Home | History | Annotate | Download | only in vtls
      1 /***************************************************************************
      2  *                                  _   _ ____  _
      3  *  Project                     ___| | | |  _ \| |
      4  *                             / __| | | | |_) | |
      5  *                            | (__| |_| |  _ <| |___
      6  *                             \___|\___/|_| \_\_____|
      7  *
      8  * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel (at) haxx.se>, et al.
      9  *
     10  * This software is licensed as described in the file COPYING, which
     11  * you should have received as part of this distribution. The terms
     12  * are also available at https://curl.haxx.se/docs/copyright.html.
     13  *
     14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
     15  * copies of the Software, and permit persons to whom the Software is
     16  * furnished to do so, under the terms of the COPYING file.
     17  *
     18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
     19  * KIND, either express or implied.
     20  *
     21  ***************************************************************************/
     22 
     23 /*
     24  * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
     25  * but vtls.c should ever call or use these functions.
     26  */
     27 
     28 /*
     29  * The original SSLeay-using code for curl was written by Linas Vepstas and
     30  * Sampo Kellomaki 1998.
     31  */
     32 
     33 #include "curl_setup.h"
     34 
     35 #ifdef USE_OPENSSL
     36 
     37 #ifdef HAVE_LIMITS_H
     38 #include <limits.h>
     39 #endif
     40 
     41 #include "urldata.h"
     42 #include "sendf.h"
     43 #include "formdata.h" /* for the boundary function */
     44 #include "url.h" /* for the ssl config check function */
     45 #include "inet_pton.h"
     46 #include "openssl.h"
     47 #include "connect.h"
     48 #include "slist.h"
     49 #include "strequal.h"
     50 #include "select.h"
     51 #include "vtls.h"
     52 #include "rawstr.h"
     53 #include "hostcheck.h"
     54 #include "curl_printf.h"
     55 
     56 #include <openssl/ssl.h>
     57 #include <openssl/rand.h>
     58 #include <openssl/x509v3.h>
     59 #include <openssl/dsa.h>
     60 #include <openssl/dh.h>
     61 #include <openssl/err.h>
     62 #include <openssl/md5.h>
     63 #include <openssl/conf.h>
     64 #include <openssl/bn.h>
     65 #include <openssl/rsa.h>
     66 
     67 #ifdef HAVE_OPENSSL_PKCS12_H
     68 #include <openssl/pkcs12.h>
     69 #endif
     70 
     71 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
     72 #include <openssl/ocsp.h>
     73 #endif
     74 
     75 #include "warnless.h"
     76 #include "non-ascii.h" /* for Curl_convert_from_utf8 prototype */
     77 
     78 /* The last #include files should be: */
     79 #include "curl_memory.h"
     80 #include "memdebug.h"
     81 
     82 #ifndef OPENSSL_VERSION_NUMBER
     83 #error "OPENSSL_VERSION_NUMBER not defined"
     84 #endif
     85 
     86 #if defined(HAVE_OPENSSL_ENGINE_H)
     87 #include <openssl/ui.h>
     88 #endif
     89 
     90 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
     91 #define SSL_METHOD_QUAL const
     92 #else
     93 #define SSL_METHOD_QUAL
     94 #endif
     95 
     96 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
     97 #define HAVE_ERR_REMOVE_THREAD_STATE 1
     98 #if (OPENSSL_VERSION_NUMBER >= 0x10100004L) && \
     99   !defined(LIBRESSL_VERSION_NUMBER)
    100 /* OpenSSL 1.1.0 deprecates the function */
    101 #define HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED 1
    102 #endif
    103 #endif
    104 
    105 #if !defined(HAVE_SSLV2_CLIENT_METHOD) || \
    106   OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ has no SSLv2 */
    107 #undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
    108 #define OPENSSL_NO_SSL2
    109 #endif
    110 
    111 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
    112   !defined(LIBRESSL_VERSION_NUMBER)
    113 #define SSLeay_add_ssl_algorithms() SSL_library_init()
    114 #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
    115 #define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
    116 #define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
    117 #define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
    118 #endif
    119 
    120 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
    121   !defined(LIBRESSL_VERSION_NUMBER)
    122 #define HAVE_X509_GET0_SIGNATURE 1
    123 #endif
    124 
    125 #if OPENSSL_VERSION_NUMBER >= 0x10002003L && \
    126   OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \
    127   !defined(OPENSSL_NO_COMP)
    128 #define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1
    129 #endif
    130 
    131 #if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
    132 /* not present in older OpenSSL */
    133 #define OPENSSL_load_builtin_modules(x)
    134 #endif
    135 
    136 #if defined(LIBRESSL_VERSION_NUMBER)
    137 #define OSSL_PACKAGE "LibreSSL"
    138 #elif defined(OPENSSL_IS_BORINGSSL)
    139 #define OSSL_PACKAGE "BoringSSL"
    140 #else
    141 #define OSSL_PACKAGE "OpenSSL"
    142 #endif
    143 
    144 /*
    145  * Number of bytes to read from the random number seed file. This must be
    146  * a finite value (because some entropy "files" like /dev/urandom have
    147  * an infinite length), but must be large enough to provide enough
    148  * entopy to properly seed OpenSSL's PRNG.
