Lines Matching defs:data
326 Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \
331 static void pubkey_show(struct Curl_easy *data,
350 pubkey_show(data, mem, _num, #_type, #_name, _name)
356 pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \
377 static void X509V3_ext(struct Curl_easy *data,
405 Curl_ssl_push_certinfo_len(data, certnum, namebuf, biomem->data,
417 CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl)
434 result = Curl_ssl_init_certinfo(data, (int)numcerts);
465 BIO_printf(mem, "%02x", num->data[j]);
491 X509V3_ext(data, i, X509_get0_extensions(x));
504 X509V3_ext(data, i, cinf->extensions);
518 infof(data, " Unable to load public key");
646 BIO_printf(mem, "%02x:", psig->data[j]);
731 struct Curl_easy *data = CF_DATA_CURRENT(cf);
735 DEBUGASSERT(data);
736 nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result);
737 CURL_TRC_CF(data, cf, "ossl_bio_cf_out_write(len=%d) -> %d, err=%d",
754 struct Curl_easy *data = CF_DATA_CURRENT(cf);
758 DEBUGASSERT(data);
763 nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result);
764 CURL_TRC_CF(data, cf, "ossl_bio_cf_in_read(len=%d) -> %d, err=%d",
776 result = Curl_ssl_setup_x509_store(cf, data, backend->ctx);
988 static CURLcode ossl_seed(struct Curl_easy *data)
991 if(data->multi && data->multi->ssl_seeded)
996 if(data->multi)
997 data->multi->ssl_seeded = TRUE;
1002 failf(data, "Insufficient randomness");
1047 infof(data, "libcurl is now using a weak random seed");
1127 static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine);
1137 BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
1173 BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
1208 BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
1268 int cert_stuff(struct Curl_easy *data,
1304 failf(data,
1325 failf(data,
1340 if(!data->state.engine) {
1342 if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
1348 if(data->state.engine) {
1359 if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
1361 failf(data, "ssl engine does not support loading certificates");
1366 if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
1368 failf(data, "ssl engine cannot load client cert with id"
1376 failf(data, "ssl engine didn't initialized the certificate "
1382 failf(data, "unable to set client certificate [%s]",
1390 failf(data, "crypto engine not set, can't load certificate");
1396 failf(data, "file type ENG for certificate not implemented");
1407 cert_bio = BIO_new_mem_buf(cert_blob->data, (int)(cert_blob->len));
1409 failf(data,
1420 failf(data,
1429 failf(data, "could not open PKCS12 file '%s'", cert_file);
1439 failf(data, "error reading PKCS12 file '%s'",
1448 failf(data,
1460 failf(data,
1469 failf(data, "unable to use private key from PKCS12 file '%s'",
1475 failf(data, "private key from PKCS12 file '%s' "
1492 failf(data, "cannot add certificate to client CA list");
1497 failf(data, "cannot add certificate to certificate chain");
1513 failf(data, "not supported file type '%s' for certificate", cert_type);
1534 failf(data, "unable to set private key file: '%s' type %s",
1546 if(!data->state.engine) {
1548 if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
1554 if(data->state.engine) {
1558 failf(data, "unable do create " OSSL_PACKAGE
1566 priv_key = ENGINE_load_private_key(data->state.engine, key_file,
1571 failf(data, "failed to load private key from crypto engine");
1575 failf(data, "unable to set private key");
1582 failf(data, "crypto engine not set, can't load private key");
1588 failf(data, "file type ENG for private key not supported");
1593 failf(data, "file type P12 for private key not supported");
1598 failf(data, "not supported file type for private key");
1604 failf(data, "unable to create an SSL structure");
1648 failf(data, "Private key does not match the certificate public key");
1656 CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data, SSL_CTX *ctx,
1663 int rv = cert_stuff(data, ctx, cert_file, cert_blob, cert_type, key_file,
1690 memcpy(buf, biomem->data, size);
1793 static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
1810 failf(data, "SSL Engine '%s' not found", engine);
1814 if(data->state.engine) {
1815 ENGINE_finish(data->state.engine);
1816 ENGINE_free(data->state.engine);
1817 data->state.engine = NULL;
1823 failf(data, "Failed to initialise SSL Engine '%s': %s",
1827 data->state.engine = e;
1831 failf(data, "SSL Engine not supported");
1838 static CURLcode ossl_set_engine_default(struct Curl_easy *data)
