo.c @@ -533,13 +533,7 @@ static CURLcode getinfo_slist(struct Curl_easy *data, CURLINFO info, #ifdef USE_SSL if(conn && tsi->backend != CURLSSLBACKEND_NONE) { - unsigned int i; - for(i = 0; i < (sizeof(conn->ssl) / sizeof(conn->ssl[0])); ++i) { - if(conn->ssl[i].use) { - tsi->internals = Curl_ssl->get_internals(&conn->ssl[i], info); - break; - } - } + tsi->internals = Curl_ssl_get_internals(data, FIRSTSOCKET, info, 0); } #endif } diff --git a/lib/gopher.c b/lib/gopher.c index 01f4bde..6fbb7de 100644 --- a/lib/gopher.c +++ b/lib/gopher.c @@ -30,6 +30,7 @@ #include #include "transfer.h" #include "sendf.h" +#include "cfilters.h" #include "connect.h" #include "progress.h" #include "gopher.h" @@ -117,7 +118,9 @@ static CURLcode gopher_connect(struct Curl_easy *data, bool *done) static CURLcode gopher_connecting(struct Curl_easy *data, bool *done) { struct connectdata *conn = data->conn; - CURLcode result = Curl_ssl_connect(data, conn, FIRSTSOCKET); + CURLcode result; + + result = Curl_conn_connect(data, FIRSTSOCKET, TRUE, done); if(result) connclose(conn, "Failed TLS connection"); *done = TRUE; @@ -236,4 +239,4 @@ static CURLcode gopher_do(struct Curl_easy *data, bool *done) Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1); return CURLE_OK; } -#endif /*CURL_DISABLE_GOPHER*/ +#endif /* CURL_DISABLE_GOPHER */ diff --git a/lib/h2h3.c b/lib/h2h3.c index 50254ad..3a9288d 100644 --- a/lib/h2h3.c +++ b/lib/h2h3.c @@ -36,7 +36,7 @@ /* * Curl_pseudo_headers() creates the array with pseudo headers to be - * used in a HTTP/2 or HTTP/3 request. + * used in an HTTP/2 or HTTP/3 request. */ #if defined(USE_NGHTTP2) || defined(ENABLE_QUIC) diff --git a/lib/h2h3.h b/lib/h2h3.h index 84caec5..c35b706 100644 --- a/lib/h2h3.h +++ b/lib/h2h3.h @@ -45,7 +45,7 @@ struct h2h3req { /* * Curl_pseudo_headers() creates the array with pseudo headers to be - * used in a HTTP/2 or HTTP/3 request. Returns an allocated struct. + * used in an HTTP/2 or HTTP/3 request. Returns an allocated struct. * Free it with Curl_pseudo_free(). */ CURLcode Curl_pseudo_headers(struct Curl_easy *data, diff --git a/lib/hostasyn.c b/lib/hostasyn.c index 0bfbe2e..df50d13 100644 --- a/lib/hostasyn.c +++ b/lib/hostasyn.c @@ -43,10 +43,6 @@ #include #endif -#ifdef HAVE_PROCESS_H -#include -#endif - #include "urldata.h" #include "sendf.h" #include "hostip.h" diff --git a/lib/hostip.c b/lib/hostip.c index 941ecac..dd427a2 100644 --- a/lib/hostip.c +++ b/lib/hostip.c @@ -48,10 +48,6 @@ #include #endif -#ifdef HAVE_PROCESS_H -#include -#endif - #include "urldata.h" #include "sendf.h" #include "hostip.h" diff --git a/lib/hostip.h b/lib/hostip.h index 9d31707..3b1d814 100644 --- a/lib/hostip.h +++ b/lib/hostip.h @@ -34,11 +34,6 @@ #include #endif -#ifdef NETWARE -#undef in_addr_t -#define in_addr_t unsigned long -#endif - /* Allocate enough memory to hold the full name information structs and * everything. OSF1 is known to require at least 8872 bytes. The buffer * required for storing all possible aliases and IP numbers is according to diff --git a/lib/hostip4.c b/lib/hostip4.c index 1dd54e8..109bd1e 100644 --- a/lib/hostip4.c +++ b/lib/hostip4.c @@ -43,10 +43,6 @@ #include #endif -#ifdef HAVE_PROCESS_H -#include -#endif - #include "urldata.h" #include "sendf.h" #include "hostip.h" @@ -125,14 +121,15 @@ struct Curl_addrinfo *Curl_getaddrinfo(struct Curl_easy *data, struct Curl_addrinfo *Curl_ipv4_resolve_r(const char *hostname, int port) { -#if !defined(HAVE_GETADDRINFO_THREADSAFE) && defined(HAVE_GETHOSTBYNAME_R_3) +#if !(defined(HAVE_GETADDRINFO) && defined(HAVE_GETADDRINFO_THREADSAFE)) && \ + defined(HAVE_GETHOSTBYNAME_R_3) int res; #endif struct Curl_addrinfo *ai = NULL; struct hostent *h = NULL; struct hostent *buf = NULL; -#if defined(HAVE_GETADDRINFO_THREADSAFE) +#if defined(HAVE_GETADDRINFO) && defined(HAVE_GETADDRINFO_THREADSAFE) struct addrinfo hints; char sbuf[12]; char *sbufptr = NULL; @@ -280,14 +277,16 @@ struct Curl_addrinfo *Curl_ipv4_resolve_r(const char *hostname, h = NULL; /* set return code to NULL */ free(buf); } -#else /* HAVE_GETADDRINFO_THREADSAFE || HAVE_GETHOSTBYNAME_R */ +#else /* (HAVE_GETADDRINFO && HAVE_GETADDRINFO_THREADSAFE) || + HAVE_GETHOSTBYNAME_R */ /* * Here is code for platforms that don't have a thread safe * getaddrinfo() nor gethostbyname_r() function or for which * gethostbyname() is the preferred one. */ h = gethostbyname((void *)hostname); -#endif /* HAVE_GETADDRINFO_THREADSAFE || HAVE_GETHOSTBYNAME_R */ +#endif /* (HAVE_GETADDRINFO && HAVE_GETADDRINFO_THREADSAFE) || + HAVE_GETHOSTBYNAME_R */ if(h) { ai = Curl_he2ai(h, port); diff --git a/lib/hostip6.c b/lib/hostip6.c index c62c254..af8bc23 100644 --- a/lib/hostip6.c +++ b/lib/hostip6.c @@ -43,10 +43,6 @@ #include #endif -#ifdef HAVE_PROCESS_H -#include -#endif - #include "urldata.h" #include "sendf.h" #include "hostip.h" diff --git a/lib/hostsyn.c b/lib/hostsyn.c index ee54363..73d1e50 100644 --- a/lib/hostsyn.c +++ b/lib/hostsyn.c @@ -43,10 +43,6 @@ #include #endif -#ifdef HAVE_PROCESS_H -#include -#endif - #include "urldata.h" #include "sendf.h" #include "hostip.h" diff --git a/lib/hsts.c b/lib/hsts.c index e3b686e..c449120 100644 --- a/lib/hsts.c +++ b/lib/hsts.c @@ -39,7 +39,6 @@ #include "parsedate.h" #include "fopen.h" #include "rename.h" -#include "strtoofft.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" @@ -158,7 +157,7 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, do { while(*p && ISBLANK(*p)) p++; - if(Curl_strncasecompare("max-age=", p, 8)) { + if(strncasecompare("max-age=", p, 8)) { bool quoted = FALSE; CURLofft offt; char *endp; @@ -187,7 +186,7 @@ CURLcode Curl_hsts_parse(struct hsts *h, const char *hostname, } gotma = TRUE; } - else if(Curl_strncasecompare("includesubdomains", p, 17)) { + else if(strncasecompare("includesubdomains", p, 17)) { if(gotinc) return CURLE_BAD_FUNCTION_ARGUMENT; subdomains = TRUE; @@ -278,11 +277,11 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, if(ntail < hlen) { size_t offs = hlen - ntail; if((hostname[offs-1] == '.') && - Curl_strncasecompare(&hostname[offs], sts->host, ntail)) + strncasecompare(&hostname[offs], sts->host, ntail)) return sts; } } - if(Curl_strcasecompare(hostname, sts->host)) + if(strcasecompare(hostname, sts->host)) return sts; } } diff --git a/lib/http.c b/lib/http.c index f57859e..1b75022 100644 --- a/lib/http.c +++ b/lib/http.c @@ -80,6 +80,7 @@ #include "http_proxy.h" #include "warnless.h" #include "http2.h" +#include "cfilters.h" #include "connect.h" #include "strdup.h" #include "altsvc.h" @@ -101,18 +102,6 @@ static int http_getsock_do(struct Curl_easy *data, curl_socket_t *socks); static bool http_should_fail(struct Curl_easy *data); -#ifndef CURL_DISABLE_PROXY -static CURLcode add_haproxy_protocol_header(struct Curl_easy *data); -#endif - -#ifdef USE_SSL -static CURLcode https_connecting(struct Curl_easy *data, bool *done); -static int https_getsock(struct Curl_easy *data, - struct connectdata *conn, - curl_socket_t *socks); -#else -#define https_connecting(x,y) CURLE_COULDNT_CONNECT -#endif static CURLcode http_setup_conn(struct Curl_easy *data, struct connectdata *conn); #ifdef USE_WEBSOCKETS @@ -184,9 +173,9 @@ const struct Curl_handler Curl_handler_https = { Curl_http_done, /* done */ ZERO_NULL, /* do_more */ Curl_http_connect, /* connect_it */ - https_connecting, /* connecting */ + NULL, /* connecting */ ZERO_NULL, /* doing */ - https_getsock, /* proto_getsock */ + NULL, /* proto_getsock */ http_getsock_do, /* doing_getsock */ ZERO_NULL, /* domore_getsock */ ZERO_NULL, /* perform_getsock */ @@ -209,9 +198,9 @@ const struct Curl_handler Curl_handler_wss = { Curl_http_done, /* done */ ZERO_NULL, /* do_more */ Curl_http_connect, /* connect_it */ - https_connecting, /* connecting */ + NULL, /* connecting */ ZERO_NULL, /* doing */ - https_getsock, /* proto_getsock */ + NULL, /* proto_getsock */ http_getsock_do, /* doing_getsock */ ZERO_NULL, /* domore_getsock */ ZERO_NULL, /* perform_getsock */ @@ -229,6 +218,41 @@ const struct Curl_handler Curl_handler_wss = { #endif +static CURLcode h3_setup_conn(struct Curl_easy *data, + struct connectdata *conn) +{ +#ifdef ENABLE_QUIC + /* We want HTTP/3 directly, setup the filter chain ourself, + * overriding the default behaviour. */ + DEBUGASSERT(conn->transport == TRNSPRT_QUIC); + + if(!(conn->handler->flags & PROTOPT_SSL)) { + failf(data, "HTTP/3 requested for non-HTTPS URL"); + return CURLE_URL_MALFORMAT; + } +#ifndef CURL_DISABLE_PROXY + if(conn->bits.socksproxy) { + failf(data, "HTTP/3 is not supported over a SOCKS proxy"); + return CURLE_URL_MALFORMAT; + } + if(conn->bits.httpproxy && conn->bits.tunnel_proxy) { + failf(data, "HTTP/3 is not supported over a HTTP proxy"); + return CURLE_URL_MALFORMAT; + } +#endif + + DEBUGF(infof(data, "HTTP/3 direct conn setup(conn #%ld, index=%d)", + conn->connection_id, FIRSTSOCKET)); + return Curl_conn_socket_set(data, conn, FIRSTSOCKET); + +#else /* ENABLE_QUIC */ + (void)conn; + (void)data; + DEBUGF(infof(data, "QUIC is not supported in this build")); + return CURLE_NOT_BUILT_IN; +#endif /* !ENABLE_QUIC */ +} + static CURLcode http_setup_conn(struct Curl_easy *data, struct connectdata *conn) { @@ -241,18 +265,15 @@ static CURLcode http_setup_conn(struct Curl_easy *data, if(!http) return CURLE_OUT_OF_MEMORY; - Curl_mime_initpart(&http->form, data); + Curl_mime_initpart(&http->form); data->req.p.http = http; if(data->state.httpwant == CURL_HTTP_VERSION_3) { - if(conn->handler->flags & PROTOPT_SSL) - /* Only go HTTP/3 directly on HTTPS URLs. It needs a UDP socket and does - the QUIC dance. */ - conn->transport = TRNSPRT_QUIC; - else { - failf(data, "HTTP/3 requested for non-HTTPS URL"); - return CURLE_URL_MALFORMAT; - } + conn->transport = TRNSPRT_QUIC; + } + + if(conn->transport == TRNSPRT_QUIC) { + return h3_setup_conn(data, conn); } else { if(!CONN_INUSE(conn)) @@ -555,7 +576,7 @@ static CURLcode http_perhapsrewind(struct Curl_easy *data, } } - conn->bits.rewindaftersend = FALSE; /* default */ + data->state.rewindbeforesend = FALSE; /* default */ if((expectsend == -1) || (expectsend > bytessent)) { #if defined(USE_NTLM) @@ -572,8 +593,8 @@ static CURLcode http_perhapsrewind(struct Curl_easy *data, /* rewind data when completely done sending! */ if(!conn->bits.authneg && (conn->writesockfd != CURL_SOCKET_BAD)) { - conn->bits.rewindaftersend = TRUE; - infof(data, "Rewind stream after send"); + data->state.rewindbeforesend = TRUE; + infof(data, "Rewind stream before next send"); } return CURLE_OK; @@ -600,8 +621,8 @@ static CURLcode http_perhapsrewind(struct Curl_easy *data, /* rewind data when completely done sending! */ if(!conn->bits.authneg && (conn->writesockfd != CURL_SOCKET_BAD)) { - conn->bits.rewindaftersend = TRUE; - infof(data, "Rewind stream after send"); + data->state.rewindbeforesend = TRUE; + infof(data, "Rewind stream before next send"); } return CURLE_OK; @@ -625,9 +646,11 @@ static CURLcode http_perhapsrewind(struct Curl_easy *data, closure so we can safely do the rewind right now */ } - if(bytessent) - /* we rewind now at once since if we already sent something */ - return Curl_readrewind(data); + if(bytessent) { + /* mark for rewind since if we already sent something */ + data->state.rewindbeforesend = TRUE; + infof(data, "Please rewind output before next send"); + } return CURLE_OK; } @@ -650,7 +673,7 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) if(!data->set.str[STRING_BEARER]) authmask &= (unsigned long)~CURLAUTH_BEARER; - if(100 <= data->req.httpcode && 199 >= data->req.httpcode) + if(100 <= data->req.httpcode && data->req.httpcode <= 199) /* this is a transient response code, ignore */ return CURLE_OK; @@ -684,7 +707,7 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) if(pickhost || pickproxy) { if((data->state.httpreq != HTTPREQ_GET) && (data->state.httpreq != HTTPREQ_HEAD) && - !conn->bits.rewindaftersend) { + !data->state.rewindbeforesend) { result = http_perhapsrewind(data, conn); if(result) return result; @@ -1241,7 +1264,7 @@ static size_t readmoredata(char *buffer, /* nothing to return */ return 0; - /* make sure that a HTTP request is never sent away chunked! */ + /* make sure that an HTTP request is never sent away chunked! */ data->req.forbidchunk = (http->sending == HTTPSEND_REQUEST)?TRUE:FALSE; if(data->set.max_send_speed && @@ -1539,48 +1562,13 @@ Curl_compareheader(const char *headerline, /* line to check */ */ CURLcode Curl_http_connect(struct Curl_easy *data, bool *done) { - CURLcode result; struct connectdata *conn = data->conn; /* We default to persistent connections. We set this already in this connect function to make the re-use checks properly be able to check this bit. */ connkeep(conn, "HTTP default"); -#ifndef CURL_DISABLE_PROXY - /* the CONNECT procedure might not have been completed */ - result = Curl_proxy_connect(data, FIRSTSOCKET); - if(result) - return result; - - if(conn->bits.proxy_connect_closed) - /* this is not an error, just part of the connection negotiation */ - return CURLE_OK; - - if(CONNECT_FIRSTSOCKET_PROXY_SSL()) - return CURLE_OK; /* wait for HTTPS proxy SSL initialization to complete */ - - if(Curl_connect_ongoing(conn)) - /* nothing else to do except wait right now - we're not done here. */ - return CURLE_OK; - - if(data->set.haproxyprotocol) { - /* add HAProxy PROXY protocol header */ - result = add_haproxy_protocol_header(data); - if(result) - return result; - } -#endif - - if(conn->given->flags & PROTOPT_SSL) { - /* perform SSL initialization */ - result = https_connecting(data, done); - if(result) - return result; - } - else - *done = TRUE; - - return CURLE_OK; + return Curl_conn_connect(data, FIRSTSOCKET, FALSE, done); } /* this returns the socket to wait for in the DO and DOING state for the multi @@ -1596,75 +1584,6 @@ static int http_getsock_do(struct Curl_easy *data, return GETSOCK_WRITESOCK(0); } -#ifndef CURL_DISABLE_PROXY -static CURLcode add_haproxy_protocol_header(struct Curl_easy *data) -{ - struct dynbuf req; - CURLcode result; - const char *tcp_version; - DEBUGASSERT(data->conn); - Curl_dyn_init(&req, DYN_HAXPROXY); - -#ifdef USE_UNIX_SOCKETS - if(data->conn->unix_domain_socket) - /* the buffer is large enough to hold this! */ - result = Curl_dyn_addn(&req, STRCONST("PROXY UNKNOWN\r\n")); - else { -#endif - /* Emit the correct prefix for IPv6 */ - tcp_version = data->conn->bits.ipv6 ? "TCP6" : "TCP4"; - - result = Curl_dyn_addf(&req, "PROXY %s %s %s %i %i\r\n", - tcp_version, - data->info.conn_local_ip, - data->info.conn_primary_ip, - data->info.conn_local_port, - data->info.conn_primary_port); - -#ifdef USE_UNIX_SOCKETS - } -#endif - - if(!result) - result = Curl_buffer_send(&req, data, &data->info.request_size, - 0, FIRSTSOCKET); - return result; -} -#endif - -#ifdef USE_SSL -static CURLcode https_connecting(struct Curl_easy *data, bool *done) -{ - CURLcode result; - struct connectdata *conn = data->conn; - DEBUGASSERT((data) && (data->conn->handler->flags & PROTOPT_SSL)); - -#ifdef ENABLE_QUIC - if(conn->transport == TRNSPRT_QUIC) { - *done = TRUE; - return CURLE_OK; - } -#endif - - /* perform SSL initialization for this socket */ - result = Curl_ssl_connect_nonblocking(data, conn, FALSE, FIRSTSOCKET, done); - if(result) - connclose(conn, "Failed HTTPS connection"); - - return result; -} - -static int https_getsock(struct Curl_easy *data, - struct connectdata *conn, - curl_socket_t *socks) -{ - (void)data; - if(conn->handler->flags & PROTOPT_SSL) - return Curl_ssl->getsock(conn, socks); - return GETSOCK_BLANK; -} -#endif /* USE_SSL */ - /* * Curl_http_done() gets called after a single HTTP request has been * performed. @@ -2096,7 +2015,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn, if(data->set.str[STRING_CUSTOMREQUEST]) request = data->set.str[STRING_CUSTOMREQUEST]; else { - if(data->set.opt_no_body) + if(data->req.no_body) request = "HEAD"; else { DEBUGASSERT((httpreq >= HTTPREQ_GET) && (httpreq <= HTTPREQ_HEAD)); @@ -2141,7 +2060,7 @@ CURLcode Curl_http_host(struct Curl_easy *data, struct connectdata *conn) { const char *ptr; if(!data->state.this_is_a_follow) { - /* Free to avoid leaking memory on multiple requests*/ + /* Free to avoid leaking memory on multiple requests */ free(data->state.first_host); data->state.first_host = strdup(conn->host.name); @@ -2384,7 +2303,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn, cthdr = "multipart/form-data"; curl_mime_headers(http->sendit, data->set.headers, 0); - result = Curl_mime_prepare_headers(http->sendit, cthdr, + result = Curl_mime_prepare_headers(data, http->sendit, cthdr, NULL, MIMESTRATEGY_FORM); curl_mime_headers(http->sendit, NULL, 0); if(!result) @@ -2795,7 +2714,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data, conn->handler->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS) || strcasecompare("localhost", host) || !strcmp(host, "127.0.0.1") || - !strcmp(host, "[::1]") ? TRUE : FALSE; + !strcmp(host, "::1") ? TRUE : FALSE; Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path, secure_context); @@ -2925,8 +2844,8 @@ CURLcode Curl_http_resume(struct Curl_easy *data, data->state.resume_from = 0; } - if(data->state.resume_from && !data->state.this_is_a_follow) { - /* do we still game? */ + if(data->state.resume_from && !data->state.followlocation) { + /* only act on the first request */ /* Now, let's read off the proper amount of bytes from the input. */ @@ -3027,14 +2946,14 @@ CURLcode Curl_http_firstwrite(struct Curl_easy *data, if(data->set.timecondition && !data->state.range) { /* A time condition has been set AND no ranges have been requested. This seems to be what chapter 13.3.4 of RFC 2616 defines to be the correct - action for a HTTP/1.1 client */ + action for an HTTP/1.1 client */ if(!Curl_meets_timecondition(data, k->timeofdoc)) { *done = TRUE; - /* We're simulating a http 304 from server so we return + /* We're simulating an HTTP 304 from server so we return what should have been returned from the server */ data->info.httpcode = 304; - infof(data, "Simulate a HTTP 304 response"); + infof(data, "Simulate an HTTP 304 response"); /* we abort the transfer before it is completed == we ruin the re-use ability. Close the connection */ streamclose(conn, "Simulated 304 handling"); @@ -3080,7 +2999,7 @@ CURLcode Curl_transferencode(struct Curl_easy *data) #ifndef USE_HYPER /* - * Curl_http() gets called from the generic multi_do() function when a HTTP + * Curl_http() gets called from the generic multi_do() function when an HTTP * request is to be performed. This creates and sends a properly constructed * HTTP request. */ @@ -3117,7 +3036,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) /* continue with HTTP/1.1 when explicitly requested */ break; default: - /* Check if user wants to use HTTP/2 with clear TCP*/ + /* Check if user wants to use HTTP/2 with clear TCP */ #ifdef USE_NGHTTP2 if(data->state.httpwant == CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE) { #ifndef CURL_DISABLE_PROXY @@ -3140,7 +3059,7 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) } } else { - /* prepare for a http2 request */ + /* prepare for an http2 request */ result = Curl_http2_setup(data, conn); if(result) return result; @@ -3497,7 +3416,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, STRCONST("Proxy-Connection:"), STRCONST("keep-alive"))) { /* - * When a HTTP/1.0 reply comes when using a proxy, the + * When an HTTP/1.0 reply comes when using a proxy, the * 'Proxy-Connection: keep-alive' line tells us the * connection will be kept alive for our pleasure. * Default action for 1.0 is to close. @@ -3511,7 +3430,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, STRCONST("Proxy-Connection:"), STRCONST("close"))) { /* - * We get a HTTP/1.1 response from a proxy and it says it'll + * We get an HTTP/1.1 response from a proxy and it says it'll * close down after this transfer. */ connclose(conn, "Proxy-Connection: asked to close after done"); @@ -3523,7 +3442,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, STRCONST("Connection:"), STRCONST("keep-alive"))) { /* - * A HTTP/1.0 reply with the 'Connection: keep-alive' line + * An HTTP/1.0 reply with the 'Connection: keep-alive' line * tells us the connection will be kept alive for our * pleasure. Default action for 1.0 is to close. * @@ -3634,7 +3553,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, conn->handler->protocol&(CURLPROTO_HTTPS|CURLPROTO_WSS) || strcasecompare("localhost", host) || !strcmp(host, "127.0.0.1") || - !strcmp(host, "[::1]") ? TRUE : FALSE; + !strcmp(host, "::1") ? TRUE : FALSE; Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE); @@ -3708,6 +3627,9 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, result = http_perhapsrewind(data, conn); if(result) return result; + + /* mark the next request as a followed location: */ + data->state.this_is_a_follow = TRUE; } } } @@ -3724,7 +3646,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, #endif )) { CURLcode check = - Curl_hsts_parse(data->hsts, data->state.up.hostname, + Curl_hsts_parse(data->hsts, conn->host.name, headp + strlen("Strict-Transport-Security:")); if(check) infof(data, "Illegal STS header skipped"); @@ -3751,7 +3673,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn, result = Curl_altsvc_parse(data, data->asi, headp + strlen("Alt-Svc:"), id, conn->host.name, - curlx_uitous(conn->remote_port)); + curlx_uitous((unsigned int)conn->remote_port)); if(result) return result; } @@ -4012,7 +3934,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, switch(k->httpcode) { case 100: /* - * We have made a HTTP PUT or POST and this is 1.1-lingo + * We have made an HTTP PUT or POST and this is 1.1-lingo * that tells us that the server is OK with this and ready * to receive the data. * However, we'll get more headers now so we must get @@ -4176,7 +4098,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, if(k->httpcode >= 300) { if((!conn->bits.authneg) && !conn->bits.close && - !conn->bits.rewindaftersend) { + !data->state.rewindbeforesend) { /* * General treatment of errors when about to send data. Including : * "417 Expectation Failed", while waiting for 100-continue. @@ -4186,7 +4108,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, * something else should've considered the big picture and we * avoid this check. * - * rewindaftersend indicates that something has told libcurl to + * rewindbeforesend indicates that something has told libcurl to * continue sending even if it gets discarded */ @@ -4235,9 +4157,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, } } - if(conn->bits.rewindaftersend) { - /* We rewind after a complete send, so thus we continue - sending now */ + if(data->state.rewindbeforesend && + (conn->writesockfd != CURL_SOCKET_BAD)) { + /* We rewind before next send, continue sending now */ infof(data, "Keep sending data to get tossed away"); k->keepon |= KEEP_SEND; } @@ -4250,7 +4172,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, * If we requested a "no body", this is a good time to get * out and return home. */ - if(data->set.opt_no_body) + if(data->req.no_body) *stop_reading = TRUE; #ifndef CURL_DISABLE_RTSP else if((conn->handler->protocol & CURLPROTO_RTSP) && diff --git a/lib/http.h b/lib/http.h index f7cbb34..ecfe4ee 100644 --- a/lib/http.h +++ b/lib/http.h @@ -317,7 +317,7 @@ struct http_conn { uint8_t binsettings[H2_BINSETTINGS_LEN]; size_t binlen; /* length of the binsettings data */ - /* We associate the connnectdata struct with the connection, but we need to + /* We associate the connectdata struct with the connection, but we need to make sure we can identify the current "driving" transfer. This is a work-around for the lack of nghttp2_session_set_user_data() in older nghttp2 versions that we want to support. (Added in 1.31.0) */ diff --git a/lib/http2.c b/lib/http2.c index b7409b0..b9d3245 100644 --- a/lib/http2.c +++ b/lib/http2.c @@ -109,7 +109,7 @@ static int http2_getsock(struct Curl_easy *data, sock[0] = conn->sock[FIRSTSOCKET]; if(!(k->keepon & KEEP_RECV_PAUSE)) - /* Unless paused - in a HTTP/2 connection we can basically always get a + /* Unless paused - in an HTTP/2 connection we can basically always get a frame so we should always be ready for one */ bitmap |= GETSOCK_READSOCK(FIRSTSOCKET); @@ -191,7 +191,7 @@ static bool http2_connisdead(struct Curl_easy *data, struct connectdata *conn) } else if(sval & CURL_CSELECT_IN) { /* readable with no error. could still be closed */ - dead = !Curl_connalive(conn); + dead = !Curl_connalive(data, conn); if(!dead) { /* This happens before we've sent off a request and the connection is not in use by any other transfer, there shouldn't be any data here, @@ -1024,9 +1024,9 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, if(!check) /* no memory */ return NGHTTP2_ERR_CALLBACK_FAILURE; - if(!Curl_strcasecompare(check, (const char *)value) && + if(!strcasecompare(check, (const char *)value) && ((conn->remote_port != conn->given->defport) || - !Curl_strcasecompare(conn->host.name, (const char *)value))) { + !strcasecompare(conn->host.name, (const char *)value))) { /* This is push is not for the same authority that was asked for in * the URL. RFC 7540 section 8.2 says: "A client MUST treat a * PUSH_PROMISE for which the server is not authoritative as a stream @@ -1120,7 +1120,7 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame, /* nghttp2 guarantees that namelen > 0, and :status was already received, and this is not pseudo-header field . */ - /* convert to a HTTP1-style header */ + /* convert to an HTTP1-style header */ result = Curl_dyn_addn(&stream->header_recvbuf, name, namelen); if(result) return NGHTTP2_ERR_CALLBACK_FAILURE; @@ -1351,7 +1351,7 @@ static CURLcode http2_init(struct Curl_easy *data, struct connectdata *conn) } /* - * Append headers to ask for a HTTP1.1 to HTTP2 upgrade. + * Append headers to ask for an HTTP1.1 to HTTP2 upgrade. */ CURLcode Curl_http2_request_upgrade(struct dynbuf *req, struct Curl_easy *data) @@ -2307,7 +2307,7 @@ void Curl_http2_cleanup_dependencies(struct Curl_easy *data) Curl_http2_remove_child(data->set.stream_depends_on, data); } -/* Only call this function for a transfer that already got a HTTP/2 +/* Only call this function for a transfer that already got an HTTP/2 CURLE_HTTP2_STREAM error! */ bool Curl_h2_http_1_1_error(struct Curl_easy *data) { diff --git a/lib/http2.h b/lib/http2.h index f039059..966bf75 100644 --- a/lib/http2.h +++ b/lib/http2.h @@ -73,7 +73,7 @@ bool Curl_h2_http_1_1_error(struct Curl_easy *data); #define Curl_http2_init_state(x) #define Curl_http2_init_userset(x) #define Curl_http2_done(x,y) -#define Curl_http2_done_sending(x,y) +#define Curl_http2_done_sending(x,y) (void)y #define Curl_http2_add_child(x, y, z) #define Curl_http2_remove_child(x, y) #define Curl_http2_cleanup_dependencies(x) diff --git a/lib/http_aws_sigv4.c b/lib/http_aws_sigv4.c index 440eb38..8c6d1c9 100644 --- a/lib/http_aws_sigv4.c +++ b/lib/http_aws_sigv4.c @@ -32,8 +32,6 @@ #include "http_aws_sigv4.h" #include "curl_sha256.h" #include "transfer.h" - -#include "strcase.h" #include "parsedate.h" #include "sendf.h" @@ -118,7 +116,7 @@ static void trim_headers(struct curl_slist *head) } } -/* maximum lenth for the aws sivg4 parts */ +/* maximum length for the aws sivg4 parts */ #define MAX_SIGV4_LEN 64 #define MAX_SIGV4_LEN_TXT "64" @@ -268,6 +266,40 @@ fail: return ret; } +#define CONTENT_SHA256_KEY_LEN (MAX_SIGV4_LEN + sizeof("X--Content-Sha256")) + +/* try to parse a payload hash from the content-sha256 header */ +static char *parse_content_sha_hdr(struct Curl_easy *data, + const char *provider1, + size_t *value_len) +{ + char key[CONTENT_SHA256_KEY_LEN]; + size_t key_len; + char *value; + size_t len; + + key_len = msnprintf(key, sizeof(key), "x-%s-content-sha256", provider1); + + value = Curl_checkheaders(data, key, key_len); + if(!value) + return NULL; + + value = strchr(value, ':'); + if(!value) + return NULL; + ++value; + + while(*value && ISBLANK(*value)) + ++value; + + len = strlen(value); + while(len > 0 && ISBLANK(value[len-1])) + --len; + + *value_len = len; + return value; +} + CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) { CURLcode ret = CURLE_OUT_OF_MEMORY; @@ -286,6 +318,8 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) struct dynbuf canonical_headers; struct dynbuf signed_headers; char *date_header = NULL; + char *payload_hash = NULL; + size_t payload_hash_len = 0; const char *post_data = data->set.postfields; size_t post_data_len = 0; unsigned char sha_hash[32]; @@ -308,7 +342,7 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) return CURLE_OK; } - /* we init thoses buffers here, so goto fail will free initialized dynbuf */ + /* we init those buffers here, so goto fail will free initialized dynbuf */ Curl_dyn_init(&canonical_headers, CURL_MAX_HTTP_HEADER); Curl_dyn_init(&signed_headers, CURL_MAX_HTTP_HEADER); @@ -403,17 +437,23 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) memcpy(date, timestamp, sizeof(date)); date[sizeof(date) - 1] = 0; - if(post_data) { - if(data->set.postfieldsize < 0) - post_data_len = strlen(post_data); - else - post_data_len = (size_t)data->set.postfieldsize; - } - if(Curl_sha256it(sha_hash, (const unsigned char *) post_data, - post_data_len)) - goto fail; + payload_hash = parse_content_sha_hdr(data, provider1, &payload_hash_len); - sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex)); + if(!payload_hash) { + if(post_data) { + if(data->set.postfieldsize < 0) + post_data_len = strlen(post_data); + else + post_data_len = (size_t)data->set.postfieldsize; + } + if(Curl_sha256it(sha_hash, (const unsigned char *) post_data, + post_data_len)) + goto fail; + + sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex)); + payload_hash = sha_hex; + payload_hash_len = strlen(sha_hex); + } { Curl_HttpReq httpreq; @@ -427,13 +467,13 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) "%s\n" /* CanonicalQueryString */ "%s\n" /* CanonicalHeaders */ "%s\n" /* SignedHeaders */ - "%s", /* HashedRequestPayload in hex */ + "%.*s", /* HashedRequestPayload in hex */ method, data->state.up.path, data->state.up.query ? data->state.up.query : "", Curl_dyn_ptr(&canonical_headers), Curl_dyn_ptr(&signed_headers), - sha_hex); + (int)payload_hash_len, payload_hash); if(!canonical_request) goto fail; } @@ -460,7 +500,7 @@ CURLcode Curl_output_aws_sigv4(struct Curl_easy *data, bool proxy) /* * Google allows using RSA key instead of HMAC, so this code might change - * in the future. For now we ony support HMAC. + * in the future. For now we only support HMAC. */ str_to_sign = curl_maprintf("%s4-HMAC-SHA256\n" /* Algorithm */ "%s\n" /* RequestDateTime */ diff --git a/lib/http_chunks.c b/lib/http_chunks.c index 0b83685..c344e6d 100644 --- a/lib/http_chunks.c +++ b/lib/http_chunks.c @@ -113,7 +113,7 @@ CHUNKcode Curl_httpchunk_read(struct Curl_easy *data, *wrote = 0; /* nothing's written yet */ /* the original data is written to the client, but we go on with the - chunk read process, to properly calculate the content length*/ + chunk read process, to properly calculate the content length */ if(data->set.http_te_skip && !k->ignorebody) { result = Curl_client_write(data, CLIENTWRITE_BODY, datap, datalen); if(result) { diff --git a/lib/http_digest.c b/lib/http_digest.c index a71c6b7..f015f78 100644 --- a/lib/http_digest.c +++ b/lib/http_digest.c @@ -81,7 +81,7 @@ CURLcode Curl_output_digest(struct Curl_easy *data, bool have_chlg; /* Point to the address of the pointer that holds the string to send to the - server, which is for a plain host or for a HTTP proxy */ + server, which is for a plain host or for an HTTP proxy */ char **allocuserpwd; /* Point to the name and password for this */ diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c index 5a6a977..a19cc0d 100644 --- a/lib/http_ntlm.c +++ b/lib/http_ntlm.c @@ -134,7 +134,7 @@ CURLcode Curl_output_ntlm(struct Curl_easy *data, bool proxy) struct bufref ntlmmsg; /* point to the address of the pointer that holds the string to send to the - server, which is for a plain host or for a HTTP proxy */ + server, which is for a plain host or for an HTTP proxy */ char **allocuserpwd; /* point to the username, password, service and host */ diff --git a/lib/http_proxy.c b/lib/http_proxy.c index cc20b3a..e30730a 100644 --- a/lib/http_proxy.c +++ b/lib/http_proxy.c @@ -37,6 +37,7 @@ #include "url.h" #include "select.h" #include "progress.h" +#include "cfilters.h" #include "connect.h" #include "curlx.h" #include "vtls/vtls.h" @@ -48,179 +49,192 @@ #include "curl_memory.h" #include "memdebug.h" -/* - * Perform SSL initialization for HTTPS proxy. Sets - * proxy_ssl_connected connection bit when complete. Can be - * called multiple times. - */ -static CURLcode https_proxy_connect(struct Curl_easy *data, int sockindex) +typedef enum { + TUNNEL_INIT, /* init/default/no tunnel state */ + TUNNEL_CONNECT, /* CONNECT request is being send */ + TUNNEL_RECEIVE, /* CONNECT answer is being received */ + TUNNEL_RESPONSE, /* CONNECT response received completely */ + TUNNEL_ESTABLISHED, + TUNNEL_FAILED +} tunnel_state; + +/* struct for HTTP CONNECT tunneling */ +struct tunnel_state { + int sockindex; + const char *hostname; + int remote_port; + struct HTTP http_proxy; + struct HTTP *prot_save; + struct dynbuf rcvbuf; + struct dynbuf req; + size_t nsend; + size_t headerlines; + enum keeponval { + KEEPON_DONE, + KEEPON_CONNECT, + KEEPON_IGNORE + } keepon; + curl_off_t cl; /* size of content to read and ignore */ + tunnel_state tunnel_state; + BIT(chunked_encoding); + BIT(close_connection); +}; + + +static bool tunnel_is_established(struct tunnel_state *ts) { -#ifdef USE_SSL - struct connectdata *conn = data->conn; - CURLcode result = CURLE_OK; - DEBUGASSERT(conn->http_proxy.proxytype == CURLPROXY_HTTPS); - if(!conn->bits.proxy_ssl_connected[sockindex]) { - /* perform SSL initialization for this socket */ - result = - Curl_ssl_connect_nonblocking(data, conn, TRUE, sockindex, - &conn->bits.proxy_ssl_connected[sockindex]); - if(result) - /* a failed connection is marked for closure to prevent (bad) re-use or - similar */ - connclose(conn, "TLS handshake failed"); - } - return result; -#else - (void) data; - (void) sockindex; - return CURLE_NOT_BUILT_IN; -#endif + return ts && (ts->tunnel_state == TUNNEL_ESTABLISHED); } -CURLcode Curl_proxy_connect(struct Curl_easy *data, int sockindex) +static bool tunnel_is_failed(struct tunnel_state *ts) { - struct connectdata *conn = data->conn; - if(conn->http_proxy.proxytype == CURLPROXY_HTTPS) { - const CURLcode result = https_proxy_connect(data, sockindex); - if(result) - return result; - if(!conn->bits.proxy_ssl_connected[sockindex]) - return result; /* wait for HTTPS proxy SSL initialization to complete */ - } - - if(conn->bits.tunnel_proxy && conn->bits.httpproxy) { -#ifndef CURL_DISABLE_PROXY - /* for [protocol] tunneled through HTTP proxy */ - const char *hostname; - int remote_port; - CURLcode result; - - /* We want "seamless" operations through HTTP proxy tunnel */ - - /* for the secondary socket (FTP), use the "connect to host" - * but ignore the "connect to port" (use the secondary port) - */ - - if(conn->bits.conn_to_host) - hostname = conn->conn_to_host.name; - else if(sockindex == SECONDARYSOCKET) - hostname = conn->secondaryhostname; - else - hostname = conn->host.name; - - if(sockindex == SECONDARYSOCKET) - remote_port = conn->secondary_port; - else if(conn->bits.conn_to_port) - remote_port = conn->conn_to_port; - else - remote_port = conn->remote_port; - - result = Curl_proxyCONNECT(data, sockindex, hostname, remote_port); - if(CURLE_OK != result) - return result; - Curl_safefree(data->state.aptr.proxyuserpwd); -#else - return CURLE_NOT_BUILT_IN; -#endif - } - /* no HTTP tunnel proxy, just return */ - return CURLE_OK; + return ts && (ts->tunnel_state == TUNNEL_FAILED); } -bool Curl_connect_complete(struct connectdata *conn) +static CURLcode tunnel_reinit(struct tunnel_state *ts, + struct connectdata *conn, + struct Curl_easy *data) { - return !conn->connect_state || - (conn->connect_state->tunnel_state >= TUNNEL_COMPLETE); -} + (void)data; + DEBUGASSERT(ts); + Curl_dyn_reset(&ts->rcvbuf); + Curl_dyn_reset(&ts->req); + ts->tunnel_state = TUNNEL_INIT; + ts->keepon = KEEPON_CONNECT; + ts->cl = 0; + ts->close_connection = FALSE; + + if(conn->bits.conn_to_host) + ts->hostname = conn->conn_to_host.name; + else if(ts->sockindex == SECONDARYSOCKET) + ts->hostname = conn->secondaryhostname; + else + ts->hostname = conn->host.name; + + if(ts->sockindex == SECONDARYSOCKET) + ts->remote_port = conn->secondary_port; + else if(conn->bits.conn_to_port) + ts->remote_port = conn->conn_to_port; + else + ts->remote_port = conn->remote_port; -bool Curl_connect_ongoing(struct connectdata *conn) -{ - return conn->connect_state && - (conn->connect_state->tunnel_state <= TUNNEL_COMPLETE); + return CURLE_OK; } -/* when we've sent a CONNECT to a proxy, we should rather either wait for the - socket to become readable to be able to get the response headers or if - we're still sending the request, wait for write. */ -int Curl_connect_getsock(struct connectdata *conn) +static CURLcode tunnel_init(struct tunnel_state **pts, + struct Curl_easy *data, + struct connectdata *conn, + int sockindex) { - struct HTTP *http; - DEBUGASSERT(conn); - DEBUGASSERT(conn->connect_state); - http = &conn->connect_state->http_proxy; - - if(http->sending == HTTPSEND_REQUEST) - return GETSOCK_WRITESOCK(0); - - return GETSOCK_READSOCK(0); -} + struct tunnel_state *ts; + CURLcode result; -static CURLcode connect_init(struct Curl_easy *data, bool reinit) -{ - struct http_connect_state *s; - struct connectdata *conn = data->conn; if(conn->handler->flags & PROTOPT_NOTCPPROXY) { failf(data, "%s cannot be done over CONNECT", conn->handler->scheme); return CURLE_UNSUPPORTED_PROTOCOL; } - if(!reinit) { - CURLcode result; - DEBUGASSERT(!conn->connect_state); - /* we might need the upload buffer for streaming a partial request */ - result = Curl_get_upload_buffer(data); - if(result) - return result; - s = calloc(1, sizeof(struct http_connect_state)); - if(!s) - return CURLE_OUT_OF_MEMORY; - infof(data, "allocate connect buffer"); - conn->connect_state = s; - Curl_dyn_init(&s->rcvbuf, DYN_PROXY_CONNECT_HEADERS); - - /* Curl_proxyCONNECT is based on a pointer to a struct HTTP at the - * member conn->proto.http; we want [protocol] through HTTP and we have - * to change the member temporarily for connecting to the HTTP - * proxy. After Curl_proxyCONNECT we have to set back the member to the - * original pointer - * - * This function might be called several times in the multi interface case - * if the proxy's CONNECT response is not instant. - */ - s->prot_save = data->req.p.http; - data->req.p.http = &s->http_proxy; - connkeep(conn, "HTTP proxy CONNECT"); - } - else { - DEBUGASSERT(conn->connect_state); - s = conn->connect_state; - Curl_dyn_reset(&s->rcvbuf); - } - s->tunnel_state = TUNNEL_INIT; - s->keepon = KEEPON_CONNECT; - s->cl = 0; - s->close_connection = FALSE; - return CURLE_OK; + /* we might need the upload buffer for streaming a partial request */ + result = Curl_get_upload_buffer(data); + if(result) + return result; + + ts = calloc(1, sizeof(*ts)); + if(!ts) + return CURLE_OUT_OF_MEMORY; + + ts->sockindex = sockindex; + infof(data, "allocate connect buffer"); + + Curl_dyn_init(&ts->rcvbuf, DYN_PROXY_CONNECT_HEADERS); + Curl_dyn_init(&ts->req, DYN_HTTP_REQUEST); + + /* Curl_proxyCONNECT is based on a pointer to a struct HTTP at the + * member conn->proto.http; we want [protocol] through HTTP and we have + * to change the member temporarily for connecting to the HTTP + * proxy. After Curl_proxyCONNECT we have to set back the member to the + * original pointer + * + * This function might be called several times in the multi interface case + * if the proxy's CONNECT response is not instant. + */ + ts->prot_save = data->req.p.http; + data->req.p.http = &ts->http_proxy; + *pts = ts; + connkeep(conn, "HTTP proxy CONNECT"); + return tunnel_reinit(ts, conn, data); } -void Curl_connect_done(struct Curl_easy *data) +static void tunnel_go_state(struct Curl_cfilter *cf, + struct tunnel_state *ts, + tunnel_state new_state, + struct Curl_easy *data) { - struct connectdata *conn = data->conn; - struct http_connect_state *s = conn->connect_state; - if(s && (s->tunnel_state != TUNNEL_EXIT)) { - s->tunnel_state = TUNNEL_EXIT; - Curl_dyn_free(&s->rcvbuf); - Curl_dyn_free(&s->req); + if(ts->tunnel_state == new_state) + return; + /* leaving this one */ + switch(ts->tunnel_state) { + case TUNNEL_CONNECT: + data->req.ignorebody = FALSE; + break; + default: + break; + } + /* entering this one */ + switch(new_state) { + case TUNNEL_INIT: + tunnel_reinit(ts, cf->conn, data); + break; + + case TUNNEL_CONNECT: + ts->tunnel_state = TUNNEL_CONNECT; + ts->keepon = KEEPON_CONNECT; + Curl_dyn_reset(&ts->rcvbuf); + break; + + case TUNNEL_RECEIVE: + ts->tunnel_state = TUNNEL_RECEIVE; + break; + + case TUNNEL_RESPONSE: + ts->tunnel_state = TUNNEL_RESPONSE; + break; + case TUNNEL_ESTABLISHED: + infof(data, "CONNECT phase completed"); + data->state.authproxy.done = TRUE; + data->state.authproxy.multipass = FALSE; + /* FALLTHROUGH */ + case TUNNEL_FAILED: + ts->tunnel_state = new_state; + Curl_dyn_reset(&ts->rcvbuf); + Curl_dyn_reset(&ts->req); /* restore the protocol pointer */ - data->req.p.http = s->prot_save; + data->req.p.http = ts->prot_save; data->info.httpcode = 0; /* clear it as it might've been used for the proxy */ - data->req.ignorebody = FALSE; + /* If a proxy-authorization header was used for the proxy, then we should + make sure that it isn't accidentally used for the document request + after we've connected. So let's free and clear it here. */ + Curl_safefree(data->state.aptr.proxyuserpwd); + data->state.aptr.proxyuserpwd = NULL; #ifdef USE_HYPER data->state.hconnect = FALSE; #endif - infof(data, "CONNECT phase completed"); + break; + } +} + +static void tunnel_free(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + struct tunnel_state *ts = cf->ctx; + if(ts) { + tunnel_go_state(cf, ts, TUNNEL_FAILED, data); + Curl_dyn_free(&ts->rcvbuf); + Curl_dyn_free(&ts->req); + free(ts); + cf->ctx = NULL; } } @@ -257,821 +271,1013 @@ static CURLcode CONNECT_host(struct Curl_easy *data, } #ifndef USE_HYPER -static CURLcode CONNECT(struct Curl_easy *data, - int sockindex, - const char *hostname, - int remote_port) +static CURLcode start_CONNECT(struct Curl_easy *data, + struct connectdata *conn, + struct tunnel_state *ts) { - int subversion = 0; - struct SingleRequest *k = &data->req; + char *hostheader = NULL; + char *host = NULL; + const char *httpv; CURLcode result; - struct connectdata *conn = data->conn; - curl_socket_t tunnelsocket = conn->sock[sockindex]; - struct http_connect_state *s = conn->connect_state; - struct HTTP *http = data->req.p.http; - char *linep; - size_t perline; -#define SELECT_OK 0 -#define SELECT_ERROR 1 + infof(data, "Establish HTTP proxy tunnel to %s:%d", + ts->hostname, ts->remote_port); + + /* This only happens if we've looped here due to authentication + reasons, and we don't really use the newly cloned URL here + then. Just free() it. */ + Curl_safefree(data->req.newurl); + + result = CONNECT_host(data, conn, + ts->hostname, ts->remote_port, + &hostheader, &host); + if(result) + goto out; + + /* Setup the proxy-authorization header, if any */ + result = Curl_http_output_auth(data, conn, "CONNECT", HTTPREQ_GET, + hostheader, TRUE); + if(result) + goto out; + + httpv = (conn->http_proxy.proxytype == CURLPROXY_HTTP_1_0) ? "1.0" : "1.1"; + + result = + Curl_dyn_addf(&ts->req, + "CONNECT %s HTTP/%s\r\n" + "%s" /* Host: */ + "%s", /* Proxy-Authorization */ + hostheader, + httpv, + host?host:"", + data->state.aptr.proxyuserpwd? + data->state.aptr.proxyuserpwd:""); + if(result) + goto out; + + if(!Curl_checkProxyheaders(data, conn, STRCONST("User-Agent")) + && data->set.str[STRING_USERAGENT]) + result = Curl_dyn_addf(&ts->req, "User-Agent: %s\r\n", + data->set.str[STRING_USERAGENT]); + if(result) + goto out; + + if(!Curl_checkProxyheaders(data, conn, STRCONST("Proxy-Connection"))) + result = Curl_dyn_addn(&ts->req, + STRCONST("Proxy-Connection: Keep-Alive\r\n")); + if(result) + goto out; + + result = Curl_add_custom_headers(data, TRUE, &ts->req); + if(result) + goto out; + + /* CRLF terminate the request */ + result = Curl_dyn_addn(&ts->req, STRCONST("\r\n")); + if(result) + goto out; + + /* Send the connect request to the proxy */ + result = Curl_buffer_send(&ts->req, data, &data->info.request_size, 0, + ts->sockindex); + ts->headerlines = 0; + +out: + if(result) + failf(data, "Failed sending CONNECT to proxy"); + free(host); + free(hostheader); + return result; +} - if(Curl_connect_complete(conn)) - return CURLE_OK; /* CONNECT is already completed */ +static CURLcode send_CONNECT(struct Curl_easy *data, + struct connectdata *conn, + struct tunnel_state *ts, + bool *done) +{ + struct SingleRequest *k = &data->req; + struct HTTP *http = data->req.p.http; + CURLcode result = CURLE_OK; - conn->bits.proxy_connect_closed = FALSE; + if(http->sending != HTTPSEND_REQUEST) + goto out; - do { - timediff_t check; - if(TUNNEL_INIT == s->tunnel_state) { - /* BEGIN CONNECT PHASE */ - struct dynbuf *req = &s->req; - char *hostheader = NULL; - char *host = NULL; + if(!ts->nsend) { + size_t fillcount; + k->upload_fromhere = data->state.ulbuf; + result = Curl_fillreadbuffer(data, data->set.upload_buffer_size, + &fillcount); + if(result) + goto out; + ts->nsend = fillcount; + } + if(ts->nsend) { + ssize_t bytes_written; + /* write to socket (send away data) */ + result = Curl_write(data, + conn->writesockfd, /* socket to send to */ + k->upload_fromhere, /* buffer pointer */ + ts->nsend, /* buffer size */ + &bytes_written); /* actually sent */ + if(result) + goto out; + /* send to debug callback! */ + Curl_debug(data, CURLINFO_HEADER_OUT, + k->upload_fromhere, bytes_written); - infof(data, "Establish HTTP proxy tunnel to %s:%d", - hostname, remote_port); + ts->nsend -= bytes_written; + k->upload_fromhere += bytes_written; + } + if(!ts->nsend) + http->sending = HTTPSEND_NADA; - /* This only happens if we've looped here due to authentication - reasons, and we don't really use the newly cloned URL here - then. Just free() it. */ - Curl_safefree(data->req.newurl); +out: + if(result) + failf(data, "Failed sending CONNECT to proxy"); + *done = (http->sending != HTTPSEND_REQUEST); + return result; +} - /* initialize send-buffer */ - Curl_dyn_init(req, DYN_HTTP_REQUEST); +static CURLcode on_resp_header(struct Curl_easy *data, + struct tunnel_state *ts, + const char *header) +{ + CURLcode result = CURLE_OK; + struct SingleRequest *k = &data->req; + int subversion = 0; - result = CONNECT_host(data, conn, - hostname, remote_port, &hostheader, &host); - if(result) - return result; + if((checkprefix("WWW-Authenticate:", header) && + (401 == k->httpcode)) || + (checkprefix("Proxy-authenticate:", header) && + (407 == k->httpcode))) { - /* Setup the proxy-authorization header, if any */ - result = Curl_http_output_auth(data, conn, "CONNECT", HTTPREQ_GET, - hostheader, TRUE); - - if(!result) { - const char *httpv = - (conn->http_proxy.proxytype == CURLPROXY_HTTP_1_0) ? "1.0" : "1.1"; - - result = - Curl_dyn_addf(req, - "CONNECT %s HTTP/%s\r\n" - "%s" /* Host: */ - "%s", /* Proxy-Authorization */ - hostheader, - httpv, - host?host:"", - data->state.aptr.proxyuserpwd? - data->state.aptr.proxyuserpwd:""); - - if(!result && !Curl_checkProxyheaders(data, - conn, STRCONST("User-Agent")) && - data->set.str[STRING_USERAGENT]) - result = Curl_dyn_addf(req, "User-Agent: %s\r\n", - data->set.str[STRING_USERAGENT]); - - if(!result && !Curl_checkProxyheaders(data, conn, - STRCONST("Proxy-Connection"))) - result = Curl_dyn_addn(req, - STRCONST("Proxy-Connection: Keep-Alive\r\n")); - - if(!result) - result = Curl_add_custom_headers(data, TRUE, req); - - if(!result) - /* CRLF terminate the request */ - result = Curl_dyn_addn(req, STRCONST("\r\n")); - - if(!result) { - /* Send the connect request to the proxy */ - result = Curl_buffer_send(req, data, &data->info.request_size, 0, - sockindex); - s->headerlines = 0; - } - if(result) - failf(data, "Failed sending CONNECT to proxy"); - } - free(host); - free(hostheader); - if(result) - return result; + bool proxy = (k->httpcode == 407) ? TRUE : FALSE; + char *auth = Curl_copy_header_value(header); + if(!auth) + return CURLE_OUT_OF_MEMORY; - s->tunnel_state = TUNNEL_CONNECT; - } /* END CONNECT PHASE */ + DEBUGF(infof(data, "CONNECT: fwd auth header '%s'", + header)); + result = Curl_http_input_auth(data, proxy, auth); - check = Curl_timeleft(data, NULL, TRUE); - if(check <= 0) { - failf(data, "Proxy CONNECT aborted due to timeout"); - return CURLE_OPERATION_TIMEDOUT; + free(auth); + + if(result) + return result; + } + else if(checkprefix("Content-Length:", header)) { + if(k->httpcode/100 == 2) { + /* A client MUST ignore any Content-Length or Transfer-Encoding + header fields received in a successful response to CONNECT. + "Successful" described as: 2xx (Successful). RFC 7231 4.3.6 */ + infof(data, "Ignoring Content-Length in CONNECT %03d response", + k->httpcode); + } + else { + (void)curlx_strtoofft(header + strlen("Content-Length:"), + NULL, 10, &ts->cl); + } + } + else if(Curl_compareheader(header, + STRCONST("Connection:"), STRCONST("close"))) + ts->close_connection = TRUE; + else if(checkprefix("Transfer-Encoding:", header)) { + if(k->httpcode/100 == 2) { + /* A client MUST ignore any Content-Length or Transfer-Encoding + header fields received in a successful response to CONNECT. + "Successful" described as: 2xx (Successful). RFC 7231 4.3.6 */ + infof(data, "Ignoring Transfer-Encoding in " + "CONNECT %03d response", k->httpcode); } + else if(Curl_compareheader(header, + STRCONST("Transfer-Encoding:"), + STRCONST("chunked"))) { + infof(data, "CONNECT responded chunked"); + ts->chunked_encoding = TRUE; + /* init our chunky engine */ + Curl_httpchunk_init(data); + } + } + else if(Curl_compareheader(header, + STRCONST("Proxy-Connection:"), + STRCONST("close"))) + ts->close_connection = TRUE; + else if(2 == sscanf(header, "HTTP/1.%d %d", + &subversion, + &k->httpcode)) { + /* store the HTTP code from the proxy */ + data->info.httpproxycode = k->httpcode; + } + return result; +} + +static CURLcode recv_CONNECT_resp(struct Curl_easy *data, + struct connectdata *conn, + struct tunnel_state *ts, + bool *done) +{ + CURLcode result = CURLE_OK; + struct SingleRequest *k = &data->req; + curl_socket_t tunnelsocket = conn->sock[ts->sockindex]; + char *linep; + size_t perline; + int error; + +#define SELECT_OK 0 +#define SELECT_ERROR 1 + + error = SELECT_OK; + *done = FALSE; + + if(!Curl_conn_data_pending(data, ts->sockindex)) + return CURLE_OK; + + while(ts->keepon) { + ssize_t gotbytes; + char byte; - if(!Curl_conn_data_pending(conn, sockindex) && !http->sending) - /* return so we'll be called again polling-style */ + /* Read one byte at a time to avoid a race condition. Wait at most one + second before looping to ensure continuous pgrsUpdates. */ + result = Curl_read(data, tunnelsocket, &byte, 1, &gotbytes); + if(result == CURLE_AGAIN) + /* socket buffer drained, return */ return CURLE_OK; - /* at this point, the tunnel_connecting phase is over. */ - - if(http->sending == HTTPSEND_REQUEST) { - if(!s->nsend) { - size_t fillcount; - k->upload_fromhere = data->state.ulbuf; - result = Curl_fillreadbuffer(data, data->set.upload_buffer_size, - &fillcount); - if(result) - return result; - s->nsend = fillcount; + if(Curl_pgrsUpdate(data)) + return CURLE_ABORTED_BY_CALLBACK; + + if(result) { + ts->keepon = KEEPON_DONE; + break; + } + + if(gotbytes <= 0) { + if(data->set.proxyauth && data->state.authproxy.avail && + data->state.aptr.proxyuserpwd) { + /* proxy auth was requested and there was proxy auth available, + then deem this as "mere" proxy disconnect */ + ts->close_connection = TRUE; + infof(data, "Proxy CONNECT connection closed"); } - if(s->nsend) { - ssize_t bytes_written; - /* write to socket (send away data) */ - result = Curl_write(data, - conn->writesockfd, /* socket to send to */ - k->upload_fromhere, /* buffer pointer */ - s->nsend, /* buffer size */ - &bytes_written); /* actually sent */ - - if(!result) - /* send to debug callback! */ - Curl_debug(data, CURLINFO_HEADER_OUT, - k->upload_fromhere, bytes_written); - - s->nsend -= bytes_written; - k->upload_fromhere += bytes_written; - return result; + else { + error = SELECT_ERROR; + failf(data, "Proxy CONNECT aborted"); } - http->sending = HTTPSEND_NADA; - /* if nothing left to send, continue */ + ts->keepon = KEEPON_DONE; + break; } - { /* READING RESPONSE PHASE */ - int error = SELECT_OK; - - while(s->keepon) { - ssize_t gotbytes; - char byte; - - /* Read one byte at a time to avoid a race condition. Wait at most one - second before looping to ensure continuous pgrsUpdates. */ - result = Curl_read(data, tunnelsocket, &byte, 1, &gotbytes); - if(result == CURLE_AGAIN) - /* socket buffer drained, return */ - return CURLE_OK; - if(Curl_pgrsUpdate(data)) - return CURLE_ABORTED_BY_CALLBACK; + if(ts->keepon == KEEPON_IGNORE) { + /* This means we are currently ignoring a response-body */ - if(result) { - s->keepon = KEEPON_DONE; + if(ts->cl) { + /* A Content-Length based body: simply count down the counter + and make sure to break out of the loop when we're done! */ + ts->cl--; + if(ts->cl <= 0) { + ts->keepon = KEEPON_DONE; break; } - else if(gotbytes <= 0) { - if(data->set.proxyauth && data->state.authproxy.avail && - data->state.aptr.proxyuserpwd) { - /* proxy auth was requested and there was proxy auth available, - then deem this as "mere" proxy disconnect */ - conn->bits.proxy_connect_closed = TRUE; - infof(data, "Proxy CONNECT connection closed"); - } - else { - error = SELECT_ERROR; - failf(data, "Proxy CONNECT aborted"); - } - s->keepon = KEEPON_DONE; - break; - } - - if(s->keepon == KEEPON_IGNORE) { - /* This means we are currently ignoring a response-body */ - - if(s->cl) { - /* A Content-Length based body: simply count down the counter - and make sure to break out of the loop when we're done! */ - s->cl--; - if(s->cl <= 0) { - s->keepon = KEEPON_DONE; - s->tunnel_state = TUNNEL_COMPLETE; - break; - } - } - else { - /* chunked-encoded body, so we need to do the chunked dance - properly to know when the end of the body is reached */ - CHUNKcode r; - CURLcode extra; - ssize_t tookcareof = 0; - - /* now parse the chunked piece of data so that we can - properly tell when the stream ends */ - r = Curl_httpchunk_read(data, &byte, 1, &tookcareof, &extra); - if(r == CHUNKE_STOP) { - /* we're done reading chunks! */ - infof(data, "chunk reading DONE"); - s->keepon = KEEPON_DONE; - /* we did the full CONNECT treatment, go COMPLETE */ - s->tunnel_state = TUNNEL_COMPLETE; - } - } - continue; - } - - if(Curl_dyn_addn(&s->rcvbuf, &byte, 1)) { - failf(data, "CONNECT response too large"); - return CURLE_RECV_ERROR; + } + else { + /* chunked-encoded body, so we need to do the chunked dance + properly to know when the end of the body is reached */ + CHUNKcode r; + CURLcode extra; + ssize_t tookcareof = 0; + + /* now parse the chunked piece of data so that we can + properly tell when the stream ends */ + r = Curl_httpchunk_read(data, &byte, 1, &tookcareof, &extra); + if(r == CHUNKE_STOP) { + /* we're done reading chunks! */ + infof(data, "chunk reading DONE"); + ts->keepon = KEEPON_DONE; } + } + continue; + } - /* if this is not the end of a header line then continue */ - if(byte != 0x0a) - continue; - - s->headerlines++; - linep = Curl_dyn_ptr(&s->rcvbuf); - perline = Curl_dyn_len(&s->rcvbuf); /* amount of bytes in this line */ - - /* output debug if that is requested */ - Curl_debug(data, CURLINFO_HEADER_IN, linep, perline); + if(Curl_dyn_addn(&ts->rcvbuf, &byte, 1)) { + failf(data, "CONNECT response too large"); + return CURLE_RECV_ERROR; + } - if(!data->set.suppress_connect_headers) { - /* send the header to the callback */ - int writetype = CLIENTWRITE_HEADER | CLIENTWRITE_CONNECT | - (data->set.include_header ? CLIENTWRITE_BODY : 0) | - (s->headerlines == 1 ? CLIENTWRITE_STATUS : 0); + /* if this is not the end of a header line then continue */ + if(byte != 0x0a) + continue; - result = Curl_client_write(data, writetype, linep, perline); - if(result) - return result; - } + ts->headerlines++; + linep = Curl_dyn_ptr(&ts->rcvbuf); + perline = Curl_dyn_len(&ts->rcvbuf); /* amount of bytes in this line */ - data->info.header_size += (long)perline; - - /* Newlines are CRLF, so the CR is ignored as the line isn't - really terminated until the LF comes. Treat a following CR - as end-of-headers as well.*/ - - if(('\r' == linep[0]) || - ('\n' == linep[0])) { - /* end of response-headers from the proxy */ - - if((407 == k->httpcode) && !data->state.authproblem) { - /* If we get a 407 response code with content length - when we have no auth problem, we must ignore the - whole response-body */ - s->keepon = KEEPON_IGNORE; - - if(s->cl) { - infof(data, "Ignore %" CURL_FORMAT_CURL_OFF_T - " bytes of response-body", s->cl); - } - else if(s->chunked_encoding) { - CHUNKcode r; - CURLcode extra; - - infof(data, "Ignore chunked response-body"); - - /* We set ignorebody true here since the chunked decoder - function will acknowledge that. Pay attention so that this is - cleared again when this function returns! */ - k->ignorebody = TRUE; - - if(linep[1] == '\n') - /* this can only be a LF if the letter at index 0 was a CR */ - linep++; - - /* now parse the chunked piece of data so that we can properly - tell when the stream ends */ - r = Curl_httpchunk_read(data, linep + 1, 1, &gotbytes, - &extra); - if(r == CHUNKE_STOP) { - /* we're done reading chunks! */ - infof(data, "chunk reading DONE"); - s->keepon = KEEPON_DONE; - /* we did the full CONNECT treatment, go to COMPLETE */ - s->tunnel_state = TUNNEL_COMPLETE; - } - } - else { - /* without content-length or chunked encoding, we - can't keep the connection alive since the close is - the end signal so we bail out at once instead */ - s->keepon = KEEPON_DONE; - } - } - else - s->keepon = KEEPON_DONE; + /* output debug if that is requested */ + Curl_debug(data, CURLINFO_HEADER_IN, linep, perline); - if(s->keepon == KEEPON_DONE && !s->cl) - /* we did the full CONNECT treatment, go to COMPLETE */ - s->tunnel_state = TUNNEL_COMPLETE; + if(!data->set.suppress_connect_headers) { + /* send the header to the callback */ + int writetype = CLIENTWRITE_HEADER | CLIENTWRITE_CONNECT | + (data->set.include_header ? CLIENTWRITE_BODY : 0) | + (ts->headerlines == 1 ? CLIENTWRITE_STATUS : 0); - DEBUGASSERT(s->keepon == KEEPON_IGNORE || s->keepon == KEEPON_DONE); - continue; - } + result = Curl_client_write(data, writetype, linep, perline); + if(result) + return result; + } - if((checkprefix("WWW-Authenticate:", linep) && - (401 == k->httpcode)) || - (checkprefix("Proxy-authenticate:", linep) && - (407 == k->httpcode))) { + data->info.header_size += (long)perline; - bool proxy = (k->httpcode == 407) ? TRUE : FALSE; - char *auth = Curl_copy_header_value(linep); - if(!auth) - return CURLE_OUT_OF_MEMORY; + /* Newlines are CRLF, so the CR is ignored as the line isn't + really terminated until the LF comes. Treat a following CR + as end-of-headers as well.*/ - result = Curl_http_input_auth(data, proxy, auth); + if(('\r' == linep[0]) || + ('\n' == linep[0])) { + /* end of response-headers from the proxy */ - free(auth); + if((407 == k->httpcode) && !data->state.authproblem) { + /* If we get a 407 response code with content length + when we have no auth problem, we must ignore the + whole response-body */ + ts->keepon = KEEPON_IGNORE; - if(result) - return result; + if(ts->cl) { + infof(data, "Ignore %" CURL_FORMAT_CURL_OFF_T + " bytes of response-body", ts->cl); } - else if(checkprefix("Content-Length:", linep)) { - if(k->httpcode/100 == 2) { - /* A client MUST ignore any Content-Length or Transfer-Encoding - header fields received in a successful response to CONNECT. - "Successful" described as: 2xx (Successful). RFC 7231 4.3.6 */ - infof(data, "Ignoring Content-Length in CONNECT %03d response", - k->httpcode); - } - else { - (void)curlx_strtoofft(linep + - strlen("Content-Length:"), NULL, 10, &s->cl); + else if(ts->chunked_encoding) { + CHUNKcode r; + CURLcode extra; + + infof(data, "Ignore chunked response-body"); + + /* We set ignorebody true here since the chunked decoder + function will acknowledge that. Pay attention so that this is + cleared again when this function returns! */ + k->ignorebody = TRUE; + + if(linep[1] == '\n') + /* this can only be a LF if the letter at index 0 was a CR */ + linep++; + + /* now parse the chunked piece of data so that we can properly + tell when the stream ends */ + r = Curl_httpchunk_read(data, linep + 1, 1, &gotbytes, + &extra); + if(r == CHUNKE_STOP) { + /* we're done reading chunks! */ + infof(data, "chunk reading DONE"); + ts->keepon = KEEPON_DONE; } } - else if(Curl_compareheader(linep, - STRCONST("Connection:"), STRCONST("close"))) - s->close_connection = TRUE; - else if(checkprefix("Transfer-Encoding:", linep)) { - if(k->httpcode/100 == 2) { - /* A client MUST ignore any Content-Length or Transfer-Encoding - header fields received in a successful response to CONNECT. - "Successful" described as: 2xx (Successful). RFC 7231 4.3.6 */ - infof(data, "Ignoring Transfer-Encoding in " - "CONNECT %03d response", k->httpcode); - } - else if(Curl_compareheader(linep, - STRCONST("Transfer-Encoding:"), - STRCONST("chunked"))) { - infof(data, "CONNECT responded chunked"); - s->chunked_encoding = TRUE; - /* init our chunky engine */ - Curl_httpchunk_init(data); - } + else { + /* without content-length or chunked encoding, we + can't keep the connection alive since the close is + the end signal so we bail out at once instead */ + DEBUGF(infof(data, "CONNECT: no content-length or chunked")); + ts->keepon = KEEPON_DONE; } - else if(Curl_compareheader(linep, - STRCONST("Proxy-Connection:"), - STRCONST("close"))) - s->close_connection = TRUE; - else if(2 == sscanf(linep, "HTTP/1.%d %d", - &subversion, - &k->httpcode)) { - /* store the HTTP code from the proxy */ - data->info.httpproxycode = k->httpcode; - } - - Curl_dyn_reset(&s->rcvbuf); - } /* while there's buffer left and loop is requested */ - - if(Curl_pgrsUpdate(data)) - return CURLE_ABORTED_BY_CALLBACK; - - if(error) - return CURLE_RECV_ERROR; - - if(data->info.httpproxycode/100 != 2) { - /* Deal with the possibly already received authenticate - headers. 'newurl' is set to a new URL if we must loop. */ - result = Curl_http_auth_act(data); - if(result) - return result; - - if(conn->bits.close) - /* the connection has been marked for closure, most likely in the - Curl_http_auth_act() function and thus we can kill it at once - below */ - s->close_connection = TRUE; } - - if(s->close_connection && data->req.newurl) { - /* Connection closed by server. Don't use it anymore */ - Curl_closesocket(data, conn, conn->sock[sockindex]); - conn->sock[sockindex] = CURL_SOCKET_BAD; - break; + else { + ts->keepon = KEEPON_DONE; } - } /* END READING RESPONSE PHASE */ - /* If we are supposed to continue and request a new URL, which basically - * means the HTTP authentication is still going on so if the tunnel - * is complete we start over in INIT state */ - if(data->req.newurl && (TUNNEL_COMPLETE == s->tunnel_state)) { - connect_init(data, TRUE); /* reinit */ + DEBUGASSERT(ts->keepon == KEEPON_IGNORE + || ts->keepon == KEEPON_DONE); + continue; } - } while(data->req.newurl); - - if(data->info.httpproxycode/100 != 2) { - if(s->close_connection && data->req.newurl) { - conn->bits.proxy_connect_closed = TRUE; - infof(data, "Connect me again please"); - Curl_connect_done(data); - } - else { - free(data->req.newurl); - data->req.newurl = NULL; - /* failure, close this connection to avoid re-use */ - streamclose(conn, "proxy CONNECT failure"); - } + result = on_resp_header(data, ts, linep); + if(result) + return result; - /* to back to init state */ - s->tunnel_state = TUNNEL_INIT; + Curl_dyn_reset(&ts->rcvbuf); + } /* while there's buffer left and loop is requested */ - if(conn->bits.proxy_connect_closed) - /* this is not an error, just part of the connection negotiation */ - return CURLE_OK; - Curl_dyn_free(&s->rcvbuf); - failf(data, "Received HTTP code %d from proxy after CONNECT", - data->req.httpcode); - return CURLE_RECV_ERROR; + if(error) + result = CURLE_RECV_ERROR; + *done = (ts->keepon == KEEPON_DONE); + if(!result && *done && data->info.httpproxycode/100 != 2) { + /* Deal with the possibly already received authenticate + headers. 'newurl' is set to a new URL if we must loop. */ + result = Curl_http_auth_act(data); } - - s->tunnel_state = TUNNEL_COMPLETE; - - /* If a proxy-authorization header was used for the proxy, then we should - make sure that it isn't accidentally used for the document request - after we've connected. So let's free and clear it here. */ - Curl_safefree(data->state.aptr.proxyuserpwd); - data->state.aptr.proxyuserpwd = NULL; - - data->state.authproxy.done = TRUE; - data->state.authproxy.multipass = FALSE; - - infof(data, "Proxy replied %d to CONNECT request", - data->info.httpproxycode); - data->req.ignorebody = FALSE; /* put it (back) to non-ignore state */ - conn->bits.rewindaftersend = FALSE; /* make sure this isn't set for the - document request */ - Curl_dyn_free(&s->rcvbuf); - return CURLE_OK; + return result; } -#else + +#else /* USE_HYPER */ /* The Hyper version of CONNECT */ -static CURLcode CONNECT(struct Curl_easy *data, - int sockindex, - const char *hostname, - int remote_port) +static CURLcode start_CONNECT(struct Curl_easy *data, + struct connectdata *conn, + struct tunnel_state *ts) { - struct connectdata *conn = data->conn; struct hyptransfer *h = &data->hyp; - curl_socket_t tunnelsocket = conn->sock[sockindex]; - struct http_connect_state *s = conn->connect_state; - CURLcode result = CURLE_OUT_OF_MEMORY; + curl_socket_t tunnelsocket = conn->sock[ts->sockindex]; hyper_io *io = NULL; hyper_request *req = NULL; hyper_headers *headers = NULL; hyper_clientconn_options *options = NULL; hyper_task *handshake = NULL; hyper_task *task = NULL; /* for the handshake */ - hyper_task *sendtask = NULL; /* for the send */ hyper_clientconn *client = NULL; - hyper_error *hypererr = NULL; + hyper_task *sendtask = NULL; /* for the send */ char *hostheader = NULL; /* for CONNECT */ char *host = NULL; /* Host: */ + CURLcode result = CURLE_OUT_OF_MEMORY; - if(Curl_connect_complete(conn)) - return CURLE_OK; /* CONNECT is already completed */ + io = hyper_io_new(); + if(!io) { + failf(data, "Couldn't create hyper IO"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } + /* tell Hyper how to read/write network data */ + hyper_io_set_userdata(io, data); + hyper_io_set_read(io, Curl_hyper_recv); + hyper_io_set_write(io, Curl_hyper_send); + conn->sockfd = tunnelsocket; + + data->state.hconnect = TRUE; + + /* create an executor to poll futures */ + if(!h->exec) { + h->exec = hyper_executor_new(); + if(!h->exec) { + failf(data, "Couldn't create hyper executor"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } + } - conn->bits.proxy_connect_closed = FALSE; + options = hyper_clientconn_options_new(); + hyper_clientconn_options_set_preserve_header_case(options, 1); + hyper_clientconn_options_set_preserve_header_order(options, 1); - do { - switch(s->tunnel_state) { - case TUNNEL_INIT: - /* BEGIN CONNECT PHASE */ - io = hyper_io_new(); - if(!io) { - failf(data, "Couldn't create hyper IO"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } - /* tell Hyper how to read/write network data */ - hyper_io_set_userdata(io, data); - hyper_io_set_read(io, Curl_hyper_recv); - hyper_io_set_write(io, Curl_hyper_send); - conn->sockfd = tunnelsocket; - - data->state.hconnect = TRUE; - - /* create an executor to poll futures */ - if(!h->exec) { - h->exec = hyper_executor_new(); - if(!h->exec) { - failf(data, "Couldn't create hyper executor"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } - } + if(!options) { + failf(data, "Couldn't create hyper client options"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } - options = hyper_clientconn_options_new(); - hyper_clientconn_options_set_preserve_header_case(options, 1); - hyper_clientconn_options_set_preserve_header_order(options, 1); + hyper_clientconn_options_exec(options, h->exec); - if(!options) { - failf(data, "Couldn't create hyper client options"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } + /* "Both the `io` and the `options` are consumed in this function + call" */ + handshake = hyper_clientconn_handshake(io, options); + if(!handshake) { + failf(data, "Couldn't create hyper client handshake"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } + io = NULL; + options = NULL; - hyper_clientconn_options_exec(options, h->exec); + if(HYPERE_OK != hyper_executor_push(h->exec, handshake)) { + failf(data, "Couldn't hyper_executor_push the handshake"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } + handshake = NULL; /* ownership passed on */ - /* "Both the `io` and the `options` are consumed in this function - call" */ - handshake = hyper_clientconn_handshake(io, options); - if(!handshake) { - failf(data, "Couldn't create hyper client handshake"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } - io = NULL; - options = NULL; + task = hyper_executor_poll(h->exec); + if(!task) { + failf(data, "Couldn't hyper_executor_poll the handshake"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } - if(HYPERE_OK != hyper_executor_push(h->exec, handshake)) { - failf(data, "Couldn't hyper_executor_push the handshake"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } - handshake = NULL; /* ownership passed on */ + client = hyper_task_value(task); + hyper_task_free(task); + req = hyper_request_new(); + if(!req) { + failf(data, "Couldn't hyper_request_new"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } + if(hyper_request_set_method(req, (uint8_t *)"CONNECT", + strlen("CONNECT"))) { + failf(data, "error setting method"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } - task = hyper_executor_poll(h->exec); - if(!task) { - failf(data, "Couldn't hyper_executor_poll the handshake"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } + infof(data, "Establish HTTP proxy tunnel to %s:%d", + ts->hostname, ts->remote_port); - client = hyper_task_value(task); - hyper_task_free(task); - req = hyper_request_new(); - if(!req) { - failf(data, "Couldn't hyper_request_new"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } - if(hyper_request_set_method(req, (uint8_t *)"CONNECT", - strlen("CONNECT"))) { - failf(data, "error setting method"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } + /* This only happens if we've looped here due to authentication + reasons, and we don't really use the newly cloned URL here + then. Just free() it. */ + Curl_safefree(data->req.newurl); - infof(data, "Establish HTTP proxy tunnel to %s:%d", - hostname, remote_port); + result = CONNECT_host(data, conn, ts->hostname, ts->remote_port, + &hostheader, &host); + if(result) + goto error; - /* This only happens if we've looped here due to authentication - reasons, and we don't really use the newly cloned URL here - then. Just free() it. */ - Curl_safefree(data->req.newurl); + if(hyper_request_set_uri(req, (uint8_t *)hostheader, + strlen(hostheader))) { + failf(data, "error setting path"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } + if(data->set.verbose) { + char *se = aprintf("CONNECT %s HTTP/1.1\r\n", hostheader); + if(!se) { + result = CURLE_OUT_OF_MEMORY; + goto error; + } + Curl_debug(data, CURLINFO_HEADER_OUT, se, strlen(se)); + free(se); + } + /* Setup the proxy-authorization header, if any */ + result = Curl_http_output_auth(data, conn, "CONNECT", HTTPREQ_GET, + hostheader, TRUE); + if(result) + goto error; + Curl_safefree(hostheader); + + /* default is 1.1 */ + if((conn->http_proxy.proxytype == CURLPROXY_HTTP_1_0) && + (HYPERE_OK != hyper_request_set_version(req, + HYPER_HTTP_VERSION_1_0))) { + failf(data, "error setting HTTP version"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } - result = CONNECT_host(data, conn, hostname, remote_port, - &hostheader, &host); - if(result) - goto error; + headers = hyper_request_headers(req); + if(!headers) { + failf(data, "hyper_request_headers"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } + if(host) { + result = Curl_hyper_header(data, headers, host); + if(result) + goto error; + Curl_safefree(host); + } - if(hyper_request_set_uri(req, (uint8_t *)hostheader, - strlen(hostheader))) { - failf(data, "error setting path"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } - if(data->set.verbose) { - char *se = aprintf("CONNECT %s HTTP/1.1\r\n", hostheader); - if(!se) { - result = CURLE_OUT_OF_MEMORY; - goto error; - } - Curl_debug(data, CURLINFO_HEADER_OUT, se, strlen(se)); - free(se); - } - /* Setup the proxy-authorization header, if any */ - result = Curl_http_output_auth(data, conn, "CONNECT", HTTPREQ_GET, - hostheader, TRUE); - if(result) - goto error; - Curl_safefree(hostheader); + if(data->state.aptr.proxyuserpwd) { + result = Curl_hyper_header(data, headers, + data->state.aptr.proxyuserpwd); + if(result) + goto error; + } - /* default is 1.1 */ - if((conn->http_proxy.proxytype == CURLPROXY_HTTP_1_0) && - (HYPERE_OK != hyper_request_set_version(req, - HYPER_HTTP_VERSION_1_0))) { - failf(data, "error setting HTTP version"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } + if(!Curl_checkProxyheaders(data, conn, STRCONST("User-Agent")) && + data->set.str[STRING_USERAGENT]) { + struct dynbuf ua; + Curl_dyn_init(&ua, DYN_HTTP_REQUEST); + result = Curl_dyn_addf(&ua, "User-Agent: %s\r\n", + data->set.str[STRING_USERAGENT]); + if(result) + goto error; + result = Curl_hyper_header(data, headers, Curl_dyn_ptr(&ua)); + if(result) + goto error; + Curl_dyn_free(&ua); + } + + if(!Curl_checkProxyheaders(data, conn, STRCONST("Proxy-Connection"))) { + result = Curl_hyper_header(data, headers, + "Proxy-Connection: Keep-Alive"); + if(result) + goto error; + } + + result = Curl_add_custom_headers(data, TRUE, headers); + if(result) + goto error; + + sendtask = hyper_clientconn_send(client, req); + if(!sendtask) { + failf(data, "hyper_clientconn_send"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } + + if(HYPERE_OK != hyper_executor_push(h->exec, sendtask)) { + failf(data, "Couldn't hyper_executor_push the send"); + result = CURLE_OUT_OF_MEMORY; + goto error; + } - headers = hyper_request_headers(req); - if(!headers) { - failf(data, "hyper_request_headers"); +error: + free(host); + free(hostheader); + if(io) + hyper_io_free(io); + if(options) + hyper_clientconn_options_free(options); + if(handshake) + hyper_task_free(handshake); + if(client) + hyper_clientconn_free(client); + return result; +} + +static CURLcode send_CONNECT(struct Curl_easy *data, + struct connectdata *conn, + struct tunnel_state *ts, + bool *done) +{ + struct hyptransfer *h = &data->hyp; + hyper_task *task = NULL; + hyper_error *hypererr = NULL; + CURLcode result = CURLE_OK; + + (void)ts; + (void)conn; + do { + task = hyper_executor_poll(h->exec); + if(task) { + bool error = hyper_task_type(task) == HYPER_TASK_ERROR; + if(error) + hypererr = hyper_task_value(task); + hyper_task_free(task); + if(error) { + /* this could probably use a better error code? */ result = CURLE_OUT_OF_MEMORY; goto error; } - if(host) { - result = Curl_hyper_header(data, headers, host); - if(result) - goto error; - Curl_safefree(host); - } + } + } while(task); +error: + *done = (result == CURLE_OK); + if(hypererr) { + uint8_t errbuf[256]; + size_t errlen = hyper_error_print(hypererr, errbuf, sizeof(errbuf)); + failf(data, "Hyper: %.*s", (int)errlen, errbuf); + hyper_error_free(hypererr); + } + return result; +} - if(data->state.aptr.proxyuserpwd) { - result = Curl_hyper_header(data, headers, - data->state.aptr.proxyuserpwd); - if(result) - goto error; - } +static CURLcode recv_CONNECT_resp(struct Curl_easy *data, + struct connectdata *conn, + struct tunnel_state *ts, + bool *done) +{ + struct hyptransfer *h = &data->hyp; + CURLcode result; + int didwhat; + + (void)ts; + *done = FALSE; + result = Curl_hyper_stream(data, conn, &didwhat, done, + CURL_CSELECT_IN | CURL_CSELECT_OUT); + if(result || !