mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2024-12-27 06:59:43 +08:00
Code Issues Packages Projects Releases Wiki Activity
3210101088
curl/lib/vtls/vtls.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

260 lines
9.6 KiB
C
Raw Normal View History

vtls: renamed sslgen.[ch] to vtls.[ch]
2013-12-18 06:32:47 +08:00
#ifndef HEADER_CURL_VTLS_H
#define HEADER_CURL_VTLS_H
GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls
2005-04-07 23:27:13 +08:00
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205
2023-01-02 20:51:48 +08:00
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls
2005-04-07 23:27:13 +08:00
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
curl.se: new home Closes #6172
2020-11-04 21:02:01 +08:00
* are also available at https://curl.se/docs/copyright.html.
GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls
2005-04-07 23:27:13 +08:00
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
vtls: fix ssl session cache race condition Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01 15:30:03 +08:00
* SPDX-License-Identifier: curl
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
2022-05-17 17:16:50 +08:00
*
GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls
2005-04-07 23:27:13 +08:00
***************************************************************************/
build: fix circular header inclusion with other packages This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-07 02:06:49 +08:00
#include "curl_setup.h"
GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls
2005-04-07 23:27:13 +08:00
vtls: introduce a new struct for SSL backends This new struct is similar in nature to Curl_handler: it will define the functions and capabilities of all the SSL backends (where Curl_handler defines the functions and capabilities of protocol handlers). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-06-22 22:36:03 +08:00
struct connectdata;
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data this selects the propert subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (und session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain paramter. Closes #9919
2022-11-22 16:55:41 +08:00
struct ssl_config_data;
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and accept - socks: cfilter for socks proxying - http_proxy: cfilter for http proxy tunneling - vtls: cfilters for primary and proxy ssl - change in general handling of data/conn - Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup - Curl_cfilter_connect() boot straps filters into `connected` status, used by handlers and multi to reach further stages - Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work - Curl_cfilter_data_pending() asks filters if the have incoming data pending for recv - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters and addition/removal of a `data` from their connection - adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code. Reviewed-by: Daniel Stenberg Closes #9855
2022-11-11 18:45:34 +08:00
struct ssl_primary_config;
struct Curl_ssl_session;
vtls: introduce a new struct for SSL backends This new struct is similar in nature to Curl_handler: it will define the functions and capabilities of all the SSL backends (where Curl_handler defines the functions and capabilities of protocol handlers). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-06-22 22:36:03 +08:00
vtls: use unified "supports" bitfield member in backends ... instead of previous separate struct fields, to make it easier to extend and change individual backends without having to modify them all. closes #2547
2018-05-04 18:10:39 +08:00
#define SSLSUPP_CA_PATH (1<<0) /* supports CAPATH */
#define SSLSUPP_CERTINFO (1<<1) /* supports CURLOPT_CERTINFO */
#define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
#define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */
#define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */
setopt: add TLS 1.3 ciphersuites Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. curl: added --tls13-ciphers and --proxy-tls13-ciphers Fixes #2435 Reported-by: zzq1015 on github Closes #2607
2018-05-29 22:12:52 +08:00
#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
SSL: support in-memory CA certs for some backends - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to specify in-memory PEM certificates for OpenSSL, Schannel (Windows) and Secure Transport (Apple) SSL backends. Prior to this change PEM certificates could only be imported from a file and not from memory. Co-authored-by: moparisthebest@users.noreply.github.com Ref: https://github.com/curl/curl/pull/4679 Ref: https://github.com/curl/curl/pull/5677 Ref: https://github.com/curl/curl/pull/6109 Closes https://github.com/curl/curl/pull/6662
2020-07-13 09:17:56 +08:00
#define SSLSUPP_CAINFO_BLOB (1<<6)
vtls: use unified "supports" bitfield member in backends ... instead of previous separate struct fields, to make it easier to extend and change individual backends without having to modify them all. closes #2547
2018-05-04 18:10:39 +08:00
vtls: use a generic "ALPN, server accepted" message Closes #8657
2022-03-31 20:21:01 +08:00
#define ALPN_ACCEPTED "ALPN: server accepted "
vtls: provide a unified APLN-disagree string for all backends Also rephrase to make it sound less dangerous: "ALPN: server did not agree on a protocol. Uses default." Reported-by: Nick Coghlan Fixes #8643 Closes #8651
2022-03-30 17:02:57 +08:00
#define VTLS_INFOF_NO_ALPN \
"ALPN: server did not agree on a protocol. Uses default."