1841 if(data->state.engine) {
1842 if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
1843 infof(data, "set default crypto engine '%s'",
1844 ENGINE_get_id(data->state.engine));
1847 failf(data, "set default crypto engine '%s' failed",
1848 ENGINE_get_id(data->state.engine));
1853 (void) data;
1860 static struct curl_slist *ossl_engines_list(struct Curl_easy *data)
1876 (void) data;
1880 static void ossl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1886 (void)data;
1900 CURL_TRC_CF(data, cf, "SSL shutdown finished");
1907 case SSL_ERROR_ZERO_RETURN: /* no more data */
1908 CURL_TRC_CF(data, cf, "SSL shutdown, EOF from server");
1913 CURL_TRC_CF(data, cf, "SSL shutdown sent");
1916 CURL_TRC_CF(data, cf, "SSL shutdown send blocked");
1920 CURL_TRC_CF(data, cf, "SSL shutdown, error: '%s', errno %d",
1952 struct Curl_easy *data)
1975 if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
1982 int what = SOCKET_READABLE(Curl_conn_cf_get_socket(cf, data),
1994 case SSL_ERROR_ZERO_RETURN: /* no more data */
1995 /* This is the expected response. There was no data but only
2000 /* there's data pending, re-invoke SSL_read() */
2001 infof(data, "SSL_ERROR_WANT_READ");
2005 infof(data, "SSL_ERROR_WANT_WRITE");
2011 failf(data, OSSL_PACKAGE " SSL_read on shutdown: %s, errno %d",
2022 failf(data, "SSL shutdown timeout");
2027 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
2033 if(data->set.verbose) {
2037 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN");
2040 infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN");
2043 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|"
2063 * This function is called when the 'data' struct is going away. Close
2066 static void ossl_close_all(struct Curl_easy *data)
2069 if(data->state.engine) {
2070 ENGINE_finish(data->state.engine);
2071 ENGINE_free(data->state.engine);
2072 data->state.engine = NULL;
2075 (void)data;
2092 static bool subj_alt_hostcheck(struct Curl_easy *data,
2101 (void)data;
2104 infof(data, " subjectAltName: host \"%s\" matched cert's \"%s\"",
2133 CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
2197 /* get data and length */
2204 assumed that the data returned by ASN1_STRING_data() is null
2206 "The actual format of the data will depend on the actual string
2207 type itself: for example for an IA5String the data will be ASCII"
2215 subj_alt_hostcheck(data, altptr, altlen,
2223 /* compare alternative IP address if the data chunk is the same size
2227 infof(data,
2245 infof(data, " subjectAltName does not match %s", peer->dispname);
2246 failf(data, "SSL: no alternative certificate subject name matches "
2296 failf(data, "SSL: illegal cert name field");
2306 failf(data,
2312 failf(data, "SSL: certificate subject name '%s' does not match "
2317 infof(data, " common name: %s (matched)", peer_CN);
2329 struct Curl_easy *data)
2358 failf(data, "No OCSP response received");
2365 failf(data, "Invalid OCSP response");
2372 failf(data, "Invalid OCSP response status: %s (%d)",
2380 failf(data, "Invalid OCSP response");
2387 failf(data, "Could not get peer certificate chain");
2412 failf(data, "Could not add issuer cert to OCSP response");
2422 failf(data, "OCSP response verification failed");
2430 failf(data, "Error getting peer certificate");
2445 failf(data, "Error computing OCSP ID");
2455 failf(data, "Could not find certificate ID in OCSP response");
2462 failf(data, "OCSP response has expired");
2467 infof(data, "SSL certificate status: %s (%d)",
2476 failf(data, "SSL certificate revocation reason: %s (%d)",
2564 return "Supplemental data";
2568 return "End of early data";
2601 return "TLS app data";
2616 struct Curl_easy *data = NULL;
2621 data = CF_DATA_CURRENT(cf);
2622 if(!data || !data->set.fdebug || (direction && direction != 1))
2709 Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len);
2713 Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
2830 struct Curl_easy *data)
2836 (void) data; /* In case it's unused. */
2851 failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
2859 failf(data, OSSL_PACKAGE " was built without TLS 1.2 support");
2867 failf(data, OSSL_PACKAGE " was built without TLS 1.1 support");
2896 failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
2910 struct Curl_easy *data;
2918 data = connssl? CF_DATA_CURRENT(cf) : NULL;
2920 if(!cf || !data)
2925 config = Curl_ssl_cf_get_config(cf, data);
2931 Curl_ssl_sessionid_lock(data);