*done) + return result; + if(h->exec) { + hyper_executor_free(h->exec); + h->exec = NULL; + } + if(h->read_waker) { + hyper_waker_free(h->read_waker); + h->read_waker = NULL; + } + if(h->write_waker) { + hyper_waker_free(h->write_waker); + h->write_waker = NULL; + } + return result; +} - if(!Curl_checkProxyheaders(data, conn, STRCONST("User-Agent")) && - data->set.str[STRING_USERAGENT]) { - struct dynbuf ua; - Curl_dyn_init(&ua, DYN_HTTP_REQUEST); - result = Curl_dyn_addf(&ua, "User-Agent: %s\r\n", - data->set.str[STRING_USERAGENT]); - if(result) - goto error; - result = Curl_hyper_header(data, headers, Curl_dyn_ptr(&ua)); - if(result) - goto error; - Curl_dyn_free(&ua); - } +#endif /* USE_HYPER */ - if(!Curl_checkProxyheaders(data, conn, STRCONST("Proxy-Connection"))) { - result = Curl_hyper_header(data, headers, - "Proxy-Connection: Keep-Alive"); - if(result) - goto error; - } +static CURLcode CONNECT(struct Curl_cfilter *cf, + struct Curl_easy *data, + struct tunnel_state *ts) +{ + struct connectdata *conn = cf->conn; + CURLcode result; + bool done; + + if(tunnel_is_established(ts)) + return CURLE_OK; + if(tunnel_is_failed(ts)) + return CURLE_RECV_ERROR; /* Need a cfilter close and new bootstrap */ + + do { + timediff_t check; - result = Curl_add_custom_headers(data, TRUE, headers); + check = Curl_timeleft(data, NULL, TRUE); + if(check <= 0) { + failf(data, "Proxy CONNECT aborted due to timeout"); + result = CURLE_OPERATION_TIMEDOUT; + goto out; + } + + switch(ts->tunnel_state) { + case TUNNEL_INIT: + /* Prepare the CONNECT request and make a first attempt to send. */ + result = start_CONNECT(data, cf->conn, ts); if(result) - goto error; + goto out; + tunnel_go_state(cf, ts, TUNNEL_CONNECT, data); + /* FALLTHROUGH */ - sendtask = hyper_clientconn_send(client, req); - if(!sendtask) { - failf(data, "hyper_clientconn_send"); - result = CURLE_OUT_OF_MEMORY; - goto error; - } + case TUNNEL_CONNECT: + /* see that the request is completely sent */ + result = send_CONNECT(data, cf->conn, ts, &done); + if(result || !done) + goto out; + tunnel_go_state(cf, ts, TUNNEL_RECEIVE, data); + /* FALLTHROUGH */ - if(HYPERE_OK != hyper_executor_push(h->exec, sendtask)) { - failf(data, "Couldn't hyper_executor_push the send"); - result = CURLE_OUT_OF_MEMORY; - goto error; + case TUNNEL_RECEIVE: + /* read what is there */ + result = recv_CONNECT_resp(data, cf->conn, ts, &done); + if(Curl_pgrsUpdate(data)) { + result = CURLE_ABORTED_BY_CALLBACK; + goto out; } + /* error or not complete yet. return for more multi-multi */ + if(result || !done) + goto out; + /* got it */ + tunnel_go_state(cf, ts, TUNNEL_RESPONSE, data); + /* FALLTHROUGH */ - hyper_clientconn_free(client); - - do { - task = hyper_executor_poll(h->exec); - if(task) { - bool error = hyper_task_type(task) == HYPER_TASK_ERROR; - if(error) - hypererr = hyper_task_value(task); - hyper_task_free(task); - if(error) { - /* this could probably use a better error code? */ - result = CURLE_OUT_OF_MEMORY; - goto error; - } + case TUNNEL_RESPONSE: + if(data->req.newurl) { + /* not the "final" response, we need to do a follow up request. + * If the other side indicated a connection close, or if someone + * else told us to close this connection, do so now. */ + if(ts->close_connection || conn->bits.close) { + /* Close the filter chain and trigger connect, non-blocking + * again, so the process is ongoing. This will + * a) the close resets our tunnel state + * b) the connect makes sure that there will be a socket + * to select on again. + * We return and expect to be called again. */ + infof(data, "Connect me again please"); + Curl_conn_close(data, cf->sockindex); + result = cf->next->cft->connect(cf->next, data, FALSE, &done); + goto out; } - } while(task); - s->tunnel_state = TUNNEL_CONNECT; - /* FALLTHROUGH */ - case TUNNEL_CONNECT: { - int didwhat; - bool done = FALSE; - result = Curl_hyper_stream(data, conn, &didwhat, &done, - CURL_CSELECT_IN | CURL_CSELECT_OUT); - if(result) - goto error; - if(!done) - break; - s->tunnel_state = TUNNEL_COMPLETE; - if(h->exec) { - hyper_executor_free(h->exec); - h->exec = NULL; + /* staying on this connection, reset state */ + tunnel_go_state(cf, ts, TUNNEL_INIT, data); } - if(h->read_waker) { - hyper_waker_free(h->read_waker); - h->read_waker = NULL; - } - if(h->write_waker) { - hyper_waker_free(h->write_waker); - h->write_waker = NULL; - } - } - break; - - default: break; - } - if(conn->bits.close && data->req.newurl) { - /* Connection closed by server. Don't use it anymore */ - Curl_closesocket(data, conn, conn->sock[sockindex]); - conn->sock[sockindex] = CURL_SOCKET_BAD; + default: break; } - /* If we are supposed to continue and request a new URL, which basically - * means the HTTP authentication is still going on so if the tunnel - * is complete we start over in INIT state */ - if(data->req.newurl && (TUNNEL_COMPLETE == s->tunnel_state)) { - infof(data, "CONNECT request done, loop to make another"); - connect_init(data, TRUE); /* reinit */ - } } while(data->req.newurl); + DEBUGASSERT(ts->tunnel_state == TUNNEL_RESPONSE); + if(data->info.httpproxycode/100 != 2) { + /* a non-2xx response and we have no next url to try. */ + free(data->req.newurl); + data->req.newurl = NULL; + /* failure, close this connection to avoid re-use */ + streamclose(conn, "proxy CONNECT failure"); + tunnel_go_state(cf, ts, TUNNEL_FAILED, data); + failf(data, "CONNECT tunnel failed, response %d", data->req.httpcode); + return CURLE_RECV_ERROR; + } + /* 2xx response, SUCCESS! */ + tunnel_go_state(cf, ts, TUNNEL_ESTABLISHED, data); + infof(data, "CONNECT tunnel established, response %d", + data->info.httpproxycode); result = CURLE_OK; - if(s->tunnel_state == TUNNEL_COMPLETE) { - if(data->info.httpproxycode/100 != 2) { - if(conn->bits.close && data->req.newurl) { - conn->bits.proxy_connect_closed = TRUE; - infof(data, "Connect me again please"); - Curl_connect_done(data); - } - else { - free(data->req.newurl); - data->req.newurl = NULL; - /* failure, close this connection to avoid re-use */ - streamclose(conn, "proxy CONNECT failure"); - Curl_closesocket(data, conn, conn->sock[sockindex]); - conn->sock[sockindex] = CURL_SOCKET_BAD; - } - /* to back to init state */ - s->tunnel_state = TUNNEL_INIT; +out: + if(result) + tunnel_go_state(cf, ts, TUNNEL_FAILED, data); + return result; +} - if(!conn->bits.proxy_connect_closed) { - failf(data, "Received HTTP code %d from proxy after CONNECT", - data->req.httpcode); - result = CURLE_RECV_ERROR; - } - } +static CURLcode http_proxy_cf_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done) +{ + CURLcode result; + struct tunnel_state *ts = cf->ctx; + + if(cf->connected) { + *done = TRUE; + return CURLE_OK; } - error: - free(host); - free(hostheader); - if(io) - hyper_io_free(io); - if(options) - hyper_clientconn_options_free(options); + result = cf->next->cft->connect(cf->next, data, blocking, done); + if(result || !*done) + return result; - if(handshake) - hyper_task_free(handshake); + /* TODO: can we do blocking? */ + /* We want "seamless" operations through HTTP proxy tunnel */ - if(hypererr) { - uint8_t errbuf[256]; - size_t errlen = hyper_error_print(hypererr, errbuf, sizeof(errbuf)); - failf(data, "Hyper: %.*s", (int)errlen, errbuf); - hyper_error_free(hypererr); + /* for the secondary socket (FTP), use the "connect to host" + * but ignore the "connect to port" (use the secondary port) + */ + *done = FALSE; + if(!ts) { + result = tunnel_init(&ts, data, cf->conn, cf->sockindex); + if(result) + return result; + cf->ctx = ts; + } + + result = CONNECT(cf, data, ts); + if(result) + goto out; + Curl_safefree(data->state.aptr.proxyuserpwd); + +out: + *done = (result == CURLE_OK) && tunnel_is_established(cf->ctx); + if (*done) { + cf->connected = TRUE; + tunnel_free(cf, data); } return result; } -#endif -void Curl_connect_free(struct Curl_easy *data) +static void http_proxy_cf_get_host(struct Curl_cfilter *cf, + struct Curl_easy *data, + const char **phost, + const char **pdisplay_host, + int *pport) +{ + (void)data; + if(!cf->connected) { + *phost = cf->conn->http_proxy.host.name; + *pdisplay_host = cf->conn->http_proxy.host.dispname; + *pport = (int)cf->conn->http_proxy.port; + } + else { + cf->next->cft->get_host(cf->next, data, phost, pdisplay_host, pport); + } +} + +static int http_proxy_cf_get_select_socks(struct Curl_cfilter *cf, + struct Curl_easy *data, + curl_socket_t *socks) +{ + struct tunnel_state *ts = cf->ctx; + struct connectdata *conn = cf->conn; + int fds; + + DEBUGASSERT(conn); + fds = cf->next->cft->get_select_socks(cf->next, data, socks); + if(!fds && cf->next->connected && !cf->connected) { + /* If we are not connected, but the filter "below" is + * and not waiting on something, we are tunneling. */ + socks[0] = conn->sock[cf->sockindex]; + if(ts) { + /* when we've sent a CONNECT to a proxy, we should rather either + wait for the socket to become readable to be able to get the + response headers or if we're still sending the request, wait + for write. */ + if(ts->http_proxy.sending == HTTPSEND_REQUEST) + return GETSOCK_WRITESOCK(0); + return GETSOCK_READSOCK(0); + } + return GETSOCK_WRITESOCK(0); + } + return fds; +} + +static void http_proxy_cf_detach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + if(cf->ctx) { + tunnel_free(cf, data); + } +} + +static void http_proxy_cf_destroy(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + http_proxy_cf_detach_data(cf, data); +} + +static void http_proxy_cf_close(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct connectdata *conn = data->conn; - struct http_connect_state *s = conn->connect_state; - if(s) { - free(s); - conn->connect_state = NULL; + DEBUGASSERT(cf->next); + cf->connected = FALSE; + cf->next->cft->close(cf->next, data); + if(cf->ctx) { + tunnel_go_state(cf, cf->ctx, TUNNEL_INIT, data); } } -/* - * Curl_proxyCONNECT() requires that we're connected to a HTTP proxy. This - * function will issue the necessary commands to get a seamless tunnel through - * this proxy. After that, the socket can be used just as a normal socket. - */ -CURLcode Curl_proxyCONNECT(struct Curl_easy *data, - int sockindex, - const char *hostname, - int remote_port) +static const struct Curl_cftype cft_http_proxy = { + "HTTP-PROXY", + CF_TYPE_IP_CONNECT, + http_proxy_cf_destroy, + Curl_cf_def_setup, + http_proxy_cf_connect, + http_proxy_cf_close, + http_proxy_cf_get_host, + http_proxy_cf_get_select_socks, + Curl_cf_def_data_pending, + Curl_cf_def_send, + Curl_cf_def_recv, + Curl_cf_def_attach_data, + http_proxy_cf_detach_data, +}; + +CURLcode Curl_conn_http_proxy_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex) { + struct Curl_cfilter *cf; CURLcode result; - struct connectdata *conn = data->conn; - if(!conn->connect_state) { - result = connect_init(data, FALSE); - if(result) - return result; + + result = Curl_cf_create(&cf, &cft_http_proxy, NULL); + if(!result) + Curl_conn_cf_add(data, conn, sockindex, cf); + return result; +} + + +static CURLcode send_haproxy_header(struct Curl_cfilter*cf, + struct Curl_easy *data) +{ + struct dynbuf req; + CURLcode result; + const char *tcp_version; + Curl_dyn_init(&req, DYN_HAXPROXY); + +#ifdef USE_UNIX_SOCKETS + if(cf->conn->unix_domain_socket) + /* the buffer is large enough to hold this! */ + result = Curl_dyn_addn(&req, STRCONST("PROXY UNKNOWN\r\n")); + else { +#endif /* USE_UNIX_SOCKETS */ + /* Emit the correct prefix for IPv6 */ + tcp_version = cf->conn->bits.ipv6 ? "TCP6" : "TCP4"; + + result = Curl_dyn_addf(&req, "PROXY %s %s %s %i %i\r\n", + tcp_version, + data->info.conn_local_ip, + data->info.conn_primary_ip, + data->info.conn_local_port, + data->info.conn_primary_port); + +#ifdef USE_UNIX_SOCKETS } - result = CONNECT(data, sockindex, hostname, remote_port); +#endif /* USE_UNIX_SOCKETS */ - if(result || Curl_connect_complete(conn)) - Curl_connect_done(data); + if(!result) + result = Curl_buffer_send(&req, data, &data->info.request_size, + 0, FIRSTSOCKET); + return result; +} + +static CURLcode haproxy_cf_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done) +{ + CURLcode result; + + if(cf->connected) { + *done = TRUE; + return CURLE_OK; + } + + result = cf->next->cft->connect(cf->next, data, blocking, done); + if(result || !*done) + return result; + result = send_haproxy_header(cf, data); + *done = (!result); + cf->connected = *done; return result; } -#else -void Curl_connect_free(struct Curl_easy *data) +static const struct Curl_cftype cft_haproxy = { + "HAPROXY", + 0, + Curl_cf_def_destroy_this, + Curl_cf_def_setup, + haproxy_cf_connect, + Curl_cf_def_close, + Curl_cf_def_get_host, + Curl_cf_def_get_select_socks, + Curl_cf_def_data_pending, + Curl_cf_def_send, + Curl_cf_def_recv, + Curl_cf_def_attach_data, + Curl_cf_def_detach_data, +}; + +CURLcode Curl_conn_haproxy_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex) { - (void)data; + struct Curl_cfilter *cf; + CURLcode result; + + result = Curl_cf_create(&cf, &cft_haproxy, NULL); + if(!result) + Curl_conn_cf_add(data, conn, sockindex, cf); + return result; } -#endif /* CURL_DISABLE_PROXY */ +#endif /* !CURL_DISABLE_PROXY &6 ! CURL_DISABLE_HTTP */ diff --git a/lib/http_proxy.h b/lib/http_proxy.h index 1e650ee..dfdc0e7 100644 --- a/lib/http_proxy.h +++ b/lib/http_proxy.h @@ -28,54 +28,18 @@ #include "urldata.h" #if !defined(CURL_DISABLE_PROXY) && !defined(CURL_DISABLE_HTTP) -/* ftp can use this as well */ -CURLcode Curl_proxyCONNECT(struct Curl_easy *data, - int tunnelsocket, - const char *hostname, int remote_port); /* Default proxy timeout in milliseconds */ #define PROXY_TIMEOUT (3600*1000) -CURLcode Curl_proxy_connect(struct Curl_easy *data, int sockindex); +CURLcode Curl_conn_http_proxy_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); -bool Curl_connect_complete(struct connectdata *conn); -bool Curl_connect_ongoing(struct connectdata *conn); -int Curl_connect_getsock(struct connectdata *conn); -void Curl_connect_done(struct Curl_easy *data); +CURLcode Curl_conn_haproxy_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); -#else -#define Curl_proxyCONNECT(x,y,z,w) CURLE_NOT_BUILT_IN -#define Curl_proxy_connect(x,y) CURLE_OK -#define Curl_connect_complete(x) CURLE_OK -#define Curl_connect_ongoing(x) FALSE -#define Curl_connect_getsock(x) 0 -#define Curl_connect_done(x) -#endif - -void Curl_connect_free(struct Curl_easy *data); - -/* struct for HTTP CONNECT state data */ -struct http_connect_state { - struct HTTP http_proxy; - struct HTTP *prot_save; - struct dynbuf rcvbuf; - struct dynbuf req; - size_t nsend; - size_t headerlines; - enum keeponval { - KEEPON_DONE, - KEEPON_CONNECT, - KEEPON_IGNORE - } keepon; - curl_off_t cl; /* size of content to read and ignore */ - enum { - TUNNEL_INIT, /* init/default/no tunnel state */ - TUNNEL_CONNECT, /* CONNECT has been sent off */ - TUNNEL_COMPLETE, /* CONNECT response received completely */ - TUNNEL_EXIT - } tunnel_state; - BIT(chunked_encoding); - BIT(close_connection); -}; +#endif /* !CURL_DISABLE_PROXY && !CURL_DISABLE_HTTP */ #endif /* HEADER_CURL_HTTP_PROXY_H */ diff --git a/lib/idn.c b/lib/idn.c new file mode 100644 index 0000000..6255221 --- /dev/null +++ b/lib/idn.c @@ -0,0 +1,193 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ + + /* + * IDN conversions + */ + +#include "curl_setup.h" +#include "urldata.h" +#include "idn.h" +#include "sendf.h" +#include "curl_multibyte.h" +#include "warnless.h" + +#ifdef USE_LIBIDN2 +#include + +#if defined(WIN32) && defined(UNICODE) +#define IDN2_LOOKUP(name, host, flags) \ + idn2_lookup_u8((const uint8_t *)name, (uint8_t **)host, flags) +#else +#define IDN2_LOOKUP(name, host, flags) \ + idn2_lookup_ul((const char *)name, (char **)host, flags) +#endif +#endif /* USE_LIBIDN2 */ + +/* The last 3 #include files should be in this order */ +#include "curl_printf.h" +#include "curl_memory.h" +#include "memdebug.h" + +#ifdef USE_WIN32_IDN +/* using Windows kernel32 and normaliz libraries. */ + +#if !defined(_WIN32_WINNT) || _WIN32_WINNT < 0x600 +WINBASEAPI int WINAPI IdnToAscii(DWORD dwFlags, + const WCHAR *lpUnicodeCharStr, + int cchUnicodeChar, + WCHAR *lpASCIICharStr, + int cchASCIIChar); +WINBASEAPI int WINAPI IdnToUnicode(DWORD dwFlags, + const WCHAR *lpASCIICharStr, + int cchASCIIChar, + WCHAR *lpUnicodeCharStr, + int cchUnicodeChar); +#endif + +#define IDN_MAX_LENGTH 255 + +bool Curl_win32_idn_to_ascii(const char *in, char **out) +{ + bool success = FALSE; + + wchar_t *in_w = curlx_convert_UTF8_to_wchar(in); + if(in_w) { + wchar_t punycode[IDN_MAX_LENGTH]; + int chars = IdnToAscii(0, in_w, -1, punycode, IDN_MAX_LENGTH); + curlx_unicodefree(in_w); + if(chars) { + char *mstr = curlx_convert_wchar_to_UTF8(punycode); + if(mstr) { + *out = strdup(mstr); + curlx_unicodefree(mstr); + if(*out) + success = TRUE; + } + } + } + + return success; +} + +#endif /* USE_WIN32_IDN */ + +/* + * Helpers for IDNA conversions. + */ +bool Curl_is_ASCII_name(const char *hostname) +{ + /* get an UNSIGNED local version of the pointer */ + const unsigned char *ch = (const unsigned char *)hostname; + + if(!hostname) /* bad input, consider it ASCII! */ + return TRUE; + + while(*ch) { + if(*ch++ & 0x80) + return FALSE; + } + return TRUE; +} + +#ifdef USE_IDN +/* + * Curl_idn_decode() returns an allocated IDN decoded string if it was + * possible. NULL on error. + */ +static char *Curl_idn_decode(const char *input) +{ + char *decoded = NULL; +#ifdef USE_LIBIDN2 + if(idn2_check_version(IDN2_VERSION)) { + int flags = IDN2_NFC_INPUT +#if IDN2_VERSION_NUMBER >= 0x00140000 + /* IDN2_NFC_INPUT: Normalize input string using normalization form C. + IDN2_NONTRANSITIONAL: Perform Unicode TR46 non-transitional + processing. */ + | IDN2_NONTRANSITIONAL +#endif + ; + int rc = IDN2_LOOKUP(input, &decoded, flags); + if(rc != IDN2_OK) + /* fallback to TR46 Transitional mode for better IDNA2003 + compatibility */ + rc = IDN2_LOOKUP(input, &decoded, IDN2_TRANSITIONAL); + if(rc != IDN2_OK) + decoded = NULL; + } +#elif defined(USE_WIN32_IDN) + if(!Curl_win32_idn_to_ascii(input, &decoded)) + decoded = NULL; +#endif + return decoded; +} + +/* + * Frees data allocated by idnconvert_hostname() + */ +void Curl_free_idnconverted_hostname(struct hostname *host) +{ +#if defined(USE_LIBIDN2) + if(host->encalloc) { + idn2_free(host->encalloc); /* must be freed with idn2_free() since this was + allocated by libidn */ + host->encalloc = NULL; + } +#elif defined(USE_WIN32_IDN) + free(host->encalloc); /* must be freed with free() since this was + allocated by Curl_win32_idn_to_ascii */ + host->encalloc = NULL; +#else + (void)host; +#endif +} + +#endif /* USE_IDN */ + +/* + * Perform any necessary IDN conversion of hostname + */ +CURLcode Curl_idnconvert_hostname(struct hostname *host) +{ + /* set the name we use to display the host name */ + host->dispname = host->name; + +#ifdef USE_IDN + /* Check name for non-ASCII and convert hostname if we can */ + if(!Curl_is_ASCII_name(host->name)) { + char *decoded = Curl_idn_decode(host->name); + if(decoded) { + /* successful */ + host->encalloc = decoded; + /* change the name pointer to point to the encoded hostname */ + host->name = host->encalloc; + } + else + return CURLE_URL_MALFORMAT; + } +#endif + return CURLE_OK; +} + diff --git a/lib/idn.h b/lib/idn.h new file mode 100644 index 0000000..2d04efc --- /dev/null +++ b/lib/idn.h @@ -0,0 +1,38 @@ +#ifndef HEADER_CURL_IDN_H +#define HEADER_CURL_IDN_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ + +#ifdef USE_WIN32_IDN +bool Curl_win32_idn_to_ascii(const char *in, char **out); +#endif /* USE_WIN32_IDN */ +bool Curl_is_ASCII_name(const char *hostname); +CURLcode Curl_idnconvert_hostname(struct hostname *host); +#if defined(USE_LIBIDN2) || defined(USE_WIN32_IDN) +#define USE_IDN +void Curl_free_idnconverted_hostname(struct hostname *host); +#else +#define Curl_free_idnconverted_hostname(x) +#endif +#endif /* HEADER_CURL_IDN_H */ diff --git a/lib/idn_win32.c b/lib/idn_win32.c deleted file mode 100644 index 2433d92..0000000 --- a/lib/idn_win32.c +++ /dev/null @@ -1,121 +0,0 @@ -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - * SPDX-License-Identifier: curl - * - ***************************************************************************/ - - /* - * IDN conversions using Windows kernel32 and normaliz libraries. - */ - -#include "curl_setup.h" - -#ifdef USE_WIN32_IDN - -#include "curl_multibyte.h" -#include "curl_memory.h" -#include "warnless.h" - - /* The last #include file should be: */ -#include "memdebug.h" - -#ifdef WANT_IDN_PROTOTYPES -# if defined(_SAL_VERSION) -WINNORMALIZEAPI int WINAPI -IdnToAscii(_In_ DWORD dwFlags, - _In_reads_(cchUnicodeChar) LPCWSTR lpUnicodeCharStr, - _In_ int cchUnicodeChar, - _Out_writes_opt_(cchASCIIChar) LPWSTR lpASCIICharStr, - _In_ int cchASCIIChar); -WINNORMALIZEAPI int WINAPI -IdnToUnicode(_In_ DWORD dwFlags, - _In_reads_(cchASCIIChar) LPCWSTR lpASCIICharStr, - _In_ int cchASCIIChar, - _Out_writes_opt_(cchUnicodeChar) LPWSTR lpUnicodeCharStr, - _In_ int cchUnicodeChar); -# else -WINBASEAPI int WINAPI IdnToAscii(DWORD dwFlags, - const WCHAR *lpUnicodeCharStr, - int cchUnicodeChar, - WCHAR *lpASCIICharStr, - int cchASCIIChar); -WINBASEAPI int WINAPI IdnToUnicode(DWORD dwFlags, - const WCHAR *lpASCIICharStr, - int cchASCIIChar, - WCHAR *lpUnicodeCharStr, - int cchUnicodeChar); -# endif -#endif - -#define IDN_MAX_LENGTH 255 - -bool Curl_win32_idn_to_ascii(const char *in, char **out); -bool Curl_win32_ascii_to_idn(const char *in, char **out); - -bool Curl_win32_idn_to_ascii(const char *in, char **out) -{ - bool success = FALSE; - - wchar_t *in_w = curlx_convert_UTF8_to_wchar(in); - if(in_w) { - wchar_t punycode[IDN_MAX_LENGTH]; - int chars = IdnToAscii(0, in_w, -1, punycode, IDN_MAX_LENGTH); - curlx_unicodefree(in_w); - if(chars) { - char *mstr = curlx_convert_wchar_to_UTF8(punycode); - if(mstr) { - *out = strdup(mstr); - curlx_unicodefree(mstr); - if(*out) - success = TRUE; - } - } - } - - return success; -} - -bool Curl_win32_ascii_to_idn(const char *in, char **out) -{ - bool success = FALSE; - - wchar_t *in_w = curlx_convert_UTF8_to_wchar(in); - if(in_w) { - size_t in_len = wcslen(in_w) + 1; - wchar_t unicode[IDN_MAX_LENGTH]; - int chars = IdnToUnicode(0, in_w, curlx_uztosi(in_len), - unicode, IDN_MAX_LENGTH); - curlx_unicodefree(in_w); - if(chars) { - char *mstr = curlx_convert_wchar_to_UTF8(unicode); - if(mstr) { - *out = strdup(mstr); - curlx_unicodefree(mstr); - if(*out) - success = TRUE; - } - } - } - - return success; -} - -#endif /* USE_WIN32_IDN */ diff --git a/lib/imap.c b/lib/imap.c index ffa08bf..bd4c6f2 100644 --- a/lib/imap.c +++ b/lib/imap.c @@ -56,11 +56,6 @@ #include #endif -#if (defined(NETWARE) && defined(__NOVELL_LIBC__)) -#undef in_addr_t -#define in_addr_t unsigned long -#endif - #include #include "urldata.h" #include "sendf.h" @@ -75,11 +70,11 @@ #include "strtoofft.h" #include "strcase.h" #include "vtls/vtls.h" +#include "cfilters.h" #include "connect.h" #include "select.h" #include "multiif.h" #include "url.h" -#include "strcase.h" #include "bufref.h" #include "curl_sasl.h" #include "warnless.h" @@ -479,9 +474,15 @@ static CURLcode imap_perform_upgrade_tls(struct Curl_easy *data, { /* Start the SSL connection */ struct imap_conn *imapc = &conn->proto.imapc; - CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FALSE, - FIRSTSOCKET, &imapc->ssldone); + CURLcode result; + if(!Curl_conn_is_ssl(data, FIRSTSOCKET)) { + result = Curl_ssl_cfilter_add(data, conn, FIRSTSOCKET); + if(result) + goto out; + } + + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &imapc->ssldone); if(!result) { if(imapc->state != IMAP_UPGRADETLS) state(data, IMAP_UPGRADETLS); @@ -491,7 +492,7 @@ static CURLcode imap_perform_upgrade_tls(struct Curl_easy *data, result = imap_perform_capability(data, conn); } } - +out: return result; } @@ -776,7 +777,7 @@ static CURLcode imap_perform_append(struct Curl_easy *data) /* Add external headers and mime version. */ curl_mime_headers(&data->set.mimepost, data->set.headers, 0); - result = Curl_mime_prepare_headers(&data->set.mimepost, NULL, + result = Curl_mime_prepare_headers(data, &data->set.mimepost, NULL, NULL, MIMESTRATEGY_MAIL); if(!result) @@ -951,7 +952,7 @@ static CURLcode imap_state_capability_resp(struct Curl_easy *data, line += wordlen; } } - else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { + else if(data->set.use_ssl && !Curl_conn_is_ssl(data, FIRSTSOCKET)) { /* PREAUTH is not compatible with STARTTLS. */ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) { /* Switch to TLS connection now */ @@ -1385,8 +1386,7 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) struct imap_conn *imapc = &conn->proto.imapc; if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { - result = Curl_ssl_connect_nonblocking(data, conn, FALSE, - FIRSTSOCKET, &imapc->ssldone); + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &imapc->ssldone); if(result || !imapc->ssldone) return result; } @@ -1561,7 +1561,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected, DEBUGF(infof(data, "DO phase starts")); - if(data->set.opt_no_body) { + if(data->req.no_body) { /* Requested no body means no transfer */ imap->transfer = PPTRANSFER_INFO; } @@ -1603,7 +1603,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected, /* Run the state-machine */ result = imap_multi_statemach(data, dophase_done); - *connected = conn->bits.tcpconnect[FIRSTSOCKET]; + *connected = Curl_conn_is_connected(conn, FIRSTSOCKET); if(*dophase_done) DEBUGF(infof(data, "DO phase is complete")); diff --git a/lib/krb5.c b/lib/krb5.c index 1c993c1..08a6825 100644 --- a/lib/krb5.c +++ b/lib/krb5.c @@ -41,6 +41,9 @@ #ifdef HAVE_NETDB_H #include #endif +#ifdef HAVE_ARPA_INET_H +#include +#endif #include "urldata.h" #include "curl_base64.h" @@ -451,14 +454,14 @@ static int ftp_send_command(struct Curl_easy *data, const char *message, ...) /* Read |len| from the socket |fd| and store it in |to|. Return a CURLcode saying whether an error occurred or CURLE_OK if |len| was read. */ static CURLcode -socket_read(curl_socket_t fd, void *to, size_t len) +socket_read(struct Curl_easy *data, curl_socket_t fd, void *to, size_t len) { char *to_p = to; CURLcode result; ssize_t nread = 0; while(len > 0) { - result = Curl_read_plain(fd, to_p, len, &nread); + result = Curl_read_plain(data, fd, to_p, len, &nread); if(!result) { len -= nread; to_p += nread; @@ -499,15 +502,15 @@ socket_write(struct Curl_easy *data, curl_socket_t fd, const void *to, return CURLE_OK; } -static CURLcode read_data(struct connectdata *conn, - curl_socket_t fd, +static CURLcode read_data(struct Curl_easy *data, curl_socket_t fd, struct krb5buffer *buf) { + struct connectdata *conn = data->conn; int len; CURLcode result; int nread; - result = socket_read(fd, &len, sizeof(len)); + result = socket_read(data, fd, &len, sizeof(len)); if(result) return result; @@ -522,7 +525,7 @@ static CURLcode read_data(struct connectdata *conn, if(!len || !buf->data) return CURLE_OUT_OF_MEMORY; - result = socket_read(fd, buf->data, len); + result = socket_read(data, fd, buf->data, len); if(result) return result; nread = conn->mech->decode(conn->app_data, buf->data, len, @@ -557,7 +560,7 @@ static ssize_t sec_recv(struct Curl_easy *data, int sockindex, /* Handle clear text response. */ if(conn->sec_complete == 0 || conn->data_prot == PROT_CLEAR) - return sread(fd, buffer, len); + return Curl_recv_plain(data, sockindex, buffer, len, err); if(conn->in_buffer.eof_flag) { conn->in_buffer.eof_flag = 0; @@ -570,7 +573,7 @@ static ssize_t sec_recv(struct Curl_easy *data, int sockindex, buffer += bytes_read; while(len > 0) { - if(read_data(conn, fd, &conn->in_buffer)) + if(read_data(data, fd, &conn->in_buffer)) return -1; if(conn->in_buffer.size == 0) { if(bytes_read > 0) diff --git a/lib/ldap.c b/lib/ldap.c index b073349..92006d6 100644 --- a/lib/ldap.c +++ b/lib/ldap.c @@ -565,8 +565,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) goto quit; } - result = Curl_client_write(data, CLIENTWRITE_BODY, (char *) name, - name_len); + result = Curl_client_write(data, CLIENTWRITE_BODY, name, name_len); if(result) { FREE_ON_WINLDAP(name); ldap_memfree(dn); @@ -622,8 +621,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) goto quit; } - result = Curl_client_write(data, CLIENTWRITE_BODY, - (char *) attr, attr_len); + result = Curl_client_write(data, CLIENTWRITE_BODY, attr, attr_len); if(result) { ldap_value_free_len(vals); FREE_ON_WINLDAP(attr); @@ -648,7 +646,7 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) dlsize += attr_len + 3; if((attr_len > 7) && - (strcmp(";binary", (char *) attr + (attr_len - 7)) == 0)) { + (strcmp(";binary", attr + (attr_len - 7)) == 0)) { /* Binary attribute, encode to base64. */ result = Curl_base64_encode(vals[i]->bv_val, vals[i]->bv_len, &val_b64, &val_b64_sz); diff --git a/lib/md4.c b/lib/md4.c index e976fe7..c13b080 100644 --- a/lib/md4.c +++ b/lib/md4.c @@ -26,10 +26,11 @@ #if !defined(CURL_DISABLE_CRYPTO_AUTH) +#include + #include "curl_md4.h" #include "warnless.h" - #ifdef USE_OPENSSL #include #if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) && \ @@ -53,21 +54,44 @@ #else #include #endif - #if(MBEDTLS_VERSION_NUMBER >= 0x02070000) #define HAS_MBEDTLS_RESULT_CODE_BASED_FUNCTIONS #endif #endif /* USE_MBEDTLS */ #if defined(USE_GNUTLS) - #include +/* When OpenSSL or wolfSSL is available, we use their MD4 functions. */ +#elif defined(USE_WOLFSSL) && !defined(WOLFSSL_NO_MD4) +#include +#elif defined(USE_OPENSSL) && !defined(OPENSSL_NO_MD4) +#include +#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ + (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \ + defined(__MAC_OS_X_VERSION_MIN_ALLOWED) && \ + (__MAC_OS_X_VERSION_MIN_ALLOWED < 101500)) || \ + (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \ + (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000)) +#define AN_APPLE_OS +#include +#elif defined(USE_WIN32_CRYPTO) +#include +#elif(defined(USE_MBEDTLS) && defined(MBEDTLS_MD4_C)) +#include +#endif +/* The last 3 #include files should be in this order */ +#include "curl_printf.h" #include "curl_memory.h" - -/* The last #include file should be: */ #include "memdebug.h" + +#if defined(USE_WOLFSSL) && !defined(WOLFSSL_NO_MD4) + +#elif defined(USE_OPENSSL) && !defined(OPENSSL_NO_MD4) + +#elif defined(USE_GNUTLS) + typedef struct md4_ctx MD4_CTX; static void MD4_Init(MD4_CTX *ctx) @@ -85,27 +109,7 @@ static void MD4_Final(unsigned char *result, MD4_CTX *ctx) md4_digest(ctx, MD4_DIGEST_SIZE, result); } -/* When OpenSSL or wolfSSL is available, we use their MD4 functions. */ -#elif defined(USE_WOLFSSL) && !defined(WOLFSSL_NO_MD4) -#include - -#elif defined(USE_OPENSSL) && !defined(OPENSSL_NO_MD4) -#include - -#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ - (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \ - defined(__MAC_OS_X_VERSION_MIN_ALLOWED) && \ - (__MAC_OS_X_VERSION_MIN_ALLOWED < 101500)) || \ - (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \ - (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000)) - -#include - -#include "curl_memory.h" - -/* The last #include file should be: */ -#include "memdebug.h" - +#elif defined(AN_APPLE_OS) typedef CC_MD4_CTX MD4_CTX; static void MD4_Init(MD4_CTX *ctx) @@ -125,13 +129,6 @@ static void MD4_Final(unsigned char *result, MD4_CTX *ctx) #elif defined(USE_WIN32_CRYPTO) -#include - -#include "curl_memory.h" - -/* The last #include file should be: */ -#include "memdebug.h" - struct md4_ctx { HCRYPTPROV hCryptProv; HCRYPTHASH hHash; @@ -171,13 +168,6 @@ static void MD4_Final(unsigned char *result, MD4_CTX *ctx) #elif(defined(USE_MBEDTLS) && defined(MBEDTLS_MD4_C)) -#include - -#include "curl_memory.h" - -/* The last #include file should be: */ -#include "memdebug.h" - struct md4_ctx { void *data; unsigned long size; @@ -255,9 +245,6 @@ static void MD4_Final(unsigned char *result, MD4_CTX *ctx) * compile-time configuration. */ - -#include - /* Any 32-bit or wider unsigned integer data type will do */ typedef unsigned int MD4_u32plus; diff --git a/lib/md5.c b/lib/md5.c index 5be6399..9610e0c 100644 --- a/lib/md5.c +++ b/lib/md5.c @@ -26,6 +26,7 @@ #ifndef CURL_DISABLE_CRYPTO_AUTH +#include #include #include "curl_md5.h" @@ -56,12 +57,32 @@ #endif #if defined(USE_GNUTLS) - #include +#elif defined(USE_OPENSSL_MD5) +#include +#elif defined(USE_WOLFSSL_MD5) +#include +#elif defined(USE_MBEDTLS) +#include +#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ + (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \ + defined(__MAC_OS_X_VERSION_MIN_ALLOWED) && \ + (__MAC_OS_X_VERSION_MIN_ALLOWED < 101500)) || \ + (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \ + (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000)) +#define AN_APPLE_OS +#include +#elif defined(USE_WIN32_CRYPTO) +#include +#endif + +/* The last 3 #include files should be in this order */ +#include "curl_printf.h" #include "curl_memory.h" -/* The last #include file should be: */ #include "memdebug.h" +#if defined(USE_GNUTLS) + typedef struct md5_ctx my_md5_ctx; static CURLcode my_md5_init(my_md5_ctx *ctx) @@ -84,17 +105,6 @@ static void my_md5_final(unsigned char *digest, my_md5_ctx *ctx) #elif defined(USE_OPENSSL_MD5) || defined(USE_WOLFSSL_MD5) -/* When OpenSSL or wolfSSL is available, we use their MD5 functions. */ -#if defined(USE_OPENSSL_MD5) -#include -#elif defined(USE_WOLFSSL_MD5) -#include -#endif - -#include "curl_memory.h" -/* The last #include file should be: */ -#include "memdebug.h" - typedef MD5_CTX my_md5_ctx; static CURLcode my_md5_init(my_md5_ctx *ctx) @@ -119,13 +129,6 @@ static void my_md5_final(unsigned char *digest, my_md5_ctx *ctx) #elif defined(USE_MBEDTLS) -#include - -#include "curl_memory.h" - -/* The last #include file should be: */ -#include "memdebug.h" - typedef mbedtls_md5_context my_md5_ctx; static CURLcode my_md5_init(my_md5_ctx *ctx) @@ -162,12 +165,7 @@ static void my_md5_final(unsigned char *digest, my_md5_ctx *ctx) #endif } -#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ - (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040) && \ - defined(__MAC_OS_X_VERSION_MIN_ALLOWED) && \ - (__MAC_OS_X_VERSION_MIN_ALLOWED < 101500)) || \ - (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \ - (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000)) +#elif defined(AN_APPLE_OS) /* For Apple operating systems: CommonCrypto has the functions we need. These functions are available on Tiger and later, as well as iOS 2.0 @@ -175,11 +173,7 @@ static void my_md5_final(unsigned char *digest, my_md5_ctx *ctx) Declaring the functions as static like this seems to be a bit more reliable than defining COMMON_DIGEST_FOR_OPENSSL on older cats. */ -# include # define my_md5_ctx CC_MD5_CTX -#include "curl_memory.h" -/* The last #include file should be: */ -#include "memdebug.h" static CURLcode my_md5_init(my_md5_ctx *ctx) { @@ -203,11 +197,6 @@ static void my_md5_final(unsigned char *digest, my_md5_ctx *ctx) #elif defined(USE_WIN32_CRYPTO) -#include -#include "curl_memory.h" -/* The last #include file should be: */ -#include "memdebug.h" - struct md5_ctx { HCRYPTPROV hCryptProv; HCRYPTHASH hHash; @@ -288,12 +277,6 @@ static void my_md5_final(unsigned char *digest, my_md5_ctx *ctx) * compile-time configuration. */ -#include - -/* The last #include files should be: */ -#include "curl_memory.h" -#include "memdebug.h" - /* Any 32-bit or wider unsigned integer data type will do */ typedef unsigned int MD5_u32plus; diff --git a/lib/mime.c b/lib/mime.c index 042141f..e3f2821d 100644 --- a/lib/mime.c +++ b/lib/mime.c @@ -1175,7 +1175,7 @@ void Curl_mime_cleanpart(curl_mimepart *part) Curl_safefree(part->mimetype); Curl_safefree(part->name); Curl_safefree(part->filename); - Curl_mime_initpart(part, part->easy); + Curl_mime_initpart(part); } /* Recursively delete a mime handle and its parts. */ @@ -1195,7 +1195,8 @@ void curl_mime_free(curl_mime *mime) } } -CURLcode Curl_mime_duppart(curl_mimepart *dst, const curl_mimepart *src) +CURLcode Curl_mime_duppart(struct Curl_easy *data, + curl_mimepart *dst, const curl_mimepart *src) { curl_mime *mime; curl_mimepart *d; @@ -1224,13 +1225,13 @@ CURLcode Curl_mime_duppart(curl_mimepart *dst, const curl_mimepart *src) case MIMEKIND_MULTIPART: /* No one knows about the cloned subparts, thus always attach ownership to the part. */ - mime = curl_mime_init(dst->easy); + mime = curl_mime_init(data); res = mime? curl_mime_subparts(dst, mime): CURLE_OUT_OF_MEMORY; /* Duplicate subparts. */ for(s = ((curl_mime *) src->arg)->firstpart; !res && s; s = s->nextpart) { d = curl_mime_addpart(mime); - res = d? Curl_mime_duppart(d, s): CURLE_OUT_OF_MEMORY; + res = d? Curl_mime_duppart(data, d, s): CURLE_OUT_OF_MEMORY; } break; default: /* Invalid kind: should not occur. */ @@ -1282,7 +1283,6 @@ curl_mime *curl_mime_init(struct Curl_easy *easy) mime = (curl_mime *) malloc(sizeof(*mime)); if(mime) { - mime->easy = easy; mime->parent = NULL; mime->firstpart = NULL; mime->lastpart = NULL; @@ -1302,10 +1302,9 @@ curl_mime *curl_mime_init(struct Curl_easy *easy) } /* Initialize a mime part. */ -void Curl_mime_initpart(curl_mimepart *part, struct Curl_easy *easy) +void Curl_mime_initpart(curl_mimepart *part) { memset((char *) part, 0, sizeof(*part)); - part->easy = easy; part->lastreadstatus = 1; /* Successful read status. */ mimesetstate(&part->state, MIMESTATE_BEGIN, NULL); } @@ -1321,7 +1320,7 @@ curl_mimepart *curl_mime_addpart(curl_mime *mime) part = (curl_mimepart *) malloc(sizeof(*part)); if(part) { - Curl_mime_initpart(part, mime->easy); + Curl_mime_initpart(part); part->parent = mime; if(mime->lastpart) @@ -1551,10 +1550,6 @@ CURLcode Curl_mime_set_subparts(curl_mimepart *part, cleanup_part_content(part); if(subparts) { - /* Must belong to the same data handle. */ - if(part->easy && subparts->easy && part->easy != subparts->easy) - return CURLE_BAD_FUNCTION_ARGUMENT; - /* Should not have been attached already. */ if(subparts->parent) return CURLE_BAD_FUNCTION_ARGUMENT; @@ -1565,8 +1560,7 @@ CURLcode Curl_mime_set_subparts(curl_mimepart *part, while(root->parent && root->parent->parent) root = root->parent->parent; if(subparts == root) { - if(part->easy) - failf(part->easy, "Can't add itself as a subpart"); + /* Can't add as a subpart of itself. */ return CURLE_BAD_FUNCTION_ARGUMENT; } } @@ -1636,7 +1630,7 @@ static size_t slist_size(struct curl_slist *s, static curl_off_t multipart_size(curl_mime *mime) { curl_off_t size; - size_t boundarysize; + curl_off_t boundarysize; curl_mimepart *part; if(!mime) @@ -1766,7 +1760,8 @@ static bool content_type_match(const char *contenttype, return FALSE; } -CURLcode Curl_mime_prepare_headers(curl_mimepart *part, +CURLcode Curl_mime_prepare_headers(struct Curl_easy *data, + curl_mimepart *part, const char *contenttype, const char *disposition, enum mimestrategy strategy) @@ -1835,12 +1830,12 @@ CURLcode Curl_mime_prepare_headers(curl_mimepart *part, char *filename = NULL; if(part->name) { - name = escape_string(part->easy, part->name, strategy); + name = escape_string(data, part->name, strategy); if(!name) ret = CURLE_OUT_OF_MEMORY; } if(!ret && part->filename) { - filename = escape_string(part->easy, part->filename, strategy); + filename = escape_string(data, part->filename, strategy); if(!filename) ret = CURLE_OUT_OF_MEMORY; } @@ -1897,7 +1892,8 @@ CURLcode Curl_mime_prepare_headers(curl_mimepart *part, if(content_type_match(contenttype, STRCONST("multipart/form-data"))) disposition = "form-data"; for(subpart = mime->firstpart; subpart; subpart = subpart->nextpart) { - ret = Curl_mime_prepare_headers(subpart, NULL, disposition, strategy); + ret = Curl_mime_prepare_headers(data, subpart, NULL, + disposition, strategy); if(ret) return ret; } diff --git a/lib/mime.h b/lib/mime.h index bafde29..b9ea0f1 100644 --- a/lib/mime.h +++ b/lib/mime.h @@ -99,7 +99,6 @@ struct mime_state { /* A mime multipart. */ struct curl_mime { - struct Curl_easy *easy; /* The associated easy handle. */ curl_mimepart *parent; /* Parent part. */ curl_mimepart *firstpart; /* First part. */ curl_mimepart *lastpart; /* Last part. */ @@ -109,7 +108,6 @@ struct curl_mime { /* A mime part. */ struct curl_mimepart { - struct Curl_easy *easy; /* The associated easy handle. */ curl_mime *parent; /* Parent mime structure. */ curl_mimepart *nextpart; /* Forward linked list. */ enum mimekind kind; /* The part kind. */ @@ -139,14 +137,16 @@ CURLcode Curl_mime_add_header(struct curl_slist **slp, const char *fmt, ...); !defined(CURL_DISABLE_IMAP)) /* Prototypes. */ -void Curl_mime_initpart(struct curl_mimepart *part, struct Curl_easy *easy); +void Curl_mime_initpart(struct curl_mimepart *part); void Curl_mime_cleanpart(struct curl_mimepart *part); -CURLcode Curl_mime_duppart(struct curl_mimepart *dst, +CURLcode Curl_mime_duppart(struct Curl_easy *data, + struct curl_mimepart *dst, const curl_mimepart *src); CURLcode Curl_mime_set_subparts(struct curl_mimepart *part, struct curl_mime *subparts, int take_ownership); -CURLcode Curl_mime_prepare_headers(struct curl_mimepart *part, +CURLcode Curl_mime_prepare_headers(struct Curl_easy *data, + struct curl_mimepart *part, const char *contenttype, const char *disposition, enum mimestrategy strategy); @@ -159,11 +159,11 @@ void Curl_mime_unpause(struct curl_mimepart *part); #else /* if disabled */ -#define Curl_mime_initpart(x,y) +#define Curl_mime_initpart(x) #define Curl_mime_cleanpart(x) -#define Curl_mime_duppart(x,y) CURLE_OK /* Nothing to duplicate. Succeed */ +#define Curl_mime_duppart(x,y,z) CURLE_OK /* Nothing to duplicate. Succeed */ #define Curl_mime_set_subparts(a,b,c) CURLE_NOT_BUILT_IN -#define Curl_mime_prepare_headers(a,b,c,d) CURLE_NOT_BUILT_IN +#define Curl_mime_prepare_headers(a,b,c,d,e) CURLE_NOT_BUILT_IN #define Curl_mime_size(x) (curl_off_t) -1 #define Curl_mime_read NULL #define Curl_mime_rewind(x) ((void)x, CURLE_NOT_BUILT_IN) diff --git a/lib/mqtt.c b/lib/mqtt.c index 4f3d143..8ba826f 100644 --- a/lib/mqtt.c +++ b/lib/mqtt.c @@ -242,7 +242,7 @@ static int init_connpack(char *packet, char *remain, int remain_pos) /* keep-alive 0 = disabled */ packet[remain_pos + 9] = 0x00; packet[remain_pos + 10] = 0x3c; - /*end of variable header*/ + /* end of variable header */ return remain_pos + 10; } @@ -251,7 +251,7 @@ static CURLcode mqtt_connect(struct Curl_easy *data) CURLcode result = CURLE_OK; int pos = 0; int rc = 0; - /*remain length*/ + /* remain length */ int remain_pos = 0; char remain[4] = {0}; size_t packetlen = 0; diff --git a/lib/multi.c b/lib/multi.c index 51acba7..b96ee7c 100644 --- a/lib/multi.c +++ b/lib/multi.c @@ -29,6 +29,7 @@ #include "urldata.h" #include "transfer.h" #include "url.h" +#include "cfilters.h" #include "connect.h" #include "progress.h" #include "easyif.h" @@ -160,7 +161,7 @@ static void mstate(struct Curl_easy *data, CURLMstate state NULL, /* TUNNELING */ NULL, /* PROTOCONNECT */ NULL, /* PROTOCONNECTING */ - Curl_connect_free, /* DO */ + NULL, /* DO */ NULL, /* DOING */ NULL, /* DOING_MORE */ before_perform, /* DID */ @@ -709,6 +710,11 @@ static CURLcode multi_done(struct Curl_easy *data, #endif ) || conn->bits.close || (premature && !(conn->handler->flags & PROTOPT_STREAM))) { + DEBUGF(infof(data, "multi_done, not re-using connection=%ld, forbid=%d" + ", close=%d, premature=%d, stream=%d", + conn->connection_id, + data->set.reuse_forbid, conn->bits.close, premature, + (conn->handler->flags & PROTOPT_STREAM))); connclose(conn, "disconnecting"); Curl_conncache_remove_conn(data, conn, FALSE); CONNCACHE_UNLOCK(data); @@ -948,9 +954,8 @@ void Curl_detach_connection(struct Curl_easy *data) { struct connectdata *conn = data->conn; if(conn) { - Curl_connect_done(data); /* if mid-CONNECT, shut it down */ + Curl_conn_detach_data(conn, data); Curl_llist_remove(&conn->easyq, &data->conn_queue, NULL); - Curl_ssl_detach_conn(data, conn); } data->conn = NULL; } @@ -968,53 +973,9 @@ void Curl_attach_connection(struct Curl_easy *data, data->conn = conn; Curl_llist_insert_next(&conn->easyq, conn->easyq.tail, data, &data->conn_queue); + Curl_conn_attach_data(conn, data); if(conn->handler->attach) conn->handler->attach(data, conn); - Curl_ssl_associate_conn(data, conn); -} - -static int waitconnect_getsock(struct connectdata *conn, - curl_socket_t *sock) -{ - int i; - int s = 0; - int rc = 0; - -#ifdef USE_SSL -#ifndef CURL_DISABLE_PROXY - if(CONNECT_FIRSTSOCKET_PROXY_SSL()) - return Curl_ssl->getsock(conn, sock); -#endif -#endif - - if(SOCKS_STATE(conn->cnnct.state)) - return Curl_SOCKS_getsock(conn, sock, FIRSTSOCKET); - - for(i = 0; i<2; i++) { - if(conn->tempsock[i] != CURL_SOCKET_BAD) { - sock[s] = conn->tempsock[i]; - rc |= GETSOCK_WRITESOCK(s); -#ifdef ENABLE_QUIC - if(conn->transport == TRNSPRT_QUIC) - /* when connecting QUIC, we want to read the socket too */ - rc |= GETSOCK_READSOCK(s); -#endif - s++; - } - } - - return rc; -} - -static int waitproxyconnect_getsock(struct connectdata *conn, - curl_socket_t *sock) -{ - sock[0] = conn->sock[FIRSTSOCKET]; - - if(conn->connect_state) - return Curl_connect_getsock(conn); - - return GETSOCK_WRITESOCK(0); } static int domore_getsock(struct Curl_easy *data, @@ -1076,10 +1037,8 @@ static int multi_getsock(struct Curl_easy *data, return doing_getsock(data, conn, socks); case MSTATE_TUNNELING: - return waitproxyconnect_getsock(conn, socks); - case MSTATE_CONNECTING: - return waitconnect_getsock(conn, socks); + return Curl_conn_get_select_socks(data, FIRSTSOCKET, socks); case MSTATE_DOING_MORE: return domore_getsock(data, conn, socks); @@ -1737,7 +1696,8 @@ static CURLcode protocol_connect(struct Curl_easy *data, *protocol_done = FALSE; - if(conn->bits.tcpconnect[FIRSTSOCKET] && conn->bits.protoconnstart) { + if(Curl_conn_is_connected(conn, FIRSTSOCKET) + && conn->bits.protoconnstart) { /* We already are connected, get back. This may happen when the connect worked fine in the first call, like when we connect to a local server or proxy. Note that we don't know if the protocol is actually done. @@ -1751,21 +1711,6 @@ static CURLcode protocol_connect(struct Curl_easy *data, } if(!conn->bits.protoconnstart) { -#ifndef CURL_DISABLE_PROXY - result = Curl_proxy_connect(data, FIRSTSOCKET); - if(result) - return result; - - if(CONNECT_FIRSTSOCKET_PROXY_SSL()) - /* wait for HTTPS proxy SSL initialization to complete */ - return CURLE_OK; - - if(conn->bits.tunnel_proxy && conn->bits.httpproxy && - Curl_connect_ongoing(conn)) - /* when using an HTTP tunnel proxy, await complete tunnel establishment - before proceeding further. Return CURLE_OK so we'll be called again */ - return CURLE_OK; -#endif if(conn->handler->connect_it) { /* is there a protocol-specific connect() procedure? */ @@ -1785,6 +1730,90 @@ static CURLcode protocol_connect(struct Curl_easy *data, } /* + * readrewind() rewinds the read stream. This is typically used for HTTP + * POST/PUT with multi-pass authentication when a sending was denied and a + * resend is necessary. + */ +static CURLcode readrewind(struct Curl_easy *data) +{ + struct connectdata *conn = data->conn; + curl_mimepart *mimepart = &data->set.mimepost; + DEBUGASSERT(conn); + + data->state.rewindbeforesend = FALSE; /* we rewind now */ + + /* explicitly switch off sending data on this connection now since we are + about to restart a new transfer and thus we want to avoid inadvertently + sending more data on the existing connection until the next transfer + starts */ + data->req.keepon &= ~KEEP_SEND; + + /* We have sent away data. If not using CURLOPT_POSTFIELDS or + CURLOPT_HTTPPOST, call app to rewind + */ + if(conn->handler->protocol & PROTO_FAMILY_HTTP) { + struct HTTP *http = data->req.p.http; + + if(http->sendit) + mimepart = http->sendit; + } + if(data->set.postfields || + (data->state.httpreq == HTTPREQ_GET) || + (data->state.httpreq == HTTPREQ_HEAD)) + ; /* no need to rewind */ + else if(data->state.httpreq == HTTPREQ_POST_MIME || + data->state.httpreq == HTTPREQ_POST_FORM) { + CURLcode result = Curl_mime_rewind(mimepart); + if(result) { + failf(data, "Cannot rewind mime/post data"); + return result; + } + } + else { + if(data->set.seek_func) { + int err; + + Curl_set_in_callback(data, true); + err = (data->set.seek_func)(data->set.seek_client, 0, SEEK_SET); + Curl_set_in_callback(data, false); + if(err) { + failf(data, "seek callback returned error %d", (int)err); + return CURLE_SEND_FAIL_REWIND; + } + } + else if(data->set.ioctl_func) { + curlioerr err; + + Curl_set_in_callback(data, true); + err = (data->set.ioctl_func)(data, CURLIOCMD_RESTARTREAD, + data->set.ioctl_client); + Curl_set_in_callback(data, false); + infof(data, "the ioctl callback returned %d", (int)err); + + if(err) { + failf(data, "ioctl callback returned error %d", (int)err); + return CURLE_SEND_FAIL_REWIND; + } + } + else { + /* If no CURLOPT_READFUNCTION is used, we know that we operate on a + given FILE * stream and we can actually attempt to rewind that + ourselves with fseek() */ + if(data->state.fread_func == (curl_read_callback)fread) { + if(-1 != fseek(data->state.in, 0, SEEK_SET)) + /* successful rewind */ + return CURLE_OK; + } + + /* no callback set or failure above, makes us fail at once */ + failf(data, "necessary data rewind wasn't possible"); + return CURLE_SEND_FAIL_REWIND; + } + } + return CURLE_OK; +} + +/* * Curl_preconnect() is called immediately before a connect starts. When a * redirect is followed, this is then called multiple times during a single * transfer. @@ -1796,6 +1825,7 @@ CURLcode Curl_preconnect(struct Curl_easy *data) if(!data->state.buffer) return CURLE_OUT_OF_MEMORY; } + return CURLE_OK; } @@ -1901,7 +1931,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, if(data->set.connecttimeout) Curl_expire(data, data->set.connecttimeout, EXPIRE_CONNECTTIMEOUT); - result = Curl_connect(data, &async, &protocol_connected); + result = Curl_connect(data, &async, &connected); if(CURLE_NO_CONNECTION_AVAILABLE == result) { /* There was no connection available. We will go to the pending state and wait for an available connection. */ @@ -1929,15 +1959,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, WAITDO or DO! */ rc = CURLM_CALL_MULTI_PERFORM; - if(protocol_connected) - multistate(data, MSTATE_DO); + if(connected) + multistate(data, MSTATE_PROTOCONNECT); else { -#ifndef CURL_DISABLE_HTTP - if(Curl_connect_ongoing(data->conn)) - multistate(data, MSTATE_TUNNELING); - else -#endif - multistate(data, MSTATE_CONNECTING); + multistate(data, MSTATE_CONNECTING); } } } @@ -1989,7 +2014,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, if(dns) { /* Perform the next step in the connection phase, and then move on to the WAITCONNECT state */ - result = Curl_once_resolved(data, &protocol_connected); + result = Curl_once_resolved(data, &connected); if(result) /* if Curl_once_resolved() returns failure, the connection struct @@ -1998,15 +2023,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, else { /* call again please so that we get the next socket setup */ rc = CURLM_CALL_MULTI_PERFORM; - if(protocol_connected) - multistate(data, MSTATE_DO); + if(connected) + multistate(data, MSTATE_PROTOCONNECT); else { -#ifndef CURL_DISABLE_HTTP - if(Curl_connect_ongoing(data->conn)) - multistate(data, MSTATE_TUNNELING); - else -#endif - multistate(data, MSTATE_CONNECTING); + multistate(data, MSTATE_CONNECTING); } } } @@ -2035,16 +2055,9 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, else #endif if(!result) { - if( -#ifndef CURL_DISABLE_PROXY - (data->conn->http_proxy.proxytype != CURLPROXY_HTTPS || - data->conn->bits.proxy_ssl_connected[FIRSTSOCKET]) && -#endif - Curl_connect_complete(data->conn)) { - rc = CURLM_CALL_MULTI_PERFORM; - /* initiate protocol connect phase */ - multistate(data, MSTATE_PROTOCONNECT); - } + rc = CURLM_CALL_MULTI_PERFORM; + /* initiate protocol connect phase */ + multistate(data, MSTATE_PROTOCONNECT); } else stream_error = TRUE; @@ -2054,27 +2067,10 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, case MSTATE_CONNECTING: /* awaiting a completion of an asynch TCP connect */ DEBUGASSERT(data->conn); - result = Curl_is_connected(data, data->conn, FIRSTSOCKET, &connected); + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &connected); if(connected && !result) { -#ifndef CURL_DISABLE_HTTP - if( -#ifndef CURL_DISABLE_PROXY - (data->conn->http_proxy.proxytype == CURLPROXY_HTTPS && - !data->conn->bits.proxy_ssl_connected[FIRSTSOCKET]) || -#endif - Curl_connect_ongoing(data->conn)) { - multistate(data, MSTATE_TUNNELING); - break; - } -#endif rc = CURLM_CALL_MULTI_PERFORM; -#ifndef CURL_DISABLE_PROXY - multistate(data, - data->conn->bits.tunnel_proxy? - MSTATE_TUNNELING : MSTATE_PROTOCONNECT); -#else multistate(data, MSTATE_PROTOCONNECT); -#endif } else if(result) { /* failure detected */ @@ -2086,7 +2082,19 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, break; case MSTATE_PROTOCONNECT: - result = protocol_connect(data, &protocol_connected); + if(data->state.rewindbeforesend) + result = readrewind(data); + + if(!result && data->conn->bits.reuse) { + /* ftp seems to hang when protoconnect on reused connection + * since we handle PROTOCONNECT in general inside the filers, it + * seems wrong to restart this on a reused connection. */ + multistate(data, MSTATE_DO); + rc = CURLM_CALL_MULTI_PERFORM; + break; + } + if(!result) + result = protocol_connect(data, &protocol_connected); if(!result && !protocol_connected) /* switch to waiting state */ multistate(data, MSTATE_PROTOCONNECTING); @@ -2770,6 +2778,11 @@ CURLMcode curl_multi_cleanup(struct Curl_multi *multi) wakeup_close(multi->wakeup_pair[1]); #endif #endif + +#ifdef USE_SSL + Curl_free_multi_ssl_backend_data(multi->ssl_backend_data); +#endif + free(multi); return CURLM_OK; diff --git a/lib/multihandle.h b/lib/multihandle.h index a997784..5a83656 100644 --- a/lib/multihandle.h +++ b/lib/multihandle.h @@ -79,6 +79,10 @@ typedef enum { /* value for MAXIMUM CONCURRENT STREAMS upper limit */ #define INITIAL_MAX_CONCURRENT_STREAMS ((1U << 31) - 1) +/* Curl_multi SSL backend-specific data; declared differently by each SSL + backend */ +struct multi_ssl_backend_data; + /* This is the struct known as CURLM on the outside */ struct Curl_multi { /* First a simple identifier to easier detect if a user mix up @@ -118,6 +122,10 @@ struct Curl_multi { times of all currently set timers */ struct Curl_tree *timetree; +#if defined(USE_SSL) + struct multi_ssl_backend_data *ssl_backend_data; +#endif + /* 'sockhash' is the lookup hash for socket descriptor => easy handles (note the pluralis form, there can be more than one easy handle waiting on the same actual socket) */ diff --git a/lib/nonblock.c b/lib/nonblock.c index ce73af3..8447b6f 100644 --- a/lib/nonblock.c +++ b/lib/nonblock.c @@ -31,9 +31,6 @@ #include #endif -#if (defined(HAVE_IOCTL_FIONBIO) && defined(NETWARE)) -#include -#endif #ifdef __VMS #include #include diff --git a/lib/noproxy.c b/lib/noproxy.c index 81f1e09..9b13fe8 100644 --- a/lib/noproxy.c +++ b/lib/noproxy.c @@ -34,6 +34,10 @@ #include #endif +#ifdef HAVE_ARPA_INET_H +#include +#endif + /* * Curl_cidr4_match() returns TRUE if the given IPv4 address is within the * specified CIDR address range. @@ -117,6 +121,13 @@ enum nametype { ****************************************************************/ bool Curl_check_noproxy(const char *name, const char *no_proxy) { + /* + * If we don't have a hostname at all, like for example with a FILE + * transfer, we have nothing to interrogate the noproxy list with. + */ + if(!name || name[0] == '\0') + return FALSE; + /* no_proxy=domain1.dom,host.domain2.dom * (a comma-separated list of hosts which should * not be proxied, or an asterisk to override @@ -149,9 +160,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) } else { unsigned int address; + namelen = strlen(name); if(1 == Curl_inet_pton(AF_INET, name, &address)) type = TYPE_IPV4; - namelen = strlen(name); + else { + /* ignore trailing dots in the host name */ + if(name[namelen - 1] == '.') + namelen--; + } } while(*p) { @@ -173,33 +189,50 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy) if(tokenlen) { switch(type) { case TYPE_HOST: - if(*token == '.') { - ++token; - --tokenlen; - /* tailmatch */ - match = (tokenlen <= namelen) && - strncasecompare(token, name + (namelen - tokenlen), namelen); + /* ignore trailing dots in the token to check */ + if(token[tokenlen - 1] == '.') + tokenlen--; + + if(tokenlen && (*token == '.')) { + /* ignore leading token dot as well */ + token++; + tokenlen--; } - else - match = (tokenlen == namelen) && - strncasecompare(token, name, namelen); + /* A: example.com matches 'example.com' + B: www.example.com matches 'example.com' + C: nonexample.com DOES NOT match 'example.com' + */ + if(tokenlen == namelen) + /* case A, exact match */ + match = strncasecompare(token, name, namelen); + else if(tokenlen < namelen) { + /* case B, tailmatch domain */ + match = (name[namelen - tokenlen - 1] == '.') && + strncasecompare(token, name + (namelen - tokenlen), + tokenlen); + } + /* case C passes through, not a match */ break; case TYPE_IPV4: /* FALLTHROUGH */ case TYPE_IPV6: { const char *check = token; - char *slash = strchr(check, '/'); + char *slash; unsigned int bits = 0; char checkip[128]; + if(tokenlen >= sizeof(checkip)) + /* this cannot match */ + break; + /* copy the check name to a temp buffer */ + memcpy(checkip, check, tokenlen); + checkip[tokenlen] = 0; + check = checkip; + + slash = strchr(check, '/'); /* if the slash is part of this token, use it */ - if(slash && (slash < &check[tokenlen])) { + if(slash) { bits = atoi(slash + 1); - /* copy the check name to a temp buffer */ - if(tokenlen >= sizeof(checkip)) - break; - memcpy(checkip, check, tokenlen); - checkip[ slash - check ] = 0; - check = checkip; + *slash = 0; /* null terminate there */ } if(type == TYPE_IPV6) match = Curl_cidr6_match(name, check, bits); diff --git a/lib/openldap.c b/lib/openldap.c index 3a93b67..ab81e57 100644 --- a/lib/openldap.c +++ b/lib/openldap.c @@ -47,6 +47,7 @@ #include "transfer.h" #include "curl_ldap.h" #include "curl_base64.h" +#include "cfilters.h" #include "connect.h" #include "curl_sasl.h" #include "strcase.h" @@ -500,8 +501,7 @@ static CURLcode oldap_ssl_connect(struct Curl_easy *data, ldapstate newstate) struct ldapconninfo *li = conn->proto.ldapc; bool ssldone = 0; - result = Curl_ssl_connect_nonblocking(data, conn, FALSE, - FIRSTSOCKET, &ssldone); + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssldone); if(!result) { state(data, newstate); @@ -1153,7 +1153,7 @@ ldapsb_tls_ctrl(Sockbuf_IO_Desc *sbiod, int opt, void *arg) (void)arg; if(opt == LBER_SB_OPT_DATA_READY) { struct Curl_easy *data = sbiod->sbiod_pvt; - return Curl_ssl_data_pending(data->conn, FIRSTSOCKET); + return Curl_conn_data_pending(data, FIRSTSOCKET); } return 0; } diff --git a/lib/pingpong.c b/lib/pingpong.c index d4e6be9..9b95580 100644 --- a/lib/pingpong.c +++ b/lib/pingpong.c @@ -28,6 +28,7 @@ #include "curl_setup.h" #include "urldata.h" +#include "cfilters.h" #include "sendf.h" #include "select.h" #include "progress.h" @@ -102,12 +103,12 @@ CURLcode Curl_pp_statemach(struct Curl_easy *data, else interval_ms = 0; /* immediate */ - if(Curl_ssl_data_pending(conn, FIRSTSOCKET)) + if(Curl_conn_data_pending(data, FIRSTSOCKET)) rc = 1; else if(Curl_pp_moredata(pp)) /* We are receiving and there is data in the cache so just read it */ rc = 1; - else if(!pp->sendleft && Curl_ssl_data_pending(conn, FIRSTSOCKET)) + else if(!pp->sendleft && Curl_conn_data_pending(data, FIRSTSOCKET)) /* We are receiving and there is data ready in the SSL library */ rc = 1; else diff --git a/lib/pop3.c b/lib/pop3.c index 3151a3f..ce17f2a 100644 --- a/lib/pop3.c +++ b/lib/pop3.c @@ -58,11 +58,6 @@ #include #endif -#if (defined(NETWARE) && defined(__NOVELL_LIBC__)) -#undef in_addr_t -#define in_addr_t unsigned long -#endif - #include #include "urldata.h" #include "sendf.h" @@ -76,6 +71,7 @@ #include "strtoofft.h" #include "strcase.h" #include "vtls/vtls.h" +#include "cfilters.h" #include "connect.h" #include "select.h" #include "multiif.h" @@ -373,9 +369,15 @@ static CURLcode pop3_perform_upgrade_tls(struct Curl_easy *data, { /* Start the SSL connection */ struct pop3_conn *pop3c = &conn->proto.pop3c; - CURLcode result = - Curl_ssl_connect_nonblocking(data, conn, FALSE, FIRSTSOCKET, - &pop3c->ssldone); + CURLcode result; + + if(!Curl_conn_is_ssl(data, FIRSTSOCKET)) { + result = Curl_ssl_cfilter_add(data, conn, FIRSTSOCKET); + if(result) + goto out; + } + + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &pop3c->ssldone); if(!result) { if(pop3c->state != POP3_UPGRADETLS) @@ -386,7 +388,7 @@ static CURLcode pop3_perform_upgrade_tls(struct Curl_easy *data, result = pop3_perform_capa(data, conn); } } - +out: return result; } @@ -767,7 +769,7 @@ static CURLcode pop3_state_capa_resp(struct Curl_easy *data, int pop3code, if(pop3code != '+') pop3c->authtypes |= POP3_TYPE_CLEARTEXT; - if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use) + if(!data->set.use_ssl || Curl_conn_is_ssl(data, FIRSTSOCKET)) result = pop3_perform_authentication(data, conn); else if(pop3code == '+' && pop3c->tls_supported) /* Switch to TLS connection now */ @@ -948,7 +950,7 @@ static CURLcode pop3_state_command_resp(struct Curl_easy *data, content so send it as such. Note that there may even be additional "headers" after the body */ - if(!data->set.opt_no_body) { + if(!data->req.no_body) { result = Curl_pop3_write(data, pp->cache, pp->cache_size); if(result) return result; @@ -1054,8 +1056,7 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) struct pop3_conn *pop3c = &conn->proto.pop3c; if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { - result = Curl_ssl_connect_nonblocking(data, conn, FALSE, - FIRSTSOCKET, &pop3c->ssldone); + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &pop3c->ssldone); if(result || !pop3c->ssldone) return result; } @@ -1192,12 +1193,11 @@ static CURLcode pop3_perform(struct Curl_easy *data, bool *connected, { /* This is POP3 and no proxy */ CURLcode result = CURLE_OK; - struct connectdata *conn = data->conn; struct POP3 *pop3 = data->req.p.pop3; DEBUGF(infof(data, "DO phase starts")); - if(data->set.opt_no_body) { + if(data->req.no_body) { /* Requested no body means no transfer */ pop3->transfer = PPTRANSFER_INFO; } @@ -1211,7 +1211,7 @@ static CURLcode pop3_perform(struct Curl_easy *data, bool *connected, /* Run the state-machine */ result = pop3_multi_statemach(data, dophase_done); - *connected = conn->bits.tcpconnect[FIRSTSOCKET]; + *connected = Curl_conn_is_connected(data->conn, FIRSTSOCKET); if(*dophase_done) DEBUGF(infof(data, "DO phase is complete")); diff --git a/lib/rand.c b/lib/rand.c index 2e7e7e8..a549624 100644 --- a/lib/rand.c +++ b/lib/rand.c @@ -27,10 +27,14 @@ #ifdef HAVE_FCNTL_H #include #endif +#ifdef HAVE_ARPA_INET_H +#include +#endif #include #include "vtls/vtls.h" #include "sendf.h" +#include "timeval.h" #include "rand.h" /* The last 3 #include files should be in this order */ diff --git a/lib/rtsp.c b/lib/rtsp.c index 6d3bf97..75e620d 100644 --- a/lib/rtsp.c +++ b/lib/rtsp.c @@ -141,7 +141,7 @@ static CURLcode rtsp_setup_connection(struct Curl_easy *data, * Instead, if it is readable, run Curl_connalive() to peek at the socket * and distinguish between closed and data. */ -static bool rtsp_connisdead(struct connectdata *check) +static bool rtsp_connisdead(struct Curl_easy *data, struct connectdata *check) { int sval; bool ret_val = TRUE; @@ -157,7 +157,7 @@ static bool rtsp_connisdead(struct connectdata *check) } else if(sval & CURL_CSELECT_IN) { /* readable with no error. could still be closed */ - ret_val = !Curl_connalive(check); + ret_val = !Curl_connalive(data, check); } return ret_val; @@ -174,7 +174,7 @@ static unsigned int rtsp_conncheck(struct Curl_easy *data, (void)data; if(checks_to_perform & CONNCHECK_ISDEAD) { - if(rtsp_connisdead(conn)) + if(rtsp_connisdead(data, conn)) ret_val |= CONNRESULT_DEAD; } @@ -267,11 +267,23 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) rtsp->CSeq_sent = data->state.rtsp_next_client_CSeq; rtsp->CSeq_recv = 0; + /* Setup the first_* fields to allow auth details get sent + to this origin */ + + if(!data->state.first_host) { + data->state.first_host = strdup(conn->host.name); + if(!data->state.first_host) + return CURLE_OUT_OF_MEMORY; + + data->state.first_remote_port = conn->remote_port; + data->state.first_remote_protocol = conn->handler->protocol; + } + /* Setup the 'p_request' pointer to the proper p_request string * Since all RTSP requests are included here, there is no need to * support custom requests like HTTP. **/ - data->set.opt_no_body = TRUE; /* most requests don't contain a body */ + data->req.no_body = TRUE; /* most requests don't contain a body */ switch(rtspreq) { default: failf(data, "Got invalid RTSP request"); @@ -281,7 +293,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) break; case RTSPREQ_DESCRIBE: p_request = "DESCRIBE"; - data->set.opt_no_body = FALSE; + data->req.no_body = FALSE; break; case RTSPREQ_ANNOUNCE: p_request = "ANNOUNCE"; @@ -301,7 +313,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) case RTSPREQ_GET_PARAMETER: /* GET_PARAMETER's no_body status is determined later */ p_request = "GET_PARAMETER"; - data->set.opt_no_body = FALSE; + data->req.no_body = FALSE; break; case RTSPREQ_SET_PARAMETER: p_request = "SET_PARAMETER"; @@ -311,8 +323,8 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) break; case RTSPREQ_RECEIVE: p_request = ""; - /* Treat interleaved RTP as body*/ - data->set.opt_no_body = FALSE; + /* Treat interleaved RTP as body */ + data->req.no_body = FALSE; break; case RTSPREQ_LAST: failf(data, "Got invalid RTSP request: RTSPREQ_LAST"); @@ -561,7 +573,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done) else if(rtspreq == RTSPREQ_GET_PARAMETER) { /* Check for an empty GET_PARAMETER (heartbeat) request */ data->state.httpreq = HTTPREQ_HEAD; - data->set.opt_no_body = TRUE; + data->req.no_body = TRUE; } } @@ -650,7 +662,7 @@ static CURLcode rtsp_rtp_readwrite(struct Curl_easy *data, rtp_length = RTP_PKT_LENGTH(rtp); if(rtp_dataleft < rtp_length + 4) { - /* Need more - incomplete payload*/ + /* Need more - incomplete payload */ *readmore = TRUE; break; } diff --git a/lib/rtsp.h b/lib/rtsp.h index 377c828..fa6606a 100644 --- a/lib/rtsp.h +++ b/lib/rtsp.h @@ -62,7 +62,7 @@ struct RTSP { * HTTP functions can safely treat this as an HTTP struct, but RTSP aware * functions can also index into the later elements. */ - struct HTTP http_wrapper; /*wrap HTTP to do the heavy lifting */ + struct HTTP http_wrapper; /* wrap HTTP to do the heavy lifting */ long CSeq_sent; /* CSeq of this request */ long CSeq_recv; /* CSeq received */ diff --git a/lib/sendf.c b/lib/sendf.c index d26b7e7..6326240 100644 --- a/lib/sendf.c +++ b/lib/sendf.c @@ -38,6 +38,7 @@ #include "urldata.h" #include "sendf.h" +#include "cfilters.h" #include "connect.h" #include "vtls/vtls.h" #include "vssh/ssh.h" @@ -151,13 +152,15 @@ static CURLcode pre_receive_plain(struct Curl_easy *data, const curl_socket_t sockfd = conn->sock[num]; struct postponed_data * const psnd = &(conn->postponed[num]); size_t bytestorecv = psnd->allocated_size - psnd->recv_size; + ssize_t recvedbytes; + /* WinSock will destroy unread received data if send() is failed. To avoid lossage of received data, recv() must be performed before every send() if any incoming data is available. However, skip this, if buffer is already full. */ if((conn->handler->protocol&PROTO_FAMILY_HTTP) != 0 && - conn->recv[num] == Curl_recv_plain && + conn->recv[num] == Curl_conn_recv && (!psnd->buffer || bytestorecv)) { const int readymask = Curl_socket_check(sockfd, CURL_SOCKET_BAD, CURL_SOCKET_BAD, 0); @@ -176,16 +179,12 @@ static CURLcode pre_receive_plain(struct Curl_easy *data, #endif /* DEBUGBUILD */ bytestorecv = psnd->allocated_size; } - if(psnd->buffer) { - ssize_t recvedbytes; - DEBUGASSERT(psnd->bindsock == sockfd); - recvedbytes = sread(sockfd, psnd->buffer + psnd->recv_size, - bytestorecv); - if(recvedbytes > 0) - psnd->recv_size += recvedbytes; - } - else - psnd->allocated_size = 0; + + DEBUGASSERT(psnd->bindsock == sockfd); + recvedbytes = sread(sockfd, psnd->buffer + psnd->recv_size, + bytestorecv); + if(recvedbytes > 0) + psnd->recv_size += recvedbytes; } } return CURLE_OK; @@ -339,6 +338,7 @@ CURLcode Curl_write(struct Curl_easy *data, } } +/* Curl_send_plain sends raw data without a size restriction on 'len'. */ ssize_t Curl_send_plain(struct Curl_easy *data, int num, const void *mem, size_t len, CURLcode *code) { @@ -387,7 +387,6 @@ ssize_t Curl_send_plain(struct Curl_easy *data, int num, #endif ) { /* this is just a case of EWOULDBLOCK */ - bytes_written = 0; *code = CURLE_AGAIN; } else { @@ -404,7 +403,12 @@ ssize_t Curl_send_plain(struct Curl_easy *data, int num, /* * Curl_write_plain() is an internal write function that sends data to the * server using plain sockets only. Otherwise meant to have the exact same - * proto as Curl_write() + * proto as Curl_write(). + * + * This function wraps Curl_send_plain(). The only difference besides the + * prototype is '*written' (bytes written) is set to 0 on error. + * 'sockfd' must be one of the connection's two main sockets and the value of + * 'len' must not be changed. */ CURLcode Curl_write_plain(struct Curl_easy *data, curl_socket_t sockfd, @@ -416,13 +420,22 @@ CURLcode Curl_write_plain(struct Curl_easy *data, struct connectdata *conn = data->conn; int num; DEBUGASSERT(conn); + DEBUGASSERT(sockfd == conn->sock[FIRSTSOCKET] || + sockfd == conn->sock[SECONDARYSOCKET]); + if(sockfd != conn->sock[FIRSTSOCKET] && + sockfd != conn->sock[SECONDARYSOCKET]) + return CURLE_BAD_FUNCTION_ARGUMENT; + num = (sockfd == conn->sock[SECONDARYSOCKET]); *written = Curl_send_plain(data, num, mem, len, &result); + if(*written == -1) + *written = 0; return result; } +/* Curl_recv_plain receives raw data without a size restriction on 'len'. */ ssize_t Curl_recv_plain(struct Curl_easy *data, int num, char *buf, size_t len, CURLcode *code) { @@ -664,30 +677,39 @@ CURLcode Curl_client_write(struct Curl_easy *data, return chop_write(data, type, ptr, len); } -CURLcode Curl_read_plain(curl_socket_t sockfd, - char *buf, - size_t bytesfromsocket, - ssize_t *n) +/* + * Curl_read_plain() is an internal read function that reads data from the + * server using plain sockets only. Otherwise meant to have the exact same + * proto as Curl_read(). + * + * This function wraps Curl_recv_plain(). The only difference besides the + * prototype is '*n' (bytes read) is set to 0 on error. + * 'sockfd' must be one of the connection's two main sockets and the value of + * 'sizerequested' must not be changed. + */ +CURLcode Curl_read_plain(struct Curl_easy *data, /* transfer */ + curl_socket_t sockfd, /* read from this socket */ + char *buf, /* store read data here */ + size_t sizerequested, /* max amount to read */ + ssize_t *n) /* amount bytes read */ { - ssize_t nread = sread(sockfd, buf, bytesfromsocket); + CURLcode result; + struct connectdata *conn = data->conn; + int num; + DEBUGASSERT(conn); + DEBUGASSERT(sockfd == conn->sock[FIRSTSOCKET] || + sockfd == conn->sock[SECONDARYSOCKET]); + if(sockfd != conn->sock[FIRSTSOCKET] && + sockfd != conn->sock[SECONDARYSOCKET]) + return CURLE_BAD_FUNCTION_ARGUMENT; - if(-1 == nread) { - const int err = SOCKERRNO; - const bool return_error = -#ifdef USE_WINSOCK - WSAEWOULDBLOCK == err -#else - EWOULDBLOCK == err || EAGAIN == err || EINTR == err -#endif - ; - *n = 0; /* no data returned */ - if(return_error) - return CURLE_AGAIN; - return CURLE_RECV_ERROR; - } + num = (sockfd == conn->sock[SECONDARYSOCKET]); - *n = nread; - return CURLE_OK; + *n = Curl_recv_plain(data, num, buf, sizerequested, &result); + if(*n == -1) + *n = 0; + + return result; } /* @@ -720,11 +742,14 @@ CURLcode Curl_read(struct Curl_easy *data, /* transfer */ nread = conn->recv[num](data, num, buffertofill, bytesfromsocket, &result); if(nread < 0) - return result; + goto out; *n += nread; - - return CURLE_OK; + result = CURLE_OK; +out: + /* DEBUGF(infof(data, "Curl_read(handle=%p) -> %d, nread=%ld", + data, result, nread)); */ + return result; } /* return 0 on success */ diff --git a/lib/sendf.h b/lib/sendf.h index 7c4c128..8af5c46 100644 --- a/lib/sendf.h +++ b/lib/sendf.h @@ -61,9 +61,10 @@ CURLcode Curl_client_write(struct Curl_easy *data, int type, char *ptr, bool Curl_recv_has_postponed_data(struct connectdata *conn, int sockindex); /* internal read-function, does plain socket only */ -CURLcode Curl_read_plain(curl_socket_t sockfd, +CURLcode Curl_read_plain(struct Curl_easy *data, + curl_socket_t sockfd, char *buf, - size_t bytesfromsocket, + size_t sizerequested, ssize_t *n); ssize_t Curl_recv_plain(struct Curl_easy *data, int num, char *buf, diff --git a/lib/setopt.c b/lib/setopt.c index 5b59754..b77e95b 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -204,6 +204,15 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) data->set.dns_cache_timeout = (int)arg; break; + case CURLOPT_CA_CACHE_TIMEOUT: + arg = va_arg(param, long); + if(arg < -1) + return CURLE_BAD_FUNCTION_ARGUMENT; + else if(arg > INT_MAX) + arg = INT_MAX; + + data->set.general_ssl.ca_cache_timeout = (int)arg; + break; case CURLOPT_DNS_USE_GLOBAL_CACHE: /* deprecated */ break; @@ -220,7 +229,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; #endif case CURLOPT_TLS13_CIPHERS: - if(Curl_ssl_tls13_ciphersuites()) { + if(Curl_ssl_supports(data, SSLSUPP_TLS13_CIPHERSUITES)) { /* set preferred list of TLS 1.3 cipher suites */ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST], va_arg(param, char *)); @@ -230,7 +239,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; #ifndef CURL_DISABLE_PROXY case CURLOPT_PROXY_TLS13_CIPHERS: - if(Curl_ssl_tls13_ciphersuites()) { + if(Curl_ssl_supports(data, SSLSUPP_TLS13_CIPHERSUITES)) { /* set preferred list of TLS 1.3 cipher suites for proxy */ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_PROXY], va_arg(param, char *)); @@ -406,7 +415,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) arg = va_arg(param, long); if((arg < CURL_TIMECOND_NONE) || (arg >= CURL_TIMECOND_LAST)) return CURLE_BAD_FUNCTION_ARGUMENT; - data->set.timecondition = (curl_TimeCond)arg; + data->set.timecondition = (unsigned char)(curl_TimeCond)arg; break; case CURLOPT_TIMEVALUE: /* @@ -598,7 +607,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) case CURLOPT_FOLLOWLOCATION: /* - * Follow Location: header hints on a HTTP-server. + * Follow Location: header hints on an HTTP-server. */ data->set.http_follow_location = (0 != va_arg(param, long)) ? TRUE : FALSE; break; @@ -914,7 +923,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) case CURLOPT_EXPECT_100_TIMEOUT_MS: /* - * Time to wait for a response to a HTTP request containing an + * Time to wait for a response to an HTTP request containing an * Expect: 100-continue header before sending the data anyway. */ arg = va_arg(param, long); @@ -1048,7 +1057,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) arg = va_arg(param, long); if((arg < 0) || (arg > 65535)) return CURLE_BAD_FUNCTION_ARGUMENT; - data->set.proxyport = arg; + data->set.proxyport = (unsigned short)arg; break; case CURLOPT_PROXYAUTH: @@ -1135,7 +1144,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) arg = va_arg(param, long); if((arg < CURLPROXY_HTTP) || (arg > CURLPROXY_SOCKS5_HOSTNAME)) return CURLE_BAD_FUNCTION_ARGUMENT; - data->set.proxytype = (curl_proxytype)arg; + data->set.proxytype = (unsigned char)(curl_proxytype)arg; break; case CURLOPT_PROXY_TRANSFER_MODE: @@ -1157,7 +1166,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; case CURLOPT_SOCKS5_AUTH: - data->set.socks5auth = va_arg(param, unsigned long); + data->set.socks5auth = (unsigned char)va_arg(param, unsigned long); if(data->set.socks5auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) result = CURLE_NOT_BUILT_IN; break; @@ -1234,7 +1243,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) arg = va_arg(param, long); if((arg < CURLFTPMETHOD_DEFAULT) || (arg >= CURLFTPMETHOD_LAST)) return CURLE_BAD_FUNCTION_ARGUMENT; - data->set.ftp_filemethod = (curl_ftpfile)arg; + data->set.ftp_filemethod = (unsigned char)(curl_ftpfile)arg; break; case CURLOPT_FTPPORT: /* @@ -1261,7 +1270,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) arg = va_arg(param, long); if((arg < CURLFTPSSL_CCC_NONE) || (arg >= CURLFTPSSL_CCC_LAST)) return CURLE_BAD_FUNCTION_ARGUMENT; - data->set.ftp_ccc = (curl_ftpccc)arg; + data->set.ftp_ccc = (unsigned char)(curl_ftpccc)arg; break; case CURLOPT_FTP_SKIP_PASV_IP: @@ -1289,7 +1298,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) arg = va_arg(param, long); if((arg < CURLFTPAUTH_DEFAULT) || (arg >= CURLFTPAUTH_LAST)) return CURLE_BAD_FUNCTION_ARGUMENT; - data->set.ftpsslauth = (curl_ftpauth)arg; + data->set.ftpsslauth = (unsigned char)(curl_ftpauth)arg; break; case CURLOPT_KRBLEVEL: /* @@ -1992,7 +2001,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) * Set a SSL_CTX callback */ #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_SSL_CTX) + if(Curl_ssl_supports(data, SSLSUPP_SSL_CTX)) data->set.ssl.fsslctx = va_arg(param, curl_ssl_ctx_callback); else #endif @@ -2003,7 +2012,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) * Set a SSL_CTX callback parameter pointer */ #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_SSL_CTX) + if(Curl_ssl_supports(data, SSLSUPP_SSL_CTX)) data->set.ssl.fsslctxp = va_arg(param, void *); else #endif @@ -2013,7 +2022,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) /* * Enable TLS false start. */ - if(!Curl_ssl_false_start()) { + if(!Curl_ssl_false_start(data)) { result = CURLE_NOT_BUILT_IN; break; } @@ -2022,7 +2031,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; case CURLOPT_CERTINFO: #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_CERTINFO) + if(Curl_ssl_supports(data, SSLSUPP_CERTINFO)) data->set.ssl.certinfo = (0 != va_arg(param, long)) ? TRUE : FALSE; else #endif @@ -2034,7 +2043,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) * Specify file name of the public key in DER format. */ #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY) + if(Curl_ssl_supports(data, SSLSUPP_PINNEDPUBKEY)) result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY], va_arg(param, char *)); else @@ -2048,7 +2057,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) * Specify file name of the public key in DER format. */ #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY) + if(Curl_ssl_supports(data, SSLSUPP_PINNEDPUBKEY)) result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY], va_arg(param, char *)); else @@ -2069,7 +2078,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) * Specify entire PEM of the CA certificate */ #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_CAINFO_BLOB) + if(Curl_ssl_supports(data, SSLSUPP_CAINFO_BLOB)) result = Curl_setblobopt(&data->set.blobs[BLOB_CAINFO], va_arg(param, struct curl_blob *)); else @@ -2092,7 +2101,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) * Specify entire PEM of the CA certificate */ #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_CAINFO_BLOB) + if(Curl_ssl_supports(data, SSLSUPP_CAINFO_BLOB)) result = Curl_setblobopt(&data->set.blobs[BLOB_CAINFO_PROXY], va_arg(param, struct curl_blob *)); else @@ -2106,7 +2115,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) * certificates which have been prepared using openssl c_rehash utility. */ #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_CA_PATH) + if(Curl_ssl_supports(data, SSLSUPP_CA_PATH)) /* This does not work on windows. */ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH], va_arg(param, char *)); @@ -2121,7 +2130,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) * CA certificates which have been prepared using openssl c_rehash utility. */ #ifdef USE_SSL - if(Curl_ssl->supports & SSLSUPP_CA_PATH) + if(Curl_ssl_supports(data, SSLSUPP_CA_PATH)) /* This does not work on windows. */ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_PROXY], va_arg(param, char *)); @@ -2205,7 +2214,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) else if(arg < READBUFFER_MIN) arg = READBUFFER_MIN; - data->set.buffer_size = (int)arg; + data->set.buffer_size = (unsigned int)arg; break; case CURLOPT_UPLOAD_BUFFERSIZE: @@ -3107,6 +3116,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) break; } #endif + case CURLOPT_QUICK_EXIT: + data->set.quick_exit = (0 != va_arg(param, long)) ? 