vtls: use a backend standard message for "ALPN: offers %s" I call it VTLS_INFOF_ALPN_OFFER_1STR, the '1str' meaning that the infof() call also needs a string argument: the ALPN ID. Closes #8657
2022-03-31 20:20:55 +08:00
#define VTLS_INFOF_ALPN_OFFER_1STR \
vtls: clarify "ALPN: offers" message Before: * ALPN: offers h2,http/1.1 After: * ALPN: curl offers h2,http/1.1 Bug: https://curl.se/mail/lib-2023-07/0041.html Reported-by: Richard W.M. Jones Closes #11544
2023-07-30 10:46:40 +08:00
"ALPN: curl offers %s"
vtls: use a generic "ALPN, server accepted" message Closes #8657
2022-03-31 20:21:01 +08:00
#define VTLS_INFOF_ALPN_ACCEPTED_1STR \
ALPN_ACCEPTED "%s"
#define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR \
ALPN_ACCEPTED "%.*s"
vtls: provide a unified APLN-disagree string for all backends Also rephrase to make it sound less dangerous: "ALPN: server did not agree on a protocol. Uses default." Reported-by: Nick Coghlan Fixes #8643 Closes #8651
2022-03-30 17:02:57 +08:00
openssl: reduce CA certificate bundle reparsing by caching Closes #9620
2022-09-28 22:51:44 +08:00
/* Curl_multi SSL backend-specific data; declared differently by each SSL
backend */
struct multi_ssl_backend_data;
lib: connect/h2/h3 refactor Refactoring of connection setup and happy eyeballing. Move nghttp2. ngtcp2, quiche and msh3 into connection filters. - eyeballing cfilter that uses sub-filters for performing parallel connects - socket cfilter for all transport types, including QUIC - QUIC implementations in cfilter, can now participate in eyeballing - connection setup is more dynamic in order to adapt to what filter did really connect. Relevant to see if a SSL filter needs to be added or if SSL has already been provided - HTTP/3 test cases similar to HTTP/2 - multiuse of parallel transfers for HTTP/3, tested for ngtcp2 and quiche - Fix for data attach/detach in VTLS filters that could lead to crashes during parallel transfers. - Eliminating setup() methods in cfilters, no longer needed. - Improving Curl_conn_is_alive() to replace Curl_connalive() and integrated ssl alive checks into cfilter. - Adding CF_CNTRL_CONN_INFO_UPDATE to tell filters to update connection into and persist it at the easy handle. - Several more cfilter related cleanups and moves: - stream_weigth and dependency info is now wrapped in struct Curl_data_priority - Curl_data_priority members depend is available in HTTP2|HTTP3 - Curl_data_priority members depend on NGHTTP2 support - handling init/reset/cleanup of priority part of url.c - data->state.priority same struct, but shallow copy for compares only - PROTOPT_STREAM has been removed - Curl_conn_is_mulitplex() now available to check on capability - Adding query method to connection filters. - ngtcp2+quiche: implementing query for max concurrent transfers. - Adding is_alive and keep_alive cfilter methods. Adding DATA_SETUP event. - setting keepalive timestamp on connect - DATA_SETUP is called after the connection has been completely setup (but may not connected yet) to allow filters to initialize data members they use. - there is no socket to be had with msh3, it is unclear how select shall work - manual test via "curl --http3 https://curl.se" fail with "empty reply from server". - Various socket/conn related cleanups: - Curl_socket is now Curl_socket_open and in cf-socket.c - Curl_closesocket is now Curl_socket_close and in cf-socket.c - Curl_ssl_use has been replaced with Cur_conn_is_ssl - Curl_conn_tcp_accepted_set has been split into Curl_conn_tcp_listen_set and Curl_conn_tcp_accepted_set with a clearer purpose Closes #10141
2022-12-30 16:14:55 +08:00
struct Curl_cfilter;
openssl: reduce CA certificate bundle reparsing by caching Closes #9620
2022-09-28 22:51:44 +08:00
vtls: make curl_global_sslset thread-safe .. and update some docs to explain curl_global_* is now thread-safe. Follow-up to 23af112 which made curl_global_init/cleanup thread-safe. Closes https://github.com/curl/curl/pull/9016
2022-06-15 14:20:49 +08:00
CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
const curl_ssl_backend ***avail);
SSL: Add PEM format support for public key pinning
2014-11-25 02:30:09 +08:00
#ifndef MAX_PINNED_PUBKEY_SIZE
#define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */
#endif
vtls: switch to CURL_SHA256_DIGEST_LENGTH define ... instead of the prefix-less version since WolfSSL 3.12 now uses an enum with that name that causes build failures for us. Fixes #1865 Closes #1867 Reported-by: Gisle Vanem
2017-09-06 15:32:02 +08:00
#ifndef CURL_SHA256_DIGEST_LENGTH
#define CURL_SHA256_DIGEST_LENGTH 32 /* fixed size */
SSL: Pinned public key hash support
2015-07-01 08:23:54 +08:00
#endif
vtls: make Curl_ssl_backend() return the enum type curl_sslbackend To fix the icc warning enumerated type mixed with another type Closes #9179
2022-07-20 16:58:16 +08:00
curl_sslbackend Curl_ssl_backend(void);
ssl: provide Curl_ssl_backend even if no SSL library is available
2014-08-03 16:40:36 +08:00
vtls: cleanup SSL config management - remove `Curl_ssl_get_config()`, no longer needed Closes #12204
2023-10-26 17:27:42 +08:00
/**
* Init ssl config for a new easy handle.