    149  */
    150 #define RAND_LOAD_LENGTH 1024
    151 
    152 static int passwd_callback(char *buf, int num, int encrypting,
    153                            void *global_passwd)
    154 {
    155   DEBUGASSERT(0 == encrypting);
    156 
    157   if(!encrypting) {
    158     int klen = curlx_uztosi(strlen((char *)global_passwd));
    159     if(num > klen) {
    160       memcpy(buf, global_passwd, klen+1);
    161       return klen;
    162     }
    163   }
    164   return 0;
    165 }
    166 
    167 /*
    168  * rand_enough() is a function that returns TRUE if we have seeded the random
    169  * engine properly. We use some preprocessor magic to provide a seed_enough()
    170  * macro to use, just to prevent a compiler warning on this function if we
    171  * pass in an argument that is never used.
    172  */
    173 
    174 #ifdef HAVE_RAND_STATUS
    175 #define seed_enough(x) rand_enough()
    176 static bool rand_enough(void)
    177 {
    178   return (0 != RAND_status()) ? TRUE : FALSE;
    179 }
    180 #else
    181 #define seed_enough(x) rand_enough(x)
    182 static bool rand_enough(int nread)
    183 {
    184   /* this is a very silly decision to make */
    185   return (nread > 500) ? TRUE : FALSE;
    186 }
    187 #endif
    188 
    189 static int ossl_seed(struct Curl_easy *data)
    190 {
    191   char *buf = data->state.buffer; /* point to the big buffer */
    192   int nread=0;
    193 
    194   /* Q: should we add support for a random file name as a libcurl option?
    195      A: Yes, it is here */
    196 
    197 #ifndef RANDOM_FILE
    198   /* if RANDOM_FILE isn't defined, we only perform this if an option tells
    199      us to! */
    200   if(data->set.ssl.random_file)
    201 #define RANDOM_FILE "" /* doesn't matter won't be used */
    202 #endif
    203   {
    204     /* let the option override the define */
    205     nread += RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
    206                              data->set.str[STRING_SSL_RANDOM_FILE]:
    207                              RANDOM_FILE),
    208                             RAND_LOAD_LENGTH);
    209     if(seed_enough(nread))
    210       return nread;
    211   }
    212 
    213 #if defined(HAVE_RAND_EGD)
    214   /* only available in OpenSSL 0.9.5 and later */
    215   /* EGD_SOCKET is set at configure time or not at all */
    216 #ifndef EGD_SOCKET
    217   /* If we don't have the define set, we only do this if the egd-option
    218      is set */
    219   if(data->set.str[STRING_SSL_EGDSOCKET])
    220 #define EGD_SOCKET "" /* doesn't matter won't be used */
    221 #endif
    222   {
    223     /* If there's an option and a define, the option overrides the
    224        define */
    225     int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
    226                        data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
    227     if(-1 != ret) {
    228       nread += ret;
    229       if(seed_enough(nread))
    230         return nread;
    231     }
    232   }
    233 #endif
    234 
    235   /* If we get here, it means we need to seed the PRNG using a "silly"
    236      approach! */
    237   do {
    238     unsigned char randb[64];
    239     int len = sizeof(randb);
    240     RAND_bytes(randb, len);
    241     RAND_add(randb, len, (len >> 1));
    242   } while(!RAND_status());
    243 
    244   /* generates a default path for the random seed file */
    245   buf[0]=0; /* blank it first */
    246   RAND_file_name(buf, BUFSIZE);
    247   if(buf[0]) {
    248     /* we got a file name to try */
    249     nread += RAND_load_file(buf, RAND_LOAD_LENGTH);
    250     if(seed_enough(nread))
    251       return nread;
    252   }
    253 
    254   infof(data, "libcurl is now using a weak random seed!\n");
    255   return nread;
    256 }
    257 
    258 static void Curl_ossl_seed(struct Curl_easy *data)
    259 {
    260   /* we have the "SSL is seeded" boolean static to prevent multiple
    261      time-consuming seedings in vain */
    262   static bool ssl_seeded = FALSE;
    263 
    264   if(!ssl_seeded || data->set.str[STRING_SSL_RANDOM_FILE] ||
    265      data->set.str[STRING_SSL_EGDSOCKET]) {
    266     ossl_seed(data);
    267     ssl_seeded = TRUE;
    268   }
    269 }
    270 
    271 #ifndef SSL_FILETYPE_ENGINE
    272 #define SSL_FILETYPE_ENGINE 42
    273 #endif
    274 #ifndef SSL_FILETYPE_PKCS12
    275 #define SSL_FILETYPE_PKCS12 43
    276 #endif
    277 static int do_file_type(const char *type)
    278 {
    279   if(!type || !type[0])
    280     return SSL_FILETYPE_PEM;
    281   if(Curl_raw_equal(type, "PEM"))
    282     return SSL_FILETYPE_PEM;
    283   if(Curl_raw_equal(type, "DER"))
    284     return SSL_FILETYPE_ASN1;
    285   if(Curl_raw_equal(type, "ENG"))
    286     return SSL_FILETYPE_ENGINE;
    287   if(Curl_raw_equal(type, "P12"))
    288     return SSL_FILETYPE_PKCS12;
    289   return -1;
    290 }
    291 
    292 #if defined(HAVE_OPENSSL_ENGINE_H)
    293 /*
    294  * Supply default password to the engine user interface conversation.
    295  * The password is passed by OpenSSL engine from ENGINE_load_private_key()
    296  * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
    297  */
    298 static int ssl_ui_reader(UI *ui, UI_STRING *uis)
    299 {
    300   const char *password;
    301   switch(UI_get_string_type(uis)) {
    302   case UIT_PROMPT:
    303   case UIT_VERIFY:
    304     password = (const char*)UI_get0_user_data(ui);
    305     if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
    306       UI_set_result(ui, uis, password);
    307       return 1;
    308     }
    309   default:
    310     break;
    311   }
    312   return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
    313 }
    314 
    315 /*
    316  * Suppress interactive request for a default password if available.