1L:0L; + break; default: /* unknown tag and its companion, just ignore: */ result = CURLE_UNKNOWN_OPTION; diff --git a/lib/setup-os400.h b/lib/setup-os400.h index 6023ca2..7854397 100644 --- a/lib/setup-os400.h +++ b/lib/setup-os400.h @@ -49,11 +49,11 @@ extern int Curl_getaddrinfo_a(const char *nodename, struct addrinfo **res); #define getaddrinfo Curl_getaddrinfo_a - +/* Note socklen_t must be used as this is declared before curl_socklen_t */ extern int Curl_getnameinfo_a(const struct sockaddr *sa, - curl_socklen_t salen, - char *nodename, curl_socklen_t nodenamelen, - char *servname, curl_socklen_t servnamelen, + socklen_t salen, + char *nodename, socklen_t nodenamelen, + char *servname, socklen_t servnamelen, int flags); #define getnameinfo Curl_getnameinfo_a diff --git a/lib/sha256.c b/lib/sha256.c index 60720f5..c96a9fc 100644 --- a/lib/sha256.c +++ b/lib/sha256.c @@ -57,18 +57,6 @@ #endif #endif /* USE_MBEDTLS */ -/* Please keep the SSL backend-specific #if branches in this order: - * - * 1. USE_OPENSSL - * 2. USE_GNUTLS - * 3. USE_MBEDTLS - * 4. USE_COMMON_CRYPTO - * 5. USE_WIN32_CRYPTO - * - * This ensures that the same SSL branch gets activated throughout this source - * file even if multiple backends are enabled at the same time. - */ - #if defined(USE_OPENSSL_SHA256) /* When OpenSSL or wolfSSL is available is available we use their @@ -80,11 +68,39 @@ #include #endif -#include "curl_memory.h" +#elif defined(USE_GNUTLS) +#include +#elif defined(USE_MBEDTLS) +#include +#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ + (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \ + (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \ + (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000)) +#include +#define AN_APPLE_OS +#elif defined(USE_WIN32_CRYPTO) +#include +#endif -/* The last #include file should be: */ +/* The last 3 #include files should be in this order */ +#include "curl_printf.h" +#include "curl_memory.h" #include "memdebug.h" +/* Please keep the SSL backend-specific #if branches in this order: + * + * 1. USE_OPENSSL + * 2. USE_GNUTLS + * 3. USE_MBEDTLS + * 4. USE_COMMON_CRYPTO + * 5. USE_WIN32_CRYPTO + * + * This ensures that the same SSL branch gets activated throughout this source + * file even if multiple backends are enabled at the same time. + */ + +#if defined(USE_OPENSSL_SHA256) + struct sha256_ctx { EVP_MD_CTX *openssl_ctx; }; @@ -115,13 +131,6 @@ static void my_sha256_final(unsigned char *digest, my_sha256_ctx *ctx) #elif defined(USE_GNUTLS) -#include - -#include "curl_memory.h" - -/* The last #include file should be: */ -#include "memdebug.h" - typedef struct sha256_ctx my_sha256_ctx; static CURLcode my_sha256_init(my_sha256_ctx *ctx) @@ -144,13 +153,6 @@ static void my_sha256_final(unsigned char *digest, my_sha256_ctx *ctx) #elif defined(USE_MBEDTLS) -#include - -#include "curl_memory.h" - -/* The last #include file should be: */ -#include "memdebug.h" - typedef mbedtls_sha256_context my_sha256_ctx; static CURLcode my_sha256_init(my_sha256_ctx *ctx) @@ -183,18 +185,7 @@ static void my_sha256_final(unsigned char *digest, my_sha256_ctx *ctx) #endif } -#elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ - (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \ - (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \ - (__IPHONE_OS_VERSION_MAX_ALLOWED >= 20000)) - -#include - -#include "curl_memory.h" - -/* The last #include file should be: */ -#include "memdebug.h" - +#elif defined(AN_APPLE_OS) typedef CC_SHA256_CTX my_sha256_ctx; static CURLcode my_sha256_init(my_sha256_ctx *ctx) @@ -217,8 +208,6 @@ static void my_sha256_final(unsigned char *digest, my_sha256_ctx *ctx) #elif defined(USE_WIN32_CRYPTO) -#include - struct sha256_ctx { HCRYPTPROV hCryptProv; HCRYPTHASH hHash; diff --git a/lib/smb.c b/lib/smb.c index a62e858..48d5a2f 100644 --- a/lib/smb.c +++ b/lib/smb.c @@ -30,19 +30,15 @@ #define BUILDING_CURL_SMB_C -#ifdef HAVE_PROCESS_H -#include -#ifdef CURL_WINDOWS_APP +#ifdef WIN32 #define getpid GetCurrentProcessId -#elif defined(WIN32) -#define getpid _getpid -#endif #endif #include "smb.h" #include "urldata.h" #include "sendf.h" #include "multiif.h" +#include "cfilters.h" #include "connect.h" #include "progress.h" #include "transfer.h" @@ -62,8 +58,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done); static CURLcode smb_connection_state(struct Curl_easy *data, bool *done); static CURLcode smb_do(struct Curl_easy *data, bool *done); static CURLcode smb_request_state(struct Curl_easy *data, bool *done); -static CURLcode smb_done(struct Curl_easy *data, CURLcode status, - bool premature); static CURLcode smb_disconnect(struct Curl_easy *data, struct connectdata *conn, bool dead); static int smb_getsock(struct Curl_easy *data, struct connectdata *conn, @@ -78,7 +72,7 @@ const struct Curl_handler Curl_handler_smb = { "SMB", /* scheme */ smb_setup_connection, /* setup_connection */ smb_do, /* do_it */ - smb_done, /* done */ + ZERO_NULL, /* done */ ZERO_NULL, /* do_more */ smb_connect, /* connect_it */ smb_connection_state, /* connecting */ @@ -105,7 +99,7 @@ const struct Curl_handler Curl_handler_smbs = { "SMBS", /* scheme */ smb_setup_connection, /* setup_connection */ smb_do, /* do_it */ - smb_done, /* done */ + ZERO_NULL, /* done */ ZERO_NULL, /* do_more */ smb_connect, /* connect_it */ smb_connection_state, /* connecting */ @@ -671,8 +665,7 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) #ifdef USE_SSL if((conn->handler->flags & PROTOPT_SSL)) { bool ssl_done = FALSE; - result = Curl_ssl_connect_nonblocking(data, conn, FALSE, - FIRSTSOCKET, &ssl_done); + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &ssl_done); if(result && result != CURLE_AGAIN) return result; if(!ssl_done) @@ -941,14 +934,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done) return CURLE_OK; } -static CURLcode smb_done(struct Curl_easy *data, CURLcode status, - bool premature) -{ - (void) premature; - Curl_safefree(data->req.p.smb); - return status; -} - static CURLcode smb_disconnect(struct Curl_easy *data, struct connectdata *conn, bool dead) { diff --git a/lib/smtp.c b/lib/smtp.c index 6ebb41a..6d0783f4 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -60,11 +60,6 @@ #include #endif -#if (defined(NETWARE) && defined(__NOVELL_LIBC__)) -#undef in_addr_t -#define in_addr_t unsigned long -#endif - #include #include "urldata.h" #include "sendf.h" @@ -79,6 +74,7 @@ #include "strtoofft.h" #include "strcase.h" #include "vtls/vtls.h" +#include "cfilters.h" #include "connect.h" #include "select.h" #include "multiif.h" @@ -87,6 +83,7 @@ #include "bufref.h" #include "curl_sasl.h" #include "warnless.h" +#include "idn.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" #include "curl_memory.h" @@ -109,7 +106,7 @@ static CURLcode smtp_setup_connection(struct Curl_easy *data, static CURLcode smtp_parse_url_options(struct connectdata *conn); static CURLcode smtp_parse_url_path(struct Curl_easy *data); static CURLcode smtp_parse_custom_request(struct Curl_easy *data); -static CURLcode smtp_parse_address(struct Curl_easy *data, const char *fqma, +static CURLcode smtp_parse_address(const char *fqma, char **address, struct hostname *host); static CURLcode smtp_perform_auth(struct Curl_easy *data, const char *mech, const struct bufref *initresp); @@ -400,10 +397,15 @@ static CURLcode smtp_perform_upgrade_tls(struct Curl_easy *data) /* Start the SSL connection */ struct connectdata *conn = data->conn; struct smtp_conn *smtpc = &conn->proto.smtpc; - CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FALSE, - FIRSTSOCKET, - &smtpc->ssldone); + CURLcode result; + + if(!Curl_conn_is_ssl(data, FIRSTSOCKET)) { + result = Curl_ssl_cfilter_add(data, conn, FIRSTSOCKET); + if(result) + goto out; + } + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &smtpc->ssldone); if(!result) { if(smtpc->state != SMTP_UPGRADETLS) state(data, SMTP_UPGRADETLS); @@ -413,7 +415,7 @@ static CURLcode smtp_perform_upgrade_tls(struct Curl_easy *data) result = smtp_perform_ehlo(data); } } - +out: return result; } @@ -540,7 +542,7 @@ static CURLcode smtp_perform_command(struct Curl_easy *data) /* Parse the mailbox to verify into the local address and host name parts, converting the host name to an IDN A-label if necessary */ - result = smtp_parse_address(data, smtp->rcpt->data, + result = smtp_parse_address(smtp->rcpt->data, &address, &host); if(result) return result; @@ -614,7 +616,7 @@ static CURLcode smtp_perform_mail(struct Curl_easy *data) /* Parse the FROM mailbox into the local address and host name parts, converting the host name to an IDN A-label if necessary */ - result = smtp_parse_address(data, data->set.str[STRING_MAIL_FROM], + result = smtp_parse_address(data->set.str[STRING_MAIL_FROM], &address, &host); if(result) return result; @@ -652,7 +654,7 @@ static CURLcode smtp_perform_mail(struct Curl_easy *data) /* Parse the AUTH mailbox into the local address and host name parts, converting the host name to an IDN A-label if necessary */ - result = smtp_parse_address(data, data->set.str[STRING_MAIL_AUTH], + result = smtp_parse_address(data->set.str[STRING_MAIL_AUTH], &address, &host); if(result) { free(from); @@ -696,7 +698,7 @@ static CURLcode smtp_perform_mail(struct Curl_easy *data) /* Add external headers and mime version. */ curl_mime_headers(&data->set.mimepost, data->set.headers, 0); - result = Curl_mime_prepare_headers(&data->set.mimepost, NULL, + result = Curl_mime_prepare_headers(data, &data->set.mimepost, NULL, NULL, MIMESTRATEGY_MAIL); if(!result) @@ -789,7 +791,7 @@ static CURLcode smtp_perform_rcpt_to(struct Curl_easy *data) /* Parse the recipient mailbox into the local address and host name parts, converting the host name to an IDN A-label if necessary */ - result = smtp_parse_address(data, smtp->rcpt->data, + result = smtp_parse_address(smtp->rcpt->data, &address, &host); if(result) return result; @@ -888,7 +890,8 @@ static CURLcode smtp_state_ehlo_resp(struct Curl_easy *data, (void)instate; /* no use for this yet */ if(smtpcode/100 != 2 && smtpcode != 1) { - if(data->set.use_ssl <= CURLUSESSL_TRY || conn->ssl[FIRSTSOCKET].use) + if(data->set.use_ssl <= CURLUSESSL_TRY + || Curl_conn_is_ssl(data, FIRSTSOCKET)) result = smtp_perform_helo(data, conn); else { failf(data, "Remote access denied: %d", smtpcode); @@ -953,7 +956,7 @@ static CURLcode smtp_state_ehlo_resp(struct Curl_easy *data, } if(smtpcode != 1) { - if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) { + if(data->set.use_ssl && !Curl_conn_is_ssl(data, FIRSTSOCKET)) { /* We don't have a SSL/TLS connection yet, but SSL is requested */ if(smtpc->tls_supported) /* Switch to TLS connection now */ @@ -1043,7 +1046,7 @@ static CURLcode smtp_state_command_resp(struct Curl_easy *data, int smtpcode, } else { /* Temporarily add the LF character back and send as body to the client */ - if(!data->set.opt_no_body) { + if(!data->req.no_body) { line[len] = '\n'; result = Curl_client_write(data, CLIENTWRITE_BODY, line, len + 1); line[len] = '\0'; @@ -1285,8 +1288,7 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) struct smtp_conn *smtpc = &conn->proto.smtpc; if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { - result = Curl_ssl_connect_nonblocking(data, conn, FALSE, - FIRSTSOCKET, &smtpc->ssldone); + result = Curl_conn_connect(data, FIRSTSOCKET, FALSE, &smtpc->ssldone); if(result || !smtpc->ssldone) return result; } @@ -1479,12 +1481,11 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected, { /* This is SMTP and no proxy */ CURLcode result = CURLE_OK; - struct connectdata *conn = data->conn; struct SMTP *smtp = data->req.p.smtp; DEBUGF(infof(data, "DO phase starts")); - if(data->set.opt_no_body) { + if(data->req.no_body) { /* Requested no body means no transfer */ smtp->transfer = PPTRANSFER_INFO; } @@ -1519,7 +1520,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected, /* Run the state-machine */ result = smtp_multi_statemach(data, dophase_done); - *connected = conn->bits.tcpconnect[FIRSTSOCKET]; + *connected = Curl_conn_is_connected(data->conn, FIRSTSOCKET); if(*dophase_done) DEBUGF(infof(data, "DO phase is complete")); @@ -1782,8 +1783,8 @@ static CURLcode smtp_parse_custom_request(struct Curl_easy *data) * calling function deems it to be) then the input will simply be returned in * the address part with the host name being NULL. */ -static CURLcode smtp_parse_address(struct Curl_easy *data, const char *fqma, - char **address, struct hostname *host) +static CURLcode smtp_parse_address(const char *fqma, char **address, + struct hostname *host) { CURLcode result = CURLE_OK; size_t length; @@ -1807,7 +1808,7 @@ static CURLcode smtp_parse_address(struct Curl_easy *data, const char *fqma, host->name = host->name + 1; /* Attempt to convert the host name to IDN ACE */ - (void) Curl_idnconvert_hostname(data, host); + (void) Curl_idnconvert_hostname(host); /* If Curl_idnconvert_hostname() fails then we shall attempt to continue and send the host name using UTF-8 rather than as 7-bit ACE (which is diff --git a/lib/socks.c b/lib/socks.c index 52c2988..d491e08 100644 --- a/lib/socks.c +++ b/lib/socks.c @@ -36,17 +36,52 @@ #include "urldata.h" #include "sendf.h" #include "select.h" +#include "cfilters.h" #include "connect.h" #include "timeval.h" #include "socks.h" #include "multiif.h" /* for getsock macros */ #include "inet_pton.h" +#include "url.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" #include "curl_memory.h" #include "memdebug.h" +/* for the (SOCKS) connect state machine */ +enum connect_t { + CONNECT_INIT, + CONNECT_SOCKS_INIT, /* 1 */ + CONNECT_SOCKS_SEND, /* 2 waiting to send more first data */ + CONNECT_SOCKS_READ_INIT, /* 3 set up read */ + CONNECT_SOCKS_READ, /* 4 read server response */ + CONNECT_GSSAPI_INIT, /* 5 */ + CONNECT_AUTH_INIT, /* 6 setup outgoing auth buffer */ + CONNECT_AUTH_SEND, /* 7 send auth */ + CONNECT_AUTH_READ, /* 8 read auth response */ + CONNECT_REQ_INIT, /* 9 init SOCKS "request" */ + CONNECT_RESOLVING, /* 10 */ + CONNECT_RESOLVED, /* 11 */ + CONNECT_RESOLVE_REMOTE, /* 12 */ + CONNECT_REQ_SEND, /* 13 */ + CONNECT_REQ_SENDING, /* 14 */ + CONNECT_REQ_READ, /* 15 */ + CONNECT_REQ_READ_MORE, /* 16 */ + CONNECT_DONE /* 17 connected fine to the remote or the SOCKS proxy */ +}; + +struct socks_state { + enum connect_t state; + ssize_t outstanding; /* send this many bytes more */ + unsigned char *outp; /* send from this pointer */ + + const char *hostname; + int remote_port; + const char *proxy_user; + const char *proxy_password; +}; + #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) /* * Helper read-from-socket functions. Does the same as Curl_read() but it @@ -77,7 +112,7 @@ int Curl_blockread_all(struct Curl_easy *data, /* transfer */ result = ~CURLE_OK; break; } - result = Curl_read_plain(sockfd, buf, buffersize, &nread); + result = Curl_read_plain(data, sockfd, buf, buffersize, &nread); if(CURLE_AGAIN == result) continue; if(result) @@ -104,21 +139,20 @@ int Curl_blockread_all(struct Curl_easy *data, /* transfer */ #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) #define DEBUG_AND_VERBOSE -#define sxstate(x,y) socksstate(x,y, __LINE__) +#define sxstate(x,d,y) socksstate(x,d,y, __LINE__) #else -#define sxstate(x,y) socksstate(x,y) +#define sxstate(x,d,y) socksstate(x,d,y) #endif /* always use this function to change state, to make debugging easier */ -static void socksstate(struct Curl_easy *data, +static void socksstate(struct socks_state *sx, struct Curl_easy *data, enum connect_t state #ifdef DEBUG_AND_VERBOSE , int lineno #endif ) { - struct connectdata *conn = data->conn; - enum connect_t oldstate = conn->cnnct.state; + enum connect_t oldstate = sx->state; #ifdef DEBUG_AND_VERBOSE /* synced with the state list in urldata.h */ static const char * const statename[] = { @@ -143,40 +177,21 @@ static void socksstate(struct Curl_easy *data, }; #endif + (void)data; if(oldstate == state) /* don't bother when the new state is the same as the old state */ return; - conn->cnnct.state = state; + sx->state = state; #ifdef DEBUG_AND_VERBOSE infof(data, - "SXSTATE: %s => %s conn %p; line %d", - statename[oldstate], statename[conn->cnnct.state], conn, + "SXSTATE: %s => %s; line %d", + statename[oldstate], statename[sx->state], lineno); #endif } -int Curl_SOCKS_getsock(struct connectdata *conn, curl_socket_t *sock, - int sockindex) -{ - int rc = 0; - sock[0] = conn->sock[sockindex]; - switch(conn->cnnct.state) { - case CONNECT_RESOLVING: - case CONNECT_SOCKS_READ: - case CONNECT_AUTH_READ: - case CONNECT_REQ_READ: - case CONNECT_REQ_READ_MORE: - rc = GETSOCK_READSOCK(0); - break; - default: - rc = GETSOCK_WRITESOCK(0); - break; - } - return rc; -} - /* * This function logs in to a SOCKS4 proxy and sends the specifics to the final * destination server. @@ -188,20 +203,16 @@ int Curl_SOCKS_getsock(struct connectdata *conn, curl_socket_t *sock, * Set protocol4a=true for "SOCKS 4A (Simple Extension to SOCKS 4 Protocol)" * Nonsupport "Identification Protocol (RFC1413)" */ -CURLproxycode Curl_SOCKS4(const char *proxy_user, - const char *hostname, - int remote_port, - int sockindex, - struct Curl_easy *data, - bool *done) +static CURLproxycode do_SOCKS4(struct Curl_cfilter *cf, + struct socks_state *sx, + struct Curl_easy *data) { - struct connectdata *conn = data->conn; + struct connectdata *conn = cf->conn; const bool protocol4a = (conn->socks_proxy.proxytype == CURLPROXY_SOCKS4A) ? TRUE : FALSE; unsigned char *socksreq = (unsigned char *)data->state.buffer; CURLcode result; - curl_socket_t sockfd = conn->sock[sockindex]; - struct connstate *sx = &conn->cnnct; + curl_socket_t sockfd = conn->sock[cf->sockindex]; struct Curl_dns_entry *dns = NULL; ssize_t actualread; ssize_t written; @@ -209,18 +220,16 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, /* make sure that the buffer is at least 600 bytes */ DEBUGASSERT(READBUFFER_MIN >= 600); - if(!SOCKS_STATE(sx->state) && !*done) - sxstate(data, CONNECT_SOCKS_INIT); - switch(sx->state) { case CONNECT_SOCKS_INIT: /* SOCKS4 can only do IPv4, insist! */ conn->ip_version = CURL_IPRESOLVE_V4; if(conn->bits.httpproxy) infof(data, "SOCKS4%s: connecting to HTTP proxy %s port %d", - protocol4a ? "a" : "", hostname, remote_port); + protocol4a ? "a" : "", sx->hostname, sx->remote_port); - infof(data, "SOCKS4 communication to %s:%d", hostname, remote_port); + infof(data, "SOCKS4 communication to %s:%d", + sx->hostname, sx->remote_port); /* * Compose socks4 request @@ -235,40 +244,40 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, socksreq[0] = 4; /* version (SOCKS4) */ socksreq[1] = 1; /* connect */ - socksreq[2] = (unsigned char)((remote_port >> 8) & 0xff); /* PORT MSB */ - socksreq[3] = (unsigned char)(remote_port & 0xff); /* PORT LSB */ + socksreq[2] = (unsigned char)((sx->remote_port >> 8) & 0xff); /* MSB */ + socksreq[3] = (unsigned char)(sx->remote_port & 0xff); /* LSB */ /* DNS resolve only for SOCKS4, not SOCKS4a */ if(!protocol4a) { enum resolve_t rc = - Curl_resolv(data, hostname, remote_port, FALSE, &dns); + Curl_resolv(data, sx->hostname, sx->remote_port, FALSE, &dns); if(rc == CURLRESOLV_ERROR) return CURLPX_RESOLVE_HOST; else if(rc == CURLRESOLV_PENDING) { - sxstate(data, CONNECT_RESOLVING); - infof(data, "SOCKS4 non-blocking resolve of %s", hostname); + sxstate(sx, data, CONNECT_RESOLVING); + infof(data, "SOCKS4 non-blocking resolve of %s", sx->hostname); return CURLPX_OK; } - sxstate(data, CONNECT_RESOLVED); + sxstate(sx, data, CONNECT_RESOLVED); goto CONNECT_RESOLVED; } /* socks4a doesn't resolve anything locally */ - sxstate(data, CONNECT_REQ_INIT); + sxstate(sx, data, CONNECT_REQ_INIT); goto CONNECT_REQ_INIT; case CONNECT_RESOLVING: /* check if we have the name resolved by now */ - dns = Curl_fetch_addr(data, hostname, (int)conn->port); + dns = Curl_fetch_addr(data, sx->hostname, (int)conn->port); if(dns) { #ifdef CURLRES_ASYNCH data->state.async.dns = dns; data->state.async.done = TRUE; #endif - infof(data, "Hostname '%s' was found", hostname); - sxstate(data, CONNECT_RESOLVED); + infof(data, "Hostname '%s' was found", sx->hostname); + sxstate(sx, data, CONNECT_RESOLVED); } else { result = Curl_resolv_check(data, &dns); @@ -309,11 +318,11 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, Curl_resolv_unlock(data, dns); /* not used anymore from now on */ } else - failf(data, "SOCKS4 connection to %s not supported", hostname); + failf(data, "SOCKS4 connection to %s not supported", sx->hostname); } else failf(data, "Failed to resolve \"%s\" for SOCKS4 connect.", - hostname); + sx->hostname); if(!hp) return CURLPX_RESOLVE_HOST; @@ -325,14 +334,14 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, * This is currently not supporting "Identification Protocol (RFC1413)". */ socksreq[8] = 0; /* ensure empty userid is NUL-terminated */ - if(proxy_user) { - size_t plen = strlen(proxy_user); + if(sx->proxy_user) { + size_t plen = strlen(sx->proxy_user); if(plen >= (size_t)data->set.buffer_size - 8) { failf(data, "Too long SOCKS proxy user name, can't use"); return CURLPX_LONG_USER; } /* copy the proxy name WITH trailing zero */ - memcpy(socksreq + 8, proxy_user, plen + 1); + memcpy(socksreq + 8, sx->proxy_user, plen + 1); } /* @@ -350,9 +359,9 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, socksreq[6] = 0; socksreq[7] = 1; /* append hostname */ - hostnamelen = strlen(hostname) + 1; /* length including NUL */ + hostnamelen = strlen(sx->hostname) + 1; /* length including NUL */ if(hostnamelen <= 255) - strcpy((char *)socksreq + packetsize, hostname); + strcpy((char *)socksreq + packetsize, sx->hostname); else { failf(data, "SOCKS4: too long host name"); return CURLPX_LONG_HOSTNAME; @@ -361,7 +370,7 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, } sx->outp = socksreq; sx->outstanding = packetsize; - sxstate(data, CONNECT_REQ_SENDING); + sxstate(sx, data, CONNECT_REQ_SENDING); } /* FALLTHROUGH */ case CONNECT_REQ_SENDING: @@ -382,12 +391,12 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, /* done sending! */ sx->outstanding = 8; /* receive data size */ sx->outp = socksreq; - sxstate(data, CONNECT_SOCKS_READ); + sxstate(sx, data, CONNECT_SOCKS_READ); /* FALLTHROUGH */ case CONNECT_SOCKS_READ: /* Receive response */ - result = Curl_read_plain(sockfd, (char *)sx->outp, + result = Curl_read_plain(data, sockfd, (char *)sx->outp, sx->outstanding, &actualread); if(result && (CURLE_AGAIN != result)) { failf(data, "SOCKS4: Failed receiving connect request ack: %s", @@ -405,7 +414,7 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, sx->outp += actualread; return CURLPX_OK; } - sxstate(data, CONNECT_DONE); + sxstate(sx, data, CONNECT_DONE); break; default: /* lots of unused states in SOCKS4 */ break; @@ -478,7 +487,6 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, return CURLPX_UNKNOWN_FAIL; } - *done = TRUE; return CURLPX_OK; /* Proxy was successful! */ } @@ -486,13 +494,9 @@ CURLproxycode Curl_SOCKS4(const char *proxy_user, * This function logs in to a SOCKS5 proxy and sends the specifics to the final * destination server. */ -CURLproxycode Curl_SOCKS5(const char *proxy_user, - const char *proxy_password, - const char *hostname, - int remote_port, - int sockindex, - struct Curl_easy *data, - bool *done) +static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, + struct socks_state *sx, + struct Curl_easy *data) { /* According to the RFC1928, section "6. Replies". This is what a SOCK5 @@ -510,31 +514,28 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, o REP Reply field: o X'00' succeeded */ - struct connectdata *conn = data->conn; + struct connectdata *conn = cf->conn; unsigned char *socksreq = (unsigned char *)data->state.buffer; char dest[256] = "unknown"; /* printable hostname:port */ int idx; ssize_t actualread; ssize_t written; CURLcode result; - curl_socket_t sockfd = conn->sock[sockindex]; + curl_socket_t sockfd = conn->sock[cf->sockindex]; bool socks5_resolve_local = (conn->socks_proxy.proxytype == CURLPROXY_SOCKS5) ? TRUE : FALSE; - const size_t hostname_len = strlen(hostname); + const size_t hostname_len = strlen(sx->hostname); ssize_t len = 0; - const unsigned long auth = data->set.socks5auth; + const unsigned char auth = data->set.socks5auth; bool allow_gssapi = FALSE; - struct connstate *sx = &conn->cnnct; struct Curl_dns_entry *dns = NULL; - if(!SOCKS_STATE(sx->state) && !*done) - sxstate(data, CONNECT_SOCKS_INIT); - + DEBUGASSERT(auth & (CURLAUTH_BASIC | CURLAUTH_GSSAPI)); switch(sx->state) { case CONNECT_SOCKS_INIT: if(conn->bits.httpproxy) infof(data, "SOCKS5: connecting to HTTP proxy %s port %d", - hostname, remote_port); + sx->hostname, sx->remote_port); /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ if(!socks5_resolve_local && hostname_len > 255) { @@ -545,11 +546,11 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) infof(data, - "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu", + "warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %u", auth); if(!(auth & CURLAUTH_BASIC)) /* disable username/password auth */ - proxy_user = NULL; + sx->proxy_user = NULL; #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) if(auth & CURLAUTH_GSSAPI) allow_gssapi = TRUE; @@ -561,23 +562,23 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, socksreq[idx++] = 0; /* no authentication */ if(allow_gssapi) socksreq[idx++] = 1; /* GSS-API */ - if(proxy_user) + if(sx->proxy_user) socksreq[idx++] = 2; /* username/password */ /* write the number of authentication methods */ socksreq[1] = (unsigned char) (idx - 2); - result = Curl_write_plain(data, sockfd, (char *)socksreq, idx, &written); + result = Curl_write_plain(data, sockfd, socksreq, idx, &written); if(result && (CURLE_AGAIN != result)) { failf(data, "Unable to send initial SOCKS5 request."); return CURLPX_SEND_CONNECT; } if(written != idx) { - sxstate(data, CONNECT_SOCKS_SEND); + sxstate(sx, data, CONNECT_SOCKS_SEND); sx->outstanding = idx - written; sx->outp = &socksreq[written]; return CURLPX_OK; } - sxstate(data, CONNECT_SOCKS_READ); + sxstate(sx, data, CONNECT_SOCKS_READ); goto CONNECT_SOCKS_READ_INIT; case CONNECT_SOCKS_SEND: result = Curl_write_plain(data, sockfd, (char *)sx->outp, @@ -599,7 +600,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, sx->outp = socksreq; /* store it here */ /* FALLTHROUGH */ case CONNECT_SOCKS_READ: - result = Curl_read_plain(sockfd, (char *)sx->outp, + result = Curl_read_plain(data, sockfd, (char *)sx->outp, sx->outstanding, &actualread); if(result && (CURLE_AGAIN != result)) { failf(data, "Unable to receive initial SOCKS5 response."); @@ -622,18 +623,18 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, } else if(socksreq[1] == 0) { /* DONE! No authentication needed. Send request. */ - sxstate(data, CONNECT_REQ_INIT); + sxstate(sx, data, CONNECT_REQ_INIT); goto CONNECT_REQ_INIT; } else if(socksreq[1] == 2) { /* regular name + password authentication */ - sxstate(data, CONNECT_AUTH_INIT); + sxstate(sx, data, CONNECT_AUTH_INIT); goto CONNECT_AUTH_INIT; } #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) else if(allow_gssapi && (socksreq[1] == 1)) { - sxstate(data, CONNECT_GSSAPI_INIT); - result = Curl_SOCKS5_gssapi_negotiate(sockindex, data); + sxstate(sx, data, CONNECT_GSSAPI_INIT); + result = Curl_SOCKS5_gssapi_negotiate(cf->sockindex, data); if(result) { failf(data, "Unable to negotiate SOCKS5 GSS-API context."); return CURLPX_GSSAPI; @@ -668,9 +669,9 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, case CONNECT_AUTH_INIT: { /* Needs user name and password */ size_t proxy_user_len, proxy_password_len; - if(proxy_user && proxy_password) { - proxy_user_len = strlen(proxy_user); - proxy_password_len = strlen(proxy_password); + if(sx->proxy_user && sx->proxy_password) { + proxy_user_len = strlen(sx->proxy_user); + proxy_password_len = strlen(sx->proxy_password); } else { proxy_user_len = 0; @@ -687,32 +688,32 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, len = 0; socksreq[len++] = 1; /* username/pw subnegotiation version */ socksreq[len++] = (unsigned char) proxy_user_len; - if(proxy_user && proxy_user_len) { + if(sx->proxy_user && proxy_user_len) { /* the length must fit in a single byte */ - if(proxy_user_len >= 255) { + if(proxy_user_len > 255) { failf(data, "Excessive user name length for proxy auth"); return CURLPX_LONG_USER; } - memcpy(socksreq + len, proxy_user, proxy_user_len); + memcpy(socksreq + len, sx->proxy_user, proxy_user_len); } len += proxy_user_len; socksreq[len++] = (unsigned char) proxy_password_len; - if(proxy_password && proxy_password_len) { + if(sx->proxy_password && proxy_password_len) { /* the length must fit in a single byte */ if(proxy_password_len > 255) { failf(data, "Excessive password length for proxy auth"); return CURLPX_LONG_PASSWD; } - memcpy(socksreq + len, proxy_password, proxy_password_len); + memcpy(socksreq + len, sx->proxy_password, proxy_password_len); } len += proxy_password_len; - sxstate(data, CONNECT_AUTH_SEND); + sxstate(sx, data, CONNECT_AUTH_SEND); sx->outstanding = len; sx->outp = socksreq; } /* FALLTHROUGH */ case CONNECT_AUTH_SEND: - result = Curl_write_plain(data, sockfd, (char *)sx->outp, + result = Curl_write_plain(data, sockfd, sx->outp, sx->outstanding, &written); if(result && (CURLE_AGAIN != result)) { failf(data, "Failed to send SOCKS5 sub-negotiation request."); @@ -726,10 +727,10 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, } sx->outp = socksreq; sx->outstanding = 2; - sxstate(data, CONNECT_AUTH_READ); + sxstate(sx, data, CONNECT_AUTH_READ); /* FALLTHROUGH */ case CONNECT_AUTH_READ: - result = Curl_read_plain(sockfd, (char *)sx->outp, + result = Curl_read_plain(data, sockfd, (char *)sx->outp, sx->outstanding, &actualread); if(result && (CURLE_AGAIN != result)) { failf(data, "Unable to receive SOCKS5 sub-negotiation response."); @@ -754,36 +755,36 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, } /* Everything is good so far, user was authenticated! */ - sxstate(data, CONNECT_REQ_INIT); + sxstate(sx, data, CONNECT_REQ_INIT); /* FALLTHROUGH */ CONNECT_REQ_INIT: case CONNECT_REQ_INIT: if(socks5_resolve_local) { - enum resolve_t rc = Curl_resolv(data, hostname, remote_port, + enum resolve_t rc = Curl_resolv(data, sx->hostname, sx->remote_port, FALSE, &dns); if(rc == CURLRESOLV_ERROR) return CURLPX_RESOLVE_HOST; if(rc == CURLRESOLV_PENDING) { - sxstate(data, CONNECT_RESOLVING); + sxstate(sx, data, CONNECT_RESOLVING); return CURLPX_OK; } - sxstate(data, CONNECT_RESOLVED); + sxstate(sx, data, CONNECT_RESOLVED); goto CONNECT_RESOLVED; } goto CONNECT_RESOLVE_REMOTE; case CONNECT_RESOLVING: /* check if we have the name resolved by now */ - dns = Curl_fetch_addr(data, hostname, remote_port); + dns = Curl_fetch_addr(data, sx->hostname, sx->remote_port); if(dns) { #ifdef CURLRES_ASYNCH data->state.async.dns = dns; data->state.async.done = TRUE; #endif - infof(data, "SOCKS5: hostname '%s' found", hostname); + infof(data, "SOCKS5: hostname '%s' found", sx->hostname); } if(!dns) { @@ -803,13 +804,13 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, hp = dns->addr; if(!hp) { failf(data, "Failed to resolve \"%s\" for SOCKS5 connect.", - hostname); + sx->hostname); return CURLPX_RESOLVE_HOST; } Curl_printable_address(hp, dest, sizeof(dest)); destlen = strlen(dest); - msnprintf(dest + destlen, sizeof(dest) - destlen, ":%d", remote_port); + msnprintf(dest + destlen, sizeof(dest) - destlen, ":%d", sx->remote_port); len = 0; socksreq[len++] = 5; /* version (SOCKS5) */ @@ -866,7 +867,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, #ifdef ENABLE_IPV6 if(conn->bits.ipv6_ip) { char ip6[16]; - if(1 != Curl_inet_pton(AF_INET6, hostname, ip6)) + if(1 != Curl_inet_pton(AF_INET6, sx->hostname, ip6)) return CURLPX_BAD_ADDRESS_TYPE; socksreq[len++] = 4; memcpy(&socksreq[len], ip6, sizeof(ip6)); @@ -874,7 +875,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, } else #endif - if(1 == Curl_inet_pton(AF_INET, hostname, ip4)) { + if(1 == Curl_inet_pton(AF_INET, sx->hostname, ip4)) { socksreq[len++] = 1; memcpy(&socksreq[len], ip4, sizeof(ip4)); len += sizeof(ip4); @@ -882,20 +883,20 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, else { socksreq[len++] = 3; socksreq[len++] = (char) hostname_len; /* one byte address length */ - memcpy(&socksreq[len], hostname, hostname_len); /* address w/o NULL */ + memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ len += hostname_len; } infof(data, "SOCKS5 connect to %s:%d (remotely resolved)", - hostname, remote_port); + sx->hostname, sx->remote_port); } /* FALLTHROUGH */ CONNECT_REQ_SEND: case CONNECT_REQ_SEND: /* PORT MSB */ - socksreq[len++] = (unsigned char)((remote_port >> 8) & 0xff); + socksreq[len++] = (unsigned char)((sx->remote_port >> 8) & 0xff); /* PORT LSB */ - socksreq[len++] = (unsigned char)(remote_port & 0xff); + socksreq[len++] = (unsigned char)(sx->remote_port & 0xff); #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) if(conn->socks5_gssapi_enctype) { @@ -905,7 +906,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, #endif sx->outp = socksreq; sx->outstanding = len; - sxstate(data, CONNECT_REQ_SENDING); + sxstate(sx, data, CONNECT_REQ_SENDING); /* FALLTHROUGH */ case CONNECT_REQ_SENDING: result = Curl_write_plain(data, sockfd, (char *)sx->outp, @@ -928,10 +929,10 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, #endif sx->outstanding = 10; /* minimum packet size is 10 */ sx->outp = socksreq; - sxstate(data, CONNECT_REQ_READ); + sxstate(sx, data, CONNECT_REQ_READ); /* FALLTHROUGH */ case CONNECT_REQ_READ: - result = Curl_read_plain(sockfd, (char *)sx->outp, + result = Curl_read_plain(data, sockfd, (char *)sx->outp, sx->outstanding, &actualread); if(result && (CURLE_AGAIN != result)) { failf(data, "Failed to receive SOCKS5 connect request ack."); @@ -958,7 +959,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, CURLproxycode rc = CURLPX_REPLY_UNASSIGNED; int code = socksreq[1]; failf(data, "Can't complete SOCKS5 connection to %s. (%d)", - hostname, (unsigned char)socksreq[1]); + sx->hostname, (unsigned char)socksreq[1]); if(code < 9) { /* RFC 1928 section 6 lists: */ static const CURLproxycode lookup[] = { @@ -1019,10 +1020,10 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, if(len > 10) { sx->outstanding = len - 10; /* get the rest */ sx->outp = &socksreq[10]; - sxstate(data, CONNECT_REQ_READ_MORE); + sxstate(sx, data, CONNECT_REQ_READ_MORE); } else { - sxstate(data, CONNECT_DONE); + sxstate(sx, data, CONNECT_DONE); break; } #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) @@ -1030,7 +1031,7 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, #endif /* FALLTHROUGH */ case CONNECT_REQ_READ_MORE: - result = Curl_read_plain(sockfd, (char *)sx->outp, + result = Curl_read_plain(data, sockfd, (char *)sx->outp, sx->outstanding, &actualread); if(result && (CURLE_AGAIN != result)) { failf(data, "Failed to receive SOCKS5 connect request ack."); @@ -1047,12 +1048,214 @@ CURLproxycode Curl_SOCKS5(const char *proxy_user, sx->outp += actualread; return CURLPX_OK; } - sxstate(data, CONNECT_DONE); + sxstate(sx, data, CONNECT_DONE); } infof(data, "SOCKS5 request granted."); - *done = TRUE; return CURLPX_OK; /* Proxy was successful! */ } +static CURLcode connect_SOCKS(struct Curl_cfilter *cf, + struct socks_state *sxstate, + struct Curl_easy *data) +{ + CURLcode result = CURLE_OK; + CURLproxycode pxresult = CURLPX_OK; + struct connectdata *conn = cf->conn; + + switch(conn->socks_proxy.proxytype) { + case CURLPROXY_SOCKS5: + case CURLPROXY_SOCKS5_HOSTNAME: + pxresult = do_SOCKS5(cf, sxstate, data); + break; + + case CURLPROXY_SOCKS4: + case CURLPROXY_SOCKS4A: + pxresult = do_SOCKS4(cf, sxstate, data); + break; + + default: + failf(data, "unknown proxytype option given"); + result = CURLE_COULDNT_CONNECT; + } /* switch proxytype */ + if(pxresult) { + result = CURLE_PROXY; + data->info.pxcode = pxresult; + } + + return result; +} + +static void socks_proxy_cf_free(struct Curl_cfilter *cf) +{ + struct socks_state *sxstate = cf->ctx; + if(sxstate) { + free(sxstate); + cf->ctx = NULL; + } +} + +/* After a TCP connection to the proxy has been verified, this function does + the next magic steps. If 'done' isn't set TRUE, it is not done yet and + must be called again. + + Note: this function's sub-functions call failf() + +*/ +static CURLcode socks_proxy_cf_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done) +{ + CURLcode result; + struct connectdata *conn = cf->conn; + int sockindex = cf->sockindex; + struct socks_state *sx = cf->ctx; + + if(cf->connected) { + *done = TRUE; + return CURLE_OK; + } + + result = cf->next->cft->connect(cf->next, data, blocking, done); + if(result || !*done) + return result; + + if(!sx) { + sx = calloc(sizeof(*sx), 1); + if(!sx) + return CURLE_OUT_OF_MEMORY; + cf->ctx = sx; + } + + if(sx->state == CONNECT_INIT) { + /* for the secondary socket (FTP), use the "connect to host" + * but ignore the "connect to port" (use the secondary port) + */ + sxstate(sx, data, CONNECT_SOCKS_INIT); + sx->hostname = + conn->bits.httpproxy ? + conn->http_proxy.host.name : + conn->bits.conn_to_host ? + conn->conn_to_host.name : + sockindex == SECONDARYSOCKET ? + conn->secondaryhostname : conn->host.name; + sx->remote_port = + conn->bits.httpproxy ? (int)conn->http_proxy.port : + sockindex == SECONDARYSOCKET ? conn->secondary_port : + conn->bits.conn_to_port ? conn->conn_to_port : + conn->remote_port; + sx->proxy_user = conn->socks_proxy.user; + sx->proxy_password = conn->socks_proxy.passwd; + } + + result = connect_SOCKS(cf, sx, data); + if(!result && sx->state == CONNECT_DONE) { + cf->connected = TRUE; + Curl_updateconninfo(data, conn, conn->sock[cf->sockindex]); + Curl_verboseconnect(data, conn); + socks_proxy_cf_free(cf); + } + + *done = cf->connected; + return result; +} + +static int socks_cf_get_select_socks(struct Curl_cfilter *cf, + struct Curl_easy *data, + curl_socket_t *socks) +{ + struct socks_state *sx = cf->ctx; + int fds; + + fds = cf->next->cft->get_select_socks(cf->next, data, socks); + if(!fds && cf->next->connected && !cf->connected && sx) { + /* If we are not connected, the filter below is and has nothing + * to wait on, we determine what to wait for. */ + socks[0] = cf->conn->sock[cf->sockindex]; + switch(sx->state) { + case CONNECT_RESOLVING: + case CONNECT_SOCKS_READ: + case CONNECT_AUTH_READ: + case CONNECT_REQ_READ: + case CONNECT_REQ_READ_MORE: + fds = GETSOCK_READSOCK(0); + break; + default: + fds = GETSOCK_WRITESOCK(0); + break; + } + } + return fds; +} + +static void socks_proxy_cf_close(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + + DEBUGASSERT(cf->next); + cf->connected = FALSE; + socks_proxy_cf_free(cf); + cf->next->cft->close(cf->next, data); +} + +static void socks_proxy_cf_destroy(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + (void)data; + socks_proxy_cf_free(cf); +} + +static void socks_proxy_cf_detach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + (void)data; + socks_proxy_cf_free(cf); +} + +static void socks_cf_get_host(struct Curl_cfilter *cf, + struct Curl_easy *data, + const char **phost, + const char **pdisplay_host, + int *pport) +{ + (void)data; + if(!cf->connected) { + *phost = cf->conn->socks_proxy.host.name; + *pdisplay_host = cf->conn->http_proxy.host.dispname; + *pport = (int)cf->conn->socks_proxy.port; + } + else { + cf->next->cft->get_host(cf->next, data, phost, pdisplay_host, pport); + } +} + +static const struct Curl_cftype cft_socks_proxy = { + "SOCKS-PROXYY", + CF_TYPE_IP_CONNECT, + socks_proxy_cf_destroy, + Curl_cf_def_setup, + socks_proxy_cf_connect, + socks_proxy_cf_close, + socks_cf_get_host, + socks_cf_get_select_socks, + Curl_cf_def_data_pending, + Curl_cf_def_send, + Curl_cf_def_recv, + Curl_cf_def_attach_data, + socks_proxy_cf_detach_data, +}; + +CURLcode Curl_conn_socks_proxy_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex) +{ + struct Curl_cfilter *cf; + CURLcode result; + + result = Curl_cf_create(&cf, &cft_socks_proxy, NULL); + if(!result) + Curl_conn_cf_add(data, conn, sockindex, cf); + return result; +} + #endif /* CURL_DISABLE_PROXY */ diff --git a/lib/socks.h b/lib/socks.h index ff83aa5..2e2fa18 100644 --- a/lib/socks.h +++ b/lib/socks.h @@ -43,32 +43,6 @@ int Curl_blockread_all(struct Curl_easy *data, ssize_t buffersize, ssize_t *n); -int Curl_SOCKS_getsock(struct connectdata *conn, - curl_socket_t *sock, - int sockindex); -/* - * This function logs in to a SOCKS4(a) proxy and sends the specifics to the - * final destination server. - */ -CURLproxycode Curl_SOCKS4(const char *proxy_name, - const char *hostname, - int remote_port, - int sockindex, - struct Curl_easy *data, - bool *done); - -/* - * This function logs in to a SOCKS5 proxy and sends the specifics to the - * final destination server. - */ -CURLproxycode Curl_SOCKS5(const char *proxy_name, - const char *proxy_password, - const char *hostname, - int remote_port, - int sockindex, - struct Curl_easy *data, - bool *done); - #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI) /* * This function handles the SOCKS5 GSS-API negotiation and initialization @@ -77,6 +51,10 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, struct Curl_easy *data); #endif +CURLcode Curl_conn_socks_proxy_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); + #endif /* CURL_DISABLE_PROXY */ #endif /* HEADER_CURL_SOCKS_H */ diff --git a/lib/strcase.c b/lib/strcase.c index 09d2a8a..7fb9c80 100644 --- a/lib/strcase.c +++ b/lib/strcase.c @@ -83,16 +83,13 @@ char Curl_raw_tolower(char in) } /* - * Curl_strcasecompare() is for doing "raw" case insensitive strings. This is - * meant to be locale independent and only compare strings we know are safe - * for this. See - * https://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for some - * further explanation to why this function is necessary. - * - * @unittest: 1301 + * curl_strequal() is for doing "raw" case insensitive strings. This is meant + * to be locale independent and only compare strings we know are safe for + * this. See https://daniel.haxx.se/blog/2008/10/15/strcasecmp-in-turkish/ for + * further explanations as to why this function is necessary. */ -int Curl_strcasecompare(const char *first, const char *second) +static int casecompare(const char *first, const char *second) { while(*first && *second) { if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) @@ -108,25 +105,22 @@ int Curl_strcasecompare(const char *first, const char *second) return !*first == !*second; } -int Curl_safe_strcasecompare(const char *first, const char *second) +/* --- public function --- */ +int curl_strequal(const char *first, const char *second) { if(first && second) /* both pointers point to something then compare them */ - return Curl_strcasecompare(first, second); + return casecompare(first, second); /* if both pointers are NULL then treat them as equal */ return (NULL == first && NULL == second); } -/* - * @unittest: 1301 - */ -int Curl_strncasecompare(const char *first, const char *second, size_t max) +static int ncasecompare(const char *first, const char *second, size_t max) { while(*first && *second && max) { - if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) { - break; - } + if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) + return 0; max--; first++; second++; @@ -137,6 +131,16 @@ int Curl_strncasecompare(const char *first, const char *second, size_t max) return Curl_raw_toupper(*first) == Curl_raw_toupper(*second); } +/* --- public function --- */ +int curl_strnequal(const char *first, const char *second, size_t max) +{ + if(first && second) + /* both pointers point to something then compare them */ + return ncasecompare(first, second, max); + + /* if both pointers are NULL then treat them as equal if max is non-zero */ + return (NULL == first && NULL == second && max); +} /* Copy an upper case version of the string from src to dest. The * strings may overlap. No more than n characters of the string are copied * (including any NUL) and the destination string will NOT be @@ -198,14 +202,3 @@ int Curl_timestrcmp(const char *a, const char *b) return a || b; return match; } - -/* --- public functions --- */ - -int curl_strequal(const char *first, const char *second) -{ - return Curl_strcasecompare(first, second); -} -int curl_strnequal(const char *first, const char *second, size_t max) -{ - return Curl_strncasecompare(first, second, max); -} diff --git a/lib/strcase.h b/lib/strcase.h index 65a5753..192e0da 100644 --- a/lib/strcase.h +++ b/lib/strcase.h @@ -35,12 +35,8 @@ * Result is 1 if text matches and 0 if not. */ -#define strcasecompare(a,b) Curl_strcasecompare(a,b) -#define strncasecompare(a,b,c) Curl_strncasecompare(a,b,c) - -int Curl_strcasecompare(const char *first, const char *second); -int Curl_safe_strcasecompare(const char *first, const char *second); -int Curl_strncasecompare(const char *first, const char *second, size_t max); +#define strcasecompare(a,b) curl_strequal(a,b) +#define strncasecompare(a,b,c) curl_strnequal(a,b,c) char Curl_raw_toupper(char in); char Curl_raw_tolower(char in); diff --git a/lib/strtoofft.c b/lib/strtoofft.c index 30deb8c..fb8d921 100644 --- a/lib/strtoofft.c +++ b/lib/strtoofft.c @@ -221,6 +221,7 @@ CURLofft curlx_strtoofft(const char *str, char **endp, int base, curl_off_t number; errno = 0; *num = 0; /* clear by default */ + DEBUGASSERT(base); /* starting now, avoid base zero */ while(*str && ISBLANK(*str)) str++; diff --git a/lib/telnet.c b/lib/telnet.c index 923c7f8..22bc81e 100644 --- a/lib/telnet.c +++ b/lib/telnet.c @@ -571,7 +571,7 @@ void rec_do(struct Curl_easy *data, int option) sendsuboption(data, option); } else if(tn->subnegotiation[option] == CURL_YES) { - /* send information to achieve this option*/ + /* send information to achieve this option */ tn->us[option] = CURL_YES; send_negotiation(data, CURL_WILL, option); sendsuboption(data, option); @@ -1200,7 +1200,7 @@ static CURLcode send_telnet_data(struct Curl_easy *data, j = 0; for(i = 0; i < nread; i++) { - outbuf[j++] = buffer[i]; + outbuf[j++] = (unsigned char)buffer[i]; if((unsigned char)buffer[i] == CURL_IAC) outbuf[j++] = CURL_IAC; } @@ -1248,9 +1248,6 @@ static CURLcode telnet_done(struct Curl_easy *data, curl_slist_free_all(tn->telnet_vars); tn->telnet_vars = NULL; - - Curl_safefree(data->req.p.telnet); - return CURLE_OK; } @@ -1491,6 +1488,7 @@ static CURLcode telnet_do(struct Curl_easy *data, bool *done) } while(keepon) { + DEBUGF(infof(data, "telnet_do(handle=%p), poll %d fds", data, poll_cnt)); switch(Curl_poll(pfd, poll_cnt, interval_ms)) { case -1: /* error, stop reading */ keepon = FALSE; @@ -1509,6 +1507,14 @@ static CURLcode telnet_do(struct Curl_easy *data, bool *done) /* returned not-zero, this an error */ if(result) { keepon = FALSE; + /* TODO: in test 1452, macOS sees a ECONNRESET sometimes? + * Is this the telnet test server not shutting down the socket + * in a clean way? Seems to be timing related, happens more + * on slow debug build */ + if(data->state.os_errno == ECONNRESET) { + DEBUGF(infof(data, "telnet_do(handle=%p), unexpected ECONNRESET" + " on recv", data)); + } break; } /* returned zero but actually received 0 or less here, diff --git a/lib/transfer.c b/lib/transfer.c index 441da73..ba0410f 100644 --- a/lib/transfer.c +++ b/lib/transfer.c @@ -64,6 +64,7 @@ #include "content_encoding.h" #include "hostip.h" +#include "cfilters.h" #include "transfer.h" #include "sendf.h" #include "speedcheck.h" @@ -362,89 +363,7 @@ CURLcode Curl_fillreadbuffer(struct Curl_easy *data, size_t bytes, return CURLE_OK; } - -/* - * Curl_readrewind() rewinds the read stream. This is typically used for HTTP - * POST/PUT with multi-pass authentication when a sending was denied and a - * resend is necessary. - */ -CURLcode Curl_readrewind(struct Curl_easy *data) -{ - struct connectdata *conn = data->conn; - curl_mimepart *mimepart = &data->set.mimepost; - - conn->bits.rewindaftersend = FALSE; /* we rewind now */ - - /* explicitly switch off sending data on this connection now since we are - about to restart a new transfer and thus we want to avoid inadvertently - sending more data on the existing connection until the next transfer - starts */ - data->req.keepon &= ~KEEP_SEND; - - /* We have sent away data. If not using CURLOPT_POSTFIELDS or - CURLOPT_HTTPPOST, call app to rewind - */ - if(conn->handler->protocol & PROTO_FAMILY_HTTP) { - struct HTTP *http = data->req.p.http; - - if(http->sendit) - mimepart = http->sendit; - } - if(data->set.postfields) - ; /* do nothing */ - else if(data->state.httpreq == HTTPREQ_POST_MIME || - data->state.httpreq == HTTPREQ_POST_FORM) { - CURLcode result = Curl_mime_rewind(mimepart); - if(result) { - failf(data, "Cannot rewind mime/post data"); - return result; - } - } - else { - if(data->set.seek_func) { - int err; - - Curl_set_in_callback(data, true); - err = (data->set.seek_func)(data->set.seek_client, 0, SEEK_SET); - Curl_set_in_callback(data, false); - if(err) { - failf(data, "seek callback returned error %d", (int)err); - return CURLE_SEND_FAIL_REWIND; - } - } - else if(data->set.ioctl_func) { - curlioerr err; - - Curl_set_in_callback(data, true); - err = (data->set.ioctl_func)(data, CURLIOCMD_RESTARTREAD, - data->set.ioctl_client); - Curl_set_in_callback(data, false); - infof(data, "the ioctl callback returned %d", (int)err); - - if(err) { - failf(data, "ioctl callback returned error %d", (int)err); - return CURLE_SEND_FAIL_REWIND; - } - } - else { - /* If no CURLOPT_READFUNCTION is used, we know that we operate on a - given FILE * stream and we can actually attempt to rewind that - ourselves with fseek() */ - if(data->state.fread_func == (curl_read_callback)fread) { - if(-1 != fseek(data->state.in, 0, SEEK_SET)) - /* successful rewind */ - return CURLE_OK; - } - - /* no callback set or failure above, makes us fail at once */ - failf(data, "necessary data rewind wasn't possible"); - return CURLE_SEND_FAIL_REWIND; - } - } - return CURLE_OK; -} - -static int data_pending(const struct Curl_easy *data) +static int data_pending(struct Curl_easy *data) { struct connectdata *conn = data->conn; @@ -454,7 +373,7 @@ static int data_pending(const struct Curl_easy *data) #endif if(conn->handler->protocol&PROTO_FAMILY_FTP) - return Curl_ssl_data_pending(conn, SECONDARYSOCKET); + return Curl_conn_data_pending(data, SECONDARYSOCKET); /* in the case of libssh2, we can never be really sure that we have emptied its internal buffers so we MUST always try until we get EAGAIN back */ @@ -469,7 +388,7 @@ static int data_pending(const struct Curl_easy *data) a workaround, we return nonzero here to call http2_recv. */ ((conn->handler->protocol&PROTO_FAMILY_HTTP) && conn->httpversion >= 20) || #endif - Curl_ssl_data_pending(conn, FIRSTSOCKET); + Curl_conn_data_pending(data, FIRSTSOCKET); } /* @@ -569,11 +488,13 @@ static CURLcode readwrite_data(struct Curl_easy *data, result = Curl_read(data, conn->sockfd, buf, bytestoread, &nread); /* read would've blocked */ - if(CURLE_AGAIN == result) + if(CURLE_AGAIN == result) { + result = CURLE_OK; break; /* get out of loop */ + } if(result>0) - return result; + goto out; } else { /* read nothing but since we wanted nothing we consider this an OK @@ -619,7 +540,7 @@ static CURLcode readwrite_data(struct Curl_easy *data, if(conn->handler->readwrite) { result = conn->handler->readwrite(data, conn, &nread, &readmore); if(result) - return result; + goto out; if(readmore) break; } @@ -632,13 +553,13 @@ static CURLcode readwrite_data(struct Curl_easy *data, bool stop_reading = FALSE; result = Curl_http_readwrite_headers(data, conn, &nread, &stop_reading); if(result) - return result; + goto out; if(conn->handler->readwrite && (k->maxdownload <= 0 && nread > 0)) { result = conn->handler->readwrite(data, conn, &nread, &readmore); if(result) - return result; + goto out; if(readmore) break; } @@ -665,11 +586,12 @@ static CURLcode readwrite_data(struct Curl_easy *data, is non-headers. */ if(!k->header && (nread > 0 || is_empty_data)) { - if(data->set.opt_no_body) { + if(data->req.no_body) { /* data arrives although we want none, bail out */ streamclose(conn, "ignoring body"); *done = TRUE; - return CURLE_WEIRD_SERVER_REPLY; + result = CURLE_WEIRD_SERVER_REPLY; + goto out; } #ifndef CURL_DISABLE_HTTP @@ -680,7 +602,7 @@ static CURLcode readwrite_data(struct Curl_easy *data, /* HTTP-only checks */ result = Curl_http_firstwrite(data, conn, done); if(result || *done) - return result; + goto out; } } /* this is the first time we write a body part */ #endif /* CURL_DISABLE_HTTP */ @@ -717,10 +639,12 @@ static CURLcode readwrite_data(struct Curl_easy *data, if(CHUNKE_OK < res) { if(CHUNKE_PASSTHRU_ERROR == res) { failf(data, "Failed reading the chunked-encoded stream"); - return extra; + result = extra; + goto out; } failf(data, "%s in chunked-encoding", Curl_chunked_strerror(res)); - return CURLE_RECV_ERROR; + result = CURLE_RECV_ERROR; + goto out; } if(CHUNKE_STOP == res) { /* we're done reading chunks! */ @@ -796,7 +720,7 @@ static CURLcode readwrite_data(struct Curl_easy *data, (size_t)k->maxdownload); if(result) - return result; + goto out; } if(k->badheader < HEADER_ALLBAD) { /* This switch handles various content encodings. If there's an @@ -821,7 +745,7 @@ static CURLcode readwrite_data(struct Curl_easy *data, k->badheader = HEADER_NORMAL; /* taken care of now */ if(result) - return result; + goto out; } } /* if(!header and data to read) */ @@ -839,7 +763,7 @@ static CURLcode readwrite_data(struct Curl_easy *data, result = conn->handler->readwrite(data, conn, &nread, &readmore); if(result) - return result; + goto out; if(readmore) k->keepon |= KEEP_RECV; /* we're not done reading */ @@ -874,7 +798,9 @@ static CURLcode readwrite_data(struct Curl_easy *data, k->keepon &= ~KEEP_SEND; /* no writing anymore either */ } - return CURLE_OK; +out: + DEBUGF(infof(data, "readwrite_data(handle=%p) -> %d", data, result)); + return result; } CURLcode Curl_done_sending(struct Curl_easy *data, @@ -887,11 +813,6 @@ CURLcode Curl_done_sending(struct Curl_easy *data, Curl_http2_done_sending(data, conn); Curl_quic_done_sending(data); - if(conn->bits.rewindaftersend) { - CURLcode result = Curl_readrewind(data); - if(result) - return result; - } return CURLE_OK; } @@ -1201,14 +1122,15 @@ CURLcode Curl_readwrite(struct connectdata *conn, if(select_res == CURL_CSELECT_ERR) { failf(data, "select/poll returned error"); - return CURLE_SEND_ERROR; + result = CURLE_SEND_ERROR; + goto out; } #ifdef USE_HYPER if(conn->datastream) { result = conn->datastream(data, conn, &didwhat, done, select_res); if(result || *done) - return result; + goto out; } else { #endif @@ -1218,7 +1140,7 @@ CURLcode Curl_readwrite(struct connectdata *conn, if((k->keepon & KEEP_RECV) && (select_res & CURL_CSELECT_IN)) { result = readwrite_data(data, conn, k, &didwhat, done, comeback); if(result || *done) - return result; + goto out; } /* If we still have writing to do, we check if we have a writable socket. */ @@ -1227,7 +1149,7 @@ CURLcode Curl_readwrite(struct connectdata *conn, result = readwrite_upload(data, conn, &didwhat); if(result) - return result; + goto out; } #ifdef USE_HYPER } @@ -1264,7 +1186,7 @@ CURLcode Curl_readwrite(struct connectdata *conn, if(conn->transport == TRNSPRT_QUIC) { result = Curl_quic_idle(data); if(result) - return result; + goto out; } #endif } @@ -1274,7 +1196,7 @@ CURLcode Curl_readwrite(struct connectdata *conn, else result = Curl_speedcheck(data, k->now); if(result) - return result; + goto out; if(k->keepon) { if(0 > Curl_timeleft(data, &k->now, FALSE)) { @@ -1291,7 +1213,8 @@ CURLcode Curl_readwrite(struct connectdata *conn, Curl_timediff(k->now, data->progress.t_startsingle), k->bytecount); } - return CURLE_OPERATION_TIMEDOUT; + result = CURLE_OPERATION_TIMEDOUT; + goto out; } } else { @@ -1300,7 +1223,7 @@ CURLcode Curl_readwrite(struct connectdata *conn, * returning. */ - if(!(data->set.opt_no_body) && (k->size != -1) && + if(!(data->req.no_body) && (k->size != -1) && (k->bytecount != k->size) && #ifdef CURL_DO_LINEEND_CONV /* Most FTP servers don't adjust their file SIZE response for CRLFs, @@ -1312,9 +1235,10 @@ CURLcode Curl_readwrite(struct connectdata *conn, !k->newurl) { failf(data, "transfer closed with %" CURL_FORMAT_CURL_OFF_T " bytes remaining to read", k->size - k->bytecount); - return CURLE_PARTIAL_FILE; + result = CURLE_PARTIAL_FILE; + goto out; } - if(!(data->set.opt_no_body) && k->chunk && + if(!(data->req.no_body) && k->chunk && (conn->chunk.state != CHUNK_STOP)) { /* * In chunked mode, return an error if the connection is closed prior to @@ -1326,17 +1250,22 @@ CURLcode Curl_readwrite(struct connectdata *conn, * */ failf(data, "transfer closed with outstanding read data remaining"); - return CURLE_PARTIAL_FILE; + result = CURLE_PARTIAL_FILE; + goto out; + } + if(Curl_pgrsUpdate(data)) { + result = CURLE_ABORTED_BY_CALLBACK; + goto out; } - if(Curl_pgrsUpdate(data)) - return CURLE_ABORTED_BY_CALLBACK; } /* Now update the "done" boolean we return */ *done = (0 == (k->keepon&(KEEP_RECV|KEEP_SEND| KEEP_RECV_PAUSE|KEEP_SEND_PAUSE))) ? TRUE : FALSE; - - return CURLE_OK; + result = CURLE_OK; +out: + DEBUGF(infof(data, "Curl_readwrite(handle=%p) -> %d", data, result)); + return result; } /* @@ -1367,7 +1296,6 @@ int Curl_single_getsock(struct Curl_easy *data, /* don't include HOLD and PAUSE connections */ if((data->req.keepon & KEEP_SENDBITS) == KEEP_SEND) { - if((conn->sockfd != conn->writesockfd) || bitmap == GETSOCK_BLANK) { /* only if they are not the same socket and we have a readable @@ -1511,7 +1439,7 @@ CURLcode Curl_pretransfer(struct Curl_easy *data) /* * Set user-agent. Used for HTTP, but since we can attempt to tunnel - * basically anything through a http proxy we can't limit this based on + * basically anything through an HTTP proxy we can't limit this based on * protocol. */ if(data->set.str[STRING_USERAGENT]) { @@ -1591,10 +1519,8 @@ CURLcode Curl_follow(struct Curl_easy *data, to URL */ } else { - /* mark the next request as a followed location: */ - data->state.this_is_a_follow = TRUE; - - data->state.followlocation++; /* count location-followers */ + data->state.followlocation++; /* count redirect-followings, including + auth reloads */ if(data->set.http_auto_referer) { CURLU *u; @@ -1743,7 +1669,7 @@ CURLcode Curl_follow(struct Curl_easy *data, * differently based on exactly what return code there was. * * News from 7.10.6: we can also get here on a 401 or 407, in case we act on - * a HTTP (proxy-) authentication scheme other than Basic. + * an HTTP (proxy-) authentication scheme other than Basic. */ switch(data->info.httpcode) { /* 401 - Act on a WWW-Authenticate, we keep on moving and do the @@ -1823,7 +1749,7 @@ CURLcode Curl_follow(struct Curl_easy *data, data->state.httpreq = HTTPREQ_GET; data->set.upload = false; infof(data, "Switch to %s", - data->set.opt_no_body?"HEAD":"GET"); + data->req.no_body?"HEAD":"GET"); } break; case 304: /* Not Modified */ @@ -1865,7 +1791,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url) if((data->req.bytecount + data->req.headerbytecount == 0) && conn->bits.reuse && - (!data->set.opt_no_body || (conn->handler->protocol & PROTO_FAMILY_HTTP)) + (!data->req.no_body || (conn->handler->protocol & PROTO_FAMILY_HTTP)) #ifndef CURL_DISABLE_RTSP && (data->set.rtspreq != RTSPREQ_RECEIVE) #endif @@ -1911,14 +1837,10 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url) transferred! */ - if(conn->handler->protocol&PROTO_FAMILY_HTTP) { - if(data->req.writebytecount) { - CURLcode result = Curl_readrewind(data); - if(result) { - Curl_safefree(*url); - return result; - } - } + if((conn->handler->protocol&PROTO_FAMILY_HTTP) && + data->req.writebytecount) { + data->state.rewindbeforesend = TRUE; + infof(data, "state.rewindbeforesend = TRUE"); } } return CURLE_OK; @@ -1979,7 +1901,7 @@ Curl_setup_transfer( Curl_pgrsSetDownloadSize(data, size); } /* we want header and/or body, if neither then don't do this! */ - if(k->getheader || !data->set.opt_no_body) { + if(k->getheader || !data->req.no_body) { if(sockindex != -1) k->keepon |= KEEP_RECV; @@ -2015,6 +1937,6 @@ Curl_setup_transfer( k->keepon |= KEEP_SEND; } } /* if(writesockindex != -1) */ - } /* if(k->getheader || !data->set.opt_no_body) */ + } /* if(k->getheader || !data->req.no_body) */ } diff --git a/lib/transfer.h b/lib/transfer.h index 65fe68e..4092508 100644 --- a/lib/transfer.h +++ b/lib/transfer.h @@ -50,7 +50,6 @@ CURLcode Curl_readwrite(struct connectdata *conn, bool *comeback); int Curl_single_getsock(struct Curl_easy *data, struct connectdata *conn, curl_socket_t *socks); -CURLcode Curl_readrewind(struct Curl_easy *data); CURLcode Curl_fillreadbuffer(struct Curl_easy *data, size_t bytes, size_t *nreadp); CURLcode Curl_retry_request(struct Curl_easy *data, char **url); diff --git a/lib/url.c b/lib/url.c index be5ffca..3ab63a0 100644 --- a/lib/url.c +++ b/lib/url.c @@ -61,26 +61,9 @@ #include -#ifdef USE_LIBIDN2 -#include - -#if defined(WIN32) && defined(UNICODE) -#define IDN2_LOOKUP(name, host, flags) \ - idn2_lookup_u8((const uint8_t *)name, (uint8_t **)host, flags) -#else -#define IDN2_LOOKUP(name, host, flags) \ - idn2_lookup_ul((const char *)name, (char **)host, flags) -#endif - -#elif defined(USE_WIN32_IDN) -/* prototype for Curl_win32_idn_to_ascii() */ -bool Curl_win32_idn_to_ascii(const char *in, char **out); -#endif /* USE_LIBIDN2 */ - #include "doh.h" #include "urldata.h" #include "netrc.h" - #include "formdata.h" #include "mime.h" #include "vtls/vtls.h" @@ -107,6 +90,8 @@ bool Curl_win32_idn_to_ascii(const char *in, char **out); #include "system_win32.h" #include "hsts.h" #include "noproxy.h" +#include "cfilters.h" +#include "idn.h" /* And now for the protocols */ #include "ftp.h" @@ -140,7 +125,11 @@ bool Curl_win32_idn_to_ascii(const char *in, char **out); #include "curl_memory.h" #include "memdebug.h" -static void conn_free(struct connectdata *conn); +#ifndef ARRAYSIZE +#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0])) +#endif + +static void conn_free(struct Curl_easy *data, struct connectdata *conn); /* Some parts of the code (e.g. chunked encoding) assume this buffer has at * more than just a few bytes to play with. Don't let it become too small or @@ -539,6 +528,8 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) /* Set the default size of the SSL session ID cache */ set->general_ssl.max_ssl_sessions = 5; + /* Timeout every 24 hours by default */ + set->general_ssl.ca_cache_timeout = 24 * 60 * 60; set->proxyport = 0; set->proxytype = CURLPROXY_HTTP; /* defaults to HTTP proxy */ @@ -553,7 +544,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) /* make libcurl quiet by default: */ set->hide_progress = TRUE; /* CURLOPT_NOPROGRESS changes these */ - Curl_mime_initpart(&set->mimepost, data); + Curl_mime_initpart(&set->mimepost); /* * libcurl 7.10 introduced SSL verification *by default*! This needs to be @@ -648,6 +639,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) #endif ; Curl_http2_init_userset(set); + set->quick_exit = 0L; return result; } @@ -745,37 +737,28 @@ static void conn_reset_all_postponed_data(struct connectdata *conn) #endif /* ! USE_RECV_BEFORE_SEND_WORKAROUND */ -static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) +static void conn_shutdown(struct Curl_easy *data) { - DEBUGASSERT(conn); DEBUGASSERT(data); - infof(data, "Closing connection %ld", conn->connection_id); + infof(data, "Closing connection %ld", data->conn->connection_id); /* possible left-overs from the async name resolvers */ Curl_resolver_cancel(data); - /* close the SSL stuff before we close any sockets since they will/may - write to the sockets */ - Curl_ssl_close(data, conn, FIRSTSOCKET); -#ifndef CURL_DISABLE_FTP - Curl_ssl_close(data, conn, SECONDARYSOCKET); -#endif - - /* close possibly still open sockets */ - if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET]) - Curl_closesocket(data, conn, conn->sock[SECONDARYSOCKET]); - if(CURL_SOCKET_BAD != conn->sock[FIRSTSOCKET]) - Curl_closesocket(data, conn, conn->sock[FIRSTSOCKET]); - if(CURL_SOCKET_BAD != conn->tempsock[0]) - Curl_closesocket(data, conn, conn->tempsock[0]); - if(CURL_SOCKET_BAD != conn->tempsock[1]) - Curl_closesocket(data, conn, conn->tempsock[1]); + Curl_conn_close(data, SECONDARYSOCKET); + Curl_conn_close(data, FIRSTSOCKET); } -static void conn_free(struct connectdata *conn) +static void conn_free(struct Curl_easy *data, struct connectdata *conn) { + size_t i; + DEBUGASSERT(conn); + for(i = 0; i < ARRAYSIZE(conn->cfilter); ++i) { + Curl_conn_cf_discard_all(data, conn, (int)i); + } + Curl_free_idnconverted_hostname(&conn->host); Curl_free_idnconverted_hostname(&conn->conn_to_host); #ifndef CURL_DISABLE_PROXY @@ -799,7 +782,6 @@ static void conn_free(struct connectdata *conn) Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ Curl_safefree(conn->hostname_resolve); Curl_safefree(conn->secondaryhostname); - Curl_safefree(conn->connect_state); conn_reset_all_postponed_data(conn); Curl_llist_destroy(&conn->easyq, NULL); @@ -810,9 +792,6 @@ static void conn_free(struct connectdata *conn) Curl_safefree(conn->unix_domain_socket); #endif -#ifdef USE_SSL - Curl_safefree(conn->ssl_extra); -#endif free(conn); /* free all the connection oriented data */ } @@ -845,6 +824,8 @@ void Curl_disconnect(struct Curl_easy *data, /* the transfer must be detached from the connection */ DEBUGASSERT(!data->conn); + DEBUGF(infof(data, "Curl_disconnect(conn #%ld, dead=%d)", + conn->connection_id, dead_connection)); /* * If this connection isn't marked to force-close, leave it open if there * are other users of it @@ -877,12 +858,12 @@ void Curl_disconnect(struct Curl_easy *data, /* This is set if protocol-specific cleanups should be made */ conn->handler->disconnect(data, conn, dead_connection); - conn_shutdown(data, conn); + conn_shutdown(data); /* detach it again */ Curl_detach_connection(data); - conn_free(conn); + conn_free(data, conn); } /* @@ -914,7 +895,7 @@ static int IsMultiplexingPossible(const struct Curl_easy *handle, { int avail = 0; - /* If a HTTP protocol and multiplexing is enabled */ + /* If an HTTP protocol and multiplexing is enabled */ if((conn->handler->protocol & PROTO_FAMILY_HTTP) && (!conn->bits.protoconnstart || !conn->bits.close)) { @@ -933,7 +914,7 @@ proxy_info_matches(const struct proxy_info *data, { if((data->proxytype == needle->proxytype) && (data->port == needle->port) && - Curl_safe_strcasecompare(data->host.name, needle->host.name)) + strcasecompare(data->host.name, needle->host.name)) return TRUE; return FALSE; @@ -1197,7 +1178,7 @@ ConnectionExists(struct Curl_easy *data, size_t multiplexed = 0; /* - * Note that if we use a HTTP proxy in normal mode (no tunneling), we + * Note that if we use an HTTP proxy in normal mode (no tunneling), we * check connections to that proxy and not to the actual remote server. */ check = curr->ptr; @@ -1240,7 +1221,7 @@ ConnectionExists(struct Curl_easy *data, } } - if(check->sock[FIRSTSOCKET] == CURL_SOCKET_BAD) { + if(!Curl_conn_is_connected(check, FIRSTSOCKET)) { foundPendingCandidate = TRUE; /* Don't pick a connection that hasn't connected yet */ infof(data, "Connection #%ld isn't open enough, can't reuse", @@ -1306,15 +1287,11 @@ ConnectionExists(struct Curl_easy *data, if(!Curl_ssl_config_matches(&needle->proxy_ssl_config, &check->proxy_ssl_config)) continue; - if(check->proxy_ssl[FIRSTSOCKET].state != ssl_connection_complete) - continue; } if(!Curl_ssl_config_matches(&needle->ssl_config, &check->ssl_config)) continue; - if(check->ssl[FIRSTSOCKET].state != ssl_connection_complete) - continue; } } #endif @@ -1381,9 +1358,9 @@ ConnectionExists(struct Curl_easy *data, || !needle->bits.httpproxy || needle->bits.tunnel_proxy #endif ) { - /* The requested connection does not use a HTTP proxy or it uses SSL or - it is a non-SSL protocol tunneled or it is a non-SSL protocol which - is allowed to be upgraded via TLS */ + /* The requested connection does not use an HTTP proxy or it uses SSL + or it is a non-SSL protocol tunneled or it is a non-SSL protocol + which is allowed to be upgraded via TLS */ if((strcasecompare(needle->handler->scheme, check->handler->scheme) || (get_protocol_family(check->handler) == @@ -1408,14 +1385,6 @@ ConnectionExists(struct Curl_easy *data, check->connection_id)); continue; } - if(check->ssl[FIRSTSOCKET].state != ssl_connection_complete) { - foundPendingCandidate = TRUE; - DEBUGF(infof(data, - "Connection #%ld has not started SSL connect, " - "can't reuse", - check->connection_id)); - continue; - } } match = TRUE; } @@ -1566,111 +1535,6 @@ void Curl_verboseconnect(struct Curl_easy *data, #endif /* - * Helpers for IDNA conversions. - */ -bool Curl_is_ASCII_name(const char *hostname) -{ - /* get an UNSIGNED local version of the pointer */ - const unsigned char *ch = (const unsigned char *)hostname; - - if(!hostname) /* bad input, consider it ASCII! */ - return TRUE; - - while(*ch) { - if(*ch++ & 0x80) - return FALSE; - } - return TRUE; -} - -/* - * Perform any necessary IDN conversion of hostname - */ -CURLcode Curl_idnconvert_hostname(struct Curl_easy *data, - struct hostname *host) -{ -#ifndef USE_LIBIDN2 - (void)data; - (void)data; -#elif defined(CURL_DISABLE_VERBOSE_STRINGS) - (void)data; -#endif - - /* set the name we use to display the host name */ - host->dispname = host->name; - - /* Check name for non-ASCII and convert hostname to ACE form if we can */ - if(!Curl_is_ASCII_name(host->name)) { -#ifdef USE_LIBIDN2 - if(idn2_check_version(IDN2_VERSION)) { - char *ace_hostname = NULL; -#if IDN2_VERSION_NUMBER >= 0x00140000 - /* IDN2_NFC_INPUT: Normalize input string using normalization form C. - IDN2_NONTRANSITIONAL: Perform Unicode TR46 non-transitional - processing. */ - int flags = IDN2_NFC_INPUT | IDN2_NONTRANSITIONAL; -#else - int flags = IDN2_NFC_INPUT; -#endif - int rc = IDN2_LOOKUP(host->name, &ace_hostname, flags); - if(rc != IDN2_OK) - /* fallback to TR46 Transitional mode for better IDNA2003 - compatibility */ - rc = IDN2_LOOKUP(host->name, &ace_hostname, - IDN2_TRANSITIONAL); - if(rc == IDN2_OK) { - host->encalloc = (char *)ace_hostname; - /* change the name pointer to point to the encoded hostname */ - host->name = host->encalloc; - } - else { - failf(data, "Failed to convert %s to ACE; %s", host->name, - idn2_strerror(rc)); - return CURLE_URL_MALFORMAT; - } - } -#elif defined(USE_WIN32_IDN) - char *ace_hostname = NULL; - - if(Curl_win32_idn_to_ascii(host->name, &ace_hostname)) { - host->encalloc = ace_hostname; - /* change the name pointer to point to the encoded hostname */ - host->name = host->encalloc; - } - else { - char buffer[STRERROR_LEN]; - failf(data, "Failed to convert %s to ACE; %s", host->name, - Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); - return CURLE_URL_MALFORMAT; - } -#else - infof(data, "IDN support not present, can't parse Unicode domains"); -#endif - } - return CURLE_OK; -} - -/* - * Frees data allocated by idnconvert_hostname() - */ -void Curl_free_idnconverted_hostname(struct hostname *host) -{ -#if defined(USE_LIBIDN2) - if(host->encalloc) { - idn2_free(host->encalloc); /* must be freed with idn2_free() since this was - allocated by libidn */ - host->encalloc = NULL; - } -#elif defined(USE_WIN32_IDN) - free(host->encalloc); /* must be freed with free() since this was - allocated by Curl_win32_idn_to_ascii */ - host->encalloc = NULL; -#else - (void)host; -#endif -} - -/* * Allocate and initialize a new connectdata object. */ static struct connectdata *allocate_conn(struct Curl_easy *data) @@ -1679,45 +1543,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) if(!conn) return NULL; -#ifdef USE_SSL - /* The SSL backend-specific data (ssl_backend_data) objects are allocated as - a separate array to ensure suitable alignment. - Note that these backend pointers can be swapped by vtls (eg ssl backend - data becomes proxy backend data). */ - { - size_t onesize = Curl_ssl->sizeof_ssl_backend_data; - size_t totalsize = onesize; - char *ssl; - -#ifndef CURL_DISABLE_FTP - totalsize *= 2; -#endif -#ifndef CURL_DISABLE_PROXY - totalsize *= 2; -#endif - - ssl = calloc(1, totalsize); - if(!ssl) { - free(conn); - return NULL; - } - conn->ssl_extra = ssl; - conn->ssl[FIRSTSOCKET].backend = (void *)ssl; -#ifndef CURL_DISABLE_FTP - ssl += onesize; - conn->ssl[SECONDARYSOCKET].backend = (void *)ssl; -#endif -#ifndef CURL_DISABLE_PROXY - ssl += onesize; - conn->proxy_ssl[FIRSTSOCKET].backend = (void *)ssl; -#ifndef CURL_DISABLE_FTP - ssl += onesize; - conn->proxy_ssl[SECONDARYSOCKET].backend = (void *)ssl; -#endif -#endif - } -#endif - conn->handler = &Curl_handler_dummy; /* Be sure we have a handler defined already from start to avoid NULL situations and checks */ @@ -1825,9 +1650,6 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) Curl_llist_destroy(&conn->easyq, NULL); free(conn->localdev); -#ifdef USE_SSL - free(conn->ssl_extra); -#endif free(conn); return NULL; } @@ -2051,26 +1873,14 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, /************************************************************* * IDN-convert the hostnames *************************************************************/ - result = Curl_idnconvert_hostname(data, &conn->host); + result = Curl_idnconvert_hostname(&conn->host); if(result) return result; if(conn->bits.conn_to_host) { - result = Curl_idnconvert_hostname(data, &conn->conn_to_host); - if(result) - return result; - } -#ifndef CURL_DISABLE_PROXY - if(conn->bits.httpproxy) { - result = Curl_idnconvert_hostname(data, &conn->http_proxy.host); - if(result) - return result; - } - if(conn->bits.socksproxy) { - result = Curl_idnconvert_hostname(data, &conn->socks_proxy.host); + result = Curl_idnconvert_hostname(&conn->conn_to_host); if(result) return result; } -#endif #ifndef CURL_DISABLE_HSTS /* HSTS upgrade */ @@ -2433,7 +2243,7 @@ static CURLcode parse_proxy(struct Curl_easy *data, } #ifdef USE_SSL - if(!