*/
void Curl_ssl_easy_config_init(struct Curl_easy *data);
vtls: late clone of connection ssl config - perform connection cache matching against `data->set.ssl.primary` and proxy counterpart - fully clone connection ssl config only when connection is used Closes #12237
2023-10-31 22:25:08 +08:00
/**
* Init the `data->set.ssl` and `data->set.proxy_ssl` for
* connection matching use.
*/
CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data);
vtls: cleanup SSL config management - remove `Curl_ssl_get_config()`, no longer needed Closes #12204
2023-10-26 17:27:42 +08:00
/**
* Init SSL configs (main + proxy) for a new connection from the easy handle.
*/
CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
struct connectdata *conn);
/**
* Free allocated resources in SSL configs (main + proxy) for
* the given connection.
*/
void Curl_ssl_conn_config_cleanup(struct connectdata *conn);
/**
* Return TRUE iff SSL configuration from `conn` is functionally the
* same as the one on `candidate`.
* @param proxy match the proxy SSL config or the main one
*/
bool Curl_ssl_conn_config_match(struct Curl_easy *data,
struct connectdata *candidate,
bool proxy);
/* Update certain connection SSL config flags after they have
* been changed on the easy handle. Will work for `verifypeer`,
* `verifyhost` and `verifystatus`. */
void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy);
vtls/vquic, keep peer name information together - add `struct ssl_peer` to keep hostname, dispname and sni for a filter - allocate `sni` for use in VTLS backend - eliminate `Curl_ssl_snihost()` and its use of the download buffer - use ssl_peer in SSL and QUIC filters Closes #12349
2023-11-17 22:26:08 +08:00
/**
* Init SSL peer information for filter. Can be called repeatedly.
*/
tls: use shared init code for TCP+QUIC Closes #13172
2024-03-22 20:07:25 +08:00
CURLcode Curl_ssl_peer_init(struct ssl_peer *peer,
struct Curl_cfilter *cf, int transport);
vtls/vquic, keep peer name information together - add `struct ssl_peer` to keep hostname, dispname and sni for a filter - allocate `sni` for use in VTLS backend - eliminate `Curl_ssl_snihost()` and its use of the download buffer - use ssl_peer in SSL and QUIC filters Closes #12349
2023-11-17 22:26:08 +08:00
/**
* Free all allocated data and reset peer information.
*/
void Curl_ssl_peer_cleanup(struct ssl_peer *peer);
- I did a cleanup of the internal generic SSL layer and how the various SSL libraries are supported. Starting now, each underlying SSL library support code does a set of defines for the 16 functions the generic layer (sslgen.c) uses (all these new function defines use the prefix "curlssl_"). This greatly simplified the generic layer in readability by involving much less #ifdefs and other preprocessor stuff and should make it easier for people to make libcurl work with new SSL libraries. Hopefully I can later on document these 16 functions somewhat as well. I also made most of the internal SSL-dependent functions (using Curl_ssl_ prefix) #defined to nothing when no SSL support is requested - previously they would unnecessarily call mostly empty functions.