    317  */
    318 static int ssl_ui_writer(UI *ui, UI_STRING *uis)
    319 {
    320   switch(UI_get_string_type(uis)) {
    321   case UIT_PROMPT:
    322   case UIT_VERIFY:
    323     if(UI_get0_user_data(ui) &&
    324        (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
    325       return 1;
    326     }
    327   default:
    328     break;
    329   }
    330   return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
    331 }
    332 #endif
    333 
    334 static
    335 int cert_stuff(struct connectdata *conn,
    336                SSL_CTX* ctx,
    337                char *cert_file,
    338                const char *cert_type,
    339                char *key_file,
    340                const char *key_type)
    341 {
    342   struct Curl_easy *data = conn->data;
    343 
    344   int file_type = do_file_type(cert_type);
    345 
    346   if(cert_file || (file_type == SSL_FILETYPE_ENGINE)) {
    347     SSL *ssl;
    348     X509 *x509;
    349     int cert_done = 0;
    350 
    351     if(data->set.str[STRING_KEY_PASSWD]) {
    352       /* set the password in the callback userdata */
    353       SSL_CTX_set_default_passwd_cb_userdata(ctx,
    354                                              data->set.str[STRING_KEY_PASSWD]);
    355       /* Set passwd callback: */
    356       SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
    357     }
    358 
    359 
    360     switch(file_type) {
    361     case SSL_FILETYPE_PEM:
    362       /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
    363       if(SSL_CTX_use_certificate_chain_file(ctx,
    364                                             cert_file) != 1) {
    365         failf(data,
    366               "could not load PEM client certificate, " OSSL_PACKAGE
    367               " error %s, "
    368               "(no key found, wrong pass phrase, or wrong file format?)",
    369               ERR_error_string(ERR_get_error(), NULL) );
    370         return 0;
    371       }
    372       break;
    373 
    374     case SSL_FILETYPE_ASN1:
    375       /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
    376          we use the case above for PEM so this can only be performed with
    377          ASN1 files. */
    378       if(SSL_CTX_use_certificate_file(ctx,
    379                                       cert_file,
    380                                       file_type) != 1) {
    381         failf(data,
    382               "could not load ASN1 client certificate, " OSSL_PACKAGE
    383               " error %s, "
    384               "(no key found, wrong pass phrase, or wrong file format?)",
    385               ERR_error_string(ERR_get_error(), NULL) );
    386         return 0;
    387       }
    388       break;
    389     case SSL_FILETYPE_ENGINE:
    390 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
    391       {
    392         if(data->state.engine) {
    393           const char *cmd_name = "LOAD_CERT_CTRL";
    394           struct {
    395             const char *cert_id;
    396             X509 *cert;
    397           } params;
    398 
    399           params.cert_id = cert_file;
    400           params.cert = NULL;
    401 
    402           /* Does the engine supports LOAD_CERT_CTRL ? */
    403           if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
    404                           0, (void *)cmd_name, NULL)) {
    405             failf(data, "ssl engine does not support loading certificates");
    406             return 0;
    407           }
    408 
    409           /* Load the certificate from the engine */
    410           if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
    411                               0, &params, NULL, 1)) {
    412             failf(data, "ssl engine cannot load client cert with id"
    413                   " '%s' [%s]", cert_file,
    414                   ERR_error_string(ERR_get_error(), NULL));
    415             return 0;
    416           }
    417 
    418           if(!params.cert) {
    419             failf(data, "ssl engine didn't initialized the certificate "
    420                   "properly.");
    421             return 0;
    422           }
    423 
    424           if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
    425             failf(data, "unable to set client certificate");
    426             X509_free(params.cert);
    427             return 0;
    428           }
    429           X509_free(params.cert); /* we don't need the handle any more... */
    430         }
    431         else {
    432           failf(data, "crypto engine not set, can't load certificate");
    433           return 0;
    434         }
    435       }
    436       break;
    437 #else
    438       failf(data, "file type ENG for certificate not implemented");
    439       return 0;
    440 #endif
    441 
    442     case SSL_FILETYPE_PKCS12:
    443     {
    444 #ifdef HAVE_OPENSSL_PKCS12_H
    445       FILE *f;
    446       PKCS12 *p12;
    447       EVP_PKEY *pri;
    448       STACK_OF(X509) *ca = NULL;
    449 
    450       f = fopen(cert_file, "rb");
    451       if(!f) {
    452         failf(data, "could not open PKCS12 file '%s'", cert_file);
    453         return 0;
    454       }
    455       p12 = d2i_PKCS12_fp(f, NULL);
    456       fclose(f);
    457 
    458       if(!p12) {
    459         failf(data, "error reading PKCS12 file '%s'", cert_file);
    460         return 0;
    461       }
    462 
    463       PKCS12_PBE_add();
    464 
    465       if(!PKCS12_parse(p12, data->set.str[STRING_KEY_PASSWD], &pri, &x509,
    466                        &ca)) {
    467         failf(data,
    468               "could not parse PKCS12 file, check password, " OSSL_PACKAGE
    469               " error %s",
    470               ERR_error_string(ERR_get_error(), NULL) );
    471         PKCS12_free(p12);
    472         return 0;
    473       }
    474 
    475       PKCS12_free(p12);
    476 
    477       if(SSL_CTX_use_certificate(ctx, x509) != 1) {
    478         failf(data,
    479               "could not load PKCS12 client certificate, " OSSL_PACKAGE
    480               " error %s",
    481               ERR_error_string(ERR_get_error(), NULL) );
    482         goto fail;
    483       }
    484 
    485       if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
    486         failf(data, "unable to use private key from PKCS12 file '%s'",
    487               cert_file);
    488         goto fail;
    489       }
    490 
    491       if(!SSL_CTX_check_private_key (ctx)) {
    492         failf(data, "private key from PKCS12 file '%s' "
    493               "does not match certificate in same file", cert_file);
    494         goto fail;
    495       }
    496       /* Set Certificate Verification chain */
    497       if(ca) {
    498         while(sk_X509_num(ca)) {
    499           /*
    500            * Note that sk_X509_pop() is used below to make sure the cert is
    501            * removed from the stack properly before getting passed to
    502            * SSL_CTX_add_extra_chain_cert(). Previously we used
    503            * sk_X509_value() instead, but then we'd clean it in the subsequent
    504            * sk_X509_pop_free() call.
