mirror of
https://github.com/curl/curl.git
synced 2024-12-27 06:59:43 +08:00
02b14378e6
- Don't call the keylog function if it has already logged the key.
For old OpenSSL versions and its forks that do not have support for
OpenSSL's keylog callback, libcurl has its own legacy key logging
function that logs the TLS 1.2 (and earlier) key (client random + master
key) on a single line.
Prior to this change, since e7de80e8 (precedes 8.8.0), the legacy key
logging function could write the same key line more than once (usually
twice) due to some incorrect logic.
Closes https://github.com/curl/curl/pull/13683
123 lines
4.7 KiB
C
123 lines
4.7 KiB
C
#ifndef HEADER_CURL_SSLUSE_H
|
|
#define HEADER_CURL_SSLUSE_H
|
|
/***************************************************************************
|
|
* _ _ ____ _
|
|
* Project ___| | | | _ \| |
|
|
* / __| | | | |_) | |
|
|
* | (__| |_| | _ <| |___
|
|
* \___|\___/|_| \_\_____|
|
|
*
|
|
* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
*
|
|
* This software is licensed as described in the file COPYING, which
|
|
* you should have received as part of this distribution. The terms
|
|
* are also available at https://curl.se/docs/copyright.html.
|
|
*
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
*
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
* KIND, either express or implied.
|
|
*
|
|
* SPDX-License-Identifier: curl
|
|
*
|
|
***************************************************************************/
|
|
|
|
#include "curl_setup.h"
|
|
|
|
#ifdef USE_OPENSSL
|
|
/*
|
|
* This header should only be needed to get included by vtls.c, openssl.c
|
|
* and ngtcp2.c
|
|
*/
|
|
#include <openssl/ossl_typ.h>
|
|
#include <openssl/ssl.h>
|
|
|
|
#include "urldata.h"
|
|
|
|
/* Struct to hold a Curl OpenSSL instance */
|
|
struct ossl_ctx {
|
|
/* these ones requires specific SSL-types */
|
|
SSL_CTX* ssl_ctx;
|
|
SSL* ssl;
|
|
X509* server_cert;
|
|
BIO_METHOD *bio_method;
|
|
CURLcode io_result; /* result of last BIO cfilter operation */
|
|
#ifndef HAVE_KEYLOG_CALLBACK
|
|
/* Set to true once a valid keylog entry has been created to avoid dupes.
|
|
This is a bool and not a bitfield because it is passed by address. */
|
|
bool keylog_done;
|
|
#endif
|
|
BIT(x509_store_setup); /* x509 store has been set up */
|
|
BIT(reused_session); /* session-ID was reused for this */
|
|
};
|
|
|
|
typedef CURLcode Curl_ossl_ctx_setup_cb(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
void *user_data);
|
|
|
|
typedef int Curl_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid);
|
|
|
|
CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
|
|
struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
struct ssl_peer *peer,
|
|
int transport, /* TCP or QUIC */
|
|
const unsigned char *alpn, size_t alpn_len,
|
|
Curl_ossl_ctx_setup_cb *cb_setup,
|
|
void *cb_user_data,
|
|
Curl_ossl_new_session_cb *cb_new_session,
|
|
void *ssl_user_data);
|
|
|
|
#if (OPENSSL_VERSION_NUMBER < 0x30000000L)
|
|
#define SSL_get1_peer_certificate SSL_get_peer_certificate
|
|
#endif
|
|
|
|
CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
|
|
struct ssl_peer *peer, X509 *server_cert);
|
|
extern const struct Curl_ssl Curl_ssl_openssl;
|
|
|
|
CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data,
|
|
SSL_CTX *ctx, char *cert_file,
|
|
const struct curl_blob *cert_blob,
|
|
const char *cert_type, char *key_file,
|
|
const struct curl_blob *key_blob,
|
|
const char *key_type, char *key_passwd);
|
|
|
|
CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl);
|
|
|
|
/**
|
|
* Setup the OpenSSL X509_STORE in `ssl_ctx` for the cfilter `cf` and
|
|
* easy handle `data`. Will allow reuse of a shared cache if suitable
|
|
* and configured.
|
|
*/
|
|
CURLcode Curl_ssl_setup_x509_store(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
SSL_CTX *ssl_ctx);
|
|
|
|
CURLcode Curl_ossl_ctx_configure(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
SSL_CTX *ssl_ctx);
|
|
|
|
/*
|
|
* Add a new session to the cache. Takes ownership of the session.
|
|
*/
|
|
CURLcode Curl_ossl_add_session(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
const struct ssl_peer *peer,
|
|
SSL_SESSION *ssl_sessionid);
|
|
|
|
/*
|
|
* Get the server cert, verify it and show it, etc., only call failf() if
|
|
* ssl config verifypeer or -host is set. Otherwise all this is for
|
|
* informational purposes only!
|
|
*/
|
|
CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
|
|
struct Curl_easy *data,
|
|
struct ossl_ctx *octx,
|
|
struct ssl_peer *peer);
|
|
|
|
#endif /* USE_OPENSSL */
|
|
#endif /* HEADER_CURL_SSLUSE_H */
|