2008-06-12 01:01:58 +08:00
#ifdef USE_SSL
GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls
2005-04-07 23:27:13 +08:00
int Curl_ssl_init(void);
void Curl_ssl_cleanup(void);
/* tell the SSL stuff to close down all open information regarding
connections (and thus session ID caching etc) */
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
void Curl_ssl_close_all(struct Curl_easy *data);
CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine);
GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls
2005-04-07 23:27:13 +08:00
/* Sets engine as default for all SSL operations */
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data);
struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data);
refactorize interface of Curl_ssl_recv/Curl_ssl_send
2010-04-05 05:37:18 +08:00
GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls
2005-04-07 23:27:13 +08:00
/* init the SSL session ID cache */
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
CURLcode Curl_ssl_initsessions(struct Curl_easy *, size_t);
version: turn version number functions into returning void ... as we never use the return codes from them. Reviewed-by: Daniel Gustafsson Closes #7319
2021-06-30 17:09:55 +08:00
void Curl_ssl_version(char *buffer, size_t size);
ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL
2013-07-15 23:26:59 +08:00
/* Certificate information list handling. */
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
void Curl_ssl_free_certinfo(struct Curl_easy *data);
checksrc: code style: use 'char *name' style
2016-11-23 14:53:24 +08:00
CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num);
CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data, int certnum,
const char *label, const char *value,
ssluse.c,sslgen.c,sslgen.h: move certinfo support to generic SSL
2013-07-15 23:26:59 +08:00
size_t valuelen);
checksrc: code style: use 'char *name' style
2016-11-23 14:53:24 +08:00
CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum,
const char *label, const char *value);
A few prototypes shouldn't be defined if SSL is disabled.
2008-10-21 07:07:48 +08:00
/* Functions to be used by SSL library adaptation functions */
vtls: fix ssl session cache race condition Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01 15:30:03 +08:00
/* Lock session cache mutex.
* Call this before calling other Curl_ssl_*session* functions
* Caller should unlock this mutex as soon as possible, as it may block
* other SSL connection from making progress.
* The purpose of explicitly locking SSL session cache data is to allow
* individual SSL engines to manage session lifetime in their specific way.
*/
vtls: reduce conn->data use Closes #6474
2021-01-14 00:01:31 +08:00
void Curl_ssl_sessionid_lock(struct Curl_easy *data);
vtls: fix ssl session cache race condition Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01 15:30:03 +08:00
/* Unlock session cache mutex */
vtls: reduce conn->data use Closes #6474
2021-01-14 00:01:31 +08:00
void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
vtls: fix ssl session cache race condition Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01 15:30:03 +08:00
/* Kill a single session ID entry in the cache
* Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
* This will call engine-specific curlssl_session_free function, which must
* take sessionid object ownership from sessionid cache
* (e.g. decrement refcount).
*/
vtls: make it 'struct Curl_ssl_session' Use uppercase C for internal symbols. Closes #5906
2020-09-02 18:17:49 +08:00
void Curl_ssl_kill_session(struct Curl_ssl_session *session);
vtls: fix ssl session cache race condition Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01 15:30:03 +08:00
/* delete a session from the cache
* Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
* This will call engine-specific curlssl_session_free function, which must
* take sessionid object ownership from sessionid cache
* (e.g. decrement refcount).
*/
vtls: reduce conn->data use Closes #6474
2021-01-14 00:01:31 +08:00
void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid);
A few prototypes shouldn't be defined if SSL is disabled.
2008-10-21 07:07:48 +08:00
Curl_rand: fixed and moved to rand.c Now Curl_rand() is made to fail if it cannot get the necessary random level. Changed the proto of Curl_rand() slightly to provide a number of ints at once. Moved out from vtls, since it isn't a TLS function and vtls provides Curl_ssl_random() for this to use. Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
2016-11-11 21:53:36 +08:00
/* get N random bytes into the buffer */
CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer,
size_t length);
Factorize pinned public key code into generic file handling and backend specific
2014-10-14 00:34:51 +08:00
/* Check pinned public key. */
internals: rename the SessionHandle struct to Curl_easy
2016-06-21 21:47:12 +08:00
CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
ssl: add server cert's "sha256//" hash to verbose Add a "pinnedpubkey" section to the "Server Certificate" verbose Bug: https://github.com/bagder/curl/issues/410 Reported-by: W. Mark Kubacki Closes #430 Closes #410
2015-09-13 05:35:12 +08:00
const char *pinnedpubkey,
Factorize pinned public key code into generic file handling and backend specific
2014-10-14 00:34:51 +08:00
const unsigned char *pubkey, size_t pubkeylen);
SSL cleanup: use crypto functions through the sslgen layer curl_ntlm_msgs.c would previously use an #ifdef maze and direct SSL-library calls instead of using the SSL layer we have for this purpose.