    505            */
    506           X509 *x = sk_X509_pop(ca);
    507           if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
    508             X509_free(x);
    509             failf(data, "cannot add certificate to certificate chain");
    510             goto fail;
    511           }
    512           /* SSL_CTX_add_client_CA() seems to work with either sk_* function,
    513            * presumably because it duplicates what we pass to it.
    514            */
    515           if(!SSL_CTX_add_client_CA(ctx, x)) {
    516             failf(data, "cannot add certificate to client CA list");
    517             goto fail;
    518           }
    519         }
    520       }
    521 
    522       cert_done = 1;
    523   fail:
    524       EVP_PKEY_free(pri);
    525       X509_free(x509);
    526       sk_X509_pop_free(ca, X509_free);
    527 
    528       if(!cert_done)
    529         return 0; /* failure! */
    530       break;
    531 #else
    532       failf(data, "file type P12 for certificate not supported");
    533       return 0;
    534 #endif
    535     }
    536     default:
    537       failf(data, "not supported file type '%s' for certificate", cert_type);
    538       return 0;
    539     }
    540 
    541     file_type = do_file_type(key_type);
    542 
    543     switch(file_type) {
    544     case SSL_FILETYPE_PEM:
    545       if(cert_done)
    546         break;
    547       if(!key_file)
    548         /* cert & key can only be in PEM case in the same file */
    549         key_file=cert_file;
    550     case SSL_FILETYPE_ASN1:
    551       if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != 1) {
    552         failf(data, "unable to set private key file: '%s' type %s",
    553               key_file, key_type?key_type:"PEM");
    554         return 0;
    555       }
    556       break;
    557     case SSL_FILETYPE_ENGINE:
    558 #ifdef HAVE_OPENSSL_ENGINE_H
    559       {                         /* XXXX still needs some work */
    560         EVP_PKEY *priv_key = NULL;
    561         if(data->state.engine) {
    562           UI_METHOD *ui_method =
    563             UI_create_method((char *)"cURL user interface");
    564           if(!ui_method) {
    565             failf(data, "unable do create " OSSL_PACKAGE
    566                   " user-interface method");
    567             return 0;
    568           }
    569           UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
    570           UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
    571           UI_method_set_reader(ui_method, ssl_ui_reader);
    572           UI_method_set_writer(ui_method, ssl_ui_writer);
    573           /* the typecast below was added to please mingw32 */
    574           priv_key = (EVP_PKEY *)
    575             ENGINE_load_private_key(data->state.engine, key_file,
    576                                     ui_method,
    577                                     data->set.str[STRING_KEY_PASSWD]);
    578           UI_destroy_method(ui_method);
    579           if(!priv_key) {
    580             failf(data, "failed to load private key from crypto engine");
    581             return 0;
    582           }
    583           if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
    584             failf(data, "unable to set private key");
    585             EVP_PKEY_free(priv_key);
    586             return 0;
    587           }
    588           EVP_PKEY_free(priv_key);  /* we don't need the handle any more... */
    589         }
    590         else {
    591           failf(data, "crypto engine not set, can't load private key");
    592           return 0;
    593         }
    594       }
    595       break;
    596 #else
    597       failf(data, "file type ENG for private key not supported");
    598       return 0;
    599 #endif
    600     case SSL_FILETYPE_PKCS12:
    601       if(!cert_done) {
    602         failf(data, "file type P12 for private key not supported");
    603         return 0;
    604       }
    605       break;
    606     default:
    607       failf(data, "not supported file type for private key");
    608       return 0;
    609     }
    610 
    611     ssl=SSL_new(ctx);
    612     if(!ssl) {
    613       failf(data, "unable to create an SSL structure");
    614       return 0;
    615     }
    616 
    617     x509=SSL_get_certificate(ssl);
    618 
    619     /* This version was provided by Evan Jordan and is supposed to not
    620        leak memory as the previous version: */