2935 incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL));
2938 infof(data, "old SSL session ID is stale, removing");
2939 Curl_ssl_delsessionid(data, old_ssl_sessionid);
2945 if(!Curl_ssl_addsessionid(cf, data, ssl_sessionid,
2953 failf(data, "failed to store ssl session");
2955 Curl_ssl_sessionid_unlock(data);
2975 cbio = BIO_new_mem_buf(ca_info_blob->data, (int)ca_info_blob->len);
3018 static CURLcode import_windows_cert_store(struct Curl_easy *data,
3061 infof(data, "SSL: Checking cert \"%s\"", cert_name);
3095 failf(data, "SSL: Out of memory allocating for OID list");
3143 infof(data, "SSL: Imported cert \"%s\"", cert_name);
3163 struct Curl_easy *data,
3167 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3180 CURL_TRC_CF(data, cf, "populate_x509_store, path=%s, blob=%d",
3200 result = import_windows_cert_store(data, storeNames[i], store,
3205 infof(data, "successfully imported Windows %s store", storeNames[i]);
3209 infof(data, "error importing Windows %s store, continuing anyway",
3217 failf(data, "error importing CA certificate blob");
3222 infof(data, "successfully imported CA certificate blob");
3232 failf(data, "error setting certificate file: %s", ssl_cafile);
3236 infof(data, "error setting certificate file, continuing anyway");
3241 failf(data, "error setting certificate path: %s", ssl_capath);
3245 infof(data, "error setting certificate path, continuing anyway");
3253 failf(data, "error setting certificate verify locations:"
3260 infof(data, "error setting certificate verify locations,"
3265 infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
3266 infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
3285 failf(data, "error loading CRL file: %s", ssl_crlfile);
3289 infof(data, "successfully loaded CRL file:");
3293 infof(data, " CRLfile: %s", ssl_crlfile);
3325 static bool cached_x509_store_expired(const struct Curl_easy *data,
3328 const struct ssl_general_config *cfg = &data->set.general_ssl;
3351 const struct Curl_easy *data)
3353 struct Curl_multi *multi = data->multi_easy ? data->multi_easy : data->multi;
3360 !cached_x509_store_expired(data, multi->ssl_backend_data) &&
3369 const struct Curl_easy *data,
3373 struct Curl_multi *multi = data->multi_easy ? data->multi_easy : data->multi;
3411 struct Curl_easy *data,
3415 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3423 cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) &&
3430 cached_store = get_cached_x509_store(cf, data);
3437 result = populate_x509_store(cf, data, store);
3439 set_cached_x509_store(cf, data, store);
3447 struct Curl_easy *data,
3452 return populate_x509_store(cf, data, store);
3457 struct Curl_easy *data)
3466 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3481 result = ossl_seed(data);
3504 failf(data, "No SSLv2 support");
3507 failf(data, "No SSLv3 support");
3510 failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
3518 ossl_close(cf, data);
3523 failf(data, "SSL: couldn't create a context: %s",
3533 if(data->set.fdebug && data->set.verbose) {
3553 the session data is some overhead. I suggest that you just use your
3618 result = ossl_set_ssl_version_min_max_legacy(&ctx_options, cf, data);
3625 failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
3637 SSL_CTX_set_alpn_protos(backend->ctx, proto.data, proto.len)) {
3638 failf(data, "Error setting ALPN");
3642 infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
3648 !cert_stuff(data, backend->ctx,
3663 failf(data, "failed setting cipher list: %s", ciphers);
3666 infof(data, "Cipher selection: %s", ciphers);
3674 failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13);
3677 infof(data, "TLS 1.3 cipher selection: %s", ciphers13);
3692 failf(data, "failed setting curves list: '%s'", curves);
3700 if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) {
3703 infof(data, "Using TLS-SRP username: %s", ssl_username);
3706 failf(data, "Unable to set SRP user name");
3710 failf(data, "failed setting SRP password");
3714 infof(data, "Setting cipher list SRP");
3717 failf(data, "failed setting SRP cipher list");
3748 if(data->set.ssl.fsslctx) {
3753 result = Curl_ssl_setup_x509_store(cf, data, backend->ctx);
3758 Curl_set_in_callback(data, true);
3759 result = (*data->set.ssl.fsslctx)(data, backend->ctx,
3760 data->set.ssl.fsslctxp);
3761 Curl_set_in_callback(data, false);
3763 failf(data, "error signaled by ssl ctx callback");
3773 failf(data, "SSL: couldn't create a context (handle)");
3796 failf(data, "Failed set SNI");