2012-06-26 20:52:46 +08:00
url: add CURLOPT_SSL_VERIFYSTATUS option This option can be used to enable/disable certificate status verification using the "Certificate Status Request" TLS extension defined in RFC6066 section 8. This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the certificate status verification fails, and the Curl_ssl_cert_status_request() function, used to check whether the SSL backend supports the status_request extension.
2014-06-16 19:20:47 +08:00
bool Curl_ssl_cert_status_request(void);
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and accept - socks: cfilter for socks proxying - http_proxy: cfilter for http proxy tunneling - vtls: cfilters for primary and proxy ssl - change in general handling of data/conn - Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup - Curl_cfilter_connect() boot straps filters into `connected` status, used by handlers and multi to reach further stages - Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work - Curl_cfilter_data_pending() asks filters if the have incoming data pending for recv - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters and addition/removal of a `data` from their connection - adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code. Reviewed-by: Daniel Stenberg Closes #9855
2022-11-11 18:45:34 +08:00
bool Curl_ssl_false_start(struct Curl_easy *data);
openssl: associate/detach the transfer from connection CVE-2021-22901 Bug: https://curl.se/docs/CVE-2021-22901.html
2021-05-05 19:42:26 +08:00
openssl: reduce CA certificate bundle reparsing by caching Closes #9620
2022-09-28 22:51:44 +08:00
void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend);
A few prototypes shouldn't be defined if SSL is disabled.
2008-10-21 07:07:48 +08:00
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data this selects the propert subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (und session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain paramter. Closes #9919
2022-11-22 16:55:41 +08:00
CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
cfilter: re-add `conn` as parameter to cfilter setup methods - `Curl_ssl_get_config()` now returns the first config if no SSL proxy filter is active - socket filter starts connection only on first invocation of its connect method Fixes #9982 Closes #9983
2022-11-26 19:43:56 +08:00
struct connectdata *conn,
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and accept - socks: cfilter for socks proxying - http_proxy: cfilter for http proxy tunneling - vtls: cfilters for primary and proxy ssl - change in general handling of data/conn - Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup - Curl_cfilter_connect() boot straps filters into `connected` status, used by handlers and multi to reach further stages - Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work - Curl_cfilter_data_pending() asks filters if the have incoming data pending for recv - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters and addition/removal of a `data` from their connection - adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code. Reviewed-by: Daniel Stenberg Closes #9855
2022-11-11 18:45:34 +08:00
int sockindex);
lib: connect/h2/h3 refactor Refactoring of connection setup and happy eyeballing. Move nghttp2. ngtcp2, quiche and msh3 into connection filters. - eyeballing cfilter that uses sub-filters for performing parallel connects - socket cfilter for all transport types, including QUIC - QUIC implementations in cfilter, can now participate in eyeballing - connection setup is more dynamic in order to adapt to what filter did really connect. Relevant to see if a SSL filter needs to be added or if SSL has already been provided - HTTP/3 test cases similar to HTTP/2 - multiuse of parallel transfers for HTTP/3, tested for ngtcp2 and quiche - Fix for data attach/detach in VTLS filters that could lead to crashes during parallel transfers. - Eliminating setup() methods in cfilters, no longer needed. - Improving Curl_conn_is_alive() to replace Curl_connalive() and integrated ssl alive checks into cfilter. - Adding CF_CNTRL_CONN_INFO_UPDATE to tell filters to update connection into and persist it at the easy handle. - Several more cfilter related cleanups and moves: - stream_weigth and dependency info is now wrapped in struct Curl_data_priority - Curl_data_priority members depend is available in HTTP2|HTTP3 - Curl_data_priority members depend on NGHTTP2 support - handling init/reset/cleanup of priority part of url.c - data->state.priority same struct, but shallow copy for compares only - PROTOPT_STREAM has been removed - Curl_conn_is_mulitplex() now available to check on capability - Adding query method to connection filters. - ngtcp2+quiche: implementing query for max concurrent transfers. - Adding is_alive and keep_alive cfilter methods. Adding DATA_SETUP event. - setting keepalive timestamp on connect - DATA_SETUP is called after the connection has been completely setup (but may not connected yet) to allow filters to initialize data members they use. - there is no socket to be had with msh3, it is unclear how select shall work - manual test via "curl --http3 https://curl.se" fail with "empty reply from server". - Various socket/conn related cleanups: - Curl_socket is now Curl_socket_open and in cf-socket.c - Curl_closesocket is now Curl_socket_close and in cf-socket.c - Curl_ssl_use has been replaced with Cur_conn_is_ssl - Curl_conn_tcp_accepted_set has been split into Curl_conn_tcp_listen_set and Curl_conn_tcp_accepted_set with a clearer purpose Closes #10141