    621     if(x509) {
    622       EVP_PKEY *pktmp = X509_get_pubkey(x509);
    623       EVP_PKEY_copy_parameters(pktmp, SSL_get_privatekey(ssl));
    624       EVP_PKEY_free(pktmp);
    625     }
    626 
    627     SSL_free(ssl);
    628 
    629     /* If we are using DSA, we can copy the parameters from
    630      * the private key */
    631 
    632 
    633     /* Now we know that a key and cert have been set against
    634      * the SSL context */
    635     if(!SSL_CTX_check_private_key(ctx)) {
    636       failf(data, "Private key does not match the certificate public key");
    637       return 0;
    638     }
    639   }
    640   return 1;
    641 }
    642 
    643 /* returns non-zero on failure */
    644 static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
    645 {
    646 #if 0
    647   return X509_NAME_oneline(a, buf, size);
    648 #else
    649   BIO *bio_out = BIO_new(BIO_s_mem());
    650   BUF_MEM *biomem;
    651   int rc;
    652 
    653   if(!bio_out)
    654     return 1; /* alloc failed! */
    655 
    656   rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
    657   BIO_get_mem_ptr(bio_out, &biomem);
    658 
    659   if((size_t)biomem->length < size)
    660     size = biomem->length;
    661   else
    662     size--; /* don't overwrite the buffer end */
    663 
    664   memcpy(buf, biomem->data, size);
    665   buf[size]=0;
    666 
    667   BIO_free(bio_out);
    668 
    669   return !rc;
    670 #endif
    671 }
    672 
    673 /* Return error string for last OpenSSL error
    674  */
    675 static char *ossl_strerror(unsigned long error, char *buf, size_t size)
    676 {
    677   /* OpenSSL 0.9.6 and later has a function named
    678      ERR_error_string_n() that takes the size of the buffer as a
    679      third argument */
    680   ERR_error_string_n(error, buf, size);
    681   return buf;
    682 }
    683 
    684 /**
    685  * Global SSL init
    686  *
    687  * @retval 0 error initializing SSL
    688  * @retval 1 SSL initialized successfully
    689  */
    690 int Curl_ossl_init(void)
    691 {
    692   OPENSSL_load_builtin_modules();
    693 
    694 #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES
    695   ENGINE_load_builtin_engines();
    696 #endif
    697 
    698   /* OPENSSL_config(NULL); is "strongly recommended" to use but unfortunately
    699      that function makes an exit() call on wrongly formatted config files
    700      which makes it hard to use in some situations. OPENSSL_config() itself
    701      calls CONF_modules_load_file() and we use that instead and we ignore
    702      its return code! */
    703 
    704   /* CONF_MFLAGS_DEFAULT_SECTION introduced some time between 0.9.8b and
    705      0.9.8e */
    706 #ifndef CONF_MFLAGS_DEFAULT_SECTION
    707 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
    708 #endif
    709 
    710   CONF_modules_load_file(NULL, NULL,
    711                          CONF_MFLAGS_DEFAULT_SECTION|
    712                          CONF_MFLAGS_IGNORE_MISSING_FILE);
    713 
    714   /* Lets get nice error messages */
    715   SSL_load_error_strings();
    716 
    717   /* Init the global ciphers and digests */
    718   if(!SSLeay_add_ssl_algorithms())
    719     return 0;
    720 
    721   OpenSSL_add_all_algorithms();
    722 
    723   return 1;
    724 }
    725 
    726 /* Global cleanup */
    727 void Curl_ossl_cleanup(void)
    728 {
    729   /* Free ciphers and digests lists */
    730   EVP_cleanup();
    731 
    732 #ifdef HAVE_ENGINE_CLEANUP
    733   /* Free engine list */
    734   ENGINE_cleanup();
    735 #endif
    736 
    737 #ifdef HAVE_CRYPTO_CLEANUP_ALL_EX_DATA
    738   /* Free OpenSSL ex_data table */
    739   CRYPTO_cleanup_all_ex_data();
    740 #endif
    741 
    742   /* Free OpenSSL error strings */
    743   ERR_free_strings();
    744 
    745   /* Free thread local error state, destroying hash upon zero refcount */
    746 #ifdef HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED
    747 
    748 #elif defined(HAVE_ERR_REMOVE_THREAD_STATE)
    749   ERR_remove_thread_state(NULL);
    750 #else
    751   ERR_remove_state(0);
    752 #endif
    753 
    754   /* Free all memory allocated by all configuration modules */
    755   CONF_modules_free();
    756 
    757 #ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
    758   SSL_COMP_free_compression_methods();
    759 #endif
    760 }
    761 
    762 /*
    763  * This function is used to determine connection status.