(Curl_ssl->supports & SSLSUPP_HTTPS_PROXY)) + if(!Curl_ssl_supports(data, SSLSUPP_HTTPS_PROXY)) #endif if(proxytype == CURLPROXY_HTTPS) { failf(data, "Unsupported proxy \'%s\', libcurl is built without the " @@ -2449,7 +2259,7 @@ static CURLcode parse_proxy(struct Curl_easy *data, proxytype == CURLPROXY_SOCKS4; proxyinfo = sockstype ? &conn->socks_proxy : &conn->http_proxy; - proxyinfo->proxytype = proxytype; + proxyinfo->proxytype = (unsigned char)proxytype; /* Is there a username and password given in this proxy url? */ uc = curl_url_get(uhp, CURLUPART_USER, &proxyuser, CURLU_URLDECODE); @@ -2704,7 +2514,7 @@ static CURLcode create_conn_helper_init_proxy(struct Curl_easy *data, if(conn->http_proxy.host.rawalloc) { #ifdef CURL_DISABLE_HTTP - /* asking for a HTTP proxy is a bit funny when HTTP is disabled... */ + /* asking for an HTTP proxy is a bit funny when HTTP is disabled... */ result = CURLE_UNSUPPORTED_PROTOCOL; goto out; #else @@ -2721,7 +2531,7 @@ static CURLcode create_conn_helper_init_proxy(struct Curl_easy *data, #endif } else { - conn->bits.httpproxy = FALSE; /* not a HTTP proxy */ + conn->bits.httpproxy = FALSE; /* not an HTTP proxy */ conn->bits.tunnel_proxy = FALSE; /* no tunneling if not HTTP */ } @@ -3527,13 +3337,13 @@ static CURLcode resolve_server(struct Curl_easy *data, } /* - * Cleanup the connection just allocated before we can move along and use the - * previously existing one. All relevant data is copied over and old_conn is - * ready for freeing once this function returns. + * Cleanup the connection `temp`, just allocated for `data`, before using the + * previously `existing` one for `data`. All relevant info is copied over + * and `temp` is freed. */ static void reuse_conn(struct Curl_easy *data, - struct connectdata *old_conn, - struct connectdata *conn) + struct connectdata *temp, + struct connectdata *existing) { /* 'local_ip' and 'local_port' get filled with local's numerical ip address and port number whenever an outgoing connection is @@ -3541,66 +3351,66 @@ static void reuse_conn(struct Curl_easy *data, char local_ip[MAX_IPADR_LEN] = ""; int local_port = -1; - /* get the user+password information from the old_conn struct since it may + /* get the user+password information from the temp struct since it may * be new for this request even when we re-use an existing connection */ - if(old_conn->user) { + if(temp->user) { /* use the new user name and password though */ - Curl_safefree(conn->user); - Curl_safefree(conn->passwd); - conn->user = old_conn->user; - conn->passwd = old_conn->passwd; - old_conn->user = NULL; - old_conn->passwd = NULL; + Curl_safefree(existing->user); + Curl_safefree(existing->passwd); + existing->user = temp->user; + existing->passwd = temp->passwd; + temp->user = NULL; + temp->passwd = NULL; } #ifndef CURL_DISABLE_PROXY - conn->bits.proxy_user_passwd = old_conn->bits.proxy_user_passwd; - if(conn->bits.proxy_user_passwd) { + existing->bits.proxy_user_passwd = temp->bits.proxy_user_passwd; + if(existing->bits.proxy_user_passwd) { /* use the new proxy user name and proxy password though */ - Curl_safefree(conn->http_proxy.user); - Curl_safefree(conn->socks_proxy.user); - Curl_safefree(conn->http_proxy.passwd); - Curl_safefree(conn->socks_proxy.passwd); - conn->http_proxy.user = old_conn->http_proxy.user; - conn->socks_proxy.user = old_conn->socks_proxy.user; - conn->http_proxy.passwd = old_conn->http_proxy.passwd; - conn->socks_proxy.passwd = old_conn->socks_proxy.passwd; - old_conn->http_proxy.user = NULL; - old_conn->socks_proxy.user = NULL; - old_conn->http_proxy.passwd = NULL; - old_conn->socks_proxy.passwd = NULL; - } -#endif - - Curl_free_idnconverted_hostname(&conn->host); - Curl_free_idnconverted_hostname(&conn->conn_to_host); - Curl_safefree(conn->host.rawalloc); - Curl_safefree(conn->conn_to_host.rawalloc); - conn->host = old_conn->host; - old_conn->host.rawalloc = NULL; - old_conn->host.encalloc = NULL; - conn->conn_to_host = old_conn->conn_to_host; - old_conn->conn_to_host.rawalloc = NULL; - conn->conn_to_port = old_conn->conn_to_port; - conn->remote_port = old_conn->remote_port; - Curl_safefree(conn->hostname_resolve); - - conn->hostname_resolve = old_conn->hostname_resolve; - old_conn->hostname_resolve = NULL; + Curl_safefree(existing->http_proxy.user); + Curl_safefree(existing->socks_proxy.user); + Curl_safefree(existing->http_proxy.passwd); + Curl_safefree(existing->socks_proxy.passwd); + existing->http_proxy.user = temp->http_proxy.user; + existing->socks_proxy.user = temp->socks_proxy.user; + existing->http_proxy.passwd = temp->http_proxy.passwd; + existing->socks_proxy.passwd = temp->socks_proxy.passwd; + temp->http_proxy.user = NULL; + temp->socks_proxy.user = NULL; + temp->http_proxy.passwd = NULL; + temp->socks_proxy.passwd = NULL; + } +#endif + + Curl_free_idnconverted_hostname(&existing->host); + Curl_free_idnconverted_hostname(&existing->conn_to_host); + Curl_safefree(existing->host.rawalloc); + Curl_safefree(existing->conn_to_host.rawalloc); + existing->host = temp->host; + temp->host.rawalloc = NULL; + temp->host.encalloc = NULL; + existing->conn_to_host = temp->conn_to_host; + temp->conn_to_host.rawalloc = NULL; + existing->conn_to_port = temp->conn_to_port; + existing->remote_port = temp->remote_port; + Curl_safefree(existing->hostname_resolve); + + existing->hostname_resolve = temp->hostname_resolve; + temp->hostname_resolve = NULL; /* persist connection info in session handle */ - if(conn->transport == TRNSPRT_TCP) { - Curl_conninfo_local(data, conn->sock[FIRSTSOCKET], + if(existing->transport == TRNSPRT_TCP) { + Curl_conninfo_local(data, existing->sock[FIRSTSOCKET], local_ip, &local_port); } - Curl_persistconninfo(data, conn, local_ip, local_port); + Curl_persistconninfo(data, existing, local_ip, local_port); - conn_reset_all_postponed_data(old_conn); /* free buffers */ + conn_reset_all_postponed_data(temp); /* free buffers */ /* re-use init */ - conn->bits.reuse = TRUE; /* yes, we're re-using here */ + existing->bits.reuse = TRUE; /* yes, we're re-using here */ - conn_free(old_conn); + conn_free(data, temp); } /** @@ -3624,7 +3434,7 @@ static CURLcode create_conn(struct Curl_easy *data, { CURLcode result = CURLE_OK; struct connectdata *conn; - struct connectdata *conn_temp = NULL; + struct connectdata *existing = NULL; bool reuse; bool connections_available = TRUE; bool force_reuse = FALSE; @@ -3730,6 +3540,21 @@ static CURLcode create_conn(struct Curl_easy *data, if(result) goto out; + /************************************************************* + * IDN-convert the proxy hostnames + *************************************************************/ +#ifndef CURL_DISABLE_PROXY + if(conn->bits.httpproxy) { + result = Curl_idnconvert_hostname(&conn->http_proxy.host); + if(result) + return result; + } + if(conn->bits.socksproxy) { + result = Curl_idnconvert_hostname(&conn->socks_proxy.host); + if(result) + return result; + } +#endif /************************************************************* * Check whether the host and the "connect to host" are equal. @@ -3766,13 +3591,6 @@ static CURLcode create_conn(struct Curl_easy *data, if(result) goto out; - conn->recv[FIRSTSOCKET] = Curl_recv_plain; - conn->send[FIRSTSOCKET] = Curl_send_plain; - conn->recv[SECONDARYSOCKET] = Curl_recv_plain; - conn->send[SECONDARYSOCKET] = Curl_send_plain; - - conn->bits.tcp_fastopen = data->set.tcp_fastopen; - /*********************************************************************** * file: is a special case in that it doesn't need a network connection ***********************************************************************/ @@ -3787,8 +3605,6 @@ static CURLcode create_conn(struct Curl_easy *data, /* Setup a "faked" transfer that'll do nothing */ if(!result) { - conn->bits.tcpconnect[FIRSTSOCKET] = TRUE; /* we are "connected */ - Curl_attach_connection(data, conn); result = Curl_conncache_add_conn(data); if(result) @@ -3814,6 +3630,13 @@ static CURLcode create_conn(struct Curl_easy *data, } #endif + /* Setup filter for network connections */ + conn->recv[FIRSTSOCKET] = Curl_conn_recv; + conn->send[FIRSTSOCKET] = Curl_conn_send; + conn->recv[SECONDARYSOCKET] = Curl_conn_recv; + conn->send[SECONDARYSOCKET] = Curl_conn_send; + conn->bits.tcp_fastopen = data->set.tcp_fastopen; + /* Get a cloned copy of the SSL config situation stored in the connection struct. But to get this going nicely, we must first make sure that the strings in the master copy are pointing to the correct @@ -3907,22 +3730,22 @@ static CURLcode create_conn(struct Curl_easy *data, /* reuse_fresh is TRUE if we are told to use a new connection by force, but we only acknowledge this option if this is not a re-used connection - already (which happens due to follow-location or during a HTTP + already (which happens due to follow-location or during an HTTP authentication phase). CONNECT_ONLY transfers also refuse reuse. */ - if((data->set.reuse_fresh && !data->state.this_is_a_follow) || + if((data->set.reuse_fresh && !data->state.followlocation) || data->set.connect_only) reuse = FALSE; else - reuse = ConnectionExists(data, conn, &conn_temp, &force_reuse, &waitpipe); + reuse = ConnectionExists(data, conn, &existing, &force_reuse, &waitpipe); if(reuse) { /* * We already have a connection for this, we got the former connection in - * the conn_temp variable and thus we need to cleanup the one we just - * allocated before we can move along and use the previously existing one. + * `existing` and thus we need to cleanup the one we just + * allocated before we can move along and use `existing`. */ - reuse_conn(data, conn, conn_temp); - conn = conn_temp; + reuse_conn(data, conn, existing); + conn = existing; *in_connect = conn; #ifndef CURL_DISABLE_PROXY @@ -3997,7 +3820,7 @@ static CURLcode create_conn(struct Curl_easy *data, if(!connections_available) { infof(data, "No connections available."); - conn_free(conn); + conn_free(data, conn); *in_connect = NULL; result = CURLE_NO_CONNECTION_AVAILABLE; @@ -4080,7 +3903,6 @@ CURLcode Curl_setup_conn(struct Curl_easy *data, *protocol_done = TRUE; return result; } - *protocol_done = FALSE; /* default to not done */ #ifndef CURL_DISABLE_PROXY /* set proxy_connect_closed to false unconditionally already here since it @@ -4097,26 +3919,11 @@ CURLcode Curl_setup_conn(struct Curl_easy *data, /* set start time here for timeout purposes in the connect procedure, it is later set again for the progress meter purpose */ conn->now = Curl_now(); - - if(CURL_SOCKET_BAD == conn->sock[FIRSTSOCKET]) { - conn->bits.tcpconnect[FIRSTSOCKET] = FALSE; - result = Curl_connecthost(data, conn, conn->dns_entry); - if(result) - return result; - } - else { - Curl_pgrsTime(data, TIMER_CONNECT); /* we're connected already */ - if(conn->ssl[FIRSTSOCKET].use || - (conn->handler->protocol & PROTO_FAMILY_SSH)) - Curl_pgrsTime(data, TIMER_APPCONNECT); /* we're connected already */ - conn->bits.tcpconnect[FIRSTSOCKET] = TRUE; - *protocol_done = TRUE; - Curl_updateconninfo(data, conn, conn->sock[FIRSTSOCKET]); - Curl_verboseconnect(data, conn); - } - - conn->now = Curl_now(); /* time this *after* the connect is done, we set - this here perhaps a second time */ + if(!conn->bits.reuse) + result = Curl_conn_setup(data, conn, FIRSTSOCKET, conn->dns_entry, + CURL_CF_SSL_DEFAULT); + /* not sure we need this flag to be passed around any more */ + *protocol_done = FALSE; return result; } @@ -4133,6 +3940,7 @@ CURLcode Curl_connect(struct Curl_easy *data, Curl_free_request_state(data); memset(&data->req, 0, sizeof(struct SingleRequest)); data->req.size = data->req.maxdownload = -1; + data->req.no_body = data->set.opt_no_body; /* call the stuff that needs to be called */ result = create_conn(data, &conn, asyncp); @@ -4194,7 +4002,7 @@ CURLcode Curl_init_do(struct Curl_easy *data, struct connectdata *conn) data->state.done = FALSE; /* *_done() is not called yet */ data->state.expect100header = FALSE; - if(data->set.opt_no_body) + if(data->req.no_body) /* in HTTP lingo, no body means using the HEAD request... */ data->state.httpreq = HTTPREQ_HEAD; diff --git a/lib/url.h b/lib/url.h index ba4270d..1a03c56 100644 --- a/lib/url.h +++ b/lib/url.h @@ -49,11 +49,6 @@ CURLcode Curl_parse_login_details(const char *login, const size_t len, const struct Curl_handler *Curl_builtin_scheme(const char *scheme, size_t schemelen); -bool Curl_is_ASCII_name(const char *hostname); -CURLcode Curl_idnconvert_hostname(struct Curl_easy *data, - struct hostname *host); -void Curl_free_idnconverted_hostname(struct hostname *host); - #define CURL_DEFAULT_PROXY_PORT 1080 /* default proxy port unless specified */ #define CURL_DEFAULT_HTTPS_PROXY_PORT 443 /* default https proxy port unless specified */ @@ -64,21 +59,4 @@ void Curl_free_idnconverted_hostname(struct hostname *host); void Curl_verboseconnect(struct Curl_easy *data, struct connectdata *conn); #endif -#ifdef CURL_DISABLE_PROXY -#define CONNECT_PROXY_SSL() FALSE -#else - -#define CONNECT_PROXY_SSL()\ - (conn->http_proxy.proxytype == CURLPROXY_HTTPS &&\ - !conn->bits.proxy_ssl_connected[sockindex]) - -#define CONNECT_FIRSTSOCKET_PROXY_SSL()\ - (conn->http_proxy.proxytype == CURLPROXY_HTTPS &&\ - !conn->bits.proxy_ssl_connected[FIRSTSOCKET]) - -#define CONNECT_SECONDARYSOCKET_PROXY_SSL()\ - (conn->http_proxy.proxytype == CURLPROXY_HTTPS &&\ - !conn->bits.proxy_ssl_connected[SECONDARYSOCKET]) -#endif /* !CURL_DISABLE_PROXY */ - #endif /* HEADER_CURL_URL_H */ diff --git a/lib/urlapi.c b/lib/urlapi.c index 7dac81c..b96af35 100644 --- a/lib/urlapi.c +++ b/lib/urlapi.c @@ -636,7 +636,7 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname, } else { /* letters from the second string are not ok */ - len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,"); + len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,+&()"); if(hlen != len) /* hostname with bad content */ return CURLUE_BAD_HOSTNAME; diff --git a/lib/urldata.h b/lib/urldata.h index 1d430b5..3d7545c 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -113,6 +113,24 @@ typedef unsigned int curl_prot_t; input easier and better. */ #define CURL_MAX_INPUT_LENGTH 8000000 +/* Macros intended for DEBUGF logging, use like: + * DEBUGF(infof(data, CFMSG(cf, "this filter %s rocks"), "very much")); + * and it will output: + * [CONN-1-0][CF-SSL] this filter very much rocks + * on connection #1 with sockindex 0 for filter of type "SSL". */ +#define DMSG(d,msg) \ + "[CONN-%ld] "msg, (d)->conn->connection_id +#define DMSGI(d,i,msg) \ + "[CONN-%ld-%d] "msg, (d)->conn->connection_id, (i) +#define CMSG(c,msg) \ + "[CONN-%ld] "msg, (conn)->connection_id +#define CMSGI(c,i,msg) \ + "[CONN-%ld-%d] "msg, (conn)->connection_id, (i) +#define CFMSG(cf,msg) \ + "[CONN-%ld-%d][CF-%s] "msg, (cf)->conn->connection_id, \ + (cf)->sockindex, (cf)->cft->name + + #include "cookie.h" #include "psl.h" #include "formdata.h" @@ -249,22 +267,9 @@ typedef enum { /* SSL backend-specific data; declared differently by each SSL backend */ struct ssl_backend_data; -/* struct for data related to each SSL connection */ -struct ssl_connect_data { - ssl_connection_state state; - ssl_connect_state connecting_state; -#if defined(USE_SSL) - struct ssl_backend_data *backend; -#endif - /* Use ssl encrypted communications TRUE/FALSE. The library is not - necessarily using ssl at the moment but at least asked to or means to use - it. See 'state' for the exact current state of the connection. */ - BIT(use); -}; - struct ssl_primary_config { long version; /* what version the client wants to use */ - long version_max; /* max supported version the client wants to use*/ + long version_max; /* max supported version the client wants to use */ char *CApath; /* certificate dir (doesn't work on windows) */ char *CAfile; /* certificate to verify peer against */ char *issuercert; /* optional issuer certificate filename */ @@ -301,7 +306,7 @@ struct ssl_config_data { char *key_passwd; /* plain text private key password */ BIT(certinfo); /* gather lots of certificate info */ BIT(falsestart); - BIT(enable_beast); /* allow this flaw for interoperability's sake*/ + BIT(enable_beast); /* allow this flaw for interoperability's sake */ BIT(no_revoke); /* disable SSL certificate revocation checks */ BIT(no_partialchain); /* don't accept partial certificate chains */ BIT(revoke_best_effort); /* ignore SSL revocation offline/missing revocation @@ -313,6 +318,7 @@ struct ssl_config_data { struct ssl_general_config { size_t max_ssl_sessions; /* SSL session id cache size */ + int ca_cache_timeout; /* Certificate store cache timeout (seconds) */ }; /* information stored about one single SSL session */ @@ -476,12 +482,8 @@ struct negotiatedata { * Boolean values that concerns this connection. */ struct ConnectBits { - bool tcpconnect[2]; /* the TCP layer (or similar) is connected, this is set - the first time on the first connect function call */ #ifndef CURL_DISABLE_PROXY - bool proxy_ssl_connected[2]; /* TRUE when SSL initialization for HTTPS proxy - is complete */ - BIT(httpproxy); /* if set, this transfer is done through a http proxy */ + BIT(httpproxy); /* if set, this transfer is done through an HTTP proxy */ BIT(socksproxy); /* if set, this transfer is done through a socks proxy */ BIT(proxy_user_passwd); /* user+password for the proxy? */ BIT(tunnel_proxy); /* if CONNECT is used to "tunnel" through the proxy. @@ -514,10 +516,6 @@ struct ConnectBits { that we are creating a request with an auth header, but it is not the final request in the auth negotiation. */ - BIT(rewindaftersend);/* TRUE when the sending couldn't be stopped even - though it will be discarded. When the whole send - operation is done, we must call the data rewind - callback. */ #ifndef CURL_DISABLE_FTP BIT(ftp_use_epsv); /* As set with CURLOPT_FTP_USE_EPSV, but if we find out EPSV doesn't work we disable it for the forthcoming @@ -724,6 +722,7 @@ struct SingleRequest { BIT(forbidchunk); /* used only to explicitly forbid chunk-upload for specific upload buffers. See readmoredata() in http.c for details. */ + BIT(no_body); /* the response has no body */ }; /* @@ -865,7 +864,7 @@ struct postponed_data { struct proxy_info { struct hostname host; - long port; + int port; unsigned char proxytype; /* curl_proxytype: what kind of proxy that is in use */ char *user; /* proxy user name string, allocated */ @@ -873,38 +872,6 @@ struct proxy_info { }; struct ldapconninfo; -struct http_connect_state; - -/* for the (SOCKS) connect state machine */ -enum connect_t { - CONNECT_INIT, - CONNECT_SOCKS_INIT, /* 1 */ - CONNECT_SOCKS_SEND, /* 2 waiting to send more first data */ - CONNECT_SOCKS_READ_INIT, /* 3 set up read */ - CONNECT_SOCKS_READ, /* 4 read server response */ - CONNECT_GSSAPI_INIT, /* 5 */ - CONNECT_AUTH_INIT, /* 6 setup outgoing auth buffer */ - CONNECT_AUTH_SEND, /* 7 send auth */ - CONNECT_AUTH_READ, /* 8 read auth response */ - CONNECT_REQ_INIT, /* 9 init SOCKS "request" */ - CONNECT_RESOLVING, /* 10 */ - CONNECT_RESOLVED, /* 11 */ - CONNECT_RESOLVE_REMOTE, /* 12 */ - CONNECT_REQ_SEND, /* 13 */ - CONNECT_REQ_SENDING, /* 14 */ - CONNECT_REQ_READ, /* 15 */ - CONNECT_REQ_READ_MORE, /* 16 */ - CONNECT_DONE /* 17 connected fine to the remote or the SOCKS proxy */ -}; - -#define SOCKS_STATE(x) (((x) >= CONNECT_SOCKS_INIT) && \ - ((x) < CONNECT_DONE)) - -struct connstate { - enum connect_t state; - ssize_t outstanding; /* send this many bytes more */ - unsigned char *outp; /* send from this pointer */ -}; #define TRNSPRT_TCP 3 #define TRNSPRT_UDP 4 @@ -916,12 +883,11 @@ struct connstate { * unique for an entire connection. */ struct connectdata { - struct connstate cnnct; struct Curl_llist_element bundle_node; /* conncache */ /* chunk is for HTTP chunked encoding, but is in the general connectdata - struct only because we can do just about any protocol through a HTTP proxy - and a HTTP proxy may in fact respond using chunked encoding */ + struct only because we can do just about any protocol through an HTTP + proxy and an HTTP proxy may in fact respond using chunked encoding */ struct Curl_chunker chunk; curl_closesocket_callback fclosesocket; /* function closing the socket(s) */ @@ -985,17 +951,11 @@ struct connectdata { int tempfamily[2]; /* family used for the temp sockets */ Curl_recv *recv[2]; Curl_send *send[2]; + struct Curl_cfilter *cfilter[2]; /* connection filters */ #ifdef USE_RECV_BEFORE_SEND_WORKAROUND struct postponed_data postponed[2]; /* two buffers for two sockets */ #endif /* USE_RECV_BEFORE_SEND_WORKAROUND */ - struct ssl_connect_data ssl[2]; /* this is for ssl-stuff */ -#ifndef CURL_DISABLE_PROXY - struct ssl_connect_data proxy_ssl[2]; /* this is for proxy ssl-stuff */ -#endif -#ifdef USE_SSL - void *ssl_extra; /* separately allocated backend-specific data */ -#endif struct ssl_primary_config ssl_config; #ifndef CURL_DISABLE_PROXY struct ssl_primary_config proxy_ssl_config; @@ -1112,7 +1072,6 @@ struct connectdata { #endif } proto; - struct http_connect_state *connect_state; /* for HTTP CONNECT */ struct connectbundle *bundle; /* The bundle we are member of */ #ifdef USE_UNIX_SOCKETS char *unix_domain_socket; @@ -1520,6 +1479,9 @@ struct UrlState { BIT(url_alloc); /* URL string is malloc()'ed */ BIT(referer_alloc); /* referer string is malloc()ed */ BIT(wildcard_resolve); /* Set to true if any resolve change is a wildcard */ + BIT(rewindbeforesend);/* TRUE when the sending couldn't be stopped even + though it will be discarded. We must call the data + rewind callback before trying to send again. */ }; /* @@ -1531,7 +1493,7 @@ struct UrlState { * Character pointer fields point to dynamic storage, unless otherwise stated. */ -struct Curl_multi; /* declared and used only in multi.c */ +struct Curl_multi; /* declared in multihandle.c */ /* * This enumeration MUST not use conditional directives (#ifdefs), new @@ -1655,17 +1617,17 @@ struct UserDefined { FILE *err; /* the stderr user data goes here */ void *debugdata; /* the data that will be passed to fdebug */ char *errorbuffer; /* (Static) store failure messages in here */ - long proxyport; /* If non-zero, use this port number by default. If the - proxy string features a ":[port]" that one will override - this. */ void *out; /* CURLOPT_WRITEDATA */ void *in_set; /* CURLOPT_READDATA */ void *writeheader; /* write the header to this if non-NULL */ + unsigned short proxyport; /* If non-zero, use this port number by + default. If the proxy string features a + ":[port]" that one will override this. */ unsigned short use_port; /* which port to use (when not using default) */ unsigned long httpauth; /* kind of HTTP authentication to use (bitmask) */ unsigned long proxyauth; /* kind of proxy authentication to use (bitmask) */ #ifndef CURL_DISABLE_PROXY - unsigned long socks5auth;/* kind of SOCKS5 authentication to use (bitmask) */ + unsigned char socks5auth;/* kind of SOCKS5 authentication to use (bitmask) */ #endif long maxredirs; /* maximum no. of http(s) redirects to follow, set to -1 for infinity */ @@ -1859,8 +1821,12 @@ struct UserDefined { /* Here follows boolean settings that define how to behave during this session. They are STATIC, set by libcurl users or at least initially and they don't change during operations. */ + BIT(quick_exit); /* set 1L when it is okay to leak things (like + threads), as we're about to exit() anyway and + don't want lengthy cleanups to delay termination, + e.g. after a DNS timeout */ BIT(get_filetime); /* get the time and get of the remote file */ - BIT(tunnel_thru_httpproxy); /* use CONNECT through a HTTP proxy */ + BIT(tunnel_thru_httpproxy); /* use CONNECT through an HTTP proxy */ BIT(prefer_ascii); /* ASCII rather than binary */ BIT(remote_append); /* append, not overwrite, on upload */ BIT(list_only); /* list directory */ diff --git a/lib/vauth/digest.c b/lib/vauth/digest.c index f945e8b..c81ce10 100644 --- a/lib/vauth/digest.c +++ b/lib/vauth/digest.c @@ -142,7 +142,7 @@ bool Curl_auth_digest_get_pair(const char *str, char *value, char *content, } #if !defined(USE_WINDOWS_SSPI) -/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string*/ +/* Convert md5 chunk to RFC2617 (section 3.1.3) -suitable ascii string */ static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ unsigned char *dest) /* 33 bytes */ { @@ -151,7 +151,7 @@ static void auth_digest_md5_to_ascii(unsigned char *source, /* 16 bytes */ msnprintf((char *) &dest[i * 2], 3, "%02x", source[i]); } -/* Convert sha256 chunk to RFC7616 -suitable ascii string*/ +/* Convert sha256 chunk to RFC7616 -suitable ascii string */ static void auth_digest_sha256_to_ascii(unsigned char *source, /* 32 bytes */ unsigned char *dest) /* 65 bytes */ { @@ -186,7 +186,7 @@ static char *auth_digest_string_quoted(const char *source) } *d++ = *s++; } - *d = 0; + *d = '\0'; } return dest; @@ -490,7 +490,7 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data, /* * Curl_auth_decode_digest_http_message() * - * This is used to decode a HTTP DIGEST challenge message into the separate + * This is used to decode an HTTP DIGEST challenge message into the separate * attributes. * * Parameters: @@ -650,7 +650,7 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, /* * auth_create_digest_http_message() * - * This is used to generate a HTTP DIGEST response message ready for sending + * This is used to generate an HTTP DIGEST response message ready for sending * to the recipient. * * Parameters: @@ -926,7 +926,7 @@ static CURLcode auth_create_digest_http_message( /* * Curl_auth_create_digest_http_message() * - * This is used to generate a HTTP DIGEST response message ready for sending + * This is used to generate an HTTP DIGEST response message ready for sending * to the recipient. * * Parameters: diff --git a/lib/vauth/digest_sspi.c b/lib/vauth/digest_sspi.c index 89a9db5..6c95a3e 100644 --- a/lib/vauth/digest_sspi.c +++ b/lib/vauth/digest_sspi.c @@ -307,7 +307,7 @@ CURLcode Curl_override_sspi_http_realm(const char *chlg, /* * Curl_auth_decode_digest_http_message() * - * This is used to decode a HTTP DIGEST challenge message into the separate + * This is used to decode an HTTP DIGEST challenge message into the separate * attributes. * * Parameters: @@ -371,7 +371,7 @@ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, /* * Curl_auth_create_digest_http_message() * - * This is used to generate a HTTP DIGEST response message ready for sending + * This is used to generate an HTTP DIGEST response message ready for sending * to the recipient. * * Parameters: diff --git a/lib/vauth/krb5_sspi.c b/lib/vauth/krb5_sspi.c index 895b4a1..015bc66 100644 --- a/lib/vauth/krb5_sspi.c +++ b/lib/vauth/krb5_sspi.c @@ -471,4 +471,4 @@ void Curl_auth_cleanup_gssapi(struct kerberos5data *krb5) krb5->token_max = 0; } -#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5*/ +#endif /* USE_WINDOWS_SSPI && USE_KERBEROS5 */ diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c index c10fa6c..0141e17 100644 --- a/lib/vauth/ntlm.c +++ b/lib/vauth/ntlm.c @@ -88,8 +88,6 @@ static void ntlm_print_flags(FILE *handle, unsigned long flags) fprintf(handle, "NTLMFLAG_NEGOTIATE_DATAGRAM_STYLE "); if(flags & NTLMFLAG_NEGOTIATE_LM_KEY) fprintf(handle, "NTLMFLAG_NEGOTIATE_LM_KEY "); - if(flags & NTLMFLAG_NEGOTIATE_NETWARE) - fprintf(handle, "NTLMFLAG_NEGOTIATE_NETWARE "); if(flags & NTLMFLAG_NEGOTIATE_NTLM_KEY) fprintf(handle, "NTLMFLAG_NEGOTIATE_NTLM_KEY "); if(flags & (1<<10)) diff --git a/lib/vauth/ntlm.h b/lib/vauth/ntlm.h index 4dfda55..14ebba2 100644 --- a/lib/vauth/ntlm.h +++ b/lib/vauth/ntlm.h @@ -64,9 +64,6 @@ /* Indicates that the LAN Manager session key should be used for signing and sealing authenticated communications. */ -#define NTLMFLAG_NEGOTIATE_NETWARE (1<<8) -/* unknown purpose */ - #define NTLMFLAG_NEGOTIATE_NTLM_KEY (1<<9) /* Indicates that NTLM authentication is being used. */ diff --git a/lib/vauth/vauth.h b/lib/vauth/vauth.h index af27f01..c310c66 100644 --- a/lib/vauth/vauth.h +++ b/lib/vauth/vauth.h @@ -104,11 +104,11 @@ CURLcode Curl_auth_create_digest_md5_message(struct Curl_easy *data, const char *service, struct bufref *out); -/* This is used to decode a HTTP DIGEST challenge message */ +/* This is used to decode an HTTP DIGEST challenge message */ CURLcode Curl_auth_decode_digest_http_message(const char *chlg, struct digestdata *digest); -/* This is used to generate a HTTP DIGEST response message */ +/* This is used to generate an HTTP DIGEST response message */ CURLcode Curl_auth_create_digest_http_message(struct Curl_easy *data, const char *userp, const char *passwdp, diff --git a/lib/version.c b/lib/version.c index f71f49e..b43a8bc 100644 --- a/lib/version.c +++ b/lib/version.c @@ -382,93 +382,145 @@ static const char * const protocols[] = { NULL }; -static curl_version_info_data version_info = { - CURLVERSION_NOW, - LIBCURL_VERSION, - LIBCURL_VERSION_NUM, - OS, /* as found by configure or set by hand at build-time */ - 0 /* features is 0 by default */ -#ifdef ENABLE_IPV6 - | CURL_VERSION_IPV6 +/* + * Feature presence run-time check functions. + * + * Warning: the value returned by these should not change between + * curl_global_init() and curl_global_cleanup() calls. + */ + +#if defined(USE_LIBIDN2) +static int idn_present(curl_version_info_data *info) +{ + return info->libidn != NULL; +} +#else +#define idn_present NULL #endif -#ifdef USE_SSL - | CURL_VERSION_SSL + +#if defined(USE_SSL) && !defined(CURL_DISABLE_PROXY) +static int https_proxy_present(curl_version_info_data *info) +{ + (void) info; + return Curl_ssl_supports(NULL, SSLSUPP_HTTPS_PROXY); +} #endif -#ifdef USE_NTLM - | CURL_VERSION_NTLM + +/* + * Features table. + * + * Keep the features alphabetically sorted. + * Use FEATURE() macro to define an entry: this allows documentation check. + */ + +#define FEATURE(name, present, bitmask) {(name), (present), (bitmask)} + +struct feat { + const char *name; + int (*present)(curl_version_info_data *info); + int bitmask; +}; + +static const struct feat features_table[] = { +#ifndef CURL_DISABLE_ALTSVC + FEATURE("alt-svc", NULL, CURL_VERSION_ALTSVC), #endif -#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \ - defined(NTLM_WB_ENABLED) - | CURL_VERSION_NTLM_WB +#ifdef CURLRES_ASYNCH + FEATURE("AsynchDNS", NULL, CURL_VERSION_ASYNCHDNS), #endif -#ifdef USE_SPNEGO - | CURL_VERSION_SPNEGO +#ifdef HAVE_BROTLI + FEATURE("brotli", NULL, CURL_VERSION_BROTLI), #endif -#ifdef USE_KERBEROS5 - | CURL_VERSION_KERBEROS5 +#ifdef DEBUGBUILD + FEATURE("Debug", NULL, CURL_VERSION_DEBUG), +#endif +#ifdef USE_GSASL + FEATURE("gsasl", NULL, CURL_VERSION_GSASL), #endif #ifdef HAVE_GSSAPI - | CURL_VERSION_GSSAPI + FEATURE("GSS-API", NULL, CURL_VERSION_GSSAPI), #endif -#ifdef USE_WINDOWS_SSPI - | CURL_VERSION_SSPI +#ifndef CURL_DISABLE_HSTS + FEATURE("HSTS", NULL, CURL_VERSION_HSTS), #endif -#ifdef HAVE_LIBZ - | CURL_VERSION_LIBZ +#if defined(USE_NGHTTP2) || defined(USE_HYPER) + FEATURE("HTTP2", NULL, CURL_VERSION_HTTP2), #endif -#ifdef DEBUGBUILD - | CURL_VERSION_DEBUG +#if defined(ENABLE_QUIC) + FEATURE("HTTP3", NULL, CURL_VERSION_HTTP3), #endif -#ifdef CURLDEBUG - | CURL_VERSION_CURLDEBUG +#if defined(USE_SSL) && !defined(CURL_DISABLE_PROXY) + FEATURE("HTTPS-proxy", https_proxy_present, CURL_VERSION_HTTPS_PROXY), #endif -#ifdef CURLRES_ASYNCH - | CURL_VERSION_ASYNCHDNS +#if defined(USE_LIBIDN2) || defined(USE_WIN32_IDN) + FEATURE("IDN", idn_present, CURL_VERSION_IDN), +#endif +#ifdef ENABLE_IPV6 + FEATURE("IPv6", NULL, CURL_VERSION_IPV6), +#endif +#ifdef USE_KERBEROS5 + FEATURE("Kerberos", NULL, CURL_VERSION_KERBEROS5), #endif #if (SIZEOF_CURL_OFF_T > 4) && \ ( (SIZEOF_OFF_T > 4) || defined(USE_WIN32_LARGE_FILES) ) - | CURL_VERSION_LARGEFILE + FEATURE("Largefile", NULL, CURL_VERSION_LARGEFILE), #endif -#if defined(WIN32) && defined(UNICODE) && defined(_UNICODE) - | CURL_VERSION_UNICODE -#endif -#if defined(USE_TLS_SRP) - | CURL_VERSION_TLSAUTH_SRP +#ifdef HAVE_LIBZ + FEATURE("libz", NULL, CURL_VERSION_LIBZ), #endif -#if defined(USE_NGHTTP2) || defined(USE_HYPER) - | CURL_VERSION_HTTP2 +#ifdef CURL_WITH_MULTI_SSL + FEATURE("MultiSSL", NULL, CURL_VERSION_MULTI_SSL), #endif -#if defined(ENABLE_QUIC) - | CURL_VERSION_HTTP3 +#ifdef USE_NTLM + FEATURE("NTLM", NULL, CURL_VERSION_NTLM), #endif -#if defined(USE_UNIX_SOCKETS) - | CURL_VERSION_UNIX_SOCKETS +#if !defined(CURL_DISABLE_HTTP) && defined(USE_NTLM) && \ + defined(NTLM_WB_ENABLED) + FEATURE("NTLM_WB", NULL, CURL_VERSION_NTLM_WB), #endif #if defined(USE_LIBPSL) - | CURL_VERSION_PSL + FEATURE("PSL", NULL, CURL_VERSION_PSL), +#endif +#ifdef USE_SPNEGO + FEATURE("SPNEGO", NULL, CURL_VERSION_SPNEGO), #endif -#if defined(CURL_WITH_MULTI_SSL) - | CURL_VERSION_MULTI_SSL +#ifdef USE_SSL + FEATURE("SSL", NULL, CURL_VERSION_SSL), #endif -#if defined(HAVE_BROTLI) - | CURL_VERSION_BROTLI +#ifdef USE_WINDOWS_SSPI + FEATURE("SSPI", NULL, CURL_VERSION_SSPI), #endif -#if defined(HAVE_ZSTD) - | CURL_VERSION_ZSTD +#ifdef GLOBAL_INIT_IS_THREADSAFE + FEATURE("threadsafe", NULL, CURL_VERSION_THREADSAFE), #endif -#ifndef CURL_DISABLE_ALTSVC - | CURL_VERSION_ALTSVC +#ifdef USE_TLS_SRP + FEATURE("TLS-SRP", NULL, CURL_VERSION_TLSAUTH_SRP), #endif -#ifndef CURL_DISABLE_HSTS - | CURL_VERSION_HSTS +#ifdef CURLDEBUG + FEATURE("TrackMemory", NULL, CURL_VERSION_CURLDEBUG), +#endif +#if defined(WIN32) && defined(UNICODE) && defined(_UNICODE) + FEATURE("Unicode", NULL, CURL_VERSION_UNICODE), #endif -#if defined(USE_GSASL) - | CURL_VERSION_GSASL +#ifdef USE_UNIX_SOCKETS + FEATURE("UnixSockets", NULL, CURL_VERSION_UNIX_SOCKETS), #endif -#if defined(GLOBAL_INIT_IS_THREADSAFE) - | CURL_VERSION_THREADSAFE +#ifdef HAVE_ZSTD + FEATURE("zstd", NULL, CURL_VERSION_ZSTD), #endif - , + {NULL, NULL, 0} +}; + +static const char *feature_names[sizeof(features_table) / + sizeof(features_table[0])] = {NULL}; + + +static curl_version_info_data version_info = { + CURLVERSION_NOW, + LIBCURL_VERSION, + LIBCURL_VERSION_NUM, + OS, /* as found by configure or set by hand at build-time */ + 0, /* features bitmask is built at run-time */ NULL, /* ssl_version */ 0, /* ssl_version_num, this is kept at zero */ NULL, /* zlib_version */ @@ -496,11 +548,16 @@ static curl_version_info_data version_info = { 0, /* zstd_ver_num */ NULL, /* zstd version */ NULL, /* Hyper version */ - NULL /* gsasl version */ + NULL, /* gsasl version */ + feature_names }; curl_version_info_data *curl_version_info(CURLversion stamp) { + size_t n; + const struct feat *p; + int features = 0; + #if defined(USE_SSH) static char ssh_buffer[80]; #endif @@ -518,15 +575,11 @@ curl_version_info_data *curl_version_info(CURLversion stamp) static char zstd_buffer[80]; #endif + (void)stamp; /* avoid compiler warnings, we don't use this */ + #ifdef USE_SSL Curl_ssl_version(ssl_buffer, sizeof(ssl_buffer)); version_info.ssl_version = ssl_buffer; -#ifndef CURL_DISABLE_PROXY - if(Curl_ssl->supports & SSLSUPP_HTTPS_PROXY) - version_info.features |= CURL_VERSION_HTTPS_PROXY; - else - version_info.features &= ~CURL_VERSION_HTTPS_PROXY; -#endif #endif #ifdef HAVE_LIBZ @@ -544,10 +597,6 @@ curl_version_info_data *curl_version_info(CURLversion stamp) /* This returns a version string if we use the given version or later, otherwise it returns NULL */ version_info.libidn = idn2_check_version(IDN2_VERSION); - if(version_info.libidn) - version_info.features |= CURL_VERSION_IDN; -#elif defined(USE_WIN32_IDN) - version_info.features |= CURL_VERSION_IDN; #endif #if defined(USE_SSH) @@ -597,6 +646,16 @@ curl_version_info_data *curl_version_info(CURLversion stamp) } #endif - (void)stamp; /* avoid compiler warnings, we don't use this */ + /* Get available features, build bitmask and names array. */ + n = 0; + for(p = features_table; p->name; p++) + if(!p->present || p->present(&version_info)) { + features |= p->bitmask; + feature_names[n++] = p->name; + } + + feature_names[n] = NULL; /* Terminate array. */ + version_info.features = features; + return &version_info; } diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c index 097cca4..f16b469 100644 --- a/lib/vquic/ngtcp2.c +++ b/lib/vquic/ngtcp2.c @@ -27,6 +27,7 @@ #ifdef USE_NGTCP2 #include #include + #ifdef USE_OPENSSL #include #ifdef OPENSSL_IS_BORINGSSL @@ -42,6 +43,7 @@ #include #include "vtls/wolfssl.h" #endif + #include "urldata.h" #include "sendf.h" #include "strdup.h" @@ -49,6 +51,7 @@ #include "ngtcp2.h" #include "multiif.h" #include "strcase.h" +#include "cfilters.h" #include "connect.h" #include "strerror.h" #include "dynbuf.h" @@ -300,17 +303,19 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) static CURLcode quic_set_client_cert(struct Curl_easy *data, struct quicsocket *qs) { - struct connectdata *conn = data->conn; SSL_CTX *ssl_ctx = qs->sslctx; - char *const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); - const char *const ssl_cert_type = SSL_SET_OPTION(cert_type); + const struct ssl_config_data *ssl_config; - if(ssl_cert || ssl_cert_blob || ssl_cert_type) { + ssl_config = Curl_ssl_get_config(data, FIRSTSOCKET); + DEBUGASSERT(ssl_config); + + if(ssl_config->primary.clientcert || ssl_config->primary.cert_blob + || ssl_config->cert_type) { return Curl_ossl_set_client_cert( - data, ssl_ctx, ssl_cert, ssl_cert_blob, ssl_cert_type, - SSL_SET_OPTION(key), SSL_SET_OPTION(key_blob), - SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd)); + data, ssl_ctx, ssl_config->primary.clientcert, + ssl_config->primary.cert_blob, ssl_config->cert_type, + ssl_config->key, ssl_config->key_blob, + ssl_config->key_type, ssl_config->key_passwd); } return CURLE_OK; @@ -318,13 +323,17 @@ static CURLcode quic_set_client_cert(struct Curl_easy *data, /** SSL callbacks ***/ -static int quic_init_ssl(struct quicsocket *qs) +static CURLcode quic_init_ssl(struct quicsocket *qs, + struct Curl_easy *data, + struct connectdata *conn) { const uint8_t *alpn = NULL; size_t alpnlen = 0; /* this will need some attention when HTTPS proxy over QUIC get fixed */ const char * const hostname = qs->conn->host.name; + (void)data; + (void)conn; DEBUGASSERT(!qs->ssl); qs->ssl = SSL_new(qs->sslctx); @@ -339,64 +348,49 @@ static int quic_init_ssl(struct quicsocket *qs) /* set SNI */ SSL_set_tlsext_host_name(qs->ssl, hostname); - return 0; + return CURLE_OK; } #elif defined(USE_GNUTLS) -static int quic_init_ssl(struct quicsocket *qs) +static CURLcode quic_init_ssl(struct quicsocket *qs, + struct Curl_easy *data, + struct connectdata *conn) { + CURLcode result; gnutls_datum_t alpn[2]; /* this will need some attention when HTTPS proxy over QUIC get fixed */ const char * const hostname = qs->conn->host.name; + long * const pverifyresult = &data->set.ssl.certverifyresult; int rc; - DEBUGASSERT(!qs->ssl); + DEBUGASSERT(qs->gtls == NULL); + qs->gtls = calloc(1, sizeof(*(qs->gtls))); + if(!qs->gtls) + return CURLE_OUT_OF_MEMORY; - gnutls_init(&qs->ssl, GNUTLS_CLIENT); - gnutls_session_set_ptr(qs->ssl, &qs->conn_ref); + result = gtls_client_init(data, &conn->ssl_config, &data->set.ssl, + hostname, qs->gtls, pverifyresult); + if(result) + return result; - if(ngtcp2_crypto_gnutls_configure_client_session(qs->ssl) != 0) { + gnutls_session_set_ptr(qs->gtls->session, &qs->conn_ref); + + if(ngtcp2_crypto_gnutls_configure_client_session(qs->gtls->session) != 0) { H3BUGF(fprintf(stderr, "ngtcp2_crypto_gnutls_configure_client_session failed\n")); - return 1; + return CURLE_QUIC_CONNECT_ERROR; } - rc = gnutls_priority_set_direct(qs->ssl, QUIC_PRIORITY, NULL); + rc = gnutls_priority_set_direct(qs->gtls->session, QUIC_PRIORITY, NULL); if(rc < 0) { H3BUGF(fprintf(stderr, "gnutls_priority_set_direct failed: %s\n", gnutls_strerror(rc))); - return 1; + return CURLE_QUIC_CONNECT_ERROR; } /* Open the file if a TLS or QUIC backend has not done this before. */ Curl_tls_keylog_open(); if(Curl_tls_keylog_enabled()) { - gnutls_session_set_keylog_function(qs->ssl, keylog_callback); - } - - if(qs->cred) - gnutls_certificate_free_credentials(qs->cred); - - rc = gnutls_certificate_allocate_credentials(&qs->cred); - if(rc < 0) { - H3BUGF(fprintf(stderr, - "gnutls_certificate_allocate_credentials failed: %s\n", - gnutls_strerror(rc))); - return 1; - } - - rc = gnutls_certificate_set_x509_system_trust(qs->cred); - if(rc < 0) { - H3BUGF(fprintf(stderr, - "gnutls_certificate_set_x509_system_trust failed: %s\n", - gnutls_strerror(rc))); - return 1; - } - - rc = gnutls_credentials_set(qs->ssl, GNUTLS_CRD_CERTIFICATE, qs->cred); - if(rc < 0) { - H3BUGF(fprintf(stderr, "gnutls_credentials_set failed: %s\n", - gnutls_strerror(rc))); - return 1; + gnutls_session_set_keylog_function(qs->gtls->session, keylog_callback); } /* strip the first byte (the length) from NGHTTP3_ALPN_H3 */ @@ -405,11 +399,9 @@ static int quic_init_ssl(struct quicsocket *qs) alpn[1].data = (unsigned char *)H3_ALPN_H3 + 1; alpn[1].size = sizeof(H3_ALPN_H3) - 2; - gnutls_alpn_set_protocols(qs->ssl, alpn, 2, GNUTLS_ALPN_MANDATORY); + gnutls_alpn_set_protocols(qs->gtls->session, alpn, 2, GNUTLS_ALPN_MANDATORY); - /* set SNI */ - gnutls_server_name_set(qs->ssl, GNUTLS_NAME_DNS, hostname, strlen(hostname)); - return 0; + return CURLE_OK; } #elif defined(USE_WOLFSSL) @@ -484,13 +476,17 @@ static WOLFSSL_CTX *quic_ssl_ctx(struct Curl_easy *data) /** SSL callbacks ***/ -static int quic_init_ssl(struct quicsocket *qs) +static CURLcode quic_init_ssl(struct quicsocket *qs, + struct Curl_easy *data, + struct connectdata *conn) { const uint8_t *alpn = NULL; size_t alpnlen = 0; /* this will need some attention when HTTPS proxy over QUIC get fixed */ const char * const hostname = qs->conn->host.name; + (void)data; + (void)conn; DEBUGASSERT(!qs->ssl); qs->ssl = SSL_new(qs->sslctx); @@ -507,7 +503,7 @@ static int quic_init_ssl(struct quicsocket *qs) wolfSSL_UseSNI(qs->ssl, WOLFSSL_SNI_HOST_NAME, hostname, (unsigned short)strlen(hostname)); - return 0; + return CURLE_OK; } #endif /* defined(USE_WOLFSSL) */ @@ -812,8 +808,9 @@ CURLcode Curl_quic_connect(struct Curl_easy *data, return CURLE_QUIC_CONNECT_ERROR; #endif - if(quic_init_ssl(qs)) - return CURLE_QUIC_CONNECT_ERROR; + result = quic_init_ssl(qs, data, conn); + if(result) + return result; qs->dcid.datalen = NGTCP2_MAX_CIDLEN; result = Curl_rand(data, qs->dcid.data, NGTCP2_MAX_CIDLEN); @@ -845,7 +842,11 @@ CURLcode Curl_quic_connect(struct Curl_easy *data, if(rc) return CURLE_QUIC_CONNECT_ERROR; +#ifdef USE_GNUTLS + ngtcp2_conn_set_tls_native_handle(qs->qconn, qs->gtls->session); +#else ngtcp2_conn_set_tls_native_handle(qs->qconn, qs->ssl); +#endif ngtcp2_connection_close_error_default(&qs->last_error); @@ -894,7 +895,7 @@ static int ng_getsock(struct Curl_easy *data, struct connectdata *conn, socks[0] = conn->sock[FIRSTSOCKET]; - /* in a HTTP/2 connection we can basically always get a frame so we should + /* in an HTTP/2 connection we can basically always get a frame so we should always be ready for one */ bitmap |= GETSOCK_READSOCK(FIRSTSOCKET); @@ -932,29 +933,29 @@ static void qs_disconnect(struct quicsocket *qs) close(qs->qlogfd); qs->qlogfd = -1; } - if(qs->ssl) #ifdef USE_OPENSSL + if(qs->ssl) SSL_free(qs->ssl); + qs->ssl = NULL; + SSL_CTX_free(qs->sslctx); #elif defined(USE_GNUTLS) - gnutls_deinit(qs->ssl); + if(qs->gtls) { + if(qs->gtls->cred) + gnutls_certificate_free_credentials(qs->gtls->cred); + if(qs->gtls->session) + gnutls_deinit(qs->gtls->session); + free(qs->gtls); + qs->gtls = NULL; + } #elif defined(USE_WOLFSSL) + if(qs->ssl) wolfSSL_free(qs->ssl); -#endif qs->ssl = NULL; -#ifdef USE_GNUTLS - if(qs->cred) { - gnutls_certificate_free_credentials(qs->cred); - qs->cred = NULL; - } + wolfSSL_CTX_free(qs->sslctx); #endif free(qs->pktbuf); nghttp3_conn_del(qs->h3conn); ngtcp2_conn_del(qs->qconn); -#ifdef USE_OPENSSL - SSL_CTX_free(qs->sslctx); -#elif defined(USE_WOLFSSL) - wolfSSL_CTX_free(qs->sslctx); -#endif } void Curl_quic_disconnect(struct Curl_easy *data, @@ -1170,7 +1171,7 @@ static int cb_h3_recv_header(nghttp3_conn *conn, int64_t stream_id, } } else { - /* store as a HTTP1-style header */ + /* store as an HTTP1-style header */ result = write_data(stream, h3name.base, h3name.len); if(result) { return -1; @@ -1672,6 +1673,15 @@ static CURLcode ng_has_connected(struct Curl_easy *data, struct connectdata *conn, int tempindex) { CURLcode result = CURLE_OK; + const char *hostname, *disp_hostname; + int port; + char *snihost; + + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &disp_hostname, &port); + snihost = Curl_ssl_snihost(data, hostname, NULL); + if(!snihost) + return CURLE_PEER_FAILED_VERIFICATION; + conn->recv[FIRSTSOCKET] = ngh3_stream_recv; conn->send[FIRSTSOCKET] = ngh3_stream_send; conn->handler = &Curl_handler_http3; @@ -1691,16 +1701,18 @@ static CURLcode ng_has_connected(struct Curl_easy *data, X509_free(server_cert); if(result) return result; - infof(data, "Verified certificate just fine"); #elif defined(USE_GNUTLS) - result = Curl_gtls_verifyserver(data, conn, conn->quic->ssl, FIRSTSOCKET); + result = Curl_gtls_verifyserver(data, conn->quic->gtls->session, + &conn->ssl_config, &data->set.ssl, + hostname, disp_hostname, + data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + if(result) + return result; #elif defined(USE_WOLFSSL) - char *snihost = Curl_ssl_snihost(data, SSL_HOST_NAME(), NULL); - if(!snihost || - (wolfSSL_check_domain_name(conn->quic->ssl, snihost) == SSL_FAILURE)) + if(wolfSSL_check_domain_name(conn->quic->ssl, snihost) == SSL_FAILURE) return CURLE_PEER_FAILED_VERIFICATION; - infof(data, "Verified certificate just fine"); #endif + infof(data, "Verified certificate just fine"); } else infof(data, "Skipped certificate verification"); diff --git a/lib/vquic/ngtcp2.h b/lib/vquic/ngtcp2.h index 6539f5f..2265999 100644 --- a/lib/vquic/ngtcp2.h +++ b/lib/vquic/ngtcp2.h @@ -36,14 +36,14 @@ #include #ifdef USE_OPENSSL #include -#elif defined(USE_GNUTLS) -#include #elif defined(USE_WOLFSSL) #include #include #include #endif +struct gtls_instance; + struct blocked_pkt { const uint8_t *pkt; size_t pktlen; @@ -64,8 +64,7 @@ struct quicsocket { SSL_CTX *sslctx; SSL *ssl; #elif defined(USE_GNUTLS) - gnutls_certificate_credentials_t cred; - gnutls_session_t ssl; + struct gtls_instance *gtls; #elif defined(USE_WOLFSSL) WOLFSSL_CTX *sslctx; WOLFSSL *ssl; diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c index a52a7e8..2b9a041 100644 --- a/lib/vquic/quiche.c +++ b/lib/vquic/quiche.c @@ -80,7 +80,7 @@ static int quiche_getsock(struct Curl_easy *data, socks[0] = conn->sock[FIRSTSOCKET]; - /* in a HTTP/2 connection we can basically always get a frame so we should + /* in an HTTP/2 connection we can basically always get a frame so we should always be ready for one */ bitmap |= GETSOCK_READSOCK(FIRSTSOCKET); @@ -348,9 +348,6 @@ CURLcode Curl_quic_connect(struct Curl_easy *data, Curl_persistconninfo(data, conn, NULL, -1); - /* for connection reuse purposes: */ - conn->ssl[FIRSTSOCKET].state = ssl_connection_complete; - { unsigned char alpn_protocols[] = QUICHE_H3_APPLICATION_PROTOCOL; unsigned alpn_len, offset = 0; diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c index 0105e40..d9fa58a 100644 --- a/lib/vssh/libssh.c +++ b/lib/vssh/libssh.c @@ -51,11 +51,6 @@ #include #endif -#if (defined(NETWARE) && defined(__NOVELL_LIBC__)) -#undef in_addr_t -#define in_addr_t unsigned long -#endif - #include #include "urldata.h" #include "sendf.h" @@ -71,6 +66,7 @@ #include "strdup.h" #include "strcase.h" #include "vtls/vtls.h" +#include "cfilters.h" #include "connect.h" #include "inet_ntop.h" #include "parsedate.h" /* for the week day and month names */ @@ -1415,7 +1411,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) case SSH_SFTP_READDIR_INIT: Curl_pgrsSetDownloadSize(data, -1); - if(data->set.opt_no_body) { + if(data->req.no_body) { state(data, SSH_STOP); break; } @@ -1662,13 +1658,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) CURLofft to_t; CURLofft from_t; - from_t = curlx_strtoofft(data->state.range, &ptr, 0, &from); + from_t = curlx_strtoofft(data->state.range, &ptr, 10, &from); if(from_t == CURL_OFFT_FLOW) { return CURLE_RANGE_ERROR; } while(*ptr && (ISBLANK(*ptr) || (*ptr == '-'))) ptr++; - to_t = curlx_strtoofft(ptr, &ptr2, 0, &to); + to_t = curlx_strtoofft(ptr, &ptr2, 10, &to); if(to_t == CURL_OFFT_FLOW) { return CURLE_RANGE_ERROR; } @@ -2323,7 +2319,6 @@ CURLcode scp_perform(struct Curl_easy *data, bool *connected, bool *dophase_done) { CURLcode result = CURLE_OK; - struct connectdata *conn = data->conn; DEBUGF(infof(data, "DO phase starts")); @@ -2334,7 +2329,7 @@ CURLcode scp_perform(struct Curl_easy *data, result = myssh_multi_statemach(data, dophase_done); - *connected = conn->bits.tcpconnect[FIRSTSOCKET]; + *connected = Curl_conn_is_connected(data->conn, FIRSTSOCKET); if(*dophase_done) { DEBUGF(infof(data, "DO phase is complete")); @@ -2504,7 +2499,6 @@ CURLcode sftp_perform(struct Curl_easy *data, bool *dophase_done) { CURLcode result = CURLE_OK; - struct connectdata *conn = data->conn; DEBUGF(infof(data, "DO phase starts")); @@ -2516,7 +2510,7 @@ CURLcode sftp_perform(struct Curl_easy *data, /* run the state-machine */ result = myssh_multi_statemach(data, dophase_done); - *connected = conn->bits.tcpconnect[FIRSTSOCKET]; + *connected = Curl_conn_is_connected(data->conn, FIRSTSOCKET); if(*dophase_done) { DEBUGF(infof(data, "DO phase is complete")); diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c index 5a2c0f8..ce9229f 100644 --- a/lib/vssh/libssh2.c +++ b/lib/vssh/libssh2.c @@ -54,11 +54,6 @@ #include #endif -#if (defined(NETWARE) && defined(__NOVELL_LIBC__)) -#undef in_addr_t -#define in_addr_t unsigned long -#endif - #include #include "urldata.h" #include "sendf.h" @@ -74,6 +69,7 @@ #include "strdup.h" #include "strcase.h" #include "vtls/vtls.h" +#include "cfilters.h" #include "connect.h" #include "inet_ntop.h" #include "parsedate.h" /* for the week day and month names */ @@ -83,7 +79,6 @@ #include "select.h" #include "warnless.h" #include "curl_path.h" -#include "strcase.h" #include /* for base64 encoding/decoding */ #include @@ -610,9 +605,9 @@ static CURLcode ssh_knownhost(struct Curl_easy *data) /* remove old host+key that doesn't match */ if(host) libssh2_knownhost_del(sshc->kh, host); - /*FALLTHROUGH*/ + /* FALLTHROUGH */ case CURLKHSTAT_FINE: - /*FALLTHROUGH*/ + /* FALLTHROUGH */ case CURLKHSTAT_FINE_ADD_TO_FILE: /* proceed */ if(keycheck != LIBSSH2_KNOWNHOST_CHECK_MATCH) { @@ -785,7 +780,7 @@ static CURLcode ssh_check_fingerprint(struct Curl_easy *data) size_t keylen = 0; int sshkeytype = 0; int rc = 0; - /* we handle the process to the callback*/ + /* we handle the process to the callback */ const char *remotekey = libssh2_session_hostkey(sshc->ssh_session, &keylen, &sshkeytype); if(remotekey) { @@ -796,10 +791,14 @@ static CURLcode ssh_check_fingerprint(struct Curl_easy *data) Curl_set_in_callback(data, false); if(rc!= CURLKHMATCH_OK) { state(data, SSH_SESSION_FREE); + sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; + return sshc->actualcode; } } else { state(data, SSH_SESSION_FREE); + sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; + return sshc->actualcode; } return CURLE_OK; } @@ -2251,7 +2250,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) case SSH_SFTP_READDIR_INIT: Curl_pgrsSetDownloadSize(data, -1); - if(data->set.opt_no_body) { + if(data->req.no_body) { state(data, SSH_STOP); break; } @@ -2503,12 +2502,12 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block) CURLofft to_t; CURLofft from_t; - from_t = curlx_strtoofft(data->state.range, &ptr, 0, &from); + from_t = curlx_strtoofft(data->state.range, &ptr, 10, &from); if(from_t == CURL_OFFT_FLOW) return CURLE_RANGE_ERROR; while(*ptr && (ISBLANK(*ptr) || (*ptr == '-'))) ptr++; - to_t = curlx_strtoofft(ptr, &ptr2, 0, &to); + to_t = curlx_strtoofft(ptr, &ptr2, 10, &to); if(to_t == CURL_OFFT_FLOW) return CURLE_RANGE_ERROR; if((to_t == CURL_OFFT_INVAL) /* no "to" value given */ @@ -3375,7 +3374,6 @@ CURLcode scp_perform(struct Curl_easy *data, bool *dophase_done) { CURLcode result = CURLE_OK; - struct connectdata *conn = data->conn; DEBUGF(infof(data, "DO phase starts")); @@ -3387,7 +3385,7 @@ CURLcode scp_perform(struct Curl_easy *data, /* run the state-machine */ result = ssh_multi_statemach(data, dophase_done); - *connected = conn->bits.tcpconnect[FIRSTSOCKET]; + *connected = Curl_conn_is_connected(data->conn, FIRSTSOCKET); if(*dophase_done) { DEBUGF(infof(data, "DO phase is complete")); @@ -3576,7 +3574,7 @@ CURLcode sftp_perform(struct Curl_easy *data, /* run the state-machine */ result = ssh_multi_statemach(data, dophase_done); - *connected = data->conn->bits.tcpconnect[FIRSTSOCKET]; + *connected = Curl_conn_is_connected(data->conn, FIRSTSOCKET); if(*dophase_done) { DEBUGF(infof(data, "DO phase is complete")); diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c index c2f85f3..6a8fb56 100644 --- a/lib/vssh/wolfssh.c +++ b/lib/vssh/wolfssh.c @@ -31,6 +31,7 @@ #include #include #include "urldata.h" +#include "cfilters.h" #include "connect.h" #include "sendf.h" #include "progress.h" @@ -836,7 +837,7 @@ static CURLcode wssh_statemach_act(struct Curl_easy *data, bool *block) case SSH_SFTP_READDIR_INIT: Curl_pgrsSetDownloadSize(data, -1); - if(data->set.opt_no_body) { + if(data->req.no_body) { state(data, SSH_STOP); break; } @@ -939,7 +940,6 @@ CURLcode wsftp_perform(struct Curl_easy *data, bool *dophase_done) { CURLcode result = CURLE_OK; - struct connectdata *conn = data->conn; DEBUGF(infof(data, "DO phase starts")); @@ -951,7 +951,7 @@ CURLcode wsftp_perform(struct Curl_easy *data, /* run the state-machine */ result = wssh_multi_statemach(data, dophase_done); - *connected = conn->bits.tcpconnect[FIRSTSOCKET]; + *connected = Curl_conn_is_connected(data->conn, FIRSTSOCKET); if(*dophase_done) { DEBUGF(infof(data, "DO phase is complete")); diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c index 1221ce8..d9c0ce0 100644 --- a/lib/vtls/bearssl.c +++ b/lib/vtls/bearssl.c @@ -32,13 +32,17 @@ #include "sendf.h" #include "inet_pton.h" #include "vtls.h" +#include "vtls_int.h" #include "connect.h" #include "select.h" #include "multiif.h" #include "curl_printf.h" -#include "curl_memory.h" #include "strcase.h" +/* The last #include files should be: */ +#include "curl_memory.h" +#include "memdebug.h" + struct x509_context { const br_x509_class *vtable; br_x509_minimal_context minimal; @@ -566,18 +570,20 @@ static CURLcode bearssl_set_selected_ciphers(struct Curl_easy *data, return CURLE_OK; } -static CURLcode bearssl_connect_step1(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step1(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; const char * const ssl_cafile = /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */ - (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); - const char *hostname = SSL_HOST_NAME(); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const bool verifyhost = SSL_CONN_CONFIG(verifyhost); + (ca_info_blob ? NULL : conn_config->CAfile); + const char *hostname = connssl->hostname; + const bool verifypeer = conn_config->verifypeer; + const bool verifyhost = conn_config->verifyhost; CURLcode ret; unsigned version_min, version_max; #ifdef ENABLE_IPV6 @@ -588,7 +594,7 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, DEBUGASSERT(backend); - switch(SSL_CONN_CONFIG(version)) { + switch(conn_config->version) { case CURL_SSLVERSION_SSLv2: failf(data, "BearSSL does not support SSLv2"); return CURLE_SSL_CONNECT_ERROR; @@ -659,11 +665,11 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, br_ssl_engine_set_buffer(&backend->ctx.eng, backend->buf, sizeof(backend->buf), 1); - if(SSL_CONN_CONFIG(cipher_list)) { + if(conn_config->cipher_list) { /* Override the ciphers as specified. For the default cipher list see the BearSSL source code of br_ssl_client_init_full() */ ret = bearssl_set_selected_ciphers(data, &backend->ctx.eng, - SSL_CONN_CONFIG(cipher_list)); + conn_config->cipher_list); if(ret) return ret; } @@ -674,19 +680,18 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, backend->x509.verifyhost = verifyhost; br_ssl_engine_set_x509(&backend->ctx.eng, &backend->x509.vtable); - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { void *session; Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, - &session, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(cf, data, &session, NULL)) { br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); infof(data, "BearSSL: re-using session ID"); } Curl_ssl_sessionid_unlock(data); } - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { int cur = 0; /* NOTE: when adding more protocols here, increase the size of the @@ -696,7 +701,7 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, #ifdef USE_HTTP2 if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY - && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) + && (!Curl_ssl_cf_is_proxy(cf) || !cf->conn->bits.tunnel_proxy) #endif ) { backend->protocols[cur++] = ALPN_H2; @@ -753,17 +758,17 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, return CURLE_OK; } -static CURLcode bearssl_run_until(struct Curl_easy *data, - struct connectdata *conn, int sockindex, +static CURLcode bearssl_run_until(struct Curl_cfilter *cf, + struct Curl_easy *data, unsigned target) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - curl_socket_t sockfd = conn->sock[sockindex]; unsigned state; unsigned char *buf; size_t len; ssize_t ret; + CURLcode result; int err; DEBUGASSERT(backend); @@ -802,48 +807,37 @@ static CURLcode bearssl_run_until(struct Curl_easy *data, return CURLE_OK; if(state & BR_SSL_SENDREC) { buf = br_ssl_engine_sendrec_buf(&backend->ctx.eng, &len); - ret = swrite(sockfd, buf, len); - if(ret == -1) { - if(SOCKERRNO == EAGAIN || SOCKERRNO == EWOULDBLOCK) { - if(connssl->state != ssl_connection_complete) - connssl->connecting_state = ssl_connect_2_writing; - return CURLE_AGAIN; - } - return CURLE_WRITE_ERROR; + ret = Curl_conn_cf_send(cf->next, data, (char *)buf, len, &result); + if(ret <= 0) { + return result; } br_ssl_engine_sendrec_ack(&backend->ctx.eng, ret); } else if(state & BR_SSL_RECVREC) { buf = br_ssl_engine_recvrec_buf(&backend->ctx.eng, &len); - ret = sread(sockfd, buf, len); + ret = Curl_conn_cf_recv(cf->next, data, (char *)buf, len, &result); if(ret == 0) { failf(data, "SSL: EOF without close notify"); return CURLE_READ_ERROR; } - if(ret == -1) { - if(SOCKERRNO == EAGAIN || SOCKERRNO == EWOULDBLOCK) { - if(connssl->state != ssl_connection_complete) - connssl->connecting_state = ssl_connect_2_reading; - return CURLE_AGAIN; - } - return CURLE_READ_ERROR; + if(ret <= 0) { + return result; } br_ssl_engine_recvrec_ack(&backend->ctx.eng, ret); } } } -static CURLcode bearssl_connect_step2(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step2(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; CURLcode ret; DEBUGASSERT(backend); - ret = bearssl_run_until(data, conn, sockindex, - BR_SSL_SENDAPP | BR_SSL_RECVAPP); + ret = bearssl_run_until(cf, data, BR_SSL_SENDAPP | BR_SSL_RECVAPP); if(ret == CURLE_AGAIN) return CURLE_OK; if(ret == CURLE_OK) { @@ -856,17 +850,18 @@ static CURLcode bearssl_connect_step2(struct Curl_easy *data, return ret; } -static CURLcode bearssl_connect_step3(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step3(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); CURLcode ret; DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); DEBUGASSERT(backend); - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { const char *protocol; protocol = br_ssl_engine_get_selected_protocol(&backend->ctx.eng); @@ -875,21 +870,21 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, #ifdef USE_HTTP2 if(!strcmp(protocol, ALPN_H2)) - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; else #endif if(!strcmp(protocol, ALPN_HTTP_1_1)) - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; else infof(data, "ALPN, unrecognized protocol %s", protocol); - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else infof(data, VTLS_INFOF_NO_ALPN); } - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { bool incache; bool added = FALSE; void *oldsession; @@ -900,14 +895,10 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, return CURLE_OUT_OF_MEMORY; br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); Curl_ssl_sessionid_lock(data); - incache = !(Curl_ssl_getsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - &oldsession, NULL, sockindex)); + incache = !(Curl_ssl_getsessionid(cf, data, &oldsession, NULL)); if(incache) Curl_ssl_delsessionid(data, oldsession); - ret = Curl_ssl_addsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - session, 0, sockindex, &added); + ret = Curl_ssl_addsessionid(cf, data, session, 0, &added); Curl_ssl_sessionid_unlock(data); if(!added) free(session); @@ -921,11 +912,10 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, return CURLE_OK; } -static ssize_t bearssl_send(struct Curl_easy *data, int sockindex, +static ssize_t bearssl_send(struct Curl_cfilter *cf, struct Curl_easy *data, const void *buf, size_t len, CURLcode *err) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; unsigned char *app; size_t applen; @@ -933,7 +923,7 @@ static ssize_t bearssl_send(struct Curl_easy *data, int sockindex, DEBUGASSERT(backend); for(;;) { - *err = bearssl_run_until(data, conn, sockindex, BR_SSL_SENDAPP); + *err = bearssl_run_until(cf, data, BR_SSL_SENDAPP); if (*err != CURLE_OK) return -1; app = br_ssl_engine_sendapp_buf(&backend->ctx.eng, &applen); @@ -956,18 +946,17 @@ static ssize_t bearssl_send(struct Curl_easy *data, int sockindex, } } -static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex, +static ssize_t bearssl_recv(struct Curl_cfilter *cf, struct Curl_easy *data, char *buf, size_t len, CURLcode *err) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; unsigned char *app; size_t applen; DEBUGASSERT(backend); - *err = bearssl_run_until(data, conn, sockindex, BR_SSL_RECVAPP); + *err = bearssl_run_until(cf, data, BR_SSL_RECVAPP); if(*err != CURLE_OK) return -1; app = br_ssl_engine_recvapp_buf(&backend->ctx.eng, &applen); @@ -981,15 +970,14 @@ static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex, return applen; } -static CURLcode bearssl_connect_common(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, +static CURLcode bearssl_connect_common(struct Curl_cfilter *cf, + struct Curl_easy *data, bool nonblocking, bool *done) { CURLcode ret; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; timediff_t timeout_ms; int what; @@ -1000,7 +988,7 @@ static CURLcode bearssl_connect_common(struct Curl_easy *data, } if(ssl_connect_1 == connssl->connecting_state) { - ret = bearssl_connect_step1(data, conn, sockindex); + ret = bearssl_connect_step1(cf, data); if(ret) return ret; } @@ -1053,7 +1041,7 @@ static CURLcode bearssl_connect_common(struct Curl_easy *data, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - ret = bearssl_connect_step2(data, conn, sockindex); + ret = bearssl_connect_step2(cf, data); if(ret || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1062,15 +1050,13 @@ static CURLcode bearssl_connect_common(struct Curl_easy *data, } if(ssl_connect_3 == connssl->connecting_state) { - ret = bearssl_connect_step3(data, conn, sockindex); + ret = bearssl_connect_step3(cf, data); if(ret) return ret; } if(ssl_connect_done == connssl->connecting_state) { connssl->state = ssl_connection_complete; - conn->recv[sockindex] = bearssl_recv; - conn->send[sockindex] = bearssl_send; *done = TRUE; } else @@ -1087,13 +1073,14 @@ static size_t bearssl_version(char *buffer, size_t size) return msnprintf(buffer, size, "BearSSL"); } -static bool bearssl_data_pending(const struct connectdata *conn, - int connindex) +static bool bearssl_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[connindex]; - struct ssl_backend_data *backend = connssl->backend; - DEBUGASSERT(backend); - return br_ssl_engine_current_state(&backend->ctx.eng) & BR_SSL_RECVAPP; + struct ssl_connect_data *ctx = cf->ctx; + + (void)data; + DEBUGASSERT(ctx && ctx->backend); + return br_ssl_engine_current_state(&ctx->backend->ctx.eng) & BR_SSL_RECVAPP; } static CURLcode bearssl_random(struct Curl_easy *data UNUSED_PARAM, @@ -1116,13 +1103,13 @@ static CURLcode bearssl_random(struct Curl_easy *data UNUSED_PARAM, return CURLE_OK; } -static CURLcode bearssl_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode ret; bool done = FALSE; - ret = bearssl_connect_common(data, conn, sockindex, FALSE, &done); + ret = bearssl_connect_common(cf, data, FALSE, &done); if(ret) return ret; @@ -1131,11 +1118,11 @@ static CURLcode bearssl_connect(struct Curl_easy *data, return CURLE_OK; } -static CURLcode bearssl_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode bearssl_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { - return bearssl_connect_common(data, conn, sockindex, TRUE, done); + return bearssl_connect_common(cf, data, TRUE, done); } static void *bearssl_get_internals(struct ssl_connect_data *connssl, @@ -1146,22 +1133,24 @@ static void *bearssl_get_internals(struct ssl_connect_data *connssl, return &backend->ctx; } -static void bearssl_close(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static void bearssl_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; size_t i; DEBUGASSERT(backend); if(backend->active) { + backend->active = FALSE; br_ssl_engine_close(&backend->ctx.eng); - (void)bearssl_run_until(data, conn, sockindex, BR_SSL_CLOSED); + (void)bearssl_run_until(cf, data, BR_SSL_CLOSED); + } + if(backend->anchors) { + for(i = 0; i < backend->anchors_len; ++i) + free(backend->anchors[i].dn.data); + Curl_safefree(backend->anchors); } - for(i = 0; i < backend->anchors_len; ++i) - free(backend->anchors[i].dn.data); - free(backend->anchors); } static void bearssl_session_free(void *ptr) @@ -1184,7 +1173,7 @@ static CURLcode bearssl_sha256sum(const unsigned char *input, const struct Curl_ssl Curl_ssl_bearssl = { { CURLSSLBACKEND_BEARSSL, "bearssl" }, /* info */ - SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX, + SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX | SSLSUPP_HTTPS_PROXY, sizeof(struct ssl_backend_data), Curl_none_init, /* init */ @@ -1197,7 +1186,7 @@ const struct Curl_ssl Curl_ssl_bearssl = { Curl_none_cert_status_request, /* cert_status_request */ bearssl_connect, /* connect */ bearssl_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ bearssl_get_internals, /* get_internals */ bearssl_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -1208,7 +1197,10 @@ const struct Curl_ssl Curl_ssl_bearssl = { Curl_none_false_start, /* false_start */ bearssl_sha256sum, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + bearssl_recv, /* recv decrypted data */ + bearssl_send, /* send data to encrypt */ }; #endif /* USE_BEARSSL */ diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index 4ee4ede..2074dca 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c @@ -73,6 +73,7 @@ #include "sendf.h" #include "gskit.h" #include "vtls.h" +#include "vtls_int.h" #include "connect.h" /* for the connect timeout */ #include "select.h" #include "strcase.h" @@ -105,10 +106,8 @@ struct ssl_backend_data { gsk_handle handle; int iocport; -#ifndef CURL_DISABLE_PROXY int localfd; int remotefd; -#endif }; #define BACKEND connssl->backend @@ -295,11 +294,12 @@ static CURLcode set_numeric(struct Curl_easy *data, } -static CURLcode set_ciphers(struct Curl_easy *data, +static CURLcode set_ciphers(struct Curl_cfilter *cf, struct Curl_easy *data, gsk_handle h, unsigned int *protoflags) { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct connectdata *conn = data->conn; - const char *cipherlist = SSL_CONN_CONFIG(cipher_list); + const char *cipherlist = conn_config->cipher_list; const char *clp; const struct gskit_cipher *ctp; int i; @@ -324,7 +324,7 @@ static CURLcode set_ciphers(struct Curl_easy *data, GSKit tokens are always shorter than their cipher names, allocated buffers will always be large enough to accommodate the result. */ l = strlen(cipherlist) + 1; - memset((char *) ciphers, 0, sizeof(ciphers)); + memset(ciphers, 0, sizeof(ciphers)); for(i = 0; i < CURL_GSKPROTO_LAST; i++) { ciphers[i].buf = malloc(l); if(!ciphers[i].buf) { @@ -490,14 +490,16 @@ static CURLcode init_environment(struct Curl_easy *data, } -static void cancel_async_handshake(struct connectdata *conn, int sockindex) +static void cancel_async_handshake(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; Qso_OverlappedIO_t cstat; + (void)data; DEBUGASSERT(BACKEND); - if(QsoCancelOperation(conn->sock[sockindex], 0) > 0) + if(QsoCancelOperation(cf->conn->sock[cf->sockindex], 0) > 0) QsoWaitForIOCompletion(BACKEND->iocport, &cstat, (struct timeval *) NULL); } @@ -509,12 +511,12 @@ static void close_async_handshake(struct ssl_connect_data *connssl) BACKEND->iocport = -1; } -static int pipe_ssloverssl(struct connectdata *conn, int sockindex, - int directions) +static int pipe_ssloverssl(struct Curl_cfilter *cf, int directions) { -#ifndef CURL_DISABLE_PROXY - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct ssl_connect_data *connproxyssl = &conn->proxy_ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_cfilter *cf_ssl_next = Curl_ssl_cf_get_ssl(cf->next); + struct ssl_connect_data *connssl_next = cf_ssl_next? + cf_ssl_next->ctx : NULL; struct pollfd fds[2]; int n; int m; @@ -523,14 +525,14 @@ static int pipe_ssloverssl(struct connectdata *conn, int sockindex, char buf[CURL_MAX_WRITE_SIZE]; DEBUGASSERT(BACKEND); - DEBUGASSERT(connproxyssl->backend); - if(!connssl->use || !connproxyssl->use) + if(!connssl_next) return 0; /* No SSL over SSL: OK. */ + DEBUGASSERT(connssl_next->backend); n = 1; fds[0].fd = BACKEND->remotefd; - fds[1].fd = conn->sock[sockindex]; + fds[1].fd = cf->conn->sock[cf->sockindex]; if(directions & SOS_READ) { fds[0].events |= POLLOUT; @@ -547,7 +549,7 @@ static int pipe_ssloverssl(struct connectdata *conn, int sockindex, if(fds[0].revents & POLLOUT) { /* Try getting data from HTTPS proxy and pipe it upstream. */ n = 0; - i = gsk_secure_soc_read(connproxyssl->backend->handle, + i = gsk_secure_soc_read(connssl_next->backend->handle, buf, sizeof(buf), &n); switch(i) { case GSK_OK: @@ -572,7 +574,7 @@ static int pipe_ssloverssl(struct connectdata *conn, int sockindex, if(n < 0) return -1; if(n) { - i = gsk_secure_soc_write(connproxyssl->backend->handle, buf, n, &m); + i = gsk_secure_soc_write(connssl_next->backend->handle, buf, n, &m); if(i != GSK_OK || n != m) return -1; ret = 1; @@ -580,24 +582,21 @@ static int pipe_ssloverssl(struct connectdata *conn, int sockindex, } return ret; /* OK */ -#else - return 0; -#endif } -static void close_one(struct ssl_connect_data *connssl, struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static void close_one(struct Curl_cfilter *cf, struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; + DEBUGASSERT(BACKEND); if(BACKEND->handle) { gskit_status(data, gsk_secure_soc_close(&BACKEND->handle), "gsk_secure_soc_close()", 0); /* Last chance to drain output. */ - while(pipe_ssloverssl(conn, sockindex, SOS_WRITE) > 0) + while(pipe_ssloverssl(cf, SOS_WRITE) > 0) ; BACKEND->handle = (gsk_handle) NULL; -#ifndef CURL_DISABLE_PROXY if(BACKEND->localfd >= 0) { close(BACKEND->localfd); BACKEND->localfd = -1; @@ -606,30 +605,29 @@ static void close_one(struct ssl_connect_data *connssl, struct Curl_easy *data, close(BACKEND->remotefd); BACKEND->remotefd = -1; } -#endif } if(BACKEND->iocport >= 0) close_async_handshake(connssl); } -static ssize_t gskit_send(struct Curl_easy *data, int sockindex, +static ssize_t gskit_send(struct Curl_cfilter *cf, struct Curl_easy *data, const void *mem, size_t len, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct connectdata *conn = cf->conn; + struct ssl_connect_data *connssl = cf->ctx; CURLcode cc = CURLE_SEND_ERROR; int written; DEBUGASSERT(BACKEND); - if(pipe_ssloverssl(conn, sockindex, SOS_WRITE) >= 0) { + if(pipe_ssloverssl(cf, SOS_WRITE) >= 0) { cc = gskit_status(data, gsk_secure_soc_write(BACKEND->handle, (char *) mem, (int) len, &written), "gsk_secure_soc_write()", CURLE_SEND_ERROR); if(cc == CURLE_OK) - if(pipe_ssloverssl(conn, sockindex, SOS_WRITE) < 0) + if(pipe_ssloverssl(cf, SOS_WRITE) < 0) cc = CURLE_SEND_ERROR; } if(cc != CURLE_OK) { @@ -640,17 +638,18 @@ static ssize_t gskit_send(struct Curl_easy *data, int sockindex, } -static ssize_t gskit_recv(struct Curl_easy *data, int num, char *buf, - size_t buffersize, CURLcode *curlcode) +static ssize_t gskit_recv(struct Curl_cfilter *cf, struct Curl_easy *data, + char *buf, size_t buffersize, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[num]; + struct connectdata *conn = cf->conn; + struct ssl_connect_data *connssl = cf->ctx; int nread; CURLcode cc = CURLE_RECV_ERROR; + (void)data; DEBUGASSERT(BACKEND); - if(pipe_ssloverssl(conn, num, SOS_READ) >= 0) { + if(pipe_ssloverssl(cf, SOS_READ) >= 0) { int buffsize = buffersize > (size_t) INT_MAX? INT_MAX: (int) buffersize; cc = gskit_status(data, gsk_secure_soc_read(BACKEND->handle, buf, buffsize, &nread), @@ -670,11 +669,14 @@ static ssize_t gskit_recv(struct Curl_easy *data, int num, char *buf, } static CURLcode -set_ssl_version_min_max(unsigned int *protoflags, struct Curl_easy *data) +set_ssl_version_min_max(unsigned int *protoflags, + struct Curl_cfilter *cf, + struct Curl_easy *data) { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct connectdata *conn = data->conn; - long ssl_version = SSL_CONN_CONFIG(version); - long ssl_version_max = SSL_CONN_CONFIG(version_max); + long ssl_version = conn_config->version; + long ssl_version_max = conn_config->version_max; long i = ssl_version; switch(ssl_version_max) { case CURL_SSLVERSION_MAX_NONE: @@ -702,35 +704,36 @@ set_ssl_version_min_max(unsigned int *protoflags, struct Curl_easy *data) return CURLE_OK; } -static CURLcode gskit_connect_step1(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode gskit_connect_step1(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + struct Curl_cfilter *cf_ssl_next = Curl_ssl_cf_get_ssl(cf->next); + struct ssl_connect_data *connssl_next = cf_ssl_next? + cf_ssl_next->ctx : NULL; gsk_handle envir; CURLcode result; - const char * const keyringfile = SSL_CONN_CONFIG(CAfile); - const char * const keyringpwd = SSL_SET_OPTION(key_passwd); - const char * const keyringlabel = SSL_SET_OPTION(primary.clientcert); - const long int ssl_version = SSL_CONN_CONFIG(version); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const char * const hostname = SSL_HOST_NAME(); + const char * const keyringfile = conn_config->CAfile; + const char * const keyringpwd = conn_config->key_passwd; + const char * const keyringlabel = ssl_config->primary.clientcert; + const long int ssl_version = conn_config->version; + const bool verifypeer = conn_config->verifypeer; + const char *hostname = connssl->hostname; const char *sni; unsigned int protoflags = 0; Qso_OverlappedIO_t commarea; -#ifndef CURL_DISABLE_PROXY int sockpair[2]; static const int sobufsize = CURL_MAX_WRITE_SIZE; -#endif /* Create SSL environment, start (preferably asynchronous) handshake. */ DEBUGASSERT(BACKEND); BACKEND->handle = (gsk_handle) NULL; BACKEND->iocport = -1; -#ifndef CURL_DISABLE_PROXY BACKEND->localfd = -1; BACKEND->remotefd = -1; -#endif /* GSKit supports two ways of specifying an SSL context: either by * application identifier (that should have been defined at the system @@ -769,9 +772,8 @@ static CURLcode gskit_connect_step1(struct Curl_easy *data, if(result) return result; -#ifndef CURL_DISABLE_PROXY /* Establish a pipelining socket pair for SSL over SSL. */ - if(conn->proxy_ssl[sockindex].use) { + if(connssl_next) { if(Curl_socketpair(0, 0, 0, sockpair)) return CURLE_SSL_CONNECT_ERROR; BACKEND->localfd = sockpair[0]; @@ -787,7 +789,6 @@ static CURLcode gskit_connect_step1(struct Curl_easy *data, curlx_nonblock(BACKEND->localfd, TRUE); curlx_nonblock(BACKEND->remotefd, TRUE); } -#endif /* Determine which SSL/TLS version should be enabled. */ sni = hostname; @@ -809,7 +810,7 @@ static CURLcode gskit_connect_step1(struct Curl_easy *data, case CURL_SSLVERSION_TLSv1_1: case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: - result = set_ssl_version_min_max(&protoflags, data); + result = set_ssl_version_min_max(&protoflags, cf, data); if(result != CURLE_OK) return result; break; @@ -845,15 +846,10 @@ static CURLcode gskit_connect_step1(struct Curl_easy *data, if(!result) result = set_numeric(data, BACKEND->handle, GSK_OS400_READ_TIMEOUT, 1); if(!result) -#ifndef CURL_DISABLE_PROXY result = set_numeric(data, BACKEND->handle, GSK_FD, BACKEND->localfd >= 0? - BACKEND->localfd: conn->sock[sockindex]); -#else - result = set_numeric(data, BACKEND->handle, GSK_FD, - conn->sock[sockindex]); -#endif + BACKEND->localfd: cf->conn->sock[cf->sockindex]); if(!result) - result = set_ciphers(data, BACKEND->handle, &protoflags); + result = set_ciphers(cf, data, BACKEND->handle, &protoflags); if(!protoflags) { failf(data, "No SSL protocol/cipher combination enabled"); result = CURLE_SSL_CIPHER; @@ -920,12 +916,10 @@ static CURLcode gskit_connect_step1(struct Curl_easy *data, else if(errno != ENOBUFS) result = gskit_status(data, GSK_ERROR_IO, "QsoCreateIOCompletionPort()", 0); -#ifndef CURL_DISABLE_PROXY - else if(conn->proxy_ssl[sockindex].use) { + else if(connssl_next) { /* Cannot pipeline while handshaking synchronously. */ result = CURLE_SSL_CONNECT_ERROR; } -#endif else { /* No more completion port available. Use synchronous IO. */ result = gskit_status(data, gsk_secure_soc_init(BACKEND->handle), @@ -943,11 +937,11 @@ static CURLcode gskit_connect_step1(struct Curl_easy *data, } -static CURLcode gskit_connect_step2(struct Curl_easy *data, - struct connectdata *conn, int sockindex, +static CURLcode gskit_connect_step2(struct Curl_cfilter *cf, + struct Curl_easy *data, bool nonblocking) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; Qso_OverlappedIO_t cstat; struct timeval stmv; CURLcode result; @@ -975,7 +969,7 @@ static CURLcode gskit_connect_step2(struct Curl_easy *data, char buffer[STRERROR_LEN]; failf(data, "QsoWaitForIOCompletion() I/O error: %s", Curl_strerror(errno, buffer, sizeof(buffer))); - cancel_async_handshake(conn, sockindex); + cancel_async_handshake(cf, data); close_async_handshake(connssl); return CURLE_SSL_CONNECT_ERROR; } @@ -983,7 +977,7 @@ static CURLcode gskit_connect_step2(struct Curl_easy *data, case 0: /* Handshake in progress, timeout occurred. */ if(nonblocking) return CURLE_OK; - cancel_async_handshake(conn, sockindex); + cancel_async_handshake(cf, data); close_async_handshake(connssl); return CURLE_OPERATION_TIMEDOUT; } @@ -998,15 +992,15 @@ static CURLcode gskit_connect_step2(struct Curl_easy *data, } -static CURLcode gskit_connect_step3(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode gskit_connect_step3(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; const gsk_cert_data_elem *cdev; int cdec; const gsk_cert_data_elem *p; const char *cert = (const char *) NULL; - const char *certend; + const char *certend = (const char *) NULL; const char *ptr; CURLcode result; @@ -1044,7 +1038,7 @@ static CURLcode gskit_connect_step3(struct Curl_easy *data, } /* Verify host. */ - result = Curl_verifyhost(data, conn, cert, certend); + result = Curl_verifyhost(cf, data, cert, certend); if(result) return result; @@ -1066,7 +1060,9 @@ static CURLcode gskit_connect_step3(struct Curl_easy *data, } /* Check pinned public key. */ - ptr = SSL_PINNED_PUB_KEY(); + ptr = Curl_ssl_cf_is_proxy(cf)? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: + data->set.str[STRING_SSL_PINNEDPUBLICKEY]; if(!result && ptr) { struct Curl_X509certificate x509; struct Curl_asn1Element *p; @@ -1087,11 +1083,11 @@ static CURLcode gskit_connect_step3(struct Curl_easy *data, } -static CURLcode gskit_connect_common(struct Curl_easy *data, - struct connectdata *conn, int sockindex, +static CURLcode gskit_connect_common(struct Curl_cfilter *cf, + struct Curl_easy *data, bool nonblocking, bool *done) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; timediff_t timeout_ms; CURLcode result = CURLE_OK; @@ -1110,12 +1106,12 @@ static CURLcode gskit_connect_common(struct Curl_easy *data, result = CURLE_OPERATION_TIMEDOUT; } else - result = gskit_connect_step1(data, conn, sockindex); + result = gskit_connect_step1(cf, data); } /* Handle handshake pipelining. */ if(!result) - if(pipe_ssloverssl(conn, sockindex, SOS_READ | SOS_WRITE) < 0) + if(pipe_ssloverssl(cf, SOS_READ | SOS_WRITE) < 0) result = CURLE_SSL_CONNECT_ERROR; /* Step 2: check if handshake is over. */ @@ -1129,25 +1125,23 @@ static CURLcode gskit_connect_common(struct Curl_easy *data, result = CURLE_OPERATION_TIMEDOUT; } else - result = gskit_connect_step2(data, conn, sockindex, nonblocking); + result = gskit_connect_step2(cf, data, nonblocking); } /* Handle handshake pipelining. */ if(!result) - if(pipe_ssloverssl(conn, sockindex, SOS_READ | SOS_WRITE) < 0) + if(pipe_ssloverssl(cf, SOS_READ | SOS_WRITE) < 0) result = CURLE_SSL_CONNECT_ERROR; /* Step 3: gather certificate info, verify host. */ if(!result && connssl->connecting_state == ssl_connect_3) - result = gskit_connect_step3(data, conn, sockindex); + result = gskit_connect_step3(cf, data); if(result) close_one(connssl, data, conn, sockindex); else if(connssl->connecting_state == ssl_connect_done) { connssl->state = ssl_connection_complete; connssl->connecting_state = ssl_connect_1; - conn->recv[sockindex] = gskit_recv; - conn->send[sockindex] = gskit_send; *done = TRUE; } @@ -1155,27 +1149,29 @@ static CURLcode gskit_connect_common(struct Curl_easy *data, } -static CURLcode gskit_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode gskit_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { + struct ssl_connect_data *connssl = cf->ctx; CURLcode result; - result = gskit_connect_common(data, conn, sockindex, TRUE, done); + result = gskit_connect_common(cf, data, TRUE, done); if(*done || result) - conn->ssl[sockindex].connecting_state = ssl_connect_1; + connssl->connecting_state = ssl_connect_1; return result; } -static CURLcode gskit_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode gskit_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; CURLcode result; bool done; - conn->ssl[sockindex].connecting_state = ssl_connect_1; - result = gskit_connect_common(data, conn, sockindex, FALSE, &done); + connssl->connecting_state = ssl_connect_1; + result = gskit_connect_common(cf, data, FALSE, &done); if(result) return result; @@ -1185,20 +1181,16 @@ static CURLcode gskit_connect(struct Curl_easy *data, } -static void gskit_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static void gskit_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - close_one(&conn->ssl[sockindex], data, conn, sockindex); -#ifndef CURL_DISABLE_PROXY - close_one(&conn->proxy_ssl[sockindex], data, conn, sockindex); -#endif + close_one(cf, data); } -static int gskit_shutdown(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static int gskit_shutdown(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; int what; int rc; char buf[120]; @@ -1214,9 +1206,9 @@ static int gskit_shutdown(struct Curl_easy *data, return 0; #endif - close_one(connssl, data, conn, sockindex); + close_one(cf, data); rc = 0; - what = SOCKET_READABLE(conn->sock[sockindex], + what = SOCKET_READABLE(cf->conn->sock[cf->sockindex], SSL_SHUTDOWN_TIMEOUT); while(loop--) { @@ -1238,7 +1230,7 @@ static int gskit_shutdown(struct Curl_easy *data, notify alert from the server. No way to gsk_secure_soc_read() now, so use read(). */ - nread = read(conn->sock[sockindex], buf, sizeof(buf)); + nread = read(cf->conn->sock[cf->sockindex], buf, sizeof(buf)); if(nread < 0) { char buffer[STRERROR_LEN]; @@ -1249,7 +1241,7 @@ static int gskit_shutdown(struct Curl_easy *data, if(nread <= 0) break; - what = SOCKET_READABLE(conn->sock[sockindex], 0); + what = SOCKET_READABLE(cf->conn->sock[cf->sockindex], 0); } return rc; @@ -1262,12 +1254,14 @@ static size_t gskit_version(char *buffer, size_t size) } -static int gskit_check_cxn(struct connectdata *cxn) +static int gskit_check_cxn(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &cxn->ssl[FIRSTSOCKET]; + struct ssl_connect_data *connssl = cf->ctx; int err; int errlen; + (void)data; /* The only thing that can be tested here is at the socket level. */ DEBUGASSERT(BACKEND); @@ -1311,7 +1305,7 @@ const struct Curl_ssl Curl_ssl_gskit = { Curl_none_cert_status_request, /* cert_status_request */ gskit_connect, /* connect */ gskit_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ gskit_get_internals, /* get_internals */ gskit_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -1323,7 +1317,10 @@ const struct Curl_ssl Curl_ssl_gskit = { Curl_none_false_start, /* false_start */ NULL, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + gskit_recv, /* recv decrypted data */ + gskit_send, /* send data to encrypt */ }; #endif /* USE_GSKIT */ diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index cf3dbc5..104dce6 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -45,6 +45,7 @@ #include "inet_pton.h" #include "gtls.h" #include "vtls.h" +#include "vtls_int.h" #include "vauth/vauth.h" #include "parsedate.h" #include "connect.h" /* for the connect timeout */ @@ -58,14 +59,6 @@ /* The last #include file should be: */ #include "memdebug.h" -#ifdef HAVE_GNUTLS_SRP -/* the function exists */ -#ifdef USE_TLS_SRP -/* the functionality is not disabled */ -#define USE_GNUTLS_SRP -#endif -#endif - /* Enable GnuTLS debugging by defining GTLSDEBUG */ /*#define GTLSDEBUG */ @@ -84,35 +77,43 @@ static bool gtls_inited = FALSE; # include struct ssl_backend_data { - gnutls_session_t session; - gnutls_certificate_credentials_t cred; -#ifdef USE_GNUTLS_SRP - gnutls_srp_client_credentials_t srp_client_cred; -#endif + struct gtls_instance gtls; }; -static ssize_t gtls_push(void *s, const void *buf, size_t len) +static ssize_t gtls_push(void *s, const void *buf, size_t blen) { - curl_socket_t sock = *(curl_socket_t *)s; - ssize_t ret = swrite(sock, buf, len); - return ret; -} + struct Curl_cfilter *cf = s; + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->call_data; + ssize_t nwritten; + CURLcode result; -static ssize_t gtls_pull(void *s, void *buf, size_t len) -{ - curl_socket_t sock = *(curl_socket_t *)s; - ssize_t ret = sread(sock, buf, len); - return ret; + DEBUGASSERT(data); + nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result); + if(nwritten < 0) { + gnutls_transport_set_errno(connssl->backend->gtls.session, + (CURLE_AGAIN == result)? EAGAIN : EINVAL); + nwritten = -1; + } + return nwritten; } -static ssize_t gtls_push_ssl(void *s, const void *buf, size_t len) +static ssize_t gtls_pull(void *s, void *buf, size_t blen) { - return gnutls_record_send((gnutls_session_t) s, buf, len); -} + struct Curl_cfilter *cf = s; + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->call_data; + ssize_t nread; + CURLcode result; -static ssize_t gtls_pull_ssl(void *s, void *buf, size_t len) -{ - return gnutls_record_recv((gnutls_session_t) s, buf, len); + DEBUGASSERT(data); + nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result); + if(nread < 0) { + gnutls_transport_set_errno(connssl->backend->gtls.session, + (CURLE_AGAIN == result)? EAGAIN : EINVAL); + nread = -1; + } + return nread; } /* gtls_init() @@ -205,19 +206,18 @@ static void unload_file(gnutls_datum_t data) /* this function does a SSL/TLS (re-)handshake */ -static CURLcode handshake(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, +static CURLcode handshake(struct Curl_cfilter *cf, + struct Curl_easy *data, bool duringconnect, bool nonblocking) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; gnutls_session_t session; - curl_socket_t sockfd = conn->sock[sockindex]; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; DEBUGASSERT(backend); - session = backend->session; + session = backend->gtls.session; for(;;) { timediff_t timeout_ms; @@ -323,12 +323,12 @@ static gnutls_x509_crt_fmt_t do_file_type(const char *type) static CURLcode set_ssl_version_min_max(struct Curl_easy *data, + struct ssl_primary_config *conn_config, const char **prioritylist, const char *tls13support) { - struct connectdata *conn = data->conn; - long ssl_version = SSL_CONN_CONFIG(version); - long ssl_version_max = SSL_CONN_CONFIG(version_max); + long ssl_version = conn_config->version; + long ssl_version_max = conn_config->version_max; if((ssl_version == CURL_SSLVERSION_DEFAULT) || (ssl_version == CURL_SSLVERSION_TLSv1)) @@ -394,20 +394,16 @@ set_ssl_version_min_max(struct Curl_easy *data, return CURLE_SSL_CONNECT_ERROR; } -static CURLcode -gtls_connect_step1(struct Curl_easy *data, - struct connectdata *conn, - int sockindex) +CURLcode gtls_client_init(struct Curl_easy *data, + struct ssl_primary_config *config, + struct ssl_config_data *ssl_config, + const char *hostname, + struct gtls_instance *gtls, + long *pverifyresult) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct ssl_backend_data *backend = connssl->backend; unsigned int init_flags; - gnutls_session_t session; int rc; bool sni = TRUE; /* default is SNI enabled */ - void *transport_ptr = NULL; - gnutls_push_func gnutls_transport_push = NULL; - gnutls_pull_func gnutls_transport_pull = NULL; #ifdef ENABLE_IPV6 struct in6_addr addr; #else @@ -415,54 +411,44 @@ gtls_connect_step1(struct Curl_easy *data, #endif const char *prioritylist; const char *err = NULL; - const char * const hostname = SSL_HOST_NAME(); - long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult); const char *tls13support; CURLcode result; - DEBUGASSERT(backend); - - if(connssl->state == ssl_connection_complete) - /* to make us tolerant against being called more than once for the - same connection */ - return CURLE_OK; - if(!gtls_inited) gtls_init(); - /* Initialize certverifyresult to OK */ - *certverifyresult = 0; + *pverifyresult = 0; - if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) { + if(config->version == CURL_SSLVERSION_SSLv2) { failf(data, "GnuTLS does not support SSLv2"); return CURLE_SSL_CONNECT_ERROR; } - else if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv3) + else if(config->version == CURL_SSLVERSION_SSLv3) sni = FALSE; /* SSLv3 has no SNI */ /* allocate a cred struct */ - rc = gnutls_certificate_allocate_credentials(&backend->cred); + rc = gnutls_certificate_allocate_credentials(>ls->cred); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_cert_all_cred() failed: %s", gnutls_strerror(rc)); return CURLE_SSL_CONNECT_ERROR; } #ifdef USE_GNUTLS_SRP - if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && + if((config->authtype == CURL_TLSAUTH_SRP) && Curl_auth_allowed_to_host(data)) { - infof(data, "Using TLS-SRP username: %s", - SSL_SET_OPTION(primary.username)); + infof(data, "Using TLS-SRP username: %s", config->username); - rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); + rc = gnutls_srp_allocate_client_credentials( + >ls->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_allocate_client_cred() failed: %s", gnutls_strerror(rc)); return CURLE_OUT_OF_MEMORY; } - rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, - SSL_SET_OPTION(primary.username), - SSL_SET_OPTION(primary.password)); + rc = gnutls_srp_set_client_credentials(gtls->srp_client_cred, + config->username, + config->password); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_set_client_cred() failed: %s", gnutls_strerror(rc)); @@ -471,67 +457,63 @@ gtls_connect_step1(struct Curl_easy *data, } #endif - if(SSL_CONN_CONFIG(CAfile)) { + if(config->CAfile) { /* set the trusted CA cert bundle file */ - gnutls_certificate_set_verify_flags(backend->cred, + gnutls_certificate_set_verify_flags(gtls->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); - rc = gnutls_certificate_set_x509_trust_file(backend->cred, - SSL_CONN_CONFIG(CAfile), + rc = gnutls_certificate_set_x509_trust_file(gtls->cred, + config->CAfile, GNUTLS_X509_FMT_PEM); if(rc < 0) { infof(data, "error reading ca cert file %s (%s)", - SSL_CONN_CONFIG(CAfile), gnutls_strerror(rc)); - if(SSL_CONN_CONFIG(verifypeer)) { - *certverifyresult = rc; + config->CAfile, gnutls_strerror(rc)); + if(config->verifypeer) { + *pverifyresult = rc; return CURLE_SSL_CACERT_BADFILE; } } else - infof(data, "found %d certificates in %s", rc, - SSL_CONN_CONFIG(CAfile)); + infof(data, "found %d certificates in %s", rc, config->CAfile); } - if(SSL_CONN_CONFIG(CApath)) { + if(config->CApath) { /* set the trusted CA cert directory */ - rc = gnutls_certificate_set_x509_trust_dir(backend->cred, - SSL_CONN_CONFIG(CApath), + rc = gnutls_certificate_set_x509_trust_dir(gtls->cred, + config->CApath, GNUTLS_X509_FMT_PEM); if(rc < 0) { infof(data, "error reading ca cert file %s (%s)", - SSL_CONN_CONFIG(CApath), gnutls_strerror(rc)); - if(SSL_CONN_CONFIG(verifypeer)) { - *certverifyresult = rc; + config->CApath, gnutls_strerror(rc)); + if(config->verifypeer) { + *pverifyresult = rc; return CURLE_SSL_CACERT_BADFILE; } } else - infof(data, "found %d certificates in %s", - rc, SSL_CONN_CONFIG(CApath)); + infof(data, "found %d certificates in %s", rc, config->CApath); } #ifdef CURL_CA_FALLBACK /* use system ca certificate store as fallback */ - if(SSL_CONN_CONFIG(verifypeer) && - !