2022-12-30 16:14:55 +08:00
CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
struct Curl_easy *data);
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data this selects the propert subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (und session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain paramter. Closes #9919
2022-11-22 16:55:41 +08:00
CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
int sockindex);
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and accept - socks: cfilter for socks proxying - http_proxy: cfilter for http proxy tunneling - vtls: cfilters for primary and proxy ssl - change in general handling of data/conn - Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup - Curl_cfilter_connect() boot straps filters into `connected` status, used by handlers and multi to reach further stages - Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work - Curl_cfilter_data_pending() asks filters if the have incoming data pending for recv - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters and addition/removal of a `data` from their connection - adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code. Reviewed-by: Daniel Stenberg Closes #9855
2022-11-11 18:45:34 +08:00
#ifndef CURL_DISABLE_PROXY
lib: connect/h2/h3 refactor Refactoring of connection setup and happy eyeballing. Move nghttp2. ngtcp2, quiche and msh3 into connection filters. - eyeballing cfilter that uses sub-filters for performing parallel connects - socket cfilter for all transport types, including QUIC - QUIC implementations in cfilter, can now participate in eyeballing - connection setup is more dynamic in order to adapt to what filter did really connect. Relevant to see if a SSL filter needs to be added or if SSL has already been provided - HTTP/3 test cases similar to HTTP/2 - multiuse of parallel transfers for HTTP/3, tested for ngtcp2 and quiche - Fix for data attach/detach in VTLS filters that could lead to crashes during parallel transfers. - Eliminating setup() methods in cfilters, no longer needed. - Improving Curl_conn_is_alive() to replace Curl_connalive() and integrated ssl alive checks into cfilter. - Adding CF_CNTRL_CONN_INFO_UPDATE to tell filters to update connection into and persist it at the easy handle. - Several more cfilter related cleanups and moves: - stream_weigth and dependency info is now wrapped in struct Curl_data_priority - Curl_data_priority members depend is available in HTTP2|HTTP3 - Curl_data_priority members depend on NGHTTP2 support - handling init/reset/cleanup of priority part of url.c - data->state.priority same struct, but shallow copy for compares only - PROTOPT_STREAM has been removed - Curl_conn_is_mulitplex() now available to check on capability - Adding query method to connection filters. - ngtcp2+quiche: implementing query for max concurrent transfers. - Adding is_alive and keep_alive cfilter methods. Adding DATA_SETUP event. - setting keepalive timestamp on connect - DATA_SETUP is called after the connection has been completely setup (but may not connected yet) to allow filters to initialize data members they use. - there is no socket to be had with msh3, it is unclear how select shall work - manual test via "curl --http3 https://curl.se" fail with "empty reply from server". - Various socket/conn related cleanups: - Curl_socket is now Curl_socket_open and in cf-socket.c - Curl_closesocket is now Curl_socket_close and in cf-socket.c - Curl_ssl_use has been replaced with Cur_conn_is_ssl - Curl_conn_tcp_accepted_set has been split into Curl_conn_tcp_listen_set and Curl_conn_tcp_accepted_set with a clearer purpose Closes #10141
2022-12-30 16:14:55 +08:00
CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
struct Curl_easy *data);
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and accept - socks: cfilter for socks proxying - http_proxy: cfilter for http proxy tunneling - vtls: cfilters for primary and proxy ssl - change in general handling of data/conn - Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup - Curl_cfilter_connect() boot straps filters into `connected` status, used by handlers and multi to reach further stages - Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work - Curl_cfilter_data_pending() asks filters if the have incoming data pending for recv - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters and addition/removal of a `data` from their connection - adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code. Reviewed-by: Daniel Stenberg Closes #9855
2022-11-11 18:45:34 +08:00
#endif /* !CURL_DISABLE_PROXY */
/**
* True iff the underlying SSL implementation supports the option.