    764  *
    765  * Return codes:
    766  *     1 means the connection is still in place
    767  *     0 means the connection has been closed
    768  *    -1 means the connection status is unknown
    769  */
    770 int Curl_ossl_check_cxn(struct connectdata *conn)
    771 {
    772   /* SSL_peek takes data out of the raw recv buffer without peeking so we use
    773      recv MSG_PEEK instead. Bug #795 */
    774 #ifdef MSG_PEEK
    775   char buf;
    776   ssize_t nread;
    777   nread = recv((RECV_TYPE_ARG1)conn->sock[FIRSTSOCKET], (RECV_TYPE_ARG2)&buf,
    778                (RECV_TYPE_ARG3)1, (RECV_TYPE_ARG4)MSG_PEEK);
    779   if(nread == 0)
    780     return 0; /* connection has been closed */
    781   else if(nread == 1)
    782     return 1; /* connection still in place */
    783   else if(nread == -1) {
    784       int err = SOCKERRNO;
    785       if(err == EINPROGRESS ||
    786 #if defined(EAGAIN) && (EAGAIN != EWOULDBLOCK)
    787          err == EAGAIN ||
    788 #endif
    789          err == EWOULDBLOCK)
    790         return 1; /* connection still in place */
    791       if(err == ECONNRESET ||
    792 #ifdef ECONNABORTED
    793          err == ECONNABORTED ||
    794 #endif
    795 #ifdef ENETDOWN
    796          err == ENETDOWN ||
    797 #endif
    798 #ifdef ENETRESET
    799          err == ENETRESET ||
    800 #endif
    801 #ifdef ESHUTDOWN
    802          err == ESHUTDOWN ||
    803 #endif
    804 #ifdef ETIMEDOUT
    805          err == ETIMEDOUT ||
    806 #endif
    807          err == ENOTCONN)
    808         return 0; /* connection has been closed */
    809   }
    810 #endif
    811   return -1; /* connection status unknown */
    812 }
    813 
    814 /* Selects an OpenSSL crypto engine
    815  */
    816 CURLcode Curl_ossl_set_engine(struct Curl_easy *data, const char *engine)
    817 {
    818 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H)
    819   ENGINE *e;
    820 
    821 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
    822   e = ENGINE_by_id(engine);
    823 #else
    824   /* avoid memory leak */
    825   for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
    826     const char *e_id = ENGINE_get_id(e);
    827     if(!strcmp(engine, e_id))
    828       break;
    829   }
    830 #endif
    831 
    832   if(!e) {
    833     failf(data, "SSL Engine '%s' not found", engine);
    834     return CURLE_SSL_ENGINE_NOTFOUND;
    835   }
    836 
    837   if(data->state.engine) {
    838     ENGINE_finish(data->state.engine);
    839     ENGINE_free(data->state.engine);
    840     data->state.engine = NULL;
    841   }
    842   if(!ENGINE_init(e)) {
    843     char buf[256];
    844 
    845     ENGINE_free(e);
    846     failf(data, "Failed to initialise SSL Engine '%s':\n%s",
    847           engine, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
    848     return CURLE_SSL_ENGINE_INITFAILED;
    849   }
    850   data->state.engine = e;
    851   return CURLE_OK;
    852 #else
    853   (void)engine;
    854   failf(data, "SSL Engine not supported");
    855   return CURLE_SSL_ENGINE_NOTFOUND;
    856 #endif
    857 }
    858 
    859 /* Sets engine as default for all SSL operations
    860  */
    861 CURLcode Curl_ossl_set_engine_default(struct Curl_easy *data)
    862 {
    863 #ifdef HAVE_OPENSSL_ENGINE_H
    864   if(data->state.engine) {
    865     if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
    866       infof(data, "set default crypto engine '%s'\n",
    867             ENGINE_get_id(data->state.engine));
    868     }
    869     else {
    870       failf(data, "set default crypto engine '%s' failed",
    871             ENGINE_get_id(data->state.engine));
    872       return CURLE_SSL_ENGINE_SETFAILED;
    873     }
    874   }
    875 #else
    876   (void) data;
    877 #endif
    878   return CURLE_OK;
    879 }
    880 
    881 /* Return list of OpenSSL crypto engine names.
    882  */
    883 struct curl_slist *Curl_ossl_engines_list(struct Curl_easy *data)
    884 {
    885   struct curl_slist *list = NULL;
    886 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H)
    887   struct curl_slist *beg;
    888   ENGINE *e;
    889 
    890   for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
    891     beg = curl_slist_append(list, ENGINE_get_id(e));
    892     if(!beg) {
    893       curl_slist_free_all(list);
    894       return NULL;
    895     }
    896     list = beg;
    897   }
    898 #endif
    899   (void) data;
    900   return list;
    901 }
    902 
    903 
    904 /*
    905  * This function is called when an SSL connection is closed.
    906  */
    907 void Curl_ossl_close(struct connectdata *conn, int sockindex)
    908 {
    909   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
    910 
    911   if(connssl->handle) {
    912     (void)SSL_shutdown(connssl->handle);
    913     SSL_set_connect_state(connssl->handle);
    914 
    915     SSL_free (connssl->handle);
    916     connssl->handle = NULL;
    917   }
    918   if(connssl->ctx) {
    919     SSL_CTX_free (connssl->ctx);
    920     connssl->ctx = NULL;
    921   }
    922 }
    923 
    924 /*
    925  * This function is called to shut down the SSL layer but keep the
    926  * socket open (CCC - Clear Command Channel)
    927  */
    928 int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
    929 {
    930   int retval = 0;
    931   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
    932   struct Curl_easy *data = conn->data;
    933   char buf[256]; /* We will use this for the OpenSSL error buffer, so it has
    934                     to be at least 256 bytes long. */