(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath))) { + if(config->verifypeer && !(config->CAfile || config->CApath)) { /* this ignores errors on purpose */ - gnutls_certificate_set_x509_system_trust(backend->cred); + gnutls_certificate_set_x509_system_trust(gtls->cred); } #endif - if(SSL_SET_OPTION(primary.CRLfile)) { + if(config->CRLfile) { /* set the CRL list file */ - rc = gnutls_certificate_set_x509_crl_file(backend->cred, - SSL_SET_OPTION(primary.CRLfile), + rc = gnutls_certificate_set_x509_crl_file(gtls->cred, + config->CRLfile, GNUTLS_X509_FMT_PEM); if(rc < 0) { failf(data, "error reading crl file %s (%s)", - SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); + config->CRLfile, gnutls_strerror(rc)); return CURLE_SSL_CRL_BADFILE; } else - infof(data, "found %d CRL in %s", - rc, SSL_SET_OPTION(primary.CRLfile)); + infof(data, "found %d CRL in %s", rc, config->CRLfile); } /* Initialize TLS session as a client */ @@ -546,15 +528,12 @@ gtls_connect_step1(struct Curl_easy *data, init_flags |= GNUTLS_NO_TICKETS; #endif - rc = gnutls_init(&backend->session, init_flags); + rc = gnutls_init(>ls->session, init_flags); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_init() failed: %d", rc); return CURLE_SSL_CONNECT_ERROR; } - /* convenient assign */ - session = backend->session; - if((0 == Curl_inet_pton(AF_INET, hostname, &addr)) && #ifdef ENABLE_IPV6 (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) && @@ -562,15 +541,15 @@ gtls_connect_step1(struct Curl_easy *data, sni) { size_t snilen; char *snihost = Curl_ssl_snihost(data, hostname, &snilen); - if(!snihost || gnutls_server_name_set(session, GNUTLS_NAME_DNS, snihost, - snilen) < 0) { + if(!snihost || gnutls_server_name_set(gtls->session, GNUTLS_NAME_DNS, + snihost, snilen) < 0) { failf(data, "Failed to set SNI"); return CURLE_SSL_CONNECT_ERROR; } } /* Use default priorities */ - rc = gnutls_set_default_priority(session); + rc = gnutls_set_default_priority(gtls->session); if(rc != GNUTLS_E_SUCCESS) return CURLE_SSL_CONNECT_ERROR; @@ -581,13 +560,13 @@ gtls_connect_step1(struct Curl_easy *data, * removed if a run-time error indicates that SRP is not supported by this * GnuTLS version */ - if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2 || - SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv3) { + if(config->version == CURL_SSLVERSION_SSLv2 || + config->version == CURL_SSLVERSION_SSLv3) { failf(data, "GnuTLS does not support SSLv2 or SSLv3"); return CURLE_SSL_CONNECT_ERROR; } - if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_TLSv1_3) { + if(config->version == CURL_SSLVERSION_TLSv1_3) { if(!tls13support) { failf(data, "This GnuTLS installation does not support TLS 1.3"); return CURLE_SSL_CONNECT_ERROR; @@ -595,14 +574,14 @@ gtls_connect_step1(struct Curl_easy *data, } /* At this point we know we have a supported TLS version, so set it */ - result = set_ssl_version_min_max(data, &prioritylist, tls13support); + result = set_ssl_version_min_max(data, config, &prioritylist, tls13support); if(result) return result; #ifdef USE_GNUTLS_SRP /* Only add SRP to the cipher list if SRP is requested. Otherwise * GnuTLS will disable TLS 1.3 support. */ - if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { + if(config->authtype == CURL_TLSAUTH_SRP) { size_t len = strlen(prioritylist); char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); @@ -610,7 +589,7 @@ gtls_connect_step1(struct Curl_easy *data, return CURLE_OUT_OF_MEMORY; strcpy(prioritysrp, prioritylist); strcpy(prioritysrp + len, ":" GNUTLS_SRP); - rc = gnutls_priority_set_direct(session, prioritysrp, &err); + rc = gnutls_priority_set_direct(gtls->session, prioritysrp, &err); free(prioritysrp); if((rc == GNUTLS_E_INVALID_REQUEST) && err) { @@ -620,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data, else { #endif infof(data, "GnuTLS ciphers: %s", prioritylist); - rc = gnutls_priority_set_direct(session, prioritylist, &err); + rc = gnutls_priority_set_direct(gtls->session, prioritylist, &err); #ifdef USE_GNUTLS_SRP } #endif @@ -631,48 +610,19 @@ gtls_connect_step1(struct Curl_easy *data, return CURLE_SSL_CONNECT_ERROR; } - if(conn->bits.tls_enable_alpn) { - int cur = 0; - gnutls_datum_t protocols[2]; - -#ifdef USE_HTTP2 - if(data->state.httpwant >= CURL_HTTP_VERSION_2 -#ifndef CURL_DISABLE_PROXY - && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) -#endif - ) { - protocols[cur].data = (unsigned char *)ALPN_H2; - protocols[cur].size = ALPN_H2_LENGTH; - cur++; - infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); - } -#endif - - protocols[cur].data = (unsigned char *)ALPN_HTTP_1_1; - protocols[cur].size = ALPN_HTTP_1_1_LENGTH; - cur++; - infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); - - if(gnutls_alpn_set_protocols(session, protocols, cur, 0)) { - failf(data, "failed setting ALPN"); - return CURLE_SSL_CONNECT_ERROR; - } - } - - if(SSL_SET_OPTION(primary.clientcert)) { - if(SSL_SET_OPTION(key_passwd)) { + if(config->clientcert) { + if(ssl_config->key_passwd) { const unsigned int supported_key_encryption_algorithms = GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR | GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES | GNUTLS_PKCS_USE_PBES2_AES_128 | GNUTLS_PKCS_USE_PBES2_AES_192 | GNUTLS_PKCS_USE_PBES2_AES_256; rc = gnutls_certificate_set_x509_key_file2( - backend->cred, - SSL_SET_OPTION(primary.clientcert), - SSL_SET_OPTION(key) ? - SSL_SET_OPTION(key) : SSL_SET_OPTION(primary.clientcert), - do_file_type(SSL_SET_OPTION(cert_type)), - SSL_SET_OPTION(key_passwd), + gtls->cred, + config->clientcert, + ssl_config->key ? ssl_config->key : config->clientcert, + do_file_type(ssl_config->cert_type), + ssl_config->key_passwd, supported_key_encryption_algorithms); if(rc != GNUTLS_E_SUCCESS) { failf(data, @@ -683,11 +633,10 @@ gtls_connect_step1(struct Curl_easy *data, } else { if(gnutls_certificate_set_x509_key_file( - backend->cred, - SSL_SET_OPTION(primary.clientcert), - SSL_SET_OPTION(key) ? - SSL_SET_OPTION(key) : SSL_SET_OPTION(primary.clientcert), - do_file_type(SSL_SET_OPTION(cert_type)) ) != + gtls->cred, + config->clientcert, + ssl_config->key ? ssl_config->key : config->clientcert, + do_file_type(ssl_config->cert_type) ) != GNUTLS_E_SUCCESS) { failf(data, "error reading X.509 key or certificate file"); return CURLE_SSL_CONNECT_ERROR; @@ -697,9 +646,9 @@ gtls_connect_step1(struct Curl_easy *data, #ifdef USE_GNUTLS_SRP /* put the credentials to the current session */ - if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { - rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, - backend->srp_client_cred); + if(config->authtype == CURL_TLSAUTH_SRP) { + rc = gnutls_credentials_set(gtls->session, GNUTLS_CRD_SRP, + gtls->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc)); return CURLE_SSL_CONNECT_ERROR; @@ -708,59 +657,88 @@ gtls_connect_step1(struct Curl_easy *data, else #endif { - rc = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, - backend->cred); + rc = gnutls_credentials_set(gtls->session, GNUTLS_CRD_CERTIFICATE, + gtls->cred); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_credentials_set() failed: %s", gnutls_strerror(rc)); return CURLE_SSL_CONNECT_ERROR; } } -#ifndef CURL_DISABLE_PROXY - if(conn->proxy_ssl[sockindex].use) { - struct ssl_backend_data *proxy_backend; - proxy_backend = conn->proxy_ssl[sockindex].backend; - DEBUGASSERT(proxy_backend); - transport_ptr = proxy_backend->session; - gnutls_transport_push = gtls_push_ssl; - gnutls_transport_pull = gtls_pull_ssl; - } - else -#endif - { - /* file descriptor for the socket */ - transport_ptr = &conn->sock[sockindex]; - gnutls_transport_push = gtls_push; - gnutls_transport_pull = gtls_pull; + if(config->verifystatus) { + rc = gnutls_ocsp_status_request_enable_client(gtls->session, + NULL, 0, NULL); + if(rc != GNUTLS_E_SUCCESS) { + failf(data, "gnutls_ocsp_status_request_enable_client() failed: %d", rc); + return CURLE_SSL_CONNECT_ERROR; + } } - /* set the connection handle */ - gnutls_transport_set_ptr(session, transport_ptr); + return CURLE_OK; +} + +static CURLcode +gtls_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) +{ + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + long * const pverifyresult = &ssl_config->certverifyresult; + CURLcode result; - /* register callback functions to send and receive data. */ - gnutls_transport_set_push_function(session, gnutls_transport_push); - gnutls_transport_set_pull_function(session, gnutls_transport_pull); + DEBUGASSERT(backend); - if(SSL_CONN_CONFIG(verifystatus)) { - rc = gnutls_ocsp_status_request_enable_client(session, NULL, 0, NULL); - if(rc != GNUTLS_E_SUCCESS) { - failf(data, "gnutls_ocsp_status_request_enable_client() failed: %d", rc); + if(connssl->state == ssl_connection_complete) + /* to make us tolerant against being called more than once for the + same connection */ + return CURLE_OK; + + result = gtls_client_init(data, conn_config, ssl_config, + connssl->hostname, + &backend->gtls, pverifyresult); + if(result) + return result; + + if(cf->conn->bits.tls_enable_alpn) { + int cur = 0; + gnutls_datum_t protocols[2]; + +#ifdef USE_HTTP2 + if(data->state.httpwant >= CURL_HTTP_VERSION_2 +#ifndef CURL_DISABLE_PROXY + && (!Curl_ssl_cf_is_proxy(cf) || !cf->conn->bits.tunnel_proxy) +#endif + ) { + protocols[cur].data = (unsigned char *)ALPN_H2; + protocols[cur].size = ALPN_H2_LENGTH; + cur++; + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); + } +#endif + + protocols[cur].data = (unsigned char *)ALPN_HTTP_1_1; + protocols[cur].size = ALPN_HTTP_1_1_LENGTH; + cur++; + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); + + if(gnutls_alpn_set_protocols(backend->gtls.session, protocols, cur, 0)) { + failf(data, "failed setting ALPN"); return CURLE_SSL_CONNECT_ERROR; } } /* This might be a reconnect, so we check for a session ID in the cache to speed up things */ - if(SSL_SET_OPTION(primary.sessionid)) { + if(conn_config->sessionid) { void *ssl_sessionid; size_t ssl_idsize; Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - &ssl_sessionid, &ssl_idsize, sockindex)) { + if(!Curl_ssl_getsessionid(cf, data, &ssl_sessionid, &ssl_idsize)) { /* we got a session id, use it! */ - gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); + gnutls_session_set_data(backend->gtls.session, + ssl_sessionid, ssl_idsize); /* Informational message */ infof(data, "SSL re-using session ID"); @@ -768,6 +746,11 @@ gtls_connect_step1(struct Curl_easy *data, Curl_ssl_sessionid_unlock(data); } + /* register callback functions and handle to send and receive data. */ + gnutls_transport_set_ptr(backend->gtls.session, cf); + gnutls_transport_set_push_function(backend->gtls.session, gtls_push); + gnutls_transport_set_pull_function(backend->gtls.session, gtls_pull); + return CURLE_OK; } @@ -829,14 +812,14 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, return result; } -static Curl_recv gtls_recv; -static Curl_send gtls_send; - CURLcode Curl_gtls_verifyserver(struct Curl_easy *data, - struct connectdata *conn, gnutls_session_t session, - int sockindex) + struct ssl_primary_config *config, + struct ssl_config_data *ssl_config, + const char *hostname, + const char *dispname, + const char *pinned_key) { unsigned int cert_list_size; const gnutls_datum_t *chainp; @@ -849,15 +832,13 @@ Curl_gtls_verifyserver(struct Curl_easy *data, time_t certclock; const char *ptr; int rc; - gnutls_datum_t proto; CURLcode result = CURLE_OK; #ifndef CURL_DISABLE_VERBOSE_STRINGS unsigned int algo; unsigned int bits; gnutls_protocol_t version = gnutls_protocol_get_version(session); #endif - const char * const hostname = SSL_HOST_NAME(); - long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult); + long * const certverifyresult = &ssl_config->certverifyresult; /* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */ ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session), @@ -875,13 +856,13 @@ Curl_gtls_verifyserver(struct Curl_easy *data, chainp = gnutls_certificate_get_peers(session, &cert_list_size); if(!chainp) { - if(SSL_CONN_CONFIG(verifypeer) || - SSL_CONN_CONFIG(verifyhost) || - SSL_CONN_CONFIG(issuercert)) { + if(config->verifypeer || + config->verifyhost || + config->issuercert) { #ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(primary.username) - && !SSL_CONN_CONFIG(verifypeer) + if(ssl_config->primary.authtype == CURL_TLSAUTH_SRP + && ssl_config->primary.username + && !config->verifypeer && gnutls_cipher_get(session)) { /* no peer cert, but auth is ok if we have SRP user and cipher and no peer verify */ @@ -915,7 +896,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, } } - if(SSL_CONN_CONFIG(verifypeer)) { + if(config->verifypeer) { /* This function will try to verify the peer's certificate and return its status (trusted, invalid etc.). The value of status should be one or more of the gnutls_certificate_status_t enumerated elements bitwise @@ -934,12 +915,12 @@ Curl_gtls_verifyserver(struct Curl_easy *data, /* verify_status is a bitmask of gnutls_certificate_status bits */ if(verify_status & GNUTLS_CERT_INVALID) { - if(SSL_CONN_CONFIG(verifypeer)) { + if(config->verifypeer) { failf(data, "server certificate verification failed. CAfile: %s " - "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): + "CRLfile: %s", config->CAfile ? config->CAfile: "none", - SSL_SET_OPTION(primary.CRLfile) ? - SSL_SET_OPTION(primary.CRLfile) : "none"); + ssl_config->primary.CRLfile ? + ssl_config->primary.CRLfile : "none"); return CURLE_PEER_FAILED_VERIFICATION; } else @@ -951,7 +932,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, else infof(data, " server certificate verification SKIPPED"); - if(SSL_CONN_CONFIG(verifystatus)) { + if(config->verifystatus) { if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { gnutls_datum_t status_request; gnutls_ocsp_resp_t ocsp_resp; @@ -1062,21 +1043,21 @@ Curl_gtls_verifyserver(struct Curl_easy *data, gnutls_x509_crt_t format */ gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER); - if(SSL_CONN_CONFIG(issuercert)) { + if(config->issuercert) { gnutls_x509_crt_init(&x509_issuer); - issuerp = load_file(SSL_CONN_CONFIG(issuercert)); + issuerp = load_file(config->issuercert); gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM); rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer); gnutls_x509_crt_deinit(x509_issuer); unload_file(issuerp); if(rc <= 0) { failf(data, "server certificate issuer check failed (IssuerCert: %s)", - SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + config->issuercert?config->issuercert:"none"); gnutls_x509_crt_deinit(x509_cert); return CURLE_SSL_ISSUER_ERROR; } infof(data, " server certificate issuer check OK (Issuer Cert: %s)", - SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none"); + config->issuercert?config->issuercert:"none"); } size = sizeof(certname); @@ -1139,15 +1120,15 @@ Curl_gtls_verifyserver(struct Curl_easy *data, } #endif if(!rc) { - if(SSL_CONN_CONFIG(verifyhost)) { + if(config->verifyhost) { failf(data, "SSL: certificate subject name (%s) does not match " - "target host name '%s'", certname, SSL_HOST_DISPNAME()); + "target host name '%s'", certname, dispname); gnutls_x509_crt_deinit(x509_cert); return CURLE_PEER_FAILED_VERIFICATION; } else infof(data, " common name: %s (does not match '%s')", - certname, SSL_HOST_DISPNAME()); + certname, dispname); } else infof(data, " common name: %s (matched)", certname); @@ -1156,7 +1137,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, certclock = gnutls_x509_crt_get_expiration_time(x509_cert); if(certclock == (time_t)-1) { - if(SSL_CONN_CONFIG(verifypeer)) { + if(config->verifypeer) { failf(data, "server cert expiration date verify failed"); *certverifyresult = GNUTLS_CERT_EXPIRED; gnutls_x509_crt_deinit(x509_cert); @@ -1167,7 +1148,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, } else { if(certclock < time(NULL)) { - if(SSL_CONN_CONFIG(verifypeer)) { + if(config->verifypeer) { failf(data, "server certificate expiration date has passed."); *certverifyresult = GNUTLS_CERT_EXPIRED; gnutls_x509_crt_deinit(x509_cert); @@ -1183,7 +1164,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, certclock = gnutls_x509_crt_get_activation_time(x509_cert); if(certclock == (time_t)-1) { - if(SSL_CONN_CONFIG(verifypeer)) { + if(config->verifypeer) { failf(data, "server cert activation date verify failed"); *certverifyresult = GNUTLS_CERT_NOT_ACTIVATED; gnutls_x509_crt_deinit(x509_cert); @@ -1194,7 +1175,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, } else { if(certclock > time(NULL)) { - if(SSL_CONN_CONFIG(verifypeer)) { + if(config->verifypeer) { failf(data, "server certificate not activated yet."); *certverifyresult = GNUTLS_CERT_NOT_ACTIVATED; gnutls_x509_crt_deinit(x509_cert); @@ -1207,9 +1188,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, infof(data, " server certificate activation date OK"); } - ptr = SSL_PINNED_PUB_KEY(); - if(ptr) { - result = pkp_pin_peer_pubkey(data, x509_cert, ptr); + if(pinned_key) { + result = pkp_pin_peer_pubkey(data, x509_cert, pinned_key); if(result != CURLE_OK) { failf(data, "SSL: public key does not match pinned public key"); gnutls_x509_crt_deinit(x509_cert); @@ -1265,7 +1245,31 @@ Curl_gtls_verifyserver(struct Curl_easy *data, gnutls_x509_crt_deinit(x509_cert); - if(conn->bits.tls_enable_alpn) { + return result; +} + +static CURLcode gtls_verifyserver(struct Curl_cfilter *cf, + struct Curl_easy *data, + gnutls_session_t session) +{ + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + const char *pinned_key = Curl_ssl_cf_is_proxy(cf)? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: + data->set.str[STRING_SSL_PINNEDPUBLICKEY]; + CURLcode result; + + result = Curl_gtls_verifyserver(data, session, conn_config, ssl_config, + connssl->hostname, connssl->dispname, + pinned_key); + if(result) + goto out; + + if(cf->conn->bits.tls_enable_alpn) { + gnutls_datum_t proto; + int rc; + rc = gnutls_alpn_get_selected_protocol(session, &proto); if(rc == 0) { infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, proto.size, @@ -1275,25 +1279,23 @@ Curl_gtls_verifyserver(struct Curl_easy *data, if(proto.size == ALPN_H2_LENGTH && !memcmp(ALPN_H2, proto.data, ALPN_H2_LENGTH)) { - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(proto.size == ALPN_HTTP_1_1_LENGTH && !memcmp(ALPN_HTTP_1_1, proto.data, ALPN_HTTP_1_1_LENGTH)) { - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; } } else infof(data, VTLS_INFOF_NO_ALPN); - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } - conn->ssl[sockindex].state = ssl_connection_complete; - - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { /* we always unconditionally get the session id here, as even if we already got it from the cache and asked to use it in the connection, it might've been rejected and then a new one is in use now and we need to @@ -1314,9 +1316,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, gnutls_session_get_data(session, connect_sessionid, &connect_idsize); Curl_ssl_sessionid_lock(data); - incache = !(Curl_ssl_getsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - &ssl_sessionid, NULL, sockindex)); + incache = !(Curl_ssl_getsessionid(cf, data, &ssl_sessionid, NULL)); if(incache) { /* there was one before in the cache, so instead of risking that the previous one was rejected, we just kill that and store the new */ @@ -1324,10 +1324,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, } /* store this session id */ - result = Curl_ssl_addsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - connect_sessionid, connect_idsize, - sockindex, &added); + result = Curl_ssl_addsessionid(cf, data, connect_sessionid, + connect_idsize, &added); Curl_ssl_sessionid_unlock(data); if(!added) free(connect_sessionid); @@ -1339,10 +1337,10 @@ Curl_gtls_verifyserver(struct Curl_easy *data, result = CURLE_OUT_OF_MEMORY; } +out: return result; } - /* * This function is called after the TCP connect has completed. Setup the TLS * layer and do all necessary magic. @@ -1353,59 +1351,65 @@ Curl_gtls_verifyserver(struct Curl_easy *data, 'ssl_connect_2_writing' (waiting to be able to write). */ static CURLcode -gtls_connect_common(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, +gtls_connect_common(struct Curl_cfilter *cf, + struct Curl_easy *data, bool nonblocking, bool *done) { + struct ssl_connect_data *connssl = cf->ctx; int rc; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + CURLcode result = CURLE_OK; /* Initiate the connection, if not already done */ if(ssl_connect_1 == connssl->connecting_state) { - rc = gtls_connect_step1(data, conn, sockindex); - if(rc) - return rc; + rc = gtls_connect_step1(cf, data); + if(rc) { + result = rc; + goto out; + } } - rc = handshake(data, conn, sockindex, TRUE, nonblocking); - if(rc) + rc = handshake(cf, data, TRUE, nonblocking); + if(rc) { /* handshake() sets its own error message with failf() */ - return rc; + result = rc; + goto out; + } /* Finish connecting once the handshake is done */ if(ssl_connect_1 == connssl->connecting_state) { struct ssl_backend_data *backend = connssl->backend; gnutls_session_t session; DEBUGASSERT(backend); - session = backend->session; - rc = Curl_gtls_verifyserver(data, conn, session, sockindex); - if(rc) - return rc; - conn->recv[sockindex] = gtls_recv; - conn->send[sockindex] = gtls_send; + session = backend->gtls.session; + rc = gtls_verifyserver(cf, data, session); + if(rc) { + result = rc; + goto out; + } + connssl->state = ssl_connection_complete; } +out: *done = ssl_connect_1 == connssl->connecting_state; - return CURLE_OK; + return result; } -static CURLcode gtls_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode gtls_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { - return gtls_connect_common(data, conn, sockindex, TRUE, done); + return gtls_connect_common(cf, data, TRUE, done); } -static CURLcode gtls_connect(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static CURLcode gtls_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode result; bool done = FALSE; - result = gtls_connect_common(data, conn, sockindex, FALSE, &done); + result = gtls_connect_common(cf, data, FALSE, &done); if(result) return result; @@ -1414,44 +1418,32 @@ static CURLcode gtls_connect(struct Curl_easy *data, struct connectdata *conn, return CURLE_OK; } -static bool gtls_data_pending(const struct connectdata *conn, - int connindex) +static bool gtls_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[connindex]; - bool res = FALSE; - struct ssl_backend_data *backend = connssl->backend; + struct ssl_connect_data *ctx = cf->ctx; - DEBUGASSERT(backend); - - if(backend->session && - 0 != gnutls_record_check_pending(backend->session)) - res = TRUE; - -#ifndef CURL_DISABLE_PROXY - connssl = &conn->proxy_ssl[connindex]; - backend = connssl->backend; - DEBUGASSERT(backend); - if(backend->session && - 0 != gnutls_record_check_pending(backend->session)) - res = TRUE; -#endif - - return res; + (void)data; + DEBUGASSERT(ctx && ctx->backend); + if(ctx->backend->gtls.session && + 0 != gnutls_record_check_pending(ctx->backend->gtls.session)) + return TRUE; + return FALSE; } -static ssize_t gtls_send(struct Curl_easy *data, - int sockindex, +static ssize_t gtls_send(struct Curl_cfilter *cf, + struct Curl_easy *data, const void *mem, size_t len, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; ssize_t rc; + (void)data; DEBUGASSERT(backend); - rc = gnutls_record_send(backend->session, mem, len); + rc = gnutls_record_send(backend->gtls.session, mem, len); if(rc < 0) { *curlcode = (rc == GNUTLS_E_AGAIN) @@ -1464,50 +1456,45 @@ static ssize_t gtls_send(struct Curl_easy *data, return rc; } -static void close_one(struct ssl_connect_data *connssl) +static void gtls_close(struct Curl_cfilter *cf, + struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + + (void) data; DEBUGASSERT(backend); - if(backend->session) { + if(backend->gtls.session) { char buf[32]; /* Maybe the server has already sent a close notify alert. Read it to avoid an RST on the TCP connection. */ - (void)gnutls_record_recv(backend->session, buf, sizeof(buf)); - gnutls_bye(backend->session, GNUTLS_SHUT_WR); - gnutls_deinit(backend->session); - backend->session = NULL; + (void)gnutls_record_recv(backend->gtls.session, buf, sizeof(buf)); + gnutls_bye(backend->gtls.session, GNUTLS_SHUT_WR); + gnutls_deinit(backend->gtls.session); + backend->gtls.session = NULL; } - if(backend->cred) { - gnutls_certificate_free_credentials(backend->cred); - backend->cred = NULL; + if(backend->gtls.cred) { + gnutls_certificate_free_credentials(backend->gtls.cred); + backend->gtls.cred = NULL; } #ifdef USE_GNUTLS_SRP - if(backend->srp_client_cred) { - gnutls_srp_free_client_credentials(backend->srp_client_cred); - backend->srp_client_cred = NULL; + if(backend->gtls.srp_client_cred) { + gnutls_srp_free_client_credentials(backend->gtls.srp_client_cred); + backend->gtls.srp_client_cred = NULL; } #endif } -static void gtls_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) -{ - (void) data; - close_one(&conn->ssl[sockindex]); -#ifndef CURL_DISABLE_PROXY - close_one(&conn->proxy_ssl[sockindex]); -#endif -} - /* * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static int gtls_shutdown(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); struct ssl_backend_data *backend = connssl->backend; int retval = 0; @@ -1520,21 +1507,21 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, we do not send one. Let's hope other servers do the same... */ if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE) - gnutls_bye(backend->session, GNUTLS_SHUT_WR); + gnutls_bye(backend->gtls.session, GNUTLS_SHUT_WR); #endif - if(backend->session) { + if(backend->gtls.session) { ssize_t result; bool done = FALSE; char buf[120]; while(!done) { - int what = SOCKET_READABLE(conn->sock[sockindex], + int what = SOCKET_READABLE(cf->conn->sock[cf->sockindex], SSL_SHUTDOWN_TIMEOUT); if(what > 0) { /* Something to read, let's do it and hope that it is the close notify alert from the server */ - result = gnutls_record_recv(backend->session, + result = gnutls_record_recv(backend->gtls.session, buf, sizeof(buf)); switch(result) { case 0: @@ -1564,51 +1551,53 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, done = TRUE; } } - gnutls_deinit(backend->session); + gnutls_deinit(backend->gtls.session); } - gnutls_certificate_free_credentials(backend->cred); + gnutls_certificate_free_credentials(backend->gtls.cred); #ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(primary.username) != NULL) - gnutls_srp_free_client_credentials(backend->srp_client_cred); + if(ssl_config->primary.authtype == CURL_TLSAUTH_SRP + && ssl_config->primary.username != NULL) + gnutls_srp_free_client_credentials(backend->gtls.srp_client_cred); #endif - backend->cred = NULL; - backend->session = NULL; + backend->gtls.cred = NULL; + backend->gtls.session = NULL; return retval; } -static ssize_t gtls_recv(struct Curl_easy *data, /* connection data */ - int num, /* socketindex */ - char *buf, /* store read data here */ - size_t buffersize, /* max amount to read */ +static ssize_t gtls_recv(struct Curl_cfilter *cf, + struct Curl_easy *data, + char *buf, + size_t buffersize, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[num]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; ssize_t ret; + (void)data; DEBUGASSERT(backend); - ret = gnutls_record_recv(backend->session, buf, buffersize); + ret = gnutls_record_recv(backend->gtls.session, buf, buffersize); if((ret == GNUTLS_E_AGAIN) || (ret == GNUTLS_E_INTERRUPTED)) { *curlcode = CURLE_AGAIN; - return -1; + ret = -1; + goto out; } if(ret == GNUTLS_E_REHANDSHAKE) { /* BLOCKING call, this is bad but a work-around for now. Fixing this "the proper way" takes a whole lot of work. */ - CURLcode result = handshake(data, conn, num, FALSE, FALSE); + CURLcode result = handshake(cf, data, FALSE, FALSE); if(result) /* handshake() writes error message on its own */ *curlcode = result; else *curlcode = CURLE_AGAIN; /* then return as if this was a wouldblock */ - return -1; + ret = -1; + goto out; } if(ret < 0) { @@ -1616,9 +1605,11 @@ static ssize_t gtls_recv(struct Curl_easy *data, /* connection data */ (int)ret, gnutls_strerror((int)ret)); *curlcode = CURLE_RECV_ERROR; - return -1; + ret = -1; + goto out; } +out: return ret; } @@ -1665,7 +1656,7 @@ static void *gtls_get_internals(struct ssl_connect_data *connssl, struct ssl_backend_data *backend = connssl->backend; (void)info; DEBUGASSERT(backend); - return backend->session; + return backend->gtls.session; } const struct Curl_ssl Curl_ssl_gnutls = { @@ -1688,7 +1679,7 @@ const struct Curl_ssl Curl_ssl_gnutls = { gtls_cert_status_request, /* cert_status_request */ gtls_connect, /* connect */ gtls_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ gtls_get_internals, /* get_internals */ gtls_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -1699,7 +1690,10 @@ const struct Curl_ssl Curl_ssl_gnutls = { Curl_none_false_start, /* false_start */ gtls_sha256sum, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + gtls_recv, /* recv decrypted data */ + gtls_send, /* send data to encrypt */ }; #endif /* USE_GNUTLS */ diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h index abade73..49c1c47 100644 --- a/lib/vtls/gtls.h +++ b/lib/vtls/gtls.h @@ -25,15 +25,50 @@ ***************************************************************************/ #include "curl_setup.h" +#include #ifdef USE_GNUTLS -#include "urldata.h" #include + +#ifdef HAVE_GNUTLS_SRP +/* the function exists */ +#ifdef USE_TLS_SRP +/* the functionality is not disabled */ +#define USE_GNUTLS_SRP +#endif +#endif + +struct Curl_easy; +struct Curl_cfilter; +struct ssl_primary_config; +struct ssl_config_data; + +struct gtls_instance { + gnutls_session_t session; + gnutls_certificate_credentials_t cred; +#ifdef USE_GNUTLS_SRP + gnutls_srp_client_credentials_t srp_client_cred; +#endif +}; + CURLcode -Curl_gtls_verifyserver(struct Curl_easy *data, struct connectdata *conn, +gtls_client_init(struct Curl_easy *data, + struct ssl_primary_config *config, + struct ssl_config_data *ssl_config, + const char *hostname, + struct gtls_instance *gtls, + long *pverifyresult); + +CURLcode +Curl_gtls_verifyserver(struct Curl_easy *data, gnutls_session_t session, - int sockindex); + struct ssl_primary_config *config, + struct ssl_config_data *ssl_config, + const char *hostname, + const char *dispname, + const char *pinned_key); + extern const struct Curl_ssl Curl_ssl_gnutls; #endif /* USE_GNUTLS */ diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index fbde897..0b81662 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -61,6 +61,7 @@ #include "inet_pton.h" #include "mbedtls.h" #include "vtls.h" +#include "vtls_int.h" #include "parsedate.h" #include "connect.h" /* for the connect timeout */ #include "select.h" @@ -155,6 +156,46 @@ static void mbed_debug(void *context, int level, const char *f_name, #else #endif +static int bio_cf_write(void *bio, const unsigned char *buf, size_t blen) +{ + struct Curl_cfilter *cf = bio; + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->call_data; + ssize_t nwritten; + CURLcode result; + + DEBUGASSERT(data); + nwritten = Curl_conn_cf_send(cf->next, data, (char *)buf, blen, &result); + /* DEBUGF(infof(data, CFMSG(cf, "bio_cf_out_write(len=%d) -> %d, err=%d"), + blen, (int)nwritten, result)); */ + if(nwritten < 0 && CURLE_AGAIN == result) { + nwritten = MBEDTLS_ERR_SSL_WANT_WRITE; + } + return (int)nwritten; +} + +static int bio_cf_read(void *bio, unsigned char *buf, size_t blen) +{ + struct Curl_cfilter *cf = bio; + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->call_data; + ssize_t nread; + CURLcode result; + + DEBUGASSERT(data); + /* OpenSSL catches this case, so should we. */ + if(!buf) + return 0; + + nread = Curl_conn_cf_recv(cf->next, data, (char *)buf, blen, &result); + /* DEBUGF(infof(data, CFMSG(cf, "bio_cf_in_read(len=%d) -> %d, err=%d"), + blen, (int)nread, result)); */ + if(nread < 0 && CURLE_AGAIN == result) { + nread = MBEDTLS_ERR_SSL_WANT_READ; + } + return (int)nread; +} + /* * profile */ @@ -181,9 +222,6 @@ static const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_fr = #define PUB_DER_MAX_BYTES (RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \ RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES) -static Curl_recv mbed_recv; -static Curl_send mbed_send; - static CURLcode mbedtls_version_from_curl(int *mbedver, long version) { #if MBEDTLS_VERSION_NUMBER >= 0x03000000 @@ -216,11 +254,11 @@ static CURLcode mbedtls_version_from_curl(int *mbedver, long version) } static CURLcode -set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); #if MBEDTLS_VERSION_NUMBER >= 0x03000000 int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_3; int mbedtls_ver_max = MBEDTLS_SSL_MINOR_VERSION_3; @@ -228,8 +266,8 @@ set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn, int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_1; int mbedtls_ver_max = MBEDTLS_SSL_MINOR_VERSION_1; #endif - long ssl_version = SSL_CONN_CONFIG(version); - long ssl_version_max = SSL_CONN_CONFIG(version_max); + long ssl_version = conn_config->version; + long ssl_version_max = conn_config->version_max; CURLcode result = CURLE_OK; DEBUGASSERT(backend); @@ -268,31 +306,29 @@ set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn, } static CURLcode -mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); const char * const ssl_cafile = /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */ - (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const char * const ssl_capath = SSL_CONN_CONFIG(CApath); - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); - const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); - const char * const hostname = SSL_HOST_NAME(); -#ifndef CURL_DISABLE_VERBOSE_STRINGS - const long int port = SSL_HOST_PORT(); -#endif + (ca_info_blob ? NULL : conn_config->CAfile); + const bool verifypeer = conn_config->verifypeer; + const char * const ssl_capath = conn_config->CApath; + char * const ssl_cert = ssl_config->primary.clientcert; + const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob; + const char * const ssl_crlfile = ssl_config->primary.CRLfile; + const char *hostname = connssl->hostname; int ret = -1; char errorbuf[128]; DEBUGASSERT(backend); - if((SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) || - (SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv3)) { + if((conn_config->version == CURL_SSLVERSION_SSLv2) || + (conn_config->version == CURL_SSLVERSION_SSLv3)) { failf(data, "Not supported SSL version"); return CURLE_NOT_BUILT_IN; } @@ -416,7 +452,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s", - SSL_SET_OPTION(key), -ret, errorbuf); + ssl_config->key, -ret, errorbuf); return CURLE_SSL_CERTPROBLEM; } } @@ -424,23 +460,23 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, /* Load the client private key */ mbedtls_pk_init(&backend->pk); - if(SSL_SET_OPTION(key) || SSL_SET_OPTION(key_blob)) { - if(SSL_SET_OPTION(key)) { + if(ssl_config->key || ssl_config->key_blob) { + if(ssl_config->key) { #ifdef MBEDTLS_FS_IO #if MBEDTLS_VERSION_NUMBER >= 0x03000000 - ret = mbedtls_pk_parse_keyfile(&backend->pk, SSL_SET_OPTION(key), - SSL_SET_OPTION(key_passwd), + ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key, + ssl_config->key_passwd, mbedtls_ctr_drbg_random, &backend->ctr_drbg); #else - ret = mbedtls_pk_parse_keyfile(&backend->pk, SSL_SET_OPTION(key), - SSL_SET_OPTION(key_passwd)); + ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key, + ssl_config->key_passwd); #endif if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s", - SSL_SET_OPTION(key), -ret, errorbuf); + ssl_config->key, -ret, errorbuf); return CURLE_SSL_CERTPROBLEM; } #else @@ -449,10 +485,10 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, #endif } else { - const struct curl_blob *ssl_key_blob = SSL_SET_OPTION(key_blob); + const struct curl_blob *ssl_key_blob = ssl_config->key_blob; const unsigned char *key_data = (const unsigned char *)ssl_key_blob->data; - const char *passwd = SSL_SET_OPTION(key_passwd); + const char *passwd = ssl_config->key_passwd; #if MBEDTLS_VERSION_NUMBER >= 0x03000000 ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len, (const unsigned char *)passwd, @@ -505,7 +541,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, } #endif - infof(data, "mbedTLS: Connecting to %s:%ld", hostname, port); + infof(data, "mbedTLS: Connecting to %s:%d", hostname, connssl->port); mbedtls_ssl_config_init(&backend->config); ret = mbedtls_ssl_config_defaults(&backend->config, @@ -527,7 +563,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, mbedtls_ssl_conf_cert_profile(&backend->config, &mbedtls_x509_crt_profile_fr); - switch(SSL_CONN_CONFIG(version)) { + switch(conn_config->version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: #if MBEDTLS_VERSION_NUMBER < 0x03000000 @@ -541,7 +577,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(data, conn, sockindex); + CURLcode result = set_ssl_version_min_max(cf, data); if(result != CURLE_OK) return result; break; @@ -555,9 +591,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random, &backend->ctr_drbg); - mbedtls_ssl_set_bio(&backend->ssl, &conn->sock[sockindex], - mbedtls_net_send, - mbedtls_net_recv, + mbedtls_ssl_set_bio(&backend->ssl, cf, bio_cf_write, bio_cf_read, NULL /* rev_timeout() */); mbedtls_ssl_conf_ciphersuites(&backend->config, @@ -574,13 +608,11 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, #endif /* Check if there's a cached ID we can/should use here! */ - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { void *old_session = NULL; Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - &old_session, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(cf, data, &old_session, NULL)) { ret = mbedtls_ssl_set_session(&backend->ssl, old_session); if(ret) { Curl_ssl_sessionid_unlock(data); @@ -600,7 +632,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, NULL); #endif - if(SSL_SET_OPTION(key) || SSL_SET_OPTION(key_blob)) { + if(ssl_config->key || ssl_config->key_blob) { mbedtls_ssl_conf_own_cert(&backend->config, &backend->clicert, &backend->pk); } @@ -616,7 +648,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, } #ifdef HAS_ALPN - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { const char **p = &backend->protocols[0]; #ifdef USE_HTTP2 if(data->state.httpwant >= CURL_HTTP_VERSION_2) @@ -664,20 +696,19 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, } static CURLcode -mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) { int ret; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); const mbedtls_x509_crt *peercert; - const char * const pinnedpubkey = SSL_PINNED_PUB_KEY(); + const char * const pinnedpubkey = Curl_ssl_cf_is_proxy(cf)? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: + data->set.str[STRING_SSL_PINNEDPUBLICKEY]; DEBUGASSERT(backend); - conn->recv[sockindex] = mbed_recv; - conn->send[sockindex] = mbed_send; - ret = mbedtls_ssl_handshake(&backend->ssl); if(ret == MBEDTLS_ERR_SSL_WANT_READ) { @@ -701,11 +732,11 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, ret = mbedtls_ssl_get_verify_result(&backend->ssl); - if(!SSL_CONN_CONFIG(verifyhost)) + if(!conn_config->verifyhost) /* Ignore hostname errors if verifyhost is disabled */ ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH; - if(ret && SSL_CONN_CONFIG(verifypeer)) { + if(ret && conn_config->verifypeer) { if(ret & MBEDTLS_X509_BADCERT_EXPIRED) failf(data, "Cert verify failed: BADCERT_EXPIRED"); @@ -813,7 +844,7 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, } #ifdef HAS_ALPN - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { const char *next_protocol = mbedtls_ssl_get_alpn_protocol(&backend->ssl); if(next_protocol) { @@ -821,19 +852,19 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, #ifdef USE_HTTP2 if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) && !next_protocol[ALPN_H2_LENGTH]) { - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(!strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH) && !next_protocol[ALPN_HTTP_1_1_LENGTH]) { - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; } } else { infof(data, VTLS_INFOF_NO_ALPN); } - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -845,21 +876,20 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, } static CURLcode -mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +mbed_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data) { CURLcode retcode = CURLE_OK; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); DEBUGASSERT(backend); - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { int ret; mbedtls_ssl_session *our_ssl_sessionid; void *old_ssl_sessionid = NULL; - bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; bool added = FALSE; our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session)); @@ -879,12 +909,11 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, /* If there's already a matching session in the cache, delete it */ Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, isproxy, &old_ssl_sessionid, NULL, - sockindex)) + if(!Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL)) Curl_ssl_delsessionid(data, old_ssl_sessionid); - retcode = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, - 0, sockindex, &added); + retcode = Curl_ssl_addsessionid(cf, data, our_ssl_sessionid, + 0, &added); Curl_ssl_sessionid_unlock(data); if(!added) { mbedtls_ssl_session_free(our_ssl_sessionid); @@ -901,17 +930,16 @@ mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, return CURLE_OK; } -static ssize_t mbed_send(struct Curl_easy *data, int sockindex, +static ssize_t mbed_send(struct Curl_cfilter *cf, struct Curl_easy *data, const void *mem, size_t len, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; int ret = -1; + (void)data; DEBUGASSERT(backend); - ret = mbedtls_ssl_write(&backend->ssl, (unsigned char *)mem, len); if(ret < 0) { @@ -928,14 +956,13 @@ static void mbedtls_close_all(struct Curl_easy *data) (void)data; } -static void mbedtls_close(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static void mbedtls_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; char buf[32]; - (void) data; + (void)data; DEBUGASSERT(backend); /* Maybe the server has already sent a close notify alert. @@ -956,16 +983,16 @@ static void mbedtls_close(struct Curl_easy *data, #endif /* THREADING_SUPPORT */ } -static ssize_t mbed_recv(struct Curl_easy *data, int num, +static ssize_t mbed_recv(struct Curl_cfilter *cf, struct Curl_easy *data, char *buf, size_t buffersize, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[num]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; int ret = -1; ssize_t len = -1; + (void)data; DEBUGASSERT(backend); ret = mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf, @@ -1048,15 +1075,13 @@ static CURLcode mbedtls_random(struct Curl_easy *data, } static CURLcode -mbed_connect_common(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, +mbed_connect_common(struct Curl_cfilter *cf, struct Curl_easy *data, bool nonblocking, bool *done) { CURLcode retcode; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; timediff_t timeout_ms; int what; @@ -1075,7 +1100,7 @@ mbed_connect_common(struct Curl_easy *data, failf(data, "SSL connection timeout"); return CURLE_OPERATION_TIMEDOUT; } - retcode = mbed_connect_step1(data, conn, sockindex); + retcode = mbed_connect_step1(cf, data); if(retcode) return retcode; } @@ -1130,7 +1155,7 @@ mbed_connect_common(struct Curl_easy *data, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - retcode = mbed_connect_step2(data, conn, sockindex); + retcode = mbed_connect_step2(cf, data); if(retcode || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1140,15 +1165,13 @@ mbed_connect_common(struct Curl_easy *data, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - retcode = mbed_connect_step3(data, conn, sockindex); + retcode = mbed_connect_step3(cf, data); if(retcode) return retcode; } if(ssl_connect_done == connssl->connecting_state) { connssl->state = ssl_connection_complete; - conn->recv[sockindex] = mbed_recv; - conn->send[sockindex] = mbed_send; *done = TRUE; } else @@ -1160,21 +1183,21 @@ mbed_connect_common(struct Curl_easy *data, return CURLE_OK; } -static CURLcode mbedtls_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode mbedtls_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { - return mbed_connect_common(data, conn, sockindex, TRUE, done); + return mbed_connect_common(cf, data, TRUE, done); } -static CURLcode mbedtls_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode mbedtls_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode retcode; bool done = FALSE; - retcode = mbed_connect_common(data, conn, sockindex, FALSE, &done); + retcode = mbed_connect_common(cf, data, FALSE, &done); if(retcode) return retcode; @@ -1197,13 +1220,14 @@ static void mbedtls_cleanup(void) (void)Curl_mbedtlsthreadlock_thread_cleanup(); } -static bool mbedtls_data_pending(const struct connectdata *conn, - int sockindex) +static bool mbedtls_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct ssl_backend_data *backend = connssl->backend; - DEBUGASSERT(backend); - return mbedtls_ssl_get_bytes_avail(&backend->ssl) != 0; + struct ssl_connect_data *ctx = cf->ctx; + + (void)data; + DEBUGASSERT(ctx && ctx->backend); + return mbedtls_ssl_get_bytes_avail(&ctx->backend->ssl) != 0; } static CURLcode mbedtls_sha256sum(const unsigned char *input, @@ -1242,7 +1266,8 @@ const struct Curl_ssl Curl_ssl_mbedtls = { SSLSUPP_CA_PATH | SSLSUPP_CAINFO_BLOB | SSLSUPP_PINNEDPUBKEY | - SSLSUPP_SSL_CTX, + SSLSUPP_SSL_CTX | + SSLSUPP_HTTPS_PROXY, sizeof(struct ssl_backend_data), @@ -1256,7 +1281,7 @@ const struct Curl_ssl Curl_ssl_mbedtls = { Curl_none_cert_status_request, /* cert_status_request */ mbedtls_connect, /* connect */ mbedtls_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ mbedtls_get_internals, /* get_internals */ mbedtls_close, /* close_one */ mbedtls_close_all, /* close_all */ @@ -1267,7 +1292,10 @@ const struct Curl_ssl Curl_ssl_mbedtls = { Curl_none_false_start, /* false_start */ mbedtls_sha256sum, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + mbed_recv, /* recv decrypted data */ + mbed_send, /* send data to encrypt */ }; #endif /* USE_MBEDTLS */ diff --git a/lib/vtls/mbedtls_threadlock.c b/lib/vtls/mbedtls_threadlock.c index 3971e69..7d019ed 100644 --- a/lib/vtls/mbedtls_threadlock.c +++ b/lib/vtls/mbedtls_threadlock.c @@ -26,13 +26,12 @@ #if defined(USE_MBEDTLS) && \ ((defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)) || \ - (defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H))) + defined(USE_THREADS_WIN32)) #if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) # include # define MBEDTLS_MUTEX_T pthread_mutex_t -#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) -# include +#elif defined(USE_THREADS_WIN32) # define MBEDTLS_MUTEX_T HANDLE #endif @@ -60,7 +59,7 @@ int Curl_mbedtlsthreadlock_thread_setup(void) #if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) if(pthread_mutex_init(&mutex_buf[i], NULL)) return 0; /* pthread_mutex_init failed */ -#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) +#elif defined(USE_THREADS_WIN32) mutex_buf[i] = CreateMutex(0, FALSE, 0); if(mutex_buf[i] == 0) return 0; /* CreateMutex failed */ @@ -81,7 +80,7 @@ int Curl_mbedtlsthreadlock_thread_cleanup(void) #if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) if(pthread_mutex_destroy(&mutex_buf[i])) return 0; /* pthread_mutex_destroy failed */ -#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) +#elif defined(USE_THREADS_WIN32) if(!CloseHandle(mutex_buf[i])) return 0; /* CloseHandle failed */ #endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */ @@ -101,7 +100,7 @@ int Curl_mbedtlsthreadlock_lock_function(int n) "Error: mbedtlsthreadlock_lock_function failed\n")); return 0; /* pthread_mutex_lock failed */ } -#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) +#elif defined(USE_THREADS_WIN32) if(WaitForSingleObject(mutex_buf[n], INFINITE) == WAIT_FAILED) { DEBUGF(fprintf(stderr, "Error: mbedtlsthreadlock_lock_function failed\n")); @@ -121,7 +120,7 @@ int Curl_mbedtlsthreadlock_unlock_function(int n) "Error: mbedtlsthreadlock_unlock_function failed\n")); return 0; /* pthread_mutex_unlock failed */ } -#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) +#elif defined(USE_THREADS_WIN32) if(!ReleaseMutex(mutex_buf[n])) { DEBUGF(fprintf(stderr, "Error: mbedtlsthreadlock_unlock_function failed\n")); diff --git a/lib/vtls/mbedtls_threadlock.h b/lib/vtls/mbedtls_threadlock.h index 3a50d03..22e8725 100644 --- a/lib/vtls/mbedtls_threadlock.h +++ b/lib/vtls/mbedtls_threadlock.h @@ -29,7 +29,7 @@ #ifdef USE_MBEDTLS #if (defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)) || \ - (defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H)) + defined(USE_THREADS_WIN32) int Curl_mbedtlsthreadlock_thread_setup(void); int Curl_mbedtlsthreadlock_thread_cleanup(void); diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 12cf618..03694d2 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -39,6 +39,7 @@ #include "strcase.h" #include "select.h" #include "vtls.h" +#include "vtls_int.h" #include "llist.h" #include "multiif.h" #include "curl_printf.h" @@ -68,7 +69,6 @@ #include #endif -#include "strcase.h" #include "warnless.h" #include "x509asn1.h" @@ -696,17 +696,18 @@ fail: return CURLE_SSL_CRL_BADFILE; } -static CURLcode nss_load_key(struct Curl_easy *data, struct connectdata *conn, - int sockindex, char *key_file) +static CURLcode nss_load_key(struct Curl_cfilter *cf, + struct Curl_easy *data, + char *key_file) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); PK11SlotInfo *slot, *tmp; SECStatus status; CURLcode result; - struct ssl_connect_data *ssl = conn->ssl; - - (void)sockindex; /* unused */ - result = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE); + (void)data; + result = nss_create_object(connssl, CKO_PRIVATE_KEY, key_file, FALSE); if(result) { PR_SetError(SEC_ERROR_BAD_KEY, 0); return result; @@ -725,7 +726,7 @@ static CURLcode nss_load_key(struct Curl_easy *data, struct connectdata *conn, return CURLE_SSL_CERTPROBLEM; } - status = PK11_Authenticate(slot, PR_TRUE, SSL_SET_OPTION(key_passwd)); + status = PK11_Authenticate(slot, PR_TRUE, ssl_config->key_passwd); PK11_FreeSlot(slot); return (SECSuccess == status) ? CURLE_OK : CURLE_SSL_CERTPROBLEM; @@ -747,13 +748,15 @@ static int display_error(struct Curl_easy *data, PRInt32 err, return 0; /* The caller will print a generic error */ } -static CURLcode cert_stuff(struct Curl_easy *data, struct connectdata *conn, - int sockindex, char *cert_file, char *key_file) +static CURLcode cert_stuff(struct Curl_cfilter *cf, + struct Curl_easy *data, + char *cert_file, char *key_file) { + struct ssl_connect_data *connssl = cf->ctx; CURLcode result; if(cert_file) { - result = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE); + result = nss_load_cert(connssl, cert_file, PR_FALSE); if(result) { const PRErrorCode err = PR_GetError(); if(!display_error(data, err, cert_file)) { @@ -767,10 +770,10 @@ static CURLcode cert_stuff(struct Curl_easy *data, struct connectdata *conn, if(key_file || (is_file(cert_file))) { if(key_file) - result = nss_load_key(data, conn, sockindex, key_file); + result = nss_load_key(cf, data, key_file); else /* In case the cert file also has the key */ - result = nss_load_key(data, conn, sockindex, cert_file); + result = nss_load_key(cf, data, cert_file); if(result) { const PRErrorCode err = PR_GetError(); if(!display_error(data, err, key_file)) { @@ -800,11 +803,14 @@ static char *nss_get_password(PK11SlotInfo *slot, PRBool retry, void *arg) static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, PRBool isServer) { - struct Curl_easy *data = (struct Curl_easy *)arg; - struct connectdata *conn = data->conn; + struct Curl_cfilter *cf = (struct Curl_cfilter *)arg; + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct Curl_easy *data = connssl->backend->data; + DEBUGASSERT(data); #ifdef SSL_ENABLE_OCSP_STAPLING - if(SSL_CONN_CONFIG(verifystatus)) { + if(conn_config->verifystatus) { SECStatus cacheResult; const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd); @@ -830,7 +836,7 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, } #endif - if(!SSL_CONN_CONFIG(verifypeer)) { + if(!conn_config->verifypeer) { infof(data, "skipping SSL peer certificate verification"); return SECSuccess; } @@ -843,13 +849,16 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, */ static void HandshakeCallback(PRFileDesc *sock, void *arg) { - struct Curl_easy *data = (struct Curl_easy *)arg; - struct connectdata *conn = data->conn; + struct Curl_cfilter *cf = (struct Curl_cfilter *)arg; + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->backend->data; + struct connectdata *conn = cf->conn; unsigned int buflenmax = 50; unsigned char buf[50]; unsigned int buflen; SSLNextProtoState state; + DEBUGASSERT(data); if(!conn->bits.tls_enable_alpn) { return; } @@ -879,13 +888,13 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) #ifdef USE_HTTP2 if(buflen == ALPN_H2_LENGTH && !memcmp(ALPN_H2, buf, ALPN_H2_LENGTH)) { - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(buflen == ALPN_HTTP_1_1_LENGTH && !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) { - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; } /* This callback might get called when PR_Recv() is used within @@ -893,7 +902,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) * be any "bundle" associated with the connection anymore. */ if(conn->bundle) - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } } @@ -1064,15 +1073,20 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) { - struct Curl_easy *data = (struct Curl_easy *)arg; - struct connectdata *conn = data->conn; + struct Curl_cfilter *cf = (struct Curl_cfilter *)arg; + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->backend->data; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config; PRErrorCode err = PR_GetError(); CERTCertificate *cert; + DEBUGASSERT(data); + ssl_config = Curl_ssl_cf_get_config(cf, data); /* remember the cert verification result */ - SSL_SET_OPTION_LVALUE(certverifyresult) = err; + ssl_config->certverifyresult = err; - if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost)) + if(err == SSL_ERROR_BAD_CERT_DOMAIN && !conn_config->verifyhost) /* we are asked not to verify the host name */ return SECSuccess; @@ -1549,13 +1563,14 @@ static void nss_cleanup(void) * 0 means the connection has been closed * -1 means the connection status is unknown */ -static int nss_check_cxn(struct connectdata *conn) +static int nss_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; int rc; char buf; + (void)data; DEBUGASSERT(backend); rc = @@ -1612,41 +1627,20 @@ static void close_one(struct ssl_connect_data *connssl) /* * This function is called when an SSL connection is closed. */ -static void nss_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static void nss_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; -#ifndef CURL_DISABLE_PROXY - struct ssl_connect_data *connssl_proxy = &conn->proxy_ssl[sockindex]; -#endif + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; (void)data; - DEBUGASSERT(backend); -#ifndef CURL_DISABLE_PROXY - DEBUGASSERT(connssl_proxy->backend != NULL); -#endif - if(backend->handle -#ifndef CURL_DISABLE_PROXY - || connssl_proxy->backend->handle -#endif - ) { + if(backend->handle) { /* NSS closes the socket we previously handed to it, so we must mark it as closed to avoid double close */ - fake_sclose(conn->sock[sockindex]); - conn->sock[sockindex] = CURL_SOCKET_BAD; + fake_sclose(cf->conn->sock[cf->sockindex]); + cf->conn->sock[cf->sockindex] = CURL_SOCKET_BAD; } -#ifndef CURL_DISABLE_PROXY - if(backend->handle) - /* nss_close(connssl) will transitively close also - connssl_proxy->backend->handle if both are used. Clear it to avoid - a double close leading to crash. */ - connssl_proxy->backend->handle = NULL; - - close_one(connssl_proxy); -#endif close_one(connssl); } @@ -1680,15 +1674,13 @@ static bool is_cc_error(PRInt32 err) } } -static Curl_recv nss_recv; -static Curl_send nss_send; - -static CURLcode nss_load_ca_certificates(struct Curl_easy *data, - struct connectdata *conn, - int sockindex) +static CURLcode nss_load_ca_certificates(struct Curl_cfilter *cf, + struct Curl_easy *data) { - const char *cafile = SSL_CONN_CONFIG(CAfile); - const char *capath = SSL_CONN_CONFIG(CApath); + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + const char *cafile = conn_config->CAfile; + const char *capath = conn_config->CApath; bool use_trust_module; CURLcode result = CURLE_OK; @@ -1723,7 +1715,7 @@ static CURLcode nss_load_ca_certificates(struct Curl_easy *data, PR_Unlock(nss_trustload_lock); if(cafile) - result = nss_load_cert(&conn->ssl[sockindex], cafile, PR_TRUE); + result = nss_load_cert(connssl, cafile, PR_TRUE); if(result) return result; @@ -1747,7 +1739,7 @@ static CURLcode nss_load_ca_certificates(struct Curl_easy *data, return CURLE_OUT_OF_MEMORY; } - if(CURLE_OK != nss_load_cert(&conn->ssl[sockindex], fullpath, PR_TRUE)) + if(CURLE_OK != nss_load_cert(connssl, fullpath, PR_TRUE)) /* This is purposefully tolerant of errors so non-PEM files can * be in the same directory */ infof(data, "failed to load '%s' from CURLOPT_CAPATH", fullpath); @@ -1808,12 +1800,13 @@ static CURLcode nss_sslver_from_curl(PRUint16 *nssver, long version) } static CURLcode nss_init_sslver(SSLVersionRange *sslver, - struct Curl_easy *data, - struct connectdata *conn) + struct Curl_cfilter *cf, + struct Curl_easy *data) { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); CURLcode result; - const long min = SSL_CONN_CONFIG(version); - const long max = SSL_CONN_CONFIG(version_max); + const long min = conn_config->version; + const long max = conn_config->version_max; SSLVersionRange vrange; switch(min) { @@ -1848,10 +1841,11 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, return CURLE_OK; } -static CURLcode nss_fail_connect(struct ssl_connect_data *connssl, +static CURLcode nss_fail_connect(struct Curl_cfilter *cf, struct Curl_easy *data, CURLcode curlerr) { + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; DEBUGASSERT(backend); @@ -1876,10 +1870,11 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl, } /* Switch the SSL socket into blocking or non-blocking mode. */ -static CURLcode nss_set_blocking(struct ssl_connect_data *connssl, +static CURLcode nss_set_blocking(struct Curl_cfilter *cf, struct Curl_easy *data, bool blocking) { + struct ssl_connect_data *connssl = cf->ctx; PRSocketOptionData sock_opt; struct ssl_backend_data *backend = connssl->backend; @@ -1889,22 +1884,27 @@ static CURLcode nss_set_blocking(struct ssl_connect_data *connssl, sock_opt.value.non_blocking = !blocking; if(PR_SetSocketOption(backend->handle, &sock_opt) != PR_SUCCESS) - return nss_fail_connect(connssl, data, CURLE_SSL_CONNECT_ERROR); + return nss_fail_connect(cf, data, CURLE_SSL_CONNECT_ERROR); return CURLE_OK; } -static CURLcode nss_setup_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode nss_setup_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { PRFileDesc *model = NULL; PRFileDesc *nspr_io = NULL; PRFileDesc *nspr_io_stub = NULL; PRBool ssl_no_cache; PRBool ssl_cbc_random_iv; - curl_socket_t sockfd = conn->sock[sockindex]; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + struct Curl_cfilter *cf_ssl_next = Curl_ssl_cf_get_ssl(cf->next); + struct ssl_connect_data *connssl_next = cf_ssl_next? + cf_ssl_next->ctx : NULL; CURLcode result; bool second_layer = FALSE; SSLVersionRange sslver_supported; @@ -1920,7 +1920,10 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, SSL_LIBRARY_VERSION_TLS_1_0 #endif }; - char *snihost = Curl_ssl_snihost(data, SSL_HOST_NAME(), NULL); + const char *hostname = connssl->hostname; + char *snihost; + + snihost = Curl_ssl_snihost(data, hostname, NULL); if(!snihost) { failf(data, "Failed to set SNI"); return CURLE_SSL_CONNECT_ERROR; @@ -1965,13 +1968,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, goto error; /* do not use SSL cache if disabled or we are not going to verify peer */ - ssl_no_cache = (SSL_SET_OPTION(primary.sessionid) - && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE; + ssl_no_cache = (ssl_config->primary.sessionid + && conn_config->verifypeer) ? PR_FALSE : PR_TRUE; if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess) goto error; /* enable/disable the requested SSL version(s) */ - if(nss_init_sslver(&sslver, data, conn) != CURLE_OK) + if(nss_init_sslver(&sslver, cf, data) != CURLE_OK) goto error; if(SSL_VersionRangeGetSupported(ssl_variant_stream, &sslver_supported) != SECSuccess) @@ -1990,7 +1993,7 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) goto error; - ssl_cbc_random_iv = !SSL_SET_OPTION(enable_beast); + ssl_cbc_random_iv = !ssl_config->enable_beast; #ifdef SSL_CBC_RANDOM_IV /* unless the user explicitly asks to allow the protocol vulnerability, we use the work-around */ @@ -2002,33 +2005,33 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, infof(data, "WARNING: support for SSL_CBC_RANDOM_IV not compiled in"); #endif - if(SSL_CONN_CONFIG(cipher_list)) { - if(set_ciphers(data, model, SSL_CONN_CONFIG(cipher_list)) != SECSuccess) { + if(conn_config->cipher_list) { + if(set_ciphers(data, model, conn_config->cipher_list) != SECSuccess) { result = CURLE_SSL_CIPHER; goto error; } } - if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost)) + if(!conn_config->verifypeer && conn_config->verifyhost) infof(data, "WARNING: ignoring value of ssl.verifyhost"); /* bypass the default SSL_AuthCertificate() hook in case we do not want to * verify peer */ - if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, data) != SECSuccess) + if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, cf) != SECSuccess) goto error; /* not checked yet */ - SSL_SET_OPTION_LVALUE(certverifyresult) = 0; + ssl_config->certverifyresult = 0; - if(SSL_BadCertHook(model, BadCertHandler, data) != SECSuccess) + if(SSL_BadCertHook(model, BadCertHandler, cf) != SECSuccess) goto error; - if(SSL_HandshakeCallback(model, HandshakeCallback, data) != SECSuccess) + if(SSL_HandshakeCallback(model, HandshakeCallback, cf) != SECSuccess) goto error; { - const CURLcode rv = nss_load_ca_certificates(data, conn, sockindex); - if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer)) + const CURLcode rv = nss_load_ca_certificates(cf, data); + if((rv == CURLE_SSL_CACERT_BADFILE) && !conn_config->verifypeer) /* not a fatal error because we are not going to verify the peer */ infof(data, "WARNING: CA certificates failed to load"); else if(rv) { @@ -2037,25 +2040,25 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, } } - if(SSL_SET_OPTION(primary.CRLfile)) { - const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); + if(ssl_config->primary.CRLfile) { + const CURLcode rv = nss_load_crl(ssl_config->primary.CRLfile); if(rv) { result = rv; goto error; } - infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); + infof(data, " CRLfile: %s", ssl_config->primary.CRLfile); } - if(SSL_SET_OPTION(primary.clientcert)) { - char *nickname = dup_nickname(data, SSL_SET_OPTION(primary.clientcert)); + if(ssl_config->primary.clientcert) { + char *nickname = dup_nickname(data, ssl_config->primary.clientcert); if(nickname) { /* we are not going to use libnsspem.so to read the client cert */ backend->obj_clicert = NULL; } else { - CURLcode rv = cert_stuff(data, conn, sockindex, - SSL_SET_OPTION(primary.clientcert), - SSL_SET_OPTION(key)); + CURLcode rv = cert_stuff(cf, data, + ssl_config->primary.clientcert, + ssl_config->key); if(rv) { /* failf() is already done in cert_stuff() */ result = rv; @@ -2075,17 +2078,19 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, goto error; } -#ifndef CURL_DISABLE_PROXY - if(conn->proxy_ssl[sockindex].use) { - struct ssl_backend_data *proxy_backend; - proxy_backend = conn->proxy_ssl[sockindex].backend; - DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state); - DEBUGASSERT(proxy_backend); - DEBUGASSERT(proxy_backend->handle); - nspr_io = proxy_backend->handle; + /* Is there an SSL filter "in front" of us or are we writing directly + * to the socket? */ + if(connssl_next) { + /* The filter should be connected by now, with full handshake */ + DEBUGASSERT(connssl_next->backend->handle); + DEBUGASSERT(ssl_connection_complete == connssl_next->state); + /* We tell our NSS instance to use do IO with the 'next' NSS + * instance. This NSS instance will take ownership of the next + * one, including its destruction. We therefore need to `disown` + * the next filter's handle, once import succeeds. */ + nspr_io = connssl_next->backend->handle; second_layer = TRUE; } -#endif else { /* wrap OS file descriptor by NSPR's file descriptor abstraction */ nspr_io = PR_ImportTCPSocket(sockfd); @@ -2122,14 +2127,16 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, PR_Close(model); /* We don't need this any more */ model = NULL; + if(connssl_next) /* steal the NSS handle we just imported successfully */ + connssl_next->backend->handle = NULL; /* This is the password associated with the cert that we're using */ - if(SSL_SET_OPTION(key_passwd)) { - SSL_SetPKCS11PinArg(backend->handle, SSL_SET_OPTION(key_passwd)); + if(ssl_config->key_passwd) { + SSL_SetPKCS11PinArg(backend->handle, ssl_config->key_passwd); } #ifdef SSL_ENABLE_OCSP_STAPLING - if(SSL_CONN_CONFIG(verifystatus)) { + if(conn_config->verifystatus) { if(SSL_OptionSet(backend->handle, SSL_ENABLE_OCSP_STAPLING, PR_TRUE) != SECSuccess) goto error; @@ -2137,8 +2144,9 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, #endif #ifdef SSL_ENABLE_ALPN - if(SSL_OptionSet(backend->handle, SSL_ENABLE_ALPN, conn->bits.tls_enable_alpn - ? PR_TRUE : PR_FALSE) != SECSuccess) + if(SSL_OptionSet(backend->handle, SSL_ENABLE_ALPN, + cf->conn->bits.tls_enable_alpn ? PR_TRUE : PR_FALSE) + != SECSuccess) goto error; #endif @@ -2155,14 +2163,14 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, #endif #if defined(SSL_ENABLE_ALPN) - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { int cur = 0; unsigned char protocols[128]; #ifdef USE_HTTP2 if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY - && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) + && (!Curl_ssl_cf_is_proxy(cf) || !cf->conn->bits.tunnel_proxy) #endif ) { protocols[cur++] = ALPN_H2_LENGTH; @@ -2199,14 +2207,16 @@ error: if(model) PR_Close(model); - return nss_fail_connect(connssl, data, result); + return nss_fail_connect(cf, data, result); } -static CURLcode nss_do_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode nss_do_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); CURLcode result = CURLE_SSL_CONNECT_ERROR; PRUint32 timeout; @@ -2226,9 +2236,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data, if(PR_GetError() == PR_WOULD_BLOCK_ERROR) /* blocking direction is updated by nss_update_connecting_state() */ return CURLE_AGAIN; - else if(SSL_SET_OPTION(certverifyresult) == SSL_ERROR_BAD_CERT_DOMAIN) + else if(ssl_config->certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) result = CURLE_PEER_FAILED_VERIFICATION; - else if(SSL_SET_OPTION(certverifyresult) != 0) + else if(ssl_config->certverifyresult) result = CURLE_PEER_FAILED_VERIFICATION; goto error; } @@ -2237,9 +2247,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data, if(result) goto error; - if(SSL_CONN_CONFIG(issuercert)) { + if(conn_config->issuercert) { SECStatus ret = SECFailure; - char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert)); + char *nickname = dup_nickname(data, conn_config->issuercert); if(nickname) { /* we support only nicknames in case of issuercert for now */ ret = check_issuer_cert(backend->handle, nickname); @@ -2256,7 +2266,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data, } } - result = cmp_peer_pubkey(connssl, SSL_PINNED_PUB_KEY()); + result = cmp_peer_pubkey(connssl, Curl_ssl_cf_is_proxy(cf)? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: + data->set.str[STRING_SSL_PINNEDPUBLICKEY]); if(result) /* status already printed */ goto error; @@ -2264,14 +2276,14 @@ static CURLcode nss_do_connect(struct Curl_easy *data, return CURLE_OK; error: - return nss_fail_connect(connssl, data, result); + return nss_fail_connect(cf, data, result); } -static CURLcode nss_connect_common(struct Curl_easy *data, - struct connectdata *conn, int sockindex, +static CURLcode nss_connect_common(struct Curl_cfilter *cf, + struct Curl_easy *data, bool *done) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; const bool blocking = (done == NULL); CURLcode result; @@ -2282,7 +2294,7 @@ static CURLcode nss_connect_common(struct Curl_easy *data, } if(connssl->connecting_state == ssl_connect_1) { - result = nss_setup_connect(data, conn, sockindex); + result = nss_setup_connect(cf, data); if(result) /* we do not expect CURLE_AGAIN from nss_setup_connect() */ return result; @@ -2291,11 +2303,11 @@ static CURLcode nss_connect_common(struct Curl_easy *data, } /* enable/disable blocking mode before handshake */ - result = nss_set_blocking(connssl, data, blocking); + result = nss_set_blocking(cf, data, blocking); if(result) return result; - result = nss_do_connect(data, conn, sockindex); + result = nss_do_connect(cf, data); switch(result) { case CURLE_OK: break; @@ -2311,7 +2323,7 @@ static CURLcode nss_connect_common(struct Curl_easy *data, if(blocking) { /* in blocking mode, set NSS non-blocking mode _after_ SSL handshake */ - result = nss_set_blocking(connssl, data, /* blocking */ FALSE); + result = nss_set_blocking(cf, data, /* blocking */ FALSE); if(result) return result; } @@ -2320,8 +2332,6 @@ static CURLcode nss_connect_common(struct Curl_easy *data, *done = TRUE; connssl->state = ssl_connection_complete; - conn->recv[sockindex] = nss_recv; - conn->send[sockindex] = nss_send; /* ssl_connect_done is never used outside, go back to the initial state */ connssl->connecting_state = ssl_connect_1; @@ -2329,30 +2339,30 @@ static CURLcode nss_connect_common(struct Curl_easy *data, return CURLE_OK; } -static CURLcode nss_connect(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static CURLcode nss_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { - return nss_connect_common(data, conn, sockindex, /* blocking */ NULL); + return nss_connect_common(cf, data, /* blocking */ NULL); } -static CURLcode nss_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode nss_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { - return nss_connect_common(data, conn, sockindex, done); + return nss_connect_common(cf, data, done); } -static ssize_t nss_send(struct Curl_easy *data, /* transfer */ - int sockindex, /* socketindex */ +static ssize_t nss_send(struct Curl_cfilter *cf, + struct Curl_easy *data, /* transfer */ const void *mem, /* send this data */ size_t len, /* amount to write */ CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; ssize_t rc; + (void)data; DEBUGASSERT(backend); /* The SelectClientCert() hook uses this for infof() and failf() but the @@ -2383,17 +2393,17 @@ static ssize_t nss_send(struct Curl_easy *data, /* transfer */ return rc; /* number of bytes */ } -static ssize_t nss_recv(struct Curl_easy *data, /* transfer */ - int sockindex, /* socketindex */ +static ssize_t nss_recv(struct Curl_cfilter *cf, + struct Curl_easy *data, /* transfer */ char *buf, /* store read data here */ size_t buffersize, /* max amount to read */ CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; ssize_t nread; + (void)data; DEBUGASSERT(backend); /* The SelectClientCert() hook uses this for infof() and failf() but the @@ -2498,6 +2508,25 @@ static void *nss_get_internals(struct ssl_connect_data *connssl, return backend->handle; } +static bool nss_attach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + struct ssl_connect_data *connssl = cf->ctx; + + if(!connssl->backend->data) + connssl->backend->data = data; + return TRUE; +} + +static void nss_detach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + struct ssl_connect_data *connssl = cf->ctx; + + if(connssl->backend->data == data) + connssl->backend->data = NULL; +} + const struct Curl_ssl Curl_ssl_nss = { { CURLSSLBACKEND_NSS, "nss" }, /* info */ @@ -2519,7 +2548,7 @@ const struct Curl_ssl Curl_ssl_nss = { nss_cert_status_request, /* cert_status_request */ nss_connect, /* connect */ nss_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ nss_get_internals, /* get_internals */ nss_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -2530,8 +2559,11 @@ const struct Curl_ssl Curl_ssl_nss = { Curl_none_engines_list, /* engines_list */ nss_false_start, /* false_start */ nss_sha256sum, /* sha256sum */ - NULL, /* associate_connection */ - NULL /* disassociate_connection */ + nss_attach_data, /* associate_connection */ + nss_detach_data, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + nss_recv, /* recv decrypted data */ + nss_send, /* send data to encrypt */ }; #endif /* USE_NSS */ diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index ad2efa5..e7a1caa 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -55,6 +55,7 @@ #include "slist.h" #include "select.h" #include "vtls.h" +#include "vtls_int.h" #include "vauth/vauth.h" #include "keylog.h" #include "strcase.h" @@ -259,6 +260,22 @@ #define HAVE_OPENSSL_VERSION #endif +/* + * Whether the OpenSSL version has the API needed to support sharing an + * X509_STORE between connections. The API is: + * * `X509_STORE_up_ref` -- Introduced: OpenSSL 1.1.0. + */ +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* OpenSSL >= 1.1.0 */ +#define HAVE_SSL_X509_STORE_SHARE +#endif + +/* What API version do we use? */ +#if defined(LIBRESSL_VERSION_NUMBER) +#define USE_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f) +#else /* !LIBRESSL_VERSION_NUMBER */ +#define USE_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) +#endif /* !LIBRESSL_VERSION_NUMBER */ + struct ssl_backend_data { struct Curl_easy *logger; /* transfer handle to pass trace logs to, only using sockindex 0 */ @@ -266,12 +283,21 @@ struct ssl_backend_data { SSL_CTX* ctx; SSL* handle; X509* server_cert; + CURLcode io_result; /* result of last BIO cfilter operation */ #ifndef HAVE_KEYLOG_CALLBACK /* Set to true once a valid keylog entry has been created to avoid dupes. */ bool keylog_done; #endif }; +#if defined(HAVE_SSL_X509_STORE_SHARE) +struct multi_ssl_backend_data { + char *CAfile; /* CAfile path used to generate X509 store */ + X509_STORE *store; /* cached X509 store or NULL if none */ + struct curltime time; /* when the cached store was created */ +}; +#endif /* HAVE_SSL_X509_STORE_SHARE */ + #define push_certinfo(_label, _num) \ do { \ long info_len = BIO_get_mem_data(mem, &ptr); \ @@ -610,9 +636,160 @@ CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl) #ifdef USE_OPENSSL -static bool ossl_associate_connection(struct Curl_easy *data, - struct connectdata *conn, - int sockindex); +#if USE_PRE_1_1_API +#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL +#define BIO_set_init(x,v) ((x)->init=(v)) +#define BIO_get_data(x) ((x)->ptr) +#define BIO_set_data(x,v) ((x)->ptr=(v)) +#endif +#define BIO_get_shutdown(x) ((x)->shutdown) +#define BIO_set_shutdown(x,v) ((x)->shutdown=(v)) +#endif /* USE_PRE_1_1_API */ + +static int bio_cf_create(BIO *bio) +{ + BIO_set_shutdown(bio, 1); + BIO_set_init(bio, 1); +#if USE_PRE_1_1_API + bio->num = -1; +#endif + BIO_set_data(bio, NULL); + return 1; +} + +static int bio_cf_destroy(BIO *bio) +{ + if(!bio) + return 0; + return 1; +} + +static long bio_cf_ctrl(BIO *bio, int cmd, long num, void *ptr) +{ + struct Curl_cfilter *cf = BIO_get_data(bio); + long ret = 1; + + (void)cf; + (void)ptr; + switch(cmd) { + case BIO_CTRL_GET_CLOSE: + ret = (long)BIO_get_shutdown(bio); + break; + case BIO_CTRL_SET_CLOSE: + BIO_set_shutdown(bio, (int)num); + break; + case BIO_CTRL_FLUSH: + /* we do no delayed writes, but if we ever would, this + * needs to trigger it. */ + ret = 1; + break; + case BIO_CTRL_DUP: + ret = 1; + break; +#ifdef BIO_CTRL_EOF + case BIO_CTRL_EOF: + /* EOF has been reached on input? */ + return (!cf->next || !cf->next->connected); +#endif + default: + ret = 0; + break; + } + return ret; +} + +static int bio_cf_out_write(BIO *bio, const char *buf, int blen) +{ + struct Curl_cfilter *cf = BIO_get_data(bio); + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->call_data; + ssize_t nwritten; + CURLcode result = CURLE_SEND_ERROR; + + DEBUGASSERT(data); + nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result); + /* DEBUGF(infof(data, CFMSG(cf, "bio_cf_out_write(len=%d) -> %d, err=%d"), + blen, (int)nwritten, result)); */ + BIO_clear_retry_flags(bio); + connssl->backend->io_result = result; + if(nwritten < 0) { + if(CURLE_AGAIN == result) + BIO_set_retry_write(bio); + } + return (int)nwritten; +} + +static int bio_cf_in_read(BIO *bio, char *buf, int blen) +{ + struct Curl_cfilter *cf = BIO_get_data(bio); + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->call_data; + ssize_t nread; + CURLcode result = CURLE_RECV_ERROR; + + DEBUGASSERT(data); + /* OpenSSL catches this case, so should we. */ + if(!buf) + return 0; + + nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result); + /* DEBUGF(infof(data, CFMSG(cf, "bio_cf_in_read(len=%d) -> %d, err=%d"), + blen, (int)nread, result)); */ + BIO_clear_retry_flags(bio); + connssl->backend->io_result = result; + if(nread < 0) { + if(CURLE_AGAIN == result) + BIO_set_retry_read(bio); + } + return (int)nread; +} + +static BIO_METHOD *bio_cf_method = NULL; + +#if USE_PRE_1_1_API + +static BIO_METHOD bio_cf_meth_1_0 = { + BIO_TYPE_MEM, + "OpenSSL CF BIO", + bio_cf_out_write, + bio_cf_in_read, + NULL, /* puts is never called */ + NULL, /* gets is never called */ + bio_cf_ctrl, + bio_cf_create, + bio_cf_destroy, + NULL +}; + +static void bio_cf_init_methods(void) +{ + bio_cf_method = &bio_cf_meth_1_0; +} + +#define bio_cf_free_methods() Curl_nop_stmt + +#else + +static void bio_cf_init_methods(void) +{ + bio_cf_method = BIO_meth_new(BIO_TYPE_MEM, "OpenSSL CF BIO"); + BIO_meth_set_write(bio_cf_method, &bio_cf_out_write); + BIO_meth_set_read(bio_cf_method, &bio_cf_in_read); + BIO_meth_set_ctrl(bio_cf_method, &bio_cf_ctrl); + BIO_meth_set_create(bio_cf_method, &bio_cf_create); + BIO_meth_set_destroy(bio_cf_method, &bio_cf_destroy); +} + +static void bio_cf_free_methods(void) +{ + BIO_meth_free(bio_cf_method); +} + +#endif + + +static bool ossl_attach_data(struct Curl_cfilter *cf, + struct Curl_easy *data); /* * Number of bytes to read from the random number seed file. This must be @@ -711,12 +888,25 @@ static const char *SSL_ERROR_to_str(int err) } } +static size_t ossl_version(char *buffer, size_t size); + /* Return error string for last OpenSSL error */ static char *ossl_strerror(unsigned long error, char *buf, size_t size) { - if(size) + size_t len; + DEBUGASSERT(size); + *buf = '\0'; + + len = ossl_version(buf, size); + DEBUGASSERT(len < (size - 2)); + if(len < (size - 2)) { + buf += len; + size -= (len + 2); + *buf++ = ':'; + *buf++ = ' '; *buf = '\0'; + } #ifdef OPENSSL_IS_BORINGSSL ERR_error_string_n((uint32_t)error, buf, size); @@ -724,7 +914,7 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size) ERR_error_string_n(error, buf, size); #endif - if(size > 1 && !