* Option is one of the defined SSLSUPP_* values.
* `data` maybe NULL for the features of the default implementation.
*/
bool Curl_ssl_supports(struct Curl_easy *data, int ssl_option);
/**
* Get the internal ssl instance (like OpenSSL's SSL*) from the filter
* chain at `sockindex` of type specified by `info`.
* For `n` == 0, the first active (top down) instance is returned.
* 1 gives the second active, etc.
* NULL is returned when no active SSL filter is present.
*/
void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
CURLINFO info, int n);
vtls: cleanup SSL config management - remove `Curl_ssl_get_config()`, no longer needed Closes #12204
2023-10-26 17:27:42 +08:00
/**
* Get the ssl_config_data in `data` that is relevant for cfilter `cf`.
*/
struct ssl_config_data *Curl_ssl_cf_get_config(struct Curl_cfilter *cf,
struct Curl_easy *data);
/**
* Get the primary config relevant for the filter from its connection.
*/
struct ssl_primary_config *
Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf);
curl_log: for failf/infof and debug logging implementations - new functions and macros for cfilter debugging - set CURL_DEBUG with names of cfilters where debug logging should be enabled - use GNUC __attribute__ to enable printf format checks during compile Closes #10271
2023-01-11 17:30:42 +08:00
extern struct Curl_cftype Curl_cft_ssl;
vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY Closes #12459
2023-12-06 06:49:12 +08:00
#ifndef CURL_DISABLE_PROXY
curl_log: for failf/infof and debug logging implementations - new functions and macros for cfilter debugging - set CURL_DEBUG with names of cfilters where debug logging should be enabled - use GNUC __attribute__ to enable printf format checks during compile Closes #10271
2023-01-11 17:30:42 +08:00
extern struct Curl_cftype Curl_cft_ssl_proxy;
vtls: remove the Curl_cft_ssl_proxy object if CURL_DISABLE_PROXY Closes #12459
2023-12-06 06:49:12 +08:00
#endif
curl_log: for failf/infof and debug logging implementations - new functions and macros for cfilter debugging - set CURL_DEBUG with names of cfilters where debug logging should be enabled - use GNUC __attribute__ to enable printf format checks during compile Closes #10271
2023-01-11 17:30:42 +08:00
setopt: add TLS 1.3 ciphersuites Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. curl: added --tls13-ciphers and --proxy-tls13-ciphers Fixes #2435 Reported-by: zzq1015 on github Closes #2607
2018-05-29 22:12:52 +08:00
#else /* if not USE_SSL */
vtls: Separate the SSL backend definition from the API setup Slight code cleanup as the SSL backend #define is mixed up with the API function setup.
2015-01-18 00:03:49 +08:00
- I did a cleanup of the internal generic SSL layer and how the various SSL libraries are supported. Starting now, each underlying SSL library support code does a set of defines for the 16 functions the generic layer (sslgen.c) uses (all these new function defines use the prefix "curlssl_"). This greatly simplified the generic layer in readability by involving much less #ifdefs and other preprocessor stuff and should make it easier for people to make libcurl work with new SSL libraries. Hopefully I can later on document these 16 functions somewhat as well. I also made most of the internal SSL-dependent functions (using Curl_ssl_ prefix) #defined to nothing when no SSL support is requested - previously they would unnecessarily call mostly empty functions.
2008-06-12 01:01:58 +08:00
/* When SSL support is not present, just define away these function calls */
#define Curl_ssl_init() 1
fix a bunch of MSVC compiler warnings
2011-09-03 22:06:10 +08:00
#define Curl_ssl_cleanup() Curl_nop_stmt
#define Curl_ssl_close_all(x) Curl_nop_stmt
return code cleanup: build, init and run-time errors Stop the abuse of CURLE_FAILED_INIT as return code for things not being init related by introducing two new return codes: CURLE_NOT_BUILT_IN and CURLE_UNKNOWN_OPTION CURLE_NOT_BUILT_IN replaces return code 4 that has been obsoleted for several years. It is used for returning error when something is attempted to be used but the feature/option was not enabled or explictitly disabled at build-time. Getting this error mostly means that libcurl needs to be rebuilt. CURLE_FAILED_INIT is now saved and used strictly for init failures. Getting this problem means something went seriously wrong, like a resource shortage or similar. CURLE_UNKNOWN_OPTION is the option formerly known as CURLE_UNKNOWN_TELNET_OPTION (and the old name is still present, separately defined to be removed in a very distant future). This error code is meant to be used to return when an option is given to libcurl that isn't known. This problem would mostly indicate a problem in the program that uses libcurl.