    935   unsigned long sslerror;
    936   ssize_t nread;
    937   int buffsize;
    938   int err;
    939   int done = 0;
    940 
    941   /* This has only been tested on the proftpd server, and the mod_tls code
    942      sends a close notify alert without waiting for a close notify alert in
    943      response. Thus we wait for a close notify alert from the server, but
    944      we do not send one. Let's hope other servers do the same... */
    945 
    946   if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
    947       (void)SSL_shutdown(connssl->handle);
    948 
    949   if(connssl->handle) {
    950     buffsize = (int)sizeof(buf);
    951     while(!done) {
    952       int what = Curl_socket_ready(conn->sock[sockindex],
    953                                    CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
    954       if(what > 0) {
    955         ERR_clear_error();
    956 
    957         /* Something to read, let's do it and hope that it is the close
    958            notify alert from the server */
    959         nread = (ssize_t)SSL_read(conn->ssl[sockindex].handle, buf,
    960                                   buffsize);
    961         err = SSL_get_error(conn->ssl[sockindex].handle, (int)nread);
    962 
    963         switch(err) {
    964         case SSL_ERROR_NONE: /* this is not an error */
    965         case SSL_ERROR_ZERO_RETURN: /* no more data */
    966           /* This is the expected response. There was no data but only
    967              the close notify alert */
    968           done = 1;
    969           break;
    970         case SSL_ERROR_WANT_READ:
    971           /* there's data pending, re-invoke SSL_read() */
    972           infof(data, "SSL_ERROR_WANT_READ\n");
    973           break;
    974         case SSL_ERROR_WANT_WRITE:
    975           /* SSL wants a write. Really odd. Let's bail out. */
    976           infof(data, "SSL_ERROR_WANT_WRITE\n");
    977           done = 1;
    978           break;
    979         default:
    980           /* openssl/ssl.h says "look at error stack/return value/errno" */
    981           sslerror = ERR_get_error();
    982           failf(conn->data, OSSL_PACKAGE " SSL read: %s, errno %d",
    983                 ossl_strerror(sslerror, buf, sizeof(buf)),
    984                 SOCKERRNO);
    985           done = 1;
    986           break;
    987         }
    988       }
    989       else if(0 == what) {
    990         /* timeout */
    991         failf(data, "SSL shutdown timeout");
    992         done = 1;
    993       }
    994       else {
    995         /* anything that gets here is fatally bad */
    996         failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
    997         retval = -1;
    998         done = 1;
    999       }
   1000     } /* while()-loop for the select() */
   1001 
   1002     if(data->set.verbose) {
   1003 #ifdef HAVE_SSL_GET_SHUTDOWN
   1004       switch(SSL_get_shutdown(connssl->handle)) {
   1005       case SSL_SENT_SHUTDOWN:
   1006         infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n");
   1007         break;
   1008       case SSL_RECEIVED_SHUTDOWN:
   1009         infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n");
   1010         break;
   1011       case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN:
   1012         infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|"
   1013               "SSL_RECEIVED__SHUTDOWN\n");
   1014         break;
   1015       }
   1016 #endif
   1017     }
   1018 
   1019     SSL_free (connssl->handle);
   1020     connssl->handle = NULL;
   1021   }
   1022   return retval;
   1023 }
   1024 
   1025 void Curl_ossl_session_free(void *ptr)
   1026 {
   1027   /* free the ID */
   1028   SSL_SESSION_free(ptr);
   1029 }
   1030 
   1031 /*
   1032  * This function is called when the 'data' struct is going away. Close
   1033  * down everything and free all resources!
   1034  */
   1035 void Curl_ossl_close_all(struct Curl_easy *data)
   1036 {
   1037 #ifdef HAVE_OPENSSL_ENGINE_H
   1038   if(data->state.engine) {
   1039     ENGINE_finish(data->state.engine);
   1040     ENGINE_free(data->state.engine);
   1041     data->state.engine = NULL;
   1042   }
   1043 #else
   1044   (void)data;
   1045 #endif
   1046 }
   1047 
   1048 /* ====================================================== */
   1049 
   1050 
   1051 /* Quote from RFC2818 section 3.1 "Server Identity"
   1052 
   1053    If a subjectAltName extension of type dNSName is present, that MUST
   1054    be used as the identity. Otherwise, the (most specific) Common Name
   1055    field in the Subject field of the certificate MUST be used. Although
   1056    the use of the Common Name is existing practice, it is deprecated and
   1057    Certification Authorities are encouraged to use the dNSName instead.
   1058 
   1059    Matching is performed using the matching rules specified by
   1060    [RFC2459].  If more than one identity of a given type is present in
   1061    the certificate (e.g., more than one dNSName name, a match in any one
   1062    of the set is considered acceptable.) Names may contain the wildcard
   1063    character * which is considered to match any single domain name
   1064    component or component fragment. E.g., *.a.com matches foo.a.com but
   1065    not bar.foo.a.com. f*.com matches foo.com but not bar.com.
   1066 
   1067    In some cases, the URI is specified as an IP address rather than a
   1068    hostname. In this case, the iPAddress subjectAltName must be present
   1069    in the certificate and must exactly match the IP in the URI.