*buf) { + if(!*buf) { strncpy(buf, (error ? "Unknown error" : "No error"), size); buf[size - 1] = '\0'; } @@ -744,16 +934,16 @@ static int ossl_get_ssl_data_index(void) return ssl_ex_data_data_index; } -/* Return an extra data index for the connection data. +/* Return an extra data index for the associated Curl_cfilter instance. * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). */ -static int ossl_get_ssl_conn_index(void) +static int ossl_get_ssl_cf_index(void) { - static int ssl_ex_data_conn_index = -1; - if(ssl_ex_data_conn_index < 0) { - ssl_ex_data_conn_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + static int ssl_ex_data_cf_index = -1; + if(ssl_ex_data_cf_index < 0) { + ssl_ex_data_cf_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); } - return ssl_ex_data_conn_index; + return ssl_ex_data_cf_index; } /* Return an extra data index for the sockindex. @@ -1578,10 +1768,11 @@ static int ossl_init(void) OpenSSL_add_all_algorithms(); #endif + bio_cf_init_methods(); Curl_tls_keylog_open(); /* Initialize the extra data indexes */ - if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 || + if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_cf_index() < 0 || ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0) return 0; @@ -1623,6 +1814,7 @@ static void ossl_cleanup(void) #endif Curl_tls_keylog_close(); + bio_cf_free_methods(); } /* @@ -1633,15 +1825,16 @@ static void ossl_cleanup(void) * 0 means the connection has been closed * -1 means the connection status is unknown */ -static int ossl_check_cxn(struct connectdata *conn) +static int ossl_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data) { /* SSL_peek takes data out of the raw recv buffer without peeking so we use recv MSG_PEEK instead. Bug #795 */ #ifdef MSG_PEEK char buf; ssize_t nread; - nread = recv((RECV_TYPE_ARG1)conn->sock[FIRSTSOCKET], (RECV_TYPE_ARG2)&buf, - (RECV_TYPE_ARG3)1, (RECV_TYPE_ARG4)MSG_PEEK); + nread = recv((RECV_TYPE_ARG1)cf->conn->sock[cf->sockindex], + (RECV_TYPE_ARG2)&buf, (RECV_TYPE_ARG3)1, + (RECV_TYPE_ARG4)MSG_PEEK); if(nread == 0) return 0; /* connection has been closed */ if(nread == 1) @@ -1674,6 +1867,7 @@ static int ossl_check_cxn(struct connectdata *conn) return 0; /* connection has been closed */ } #endif + (void)data; return -1; /* connection status unknown */ } @@ -1766,33 +1960,28 @@ static struct curl_slist *ossl_engines_list(struct Curl_easy *data) return list; } -#define set_logger(conn, data) \ - conn->ssl[0].backend->logger = data +#define set_logger(connssl, data) \ + connssl->backend->logger = data -static void ossl_closeone(struct Curl_easy *data, - struct connectdata *conn, - struct ssl_connect_data *connssl) +static void ossl_close(struct Curl_cfilter *cf, struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; DEBUGASSERT(backend); if(backend->handle) { - char buf[32]; - set_logger(conn, data); - /* - * The conn->sock[0] socket is passed to openssl with SSL_set_fd(). Make - * sure the socket is not closed before calling OpenSSL functions that - * will use it. - */ - DEBUGASSERT(conn->sock[FIRSTSOCKET] != CURL_SOCKET_BAD); + set_logger(connssl, data); - /* Maybe the server has already sent a close notify alert. - Read it to avoid an RST on the TCP connection. */ - (void)SSL_read(backend->handle, buf, (int)sizeof(buf)); + if(cf->next && cf->next->connected) { + char buf[32]; + /* Maybe the server has already sent a close notify alert. + Read it to avoid an RST on the TCP connection. */ + (void)SSL_read(backend->handle, buf, (int)sizeof(buf)); - (void)SSL_shutdown(backend->handle); - SSL_set_connect_state(backend->handle); + (void)SSL_shutdown(backend->handle); + SSL_set_connect_state(backend->handle); + } SSL_free(backend->handle); backend->handle = NULL; @@ -1804,30 +1993,18 @@ static void ossl_closeone(struct Curl_easy *data, } /* - * This function is called when an SSL connection is closed. - */ -static void ossl_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) -{ - ossl_closeone(data, conn, &conn->ssl[sockindex]); -#ifndef CURL_DISABLE_PROXY - ossl_closeone(data, conn, &conn->proxy_ssl[sockindex]); -#endif -} - -/* * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int ossl_shutdown(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static int ossl_shutdown(struct Curl_cfilter *cf, + struct Curl_easy *data) { int retval = 0; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; char buf[256]; /* We will use this for the OpenSSL error buffer, so it has to be at least 256 bytes long. */ unsigned long sslerror; - ssize_t nread; + int nread; int buffsize; int err; bool done = FALSE; @@ -1849,15 +2026,15 @@ static int ossl_shutdown(struct Curl_easy *data, if(backend->handle) { buffsize = (int)sizeof(buf); while(!done && loop--) { - int what = SOCKET_READABLE(conn->sock[sockindex], + int what = SOCKET_READABLE(cf->conn->sock[cf->sockindex], SSL_SHUTDOWN_TIMEOUT); if(what > 0) { ERR_clear_error(); /* Something to read, let's do it and hope that it is the close notify alert from the server */ - nread = (ssize_t)SSL_read(backend->handle, buf, buffsize); - err = SSL_get_error(backend->handle, (int)nread); + nread = SSL_read(backend->handle, buf, buffsize); + err = SSL_get_error(backend->handle, nread); switch(err) { case SSL_ERROR_NONE: /* this is not an error */ @@ -2015,9 +2192,18 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, CURLcode result = CURLE_OK; bool dNSName = FALSE; /* if a dNSName field exists in the cert */ bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */ - const char * const hostname = SSL_HOST_NAME(); - const char * const dispname = SSL_HOST_DISPNAME(); - size_t hostlen = strlen(hostname); + const char *hostname, *dispname; + int port; + size_t hostlen; + + (void)conn; + Curl_conn_get_host(data, FIRSTSOCKET, &hostname, &dispname, &port); + hostlen = strlen(hostname); + +#ifndef ENABLE_IPV6 + /* Silence compiler warnings for unused params */ + (void) conn; +#endif #ifdef ENABLE_IPV6 if(conn->bits.ipv6_ip && @@ -2193,9 +2379,10 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) -static CURLcode verifystatus(struct Curl_easy *data, - struct ssl_connect_data *connssl) +static CURLcode verifystatus(struct Curl_cfilter *cf, + struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; int i, ocsp_status; unsigned char *status; const unsigned char *p; @@ -2476,18 +2663,24 @@ static void ossl_trace(int direction, int ssl_ver, int content_type, char unknown[32]; const char *verstr = NULL; struct connectdata *conn = userp; - struct ssl_connect_data *connssl = &conn->ssl[0]; - struct ssl_backend_data *backend = connssl->backend; + int cf_idx = ossl_get_ssl_cf_index(); + struct ssl_connect_data *connssl; struct Curl_easy *data = NULL; + struct Curl_cfilter *cf; - DEBUGASSERT(backend); - data = backend->logger; + DEBUGASSERT(cf_idx >= 0); + cf = (struct Curl_cfilter*) SSL_get_ex_data(ssl, cf_idx); + DEBUGASSERT(cf); + connssl = cf->ctx; + DEBUGASSERT(connssl); + DEBUGASSERT(connssl->backend); + data = connssl->backend->logger; if(!conn || !data || !data->set.fdebug || (direction != 0 && direction != 1)) return; - switch(ssl_ver) { + switch(ssl_ver) { #ifdef SSL2_VERSION /* removed in recent versions */ case SSL2_VERSION: verstr = "SSLv2"; @@ -2563,7 +2756,8 @@ static void ossl_trace(int direction, int ssl_ver, int content_type, msg_name = ssl_msg_type(ssl_ver, msg_type); } - txt_len = msnprintf(ssl_buf, sizeof(ssl_buf), "%s (%s), %s, %s (%d):\n", + txt_len = msnprintf(ssl_buf, sizeof(ssl_buf), + CFMSG(cf, "%s (%s), %s, %s (%d):\n"), verstr, direction?"OUT":"IN", tls_rt_name, msg_name, msg_type); if(0 <= txt_len && (unsigned)txt_len < sizeof(ssl_buf)) { @@ -2595,10 +2789,11 @@ static void ossl_trace(int direction, int ssl_ver, int content_type, #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */ static CURLcode -set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn) +set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx) { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); /* first, TLS min version... */ - long curl_ssl_version_min = SSL_CONN_CONFIG(version); + long curl_ssl_version_min = conn_config->version; long curl_ssl_version_max; /* convert curl min SSL version option to OpenSSL constant */ @@ -2642,7 +2837,7 @@ set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn) } /* ... then, TLS max version */ - curl_ssl_version_max = SSL_CONN_CONFIG(version_max); + curl_ssl_version_max = conn_config->version_max; /* convert curl max SSL version option to OpenSSL constant */ switch(curl_ssl_version_max) { @@ -2690,11 +2885,12 @@ typedef long ctx_option_t; #if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */ static CURLcode set_ssl_version_min_max_legacy(ctx_option_t *ctx_options, - struct Curl_easy *data, - struct connectdata *conn, int sockindex) + struct Curl_cfilter *cf, + struct Curl_easy *data) { - long ssl_version = SSL_CONN_CONFIG(version); - long ssl_version_max = SSL_CONN_CONFIG(version_max); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + long ssl_version = conn_config->version; + long ssl_version_max = conn_config->version_max; (void) data; /* In case it's unused. */ @@ -2702,14 +2898,12 @@ set_ssl_version_min_max_legacy(ctx_option_t *ctx_options, case CURL_SSLVERSION_TLSv1_3: #ifdef TLS1_3_VERSION { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct ssl_backend_data *backend = connssl->backend; - DEBUGASSERT(backend); - SSL_CTX_set_max_proto_version(backend->ctx, TLS1_3_VERSION); + struct ssl_connect_data *connssl = cf->ctx; + DEBUGASSERT(connssl->backend); + SSL_CTX_set_max_proto_version(connssl->backend->ctx, TLS1_3_VERSION); *ctx_options |= SSL_OP_NO_TLSv1_2; } #else - (void)sockindex; (void)ctx_options; failf(data, OSSL_PACKAGE " was built without TLS 1.3 support"); return CURLE_NOT_BUILT_IN; @@ -2770,31 +2964,30 @@ set_ssl_version_min_max_legacy(ctx_option_t *ctx_options, static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) { int res = 0; - struct connectdata *conn; struct Curl_easy *data; - int sockindex; + struct Curl_cfilter *cf; + const struct ssl_config_data *config; curl_socket_t *sockindex_ptr; int data_idx = ossl_get_ssl_data_index(); - int connectdata_idx = ossl_get_ssl_conn_index(); + int cf_idx = ossl_get_ssl_cf_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); int proxy_idx = ossl_get_proxy_index(); bool isproxy; - if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) + if(data_idx < 0 || cf_idx < 0 || sockindex_idx < 0 || proxy_idx < 0) return 0; - conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); + cf = (struct Curl_cfilter*) SSL_get_ex_data(ssl, cf_idx); data = (struct Curl_easy *) SSL_get_ex_data(ssl, data_idx); /* The sockindex has been stored as a pointer to an array element */ sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); - if(!conn || !data || !sockindex_ptr) + if(!cf || !data || !sockindex_ptr) return 0; - sockindex = (int)(sockindex_ptr - conn->sock); + isproxy = Curl_ssl_cf_is_proxy(cf); - isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE; - - if(SSL_SET_OPTION(primary.sessionid)) { + config = Curl_ssl_cf_get_config(cf, data); + if(config->primary.sessionid) { bool incache; bool added = FALSE; void *old_ssl_sessionid = NULL; @@ -2803,8 +2996,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) if(isproxy) incache = FALSE; else - incache = !(Curl_ssl_getsessionid(data, conn, isproxy, - &old_ssl_sessionid, NULL, sockindex)); + incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL)); if(incache) { if(old_ssl_sessionid != ssl_sessionid) { infof(data, "old SSL session ID is stale, removing"); @@ -2814,8 +3006,8 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) } if(!incache) { - if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, - 0 /* unknown size */, sockindex, &added)) { + if(!Curl_ssl_addsessionid(cf, data, ssl_sessionid, + 0 /* unknown size */, &added)) { if(added) { /* the session has been put into the session cache */ res = 1; @@ -2830,7 +3022,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) return res; } -static CURLcode load_cacert_from_memory(SSL_CTX *ctx, +static CURLcode load_cacert_from_memory(X509_STORE *store, const struct curl_blob *ca_info_blob) { /* these need to be freed at the end */ @@ -2839,16 +3031,11 @@ static CURLcode load_cacert_from_memory(SSL_CTX *ctx, /* everything else is just a reference */ int i, count = 0; - X509_STORE *cts = NULL; X509_INFO *itmp = NULL; if(ca_info_blob->len > (size_t)INT_MAX) return CURLE_SSL_CACERT_BADFILE; - cts = SSL_CTX_get_cert_store(ctx); - if(!cts) - return CURLE_OUT_OF_MEMORY; - cbio = BIO_new_mem_buf(ca_info_blob->data, (int)ca_info_blob->len); if(!cbio) return CURLE_OUT_OF_MEMORY; @@ -2863,7 +3050,7 @@ static CURLcode load_cacert_from_memory(SSL_CTX *ctx, for(i = 0; i < (int)sk_X509_INFO_num(inf); ++i) { itmp = sk_X509_INFO_value(inf, i); if(itmp->x509) { - if(X509_STORE_add_cert(cts, itmp->x509)) { + if(X509_STORE_add_cert(store, itmp->x509)) { ++count; } else { @@ -2873,7 +3060,7 @@ static CURLcode load_cacert_from_memory(SSL_CTX *ctx, } } if(itmp->crl) { - if(X509_STORE_add_crl(cts, itmp->crl)) { + if(X509_STORE_add_crl(store, itmp->crl)) { ++count; } else { @@ -2891,554 +3078,704 @@ static CURLcode load_cacert_from_memory(SSL_CTX *ctx, return (count > 0 ? CURLE_OK : CURLE_SSL_CACERT_BADFILE); } -static CURLcode ossl_connect_step1(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode populate_x509_store(struct Curl_cfilter *cf, + struct Curl_easy *data, + X509_STORE *store) { + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); CURLcode result = CURLE_OK; - char *ciphers; - SSL_METHOD_QUAL SSL_METHOD *req_method = NULL; X509_LOOKUP *lookup = NULL; - curl_socket_t sockfd = conn->sock[sockindex]; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - ctx_option_t ctx_options = 0; - void *ssl_sessionid = NULL; - -#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - bool sni; - const char * const hostname = SSL_HOST_NAME(); - -#ifdef ENABLE_IPV6 - struct in6_addr addr; -#else - struct in_addr addr; -#endif -#endif - const long int ssl_version = SSL_CONN_CONFIG(version); -#ifdef USE_OPENSSL_SRP - const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); -#endif - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); - const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob); - const char * const ssl_cert_type = SSL_SET_OPTION(cert_type); + const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; const char * const ssl_cafile = /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */ - (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); - const char * const ssl_capath = SSL_CONN_CONFIG(CApath); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); - char error_buffer[256]; - struct ssl_backend_data *backend = connssl->backend; + (ca_info_blob ? NULL : conn_config->CAfile); + const char * const ssl_capath = conn_config->CApath; + const char * const ssl_crlfile = ssl_config->primary.CRLfile; + const bool verifypeer = conn_config->verifypeer; bool imported_native_ca = false; - DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); - DEBUGASSERT(backend); - - /* Make funny stuff to get random input */ - result = ossl_seed(data); - if(result) - return result; + if(!store) + return CURLE_OUT_OF_MEMORY; - SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK; +#if defined(USE_WIN32_CRYPTO) + /* Import certificates from the Windows root certificate store if requested. + https://stackoverflow.com/questions/9507184/ + https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L1037 + https://datatracker.ietf.org/doc/html/rfc5280 */ + if((conn_config->verifypeer || conn_config->verifyhost) && + (ssl_config->native_ca_store)) { + HCERTSTORE hStore = CertOpenSystemStore(0, TEXT("ROOT")); - /* check to see if we've been told to use an explicit SSL/TLS version */ + if(hStore) { + PCCERT_CONTEXT pContext = NULL; + /* The array of enhanced key usage OIDs will vary per certificate and is + declared outside of the loop so that rather than malloc/free each + iteration we can grow it with realloc, when necessary. */ + CERT_ENHKEY_USAGE *enhkey_usage = NULL; + DWORD enhkey_usage_size = 0; - switch(ssl_version) { - case CURL_SSLVERSION_DEFAULT: - case CURL_SSLVERSION_TLSv1: - case CURL_SSLVERSION_TLSv1_0: - case CURL_SSLVERSION_TLSv1_1: - case CURL_SSLVERSION_TLSv1_2: - case CURL_SSLVERSION_TLSv1_3: - /* it will be handled later with the context options */ -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) - req_method = TLS_client_method(); -#else - req_method = SSLv23_client_method(); + /* This loop makes a best effort to import all valid certificates from + the MS root store. If a certificate cannot be imported it is skipped. + 'result' is used to store only hard-fail conditions (such as out of + memory) that cause an early break. */ + result = CURLE_OK; + for(;;) { + X509 *x509; + FILETIME now; + BYTE key_usage[2]; + DWORD req_size; + const unsigned char *encoded_cert; +#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) + char cert_name[256]; #endif - use_sni(TRUE); - break; - case CURL_SSLVERSION_SSLv2: - failf(data, "No SSLv2 support"); - return CURLE_NOT_BUILT_IN; - case CURL_SSLVERSION_SSLv3: - failf(data, "No SSLv3 support"); - return CURLE_NOT_BUILT_IN; - default: - failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); - return CURLE_SSL_CONNECT_ERROR; - } - DEBUGASSERT(!backend->ctx); - backend->ctx = SSL_CTX_new(req_method); - - if(!backend->ctx) { - failf(data, "SSL: couldn't create a context: %s", - ossl_strerror(ERR_peek_error(), error_buffer, sizeof(error_buffer))); - return CURLE_OUT_OF_MEMORY; - } + pContext = CertEnumCertificatesInStore(hStore, pContext); + if(!pContext) + break; -#ifdef SSL_MODE_RELEASE_BUFFERS - SSL_CTX_set_mode(backend->ctx, SSL_MODE_RELEASE_BUFFERS); +#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) + if(!CertGetNameStringA(pContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, + NULL, cert_name, sizeof(cert_name))) { + strcpy(cert_name, "Unknown"); + } + infof(data, "SSL: Checking cert \"%s\"", cert_name); #endif -#ifdef SSL_CTRL_SET_MSG_CALLBACK - if(data->set.fdebug && data->set.verbose) { - /* the SSL trace callback is only used for verbose logging */ - SSL_CTX_set_msg_callback(backend->ctx, ossl_trace); - SSL_CTX_set_msg_callback_arg(backend->ctx, conn); - set_logger(conn, data); - } -#endif + encoded_cert = (const unsigned char *)pContext->pbCertEncoded; + if(!encoded_cert) + continue; - /* OpenSSL contains code to work around lots of bugs and flaws in various - SSL-implementations. SSL_CTX_set_options() is used to enabled those - work-arounds. The man page for this option states that SSL_OP_ALL enables - all the work-arounds and that "It is usually safe to use SSL_OP_ALL to - enable the bug workaround options if compatibility with somewhat broken - implementations is desired." + GetSystemTimeAsFileTime(&now); + if(CompareFileTime(&pContext->pCertInfo->NotBefore, &now) > 0 || + CompareFileTime(&now, &pContext->pCertInfo->NotAfter) > 0) + continue; - The "-no_ticket" option was introduced in OpenSSL 0.9.8j. It's a flag to - disable "rfc4507bis session ticket support". rfc4507bis was later turned - into the proper RFC5077: https://datatracker.ietf.org/doc/html/rfc5077 + /* If key usage exists check for signing attribute */ + if(CertGetIntendedKeyUsage(pContext->dwCertEncodingType, + pContext->pCertInfo, + key_usage, sizeof(key_usage))) { + if(!(key_usage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE)) + continue; + } + else if(GetLastError()) + continue; - The enabled extension concerns the session management. I wonder how often - libcurl stops a connection and then resumes a TLS session. Also, sending - the session data is some overhead. I suggest that you just use your - proposed patch (which explicitly disables TICKET). + /* If enhanced key usage exists check for server auth attribute. + * + * Note "In a Microsoft environment, a certificate might also have EKU + * extended properties that specify valid uses for the certificate." + * The call below checks both, and behavior varies depending on what is + * found. For more details see CertGetEnhancedKeyUsage doc. + */ + if(CertGetEnhancedKeyUsage(pContext, 0, NULL, &req_size)) { + if(req_size && req_size > enhkey_usage_size) { + void *tmp = realloc(enhkey_usage, req_size); - If someone writes an application with libcurl and OpenSSL who wants to - enable the feature, one can do this in the SSL callback. + if(!tmp) { + failf(data, "SSL: Out of memory allocating for OID list"); + result = CURLE_OUT_OF_MEMORY; + break; + } - SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper - interoperability with web server Netscape Enterprise Server 2.0.1 which - was released back in 1996. + enhkey_usage = (CERT_ENHKEY_USAGE *)tmp; + enhkey_usage_size = req_size; + } - Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has - become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate - CVE-2010-4180 when using previous OpenSSL versions we no longer enable - this option regardless of OpenSSL version and SSL_OP_ALL definition. + if(CertGetEnhancedKeyUsage(pContext, 0, enhkey_usage, &req_size)) { + if(!enhkey_usage->cUsageIdentifier) { + /* "If GetLastError returns CRYPT_E_NOT_FOUND, the certificate is + good for all uses. If it returns zero, the certificate has no + valid uses." */ + if((HRESULT)GetLastError() != CRYPT_E_NOT_FOUND) + continue; + } + else { + DWORD i; + bool found = false; - OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability - (https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to - SSL_OP_ALL that _disables_ that work-around despite the fact that - SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to - keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit - must not be set. - */ + for(i = 0; i < enhkey_usage->cUsageIdentifier; ++i) { + if(!strcmp("1.3.6.1.5.5.7.3.1" /* OID server auth */, + enhkey_usage->rgpszUsageIdentifier[i])) { + found = true; + break; + } + } - ctx_options = SSL_OP_ALL; + if(!found) + continue; + } + } + else + continue; + } + else + continue; -#ifdef SSL_OP_NO_TICKET - ctx_options |= SSL_OP_NO_TICKET; -#endif + x509 = d2i_X509(NULL, &encoded_cert, pContext->cbCertEncoded); + if(!x509) + continue; -#ifdef SSL_OP_NO_COMPRESSION - ctx_options |= SSL_OP_NO_COMPRESSION; + /* Try to import the certificate. This may fail for legitimate reasons + such as duplicate certificate, which is allowed by MS but not + OpenSSL. */ + if(X509_STORE_add_cert(store, x509) == 1) { +#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) + infof(data, "SSL: Imported cert \"%s\"", cert_name); #endif + imported_native_ca = true; + } + X509_free(x509); + } -#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG - /* mitigate CVE-2010-4180 */ - ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; -#endif + free(enhkey_usage); + CertFreeCertificateContext(pContext); + CertCloseStore(hStore, 0); -#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - /* unless the user explicitly asks to allow the protocol vulnerability we - use the work-around */ - if(!SSL_SET_OPTION(enable_beast)) - ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + if(result) + return result; + } + if(imported_native_ca) + infof(data, "successfully imported Windows CA store"); + else + infof(data, "error importing Windows CA store, continuing anyway"); + } #endif - switch(ssl_version) { - case CURL_SSLVERSION_SSLv2: - case CURL_SSLVERSION_SSLv3: - return CURLE_NOT_BUILT_IN; - - /* "--tlsv" options mean TLS >= version */ - case CURL_SSLVERSION_DEFAULT: - case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */ - case CURL_SSLVERSION_TLSv1_0: /* TLS >= version 1.0 */ - case CURL_SSLVERSION_TLSv1_1: /* TLS >= version 1.1 */ - case CURL_SSLVERSION_TLSv1_2: /* TLS >= version 1.2 */ - case CURL_SSLVERSION_TLSv1_3: /* TLS >= version 1.3 */ - /* asking for any TLS version as the minimum, means no SSL versions - allowed */ - ctx_options |= SSL_OP_NO_SSLv2; - ctx_options |= SSL_OP_NO_SSLv3; + if(ca_info_blob) { + result = load_cacert_from_memory(store, ca_info_blob); + if(result) { + if(result == CURLE_OUT_OF_MEMORY || + (verifypeer && !imported_native_ca)) { + failf(data, "error importing CA certificate blob"); + return result; + } + /* Only warn if no certificate verification is required. */ + infof(data, "error importing CA certificate blob, continuing anyway"); + } + } -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */ - result = set_ssl_version_min_max(backend->ctx, conn); + if(verifypeer && !imported_native_ca && (ssl_cafile || ssl_capath)) { +#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) + /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */ + if(ssl_cafile && + !X509_STORE_load_file(store, ssl_cafile)) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate file: %s", ssl_cafile); + return CURLE_SSL_CACERT_BADFILE; + } + if(ssl_capath && + !X509_STORE_load_path(store, ssl_capath)) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate path: %s", ssl_capath); + return CURLE_SSL_CACERT_BADFILE; + } #else - result = set_ssl_version_min_max_legacy(&ctx_options, data, conn, - sockindex); + /* tell OpenSSL where to find CA certificates that are used to verify the + server's certificate. */ + if(!X509_STORE_load_locations(store, ssl_cafile, ssl_capath)) { + /* Fail if we insist on successfully verifying the server. */ + failf(data, "error setting certificate verify locations:" + " CAfile: %s CApath: %s", + ssl_cafile ? ssl_cafile : "none", + ssl_capath ? ssl_capath : "none"); + return CURLE_SSL_CACERT_BADFILE; + } #endif - if(result != CURLE_OK) - return result; - break; + infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); + infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none"); + } - default: - failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); - return CURLE_SSL_CONNECT_ERROR; +#ifdef CURL_CA_FALLBACK + if(verifypeer && + !ca_info_blob && !ssl_cafile && !ssl_capath && !imported_native_ca) { + /* verifying the peer without any CA certificates won't + work so use openssl's built-in default as fallback */ + X509_STORE_set_default_paths(store); } +#endif - SSL_CTX_set_options(backend->ctx, ctx_options); + if(ssl_crlfile) { + /* tell OpenSSL where to find CRL file that is used to check certificate + * revocation */ + lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); + if(!lookup || + (!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM)) ) { + failf(data, "error loading CRL file: %s", ssl_crlfile); + return CURLE_SSL_CRL_BADFILE; + } + /* Everything is fine. */ + infof(data, "successfully loaded CRL file:"); + X509_STORE_set_flags(store, + X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); -#ifdef HAS_ALPN - if(conn->bits.tls_enable_alpn) { - int cur = 0; - unsigned char protocols[128]; + infof(data, " CRLfile: %s", ssl_crlfile); + } -#ifdef USE_HTTP2 - if(data->state.httpwant >= CURL_HTTP_VERSION_2 -#ifndef CURL_DISABLE_PROXY - && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) + if(verifypeer) { + /* Try building a chain using issuers in the trusted store first to avoid + problems with server-sent legacy intermediates. Newer versions of + OpenSSL do alternate chain checking by default but we do not know how to + determine that in a reliable manner. + https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest + */ +#if defined(X509_V_FLAG_TRUSTED_FIRST) + X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST); #endif - ) { - protocols[cur++] = ALPN_H2_LENGTH; +#ifdef X509_V_FLAG_PARTIAL_CHAIN + if(!ssl_config->no_partialchain && !ssl_crlfile) { + /* Have intermediate certificates in the trust store be treated as + trust-anchors, in the same way as self-signed root CA certificates + are. This allows users to verify servers using the intermediate cert + only, instead of needing the whole chain. - memcpy(&protocols[cur], ALPN_H2, ALPN_H2_LENGTH); - cur += ALPN_H2_LENGTH; - infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); + Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we + cannot do partial chains with a CRL check. + */ + X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN); } #endif + } - protocols[cur++] = ALPN_HTTP_1_1_LENGTH; - memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH); - cur += ALPN_HTTP_1_1_LENGTH; - infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); + return result; +} - /* expects length prefixed preference ordered list of protocols in wire - * format - */ - if(SSL_CTX_set_alpn_protos(backend->ctx, protocols, cur)) { - failf(data, "Error setting ALPN"); - return CURLE_SSL_CONNECT_ERROR; - } +#if defined(HAVE_SSL_X509_STORE_SHARE) +static bool cached_x509_store_expired(const struct Curl_easy *data, + const struct multi_ssl_backend_data *mb) +{ + const struct ssl_general_config *cfg = &data->set.general_ssl; + struct curltime now = Curl_now(); + timediff_t elapsed_ms = Curl_timediff(now, mb->time); + timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000; + + if(timeout_ms < 0) + return false; + + return elapsed_ms >= timeout_ms; +} + +static bool cached_x509_store_different( + struct Curl_cfilter *cf, + const struct multi_ssl_backend_data *mb) +{ + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + if(!mb->CAfile || !conn_config->CAfile) + return mb->CAfile != conn_config->CAfile; + + return strcmp(mb->CAfile, conn_config->CAfile); +} + +static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf, + const struct Curl_easy *data) +{ + struct Curl_multi *multi = data->multi_easy ? data->multi_easy : data->multi; + X509_STORE *store = NULL; + + if(multi && + multi->ssl_backend_data && + multi->ssl_backend_data->store && + !cached_x509_store_expired(data, multi->ssl_backend_data) && + !cached_x509_store_different(cf, multi->ssl_backend_data)) { + store = multi->ssl_backend_data->store; } -#endif - if(ssl_cert || ssl_cert_blob || ssl_cert_type) { - if(!result && - !cert_stuff(data, backend->ctx, - ssl_cert, ssl_cert_blob, ssl_cert_type, - SSL_SET_OPTION(key), SSL_SET_OPTION(key_blob), - SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd))) - result = CURLE_SSL_CERTPROBLEM; - if(result) - /* failf() is already done in cert_stuff() */ - return result; + return store; +} + +static void set_cached_x509_store(struct Curl_cfilter *cf, + const struct Curl_easy *data, + X509_STORE *store) +{ + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct Curl_multi *multi = data->multi_easy ? data->multi_easy : data->multi; + struct multi_ssl_backend_data *mbackend; + + if(!multi) + return; + + if(!multi->ssl_backend_data) { + multi->ssl_backend_data = calloc(1, sizeof(struct multi_ssl_backend_data)); + if(!multi->ssl_backend_data) + return; } - ciphers = SSL_CONN_CONFIG(cipher_list); - if(!ciphers) - ciphers = (char *)DEFAULT_CIPHER_SELECTION; - if(ciphers) { - if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) { - failf(data, "failed setting cipher list: %s", ciphers); - return CURLE_SSL_CIPHER; + mbackend = multi->ssl_backend_data; + + if(X509_STORE_up_ref(store)) { + char *CAfile = NULL; + + if(conn_config->CAfile) { + CAfile = strdup(conn_config->CAfile); + if(!CAfile) { + X509_STORE_free(store); + return; + } } - infof(data, "Cipher selection: %s", ciphers); + + if(mbackend->store) { + X509_STORE_free(mbackend->store); + free(mbackend->CAfile); + } + + mbackend->time = Curl_now(); + mbackend->store = store; + mbackend->CAfile = CAfile; } +} -#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES - { - char *ciphers13 = SSL_CONN_CONFIG(cipher_list13); - if(ciphers13) { - if(!SSL_CTX_set_ciphersuites(backend->ctx, ciphers13)) { - failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13); - return CURLE_SSL_CIPHER; - } - infof(data, "TLS 1.3 cipher selection: %s", ciphers13); +static CURLcode set_up_x509_store(struct Curl_cfilter *cf, + struct Curl_easy *data, + struct ssl_backend_data *backend) +{ + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + CURLcode result = CURLE_OK; + X509_STORE *cached_store; + bool cache_criteria_met; + + /* Consider the X509 store cacheable if it comes exclusively from a CAfile, + or no source is provided and we are falling back to openssl's built-in + default. */ + cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) && + conn_config->verifypeer && + !conn_config->CApath && + !conn_config->ca_info_blob && + !ssl_config->primary.CRLfile && + !ssl_config->native_ca_store; + + cached_store = get_cached_x509_store(cf, data); + if(cached_store && cache_criteria_met && X509_STORE_up_ref(cached_store)) { + SSL_CTX_set_cert_store(backend->ctx, cached_store); + } + else { + X509_STORE *store = SSL_CTX_get_cert_store(backend->ctx); + + result = populate_x509_store(cf, data, store); + if(result == CURLE_OK && cache_criteria_met) { + set_cached_x509_store(cf, data, store); } } + + return result; +} +#else /* HAVE_SSL_X509_STORE_SHARE */ +static CURLcode set_up_x509_store(struct Curl_cfilter *cf, + struct Curl_easy *data, + struct ssl_backend_data *backend) +{ + X509_STORE *store = SSL_CTX_get_cert_store(backend->ctx); + + return populate_x509_store(cf, data, store); +} +#endif /* HAVE_SSL_X509_STORE_SHARE */ + +static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + CURLcode result = CURLE_OK; + char *ciphers; + SSL_METHOD_QUAL SSL_METHOD *req_method = NULL; + struct ssl_connect_data *connssl = cf->ctx; + ctx_option_t ctx_options = 0; + void *ssl_sessionid = NULL; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + BIO *bio; + +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + bool sni; + const char *hostname = connssl->hostname; + +#ifdef ENABLE_IPV6 + struct in6_addr addr; +#else + struct in_addr addr; +#endif +#endif + const long int ssl_version = conn_config->version; +#ifdef USE_OPENSSL_SRP + const enum CURL_TLSAUTH ssl_authtype = ssl_config->primary.authtype; #endif + char * const ssl_cert = ssl_config->primary.clientcert; + const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob; + const char * const ssl_cert_type = ssl_config->cert_type; + const bool verifypeer = conn_config->verifypeer; + char error_buffer[256]; + struct ssl_backend_data *backend = connssl->backend; -#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH - /* OpenSSL 1.1.1 requires clients to opt-in for PHA */ - SSL_CTX_set_post_handshake_auth(backend->ctx, 1); + DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); + DEBUGASSERT(backend); + + /* Make funny stuff to get random input */ + result = ossl_seed(data); + if(result) + return result; + + ssl_config->certverifyresult = !X509_V_OK; + + /* check to see if we've been told to use an explicit SSL/TLS version */ + + switch(ssl_version) { + case CURL_SSLVERSION_DEFAULT: + case CURL_SSLVERSION_TLSv1: + case CURL_SSLVERSION_TLSv1_0: + case CURL_SSLVERSION_TLSv1_1: + case CURL_SSLVERSION_TLSv1_2: + case CURL_SSLVERSION_TLSv1_3: + /* it will be handled later with the context options */ +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + req_method = TLS_client_method(); +#else + req_method = SSLv23_client_method(); #endif + use_sni(TRUE); + break; + case CURL_SSLVERSION_SSLv2: + failf(data, "No SSLv2 support"); + return CURLE_NOT_BUILT_IN; + case CURL_SSLVERSION_SSLv3: + failf(data, "No SSLv3 support"); + return CURLE_NOT_BUILT_IN; + default: + failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); + return CURLE_SSL_CONNECT_ERROR; + } -#ifdef HAVE_SSL_CTX_SET_EC_CURVES - { - char *curves = SSL_CONN_CONFIG(curves); - if(curves) { - if(!SSL_CTX_set1_curves_list(backend->ctx, curves)) { - failf(data, "failed setting curves list: '%s'", curves); - return CURLE_SSL_CIPHER; - } - } + if(backend->ctx) { + /* This happens when an error was encountered before in this + * step and we are called to do it again. Get rid of any leftover + * from the previous call. */ + ossl_close(cf, data); } -#endif + backend->ctx = SSL_CTX_new(req_method); -#ifdef USE_OPENSSL_SRP - if((ssl_authtype == CURL_TLSAUTH_SRP) && - Curl_auth_allowed_to_host(data)) { - char * const ssl_username = SSL_SET_OPTION(primary.username); - char * const ssl_password = SSL_SET_OPTION(primary.password); - infof(data, "Using TLS-SRP username: %s", ssl_username); + if(!backend->ctx) { + failf(data, "SSL: couldn't create a context: %s", + ossl_strerror(ERR_peek_error(), error_buffer, sizeof(error_buffer))); + return CURLE_OUT_OF_MEMORY; + } - if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { - failf(data, "Unable to set SRP user name"); - return CURLE_BAD_FUNCTION_ARGUMENT; - } - if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { - failf(data, "failed setting SRP password"); - return CURLE_BAD_FUNCTION_ARGUMENT; - } - if(!SSL_CONN_CONFIG(cipher_list)) { - infof(data, "Setting cipher list SRP"); +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(backend->ctx, SSL_MODE_RELEASE_BUFFERS); +#endif - if(!SSL_CTX_set_cipher_list(backend->ctx, "SRP")) { - failf(data, "failed setting SRP cipher list"); - return CURLE_SSL_CIPHER; - } - } +#ifdef SSL_CTRL_SET_MSG_CALLBACK + if(data->set.fdebug && data->set.verbose) { + /* the SSL trace callback is only used for verbose logging */ + SSL_CTX_set_msg_callback(backend->ctx, ossl_trace); + SSL_CTX_set_msg_callback_arg(backend->ctx, cf->conn); + set_logger(connssl, data); } #endif + /* OpenSSL contains code to work around lots of bugs and flaws in various + SSL-implementations. SSL_CTX_set_options() is used to enabled those + work-arounds. The man page for this option states that SSL_OP_ALL enables + all the work-arounds and that "It is usually safe to use SSL_OP_ALL to + enable the bug workaround options if compatibility with somewhat broken + implementations is desired." -#if defined(USE_WIN32_CRYPTO) - /* Import certificates from the Windows root certificate store if requested. - https://stackoverflow.com/questions/9507184/ - https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L1037 - https://datatracker.ietf.org/doc/html/rfc5280 */ - if((SSL_CONN_CONFIG(verifypeer) || SSL_CONN_CONFIG(verifyhost)) && - (SSL_SET_OPTION(native_ca_store))) { - X509_STORE *store = SSL_CTX_get_cert_store(backend->ctx); - HCERTSTORE hStore = CertOpenSystemStore(0, TEXT("ROOT")); + The "-no_ticket" option was introduced in OpenSSL 0.9.8j. It's a flag to + disable "rfc4507bis session ticket support". rfc4507bis was later turned + into the proper RFC5077: https://datatracker.ietf.org/doc/html/rfc5077 - if(hStore) { - PCCERT_CONTEXT pContext = NULL; - /* The array of enhanced key usage OIDs will vary per certificate and is - declared outside of the loop so that rather than malloc/free each - iteration we can grow it with realloc, when necessary. */ - CERT_ENHKEY_USAGE *enhkey_usage = NULL; - DWORD enhkey_usage_size = 0; + The enabled extension concerns the session management. I wonder how often + libcurl stops a connection and then resumes a TLS session. Also, sending + the session data is some overhead. I suggest that you just use your + proposed patch (which explicitly disables TICKET). - /* This loop makes a best effort to import all valid certificates from - the MS root store. If a certificate cannot be imported it is skipped. - 'result' is used to store only hard-fail conditions (such as out of - memory) that cause an early break. */ - result = CURLE_OK; - for(;;) { - X509 *x509; - FILETIME now; - BYTE key_usage[2]; - DWORD req_size; - const unsigned char *encoded_cert; -#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) - char cert_name[256]; -#endif + If someone writes an application with libcurl and OpenSSL who wants to + enable the feature, one can do this in the SSL callback. - pContext = CertEnumCertificatesInStore(hStore, pContext); - if(!pContext) - break; + SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper + interoperability with web server Netscape Enterprise Server 2.0.1 which + was released back in 1996. -#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) - if(!CertGetNameStringA(pContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0, - NULL, cert_name, sizeof(cert_name))) { - strcpy(cert_name, "Unknown"); - } - infof(data, "SSL: Checking cert \"%s\"", cert_name); + Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has + become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate + CVE-2010-4180 when using previous OpenSSL versions we no longer enable + this option regardless of OpenSSL version and SSL_OP_ALL definition. + + OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability + (https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to + SSL_OP_ALL that _disables_ that work-around despite the fact that + SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to + keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit + must not be set. + */ + + ctx_options = SSL_OP_ALL; + +#ifdef SSL_OP_NO_TICKET + ctx_options |= SSL_OP_NO_TICKET; #endif - encoded_cert = (const unsigned char *)pContext->pbCertEncoded; - if(!encoded_cert) - continue; +#ifdef SSL_OP_NO_COMPRESSION + ctx_options |= SSL_OP_NO_COMPRESSION; +#endif - GetSystemTimeAsFileTime(&now); - if(CompareFileTime(&pContext->pCertInfo->NotBefore, &now) > 0 || - CompareFileTime(&now, &pContext->pCertInfo->NotAfter) > 0) - continue; +#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG + /* mitigate CVE-2010-4180 */ + ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG; +#endif - /* If key usage exists check for signing attribute */ - if(CertGetIntendedKeyUsage(pContext->dwCertEncodingType, - pContext->pCertInfo, - key_usage, sizeof(key_usage))) { - if(!(key_usage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE)) - continue; - } - else if(GetLastError()) - continue; +#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS + /* unless the user explicitly asks to allow the protocol vulnerability we + use the work-around */ + if(!ssl_config->enable_beast) + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; +#endif - /* If enhanced key usage exists check for server auth attribute. - * - * Note "In a Microsoft environment, a certificate might also have EKU - * extended properties that specify valid uses for the certificate." - * The call below checks both, and behavior varies depending on what is - * found. For more details see CertGetEnhancedKeyUsage doc. - */ - if(CertGetEnhancedKeyUsage(pContext, 0, NULL, &req_size)) { - if(req_size && req_size > enhkey_usage_size) { - void *tmp = realloc(enhkey_usage, req_size); + switch(ssl_version) { + case CURL_SSLVERSION_SSLv2: + case CURL_SSLVERSION_SSLv3: + return CURLE_NOT_BUILT_IN; - if(!tmp) { - failf(data, "SSL: Out of memory allocating for OID list"); - result = CURLE_OUT_OF_MEMORY; - break; - } + /* "--tlsv" options mean TLS >= version */ + case CURL_SSLVERSION_DEFAULT: + case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */ + case CURL_SSLVERSION_TLSv1_0: /* TLS >= version 1.0 */ + case CURL_SSLVERSION_TLSv1_1: /* TLS >= version 1.1 */ + case CURL_SSLVERSION_TLSv1_2: /* TLS >= version 1.2 */ + case CURL_SSLVERSION_TLSv1_3: /* TLS >= version 1.3 */ + /* asking for any TLS version as the minimum, means no SSL versions + allowed */ + ctx_options |= SSL_OP_NO_SSLv2; + ctx_options |= SSL_OP_NO_SSLv3; - enhkey_usage = (CERT_ENHKEY_USAGE *)tmp; - enhkey_usage_size = req_size; - } +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */ + result = set_ssl_version_min_max(cf, backend->ctx); +#else + result = set_ssl_version_min_max_legacy(&ctx_options, cf, data); +#endif + if(result != CURLE_OK) + return result; + break; - if(CertGetEnhancedKeyUsage(pContext, 0, enhkey_usage, &req_size)) { - if(!enhkey_usage->cUsageIdentifier) { - /* "If GetLastError returns CRYPT_E_NOT_FOUND, the certificate is - good for all uses. If it returns zero, the certificate has no - valid uses." */ - if((HRESULT)GetLastError() != CRYPT_E_NOT_FOUND) - continue; - } - else { - DWORD i; - bool found = false; + default: + failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION"); + return CURLE_SSL_CONNECT_ERROR; + } - for(i = 0; i < enhkey_usage->cUsageIdentifier; ++i) { - if(!strcmp("1.3.6.1.5.5.7.3.1" /* OID server auth */, - enhkey_usage->rgpszUsageIdentifier[i])) { - found = true; - break; - } - } + SSL_CTX_set_options(backend->ctx, ctx_options); - if(!found) - continue; - } - } - else - continue; - } - else - continue; +#ifdef HAS_ALPN + if(cf->conn->bits.tls_enable_alpn) { + int cur = 0; + unsigned char protocols[128]; - x509 = d2i_X509(NULL, &encoded_cert, pContext->cbCertEncoded); - if(!x509) - continue; +#ifdef USE_HTTP2 + if(data->state.httpwant >= CURL_HTTP_VERSION_2 +#ifndef CURL_DISABLE_PROXY + && (!Curl_ssl_cf_is_proxy(cf) || !cf->conn->bits.tunnel_proxy) +#endif + ) { + protocols[cur++] = ALPN_H2_LENGTH; - /* Try to import the certificate. This may fail for legitimate reasons - such as duplicate certificate, which is allowed by MS but not - OpenSSL. */ - if(X509_STORE_add_cert(store, x509) == 1) { -#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) - infof(data, "SSL: Imported cert \"%s\"", cert_name); + memcpy(&protocols[cur], ALPN_H2, ALPN_H2_LENGTH); + cur += ALPN_H2_LENGTH; + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); + } #endif - imported_native_ca = true; - } - X509_free(x509); - } - free(enhkey_usage); - CertFreeCertificateContext(pContext); - CertCloseStore(hStore, 0); + protocols[cur++] = ALPN_HTTP_1_1_LENGTH; + memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH); + cur += ALPN_HTTP_1_1_LENGTH; + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); - if(result) - return result; + /* expects length prefixed preference ordered list of protocols in wire + * format + */ + if(SSL_CTX_set_alpn_protos(backend->ctx, protocols, cur)) { + failf(data, "Error setting ALPN"); + return CURLE_SSL_CONNECT_ERROR; } - if(imported_native_ca) - infof(data, "successfully imported Windows CA store"); - else - infof(data, "error importing Windows CA store, continuing anyway"); } #endif - if(ca_info_blob) { - result = load_cacert_from_memory(backend->ctx, ca_info_blob); - if(result) { - if(result == CURLE_OUT_OF_MEMORY || - (verifypeer && !imported_native_ca)) { - failf(data, "error importing CA certificate blob"); - return result; - } - /* Only warn if no certificate verification is required. */ - infof(data, "error importing CA certificate blob, continuing anyway"); - } + if(ssl_cert || ssl_cert_blob || ssl_cert_type) { + if(!result && + !cert_stuff(data, backend->ctx, + ssl_cert, ssl_cert_blob, ssl_cert_type, + ssl_config->key, ssl_config->key_blob, + ssl_config->key_type, ssl_config->key_passwd)) + result = CURLE_SSL_CERTPROBLEM; + if(result) + /* failf() is already done in cert_stuff() */ + return result; } - if(verifypeer && !imported_native_ca && (ssl_cafile || ssl_capath)) { -#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3) - /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */ - if(ssl_cafile && - !SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) { - /* Fail if we insist on successfully verifying the server. */ - failf(data, "error setting certificate file: %s", ssl_cafile); - return CURLE_SSL_CACERT_BADFILE; - } - if(ssl_capath && - !SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) { - /* Fail if we insist on successfully verifying the server. */ - failf(data, "error setting certificate path: %s", ssl_capath); - return CURLE_SSL_CACERT_BADFILE; - } -#else - /* tell OpenSSL where to find CA certificates that are used to verify the - server's certificate. */ - if(!SSL_CTX_load_verify_locations(backend->ctx, ssl_cafile, ssl_capath)) { - /* Fail if we insist on successfully verifying the server. */ - failf(data, "error setting certificate verify locations:" - " CAfile: %s CApath: %s", - ssl_cafile ? ssl_cafile : "none", - ssl_capath ? ssl_capath : "none"); - return CURLE_SSL_CACERT_BADFILE; + ciphers = conn_config->cipher_list; + if(!ciphers) + ciphers = (char *)DEFAULT_CIPHER_SELECTION; + if(ciphers) { + if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) { + failf(data, "failed setting cipher list: %s", ciphers); + return CURLE_SSL_CIPHER; } -#endif - infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); - infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none"); + infof(data, "Cipher selection: %s", ciphers); } -#ifdef CURL_CA_FALLBACK - if(verifypeer && - !ca_info_blob && !ssl_cafile && !ssl_capath && !imported_native_ca) { - /* verifying the peer without any CA certificates won't - work so use openssl's built-in default as fallback */ - SSL_CTX_set_default_verify_paths(backend->ctx); +#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES + { + char *ciphers13 = conn_config->cipher_list13; + if(ciphers13) { + if(!SSL_CTX_set_ciphersuites(backend->ctx, ciphers13)) { + failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13); + return CURLE_SSL_CIPHER; + } + infof(data, "TLS 1.3 cipher selection: %s", ciphers13); + } } #endif - if(ssl_crlfile) { - /* tell OpenSSL where to find CRL file that is used to check certificate - * revocation */ - lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(backend->ctx), - X509_LOOKUP_file()); - if(!lookup || - (!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM)) ) { - failf(data, "error loading CRL file: %s", ssl_crlfile); - return CURLE_SSL_CRL_BADFILE; - } - /* Everything is fine. */ - infof(data, "successfully loaded CRL file:"); - X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx), - X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); +#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH + /* OpenSSL 1.1.1 requires clients to opt-in for PHA */ + SSL_CTX_set_post_handshake_auth(backend->ctx, 1); +#endif - infof(data, " CRLfile: %s", ssl_crlfile); +#ifdef HAVE_SSL_CTX_SET_EC_CURVES + { + char *curves = conn_config->curves; + if(curves) { + if(!SSL_CTX_set1_curves_list(backend->ctx, curves)) { + failf(data, "failed setting curves list: '%s'", curves); + return CURLE_SSL_CIPHER; + } + } } - - if(verifypeer) { - /* Try building a chain using issuers in the trusted store first to avoid - problems with server-sent legacy intermediates. Newer versions of - OpenSSL do alternate chain checking by default but we do not know how to - determine that in a reliable manner. - https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest - */ -#if defined(X509_V_FLAG_TRUSTED_FIRST) - X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx), - X509_V_FLAG_TRUSTED_FIRST); #endif -#ifdef X509_V_FLAG_PARTIAL_CHAIN - if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) { - /* Have intermediate certificates in the trust store be treated as - trust-anchors, in the same way as self-signed root CA certificates - are. This allows users to verify servers using the intermediate cert - only, instead of needing the whole chain. - Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we - cannot do partial chains with a CRL check. - */ - X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx), - X509_V_FLAG_PARTIAL_CHAIN); +#ifdef USE_OPENSSL_SRP + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_auth_allowed_to_host(data)) { + char * const ssl_username = ssl_config->primary.username; + char * const ssl_password = ssl_config->primary.password; + infof(data, "Using TLS-SRP username: %s", ssl_username); + + if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { + failf(data, "Unable to set SRP user name"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } + if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { + failf(data, "failed setting SRP password"); + return CURLE_BAD_FUNCTION_ARGUMENT; + } + if(!conn_config->cipher_list) { + infof(data, "Setting cipher list SRP"); + + if(!SSL_CTX_set_cipher_list(backend->ctx, "SRP")) { + failf(data, "failed setting SRP cipher list"); + return CURLE_SSL_CIPHER; + } } -#endif } +#endif + + result = set_up_x509_store(cf, data, backend); + if(result) + return result; /* OpenSSL always tries to verify the peer, this only says whether it should * fail to connect if the verification fails, or if it should continue @@ -3485,7 +3822,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) - if(SSL_CONN_CONFIG(verifystatus)) + if(conn_config->verifystatus) SSL_set_tlsext_status_type(backend->handle, TLSEXT_STATUSTYPE_ocsp); #endif @@ -3510,18 +3847,17 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, } #endif - if(!ossl_associate_connection(data, conn, sockindex)) { + if(!ossl_attach_data(cf, data)) { /* Maybe the internal errors of SSL_get_ex_new_index or SSL_set_ex_data */ - failf(data, "SSL: ossl_associate_connection failed: %s", + failf(data, "SSL: ossl_attach_data failed: %s", ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer))); return CURLE_SSL_CONNECT_ERROR; } - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, - &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(cf, data, &ssl_sessionid, NULL)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { Curl_ssl_sessionid_unlock(data); @@ -3536,40 +3872,25 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, Curl_ssl_sessionid_unlock(data); } -#ifndef CURL_DISABLE_PROXY - if(conn->proxy_ssl[sockindex].use) { - BIO *const bio = BIO_new(BIO_f_ssl()); - struct ssl_backend_data *proxy_backend; - SSL* handle = NULL; - proxy_backend = conn->proxy_ssl[sockindex].backend; - DEBUGASSERT(proxy_backend); - handle = proxy_backend->handle; - DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state); - DEBUGASSERT(handle != NULL); - DEBUGASSERT(bio != NULL); - BIO_set_ssl(bio, handle, FALSE); - SSL_set_bio(backend->handle, bio, bio); - } - else -#endif - if(!SSL_set_fd(backend->handle, (int)sockfd)) { - /* pass the raw socket into the SSL layers */ - failf(data, "SSL: SSL_set_fd failed: %s", - ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer))); - return CURLE_SSL_CONNECT_ERROR; - } + bio = BIO_new(bio_cf_method); + if(!bio) + return CURLE_OUT_OF_MEMORY; + + BIO_set_data(bio, cf); + SSL_set_bio(backend->handle, bio, bio); connssl->connecting_state = ssl_connect_2; return CURLE_OK; } -static CURLcode ossl_connect_step2(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, + struct Curl_easy *data) { int err; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); DEBUGASSERT(ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || ssl_connect_2_writing == connssl->connecting_state); @@ -3607,6 +3928,9 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, return CURLE_OK; } #endif + else if(backend->io_result == CURLE_AGAIN) { + return CURLE_OK; + } else { /* untreated error */ unsigned long errdetail; @@ -3634,7 +3958,7 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, lerr = SSL_get_verify_result(backend->handle); if(lerr != X509_V_OK) { - SSL_SET_OPTION_LVALUE(certverifyresult) = lerr; + ssl_config->certverifyresult = lerr; msnprintf(error_buffer, sizeof(error_buffer), "SSL certificate problem: %s", X509_verify_cert_error_string(lerr)); @@ -3669,15 +3993,14 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, * the SO_ERROR is also lost. */ if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) { - const char * const hostname = SSL_HOST_NAME(); - const long int port = SSL_HOST_PORT(); char extramsg[80]=""; int sockerr = SOCKERRNO; + if(sockerr && detail == SSL_ERROR_SYSCALL) Curl_strerror(sockerr, extramsg, sizeof(extramsg)); - failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%ld ", + failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%d ", extramsg[0] ? extramsg : SSL_ERROR_to_str(detail), - hostname, port); + connssl->hostname, connssl->port); return result; } @@ -3700,7 +4023,7 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, /* Sets data and len to negotiated protocol, len is 0 if no protocol was * negotiated */ - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { const unsigned char *neg_protocol; unsigned int len; SSL_get0_alpn_selected(backend->handle, &neg_protocol, &len); @@ -3710,19 +4033,19 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, #ifdef USE_HTTP2 if(len == ALPN_H2_LENGTH && !memcmp(ALPN_H2, neg_protocol, len)) { - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(len == ALPN_HTTP_1_1_LENGTH && !memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) { - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; } } else infof(data, VTLS_INFOF_NO_ALPN); - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -3797,11 +4120,14 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert, * We check certificates to authenticate the server; otherwise we risk * man-in-the-middle attack. */ -static CURLcode servercert(struct Curl_easy *data, - struct connectdata *conn, - struct ssl_connect_data *connssl, +static CURLcode servercert(struct Curl_cfilter *cf, + struct Curl_easy *data, bool strict) { + struct connectdata *conn = cf->conn; + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); CURLcode result = CURLE_OK; int rc; long lerr; @@ -3838,7 +4164,8 @@ static CURLcode servercert(struct Curl_easy *data, return CURLE_PEER_FAILED_VERIFICATION; } - infof(data, "%s certificate:", SSL_IS_PROXY() ? "Proxy" : "Server"); + infof(data, "%s certificate:", + Curl_ssl_cf_is_proxy(cf)? "Proxy" : "Server"); rc = x509_name_oneline(X509_get_subject_name(backend->server_cert), buffer, sizeof(buffer)); @@ -3861,7 +4188,7 @@ static CURLcode servercert(struct Curl_easy *data, BIO_free(mem); - if(SSL_CONN_CONFIG(verifyhost)) { + if(conn_config->verifyhost) { result = Curl_ossl_verifyhost(data, conn, backend->server_cert); if(result) { X509_free(backend->server_cert); @@ -3884,10 +4211,10 @@ static CURLcode servercert(struct Curl_easy *data, deallocating the certificate. */ /* e.g. match issuer name with provided issuer certificate */ - if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) { - if(SSL_CONN_CONFIG(issuercert_blob)) { - fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data, - (int)SSL_CONN_CONFIG(issuercert_blob)->len); + if(conn_config->issuercert || conn_config->issuercert_blob) { + if(conn_config->issuercert_blob) { + fp = BIO_new_mem_buf(conn_config->issuercert_blob->data, + (int)conn_config->issuercert_blob->len); if(!fp) { failf(data, "BIO_new_mem_buf NULL, " OSSL_PACKAGE @@ -3912,10 +4239,10 @@ static CURLcode servercert(struct Curl_easy *data, return CURLE_OUT_OF_MEMORY; } - if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) { + if(BIO_read_filename(fp, conn_config->issuercert) <= 0) { if(strict) failf(data, "SSL: Unable to open issuer cert (%s)", - SSL_CONN_CONFIG(issuercert)); + conn_config->issuercert); BIO_free(fp); X509_free(backend->server_cert); backend->server_cert = NULL; @@ -3927,7 +4254,7 @@ static CURLcode servercert(struct Curl_easy *data, if(!issuer) { if(strict) failf(data, "SSL: Unable to read issuer cert (%s)", - SSL_CONN_CONFIG(issuercert)); + conn_config->issuercert); BIO_free(fp); X509_free(issuer); X509_free(backend->server_cert); @@ -3938,7 +4265,7 @@ static CURLcode servercert(struct Curl_easy *data, if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) { if(strict) failf(data, "SSL: Certificate issuer check failed (%s)", - SSL_CONN_CONFIG(issuercert)); + conn_config->issuercert); BIO_free(fp); X509_free(issuer); X509_free(backend->server_cert); @@ -3947,15 +4274,15 @@ static CURLcode servercert(struct Curl_easy *data, } infof(data, " SSL certificate issuer check ok (%s)", - SSL_CONN_CONFIG(issuercert)); + conn_config->issuercert); BIO_free(fp); X509_free(issuer); } lerr = SSL_get_verify_result(backend->handle); - SSL_SET_OPTION_LVALUE(certverifyresult) = lerr; + ssl_config->certverifyresult = lerr; if(lerr != X509_V_OK) { - if(SSL_CONN_CONFIG(verifypeer)) { + if(conn_config->verifypeer) { /* We probably never reach this, because SSL_connect() will fail and we return earlier if verifypeer is set? */ if(strict) @@ -3974,8 +4301,8 @@ static CURLcode servercert(struct Curl_easy *data, #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) - if(SSL_CONN_CONFIG(verifystatus)) { - result = verifystatus(data, connssl); + if(conn_config->verifystatus) { + result = verifystatus(cf, data); if(result) { X509_free(backend->server_cert); backend->server_cert = NULL; @@ -3988,7 +4315,9 @@ static CURLcode servercert(struct Curl_easy *data, /* when not strict, we don't bother about the verify cert problems */ result = CURLE_OK; - ptr = SSL_PINNED_PUB_KEY(); + ptr = Curl_ssl_cf_is_proxy(cf)? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: + data->set.str[STRING_SSL_PINNEDPUBLICKEY]; if(!result && ptr) { result = pkp_pin_peer_pubkey(data, backend->server_cert, ptr); if(result) @@ -4002,11 +4331,12 @@ static CURLcode servercert(struct Curl_easy *data, return result; } -static CURLcode ossl_connect_step3(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode ossl_connect_step3(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode result = CURLE_OK; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); @@ -4017,8 +4347,8 @@ static CURLcode ossl_connect_step3(struct Curl_easy *data, * operations. */ - result = servercert(data, conn, connssl, (SSL_CONN_CONFIG(verifypeer) || - SSL_CONN_CONFIG(verifyhost))); + result = servercert(cf, data, conn_config->verifypeer || + conn_config->verifyhost); if(!result) connssl->connecting_state = ssl_connect_done; @@ -4026,18 +4356,14 @@ static CURLcode ossl_connect_step3(struct Curl_easy *data, return result; } -static Curl_recv ossl_recv; -static Curl_send ossl_send; - -static CURLcode ossl_connect_common(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, +static CURLcode ossl_connect_common(struct Curl_cfilter *cf, + struct Curl_easy *data, bool nonblocking, bool *done) { - CURLcode result; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - curl_socket_t sockfd = conn->sock[sockindex]; + CURLcode result = CURLE_OK; + struct ssl_connect_data *connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; int what; /* check if the connection has already been established */ @@ -4056,9 +4382,9 @@ static CURLcode ossl_connect_common(struct Curl_easy *data, return CURLE_OPERATION_TIMEDOUT; } - result = ossl_connect_step1(data, conn, sockindex); + result = ossl_connect_step1(cf, data); if(result) - return result; + goto out; } while(ssl_connect_2 == connssl->connecting_state || @@ -4071,7 +4397,8 @@ static CURLcode ossl_connect_common(struct Curl_easy *data, if(timeout_ms < 0) { /* no need to continue if time already is up */ failf(data, "SSL connection timeout"); - return CURLE_OPERATION_TIMEDOUT; + result = CURLE_OPERATION_TIMEDOUT; + goto out; } /* if ssl is expecting something, check if it's available. */ @@ -4088,16 +4415,19 @@ static CURLcode ossl_connect_common(struct Curl_easy *data, if(what < 0) { /* fatal error */ failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO); - return CURLE_SSL_CONNECT_ERROR; + result = CURLE_SSL_CONNECT_ERROR; + goto out; } if(0 == what) { if(nonblocking) { *done = FALSE; - return CURLE_OK; + result = CURLE_OK; + goto out; } /* timeout */ failf(data, "SSL connection timeout"); - return CURLE_OPERATION_TIMEDOUT; + result = CURLE_OPERATION_TIMEDOUT; + goto out; } /* socket is readable or writable */ } @@ -4108,25 +4438,23 @@ static CURLcode ossl_connect_common(struct Curl_easy *data, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - result = ossl_connect_step2(data, conn, sockindex); + result = ossl_connect_step2(cf, data); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || ssl_connect_2_writing == connssl->connecting_state))) - return result; + goto out; } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = ossl_connect_step3(data, conn, sockindex); + result = ossl_connect_step3(cf, data); if(result) - return result; + goto out; } if(ssl_connect_done == connssl->connecting_state) { connssl->state = ssl_connection_complete; - conn->recv[sockindex] = ossl_recv; - conn->send[sockindex] = ossl_send; *done = TRUE; } else @@ -4135,24 +4463,24 @@ static CURLcode ossl_connect_common(struct Curl_easy *data, /* Reset our connect state machine */ connssl->connecting_state = ssl_connect_1; - return CURLE_OK; +out: + return result; } -static CURLcode ossl_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, +static CURLcode ossl_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, bool *done) { - return ossl_connect_common(data, conn, sockindex, TRUE, done); + return ossl_connect_common(cf, data, TRUE, done); } -static CURLcode ossl_connect(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static CURLcode ossl_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode result; bool done = FALSE; - result = ossl_connect_common(data, conn, sockindex, FALSE, &done); + result = ossl_connect_common(cf, data, FALSE, &done); if(result) return result; @@ -4161,28 +4489,20 @@ static CURLcode ossl_connect(struct Curl_easy *data, struct connectdata *conn, return CURLE_OK; } -static bool ossl_data_pending(const struct connectdata *conn, - int connindex) +static bool ossl_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[connindex]; - DEBUGASSERT(connssl->backend); - if(connssl->backend->handle && SSL_pending(connssl->backend->handle)) + struct ssl_connect_data *ctx = cf->ctx; + + (void)data; + DEBUGASSERT(ctx && ctx->backend); + if(ctx->backend->handle && SSL_pending(ctx->backend->handle)) return TRUE; -#ifndef CURL_DISABLE_PROXY - { - const struct ssl_connect_data *proxyssl = &conn->proxy_ssl[connindex]; - DEBUGASSERT(proxyssl->backend); - if(proxyssl->backend->handle && SSL_pending(proxyssl->backend->handle)) - return TRUE; - } -#endif return FALSE; } -static size_t ossl_version(char *buffer, size_t size); - -static ssize_t ossl_send(struct Curl_easy *data, - int sockindex, +static ssize_t ossl_send(struct Curl_cfilter *cf, + struct Curl_easy *data, const void *mem, size_t len, CURLcode *curlcode) @@ -4194,16 +4514,16 @@ static ssize_t ossl_send(struct Curl_easy *data, unsigned long sslerror; int memlen; int rc; - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + (void)data; DEBUGASSERT(backend); ERR_clear_error(); memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len; - set_logger(conn, data); + set_logger(connssl, data); rc = SSL_write(backend->handle, mem, memlen); if(rc <= 0) { @@ -4216,10 +4536,17 @@ static ssize_t ossl_send(struct Curl_easy *data, should be called again later. This is basically an EWOULDBLOCK equivalent. */ *curlcode = CURLE_AGAIN; - return -1; + rc = -1; + goto out; case SSL_ERROR_SYSCALL: { int sockerr = SOCKERRNO; + + if(backend->io_result == CURLE_AGAIN) { + *curlcode = CURLE_AGAIN; + rc = -1; + goto out; + } sslerror = ERR_get_error(); if(sslerror) ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)); @@ -4232,18 +4559,20 @@ static ssize_t ossl_send(struct Curl_easy *data, failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d", error_buffer, sockerr); *curlcode = CURLE_SEND_ERROR; - return -1; + rc = -1; + goto out; } - case SSL_ERROR_SSL: + case SSL_ERROR_SSL: { /* A failure in the SSL library occurred, usually a protocol error. The OpenSSL error queue contains more information on the error. */ + struct Curl_cfilter *cf_ssl_next = Curl_ssl_cf_get_ssl(cf->next); + struct ssl_connect_data *connssl_next = cf_ssl_next? + cf_ssl_next->ctx : NULL; sslerror = ERR_get_error(); if(ERR_GET_LIB(sslerror) == ERR_LIB_SSL && ERR_GET_REASON(sslerror) == SSL_R_BIO_NOT_SET && - conn->ssl[sockindex].state == ssl_connection_complete -#ifndef CURL_DISABLE_PROXY - && conn->proxy_ssl[sockindex].state == ssl_connection_complete -#endif + connssl->state == ssl_connection_complete && + (connssl_next && connssl_next->state == ssl_connection_complete) ) { char ver[120]; (void)ossl_version(ver, sizeof(ver)); @@ -4253,20 +4582,26 @@ static ssize_t ossl_send(struct Curl_easy *data, failf(data, "SSL_write() error: %s", ossl_strerror(sslerror, error_buffer, sizeof(error_buffer))); *curlcode = CURLE_SEND_ERROR; - return -1; + rc = -1; + goto out; + } + default: + /* a true error */ + failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d", + SSL_ERROR_to_str(err), SOCKERRNO); + *curlcode = CURLE_SEND_ERROR; + rc = -1; + goto out; } - /* a true error */ - failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d", - SSL_ERROR_to_str(err), SOCKERRNO); - *curlcode = CURLE_SEND_ERROR; - return -1; } *curlcode = CURLE_OK; + +out: return (ssize_t)rc; /* number of bytes */ } -static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ - int num, /* socketindex */ +static ssize_t ossl_recv(struct Curl_cfilter *cf, + struct Curl_easy *data, /* transfer */ char *buf, /* store read data here */ size_t buffersize, /* max amount to read */ CURLcode *curlcode) @@ -4275,17 +4610,19 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ unsigned long sslerror; ssize_t nread; int buffsize; - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[num]; + struct connectdata *conn = cf->conn; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + (void)data; DEBUGASSERT(backend); ERR_clear_error(); buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize; - set_logger(conn, data); + set_logger(connssl, data); nread = (ssize_t)SSL_read(backend->handle, buf, buffsize); + if(nread <= 0) { /* failed SSL_read */ int err = SSL_get_error(backend->handle, (int)nread); @@ -4295,7 +4632,7 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ break; case SSL_ERROR_ZERO_RETURN: /* no more data */ /* close_notify alert */ - if(num == FIRSTSOCKET) + if(cf->sockindex == FIRSTSOCKET) /* mark the connection for close if it is indeed the control connection */ connclose(conn, "TLS close_notify"); @@ -4304,11 +4641,17 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ case SSL_ERROR_WANT_WRITE: /* there's data pending, re-invoke SSL_read() */ *curlcode = CURLE_AGAIN; - return -1; + nread = -1; + goto out; default: /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return value/errno" */ /* https://www.openssl.org/docs/crypto/ERR_get_error.html */ + if(backend->io_result == CURLE_AGAIN) { + *curlcode = CURLE_AGAIN; + nread = -1; + goto out; + } sslerror = ERR_get_error(); if((nread < 0) || sslerror) { /* If the return code was negative or there actually is an error in the @@ -4325,7 +4668,8 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d", error_buffer, sockerr); *curlcode = CURLE_RECV_ERROR; - return -1; + nread = -1; + goto out; } /* For debug builds be a little stricter and error on any SSL_ERROR_SYSCALL. For example a server may have closed the connection @@ -4348,11 +4692,14 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ " (Fatal because this is a curl debug build)", error_buffer, sockerr); *curlcode = CURLE_RECV_ERROR; - return -1; + nread = -1; + goto out; } #endif } } + +out: return nread; } @@ -4364,7 +4711,7 @@ static size_t ossl_version(char *buffer, size_t size) int count; const char *ver = OpenSSL_version(OPENSSL_VERSION); const char expected[] = OSSL_PACKAGE " "; /* ie "LibreSSL " */ - if(Curl_strncasecompare(ver, expected, sizeof(expected) - 1)) { + if(strncasecompare(ver, expected, sizeof(expected) - 1)) { ver += sizeof(expected) - 1; } count = msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, ver); @@ -4491,41 +4838,44 @@ static void *ossl_get_internals(struct ssl_connect_data *connssl, (void *)backend->ctx : (void *)backend->handle; } -static bool ossl_associate_connection(struct Curl_easy *data, - struct connectdata *conn, - int sockindex) +static bool ossl_attach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + const struct ssl_config_data *config; + DEBUGASSERT(backend); /* If we don't have SSL context, do nothing. */ if(!backend->handle) return FALSE; - if(SSL_SET_OPTION(primary.sessionid)) { + config = Curl_ssl_cf_get_config(cf, data); + if(config->primary.sessionid) { int data_idx = ossl_get_ssl_data_index(); - int connectdata_idx = ossl_get_ssl_conn_index(); + int cf_idx = ossl_get_ssl_cf_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); int proxy_idx = ossl_get_proxy_index(); - if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && + if(data_idx >= 0 && cf_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { - int data_status, conn_status, sockindex_status, proxy_status; + int data_status, cf_status, sockindex_status, proxy_status; /* Store the data needed for the "new session" callback. * The sockindex is stored as a pointer to an array element. */ data_status = SSL_set_ex_data(backend->handle, data_idx, data); - conn_status = SSL_set_ex_data(backend->handle, connectdata_idx, conn); + cf_status = SSL_set_ex_data(backend->handle, cf_idx, cf); sockindex_status = SSL_set_ex_data(backend->handle, sockindex_idx, - conn->sock + sockindex); + cf->conn->sock + cf->sockindex); #ifndef CURL_DISABLE_PROXY proxy_status = SSL_set_ex_data(backend->handle, proxy_idx, - SSL_IS_PROXY() ? (void *) 1 : NULL); + Curl_ssl_cf_is_proxy(cf)? + (void *) 1 : NULL); #else proxy_status = SSL_set_ex_data(backend->handle, proxy_idx, NULL); #endif - if(data_status && conn_status && sockindex_status && proxy_status) + if(data_status && cf_status && sockindex_status && proxy_status) return TRUE; } return FALSE; @@ -4541,11 +4891,11 @@ static bool ossl_associate_connection(struct Curl_easy *data, * transfer that might still be using the same connection. */ -static void ossl_disassociate_connection(struct Curl_easy *data, - int sockindex) +static void ossl_detach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; DEBUGASSERT(backend); @@ -4553,24 +4903,38 @@ static void ossl_disassociate_connection(struct Curl_easy *data, if(!backend->handle) return; - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { int data_idx = ossl_get_ssl_data_index(); - int connectdata_idx = ossl_get_ssl_conn_index(); + int cf_idx = ossl_get_ssl_cf_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); int proxy_idx = ossl_get_proxy_index(); - if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 && + if(data_idx >= 0 && cf_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) { /* Disable references to data in "new session" callback to avoid * accessing a stale pointer. */ SSL_set_ex_data(backend->handle, data_idx, NULL); - SSL_set_ex_data(backend->handle, connectdata_idx, NULL); + SSL_set_ex_data(backend->handle, cf_idx, NULL); SSL_set_ex_data(backend->handle, sockindex_idx, NULL); SSL_set_ex_data(backend->handle, proxy_idx, NULL); } } } +static void ossl_free_multi_ssl_backend_data( + struct