3806 Curl_ssl_sessionid_lock(data);
3807 if(!Curl_ssl_getsessionid(cf, data, &ssl_sessionid, NULL)) {
3810 Curl_ssl_sessionid_unlock(data);
3811 failf(data, "SSL: SSL_set_session failed: %s",
3817 infof(data, "SSL reusing session ID");
3820 Curl_ssl_sessionid_unlock(data);
3849 struct Curl_easy *data)
3855 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3868 CURLcode result = Curl_ssl_setup_x509_store(cf, data, backend->ctx);
3977 failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%d ",
3984 failf(data, "%s", error_buffer);
4007 infof(data, "SSL connection using %s / %s / %s / %s",
4014 /* Sets data and len to negotiated protocol, len is 0 if no protocol was
4022 return Curl_alpn_set_negotiated(cf, data, neg_protocol, len);
4034 static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
4079 result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
4094 static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
4145 infof(data,
4154 #define infof_certstack(data, ssl)
4166 struct Curl_easy *data,
4171 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
4188 failf(data,
4196 if(data->set.ssl.certinfo)
4198 (void)Curl_ossl_certchain(data, backend->handle);
4206 failf(data, "SSL: couldn't get peer certificate");
4210 infof(data, "%s certificate:",
4215 infof(data, " subject: %s", rc?"[NONE]":buffer);
4222 infof(data, " start date: %.*s", (int)len, ptr);
4227 infof(data, " expire date: %.*s", (int)len, ptr);
4235 result = Curl_ossl_verifyhost(data, conn, &connssl->peer,
4248 failf(data, "SSL: couldn't get X509-issuer name");
4252 infof(data, " issuer: %s", buffer);
4260 fp = BIO_new_mem_buf(conn_config->issuercert_blob->data,
4263 failf(data,
4276 failf(data,
4288 failf(data, "SSL: Unable to open issuer cert (%s)",
4300 failf(data, "SSL: Unable to read issuer cert (%s)",
4311 failf(data, "SSL: Certificate issuer check failed (%s)",
4320 infof(data, " SSL certificate issuer check ok (%s)",
4333 failf(data, "SSL certificate verify result: %s (%ld)",
4338 infof(data, " SSL certificate verify result: %s (%ld),"
4343 infof(data, " SSL certificate verify ok.");
4346 infof_certstack(data, backend->handle);
4352 result = verifystatus(cf, data);
4359 Curl_ssl_sessionid_lock(data);
4360 incache = !(Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL));
4362 infof(data, "Remove session ID again from cache");
4363 Curl_ssl_delsessionid(data, old_ssl_sessionid);
4365 Curl_ssl_sessionid_unlock(data);
4380 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]:
4381 data->set.str[STRING_SSL_PINNEDPUBLICKEY];
4383 result = ossl_pkp_pin_peer_pubkey(data, backend->server_cert, ptr);
4385 failf(data, "SSL: public key does not match pinned public key");
4396 struct Curl_easy *data)
4411 result = servercert(cf, data, conn_config->verifypeer ||
4421 struct Curl_easy *data,
4427 curl_socket_t sockfd = Curl_conn_cf_get_socket(cf, data);
4438 const timediff_t timeout_ms = Curl_timeleft(data, NULL, TRUE);
4442 failf(data, "SSL connection timeout");
4446 result = ossl_connect_step1(cf, data);
4456 const timediff_t timeout_ms = Curl_timeleft(data, NULL, TRUE);
4460 failf(data, "SSL connection timeout");
4479 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
4485 failf(data, "SSL connection timeout");
4498 result = ossl_connect_step2(cf, data);
4508 result = ossl_connect_step3(cf, data);
4528 struct Curl_easy *data,
4531 return ossl_connect_common(cf, data, TRUE, done);
4535 struct Curl_easy *data)
4540 result = ossl_connect_common(cf, data, FALSE, &done);
4550 const struct Curl_easy *data)
4556 (void)data;
4564 struct Curl_easy *data,
4580 (void)data;
4618 failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
4628 failf(data, "SSL_write() error: %s",
4636 failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
4650 struct Curl_easy *data, /* transfer */
4651 char *buf, /* store read data here */
4664 (void)data;
4679 case SSL_ERROR_ZERO_RETURN: /* no more data */
4688 /* there's data pending, re-invoke SSL_read() */
4713 failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
4736 failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d"
4831 /* can be called with data == NULL */
4832 static CURLcode ossl_random(struct Curl_easy *data,
4836 if(data) {
4837 if(ossl_seed(data)) /* Initiate the seed if not already done */
4947 NULL, /* use of data in this connection */
4948 NULL, /* remote of data from this connection */
4950 ossl_recv, /* recv decrypted data */
4951 ossl_send, /* send data to encrypt */