2011-04-05 21:14:02 +08:00
#define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
- I did a cleanup of the internal generic SSL layer and how the various SSL libraries are supported. Starting now, each underlying SSL library support code does a set of defines for the 16 functions the generic layer (sslgen.c) uses (all these new function defines use the prefix "curlssl_"). This greatly simplified the generic layer in readability by involving much less #ifdefs and other preprocessor stuff and should make it easier for people to make libcurl work with new SSL libraries. Hopefully I can later on document these 16 functions somewhat as well. I also made most of the internal SSL-dependent functions (using Curl_ssl_ prefix) #defined to nothing when no SSL support is requested - previously they would unnecessarily call mostly empty functions.
2008-06-12 01:01:58 +08:00
#define Curl_ssl_engines_list(x) NULL
#define Curl_ssl_initsessions(x,y) CURLE_OK
fix a bunch of MSVC compiler warnings
2011-09-03 22:06:10 +08:00
#define Curl_ssl_free_certinfo(x) Curl_nop_stmt
ssl session caching: fix compiler warnings
2012-01-19 06:39:30 +08:00
#define Curl_ssl_kill_session(x) Curl_nop_stmt
vtls.h: Fixed compiler warning when compiled without SSL vtls.c:185:46: warning: unused parameter 'data'
2014-11-10 02:09:58 +08:00
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
vtls: Fixed compilation errors when SSL not used Fixed the following warning and error from commit 3af90a6e19 when SSL is not being used: url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined; assuming extern returning int error LNK2019: unresolved external symbol Curl_ssl_cert_status_request referenced in function Curl_setopt
2015-01-17 23:13:29 +08:00
#define Curl_ssl_cert_status_request() FALSE
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and accept - socks: cfilter for socks proxying - http_proxy: cfilter for http proxy tunneling - vtls: cfilters for primary and proxy ssl - change in general handling of data/conn - Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup - Curl_cfilter_connect() boot straps filters into `connected` status, used by handlers and multi to reach further stages - Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work - Curl_cfilter_data_pending() asks filters if the have incoming data pending for recv - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters and addition/removal of a `data` from their connection - adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code. Reviewed-by: Daniel Stenberg Closes #9855
2022-11-11 18:45:34 +08:00
#define Curl_ssl_false_start(a) FALSE
#define Curl_ssl_get_internals(a,b,c,d) NULL
#define Curl_ssl_supports(a,b) FALSE
cfilter: re-add `conn` as parameter to cfilter setup methods - `Curl_ssl_get_config()` now returns the first config if no SSL proxy filter is active - socket filter starts connection only on first invocation of its connect method Fixes #9982 Closes #9983
2022-11-26 19:43:56 +08:00
#define Curl_ssl_cfilter_add(a,b,c) CURLE_NOT_BUILT_IN
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data this selects the propert subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (und session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain paramter. Closes #9919
2022-11-22 16:55:41 +08:00
#define Curl_ssl_cfilter_remove(a,b) CURLE_OK
vtls: cleanup SSL config management - remove `Curl_ssl_get_config()`, no longer needed Closes #12204
2023-10-26 17:27:42 +08:00
#define Curl_ssl_cf_get_config(a,b) NULL
#define Curl_ssl_cf_get_primary_config(a) NULL
- I did a cleanup of the internal generic SSL layer and how the various SSL libraries are supported. Starting now, each underlying SSL library support code does a set of defines for the 16 functions the generic layer (sslgen.c) uses (all these new function defines use the prefix "curlssl_"). This greatly simplified the generic layer in readability by involving much less #ifdefs and other preprocessor stuff and should make it easier for people to make libcurl work with new SSL libraries. Hopefully I can later on document these 16 functions somewhat as well. I also made most of the internal SSL-dependent functions (using Curl_ssl_ prefix) #defined to nothing when no SSL support is requested - previously they would unnecessarily call mostly empty functions.
2008-06-12 01:01:58 +08:00
#endif
vtls: renamed sslgen.[ch] to vtls.[ch]
2013-12-18 06:32:47 +08:00
#endif /* HEADER_CURL_VTLS_H */
Reference in New Issue Copy Permalink