multi_ssl_backend_data *mbackend) +{ +#if defined(HAVE_SSL_X509_STORE_SHARE) + if(mbackend->store) { + X509_STORE_free(mbackend->store); + } + free(mbackend->CAfile); + free(mbackend); +#else /* HAVE_SSL_X509_STORE_SHARE */ + (void)mbackend; +#endif /* HAVE_SSL_X509_STORE_SHARE */ +} + const struct Curl_ssl Curl_ssl_openssl = { { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */ @@ -4596,7 +4960,7 @@ const struct Curl_ssl Curl_ssl_openssl = { ossl_cert_status_request, /* cert_status_request */ ossl_connect, /* connect */ ossl_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks,/* getsock */ ossl_get_internals, /* get_internals */ ossl_close, /* close_one */ ossl_close_all, /* close_all */ @@ -4610,8 +4974,11 @@ const struct Curl_ssl Curl_ssl_openssl = { #else NULL, /* sha256sum */ #endif - ossl_associate_connection, /* associate_connection */ - ossl_disassociate_connection /* disassociate_connection */ + ossl_attach_data, /* use of data in this connection */ + ossl_detach_data, /* remote of data from this connection */ + ossl_free_multi_ssl_backend_data, /* free_multi_ssl_backend_data */ + ossl_recv, /* recv decrypted data */ + ossl_send, /* send data to encrypt */ }; #endif /* USE_OPENSSL */ diff --git a/lib/vtls/rustls.c b/lib/vtls/rustls.c index 77a49f1..27f4ec8 100644 --- a/lib/vtls/rustls.c +++ b/lib/vtls/rustls.c @@ -35,6 +35,7 @@ #include "urldata.h" #include "sendf.h" #include "vtls.h" +#include "vtls_int.h" #include "select.h" #include "strerror.h" #include "multiif.h" @@ -63,43 +64,64 @@ static CURLcode map_error(rustls_result r) } static bool -cr_data_pending(const struct connectdata *conn, int sockindex) +cr_data_pending(struct Curl_cfilter *cf, const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct ssl_backend_data *backend = connssl->backend; - DEBUGASSERT(backend); - return backend->data_pending; + struct ssl_connect_data *ctx = cf->ctx; + + (void)data; + DEBUGASSERT(ctx && ctx->backend); + return ctx->backend->data_pending; } static CURLcode -cr_connect(struct Curl_easy *data UNUSED_PARAM, - struct connectdata *conn UNUSED_PARAM, - int sockindex UNUSED_PARAM) +cr_connect(struct Curl_cfilter *cf UNUSED_PARAM, + struct Curl_easy *data UNUSED_PARAM) { infof(data, "rustls_connect: unimplemented"); return CURLE_SSL_CONNECT_ERROR; } +struct io_ctx { + struct Curl_cfilter *cf; + struct Curl_easy *data; +}; + static int read_cb(void *userdata, uint8_t *buf, uintptr_t len, uintptr_t *out_n) { - ssize_t n = sread(*(int *)userdata, buf, len); - if(n < 0) { - return SOCKERRNO; + struct io_ctx *io_ctx = userdata; + CURLcode result; + int ret = 0; + ssize_t nread = Curl_conn_cf_recv(io_ctx->cf->next, io_ctx->data, + (char *)buf, len, &result); + if(nread < 0) { + nread = 0; + if(CURLE_AGAIN == result) + ret = EAGAIN; + else + ret = EINVAL; } - *out_n = n; - return 0; + *out_n = (int)nread; + return ret; } static int write_cb(void *userdata, const uint8_t *buf, uintptr_t len, uintptr_t *out_n) { - ssize_t n = swrite(*(int *)userdata, buf, len); - if(n < 0) { - return SOCKERRNO; + struct io_ctx *io_ctx = userdata; + CURLcode result; + int ret = 0; + ssize_t nwritten = Curl_conn_cf_send(io_ctx->cf->next, io_ctx->data, + (const char *)buf, len, &result); + if(nwritten < 0) { + nwritten = 0; + if(CURLE_AGAIN == result) + ret = EAGAIN; + else + ret = EINVAL; } - *out_n = n; - return 0; + *out_n = (int)nwritten; + return ret; } /* @@ -115,13 +137,13 @@ write_cb(void *userdata, const uint8_t *buf, uintptr_t len, uintptr_t *out_n) * output buffer. */ static ssize_t -cr_recv(struct Curl_easy *data, int sockindex, +cr_recv(struct Curl_cfilter *cf, struct Curl_easy *data, char *plainbuf, size_t plainlen, CURLcode *err) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *const connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *const connssl = cf->ctx; struct ssl_backend_data *const backend = connssl->backend; struct rustls_connection *rconn = NULL; + struct io_ctx io_ctx; size_t n = 0; size_t tls_bytes_read = 0; @@ -133,10 +155,13 @@ cr_recv(struct Curl_easy *data, int sockindex, DEBUGASSERT(backend); rconn = backend->conn; - io_error = rustls_connection_read_tls(rconn, read_cb, - &conn->sock[sockindex], &tls_bytes_read); + io_ctx.cf = cf; + io_ctx.data = data; + + io_error = rustls_connection_read_tls(rconn, read_cb, &io_ctx, + &tls_bytes_read); if(io_error == EAGAIN || io_error == EWOULDBLOCK) { - infof(data, "sread: EAGAIN or EWOULDBLOCK"); + infof(data, CFMSG(cf, "cr_recv: EAGAIN or EWOULDBLOCK")); } else if(io_error) { char buffer[STRERROR_LEN]; @@ -146,7 +171,7 @@ cr_recv(struct Curl_easy *data, int sockindex, return -1; } - infof(data, "cr_recv read %ld bytes from the network", tls_bytes_read); + infof(data, CFMSG(cf, "cr_recv: read %ld TLS bytes"), tls_bytes_read); rresult = rustls_connection_process_new_packets(rconn); if(rresult != RUSTLS_RESULT_OK) { @@ -164,7 +189,8 @@ cr_recv(struct Curl_easy *data, int sockindex, plainlen - plain_bytes_copied, &n); if(rresult == RUSTLS_RESULT_PLAINTEXT_EMPTY) { - infof(data, "cr_recv got PLAINTEXT_EMPTY. will try again later."); + infof(data, CFMSG(cf, "cr_recv: got PLAINTEXT_EMPTY. " + "will try again later.")); backend->data_pending = FALSE; break; } @@ -181,7 +207,7 @@ cr_recv(struct Curl_easy *data, int sockindex, break; } else { - infof(data, "cr_recv copied out %ld bytes of plaintext", n); + infof(data, CFMSG(cf, "cr_recv: got %ld plain bytes"), n); plain_bytes_copied += n; } } @@ -216,13 +242,13 @@ cr_recv(struct Curl_easy *data, int sockindex, * It will only drain rustls' plaintext output buffer into the socket. */ static ssize_t -cr_send(struct Curl_easy *data, int sockindex, +cr_send(struct Curl_cfilter *cf, struct Curl_easy *data, const void *plainbuf, size_t plainlen, CURLcode *err) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *const connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *const connssl = cf->ctx; struct ssl_backend_data *const backend = connssl->backend; struct rustls_connection *rconn = NULL; + struct io_ctx io_ctx; size_t plainwritten = 0; size_t tlswritten = 0; size_t tlswritten_total = 0; @@ -232,7 +258,7 @@ cr_send(struct Curl_easy *data, int sockindex, DEBUGASSERT(backend); rconn = backend->conn; - infof(data, "cr_send %ld bytes of plaintext", plainlen); + infof(data, CFMSG(cf, "cr_send: %ld plain bytes"), plainlen); if(plainlen > 0) { rresult = rustls_connection_write(rconn, plainbuf, plainlen, @@ -249,11 +275,15 @@ cr_send(struct Curl_easy *data, int sockindex, } } + io_ctx.cf = cf; + io_ctx.data = data; + while(rustls_connection_wants_write(rconn)) { - io_error = rustls_connection_write_tls(rconn, write_cb, - &conn->sock[sockindex], &tlswritten); + io_error = rustls_connection_write_tls(rconn, write_cb, &io_ctx, + &tlswritten); if(io_error == EAGAIN || io_error == EWOULDBLOCK) { - infof(data, "swrite: EAGAIN after %ld bytes", tlswritten_total); + infof(data, CFMSG(cf, "cr_send: EAGAIN after %ld bytes"), + tlswritten_total); *err = CURLE_AGAIN; return -1; } @@ -269,7 +299,7 @@ cr_send(struct Curl_easy *data, int sockindex, *err = CURLE_WRITE_ERROR; return -1; } - infof(data, "cr_send wrote %ld bytes to network", tlswritten); + infof(data, CFMSG(cf, "cr_send: wrote %ld TLS bytes"), tlswritten); tlswritten_total += tlswritten; } @@ -302,18 +332,20 @@ cr_hostname_is_ip(const char *hostname) } static CURLcode -cr_init_backend(struct Curl_easy *data, struct connectdata *conn, +cr_init_backend(struct Curl_cfilter *cf, struct Curl_easy *data, struct ssl_backend_data *const backend) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct rustls_connection *rconn = NULL; struct rustls_client_config_builder *config_builder = NULL; struct rustls_root_cert_store *roots = NULL; - const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob); + const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; const char * const ssl_cafile = /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */ - (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const char *hostname = conn->host.name; + (ca_info_blob ? NULL : conn_config->CAfile); + const bool verifypeer = conn_config->verifypeer; + const char *hostname = connssl->hostname; char errorbuf[256]; size_t errorlen; int result; @@ -400,7 +432,7 @@ cr_init_backend(struct Curl_easy *data, struct connectdata *conn, } static void -cr_set_negotiated_alpn(struct Curl_easy *data, struct connectdata *conn, +cr_set_negotiated_alpn(struct Curl_cfilter *cf, struct Curl_easy *data, const struct rustls_connection *rconn) { const uint8_t *protocol = NULL; @@ -415,29 +447,29 @@ cr_set_negotiated_alpn(struct Curl_easy *data, struct connectdata *conn, #ifdef USE_HTTP2 if(len == ALPN_H2_LENGTH && 0 == memcmp(ALPN_H2, protocol, len)) { infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, ALPN_H2); - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(len == ALPN_HTTP_1_1_LENGTH && 0 == memcmp(ALPN_HTTP_1_1, protocol, len)) { infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, ALPN_HTTP_1_1); - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; } else { infof(data, "ALPN, negotiated an unrecognized protocol"); } - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } static CURLcode -cr_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, - int sockindex, bool *done) +cr_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, bool *done) { - struct ssl_connect_data *const connssl = &conn->ssl[sockindex]; - curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *const connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; struct ssl_backend_data *const backend = connssl->backend; struct rustls_connection *rconn = NULL; CURLcode tmperr = CURLE_OK; @@ -451,7 +483,7 @@ cr_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, DEBUGASSERT(backend); if(ssl_connection_none == connssl->state) { - result = cr_init_backend(data, conn, connssl->backend); + result = cr_init_backend(cf, data, connssl->backend); if(result != CURLE_OK) { return result; } @@ -471,10 +503,8 @@ cr_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, /* Done with the handshake. Set up callbacks to send/receive data. */ connssl->state = ssl_connection_complete; - cr_set_negotiated_alpn(data, conn, rconn); + cr_set_negotiated_alpn(cf, data, rconn); - conn->recv[sockindex] = cr_recv; - conn->send[sockindex] = cr_send; *done = TRUE; return CURLE_OK; } @@ -502,7 +532,7 @@ cr_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, if(wants_write) { infof(data, "rustls_connection wants us to write_tls."); - cr_send(data, sockindex, NULL, 0, &tmperr); + cr_send(cf, data, NULL, 0, &tmperr); if(tmperr == CURLE_AGAIN) { infof(data, "writing would block"); /* fall through */ @@ -515,7 +545,7 @@ cr_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, if(wants_read) { infof(data, "rustls_connection wants us to read_tls."); - cr_recv(data, sockindex, NULL, 0, &tmperr); + cr_recv(cf, data, NULL, 0, &tmperr); if(tmperr == CURLE_AGAIN) { infof(data, "reading would block"); /* fall through */ @@ -539,13 +569,15 @@ cr_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, /* returns a bitmap of flags for this connection's first socket indicating whether we want to read or write */ static int -cr_getsock(struct connectdata *conn, curl_socket_t *socks) +cr_get_select_socks(struct Curl_cfilter *cf, struct Curl_easy *data, + curl_socket_t *socks) { - struct ssl_connect_data *const connssl = &conn->ssl[FIRSTSOCKET]; - curl_socket_t sockfd = conn->sock[FIRSTSOCKET]; + struct ssl_connect_data *const connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; struct ssl_backend_data *const backend = connssl->backend; struct rustls_connection *rconn = NULL; + (void)data; DEBUGASSERT(backend); rconn = backend->conn; @@ -571,10 +603,9 @@ cr_get_internals(struct ssl_connect_data *connssl, } static void -cr_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +cr_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; CURLcode tmperr = CURLE_OK; ssize_t n = 0; @@ -583,7 +614,7 @@ cr_close(struct Curl_easy *data, struct connectdata *conn, if(backend->conn) { rustls_connection_send_close_notify(backend->conn); - n = cr_send(data, sockindex, NULL, 0, &tmperr); + n = cr_send(cf, data, NULL, 0, &tmperr); if(n < 0) { failf(data, "error sending close notify: %d", tmperr); } @@ -606,7 +637,8 @@ static size_t cr_version(char *buffer, size_t size) const struct Curl_ssl Curl_ssl_rustls = { { CURLSSLBACKEND_RUSTLS, "rustls" }, SSLSUPP_CAINFO_BLOB | /* supports */ - SSLSUPP_TLS13_CIPHERSUITES, + SSLSUPP_TLS13_CIPHERSUITES | + SSLSUPP_HTTPS_PROXY, sizeof(struct ssl_backend_data), Curl_none_init, /* init */ @@ -619,7 +651,7 @@ const struct Curl_ssl Curl_ssl_rustls = { Curl_none_cert_status_request, /* cert_status_request */ cr_connect, /* connect */ cr_connect_nonblocking, /* connect_nonblocking */ - cr_getsock, /* cr_getsock */ + cr_get_select_socks, /* get_select_socks */ cr_get_internals, /* get_internals */ cr_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -630,7 +662,10 @@ const struct Curl_ssl Curl_ssl_rustls = { Curl_none_false_start, /* false_start */ NULL, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + cr_recv, /* recv decrypted data */ + cr_send, /* send data to encrypt */ }; #endif /* USE_RUSTLS */ diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index 454eb79..7eab954 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -41,6 +41,7 @@ #include "schannel.h" #include "vtls.h" +#include "vtls_int.h" #include "strcase.h" #include "sendf.h" #include "connect.h" /* for the connect timeout */ @@ -185,11 +186,8 @@ #define PKCS12_NO_PERSIST_KEY 0x00008000 #endif -static Curl_recv schannel_recv; -static Curl_send schannel_send; - -static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, - struct connectdata *conn, int sockindex, +static CURLcode pkp_pin_peer_pubkey(struct Curl_cfilter *cf, + struct Curl_easy *data, const char *pinnedpubkey); static void InitSecBuffer(SecBuffer *buffer, unsigned long BufType, @@ -209,11 +207,13 @@ static void InitSecBufferDesc(SecBufferDesc *desc, SecBuffer *BufArr, } static CURLcode -set_ssl_version_min_max(DWORD *enabled_protocols, struct Curl_easy *data, - struct connectdata *conn) +set_ssl_version_min_max(DWORD *enabled_protocols, + struct Curl_cfilter *cf, + struct Curl_easy *data) { - long ssl_version = SSL_CONN_CONFIG(version); - long ssl_version_max = SSL_CONN_CONFIG(version_max); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + long ssl_version = conn_config->version; + long ssl_version_max = conn_config->version_max; long i = ssl_version; switch(ssl_version_max) { @@ -262,7 +262,7 @@ set_ssl_version_min_max(DWORD *enabled_protocols, struct Curl_easy *data, return CURLE_OK; } -/*longest is 26, buffer is slightly bigger*/ +/* longest is 26, buffer is slightly bigger */ #define LONGEST_ALG_ID 32 #define CIPHEROPTION(X) \ if(strcmp(#X, tmp) == 0) \ @@ -289,7 +289,7 @@ get_alg_id_by_name(char *name) CIPHEROPTION(CALG_MAC); CIPHEROPTION(CALG_RSA_SIGN); CIPHEROPTION(CALG_DSS_SIGN); -/*ifdefs for the options that are defined conditionally in wincrypt.h*/ +/* ifdefs for the options that are defined conditionally in wincrypt.h */ #ifdef CALG_NO_SIGN CIPHEROPTION(CALG_NO_SIGN); #endif @@ -477,11 +477,12 @@ get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path, } #endif static CURLcode -schannel_acquire_credential_handle(struct Curl_easy *data, - struct connectdata *conn, - int sockindex) +schannel_acquire_credential_handle(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); #ifdef HAS_CLIENT_CERT_PATH PCCERT_CONTEXT client_certs[1] = { NULL }; @@ -498,7 +499,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data, DEBUGASSERT(backend); - if(conn->ssl_config.verifypeer) { + if(conn_config->verifypeer) { #ifdef HAS_MANUAL_VERIFY_API if(backend->use_manual_cred_validation) flags = SCH_CRED_MANUAL_CRED_VALIDATION; @@ -506,14 +507,14 @@ schannel_acquire_credential_handle(struct Curl_easy *data, #endif flags = SCH_CRED_AUTO_CRED_VALIDATION; - if(SSL_SET_OPTION(no_revoke)) { + if(ssl_config->no_revoke) { flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE; DEBUGF(infof(data, "schannel: disabled server certificate revocation " "checks")); } - else if(SSL_SET_OPTION(revoke_best_effort)) { + else if(ssl_config->revoke_best_effort) { flags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE | SCH_CRED_REVOCATION_CHECK_CHAIN; @@ -534,14 +535,14 @@ schannel_acquire_credential_handle(struct Curl_easy *data, "schannel: disabled server cert revocation checks")); } - if(!conn->ssl_config.verifyhost) { + if(!conn_config->verifyhost) { flags |= SCH_CRED_NO_SERVERNAME_CHECK; DEBUGF(infof(data, "schannel: verifyhost setting prevents Schannel from " "comparing the supplied target name with the subject " "names in server certificates.")); } - if(!SSL_SET_OPTION(auto_client_cert)) { + if(!ssl_config->auto_client_cert) { flags &= ~SCH_CRED_USE_DEFAULT_CREDS; flags |= SCH_CRED_NO_DEFAULT_CREDS; infof(data, "schannel: disabled automatic use of client certificate"); @@ -549,7 +550,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data, else infof(data, "schannel: enabled automatic use of client certificate"); - switch(conn->ssl_config.version) { + switch(conn_config->version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: case CURL_SSLVERSION_TLSv1_0: @@ -557,7 +558,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - result = set_ssl_version_min_max(&enabled_protocols, data, conn); + result = set_ssl_version_min_max(&enabled_protocols, cf, data); if(result != CURLE_OK) return result; break; @@ -812,7 +813,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data, * disable all the ciphers and re-enable which * ciphers the user has provided. */ - ciphers13 = SSL_CONN_CONFIG(cipher_list13); + ciphers13 = conn_config->cipher_list13; if(ciphers13) { const int remaining_ciphers = 5; @@ -1006,7 +1007,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data, else { /* Pre-Windows 10 1809 */ ALG_ID algIds[NUM_CIPHERS]; - char *ciphers = SSL_CONN_CONFIG(cipher_list); + char *ciphers = conn_config->cipher_list; SCHANNEL_CRED schannel_cred = { 0 }; schannel_cred.dwVersion = SCHANNEL_CRED_VERSION; schannel_cred.dwFlags = flags; @@ -1015,7 +1016,7 @@ schannel_acquire_credential_handle(struct Curl_easy *data, if(ciphers) { result = set_ssl_ciphers(&schannel_cred, ciphers, algIds); if(CURLE_OK != result) { - failf(data, "Unable to set ciphers to passed via SSL_CONN_CONFIG"); + failf(data, "Unable to set ciphers to from connection ssl config"); return result; } } @@ -1065,11 +1066,13 @@ schannel_acquire_credential_handle(struct Curl_easy *data, } static CURLcode -schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +schannel_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) { ssize_t written = -1; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); SecBuffer outbuf; SecBufferDesc outbuf_desc; SecBuffer inbuf; @@ -1084,14 +1087,12 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, struct in6_addr addr6; #endif CURLcode result; - char * const hostname = SSL_HOST_NAME(); - struct ssl_backend_data *backend = connssl->backend; + const char *hostname = connssl->hostname; DEBUGASSERT(backend); - DEBUGF(infof(data, - "schannel: SSL/TLS connection with %s port %hu (step 1/3)", - hostname, conn->remote_port)); + "schannel: SSL/TLS connection with %s port %d (step 1/3)", + hostname, connssl->port)); if(curlx_verify_windows_version(5, 1, 0, PLATFORM_WINNT, VERSION_LESS_THAN_EQUAL)) { @@ -1104,7 +1105,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, #ifdef HAS_ALPN /* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above. Also it doesn't seem to be supported for Wine, see curl bug #983. */ - backend->use_alpn = conn->bits.tls_enable_alpn && + backend->use_alpn = cf->conn->bits.tls_enable_alpn && !GetProcAddress(GetModuleHandle(TEXT("ntdll")), "wine_get_version") && curlx_verify_windows_version(6, 3, 0, PLATFORM_WINNT, @@ -1123,7 +1124,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, #endif #else #ifdef HAS_MANUAL_VERIFY_API - if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) { + if(conn_config->CAfile || conn_config->ca_info_blob) { if(curlx_verify_windows_version(6, 1, 0, PLATFORM_WINNT, VERSION_GREATER_THAN_EQUAL)) { backend->use_manual_cred_validation = true; @@ -1137,7 +1138,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, else backend->use_manual_cred_validation = false; #else - if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) { + if(conn_config->CAfile || conn_config->ca_info_blob) { failf(data, "schannel: CA cert support not built in"); return CURLE_NOT_BUILT_IN; } @@ -1147,11 +1148,9 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, backend->cred = NULL; /* check for an existing re-usable credential handle */ - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - (void **)&old_cred, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(cf, data, (void **)&old_cred, NULL)) { backend->cred = old_cred; DEBUGF(infof(data, "schannel: re-using existing credential handle")); @@ -1166,13 +1165,13 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, if(!backend->cred) { char *snihost; - result = schannel_acquire_credential_handle(data, conn, sockindex); + result = schannel_acquire_credential_handle(cf, data); if(result != CURLE_OK) { return result; } /* A hostname associated with the credential is needed by InitializeSecurityContext for SNI and other reasons. */ - snihost = Curl_ssl_snihost(data, SSL_HOST_NAME(), NULL); + snihost = Curl_ssl_snihost(data, hostname, NULL); if(!snihost) { failf(data, "Failed to set SNI"); return CURLE_SSL_CONNECT_ERROR; @@ -1200,18 +1199,18 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, /* The first four bytes will be an unsigned int indicating number of bytes of data in the rest of the buffer. */ - extension_len = (unsigned int *)(&alpn_buffer[cur]); + extension_len = (unsigned int *)(void *)(&alpn_buffer[cur]); cur += sizeof(unsigned int); /* The next four bytes are an indicator that this buffer will contain ALPN data, as opposed to NPN, for example. */ - *(unsigned int *)&alpn_buffer[cur] = + *(unsigned int *)(void *)&alpn_buffer[cur] = SecApplicationProtocolNegotiationExt_ALPN; cur += sizeof(unsigned int); /* The next two bytes will be an unsigned short indicating the number of bytes used to list the preferred protocols. */ - list_len = (unsigned short*)(&alpn_buffer[cur]); + list_len = (unsigned short*)(void *)(&alpn_buffer[cur]); cur += sizeof(unsigned short); list_start_index = cur; @@ -1254,7 +1253,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, ISC_REQ_CONFIDENTIALITY | ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_STREAM; - if(!SSL_SET_OPTION(auto_client_cert)) { + if(!ssl_config->auto_client_cert) { backend->req_flags |= ISC_REQ_USE_SUPPLIED_CREDS; } @@ -1314,8 +1313,9 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, "sending %lu bytes.", outbuf.cbBuffer)); /* send initial handshake data which is now stored in output buffer */ - result = Curl_write_plain(data, conn->sock[sockindex], outbuf.pvBuffer, - outbuf.cbBuffer, &written); + written = Curl_conn_cf_send(cf->next, data, + outbuf.pvBuffer, outbuf.cbBuffer, + &result); s_pSecFn->FreeContextBuffer(outbuf.pvBuffer); if((result != CURLE_OK) || (outbuf.cbBuffer != (size_t) written)) { failf(data, "schannel: failed to send initial handshake data: " @@ -1339,12 +1339,13 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, } static CURLcode -schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +schannel_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); int i; ssize_t nread = -1, written = -1; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; unsigned char *reallocated_buffer; SecBuffer outbuf[3]; SecBufferDesc outbuf_desc; @@ -1354,15 +1355,14 @@ schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, CURLcode result; bool doread; const char *pubkey_ptr; - struct ssl_backend_data *backend = connssl->backend; DEBUGASSERT(backend); doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE; DEBUGF(infof(data, - "schannel: SSL/TLS connection with %s port %hu (step 2/3)", - SSL_HOST_NAME(), conn->remote_port)); + "schannel: SSL/TLS connection with %s port %d (step 2/3)", + connssl->hostname, connssl->port)); if(!backend->cred || !backend->ctxt) return CURLE_SSL_CONNECT_ERROR; @@ -1412,12 +1412,12 @@ schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, for(;;) { if(doread) { /* read encrypted handshake data from socket */ - result = Curl_read_plain(conn->sock[sockindex], + nread = Curl_conn_cf_recv(cf->next, data, (char *) (backend->encdata_buffer + backend->encdata_offset), backend->encdata_length - backend->encdata_offset, - &nread); + &result); if(result == CURLE_AGAIN) { if(connssl->connecting_state != ssl_connect_2_writing) connssl->connecting_state = ssl_connect_2_reading; @@ -1501,9 +1501,9 @@ schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, "sending %lu bytes.", outbuf[i].cbBuffer)); /* send handshake token to server */ - result = Curl_write_plain(data, conn->sock[sockindex], - outbuf[i].pvBuffer, outbuf[i].cbBuffer, - &written); + written = Curl_conn_cf_send(cf->next, data, + outbuf[i].pvBuffer, outbuf[i].cbBuffer, + &result); if((result != CURLE_OK) || (outbuf[i].cbBuffer != (size_t) written)) { failf(data, "schannel: failed to send next handshake data: " @@ -1596,9 +1596,11 @@ schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, DEBUGF(infof(data, "schannel: SSL/TLS handshake complete")); } - pubkey_ptr = SSL_PINNED_PUB_KEY(); + pubkey_ptr = Curl_ssl_cf_is_proxy(cf)? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: + data->set.str[STRING_SSL_PINNEDPUBLICKEY]; if(pubkey_ptr) { - result = pkp_pin_peer_pubkey(data, conn, sockindex, pubkey_ptr); + result = pkp_pin_peer_pubkey(cf, data, pubkey_ptr); if(result) { failf(data, "SSL: public key does not match pinned public key"); return result; @@ -1606,8 +1608,8 @@ schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, } #ifdef HAS_MANUAL_VERIFY_API - if(conn->ssl_config.verifypeer && backend->use_manual_cred_validation) { - return Curl_verify_certificate(data, conn, sockindex); + if(conn_config->verifypeer && backend->use_manual_cred_validation) { + return Curl_verify_certificate(cf, data); } #endif @@ -1674,28 +1676,24 @@ add_cert_to_certinfo(const CERT_CONTEXT *ccert_context, void *raw_arg) } static CURLcode -schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +schannel_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_backend_data *backend = connssl->backend; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); CURLcode result = CURLE_OK; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SECURITY_STATUS sspi_status = SEC_E_OK; CERT_CONTEXT *ccert_context = NULL; - bool isproxy = SSL_IS_PROXY(); -#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) - const char * const hostname = SSL_HOST_NAME(); -#endif #ifdef HAS_ALPN SecPkgContext_ApplicationProtocol alpn_result; #endif - struct ssl_backend_data *backend = connssl->backend; DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); DEBUGASSERT(backend); DEBUGF(infof(data, - "schannel: SSL/TLS connection with %s port %hu (step 3/3)", - hostname, conn->remote_port)); + "schannel: SSL/TLS connection with %s port %d (step 3/3)", + connssl->hostname, connssl->port)); if(!backend->cred) return CURLE_SSL_CONNECT_ERROR; @@ -1747,13 +1745,13 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, alpn = CURL_HTTP_VERSION_1_1; } if(backend->recv_renegotiating) { - if(alpn != conn->alpn) { + if(alpn != cf->conn->alpn) { failf(data, "schannel: server selected an ALPN protocol too late"); return CURLE_SSL_CONNECT_ERROR; } } else - conn->alpn = alpn; + cf->conn->alpn = alpn; } else { if(!backend->recv_renegotiating) @@ -1761,21 +1759,20 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, } if(!backend->recv_renegotiating) { - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } } #endif /* save the current session data for possible re-use */ - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { bool incache; bool added = FALSE; struct Curl_schannel_cred *old_cred = NULL; Curl_ssl_sessionid_lock(data); - incache = !(Curl_ssl_getsessionid(data, conn, isproxy, (void **)&old_cred, - NULL, sockindex)); + incache = !(Curl_ssl_getsessionid(cf, data, (void **)&old_cred, NULL)); if(incache) { if(old_cred != backend->cred) { DEBUGF(infof(data, @@ -1786,9 +1783,9 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, } } if(!incache) { - result = Curl_ssl_addsessionid(data, conn, isproxy, backend->cred, + result = Curl_ssl_addsessionid(cf, data, backend->cred, sizeof(struct Curl_schannel_cred), - sockindex, &added); + &added); if(result) { Curl_ssl_sessionid_unlock(data); failf(data, "schannel: failed to store credential handle"); @@ -1838,12 +1835,13 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, } static CURLcode -schannel_connect_common(struct Curl_easy *data, struct connectdata *conn, - int sockindex, bool nonblocking, bool *done) +schannel_connect_common(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool nonblocking, bool *done) { CURLcode result; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; timediff_t timeout_ms; int what; @@ -1863,7 +1861,7 @@ schannel_connect_common(struct Curl_easy *data, struct connectdata *conn, return CURLE_OPERATION_TIMEDOUT; } - result = schannel_connect_step1(data, conn, sockindex); + result = schannel_connect_step1(cf, data); if(result) return result; } @@ -1918,7 +1916,7 @@ schannel_connect_common(struct Curl_easy *data, struct connectdata *conn, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - result = schannel_connect_step2(data, conn, sockindex); + result = schannel_connect_step2(cf, data); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1928,22 +1926,13 @@ schannel_connect_common(struct Curl_easy *data, struct connectdata *conn, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = schannel_connect_step3(data, conn, sockindex); + result = schannel_connect_step3(cf, data); if(result) return result; } if(ssl_connect_done == connssl->connecting_state) { connssl->state = ssl_connection_complete; - if(!connssl->backend->recv_renegotiating) { - /* On renegotiation, we don't want to reset the existing recv/send - * function pointers. They will have been set after the initial TLS - * handshake was completed. If they were subsequently modified, as - * is the case with HTTP/2, we don't want to override that change. - */ - conn->recv[sockindex] = schannel_recv; - conn->send[sockindex] = schannel_send; - } #ifdef SECPKG_ATTR_ENDPOINT_BINDINGS /* When SSPI is used in combination with Schannel @@ -1954,7 +1943,7 @@ schannel_connect_common(struct Curl_easy *data, struct connectdata *conn, { struct ssl_backend_data *backend = connssl->backend; DEBUGASSERT(backend); - conn->sslContext = &backend->ctxt->ctxt_handle; + cf->conn->sslContext = &backend->ctxt->ctxt_handle; } #endif @@ -1970,14 +1959,13 @@ schannel_connect_common(struct Curl_easy *data, struct connectdata *conn, } static ssize_t -schannel_send(struct Curl_easy *data, int sockindex, +schannel_send(struct Curl_cfilter *cf, struct Curl_easy *data, const void *buf, size_t len, CURLcode *err) { ssize_t written = -1; size_t data_len = 0; unsigned char *ptr = NULL; - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; SecBuffer outbuf[4]; SecBufferDesc outbuf_desc; SECURITY_STATUS sspi_status = SEC_E_OK; @@ -2068,7 +2056,7 @@ schannel_send(struct Curl_easy *data, int sockindex, } else if(!timeout_ms) timeout_ms = TIMEDIFF_T_MAX; - what = SOCKET_WRITABLE(conn->sock[sockindex], timeout_ms); + what = SOCKET_WRITABLE(cf->conn->sock[cf->sockindex], timeout_ms); if(what < 0) { /* fatal error */ failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO); @@ -2085,8 +2073,9 @@ schannel_send(struct Curl_easy *data, int sockindex, } /* socket is writable */ - result = Curl_write_plain(data, conn->sock[sockindex], ptr + written, - len - written, &this_write); + this_write = Curl_conn_cf_send(cf->next, data, + ptr + written, len - written, + &result); if(result == CURLE_AGAIN) continue; else if(result != CURLE_OK) { @@ -2116,13 +2105,12 @@ schannel_send(struct Curl_easy *data, int sockindex, } static ssize_t -schannel_recv(struct Curl_easy *data, int sockindex, +schannel_recv(struct Curl_cfilter *cf, struct Curl_easy *data, char *buf, size_t len, CURLcode *err) { size_t size = 0; ssize_t nread = -1; - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; unsigned char *reallocated_buffer; size_t reallocated_length; bool done = FALSE; @@ -2198,19 +2186,19 @@ schannel_recv(struct Curl_easy *data, int sockindex, backend->encdata_offset, backend->encdata_length)); /* read encrypted data from socket */ - *err = Curl_read_plain(conn->sock[sockindex], - (char *)(backend->encdata_buffer + + nread = Curl_conn_cf_recv(cf->next, data, + (char *)(backend->encdata_buffer + backend->encdata_offset), - size, &nread); + size, err); if(*err) { nread = -1; if(*err == CURLE_AGAIN) DEBUGF(infof(data, - "schannel: Curl_read_plain returned CURLE_AGAIN")); + "schannel: recv returned CURLE_AGAIN")); else if(*err == CURLE_RECV_ERROR) - infof(data, "schannel: Curl_read_plain returned CURLE_RECV_ERROR"); + infof(data, "schannel: recv returned CURLE_RECV_ERROR"); else - infof(data, "schannel: Curl_read_plain returned error %d", *err); + infof(data, "schannel: recv returned error %d", *err); } else if(nread == 0) { backend->recv_connection_closed = true; @@ -2331,7 +2319,7 @@ schannel_recv(struct Curl_easy *data, int sockindex, connssl->state = ssl_connection_negotiating; connssl->connecting_state = ssl_connect_2_writing; backend->recv_renegotiating = true; - *err = schannel_connect_common(data, conn, sockindex, FALSE, &done); + *err = schannel_connect_common(cf, data, FALSE, &done); backend->recv_renegotiating = false; if(*err) { infof(data, "schannel: renegotiation failed"); @@ -2439,20 +2427,20 @@ schannel_recv(struct Curl_easy *data, int sockindex, return *err ? -1 : 0; } -static CURLcode schannel_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode schannel_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { - return schannel_connect_common(data, conn, sockindex, TRUE, done); + return schannel_connect_common(cf, data, TRUE, done); } -static CURLcode schannel_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode schannel_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode result; bool done = FALSE; - result = schannel_connect_common(data, conn, sockindex, FALSE, &done); + result = schannel_connect_common(cf, data, FALSE, &done); if(result) return result; @@ -2461,15 +2449,16 @@ static CURLcode schannel_connect(struct Curl_easy *data, return CURLE_OK; } -static bool schannel_data_pending(const struct connectdata *conn, - int sockindex) +static bool schannel_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + const struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + (void)data; DEBUGASSERT(backend); - if(connssl->use) /* SSL/TLS is in use */ + if(connssl->backend->ctxt) /* SSL/TLS is in use */ return (backend->decdata_offset > 0 || (backend->encdata_offset > 0 && !backend->encdata_is_incomplete)); else @@ -2500,25 +2489,24 @@ static void schannel_session_free(void *ptr) /* shut down the SSL connection and clean up related memory. this function can be called multiple times on the same connection including if the SSL connection failed (eg connection made but failed handshake). */ -static int schannel_shutdown(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static int schannel_shutdown(struct Curl_cfilter *cf, + struct Curl_easy *data) { /* See https://msdn.microsoft.com/en-us/library/windows/desktop/aa380138.aspx * Shutting Down an Schannel Connection */ - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - char * const hostname = SSL_HOST_NAME(); + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; DEBUGASSERT(data); DEBUGASSERT(backend); - if(connssl->use) { - infof(data, "schannel: shutting down SSL/TLS connection with %s port %hu", - hostname, conn->remote_port); + if(connssl->backend->ctxt) { + infof(data, "schannel: shutting down SSL/TLS connection with %s port %d", + connssl->hostname, connssl->port); } - if(connssl->use && backend->cred && backend->ctxt) { + if(backend->cred && backend->ctxt) { SecBufferDesc BuffDesc; SecBuffer Buffer; SECURITY_STATUS sspi_status; @@ -2559,10 +2547,9 @@ static int schannel_shutdown(struct Curl_easy *data, struct connectdata *conn, if((sspi_status == SEC_E_OK) || (sspi_status == SEC_I_CONTEXT_EXPIRED)) { /* send close message which is in output buffer */ - ssize_t written; - result = Curl_write_plain(data, conn->sock[sockindex], outbuf.pvBuffer, - outbuf.cbBuffer, &written); - + ssize_t written = Curl_conn_cf_send(cf->next, data, + outbuf.pvBuffer, outbuf.cbBuffer, + &result); s_pSecFn->FreeContextBuffer(outbuf.pvBuffer); if((result != CURLE_OK) || (outbuf.cbBuffer != (size_t) written)) { infof(data, "schannel: failed to send close msg: %s" @@ -2604,14 +2591,9 @@ static int schannel_shutdown(struct Curl_easy *data, struct connectdata *conn, return CURLE_OK; } -static void schannel_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static void schannel_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - if(conn->ssl[sockindex].use) - /* Curl_ssl_shutdown resets the socket state and calls schannel_shutdown */ - Curl_ssl_shutdown(data, conn, sockindex); - else - schannel_shutdown(data, conn, sockindex); + schannel_shutdown(cf, data); } static int schannel_init(void) @@ -2639,11 +2621,11 @@ static CURLcode schannel_random(struct Curl_easy *data UNUSED_PARAM, return Curl_win32_random(entropy, length); } -static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, - struct connectdata *conn, int sockindex, +static CURLcode pkp_pin_peer_pubkey(struct Curl_cfilter *cf, + struct Curl_easy *data, const char *pinnedpubkey) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; CERT_CONTEXT *pCertContextServer = NULL; @@ -2784,7 +2766,8 @@ const struct Curl_ssl Curl_ssl_schannel = { SSLSUPP_CAINFO_BLOB | #endif SSLSUPP_PINNEDPUBKEY | - SSLSUPP_TLS13_CIPHERSUITES, + SSLSUPP_TLS13_CIPHERSUITES | + SSLSUPP_HTTPS_PROXY, sizeof(struct ssl_backend_data), @@ -2798,7 +2781,7 @@ const struct Curl_ssl Curl_ssl_schannel = { Curl_none_cert_status_request, /* cert_status_request */ schannel_connect, /* connect */ schannel_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ schannel_get_internals, /* get_internals */ schannel_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -2809,7 +2792,10 @@ const struct Curl_ssl Curl_ssl_schannel = { Curl_none_false_start, /* false_start */ schannel_sha256sum, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + schannel_recv, /* recv decrypted data */ + schannel_send, /* send data to encrypt */ }; #endif /* USE_SCHANNEL */ diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h index 24d7eff..6d4235a 100644 --- a/lib/vtls/schannel.h +++ b/lib/vtls/schannel.h @@ -54,6 +54,7 @@ #include #include "curl_sspi.h" +#include "cfilters.h" #include "urldata.h" /* has been included via the above . @@ -77,14 +78,12 @@ extern const struct Curl_ssl Curl_ssl_schannel; -CURLcode Curl_verify_certificate(struct Curl_easy *data, - struct connectdata *conn, int sockindex); +CURLcode Curl_verify_certificate(struct Curl_cfilter *cf, + struct Curl_easy *data); /* structs to expose only in schannel.c and schannel_verify.c */ #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS -#include - #ifdef __MINGW32__ #ifdef __MINGW64_VERSION_MAJOR #define HAS_MANUAL_VERIFY_API diff --git a/lib/vtls/schannel_verify.c b/lib/vtls/schannel_verify.c index 1ac1d3e..e499216 100644 --- a/lib/vtls/schannel_verify.c +++ b/lib/vtls/schannel_verify.c @@ -42,6 +42,7 @@ #ifdef HAS_MANUAL_VERIFY_API #include "vtls.h" +#include "vtls_int.h" #include "sendf.h" #include "strerror.h" #include "curl_multibyte.h" @@ -458,7 +459,7 @@ static DWORD cert_get_name_string(struct Curl_easy *data, static CURLcode verify_host(struct Curl_easy *data, CERT_CONTEXT *pCertContextServer, - const char * const conn_hostname) + const char *conn_hostname) { CURLcode result = CURLE_PEER_FAILED_VERIFICATION; TCHAR *cert_hostname_buff = NULL; @@ -562,17 +563,18 @@ cleanup: return result; } -CURLcode Curl_verify_certificate(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +CURLcode Curl_verify_certificate(struct Curl_cfilter *cf, + struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); SECURITY_STATUS sspi_status; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CURLcode result = CURLE_OK; CERT_CONTEXT *pCertContextServer = NULL; const CERT_CHAIN_CONTEXT *pChainContext = NULL; HCERTCHAINENGINE cert_chain_engine = NULL; HCERTSTORE trust_store = NULL; - const char * const conn_hostname = SSL_HOST_NAME(); DEBUGASSERT(BACKEND); @@ -589,7 +591,7 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, } if(result == CURLE_OK && - (SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) && + (conn_config->CAfile || conn_config->ca_info_blob) && BACKEND->use_manual_cred_validation) { /* * Create a chain engine that uses the certificates in the CA file as @@ -616,7 +618,7 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, result = CURLE_SSL_CACERT_BADFILE; } else { - const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob); + const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; if(ca_info_blob) { result = add_certs_data_to_store(trust_store, (const char *)ca_info_blob->data, @@ -626,7 +628,7 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, } else { result = add_certs_file_to_store(trust_store, - SSL_CONN_CONFIG(CAfile), + conn_config->CAfile, data); } } @@ -669,7 +671,7 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, NULL, pCertContextServer->hCertStore, &ChainPara, - (SSL_SET_OPTION(no_revoke) ? 0 : + (ssl_config->no_revoke ? 0 : CERT_CHAIN_REVOCATION_CHECK_CHAIN), NULL, &pChainContext)) { @@ -718,8 +720,8 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, } if(result == CURLE_OK) { - if(SSL_CONN_CONFIG(verifyhost)) { - result = verify_host(data, pCertContextServer, conn_hostname); + if(conn_config->verifyhost) { + result = verify_host(data, pCertContextServer, connssl->hostname); } } diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c index c764e36..ab79654 100644 --- a/lib/vtls/sectransp.c +++ b/lib/vtls/sectransp.c @@ -122,12 +122,12 @@ #include #endif /* CURL_BUILD_MAC */ -#include "urldata.h" #include "sendf.h" #include "inet_pton.h" #include "connect.h" #include "select.h" #include "vtls.h" +#include "vtls_int.h" #include "sectransp.h" #include "curl_printf.h" #include "strdup.h" @@ -142,7 +142,6 @@ struct ssl_backend_data { SSLContextRef ssl_ctx; - curl_socket_t ssl_sockfd; bool ssl_direction; /* true if writing, false if reading */ size_t ssl_write_buffered_length; }; @@ -825,115 +824,62 @@ static const unsigned char ecDsaSecp384r1SpkiHeader[] = { #endif /* SECTRANSP_PINNEDPUBKEY_V1 */ #endif /* SECTRANSP_PINNEDPUBKEY */ -/* The following two functions were ripped from Apple sample code, - * with some modifications: */ -static OSStatus SocketRead(SSLConnectionRef connection, - void *data, /* owned by - * caller, data - * RETURNED */ - size_t *dataLength) /* IN/OUT */ +static OSStatus bio_cf_in_read(SSLConnectionRef connection, + void *buf, + size_t *dataLength) /* IN/OUT */ { - size_t bytesToGo = *dataLength; - size_t initLen = bytesToGo; - UInt8 *currData = (UInt8 *)data; - /*int sock = *(int *)connection;*/ - struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct Curl_cfilter *cf = (struct Curl_cfilter *)connection; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - int sock; + struct Curl_easy *data = connssl->call_data; + ssize_t nread; + CURLcode result; OSStatus rtn = noErr; - size_t bytesRead; - ssize_t rrtn; - int theErr; - DEBUGASSERT(backend); - sock = backend->ssl_sockfd; - *dataLength = 0; - - for(;;) { - bytesRead = 0; - rrtn = read(sock, currData, bytesToGo); - if(rrtn <= 0) { - /* this is guesswork... */ - theErr = errno; - if(rrtn == 0) { /* EOF = server hung up */ - /* the framework will turn this into errSSLClosedNoNotify */ - rtn = errSSLClosedGraceful; - } - else /* do the switch */ - switch(theErr) { - case ENOENT: - /* connection closed */ - rtn = errSSLClosedGraceful; - break; - case ECONNRESET: - rtn = errSSLClosedAbort; - break; - case EAGAIN: - rtn = errSSLWouldBlock; - backend->ssl_direction = false; - break; - default: - rtn = ioErr; - break; - } - break; - } - else { - bytesRead = rrtn; - } - bytesToGo -= bytesRead; - currData += bytesRead; - - if(bytesToGo == 0) { - /* filled buffer with incoming data, done */ - break; + DEBUGASSERT(data); + nread = Curl_conn_cf_recv(cf->next, data, buf, *dataLength, &result); + if(nread < 0) { + switch(result) { + case CURLE_OK: + case CURLE_AGAIN: + rtn = errSSLWouldBlock; + backend->ssl_direction = false; + break; + default: + rtn = ioErr; + break; } + nread = 0; } - *dataLength = initLen - bytesToGo; - + *dataLength = nread; return rtn; } -static OSStatus SocketWrite(SSLConnectionRef connection, - const void *data, - size_t *dataLength) /* IN/OUT */ +static OSStatus bio_cf_out_write(SSLConnectionRef connection, + const void *buf, + size_t *dataLength) /* IN/OUT */ { - size_t bytesSent = 0; - /*int sock = *(int *)connection;*/ - struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection; + struct Curl_cfilter *cf = (struct Curl_cfilter *)connection; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - int sock; - ssize_t length; - size_t dataLen = *dataLength; - const UInt8 *dataPtr = (UInt8 *)data; - OSStatus ortn; - int theErr; - - DEBUGASSERT(backend); - sock = backend->ssl_sockfd; - *dataLength = 0; + struct Curl_easy *data = connssl->call_data; + ssize_t nwritten; + CURLcode result; + OSStatus ortn = noErr; - do { - length = write(sock, - (char *)dataPtr + bytesSent, - dataLen - bytesSent); - } while((length > 0) && - ( (bytesSent += length) < dataLen) ); - - if(length <= 0) { - theErr = errno; - if(theErr == EAGAIN) { + DEBUGASSERT(data); + nwritten = Curl_conn_cf_send(cf->next, data, buf, *dataLength, &result); + if(nwritten <= 0) { + if(result == CURLE_AGAIN) { ortn = errSSLWouldBlock; backend->ssl_direction = true; } else { ortn = ioErr; } + nwritten = 0; } - else { - ortn = noErr; - } - *dataLength = bytesSent; + *dataLength = nwritten; return ortn; } @@ -1372,14 +1318,14 @@ static CURLcode sectransp_version_from_curl(SSLProtocol *darwinver, } #endif -static CURLcode -set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static CURLcode set_ssl_version_min_max(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - long ssl_version = SSL_CONN_CONFIG(version); - long ssl_version_max = SSL_CONN_CONFIG(version_max); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + long ssl_version = conn_config->version; + long ssl_version_max = conn_config->version_max; long max_supported_version_by_os; DEBUGASSERT(backend); @@ -1665,23 +1611,21 @@ static CURLcode sectransp_set_selected_ciphers(struct Curl_easy *data, return CURLE_OK; } -static CURLcode sectransp_connect_step1(struct Curl_easy *data, - struct connectdata *conn, - int sockindex) +static CURLcode sectransp_connect_step1(struct Curl_cfilter *cf, + struct Curl_easy *data) { - curl_socket_t sockfd = conn->sock[sockindex]; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - const struct curl_blob *ssl_cablob = SSL_CONN_CONFIG(ca_info_blob); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + const struct curl_blob *ssl_cablob = conn_config->ca_info_blob; const char * const ssl_cafile = /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */ - (ssl_cablob ? NULL : SSL_CONN_CONFIG(CAfile)); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); - const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); - bool isproxy = SSL_IS_PROXY(); - const char * const hostname = SSL_HOST_NAME(); - const long int port = SSL_HOST_PORT(); + (ssl_cablob ? NULL : conn_config->CAfile); + const bool verifypeer = conn_config->verifypeer; + char * const ssl_cert = ssl_config->primary.clientcert; + const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob; + bool isproxy = Curl_ssl_cf_is_proxy(cf); #ifdef ENABLE_IPV6 struct in6_addr addr; #else @@ -1733,7 +1677,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, /* check to see if we've been told to use an explicit SSL/TLS version */ #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS if(SSLSetProtocolVersionMax) { - switch(conn->ssl_config.version) { + switch(conn_config->version) { case CURL_SSLVERSION_TLSv1: (void)SSLSetProtocolVersionMin(backend->ssl_ctx, kTLSProtocol1); #if (CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) && HAVE_BUILTIN_AVAILABLE == 1 @@ -1754,7 +1698,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(data, conn, sockindex); + CURLcode result = set_ssl_version_min_max(cf, data); if(result != CURLE_OK) return result; break; @@ -1773,7 +1717,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx, kSSLProtocolAll, false); - switch(conn->ssl_config.version) { + switch(conn_config->version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx, @@ -1791,7 +1735,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(data, conn, sockindex); + CURLcode result = set_ssl_version_min_max(cf, data); if(result != CURLE_OK) return result; break; @@ -1807,13 +1751,13 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, #endif /* CURL_SUPPORT_MAC_10_8 */ } #else - if(conn->ssl_config.version_max != CURL_SSLVERSION_MAX_NONE) { + if(conn_config->version_max != CURL_SSLVERSION_MAX_NONE) { failf(data, "Your version of the OS does not support to set maximum" " SSL/TLS version"); return CURLE_SSL_CONNECT_ERROR; } (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx, kSSLProtocolAll, false); - switch(conn->ssl_config.version) { + switch(conn_config->version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: case CURL_SSLVERSION_TLSv1_0: @@ -1841,7 +1785,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, #endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */ #if (CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) && HAVE_BUILTIN_AVAILABLE == 1 - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { if(__builtin_available(macOS 10.13.4, iOS 11, tvOS 11, *)) { CFMutableArrayRef alpnArr = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks); @@ -1849,7 +1793,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, #ifdef USE_HTTP2 if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY - && (!isproxy || !conn->bits.tunnel_proxy) + && (!isproxy || !cf->conn->bits.tunnel_proxy) #endif ) { CFArrayAppendValue(alpnArr, CFSTR(ALPN_H2)); @@ -1872,7 +1816,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, } #endif - if(SSL_SET_OPTION(key)) { + if(ssl_config->key) { infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure " "Transport. The private key must be in the Keychain."); } @@ -1891,17 +1835,17 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, else err = !noErr; if((err != noErr) && (is_cert_file || is_cert_data)) { - if(!SSL_SET_OPTION(cert_type)) + if(!ssl_config->cert_type) infof(data, "SSL: Certificate type not set, assuming " "PKCS#12 format."); - else if(!strcasecompare(SSL_SET_OPTION(cert_type), "P12")) { + else if(!strcasecompare(ssl_config->cert_type, "P12")) { failf(data, "SSL: The Security framework only supports " "loading identities that are in PKCS#12 format."); return CURLE_SSL_CERTPROBLEM; } err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob, - SSL_SET_OPTION(key_passwd), + ssl_config->key_passwd, &cert_and_key); } @@ -1994,7 +1938,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, #else if(SSLSetSessionOption) { #endif /* CURL_BUILD_MAC */ - bool break_on_auth = !conn->ssl_config.verifypeer || + bool break_on_auth = !conn_config->verifypeer || ssl_cafile || ssl_cablob; err = SSLSetSessionOption(backend->ssl_ctx, kSSLSessionOptionBreakOnServerAuth, @@ -2007,7 +1951,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, else { #if CURL_SUPPORT_MAC_10_8 err = SSLSetEnableCertVerify(backend->ssl_ctx, - conn->ssl_config.verifypeer?true:false); + conn_config->verifypeer?true:false); if(err != noErr) { failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR; @@ -2016,7 +1960,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, } #else err = SSLSetEnableCertVerify(backend->ssl_ctx, - conn->ssl_config.verifypeer?true:false); + conn_config->verifypeer?true:false); if(err != noErr) { failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR; @@ -2037,9 +1981,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, /* Configure hostname check. SNI is used if available. * Both hostname check and SNI require SSLSetPeerDomainName(). * Also: the verifyhost setting influences SNI usage */ - if(conn->ssl_config.verifyhost) { + if(conn_config->verifyhost) { size_t snilen; - char *snihost = Curl_ssl_snihost(data, hostname, &snilen); + char *snihost = Curl_ssl_snihost(data, connssl->hostname, &snilen); if(!snihost) { failf(data, "Failed to set SNI"); return CURLE_SSL_CONNECT_ERROR; @@ -2052,9 +1996,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, return CURLE_SSL_CONNECT_ERROR; } - if((Curl_inet_pton(AF_INET, hostname, &addr)) + if((Curl_inet_pton(AF_INET, connssl->hostname, &addr)) #ifdef ENABLE_IPV6 - || (Curl_inet_pton(AF_INET6, hostname, &addr)) + || (Curl_inet_pton(AF_INET6, connssl->hostname, &addr)) #endif ) { infof(data, "WARNING: using IP address, SNI is being disabled by " @@ -2065,7 +2009,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, infof(data, "WARNING: disabling hostname validation also disables SNI."); } - ciphers = SSL_CONN_CONFIG(cipher_list); + ciphers = conn_config->cipher_list; if(ciphers) { err = sectransp_set_selected_ciphers(data, backend->ssl_ctx, ciphers); } @@ -2083,20 +2027,20 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, specifically doesn't want us doing that: */ if(SSLSetSessionOption) { SSLSetSessionOption(backend->ssl_ctx, kSSLSessionOptionSendOneByteRecord, - !SSL_SET_OPTION(enable_beast)); + !ssl_config->enable_beast); SSLSetSessionOption(backend->ssl_ctx, kSSLSessionOptionFalseStart, - data->set.ssl.falsestart); /* false start support */ + ssl_config->falsestart); /* false start support */ } #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */ /* Check if there's a cached ID we can/should use here! */ - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { char *ssl_sessionid; size_t ssl_sessionid_len; Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, isproxy, (void **)&ssl_sessionid, - &ssl_sessionid_len, sockindex)) { + if(!Curl_ssl_getsessionid(cf, data, (void **)&ssl_sessionid, + &ssl_sessionid_len)) { /* we got a session id, use it! */ err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); Curl_ssl_sessionid_unlock(data); @@ -2112,9 +2056,10 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, else { CURLcode result; ssl_sessionid = - aprintf("%s:%d:%d:%s:%ld", + aprintf("%s:%d:%d:%s:%d", ssl_cafile ? ssl_cafile : "(blob memory)", - verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port); + verifypeer, conn_config->verifyhost, connssl->hostname, + connssl->port); ssl_sessionid_len = strlen(ssl_sessionid); err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); @@ -2124,8 +2069,8 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, return CURLE_SSL_CONNECT_ERROR; } - result = Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid, - ssl_sessionid_len, sockindex, NULL); + result = Curl_ssl_addsessionid(cf, data, ssl_sessionid, + ssl_sessionid_len, NULL); Curl_ssl_sessionid_unlock(data); if(result) { failf(data, "failed to store ssl session"); @@ -2134,18 +2079,13 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, } } - err = SSLSetIOFuncs(backend->ssl_ctx, SocketRead, SocketWrite); + err = SSLSetIOFuncs(backend->ssl_ctx, bio_cf_in_read, bio_cf_out_write); if(err != noErr) { failf(data, "SSL: SSLSetIOFuncs() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR; } - /* pass the raw socket into the SSL layers */ - /* We need to store the FD in a constant memory address, because - * SSLSetConnection() will not copy that address. I've found that - * conn->sock[sockindex] may change on its own. */ - backend->ssl_sockfd = sockfd; - err = SSLSetConnection(backend->ssl_ctx, connssl); + err = SSLSetConnection(backend->ssl_ctx, cf); if(err != noErr) { failf(data, "SSL: SSLSetConnection() failed: %d", err); return CURLE_SSL_CONNECT_ERROR; @@ -2544,16 +2484,15 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, } #endif /* SECTRANSP_PINNEDPUBKEY */ -static CURLcode -sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static CURLcode sectransp_connect_step2(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); OSStatus err; SSLCipherSuite cipher; SSLProtocol protocol = 0; - const char * const hostname = SSL_HOST_NAME(); DEBUGASSERT(ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state @@ -2573,16 +2512,16 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, /* The below is errSSLServerAuthCompleted; it's not defined in Leopard's headers */ case -9841: - if((SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) && - SSL_CONN_CONFIG(verifypeer)) { - CURLcode result = verify_cert(data, SSL_CONN_CONFIG(CAfile), - SSL_CONN_CONFIG(ca_info_blob), + if((conn_config->CAfile || conn_config->ca_info_blob) && + conn_config->verifypeer) { + CURLcode result = verify_cert(data, conn_config->CAfile, + conn_config->ca_info_blob, backend->ssl_ctx); if(result) return result; } /* the documentation says we need to call SSLHandshake() again */ - return sectransp_connect_step2(data, conn, sockindex); + return sectransp_connect_step2(cf, data); /* Problem with encrypt / decrypt */ case errSSLPeerDecodeError: @@ -2684,7 +2623,7 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, host name: */ case errSSLHostNameMismatch: failf(data, "SSL certificate peer verification failed, the " - "certificate did not match \"%s\"\n", conn->host.dispname); + "certificate did not match \"%s\"\n", connssl->dispname); return CURLE_PEER_FAILED_VERIFICATION; /* Problem with SSL / TLS negotiation */ @@ -2776,7 +2715,7 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, default: /* May also return codes listed in Security Framework Result Codes */ failf(data, "Unknown SSL protocol error in connection to %s:%d", - hostname, err); + connssl->hostname, err); break; } return CURLE_SSL_CONNECT_ERROR; @@ -2835,7 +2774,7 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, } #if(CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) && HAVE_BUILTIN_AVAILABLE == 1 - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { if(__builtin_available(macOS 10.13.4, iOS 11, tvOS 11, *)) { CFArrayRef alpnArr = NULL; CFStringRef chosenProtocol = NULL; @@ -2847,18 +2786,18 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, #ifdef USE_HTTP2 if(chosenProtocol && !CFStringCompare(chosenProtocol, CFSTR(ALPN_H2), 0)) { - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; } else #endif if(chosenProtocol && !CFStringCompare(chosenProtocol, CFSTR(ALPN_HTTP_1_1), 0)) { - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; } else infof(data, VTLS_INFOF_NO_ALPN); - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); /* chosenProtocol is a reference to the string within alpnArr @@ -2894,11 +2833,12 @@ add_cert_to_certinfo(struct Curl_easy *data, } static CURLcode -collect_server_cert_single(struct Curl_easy *data, +collect_server_cert_single(struct Curl_cfilter *cf, struct Curl_easy *data, SecCertificateRef server_cert, CFIndex idx) { CURLcode result = CURLE_OK; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); #ifndef CURL_DISABLE_VERBOSE_STRINGS if(data->set.verbose) { char *certp; @@ -2909,25 +2849,24 @@ collect_server_cert_single(struct Curl_easy *data, } } #endif - if(data->set.ssl.certinfo) + if(ssl_config->certinfo) result = add_cert_to_certinfo(data, server_cert, (int)idx); return result; } /* This should be called during step3 of the connection at the earliest */ -static CURLcode -collect_server_cert(struct Curl_easy *data, - struct connectdata *conn, - int sockindex) +static CURLcode collect_server_cert(struct Curl_cfilter *cf, + struct Curl_easy *data) { #ifndef CURL_DISABLE_VERBOSE_STRINGS const bool show_verbose_server_cert = data->set.verbose; #else const bool show_verbose_server_cert = false; #endif - CURLcode result = data->set.ssl.certinfo ? + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + CURLcode result = ssl_config->certinfo ? CURLE_PEER_FAILED_VERIFICATION : CURLE_OK; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; CFArrayRef server_certs = NULL; SecCertificateRef server_cert; @@ -2937,7 +2876,7 @@ collect_server_cert(struct Curl_easy *data, DEBUGASSERT(backend); - if(!show_verbose_server_cert && !data->set.ssl.certinfo) + if(!show_verbose_server_cert && !ssl_config->certinfo) return CURLE_OK; if(!backend->ssl_ctx) @@ -2951,11 +2890,11 @@ collect_server_cert(struct Curl_easy *data, a null trust, so be on guard for that: */ if(err == noErr && trust) { count = SecTrustGetCertificateCount(trust); - if(data->set.ssl.certinfo) + if(ssl_config->certinfo) result = Curl_ssl_init_certinfo(data, (int)count); for(i = 0L ; !result && (i < count) ; i++) { server_cert = SecTrustGetCertificateAtIndex(trust, i); - result = collect_server_cert_single(data, server_cert, i); + result = collect_server_cert_single(cf, data, server_cert, i); } CFRelease(trust); } @@ -2973,11 +2912,11 @@ collect_server_cert(struct Curl_easy *data, a null trust, so be on guard for that: */ if(err == noErr && trust) { count = SecTrustGetCertificateCount(trust); - if(data->set.ssl.certinfo) + if(ssl_config->certinfo) result = Curl_ssl_init_certinfo(data, (int)count); for(i = 0L ; !result && (i < count) ; i++) { server_cert = SecTrustGetCertificateAtIndex(trust, i); - result = collect_server_cert_single(data, server_cert, i); + result = collect_server_cert_single(cf, data, server_cert, i); } CFRelease(trust); } @@ -2988,12 +2927,12 @@ collect_server_cert(struct Curl_easy *data, /* Just in case SSLCopyPeerCertificates() returns null too... */ if(err == noErr && server_certs) { count = CFArrayGetCount(server_certs); - if(data->set.ssl.certinfo) + if(ssl_config->certinfo) result = Curl_ssl_init_certinfo(data, (int)count); for(i = 0L ; !result && (i < count) ; i++) { server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i); - result = collect_server_cert_single(data, server_cert, i); + result = collect_server_cert_single(cf, data, server_cert, i); } CFRelease(server_certs); } @@ -3005,11 +2944,11 @@ collect_server_cert(struct Curl_easy *data, err = SSLCopyPeerCertificates(backend->ssl_ctx, &server_certs); if(err == noErr) { count = CFArrayGetCount(server_certs); - if(data->set.ssl.certinfo) + if(ssl_config->certinfo) result = Curl_ssl_init_certinfo(data, (int)count); for(i = 0L ; !result && (i < count) ; i++) { server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i); - result = collect_server_cert_single(data, server_cert, i); + result = collect_server_cert_single(cf, data, server_cert, i); } CFRelease(server_certs); } @@ -3017,16 +2956,15 @@ collect_server_cert(struct Curl_easy *data, return result; } -static CURLcode -sectransp_connect_step3(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static CURLcode sectransp_connect_step3(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; /* There is no step 3! * Well, okay, let's collect server certificates, and if verbose mode is on, * let's print the details of the server certificates. */ - const CURLcode result = collect_server_cert(data, conn, sockindex); + const CURLcode result = collect_server_cert(cf, data); if(result) return result; @@ -3034,19 +2972,14 @@ sectransp_connect_step3(struct Curl_easy *data, struct connectdata *conn, return CURLE_OK; } -static Curl_recv sectransp_recv; -static Curl_send sectransp_send; - static CURLcode -sectransp_connect_common(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, +sectransp_connect_common(struct Curl_cfilter *cf, struct Curl_easy *data, bool nonblocking, bool *done) { CURLcode result; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; int what; /* check if the connection has already been established */ @@ -3065,7 +2998,7 @@ sectransp_connect_common(struct Curl_easy *data, return CURLE_OPERATION_TIMEDOUT; } - result = sectransp_connect_step1(data, conn, sockindex); + result = sectransp_connect_step1(cf, data); if(result) return result; } @@ -3119,7 +3052,7 @@ sectransp_connect_common(struct Curl_easy *data, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - result = sectransp_connect_step2(data, conn, sockindex); + result = sectransp_connect_step2(cf, data); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -3130,15 +3063,13 @@ sectransp_connect_common(struct Curl_easy *data, if(ssl_connect_3 == connssl->connecting_state) { - result = sectransp_connect_step3(data, conn, sockindex); + result = sectransp_connect_step3(cf, data); if(result) return result; } if(ssl_connect_done == connssl->connecting_state) { connssl->state = ssl_connection_complete; - conn->recv[sockindex] = sectransp_recv; - conn->send[sockindex] = sectransp_send; *done = TRUE; } else @@ -3150,20 +3081,20 @@ sectransp_connect_common(struct Curl_easy *data, return CURLE_OK; } -static CURLcode sectransp_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode sectransp_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { - return sectransp_connect_common(data, conn, sockindex, TRUE, done); + return sectransp_connect_common(cf, data, TRUE, done); } -static CURLcode sectransp_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode sectransp_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode result; bool done = FALSE; - result = sectransp_connect_common(data, conn, sockindex, FALSE, &done); + result = sectransp_connect_common(cf, data, FALSE, &done); if(result) return result; @@ -3173,10 +3104,9 @@ static CURLcode sectransp_connect(struct Curl_easy *data, return CURLE_OK; } -static void sectransp_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static void sectransp_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; (void) data; @@ -3197,19 +3127,19 @@ static void sectransp_close(struct Curl_easy *data, struct connectdata *conn, #endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */ backend->ssl_ctx = NULL; } - backend->ssl_sockfd = 0; } -static int sectransp_shutdown(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static int sectransp_shutdown(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; ssize_t nread; int what; int rc; char buf[120]; int loop = 10; /* avoid getting stuck */ + CURLcode result; DEBUGASSERT(backend); @@ -3221,11 +3151,11 @@ static int sectransp_shutdown(struct Curl_easy *data, return 0; #endif - sectransp_close(data, conn, sockindex); + sectransp_close(cf, data); rc = 0; - what = SOCKET_READABLE(conn->sock[sockindex], SSL_SHUTDOWN_TIMEOUT); + what = SOCKET_READABLE(cf->conn->sock[cf->sockindex], SSL_SHUTDOWN_TIMEOUT); while(loop--) { if(what < 0) { @@ -3243,19 +3173,17 @@ static int sectransp_shutdown(struct Curl_easy *data, /* Something to read, let's do it and hope that it is the close notify alert from the server. No way to SSL_Read now, so use read(). */ - nread = read(conn->sock[sockindex], buf, sizeof(buf)); + nread = Curl_conn_cf_recv(cf->next, data, buf, sizeof(buf), &result); if(nread < 0) { - char buffer[STRERROR_LEN]; - failf(data, "read: %s", - Curl_strerror(errno, buffer, sizeof(buffer))); + failf(data, "read: %s", curl_easy_strerror(result)); rc = -1; } if(nread <= 0) break; - what = SOCKET_READABLE(conn->sock[sockindex], 0); + what = SOCKET_READABLE(cf->conn->sock[cf->sockindex], 0); } return rc; @@ -3285,13 +3213,15 @@ static size_t sectransp_version(char *buffer, size_t size) * 0 means the connection has been closed * -1 means the connection status is unknown */ -static int sectransp_check_cxn(struct connectdata *conn) +static int sectransp_check_cxn(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; OSStatus err; SSLSessionState state; + (void)data; DEBUGASSERT(backend); if(backend->ssl_ctx) { @@ -3303,14 +3233,15 @@ static int sectransp_check_cxn(struct connectdata *conn) return 0; } -static bool sectransp_data_pending(const struct connectdata *conn, - int connindex) +static bool sectransp_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[connindex]; + const struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; OSStatus err; size_t buffer; + (void)data; DEBUGASSERT(backend); if(backend->ssl_ctx) { /* SSL is in use */ @@ -3362,14 +3293,13 @@ static bool sectransp_false_start(void) return FALSE; } -static ssize_t sectransp_send(struct Curl_easy *data, - int sockindex, +static ssize_t sectransp_send(struct Curl_cfilter *cf, + struct Curl_easy *data, const void *mem, size_t len, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; size_t processed = 0UL; OSStatus err; @@ -3431,15 +3361,15 @@ static ssize_t sectransp_send(struct Curl_easy *data, return (ssize_t)processed; } -static ssize_t sectransp_recv(struct Curl_easy *data, - int num, +static ssize_t sectransp_recv(struct Curl_cfilter *cf, + struct Curl_easy *data, char *buf, size_t buffersize, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[num]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); size_t processed = 0UL; OSStatus err; @@ -3470,10 +3400,10 @@ static ssize_t sectransp_recv(struct Curl_easy *data, /* The below is errSSLPeerAuthCompleted; it's not defined in Leopard's headers */ case -9841: - if((SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) && - SSL_CONN_CONFIG(verifypeer)) { - CURLcode result = verify_cert(data, SSL_CONN_CONFIG(CAfile), - SSL_CONN_CONFIG(ca_info_blob), + if((conn_config->CAfile || conn_config->ca_info_blob) && + conn_config->verifypeer) { + CURLcode result = verify_cert(data, conn_config->CAfile, + conn_config->ca_info_blob, backend->ssl_ctx); if(result) return result; @@ -3504,10 +3434,9 @@ const struct Curl_ssl Curl_ssl_sectransp = { SSLSUPP_CAINFO_BLOB | SSLSUPP_CERTINFO | #ifdef SECTRANSP_PINNEDPUBKEY - SSLSUPP_PINNEDPUBKEY, -#else - 0, + SSLSUPP_PINNEDPUBKEY | #endif /* SECTRANSP_PINNEDPUBKEY */ + SSLSUPP_HTTPS_PROXY, sizeof(struct ssl_backend_data), @@ -3521,7 +3450,7 @@ const struct Curl_ssl Curl_ssl_sectransp = { Curl_none_cert_status_request, /* cert_status_request */ sectransp_connect, /* connect */ sectransp_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ sectransp_get_internals, /* get_internals */ sectransp_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -3532,7 +3461,10 @@ const struct Curl_ssl Curl_ssl_sectransp = { sectransp_false_start, /* false_start */ sectransp_sha256sum, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + sectransp_recv, /* recv decrypted data */ + sectransp_send, /* send data to encrypt */ }; #ifdef __clang__ diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index 9dee5aa..873ee6b 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -51,8 +51,10 @@ #endif #include "urldata.h" +#include "cfilters.h" #include "vtls.h" /* generic SSL protos etc */ +#include "vtls_int.h" #include "slist.h" #include "sendf.h" #include "strcase.h" @@ -150,11 +152,11 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, !Curl_timestrcmp(data->password, needle->password) && (data->authtype == needle->authtype) && #endif - Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && - Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && - Curl_safe_strcasecompare(data->curves, needle->curves) && - Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && - Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) + strcasecompare(data->cipher_list, needle->cipher_list) && + strcasecompare(data->cipher_list13, needle->cipher_list13) && + strcasecompare(data->curves, needle->curves) && + strcasecompare(data->CRLfile, needle->CRLfile) && + strcasecompare(data->pinned_key, needle->pinned_key)) return TRUE; return FALSE; @@ -291,89 +293,68 @@ static bool ssl_prefs_check(struct Curl_easy *data) return TRUE; } -#ifndef CURL_DISABLE_PROXY -static CURLcode -ssl_connect_init_proxy(struct connectdata *conn, int sockindex) +static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data) { - DEBUGASSERT(conn->bits.proxy_ssl_connected[sockindex]); - if(ssl_connection_complete == conn->ssl[sockindex].state && - !conn->proxy_ssl[sockindex].use) { - struct ssl_backend_data *pbdata; - - if(!(Curl_ssl->supports & SSLSUPP_HTTPS_PROXY)) - return CURLE_NOT_BUILT_IN; - - /* The pointers to the ssl backend data, which is opaque here, are swapped - rather than move the contents. */ - pbdata = conn->proxy_ssl[sockindex].backend; - conn->proxy_ssl[sockindex] = conn->ssl[sockindex]; + struct ssl_connect_data *ctx; - DEBUGASSERT(pbdata != NULL); + (void)data; + ctx = calloc(1, sizeof(*ctx)); + if(!ctx) + return NULL; - memset(&conn->ssl[sockindex], 0, sizeof(conn->ssl[sockindex])); - memset(pbdata, 0, Curl_ssl->sizeof_ssl_backend_data); + ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data); + if(!ctx->backend) { + free(ctx); + return NULL; + } + return ctx; +} - conn->ssl[sockindex].backend = pbdata; +static void cf_ctx_free(struct ssl_connect_data *ctx) +{ + if(ctx) { + free(ctx->backend); + free(ctx); } - return CURLE_OK; } -#endif -CURLcode -Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static void cf_ctx_set_data(struct Curl_cfilter *cf, + struct Curl_easy *data) { - CURLcode result; + if(cf->ctx) + ((struct ssl_connect_data *)cf->ctx)->call_data = data; +} -#ifndef CURL_DISABLE_PROXY - if(conn->bits.proxy_ssl_connected[sockindex]) { - result = ssl_connect_init_proxy(conn, sockindex); - if(result) - return result; - } -#endif +static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data) +{ + struct ssl_connect_data *connssl = cf->ctx; + CURLcode result; if(!ssl_prefs_check(data)) return CURLE_SSL_CONNECT_ERROR; /* mark this is being ssl-enabled from here on. */ - conn->ssl[sockindex].use = TRUE; - conn->ssl[sockindex].state = ssl_connection_negotiating; + connssl->state = ssl_connection_negotiating; - result = Curl_ssl->connect_blocking(data, conn, sockindex); + result = Curl_ssl->connect_blocking(cf, data); - if(!result) + if(!result) { Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ - else - conn->ssl[sockindex].use = FALSE; + DEBUGASSERT(connssl->state == ssl_connection_complete); + } return result; } -CURLcode -Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, - bool isproxy, int sockindex, bool *done) +static CURLcode +ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data, + bool *done) { - CURLcode result; - -#ifndef CURL_DISABLE_PROXY - if(conn->bits.proxy_ssl_connected[sockindex]) { - result = ssl_connect_init_proxy(conn, sockindex); - if(result) - return result; - } -#endif if(!ssl_prefs_check(data)) return CURLE_SSL_CONNECT_ERROR; /* mark this is being ssl requested from here on. */ - conn->ssl[sockindex].use = TRUE; - result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done); - if(result) - conn->ssl[sockindex].use = FALSE; - else if(*done && !isproxy) - Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ - return result; + return Curl_ssl->connect_nonblocking(cf, data, done); } /* @@ -398,42 +379,26 @@ void Curl_ssl_sessionid_unlock(struct Curl_easy *data) * Check if there's a session ID for the given connection in the cache, and if * there's one suitable, it is provided. Returns TRUE when no entry matched. */ -bool Curl_ssl_getsessionid(struct Curl_easy *data, - struct connectdata *conn, - const bool isProxy, +bool Curl_ssl_getsessionid(struct Curl_cfilter *cf, + struct Curl_easy *data, void **ssl_sessionid, - size_t *idsize, /* set 0 if unknown */ - int sockindex) + size_t *idsize) /* set 0 if unknown */ { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); struct Curl_ssl_session *check; size_t i; long *general_age; bool no_match = TRUE; -#ifndef CURL_DISABLE_PROXY - struct ssl_primary_config * const ssl_config = isProxy ? - &conn->proxy_ssl_config : - &conn->ssl_config; - const char * const name = isProxy ? - conn->http_proxy.host.name : conn->host.name; - int port = isProxy ? (int)conn->port : conn->remote_port; -#else - /* no proxy support */ - struct ssl_primary_config * const ssl_config = &conn->ssl_config; - const char * const name = conn->host.name; - int port = conn->remote_port; -#endif - (void)sockindex; *ssl_sessionid = NULL; - -#ifdef CURL_DISABLE_PROXY - if(isProxy) + if(!ssl_config) return TRUE; -#endif - DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + DEBUGASSERT(ssl_config->primary.sessionid); - if(!SSL_SET_OPTION(primary.sessionid) || !data->state.session) + if(!ssl_config->primary.sessionid || !data->state.session) /* session ID re-use is disabled or the session cache has not been setup */ return TRUE; @@ -449,16 +414,16 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, if(!check->sessionid) /* not session ID means blank entry */ continue; - if(strcasecompare(name, check->name) && - ((!conn->bits.conn_to_host && !check->conn_to_host) || - (conn->bits.conn_to_host && check->conn_to_host && - strcasecompare(conn->conn_to_host.name, check->conn_to_host))) && - ((!conn->bits.conn_to_port && check->conn_to_port == -1) || - (conn->bits.conn_to_port && check->conn_to_port != -1 && - conn->conn_to_port == check->conn_to_port)) && - (port == check->remote_port) && - strcasecompare(conn->handler->scheme, check->scheme) && - Curl_ssl_config_matches(ssl_config, &check->ssl_config)) { + if(strcasecompare(connssl->hostname, check->name) && + ((!cf->conn->bits.conn_to_host && !check->conn_to_host) || + (cf->conn->bits.conn_to_host && check->conn_to_host && + strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) && + ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) || + (cf->conn->bits.conn_to_port && check->conn_to_port != -1 && + cf->conn->conn_to_port == check->conn_to_port)) && + (connssl->port == check->remote_port) && + strcasecompare(cf->conn->handler->scheme, check->scheme) && + Curl_ssl_config_matches(conn_config, &check->ssl_config)) { /* yes, we have a session ID! */ (*general_age)++; /* increase general age */ check->age = *general_age; /* set this as used in this age */ @@ -470,10 +435,10 @@ bool Curl_ssl_getsessionid(struct Curl_easy *data, } } - DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d", + DEBUGF(infof(data, DMSG(data, "%s Session ID in cache for %s %s://%s:%d"), no_match? "Didn't find": "Found", - isProxy ? "proxy" : "host", - conn->handler->scheme, name, port)); + Curl_ssl_cf_is_proxy(cf) ? "proxy" : "host", + cf->conn->handler->scheme, connssl->hostname, connssl->port)); return no_match; } @@ -521,14 +486,15 @@ void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid) * layer. Curl_XXXX_session_free() will be called to free/kill the session ID * later on. */ -CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, - struct connectdata *conn, - const bool isProxy, +CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf, + struct Curl_easy *data, void *ssl_sessionid, size_t idsize, - int sockindex, bool *added) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); size_t i; struct Curl_ssl_session *store; long oldest_age; @@ -536,17 +502,6 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, char *clone_conn_to_host; int conn_to_port; long *general_age; -#ifndef CURL_DISABLE_PROXY - struct ssl_primary_config * const ssl_config = isProxy ? - &conn->proxy_ssl_config : - &conn->ssl_config; - const char *hostname = isProxy ? conn->http_proxy.host.name : - conn->host.name; -#else - struct ssl_primary_config * const ssl_config = &conn->ssl_config; - const char *hostname = conn->host.name; -#endif - (void)sockindex; if(added) *added = FALSE; @@ -556,14 +511,15 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, store = &data->state.session[0]; oldest_age = data->state.session[0].age; /* zero if unused */ - DEBUGASSERT(SSL_SET_OPTION(primary.sessionid)); + (void)ssl_config; + DEBUGASSERT(ssl_config->primary.sessionid); - clone_host = strdup(hostname); + clone_host = strdup(connssl->hostname); if(!clone_host) return CURLE_OUT_OF_MEMORY; /* bail out */ - if(conn->bits.conn_to_host) { - clone_conn_to_host = strdup(conn->conn_to_host.name); + if(cf->conn->bits.conn_to_host) { + clone_conn_to_host = strdup(cf->conn->conn_to_host.name); if(!clone_conn_to_host) { free(clone_host); return CURLE_OUT_OF_MEMORY; /* bail out */ @@ -572,8 +528,8 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, else clone_conn_to_host = NULL; - if(conn->bits.conn_to_port) - conn_to_port = conn->conn_to_port; + if(cf->conn->bits.conn_to_port) + conn_to_port = cf->conn->conn_to_port; else conn_to_port = -1; @@ -613,10 +569,10 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, store->conn_to_host = clone_conn_to_host; /* clone connect to host name */ store->conn_to_port = conn_to_port; /* connect to port number */ /* port number */ - store->remote_port = isProxy ? (int)conn->port : conn->remote_port; - store->scheme = conn->handler->scheme; + store->remote_port = connssl->port; + store->scheme = cf->conn->handler->scheme; - if(!Curl_clone_primary_ssl_config(ssl_config, &store->ssl_config)) { + if(!Curl_clone_primary_ssl_config(conn_config, &store->ssl_config)) { Curl_free_primary_ssl_config(&store->ssl_config); store->sessionid = NULL; /* let caller free sessionid */ free(clone_host); @@ -627,32 +583,16 @@ CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, if(added) *added = TRUE; - DEBUGF(infof(data, "Added Session ID to cache for %s://%s:%d [%s]", - store->scheme, store->name, store->remote_port, - isProxy ? "PROXY" : "server")); + DEBUGF(infof(data, DMSG(data, "Added Session ID to cache for %s://%s:%d" + " [%s]"), store->scheme, store->name, store->remote_port, + Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server")); return CURLE_OK; } -void Curl_ssl_associate_conn(struct Curl_easy *data, - struct connectdata *conn) +void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend) { - if(Curl_ssl->associate_connection) { - Curl_ssl->associate_connection(data, conn, FIRSTSOCKET); - if((conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD) && - conn->bits.sock_accepted) - Curl_ssl->associate_connection(data, conn, SECONDARYSOCKET); - } -} - -void Curl_ssl_detach_conn(struct Curl_easy *data, - struct connectdata *conn) -{ - if(Curl_ssl->disassociate_connection) { - Curl_ssl->disassociate_connection(data, FIRSTSOCKET); - if((conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD) && - conn->bits.sock_accepted) - Curl_ssl->disassociate_connection(data, SECONDARYSOCKET); - } + if(Curl_ssl->free_multi_ssl_backend_data && mbackend) + Curl_ssl->free_multi_ssl_backend_data(mbackend); } void Curl_ssl_close_all(struct Curl_easy *data) @@ -671,47 +611,26 @@ void Curl_ssl_close_all(struct Curl_easy *data) Curl_ssl->close_all(data); } -int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks) +int Curl_ssl_get_select_socks(struct Curl_cfilter *cf, struct Curl_easy *data, + curl_socket_t *socks) { - struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET]; + struct ssl_connect_data *connssl = cf->ctx; + (void)data; if(connssl->connecting_state == ssl_connect_2_writing) { /* write mode */ - socks[0] = conn->sock[FIRSTSOCKET]; + socks[0] = cf->conn->sock[FIRSTSOCKET]; return GETSOCK_WRITESOCK(0); } if(connssl->connecting_state == ssl_connect_2_reading) { /* read mode */ - socks[0] = conn->sock[FIRSTSOCKET]; + socks[0] = cf->conn->sock[FIRSTSOCKET]; return GETSOCK_READSOCK(0); } return GETSOCK_BLANK; } -void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) -{ - DEBUGASSERT((sockindex <= 1) && (sockindex >= -1)); - Curl_ssl->close_one(data, conn, sockindex); - conn->ssl[sockindex].state = ssl_connection_none; -} - -CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn, - int sockindex) -{ - if(Curl_ssl->shut_down(data, conn, sockindex)) - return CURLE_SSL_SHUTDOWN_FAILED; - - conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */ - conn->ssl[sockindex].state = ssl_connection_none; - - conn->recv[sockindex] = Curl_recv_plain; - conn->send[sockindex] = Curl_send_plain; - - return CURLE_OK; -} - /* Selects an SSL crypto engine */ CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine) @@ -774,15 +693,10 @@ void Curl_ssl_version(char *buffer, size_t size) * 0 means the connection has been closed * -1 means the connection status is unknown */ -int Curl_ssl_check_cxn(struct connectdata *conn) +int Curl_ssl_check_cxn(struct Curl_easy *data, struct connectdata *conn) { - return Curl_ssl->check_cxn(conn); -} - -bool Curl_ssl_data_pending(const struct connectdata *conn, - int connindex) -{ - return Curl_ssl->data_pending(conn, connindex); + struct Curl_cfilter *cf = Curl_ssl_cf_get_ssl(conn->cfilter[FIRSTSOCKET]); + return cf? Curl_ssl->check_cxn(cf, data) : -1; } void Curl_ssl_free_certinfo(struct Curl_easy *data) @@ -1138,20 +1052,13 @@ bool Curl_ssl_cert_status_request(void) /* * Check whether the SSL backend supports false start. */ -bool Curl_ssl_false_start(void) +bool Curl_ssl_false_start(struct Curl_easy *data) { + (void)data; return Curl_ssl->false_start(); } /* - * Check whether the SSL backend supports setting TLS 1.3 cipher suites - */ -bool Curl_ssl_tls13_ciphersuites(void) -{ - return Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES; -} - -/* * Default implementations for unsupported functions. */ @@ -1163,19 +1070,18 @@ int Curl_none_init(void) void Curl_none_cleanup(void) { } -int Curl_none_shutdown(struct Curl_easy *data UNUSED_PARAM, - struct connectdata *conn UNUSED_PARAM, - int sockindex UNUSED_PARAM) +int Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM, + struct Curl_easy *data UNUSED_PARAM) { (void)data; - (void)conn; - (void)sockindex; + (void)cf; return 0; } -int Curl_none_check_cxn(struct connectdata *conn UNUSED_PARAM) +int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data) { - (void)conn; + (void)cf; + (void)data; return -1; } @@ -1199,11 +1105,11 @@ void Curl_none_session_free(void *ptr UNUSED_PARAM) (void)ptr; } -bool Curl_none_data_pending(const struct connectdata *conn UNUSED_PARAM, - int connindex UNUSED_PARAM) +bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM, + const struct Curl_easy *data UNUSED_PARAM) { - (void)conn; - (void)connindex; + (void)cf; + (void)data; return 0; } @@ -1244,28 +1150,30 @@ static int multissl_init(void) return Curl_ssl->init(); } -static CURLcode multissl_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode multissl_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { if(multissl_setup(NULL)) return CURLE_FAILED_INIT; - return Curl_ssl->connect_blocking(data, conn, sockindex); + return Curl_ssl->connect_blocking(cf, data); } -static CURLcode multissl_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { if(multissl_setup(NULL)) return CURLE_FAILED_INIT; - return Curl_ssl->connect_nonblocking(data, conn, sockindex, done); + return Curl_ssl->connect_nonblocking(cf, data, done); } -static int multissl_getsock(struct connectdata *conn, curl_socket_t *socks) +static int multissl_get_select_socks(struct Curl_cfilter *cf, + struct Curl_easy *data, + curl_socket_t *socks) { if(multissl_setup(NULL)) return 0; - return Curl_ssl->getsock(conn, socks); + return Curl_ssl->get_select_socks(cf, data, socks); } static void *multissl_get_internals(struct ssl_connect_data *connssl, @@ -1276,12 +1184,30 @@ static void *multissl_get_internals(struct ssl_connect_data *connssl, return Curl_ssl->get_internals(connssl, info); } -static void multissl_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data) { if(multissl_setup(NULL)) return; - Curl_ssl->close_one(data, conn, sockindex); + Curl_ssl->close(cf, data); +} + +static ssize_t multissl_recv_plain(struct Curl_cfilter *cf, + struct Curl_easy *data, + char *buf, size_t len, CURLcode *code) +{ + if(multissl_setup(NULL)) + return CURLE_FAILED_INIT; + return Curl_ssl->recv_plain(cf, data, buf, len, code); +} + +static ssize_t multissl_send_plain(struct Curl_cfilter *cf, + struct Curl_easy *data, + const void *mem, size_t len, + CURLcode *code) +{ + if(multissl_setup(NULL)) + return CURLE_FAILED_INIT; + return Curl_ssl->send_plain(cf, data, mem, len, code); } static const struct Curl_ssl Curl_ssl_multi = { @@ -1299,7 +1225,7 @@ static const struct Curl_ssl Curl_ssl_multi = { Curl_none_cert_status_request, /* cert_status_request */ multissl_connect, /* connect */ multissl_connect_nonblocking, /* connect_nonblocking */ - multissl_getsock, /* getsock */ + multissl_get_select_socks, /* getsock */ multissl_get_internals, /* get_internals */ multissl_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -1310,7 +1236,10 @@ static const struct Curl_ssl Curl_ssl_multi = { Curl_none_false_start, /* false_start */ NULL, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + multissl_recv_plain, /* recv decrypted data */ + multissl_send_plain, /* send data to encrypt */ }; const struct Curl_ssl *Curl_ssl = @@ -1498,3 +1427,397 @@ CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name, } #endif /* !USE_SSL */ + +#ifdef USE_SSL + +static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data) +{ + struct ssl_connect_data *connssl = cf->ctx; + /* TODO: close_one closes BOTH conn->ssl AND conn->proxy_ssl for this + * sockindex (if in use). Gladly, it is safe to call more than once. */ + if(connssl) { + Curl_ssl->close(cf, data); + connssl->state = ssl_connection_none; + } + cf->connected = FALSE; +} + +static void reinit_hostname(struct Curl_cfilter *cf) +{ + struct ssl_connect_data *connssl = cf->ctx; + +#ifndef CURL_DISABLE_PROXY + if(Curl_ssl_cf_is_proxy(cf)) { + /* TODO: there is not definition for a proxy setup on a secondary conn */ + connssl->hostname = cf->conn->http_proxy.host.name; + connssl->dispname = cf->conn->http_proxy.host.dispname; + connssl->port = cf->conn->http_proxy.port; + } + else +#endif + { + /* TODO: secondaryhostname is set to the IP address we connect to + * in the FTP handler, it is assumed that host verification uses the + * hostname from FIRSTSOCKET */ + if(cf->sockindex == SECONDARYSOCKET && 0) { + connssl->hostname = cf->conn->secondaryhostname; + connssl->dispname = connssl->hostname; + connssl->port = cf->conn->secondary_port; + } + else { + connssl->hostname = cf->conn->host.name; + connssl->dispname = cf->conn->host.dispname; + connssl->port = cf->conn->remote_port; + } + } + DEBUGASSERT(connssl->hostname); +} + +static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data) +{ + cf_ctx_set_data(cf, data); + cf_close(cf, data); + cf_ctx_free(cf->ctx); + cf->ctx = NULL; +} + +static void ssl_cf_close(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + cf_ctx_set_data(cf, data); + cf_close(cf, data); + cf->next->cft->close(cf->next, data); + cf_ctx_set_data(cf, NULL); +} + +static CURLcode ssl_cf_connect(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool blocking, bool *done) +{ + struct ssl_connect_data *connssl = cf->ctx; + CURLcode result; + + if(cf->connected) { + *done = TRUE; + return CURLE_OK; + } + + cf_ctx_set_data(cf, data); + (void)connssl; + DEBUGASSERT(data->conn); + DEBUGASSERT(data->conn == cf->conn); + DEBUGASSERT(connssl); + DEBUGASSERT(cf->conn->host.name); + + result = cf->next->cft->connect(cf->next, data, blocking, done); + if(result || !*done) + goto out; + + /* TODO: right now we do not fully control when hostname is set, + * assign it on each connect call. */ + reinit_hostname(cf); + *done = FALSE; + + if(blocking) { + result = ssl_connect(cf, data); + *done = (result == CURLE_OK); + } + else { + result = ssl_connect_nonblocking(cf, data, done); + } + + if(!result && *done) { + cf->connected = TRUE; + if(cf->sockindex == FIRSTSOCKET && !Curl_ssl_cf_is_proxy(cf)) + Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ + DEBUGASSERT(connssl->state == ssl_connection_complete); + } +out: + cf_ctx_set_data(cf, NULL); + return result; +} + +static bool ssl_cf_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) +{ + bool result; + + cf_ctx_set_data(cf, (struct Curl_easy *)data); + if(cf->ctx && Curl_ssl->data_pending(cf, data)) + result = TRUE; + else + result = cf->next->cft->has_data_pending(cf->next, data); + cf_ctx_set_data(cf, NULL); + return result; +} + +static ssize_t ssl_cf_send(struct Curl_cfilter *cf, + struct Curl_easy *data, const void *buf, size_t len, + CURLcode *err) +{ + ssize_t nwritten; + + *err = CURLE_OK; + cf_ctx_set_data(cf, data); + nwritten = Curl_ssl->send_plain(cf, data, buf, len, err); + cf_ctx_set_data(cf, NULL); + return nwritten; +} + +static ssize_t ssl_cf_recv(struct Curl_cfilter *cf, + struct Curl_easy *data, char *buf, size_t len, + CURLcode *err) +{ + ssize_t nread; + + *err = CURLE_OK; + cf_ctx_set_data(cf, data); + nread = Curl_ssl->recv_plain(cf, data, buf, len, err); + cf_ctx_set_data(cf, NULL); + return nread; +} + +static int ssl_cf_get_select_socks(struct Curl_cfilter *cf, + struct Curl_easy *data, + curl_socket_t *socks) +{ + int result; + + cf_ctx_set_data(cf, data); + result = Curl_ssl->get_select_socks(cf, data, socks); + cf_ctx_set_data(cf, NULL); + return result; +} + +static void ssl_cf_attach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + if(Curl_ssl->attach_data) { + cf_ctx_set_data(cf, data); + Curl_ssl->attach_data(cf, data); + cf_ctx_set_data(cf, NULL); + } +} + +static void ssl_cf_detach_data(struct Curl_cfilter *cf, + struct Curl_easy *data) +{ + if(Curl_ssl->detach_data) { + cf_ctx_set_data(cf, data); + Curl_ssl->detach_data(cf, data); + cf_ctx_set_data(cf, NULL); + } +} + +static const struct Curl_cftype cft_ssl = { + "SSL", + CF_TYPE_SSL, + ssl_cf_destroy, + Curl_cf_def_setup, + ssl_cf_connect, + ssl_cf_close, + Curl_cf_def_get_host, + ssl_cf_get_select_socks, + ssl_cf_data_pending, + ssl_cf_send, + ssl_cf_recv, + ssl_cf_attach_data, + ssl_cf_detach_data, +}; + +static const struct Curl_cftype cft_ssl_proxy = { + "SSL-PROXY", + CF_TYPE_SSL, + ssl_cf_destroy, + Curl_cf_def_setup, + ssl_cf_connect, + ssl_cf_close, + Curl_cf_def_get_host, + ssl_cf_get_select_socks, + ssl_cf_data_pending, + ssl_cf_send, + ssl_cf_recv, + ssl_cf_attach_data, + ssl_cf_detach_data, +}; + +CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex) +{ + struct Curl_cfilter *cf; + struct ssl_connect_data *ctx; + CURLcode result; + + DEBUGASSERT(data->conn); + ctx = cf_ctx_new(data); + if(!ctx) { + result = CURLE_OUT_OF_MEMORY; + goto out; + } + + result = Curl_cf_create(&cf, &cft_ssl, ctx); + if(result) + goto out; + + Curl_conn_cf_add(data, conn, sockindex, cf); + + result = CURLE_OK; + +out: + if(result) + cf_ctx_free(ctx); + return result; +} + +#ifndef CURL_DISABLE_PROXY +CURLcode Curl_ssl_cfilter_proxy_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex) +{ + struct Curl_cfilter *cf; + struct ssl_connect_data *ctx; + CURLcode result; + + ctx = cf_ctx_new(data); + if(!ctx) { + result = CURLE_OUT_OF_MEMORY; + goto out; + } + + result = Curl_cf_create(&cf, &cft_ssl_proxy, ctx); + if(result) + goto out; + + Curl_conn_cf_add(data, conn, sockindex, cf); + + result = CURLE_OK; + +out: + if(result) + cf_ctx_free(ctx); + return result; +} + +#endif /* !CURL_DISABLE_PROXY */ + +bool Curl_ssl_supports(struct Curl_easy *data, int option) +{ + (void)data; + return (Curl_ssl->supports & option)? TRUE : FALSE; +} + +void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex, + CURLINFO info, int n) +{ + void *result = NULL; + (void)n; + if(data->conn) { + struct Curl_cfilter *cf; + /* get first filter in chain, if any is present */ + cf = Curl_ssl_cf_get_ssl(data->conn->cfilter[sockindex]); + if(cf) { + cf_ctx_set_data(cf, data); + result = Curl_ssl->get_internals(cf->ctx, info); + cf_ctx_set_data(cf, NULL); + } + } + return result; +} + +CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data, + int sockindex) +{ + struct Curl_cfilter *cf = data->conn? data->conn->cfilter[sockindex] : NULL; + CURLcode result = CURLE_OK; + + (void)data; + for(; cf; cf = cf->next) { + if(cf->cft == &cft_ssl) { + if(Curl_ssl->shut_down(cf, data)) + result = CURLE_SSL_SHUTDOWN_FAILED; + Curl_conn_cf_discard(cf, data); + break; + } + } + return result; +} + +static struct Curl_cfilter *get_ssl_cf_engaged(struct connectdata *conn, + int sockindex) +{ + struct Curl_cfilter *cf, *lowest_ssl_cf = NULL; + + for(cf = conn->cfilter[sockindex]; cf; cf = cf->next) { + if(cf->cft == &cft_ssl || cf->cft == &cft_ssl_proxy) { + lowest_ssl_cf = cf; + if(cf->connected || (cf->next && cf->next->connected)) { + /* connected or about to start */ + return cf; + } + } + } + return lowest_ssl_cf; +} + +bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf) +{ + return (cf->cft == &cft_ssl_proxy); +} + +struct ssl_config_data * +Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data) +{ +#ifdef CURL_DISABLE_PROXY + (void)cf; + return &data->set.ssl; +#else + return Curl_ssl_cf_is_proxy(cf)? &data->set.proxy_ssl : &data->set.ssl; +#endif +} + +struct ssl_config_data * +Curl_ssl_get_config(struct Curl_easy *data, int sockindex) +{ + struct Curl_cfilter *cf; + + (void)data; + DEBUGASSERT(data->conn); + cf = get_ssl_cf_engaged(data->conn, sockindex); + return cf? Curl_ssl_cf_get_config(cf, data) : &data->set.ssl; +} + +struct ssl_primary_config * +Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf) +{ +#ifdef CURL_DISABLE_PROXY + return &cf->conn->ssl_config; +#else + return Curl_ssl_cf_is_proxy(cf)? + &cf->conn->proxy_ssl_config : &cf->conn->ssl_config; +#endif +} + +struct ssl_primary_config * +Curl_ssl_get_primary_config(struct Curl_easy *data, + struct connectdata *conn, + int sockindex) +{ + struct Curl_cfilter *cf; + + (void)data; + DEBUGASSERT(conn); + cf = get_ssl_cf_engaged(conn, sockindex); + return cf? Curl_ssl_cf_get_primary_config(cf) : NULL; +} + +struct Curl_cfilter *Curl_ssl_cf_get_ssl(struct Curl_cfilter *cf) +{ + for(; cf; cf = cf->next) { + if(cf->cft == &cft_ssl || cf->cft == &cft_ssl_proxy) + return cf; + } + return NULL; +} + +#endif /* USE_SSL */ diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index 50c53b3..5ad64fc 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -26,7 +26,10 @@ #include "curl_setup.h" struct connectdata; +struct ssl_config_data; struct ssl_connect_data; +struct ssl_primary_config; +struct Curl_ssl_session; #define SSLSUPP_CA_PATH (1<<0) /* supports CAPATH */ #define SSLSUPP_CERTINFO (1<<1) /* supports CURLOPT_CERTINFO */ @@ -47,98 +50,13 @@ struct ssl_connect_data; #define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR \ ALPN_ACCEPTED "%.*s" -struct Curl_ssl { - /* - * This *must* be the first entry to allow returning the list of available - * backends in curl_global_sslset(). - */ - curl_ssl_backend info; - unsigned int supports; /* bitfield, see above */ - size_t sizeof_ssl_backend_data; - - int (*init)(void); - void (*cleanup)(void); - - size_t (*version)(char *buffer, size_t size); - int (*check_cxn)(struct connectdata *cxn); - int (*shut_down)(struct Curl_easy *data, struct connectdata *conn, - int sockindex); - bool (*data_pending)(const struct connectdata *conn, - int connindex); - - /* return 0 if a find random is filled in */ - CURLcode (*random)(struct Curl_easy *data, unsigned char *entropy, - size_t length); - bool (*cert_status_request)(void); - - CURLcode (*connect_blocking)(struct Curl_easy *data, - struct connectdata *conn, int sockindex); - CURLcode (*connect_nonblocking)(struct Curl_easy *data, - struct connectdata *conn, int sockindex, - bool *done); - - /* If the SSL backend wants to read or write on this connection during a - handshake, set socks[0] to the connection's FIRSTSOCKET, and return - a bitmap indicating read or write with GETSOCK_WRITESOCK(0) or - GETSOCK_READSOCK(0). Otherwise return GETSOCK_BLANK. - Mandatory. */ - int (*getsock)(struct connectdata *conn, curl_socket_t *socks); - - void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info); - void (*close_one)(struct Curl_easy *data, struct connectdata *conn, - int sockindex); - void (*close_all)(struct Curl_easy *data); - void (*session_free)(void *ptr); - - CURLcode (*set_engine)(struct Curl_easy *data, const char *engine); - CURLcode (*set_engine_default)(struct Curl_easy *data); - struct curl_slist *(*engines_list)(struct Curl_easy *data); - - bool (*false_start)(void); - CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, - unsigned char *sha256sum, size_t sha256sumlen); - - bool (*associate_connection)(struct Curl_easy *data, - struct connectdata *conn, - int sockindex); - void (*disassociate_connection)(struct Curl_easy *data, int sockindex); -}; - -#ifdef USE_SSL -extern const struct Curl_ssl *Curl_ssl; -#endif - -int Curl_none_init(void); -void Curl_none_cleanup(void); -int Curl_none_shutdown(struct Curl_easy *data, struct connectdata *conn, - int sockindex); -int Curl_none_check_cxn(struct connectdata *conn); -CURLcode Curl_none_random(struct Curl_easy *data, unsigned char *entropy, - size_t length); -void Curl_none_close_all(struct Curl_easy *data); -void Curl_none_session_free(void *ptr); -bool Curl_none_data_pending(const struct connectdata *conn, int connindex); -bool Curl_none_cert_status_request(void); -CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine); -CURLcode Curl_none_set_engine_default(struct Curl_easy *data); -struct curl_slist *Curl_none_engines_list(struct Curl_easy *data); -bool Curl_none_false_start(void); -bool Curl_ssl_tls13_ciphersuites(void); +/* Curl_multi SSL backend-specific data; declared differently by each SSL + backend */ +struct multi_ssl_backend_data; CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name, const curl_ssl_backend ***avail); -#include "openssl.h" /* OpenSSL versions */ -#include "gtls.h" /* GnuTLS versions */ -#include "nssg.h" /* NSS versions */ -#include "gskit.h" /* Global Secure ToolKit versions */ -#include "wolfssl.h" /* wolfSSL versions */ -#include "schannel.h" /* Schannel SSPI version */ -#include "sectransp.h" /* SecureTransport (Darwin) version */ -#include "mbedtls.h" /* mbedTLS versions */ -#include "bearssl.h" /* BearSSL versions */ -#include "rustls.h" /* rustls versions */ - #ifndef MAX_PINNED_PUBKEY_SIZE #define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */ #endif @@ -153,40 +71,6 @@ CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name, #define ALPN_H2_LENGTH 2 #define ALPN_H2 "h2" -/* set of helper macros for the backends to access the correct fields. For the - proxy or for the remote host - to properly support HTTPS proxy */ -#ifndef CURL_DISABLE_PROXY -#define SSL_IS_PROXY() \ - (CURLPROXY_HTTPS == conn->http_proxy.proxytype && \ - ssl_connection_complete != \ - conn->proxy_ssl[conn->sock[SECONDARYSOCKET] == \ - CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state) -#define SSL_SET_OPTION(var) \ - (SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var) -#define SSL_SET_OPTION_LVALUE(var) \ - (*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var)) -#define SSL_CONN_CONFIG(var) \ - (SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var) -#define SSL_HOST_NAME() \ - (SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name) -#define SSL_HOST_DISPNAME() \ - (SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname) -#define SSL_HOST_PORT() \ - (SSL_IS_PROXY() ? conn->port : conn->remote_port) -#define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY() \ - ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] \ - : data->set.str[STRING_SSL_PINNEDPUBLICKEY]) -#else -#define SSL_IS_PROXY() FALSE -#define SSL_SET_OPTION(var) data->set.ssl.var -#define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var -#define SSL_CONN_CONFIG(var) conn->ssl_config.var -#define SSL_HOST_NAME() conn->host.name -#define SSL_HOST_DISPNAME() conn->host.dispname -#define SSL_HOST_PORT() conn->remote_port -#define SSL_PINNED_PUB_KEY() \ - data->set.str[STRING_SSL_PINNEDPUBLICKEY] -#endif char *Curl_ssl_snihost(struct Curl_easy *data, const char *host, size_t *olen); bool Curl_ssl_config_matches(struct ssl_primary_config *data, @@ -194,31 +78,15 @@ bool Curl_ssl_config_matches(struct ssl_primary_config *data, bool Curl_clone_primary_ssl_config(struct ssl_primary_config *source, struct ssl_primary_config *dest); void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc); -/* An implementation of the getsock field of Curl_ssl that relies - on the ssl_connect_state enum. Asks for read or write depending - on whether conn->state is ssl_connect_2_reading or - ssl_connect_2_writing. */ -int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks); curl_sslbackend Curl_ssl_backend(void); #ifdef USE_SSL int Curl_ssl_init(void); void Curl_ssl_cleanup(void); -CURLcode Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn, - int sockindex); -CURLcode Curl_ssl_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - bool isproxy, - int sockindex, - bool *done); /* tell the SSL stuff to close down all open information regarding connections (and thus session ID caching etc) */ void Curl_ssl_close_all(struct Curl_easy *data); -void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex); -CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn, - int sockindex); CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine); /* Sets engine as default for all SSL operations */ CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data); @@ -227,9 +95,7 @@ struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data); /* init the SSL session ID cache */ CURLcode Curl_ssl_initsessions(struct Curl_easy *, size_t); void Curl_ssl_version(char *buffer, size_t size); -bool Curl_ssl_data_pending(const struct connectdata *conn, - int connindex); -int Curl_ssl_check_cxn(struct connectdata *conn); +int Curl_ssl_check_cxn(struct Curl_easy *data, struct connectdata *conn); /* Certificate information list handling. */ @@ -255,30 +121,6 @@ void Curl_ssl_sessionid_lock(struct Curl_easy *data); /* Unlock session cache mutex */ void Curl_ssl_sessionid_unlock(struct Curl_easy *data); -/* extract a session ID - * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). - * Caller must make sure that the ownership of returned sessionid object - * is properly taken (e.g. its refcount is incremented - * under sessionid mutex). - */ -bool Curl_ssl_getsessionid(struct Curl_easy *data, - struct connectdata *conn, - const bool isProxy, - void **ssl_sessionid, - size_t *idsize, /* set 0 if unknown */ - int sockindex); -/* add a new session ID - * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). - * Caller must ensure that it has properly shared ownership of this sessionid - * object with cache (e.g. incrementing refcount on success) - */ -CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, - struct connectdata *conn, - const bool isProxy, - void *ssl_sessionid, - size_t idsize, - int sockindex, - bool *added); /* Kill a single session ID entry in the cache * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). * This will call engine-specific curlssl_session_free function, which must @@ -304,41 +146,90 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, bool Curl_ssl_cert_status_request(void); -bool Curl_ssl_false_start(void); +bool Curl_ssl_false_start(struct Curl_easy *data); -void Curl_ssl_associate_conn(struct Curl_easy *data, - struct connectdata *conn); -void Curl_ssl_detach_conn(struct Curl_easy *data, - struct connectdata *conn); +void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend); #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ +CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); + +CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data, + int sockindex); + +#ifndef CURL_DISABLE_PROXY +CURLcode Curl_ssl_cfilter_proxy_add(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); +#endif /* !CURL_DISABLE_PROXY */ + +/** + * Get the SSL configuration that is used on the connection. + * This returns NULL if no SSL is configured. + * Otherwise it returns the config of the first (highest) one that is + * either connected, in handshake or about to start + * (e.g. all filters below it are connected). If SSL filters are present, + * but neither can start operating, return the config of the lowest one + * that will first come into effect when connecting. + */ +struct ssl_config_data *Curl_ssl_get_config(struct Curl_easy *data, + int sockindex); + +/** + * Get the primary SSL configuration from the connection. + * This returns NULL if no SSL is configured. + * Otherwise it returns the config of the first (highest) one that is + * either connected, in handshake or about to start + * (e.g. all filters below it are connected). If SSL filters are present, + * but neither can start operating, return the config of the lowest one + * that will first come into effect when connecting. + */ +struct ssl_primary_config * +Curl_ssl_get_primary_config(struct Curl_easy *data, + struct connectdata *conn, + int sockindex); + +/** + * True iff the underlying SSL implementation supports the option. + * Option is one of the defined SSLSUPP_* values. + * `data` maybe NULL for the features of the default implementation. + */ +bool Curl_ssl_supports(struct Curl_easy *data, int ssl_option); + +/** + * Get the internal ssl instance (like OpenSSL's SSL*) from the filter + * chain at `sockindex` of type specified by `info`. + * For `n` == 0, the first active (top down) instance is returned. + * 1 gives the second active, etc. + * NULL is returned when no active SSL filter is present. + */ +void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex, + CURLINFO info, int n); + #else /* if not USE_SSL */ /* When SSL support is not present, just define away these function calls */ #define Curl_ssl_init() 1 #define Curl_ssl_cleanup() Curl_nop_stmt -#define Curl_ssl_connect(x,y,z) CURLE_NOT_BUILT_IN #define Curl_ssl_close_all(x) Curl_nop_stmt -#define Curl_ssl_close(x,y,z) Curl_nop_stmt -#define Curl_ssl_shutdown(x,y,z) CURLE_NOT_BUILT_IN #define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN #define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN #define Curl_ssl_engines_list(x) NULL -#define Curl_ssl_send(a,b,c,d,e) -1 -#define Curl_ssl_recv(a,b,c,d,e) -1 #define Curl_ssl_initsessions(x,y) CURLE_OK -#define Curl_ssl_data_pending(x,y) 0 -#define Curl_ssl_check_cxn(x) 0 +#define Curl_ssl_check_cxn(d,x) 0 #define Curl_ssl_free_certinfo(x) Curl_nop_stmt -#define Curl_ssl_connect_nonblocking(x,y,z,w,a) CURLE_NOT_BUILT_IN #define Curl_ssl_kill_session(x) Curl_nop_stmt #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN) #define Curl_ssl_cert_status_request() FALSE -#define Curl_ssl_false_start() FALSE -#define Curl_ssl_tls13_ciphersuites() FALSE -#define Curl_ssl_associate_conn(a,b) Curl_nop_stmt -#define Curl_ssl_detach_conn(a,b) Curl_nop_stmt +#define Curl_ssl_false_start(a) FALSE +#define Curl_ssl_get_internals(a,b,c,d) NULL +#define Curl_ssl_supports(a,b) FALSE +#define Curl_ssl_cfilter_add(a,b,c) CURLE_NOT_BUILT_IN +#define Curl_ssl_cfilter_proxy_add(a,b,c) CURLE_NOT_BUILT_IN +#define Curl_ssl_get_config(a,b) NULL +#define Curl_ssl_cfilter_remove(a,b) CURLE_OK #endif #endif /* HEADER_CURL_VTLS_H */ diff --git a/lib/vtls/vtls_int.h b/lib/vtls/vtls_int.h new file mode 100644 index 0000000..6710a2b --- /dev/null +++ b/lib/vtls/vtls_int.h @@ -0,0 +1,190 @@ +#ifndef HEADER_CURL_VTLS_INT_H +#define HEADER_CURL_VTLS_INT_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * SPDX-License-Identifier: curl + * + ***************************************************************************/ +#include "curl_setup.h" +#include "cfilters.h" +#include "urldata.h" + +#ifdef USE_SSL + +/* Information in each SSL cfilter context: cf->ctx */ +struct ssl_connect_data { + ssl_connection_state state; + ssl_connect_state connecting_state; + const char *hostname; /* hostnaem for verification */ + const char *dispname; /* display version of hostname */ + int port; /* remote port at origin */ + struct ssl_backend_data *backend; /* vtls backend specific props */ + struct Curl_easy *call_data; /* data handle used in current call, + * same as parameter passed, but available + * here for backend internal callbacks + * that need it. NULLed after at the + * end of each vtls filter invcocation. */ +}; + + +/* Definitions for SSL Implementations */ + +struct Curl_ssl { + /* + * This *must* be the first entry to allow returning the list of available + * backends in curl_global_sslset(). + */ + curl_ssl_backend info; + unsigned int supports; /* bitfield, see above */ + size_t sizeof_ssl_backend_data; + + int (*init)(void); + void (*cleanup)(void); + + size_t (*version)(char *buffer, size_t size); + int (*check_cxn)(struct Curl_cfilter *cf, struct Curl_easy *data); + int (*shut_down)(struct Curl_cfilter *cf, + struct Curl_easy *data); + bool (*data_pending)(struct Curl_cfilter *cf, + const struct Curl_easy *data); + + /* return 0 if a find random is filled in */ + CURLcode (*random)(struct Curl_easy *data, unsigned char *entropy, + size_t length); + bool (*cert_status_request)(void); + + CURLcode (*connect_blocking)(struct Curl_cfilter *cf, + struct Curl_easy *data); + CURLcode (*connect_nonblocking)(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done); + + /* If the SSL backend wants to read or write on this connection during a + handshake, set socks[0] to the connection's FIRSTSOCKET, and return + a bitmap indicating read or write with GETSOCK_WRITESOCK(0) or + GETSOCK_READSOCK(0). Otherwise return GETSOCK_BLANK. + Mandatory. */ + int (*get_select_socks)(struct Curl_cfilter *cf, struct Curl_easy *data, + curl_socket_t *socks); + + void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info); + void (*close)(struct Curl_cfilter *cf, struct Curl_easy *data); + void (*close_all)(struct Curl_easy *data); + void (*session_free)(void *ptr); + + CURLcode (*set_engine)(struct Curl_easy *data, const char *engine); + CURLcode (*set_engine_default)(struct Curl_easy *data); + struct curl_slist *(*engines_list)(struct Curl_easy *data); + + bool (*false_start)(void); + CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, + unsigned char *sha256sum, size_t sha256sumlen); + + bool (*attach_data)(struct Curl_cfilter *cf, struct Curl_easy *data); + void (*detach_data)(struct Curl_cfilter *cf, struct Curl_easy *data); + + void (*free_multi_ssl_backend_data)(struct multi_ssl_backend_data *mbackend); + + ssize_t (*recv_plain)(struct Curl_cfilter *cf, struct Curl_easy *data, + char *buf, size_t len, CURLcode *code); + ssize_t (*send_plain)(struct Curl_cfilter *cf, struct Curl_easy *data, + const void *mem, size_t len, CURLcode *code); + +}; + +extern const struct Curl_ssl *Curl_ssl; + + +int Curl_none_init(void); +void Curl_none_cleanup(void); +int Curl_none_shutdown(struct Curl_cfilter *cf, struct Curl_easy *data); +int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data); +CURLcode Curl_none_random(struct Curl_easy *data, unsigned char *entropy, + size_t length); +void Curl_none_close_all(struct Curl_easy *data); +void Curl_none_session_free(void *ptr); +bool Curl_none_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data); +bool Curl_none_cert_status_request(void); +CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine); +CURLcode Curl_none_set_engine_default(struct Curl_easy *data); +struct curl_slist *Curl_none_engines_list(struct Curl_easy *data); +bool Curl_none_false_start(void); +int Curl_ssl_get_select_socks(struct Curl_cfilter *cf, struct Curl_easy *data, + curl_socket_t *socks); + +/** + * Get the ssl_config_data in `data` that is relevant for cfilter `cf`. + */ +struct ssl_config_data *Curl_ssl_cf_get_config(struct Curl_cfilter *cf, + struct Curl_easy *data); + +/** + * Get the primary config relevant for the filter from its connection. + */ +struct ssl_primary_config * + Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf); + +/** + * Get the first SSL filter in the chain starting with `cf`, or NULL. + */ +struct Curl_cfilter *Curl_ssl_cf_get_ssl(struct Curl_cfilter *cf); + +/** + * Get the SSL filter below the given one or NULL if there is none. + */ +bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf); + +/* extract a session ID + * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). + * Caller must make sure that the ownership of returned sessionid object + * is properly taken (e.g. its refcount is incremented + * under sessionid mutex). + */ +bool Curl_ssl_getsessionid(struct Curl_cfilter *cf, + struct Curl_easy *data, + void **ssl_sessionid, + size_t *idsize); /* set 0 if unknown */ +/* add a new session ID + * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). + * Caller must ensure that it has properly shared ownership of this sessionid + * object with cache (e.g. incrementing refcount on success) + */ +CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf, + struct Curl_easy *data, + void *ssl_sessionid, + size_t idsize, + bool *added); + +#include "openssl.h" /* OpenSSL versions */ +#include "gtls.h" /* GnuTLS versions */ +#include "nssg.h" /* NSS versions */ +#include "gskit.h" /* Global Secure ToolKit versions */ +#include "wolfssl.h" /* wolfSSL versions */ +#include "schannel.h" /* Schannel SSPI version */ +#include "sectransp.h" /* SecureTransport (Darwin) version */ +#include "mbedtls.h" /* mbedTLS versions */ +#include "bearssl.h" /* BearSSL versions */ +#include "rustls.h" /* rustls versions */ + +#endif /* USE_SSL */ + +#endif /* HEADER_CURL_VTLS_INT_H */ diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index 594c39a..7cc4774 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c @@ -55,6 +55,7 @@ #include "sendf.h" #include "inet_pton.h" #include "vtls.h" +#include "vtls_int.h" #include "keylog.h" #include "parsedate.h" #include "connect.h" /* for the connect timeout */ @@ -84,14 +85,17 @@ #endif #endif +#if defined(HAVE_WOLFSSL_FULL_BIO) && HAVE_WOLFSSL_FULL_BIO +#define USE_BIO_CHAIN +#else +#undef USE_BIO_CHAIN +#endif + struct ssl_backend_data { SSL_CTX* ctx; SSL* handle; }; -static Curl_recv wolfssl_recv; -static Curl_send wolfssl_send; - #ifdef OPENSSL_EXTRA /* * Availability note: @@ -241,19 +245,130 @@ static const struct group_name_map gnm[] = { }; #endif +#ifdef USE_BIO_CHAIN + +static int bio_cf_create(WOLFSSL_BIO *bio) +{ + wolfSSL_BIO_set_shutdown(bio, 1); + wolfSSL_BIO_set_init(bio, 1); + wolfSSL_BIO_set_data(bio, NULL); + return 1; +} + +static int bio_cf_destroy(WOLFSSL_BIO *bio) +{ + if(!bio) + return 0; + return 1; +} + +static long bio_cf_ctrl(WOLFSSL_BIO *bio, int cmd, long num, void *ptr) +{ + struct Curl_cfilter *cf = BIO_get_data(bio); + long ret = 1; + + (void)cf; + (void)ptr; + switch(cmd) { + case BIO_CTRL_GET_CLOSE: + ret = (long)wolfSSL_BIO_get_shutdown(bio); + break; + case BIO_CTRL_SET_CLOSE: + wolfSSL_BIO_set_shutdown(bio, (int)num); + break; + case BIO_CTRL_FLUSH: + /* we do no delayed writes, but if we ever would, this + * needs to trigger it. */ + ret = 1; + break; + case BIO_CTRL_DUP: + ret = 1; + break; +#ifdef BIO_CTRL_EOF + case BIO_CTRL_EOF: + /* EOF has been reached on input? */ + return (!cf->next || !cf->next->connected); +#endif + default: + ret = 0; + break; + } + return ret; +} + +static int bio_cf_out_write(WOLFSSL_BIO *bio, const char *buf, int blen) +{ + struct Curl_cfilter *cf = wolfSSL_BIO_get_data(bio); + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->call_data; + ssize_t nwritten; + CURLcode result = CURLE_OK; + + DEBUGASSERT(data); + nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result); + wolfSSL_BIO_clear_retry_flags(bio); + if(nwritten < 0 && CURLE_AGAIN == result) + BIO_set_retry_read(bio); + return (int)nwritten; +} + +static int bio_cf_in_read(WOLFSSL_BIO *bio, char *buf, int blen) +{ + struct Curl_cfilter *cf = wolfSSL_BIO_get_data(bio); + struct ssl_connect_data *connssl = cf->ctx; + struct Curl_easy *data = connssl->call_data; + ssize_t nread; + CURLcode result = CURLE_OK; + + DEBUGASSERT(data); + /* OpenSSL catches this case, so should we. */ + if(!buf) + return 0; + + nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result); + wolfSSL_BIO_clear_retry_flags(bio); + if(nread < 0 && CURLE_AGAIN == result) + BIO_set_retry_read(bio); + return (int)nread; +} + +static WOLFSSL_BIO_METHOD *bio_cf_method = NULL; + +static void bio_cf_init_methods(void) +{ + bio_cf_method = wolfSSL_BIO_meth_new(BIO_TYPE_MEM, "wolfSSL CF BIO"); + wolfSSL_BIO_meth_set_write(bio_cf_method, &bio_cf_out_write); + wolfSSL_BIO_meth_set_read(bio_cf_method, &bio_cf_in_read); + wolfSSL_BIO_meth_set_ctrl(bio_cf_method, &bio_cf_ctrl); + wolfSSL_BIO_meth_set_create(bio_cf_method, &bio_cf_create); + wolfSSL_BIO_meth_set_destroy(bio_cf_method, &bio_cf_destroy); +} + +static void bio_cf_free_methods(void) +{ + wolfSSL_BIO_meth_free(bio_cf_method); +} + +#else /* USE_BIO_CHAIN */ + +#define bio_cf_init_methods() Curl_nop_stmt +#define bio_cf_free_methods() Curl_nop_stmt + +#endif /* !USE_BIO_CHAIN */ + /* * This function loads all the client/CA certificates and CRLs. Setup the TLS * layer and do all necessary magic. */ static CURLcode -wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) { char *ciphers, *curves; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + const struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); SSL_METHOD* req_method = NULL; - curl_socket_t sockfd = conn->sock[sockindex]; #ifdef HAVE_LIBOQS word16 oqsAlg = 0; size_t idx = 0; @@ -270,13 +385,13 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, if(connssl->state == ssl_connection_complete) return CURLE_OK; - if(SSL_CONN_CONFIG(version_max) != CURL_SSLVERSION_MAX_NONE) { + if(conn_config->version_max != CURL_SSLVERSION_MAX_NONE) { failf(data, "wolfSSL does not support to set maximum SSL/TLS version"); return CURLE_SSL_CONNECT_ERROR; } /* check to see if we've been told to use an explicit SSL/TLS version */ - switch(SSL_CONN_CONFIG(version)) { + switch(conn_config->version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: #if LIBWOLFSSL_VERSION_HEX >= 0x03003000 /* >= 3.3.0 */ @@ -339,7 +454,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, return CURLE_OUT_OF_MEMORY; } - switch(SSL_CONN_CONFIG(version)) { + switch(conn_config->version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: #if LIBWOLFSSL_VERSION_HEX > 0x03004006 /* > 3.4.6 */ @@ -363,7 +478,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, break; } - ciphers = SSL_CONN_CONFIG(cipher_list); + ciphers = conn_config->cipher_list; if(ciphers) { if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) { failf(data, "failed setting cipher list: %s", ciphers); @@ -372,7 +487,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, infof(data, "Cipher selection: %s", ciphers); } - curves = SSL_CONN_CONFIG(curves); + curves = conn_config->curves; if(curves) { #ifdef HAVE_LIBOQS @@ -394,18 +509,18 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, } #ifndef NO_FILESYSTEM /* load trusted cacert */ - if(SSL_CONN_CONFIG(CAfile)) { + if(conn_config->CAfile) { if(1 != SSL_CTX_load_verify_locations(backend->ctx, - SSL_CONN_CONFIG(CAfile), - SSL_CONN_CONFIG(CApath))) { - if(SSL_CONN_CONFIG(verifypeer)) { + conn_config->CAfile, + conn_config->CApath)) { + if(conn_config->verifypeer) { /* Fail if we insist on successfully verifying the server. */ failf(data, "error setting certificate verify locations:" " CAfile: %s CApath: %s", - SSL_CONN_CONFIG(CAfile)? - SSL_CONN_CONFIG(CAfile): "none", - SSL_CONN_CONFIG(CApath)? - SSL_CONN_CONFIG(CApath) : "none"); + conn_config->CAfile? + conn_config->CAfile: "none", + conn_config->CApath? + conn_config->CApath : "none"); return CURLE_SSL_CACERT_BADFILE; } else { @@ -420,25 +535,25 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, infof(data, "successfully set certificate verify locations:"); } infof(data, " CAfile: %s", - SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile) : "none"); + conn_config->CAfile ? conn_config->CAfile : "none"); infof(data, " CApath: %s", - SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath) : "none"); + conn_config->CApath ? conn_config->CApath : "none"); } /* Load the client certificate, and private key */ - if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key)) { - int file_type = do_file_type(SSL_SET_OPTION(cert_type)); + if(ssl_config->primary.clientcert && ssl_config->key) { + int file_type = do_file_type(ssl_config->cert_type); if(SSL_CTX_use_certificate_file(backend->ctx, - SSL_SET_OPTION(primary.clientcert), + ssl_config->primary.clientcert, file_type) != 1) { failf(data, "unable to use client certificate (no key or wrong pass" " phrase?)"); return CURLE_SSL_CONNECT_ERROR; } - file_type = do_file_type(SSL_SET_OPTION(key_type)); - if(SSL_CTX_use_PrivateKey_file(backend->ctx, SSL_SET_OPTION(key), + file_type = do_file_type(ssl_config->key_type); + if(SSL_CTX_use_PrivateKey_file(backend->ctx, ssl_config->key, file_type) != 1) { failf(data, "unable to set private key"); return CURLE_SSL_CONNECT_ERROR; @@ -451,8 +566,8 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, * anyway. In the latter case the result of the verification is checked with * SSL_get_verify_result() below. */ SSL_CTX_set_verify(backend->ctx, - SSL_CONN_CONFIG(verifypeer)?SSL_VERIFY_PEER: - SSL_VERIFY_NONE, + conn_config->verifypeer?SSL_VERIFY_PEER: + SSL_VERIFY_NONE, NULL); #ifdef HAVE_SNI @@ -461,16 +576,16 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, #ifdef ENABLE_IPV6 struct in6_addr addr6; #endif - const char * const hostname = SSL_HOST_NAME(); - size_t hostname_len = strlen(hostname); + size_t hostname_len = strlen(connssl->hostname); + if((hostname_len < USHRT_MAX) && - !Curl_inet_pton(AF_INET, hostname, &addr4) + !Curl_inet_pton(AF_INET, connssl->hostname, &addr4) #ifdef ENABLE_IPV6 - && !Curl_inet_pton(AF_INET6, hostname, &addr6) + && !Curl_inet_pton(AF_INET6, connssl->hostname, &addr6) #endif ) { size_t snilen; - char *snihost = Curl_ssl_snihost(data, hostname, &snilen); + char *snihost = Curl_ssl_snihost(data, connssl->hostname, &snilen); if(!snihost || wolfSSL_CTX_UseSNI(backend->ctx, WOLFSSL_SNI_HOST_NAME, snihost, (unsigned short)snilen) != 1) { @@ -491,7 +606,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, } } #ifdef NO_FILESYSTEM - else if(SSL_CONN_CONFIG(verifypeer)) { + else if(conn_config->verifypeer) { failf(data, "SSL: Certificates can't be loaded because wolfSSL was built" " with \"no filesystem\". Either disable peer verification" " (insecure) or if you are building an application with libcurl you" @@ -518,7 +633,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, #endif #ifdef HAVE_ALPN - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { char protocols[128]; *protocols = '\0'; @@ -563,13 +678,11 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, #endif /* HAVE_SECURE_RENEGOTIATION */ /* Check if there's a cached ID we can/should use here! */ - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { void *ssl_sessionid = NULL; Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - &ssl_sessionid, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(cf, data, &ssl_sessionid, NULL)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { Curl_ssl_delsessionid(data, ssl_sessionid); @@ -581,11 +694,24 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, Curl_ssl_sessionid_unlock(data); } +#ifdef USE_BIO_CHAIN + { + WOLFSSL_BIO *bio; + + bio = BIO_new(bio_cf_method); + if(!bio) + return CURLE_OUT_OF_MEMORY; + + wolfSSL_BIO_set_data(bio, cf); + wolfSSL_set_bio(backend->handle, bio, bio); + } +#else /* USE_BIO_CHAIN */ /* pass the raw socket into the SSL layer */ - if(!SSL_set_fd(backend->handle, (int)sockfd)) { + if(!SSL_set_fd(backend->handle, (int)cf->conn->sock[cf->sockindex])) { failf(data, "SSL: SSL_set_fd failed"); return CURLE_SSL_CONNECT_ERROR; } +#endif /* !USE_BIO_CHAIN */ connssl->connecting_state = ssl_connect_2; return CURLE_OK; @@ -593,25 +719,23 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, static CURLcode -wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) { int ret = -1; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - const char * const dispname = SSL_HOST_DISPNAME(); - const char * const pinnedpubkey = SSL_PINNED_PUB_KEY(); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + const char * const pinnedpubkey = Curl_ssl_cf_is_proxy(cf)? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: + data->set.str[STRING_SSL_PINNEDPUBLICKEY]; DEBUGASSERT(backend); ERR_clear_error(); - conn->recv[sockindex] = wolfssl_recv; - conn->send[sockindex] = wolfssl_send; - /* Enable RFC2818 checks */ - if(SSL_CONN_CONFIG(verifyhost)) { - char *snihost = Curl_ssl_snihost(data, SSL_HOST_NAME(), NULL); + if(conn_config->verifyhost) { + char *snihost = Curl_ssl_snihost(data, connssl->hostname, NULL); if(!snihost || (wolfSSL_check_domain_name(backend->handle, snihost) == SSL_FAILURE)) return CURLE_SSL_CONNECT_ERROR; @@ -661,32 +785,32 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, else if(DOMAIN_NAME_MISMATCH == detail) { #if 1 failf(data, " subject alt name(s) or common name do not match \"%s\"", - dispname); + connssl->dispname); return CURLE_PEER_FAILED_VERIFICATION; #else /* When the wolfssl_check_domain_name() is used and you desire to - * continue on a DOMAIN_NAME_MISMATCH, i.e. 'conn->ssl_config.verifyhost + * continue on a DOMAIN_NAME_MISMATCH, i.e. 'ssl_config.verifyhost * == 0', CyaSSL version 2.4.0 will fail with an INCOMPLETE_DATA * error. The only way to do this is currently to switch the * Wolfssl_check_domain_name() in and out based on the - * 'conn->ssl_config.verifyhost' value. */ - if(SSL_CONN_CONFIG(verifyhost)) { + * 'ssl_config.verifyhost' value. */ + if(conn_config->verifyhost) { failf(data, " subject alt name(s) or common name do not match \"%s\"\n", - dispname); + connssl->dispname); return CURLE_PEER_FAILED_VERIFICATION; } else { infof(data, " subject alt name(s) and/or common name do not match \"%s\"", - dispname); + connssl->dispname); return CURLE_OK; } #endif } #if LIBWOLFSSL_VERSION_HEX >= 0x02007000 /* 2.7.0 */ else if(ASN_NO_SIGNER_E == detail) { - if(SSL_CONN_CONFIG(verifypeer)) { + if(conn_config->verifypeer) { failf(data, " CA signer not available for verification"); return CURLE_SSL_CACERT_BADFILE; } @@ -751,7 +875,7 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, } #ifdef HAVE_ALPN - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { int rc; char *protocol = NULL; unsigned short protocol_len = 0; @@ -763,17 +887,17 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, if(protocol_len == ALPN_HTTP_1_1_LENGTH && !memcmp(protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; #ifdef USE_HTTP2 else if(data->state.httpwant >= CURL_HTTP_VERSION_2 && protocol_len == ALPN_H2_LENGTH && !memcmp(protocol, ALPN_H2, ALPN_H2_LENGTH)) - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; #endif else infof(data, "ALPN, unrecognized protocol %.*s", protocol_len, protocol); - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else if(rc == SSL_ALPN_NOT_FOUND) @@ -799,28 +923,26 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, static CURLcode -wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +wolfssl_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data) { CURLcode result = CURLE_OK; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + const struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); DEBUGASSERT(backend); - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { bool incache; bool added = FALSE; void *old_ssl_sessionid = NULL; /* SSL_get1_session allocates memory that has to be freed. */ SSL_SESSION *our_ssl_sessionid = SSL_get1_session(backend->handle); - bool isproxy = SSL_IS_PROXY() ? TRUE : FALSE; if(our_ssl_sessionid) { Curl_ssl_sessionid_lock(data); - incache = !(Curl_ssl_getsessionid(data, conn, isproxy, - &old_ssl_sessionid, NULL, sockindex)); + incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { infof(data, "old SSL session ID is stale, removing"); @@ -830,8 +952,7 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, } if(!incache) { - result = Curl_ssl_addsessionid(data, conn, isproxy, our_ssl_sessionid, - 0, sockindex, NULL); + result = Curl_ssl_addsessionid(cf, data, our_ssl_sessionid, 0, NULL); if(result) { Curl_ssl_sessionid_unlock(data); SSL_SESSION_free(our_ssl_sessionid); @@ -857,14 +978,13 @@ wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, } -static ssize_t wolfssl_send(struct Curl_easy *data, - int sockindex, +static ssize_t wolfssl_send(struct Curl_cfilter *cf, + struct Curl_easy *data, const void *mem, size_t len, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; char error_buffer[WOLFSSL_MAX_ERROR_SZ]; int memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len; @@ -896,10 +1016,9 @@ static ssize_t wolfssl_send(struct Curl_easy *data, return rc; } -static void wolfssl_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static void wolfssl_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; (void) data; @@ -921,14 +1040,13 @@ static void wolfssl_close(struct Curl_easy *data, struct connectdata *conn, } } -static ssize_t wolfssl_recv(struct Curl_easy *data, - int num, +static ssize_t wolfssl_recv(struct Curl_cfilter *cf, + struct Curl_easy *data, char *buf, size_t buffersize, CURLcode *curlcode) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[num]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; char error_buffer[WOLFSSL_MAX_ERROR_SZ]; int buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize; @@ -983,15 +1101,20 @@ static size_t wolfssl_version(char *buffer, size_t size) static int wolfssl_init(void) { + int ret; + #ifdef OPENSSL_EXTRA Curl_tls_keylog_open(); #endif - return (wolfSSL_Init() == SSL_SUCCESS); + ret = (wolfSSL_Init() == SSL_SUCCESS); + bio_cf_init_methods(); + return ret; } static void wolfssl_cleanup(void) { + bio_cf_free_methods(); wolfSSL_Cleanup(); #ifdef OPENSSL_EXTRA Curl_tls_keylog_close(); @@ -999,14 +1122,15 @@ static void wolfssl_cleanup(void) } -static bool wolfssl_data_pending(const struct connectdata *conn, - int connindex) +static bool wolfssl_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[connindex]; - struct ssl_backend_data *backend = connssl->backend; - DEBUGASSERT(backend); - if(backend->handle) /* SSL is in use */ - return (0 != SSL_pending(backend->handle)) ? TRUE : FALSE; + struct ssl_connect_data *ctx = cf->ctx; + + (void)data; + DEBUGASSERT(ctx && ctx->backend); + if(ctx->backend->handle) /* SSL is in use */ + return (0 != SSL_pending(ctx->backend->handle)) ? TRUE : FALSE; else return FALSE; } @@ -1016,36 +1140,33 @@ static bool wolfssl_data_pending(const struct connectdata *conn, * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int wolfssl_shutdown(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static int wolfssl_shutdown(struct Curl_cfilter *cf, + struct Curl_easy *data) { + struct ssl_connect_data *ctx = cf->ctx; int retval = 0; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct ssl_backend_data *backend = connssl->backend; - (void) data; - - DEBUGASSERT(backend); + (void)data; + DEBUGASSERT(ctx && ctx->backend); - if(backend->handle) { + if(ctx->backend->handle) { ERR_clear_error(); - SSL_free(backend->handle); - backend->handle = NULL; + SSL_free(ctx->backend->handle); + ctx->backend->handle = NULL; } return retval; } static CURLcode -wolfssl_connect_common(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, - bool nonblocking, - bool *done) +wolfssl_connect_common(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool nonblocking, + bool *done) { CURLcode result; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; int what; /* check if the connection has already been established */ @@ -1064,7 +1185,7 @@ wolfssl_connect_common(struct Curl_easy *data, return CURLE_OPERATION_TIMEDOUT; } - result = wolfssl_connect_step1(data, conn, sockindex); + result = wolfssl_connect_step1(cf, data); if(result) return result; } @@ -1119,7 +1240,7 @@ wolfssl_connect_common(struct Curl_easy *data, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - result = wolfssl_connect_step2(data, conn, sockindex); + result = wolfssl_connect_step2(cf, data); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1128,15 +1249,13 @@ wolfssl_connect_common(struct Curl_easy *data, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = wolfssl_connect_step3(data, conn, sockindex); + result = wolfssl_connect_step3(cf, data); if(result) return result; } if(ssl_connect_done == connssl->connecting_state) { connssl->state = ssl_connection_complete; - conn->recv[sockindex] = wolfssl_recv; - conn->send[sockindex] = wolfssl_send; *done = TRUE; } else @@ -1149,21 +1268,21 @@ wolfssl_connect_common(struct Curl_easy *data, } -static CURLcode wolfssl_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode wolfssl_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { - return wolfssl_connect_common(data, conn, sockindex, TRUE, done); + return wolfssl_connect_common(cf, data, TRUE, done); } -static CURLcode wolfssl_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode wolfssl_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode result; bool done = FALSE; - result = wolfssl_connect_common(data, conn, sockindex, FALSE, &done); + result = wolfssl_connect_common(cf, data, FALSE, &done); if(result) return result; @@ -1216,6 +1335,9 @@ const struct Curl_ssl Curl_ssl_wolfssl = { #ifdef KEEP_PEER_CERT SSLSUPP_PINNEDPUBKEY | #endif +#ifdef USE_BIO_CHAIN + SSLSUPP_HTTPS_PROXY | +#endif SSLSUPP_SSL_CTX, sizeof(struct ssl_backend_data), @@ -1230,7 +1352,7 @@ const struct Curl_ssl Curl_ssl_wolfssl = { Curl_none_cert_status_request, /* cert_status_request */ wolfssl_connect, /* connect */ wolfssl_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ wolfssl_get_internals, /* get_internals */ wolfssl_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -1241,7 +1363,10 @@ const struct Curl_ssl Curl_ssl_wolfssl = { Curl_none_false_start, /* false_start */ wolfssl_sha256sum, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + wolfssl_recv, /* recv decrypted data */ + wolfssl_send, /* send data to encrypt */ }; #endif diff --git a/lib/vtls/x509asn1.c b/lib/vtls/x509asn1.c index 0cfcbe8..4c1c9a8 100644 --- a/lib/vtls/x509asn1.c +++ b/lib/vtls/x509asn1.c @@ -182,7 +182,7 @@ static const char *getASN1Element(struct Curl_asn1Element *elem, const char *beg, const char *end) { unsigned char b; - unsigned long len; + size_t len; struct Curl_asn1Element lelem; /* Get a single ASN.1 element into `elem', parse ASN.1 string at `beg' @@ -307,7 +307,7 @@ static const char *bit2str(const char *beg, const char *end) */ static const char *int2str(const char *beg, const char *end) { - unsigned long val = 0; + unsigned int val = 0; size_t n = end - beg; if(!n) @@ -323,7 +323,7 @@ static const char *int2str(const char *beg, const char *end) do val = (val << 8) | *(const unsigned char *) beg++; while(beg < end); - return curl_maprintf("%s%lx", val >= 10? "0x": "", val); + return curl_maprintf("%s%x", val >= 10? "0x": "", val); } /* @@ -953,8 +953,7 @@ static int do_pubkey(struct Curl_easy *data, int certnum, * ECC public key is all the data, a value of type BIT STRING mapped to * OCTET STRING and should not be parsed as an ASN.1 value. */ - const unsigned long len = - (unsigned long)((pubkey->end - pubkey->beg - 2) * 4); + const size_t len = ((pubkey->end - pubkey->beg - 2) * 4); if(!certnum) infof(data, " ECC Public Key (%lu bits)", len); if(data->set.ssl.certinfo) { @@ -972,7 +971,7 @@ static int do_pubkey(struct Curl_easy *data, int certnum, if(strcasecompare(algo, "rsaEncryption")) { const char *q; - unsigned long len; + size_t len; p = getASN1Element(&elem, pk.beg, pk.end); if(!p) @@ -981,7 +980,7 @@ static int do_pubkey(struct Curl_easy *data, int certnum, /* Compute key length. */ for(q = elem.beg; !*q && q < elem.end; q++) ; - len = (unsigned long)((elem.end - q) * 8); + len = ((elem.end - q) * 8); if(len) { unsigned int i; for(i = *(unsigned char *) q; !(i & 0x80); i <<= 1) @@ -1073,7 +1072,7 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, size_t cl1; char *cp2; CURLcode result = CURLE_OK; - unsigned long version; + unsigned int version; size_t i; size_t j; @@ -1276,9 +1275,12 @@ static const char *checkOID(const char *beg, const char *end, return matched? ccp: NULL; } -CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, +CURLcode Curl_verifyhost(struct Curl_cfilter *cf, + struct Curl_easy *data, const char *beg, const char *end) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct Curl_X509certificate cert; struct Curl_asn1Element dn; struct Curl_asn1Element elem; @@ -1290,9 +1292,8 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, int matched = -1; size_t addrlen = (size_t) -1; ssize_t len; - const char * const hostname = SSL_HOST_NAME(); - const char * const dispname = SSL_HOST_DISPNAME(); - size_t hostlen = strlen(hostname); + size_t hostlen; + #ifdef ENABLE_IPV6 struct in6_addr addr; #else @@ -1302,19 +1303,21 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, /* Verify that connection server matches info in X509 certificate at `beg'..`end'. */ - if(!SSL_CONN_CONFIG(verifyhost)) + if(!conn_config->verifyhost) return CURLE_OK; if(Curl_parseX509(&cert, beg, end)) return CURLE_PEER_FAILED_VERIFICATION; + hostlen = strlen(connssl->hostname); + /* Get the server IP address. */ #ifdef ENABLE_IPV6 - if(conn->bits.ipv6_ip && Curl_inet_pton(AF_INET6, hostname, &addr)) + if(conn->bits.ipv6_ip && Curl_inet_pton(AF_INET6, connssl->hostname, &addr)) addrlen = sizeof(struct in6_addr); else #endif - if(Curl_inet_pton(AF_INET, hostname, &addr)) + if(Curl_inet_pton(AF_INET, connssl->hostname, &addr)) addrlen = sizeof(struct in_addr); /* Process extensions. */ @@ -1345,19 +1348,20 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, break; switch(name.tag) { case 2: /* DNS name. */ + matched = 0; len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING, name.beg, name.end); - if(len > 0 && (size_t)len == strlen(dnsname)) - matched = Curl_cert_hostcheck(dnsname, - (size_t)len, hostname, hostlen); - else - matched = 0; - free(dnsname); + if(len > 0) { + if(size_t)len == strlen(dnsname) + matched = Curl_cert_hostcheck(dnsname, (size_t)len, + connssl->hostname, hostlen); + free(dnsname); + } break; case 7: /* IP address. */ - matched = (size_t) (name.end - name.beg) == addrlen && - !memcmp(&addr, name.beg, addrlen); + matched = (name.end - name.beg) == addrlen && + !memcmp(&addr, name.beg, addrlen); break; } } @@ -1367,12 +1371,12 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, switch(matched) { case 1: /* an alternative name matched the server hostname */ - infof(data, " subjectAltName: %s matched", dispname); + infof(data, " subjectAltName: %s matched", connssl->dispname); return CURLE_OK; case 0: /* an alternative name field existed, but didn't match and then we MUST fail */ - infof(data, " subjectAltName does not match %s", dispname); + infof(data, " subjectAltName does not match %s", connssl->dispname); return CURLE_PEER_FAILED_VERIFICATION; } @@ -1402,21 +1406,19 @@ CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, failf(data, "SSL: unable to obtain common name from peer certificate"); else { len = utf8asn1str(&dnsname, elem.tag, elem.beg, elem.end); - if(len < 0) { - free(dnsname); + if(len < 0) return CURLE_OUT_OF_MEMORY; - } if(strlen(dnsname) != (size_t) len) /* Nul byte in string ? */ failf(data, "SSL: illegal cert name field"); else if(Curl_cert_hostcheck((const char *) dnsname, - len, hostname, hostlen)) { + len, connssl->hostname, hostlen)) { infof(data, " common name: %s (matched)", dnsname); free(dnsname); return CURLE_OK; } else failf(data, "SSL: certificate subject name '%s' does not match " - "target host name '%s'", dnsname, dispname); + "target host name '%s'", dnsname, connssl->dispname); free(dnsname); } diff --git a/lib/vtls/x509asn1.h b/lib/vtls/x509asn1.h index a18fa11..eb8e959 100644 --- a/lib/vtls/x509asn1.h +++ b/lib/vtls/x509asn1.h @@ -30,6 +30,7 @@ #if defined(USE_GSKIT) || defined(USE_NSS) || defined(USE_GNUTLS) || \ defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) +#include "cfilters.h" #include "urldata.h" /* @@ -73,7 +74,7 @@ int Curl_parseX509(struct Curl_X509certificate *cert, const char *beg, const char *end); CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum, const char *beg, const char *end); -CURLcode Curl_verifyhost(struct Curl_easy *data, struct connectdata *conn, +CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data, const char *beg, const char *end); #endif /* USE_GSKIT or USE_NSS or USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL * or USE_SECTRANSP */ diff --git a/lib/ws.c b/lib/ws.c index a673446..c1b2622 100644 --- a/lib/ws.c +++ b/lib/ws.c @@ -172,10 +172,9 @@ CURLcode Curl_ws_accept(struct Curl_easy *data) /* remove the spent bytes from the beginning of the buffer as that part has now been delivered to the application */ -static void ws_decode_clear(struct Curl_easy *data) +static void ws_decode_shift(struct Curl_easy *data, size_t spent) { struct websocket *wsp = &data->req.p.http->ws; - size_t spent = wsp->usedbuf; size_t len = Curl_dyn_len(&wsp->buf); size_t keep = len - spent; DEBUGASSERT(len >= spent); @@ -198,42 +197,27 @@ static void ws_decode_clear(struct Curl_easy *data) */ static CURLcode ws_decode(struct Curl_easy *data, - unsigned char *wpkt, size_t ilen, - unsigned char **out, size_t *olen, + unsigned char *inbuf, size_t inlen, + size_t *headlen, size_t *olen, curl_off_t *oleft, - bool *more, unsigned int *flags) { bool fin; unsigned char opcode; curl_off_t total; size_t dataindex = 2; - curl_off_t plen; /* size of data in the buffer */ curl_off_t payloadsize; - struct websocket *wsp = &data->req.p.http->ws; - unsigned char *p; - CURLcode result; - *olen = 0; + *olen = *headlen = 0; - /* add the incoming bytes, if any */ - if(wpkt) { - result = Curl_dyn_addn(&wsp->buf, wpkt, ilen); - if(result) - return result; - } - - plen = Curl_dyn_len(&wsp->buf); - if(plen < 2) { + if(inlen < 2) { /* the smallest possible frame is two bytes */ - infof(data, "WS: plen == %u, EAGAIN", (int)plen); + infof(data, "WS: plen == %u, EAGAIN", (int)inlen); return CURLE_AGAIN; } - p = Curl_dyn_uptr(&wsp->buf); - - fin = p[0] & WSBIT_FIN; - opcode = p[0] & WSBIT_OPCODE_MASK; + fin = inbuf[0] & WSBIT_FIN; + opcode = inbuf[0] & WSBIT_OPCODE_MASK; infof(data, "WS:%d received FIN bit %u", __LINE__, (int)fin); *flags = 0; switch(opcode) { @@ -264,62 +248,56 @@ static CURLcode ws_decode(struct Curl_easy *data, break; } - if(p[1] & WSBIT_MASK) { + if(inbuf[1] & WSBIT_MASK) { /* A client MUST close a connection if it detects a masked frame. */ failf(data, "WS: masked input frame"); return CURLE_RECV_ERROR; } - payloadsize = p[1]; + payloadsize = inbuf[1]; if(payloadsize == 126) { - if(plen < 4) { - infof(data, "WS:%d plen == %u, EAGAIN", __LINE__, (int)plen); + if(inlen < 4) { + infof(data, "WS:%d plen == %u, EAGAIN", __LINE__, (int)inlen); return CURLE_AGAIN; /* not enough data available */ } - payloadsize = (p[2] << 8) | p[3]; + payloadsize = (inbuf[2] << 8) | inbuf[3]; dataindex += 2; } else if(payloadsize == 127) { /* 64 bit payload size */ - if(plen < 10) + if(inlen < 10) return CURLE_AGAIN; - if(p[2] & 80) { + if(inbuf[2] & 80) { failf(data, "WS: too large frame"); return CURLE_RECV_ERROR; } dataindex += 8; - payloadsize = ((curl_off_t)p[2] << 56) | - (curl_off_t)p[3] << 48 | - (curl_off_t)p[4] << 40 | - (curl_off_t)p[5] << 32 | - (curl_off_t)p[6] << 24 | - (curl_off_t)p[7] << 16 | - (curl_off_t)p[8] << 8 | - p[9]; + payloadsize = ((curl_off_t)inbuf[2] << 56) | + (curl_off_t)inbuf[3] << 48 | + (curl_off_t)inbuf[4] << 40 | + (curl_off_t)inbuf[5] << 32 | + (curl_off_t)inbuf[6] << 24 | + (curl_off_t)inbuf[7] << 16 | + (curl_off_t)inbuf[8] << 8 | + inbuf[9]; } + /* point to the payload */ + *headlen = dataindex; total = dataindex + payloadsize; - if(total > plen) { - /* deliver a partial frame */ - *oleft = total - dataindex; + if(total > (curl_off_t)inlen) { + /* buffer contains partial frame */ + *olen = inlen - dataindex; /* bytes to write out */ + *oleft = total - inlen; /* bytes yet to come (for this frame) */ payloadsize = total - dataindex; } else { - *oleft = 0; - if(plen > total) - /* there is another fragment after */ - *more = TRUE; + /* we have the complete frame (`total` bytes) in buffer */ + *olen = payloadsize; /* bytes to write out */ + *oleft = 0; /* bytes yet to come (for this frame) */ } - /* point to the payload */ - *out = &p[dataindex]; - - /* return the payload length */ - *olen = payloadsize; - - /* number of bytes "used" from the buffer */ - wsp->usedbuf = dataindex + payloadsize; - infof(data, "WS: received %zu bytes payload (%zu left)", - payloadsize, *oleft); + infof(data, "WS: received %zu bytes payload (%zu left, buflen was %zu)", + payloadsize, *oleft, inlen); return CURLE_OK; } @@ -332,76 +310,83 @@ size_t Curl_ws_writecb(char *buffer, size_t size /* 1 */, { struct HTTP *ws = (struct HTTP *)userp; struct Curl_easy *data = ws->ws.data; + struct websocket *wsp = &data->req.p.http->ws; void *writebody_ptr = data->set.out; if(data->set.ws_raw_mode) return data->set.fwrite_func(buffer, size, nitems, writebody_ptr); else if(nitems) { - unsigned char *frame = NULL; - size_t flen = 0; - size_t wrote = 0; + size_t wrote = 0, headlen; CURLcode result; - bool more; /* there's is more to parse in the buffer */ - curl_off_t oleft; - - decode: - more = FALSE; - oleft = ws->ws.frame.bytesleft; - if(!oleft) { - unsigned int recvflags; - result = ws_decode(data, (unsigned char *)buffer, nitems, - &frame, &flen, &oleft, &more, &recvflags); - if(result == CURLE_AGAIN) - /* insufficient amount of data, keep it for later */ - return nitems; - else if(result) { - infof(data, "WS: decode error %d", (int)result); + + if(buffer) { + result = Curl_dyn_addn(&wsp->buf, buffer, nitems); + if(result) { + infof(data, "WS: error adding data to buffer %d", (int)result); return nitems - 1; } - /* Store details about the frame to be reachable with curl_ws_meta() - from within the write callback */ - ws->ws.frame.age = 0; - ws->ws.frame.offset = 0; - ws->ws.frame.flags = recvflags; - ws->ws.frame.bytesleft = oleft; + buffer = NULL; } - else { - if(nitems > (size_t)ws->ws.frame.bytesleft) { - nitems = ws->ws.frame.bytesleft; - more = TRUE; + + while(Curl_dyn_len(&wsp->buf)) { + unsigned char *wsbuf = Curl_dyn_uptr(&wsp->buf); + size_t buflen = Curl_dyn_len(&wsp->buf); + size_t write_len = 0; + size_t consumed = 0; + + if(!ws->ws.frame.bytesleft) { + unsigned int recvflags; + curl_off_t fb_left; + + result = ws_decode(data, wsbuf, buflen, + &headlen, &write_len, &fb_left, &recvflags); + consumed += headlen; + wsbuf += headlen; + buflen -= headlen; + if(result == CURLE_AGAIN) + /* insufficient amount of data, keep it for later. + * we pretend to have written all since we have a copy */ + return nitems; + else if(result) { + infof(data, "WS: decode error %d", (int)result); + return nitems - 1; + } + /* New frame. store details about the frame to be reachable with + curl_ws_meta() from within the write callback */ + ws->ws.frame.age = 0; + ws->ws.frame.offset = 0; + ws->ws.frame.flags = recvflags; + ws->ws.frame.bytesleft = fb_left; } - else - more = FALSE; - ws->ws.frame.offset += nitems; - ws->ws.frame.bytesleft -= nitems; - frame = (unsigned char *)buffer; - flen = nitems; - } - if((ws->ws.frame.flags & CURLWS_PING) && !oleft) { - /* auto-respond to PINGs, only works for single-frame payloads atm */ - size_t bytes; - infof(data, "WS: auto-respond to PING with a PONG"); - DEBUGASSERT(frame); - /* send back the exact same content as a PONG */ - result = curl_ws_send(data, frame, flen, &bytes, 0, CURLWS_PONG); - if(result) - return result; - } - else { - /* deliver the decoded frame to the user callback */ - Curl_set_in_callback(data, true); - wrote = data->set.fwrite_func((char *)frame, 1, flen, writebody_ptr); - Curl_set_in_callback(data, false); - if(wrote != flen) - return 0; - } - if(oleft) - ws->ws.frame.offset += flen; - /* the websocket frame has been delivered */ - ws_decode_clear(data); - if(more) { - /* there's more websocket data to deal with in the buffer */ - buffer = NULL; /* the buffer as been drained already */ - goto decode; + else { + /* continuing frame */ + write_len = (size_t)ws->ws.frame.bytesleft; + if(write_len > buflen) + write_len = buflen; + ws->ws.frame.offset += write_len; + ws->ws.frame.bytesleft -= write_len; + } + if((ws->ws.frame.flags & CURLWS_PING) && !ws->ws.frame.bytesleft) { + /* auto-respond to PINGs, only works for single-frame payloads atm */ + size_t bytes; + infof(data, "WS: auto-respond to PING with a PONG"); + /* send back the exact same content as a PONG */ + result = curl_ws_send(data, wsbuf, write_len, + &bytes, 0, CURLWS_PONG); + if(result) + return result; + } + else if(write_len || !wsp->frame.bytesleft) { + /* deliver the decoded frame to the user callback */ + Curl_set_in_callback(data, true); + wrote = data->set.fwrite_func((char *)wsbuf, 1, + write_len, writebody_ptr); + Curl_set_in_callback(data, false); + if(wrote != write_len) + return 0; + } + /* get rid of the buffered data consumed */ + consumed += write_len; + ws_decode_shift(data, consumed); } } return nitems; @@ -412,9 +397,9 @@ CURL_EXTERN CURLcode curl_ws_recv(struct Curl_easy *data, void *buffer, size_t buflen, size_t *nread, struct curl_ws_frame **metap) { - size_t bytes; CURLcode result; struct websocket *wsp = &data->req.p.http->ws; + bool done = FALSE; /* not filled passed buffer yet */ *nread = 0; *metap = NULL; @@ -423,84 +408,81 @@ CURL_EXTERN CURLcode curl_ws_recv(struct Curl_easy *data, void *buffer, if(result) return result; - do { - bool drain = FALSE; /* if there is pending buffered data to drain */ - char *inbuf = data->state.buffer; - bytes = wsp->stillbuffer; - if(!bytes) { + while(!done) { + size_t write_len; + unsigned int recvflags; + + if(!wsp->stillblen) { + /* try to get more data */ + size_t n; result = curl_easy_recv(data, data->state.buffer, - data->set.buffer_size, &bytes); + data->set.buffer_size, &n); if(result) return result; + if(!n) + /* connection closed */ + return CURLE_GOT_NOTHING; + wsp->stillb = data->state.buffer; + wsp->stillblen = n; + } + + infof(data, "WS: got %u websocket bytes to decode", + (int)wsp->stillblen); + if(!wsp->frame.bytesleft) { + size_t headlen; + curl_off_t oleft; + /* detect new frame */ + result = ws_decode(data, (unsigned char *)wsp->stillb, wsp->stillblen, + &headlen, &write_len, &oleft, &recvflags); + if(result == CURLE_AGAIN) + /* a packet fragment only */ + break; + else if(result) + return result; + wsp->stillb += headlen; + wsp->stillblen -= headlen; + wsp->frame.offset = 0; + wsp->frame.bytesleft = oleft; + wsp->frame.flags = recvflags; } else { - /* the pending bytes can be found here */ - inbuf = wsp->stillb; - drain = TRUE; + /* existing frame, remaining payload handling */ + write_len = wsp->frame.bytesleft; + if(write_len > wsp->stillblen) + write_len = wsp->stillblen; } - if(bytes) { - unsigned char *out; - size_t olen; - bool more; - unsigned int recvflags; - curl_off_t oleft = wsp->frame.bytesleft; - - infof(data, "WS: got %u websocket bytes to decode", (int)bytes); - if(!oleft && !drain) { - result = ws_decode(data, (unsigned char *)inbuf, bytes, - &out, &olen, &oleft, &more, &recvflags); - if(result == CURLE_AGAIN) - /* a packet fragment only */ - break; - else if(result) - return result; - wsp->frame.offset = 0; - wsp->frame.bytesleft = oleft; - wsp->frame.flags = recvflags; - } - else { - olen = oleft; - out = (unsigned char *)wsp->stillb; - recvflags = wsp->frame.flags; - if((curl_off_t)buflen < oleft) - /* there is still data left after this */ - wsp->frame.bytesleft -= buflen; - else - wsp->frame.bytesleft = 0; - } - /* auto-respond to PINGs */ - if((recvflags & CURLWS_PING) && !oleft) { - infof(data, "WS: auto-respond to PING with a PONG"); - /* send back the exact same content as a PONG */ - result = curl_ws_send(data, out, olen, &bytes, 0, CURLWS_PONG); - if(result) - return result; - } - else { - if(olen < buflen) { - /* copy the payload to the user buffer */ - memcpy(buffer, out, olen); - *nread = olen; - if(!oleft) - /* websocket frame has been delivered */ - ws_decode_clear(data); - } - else { - /* copy a partial payload */ - memcpy(buffer, out, buflen); - *nread = buflen; - /* remember what is left and where */ - wsp->stillbuffer = olen - buflen; - wsp->stillb = (char *)buffer + buflen; - } - wsp->frame.offset += *nread; - } + /* auto-respond to PINGs */ + if((wsp->frame.flags & CURLWS_PING) && !wsp->frame.bytesleft) { + infof(data, "WS: auto-respond to PING with a PONG"); + /* send back the exact same content as a PONG */ + result = curl_ws_send(data, wsp->stillb, write_len, + &write_len, 0, CURLWS_PONG); + if(result) + return result; } - else - *nread = bytes; - break; - } while(1); + else if(write_len || !wsp->frame.bytesleft) { + if(write_len > buflen) + write_len = buflen; + /* copy the payload to the user buffer */ + memcpy(buffer, wsp->stillb, write_len); + *nread = write_len; + done = TRUE; + } + if(write_len) { + /* update buffer and frame info */ + wsp->frame.offset += write_len; + DEBUGASSERT(wsp->frame.bytesleft >= (curl_off_t)write_len); + if(wsp->frame.bytesleft) + wsp->frame.bytesleft -= write_len; + DEBUGASSERT(write_len <= wsp->stillblen); + wsp->stillblen -= write_len; + if(wsp->stillblen) + wsp->stillb += write_len; + else + wsp->stillb = NULL; + } + } *metap = &wsp->frame; return CURLE_OK; } @@ -649,9 +631,14 @@ CURL_EXTERN CURLcode curl_ws_send(struct Curl_easy *data, const void *buffer, return CURLE_OK; /* raw mode sends exactly what was requested, and this is from within the write callback */ - if(Curl_is_in_callback(data)) + if(Curl_is_in_callback(data)) { + if(!data->conn) { + failf(data, "No associated connection"); + return CURLE_SEND_ERROR; + } result = Curl_write(data, data->conn->writesockfd, buffer, buflen, &written); + } else result = Curl_senddata(data, buffer, buflen, &written); @@ -732,7 +719,7 @@ CURL_EXTERN CURLcode curl_ws_recv(CURL *curl, void *buffer, size_t buflen, (void)buflen; (void)nread; (void)metap; - return CURLE_OK; + return CURLE_NOT_BUILT_IN; } CURL_EXTERN CURLcode curl_ws_send(CURL *curl, const void *buffer, @@ -746,7 +733,7 @@ CURL_EXTERN CURLcode curl_ws_send(CURL *curl, const void *buffer, (void)sent; (void)framesize; (void)sendflags; - return CURLE_OK; + return CURLE_NOT_BUILT_IN; } CURL_EXTERN struct curl_ws_frame *curl_ws_meta(struct Curl_easy *data) diff --git a/lib/ws.h b/lib/ws.h index 341242e..2f3ed2d 100644 --- a/lib/ws.h +++ b/lib/ws.h @@ -48,9 +48,9 @@ struct websocket { struct curl_ws_frame frame; /* the struct used for frame state */ curl_off_t oleft; /* outstanding number of payload bytes left from the server */ - curl_off_t stillbuffer; /* number of bytes left in the buffer to deliver in - the next curl_ws_recv() call */ - char *stillb; /* the stillbuffer pending bytes are here */ + size_t stillblen; /* number of bytes left in the buffer to deliver in + the next curl_ws_recv() call */ + char *stillb; /* the stillblen pending bytes are here */ curl_off_t sleft; /* outstanding number of payload bytes left to send */ unsigned int xori; /* xor index */ }; -- cgit v0.12