   1070 
   1071 */
   1072 static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
   1073 {
   1074   bool matched = FALSE;
   1075   int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
   1076   size_t addrlen = 0;
   1077   struct Curl_easy *data = conn->data;
   1078   STACK_OF(GENERAL_NAME) *altnames;
   1079 #ifdef ENABLE_IPV6
   1080   struct in6_addr addr;
   1081 #else
   1082   struct in_addr addr;
   1083 #endif
   1084   CURLcode result = CURLE_OK;
   1085   bool dNSName = FALSE; /* if a dNSName field exists in the cert */
   1086 
   1087 #ifdef ENABLE_IPV6
   1088   if(conn->bits.ipv6_ip &&
   1089      Curl_inet_pton(AF_INET6, conn->host.name, &addr)) {
   1090     target = GEN_IPADD;
   1091     addrlen = sizeof(struct in6_addr);
   1092   }
   1093   else
   1094 #endif
   1095     if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) {
   1096       target = GEN_IPADD;
   1097       addrlen = sizeof(struct in_addr);
   1098     }
   1099 
   1100   /* get a "list" of alternative names */
   1101   altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
   1102 
   1103   if(altnames) {
   1104     int numalts;
   1105     int i;
   1106     bool dnsmatched = FALSE;
   1107     bool ipmatched = FALSE;
   1108 
   1109     /* get amount of alternatives, RFC2459 claims there MUST be at least
   1110        one, but we don't depend on it... */
   1111     numalts = sk_GENERAL_NAME_num(altnames);
   1112 
   1113     /* loop through all alternatives - until a dnsmatch */
   1114     for(i=0; (i < numalts) && !dnsmatched; i++) {
   1115       /* get a handle to alternative name number i */
   1116       const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
   1117 
   1118       /* If a subjectAltName extension of type dNSName is present, that MUST
   1119          be used as the identity. / RFC2818 section 3.1 */
   1120       if(check->type == GEN_DNS)
   1121         dNSName = TRUE;
   1122 
   1123       /* only check alternatives of the same type the target is */
   1124       if(check->type == target) {
   1125         /* get data and length */
   1126         const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
   1127         size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
   1128 
   1129         switch(target) {
   1130         case GEN_DNS: /* name/pattern comparison */
   1131           /* The OpenSSL man page explicitly says: "In general it cannot be
   1132              assumed that the data returned by ASN1_STRING_data() is null
   1133              terminated or does not contain embedded nulls." But also that
   1134              "The actual format of the data will depend on the actual string
   1135              type itself: for example for and IA5String the data will be ASCII"
   1136 
   1137              Gisle researched the OpenSSL sources:
   1138              "I checked the 0.9.6 and 0.9.8 sources before my patch and
   1139              it always 0-terminates an IA5String."
   1140           */
   1141           if((altlen == strlen(altptr)) &&
   1142              /* if this isn't true, there was an embedded zero in the name
   1143                 string and we cannot match it. */
   1144              Curl_cert_hostcheck(altptr, conn->host.name)) {
   1145             dnsmatched = TRUE;
   1146             infof(data,
   1147                   " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
   1148                   conn->host.dispname, altptr);
   1149           }
   1150           break;
   1151 
   1152         case GEN_IPADD: /* IP address comparison */
   1153           /* compare alternative IP address if the data chunk is the same size
   1154              our server IP address is */
   1155           if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
   1156             ipmatched = TRUE;
   1157             infof(data,
   1158                   " subjectAltName: host \"%s\" matched cert's IP address!\n",
   1159                   conn->host.dispname);
   1160           }
   1161           break;
   1162         }
   1163       }
   1164     }
   1165     GENERAL_NAMES_free(altnames);
   1166 
   1167     if(dnsmatched || (!dNSName && ipmatched)) {
   1168       /* count as a match if the dnsname matched or if there was no dnsname
   1169          fields at all AND there was an IP field match */
   1170       matched = TRUE;
   1171     }
   1172   }
   1173 
   1174   if(matched)
   1175     /* an alternative name matched */
   1176     ;
   1177   else if(dNSName) {
   1178     /* an dNSName field existed, but didn't match and then we MUST fail */
   1179     infof(data, " subjectAltName does not match %s\n", conn->host.dispname);
   1180     failf(data, "SSL: no alternative certificate subject name matches "
   1181           "target host name '%s'", conn->host.dispname);
   1182     result = CURLE_PEER_FAILED_VERIFICATION;
   1183   }
   1184   else {
   1185     /* we have to look to the last occurrence of a commonName in the
   1186        distinguished one to get the most significant one. */
   1187     int j, i=-1;
   1188 
   1189     /* The following is done because of a bug in 0.9.6b */
   1190 
   1191     unsigned char *nulstr = (unsigned char *)"";
   1192     unsigned char *peer_CN = nulstr;
   1193 
   1194     X509_NAME *name = X509_get_subject_name(server_cert);
   1195     if(name)
   1196       while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i))>=0)
   1197         i=j;
   1198 
   1199     /* we have the name entry and we will now convert this to a string
   1200        that we can use for comparison. Doing this we support BMPstring,
   1201        UTF8 etc. */
   1202 
   1203     if(i>=0) {
   1204       ASN1_STRING *tmp =
   1205         X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
   1206 
   1207       /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
   1208          is already UTF-8 encoded. We check for this case and copy the raw
   1209          string manually to avoid the problem. This code can be made
   1210          conditional in the future when OpenSSL has been fixed. Work-around
   1211          brought by Alexis S. L. Carvalho. */
   1212       if(tmp) {
   1213         if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
   1214           j = ASN1_STRING_length(tmp);
   1215           if(j >= 0) {
   1216             peer_CN = OPENSSL_malloc(j+1);
   1217             if(peer_CN) {
   1218               memcpy(peer_CN, ASN1_STRING_data(tmp), j);
   1219               peer_CN[j] = '\0';
   1220             }
   1221           }
   1222         }
   1223         else /* not a UTF8 name */
   1224           j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
   1225 
   1226         if(peer_CN && (curlx_uztosi(strlen((char *)peer_CN)) != j)) {
   1227           /* there was a terminating zero before the end of string, this
   1228              cannot match and we return failure! */
   1229           failf(data, "SSL: illegal cert name field");
   1230           result = CURLE_PEER_FAILED_VERIFICATION;
   1231         }
   1232       }
   1233     }
   1234 
   1235     if(peer_CN == nulstr)
   1236        peer_CN = NULL;
   1237     else {
   1238       /* convert peer_CN from UTF8 */
   1239       CURLcode rc = Curl_convert_from_utf8(data, peer_CN, strlen(peer_CN));
   1240       /* Curl_convert_from_utf8 calls failf if unsuccessful */
   1241       if(rc) {
   1242         OPENSSL_free(peer_CN);
   1243         return rc;
   1244       }
   1245     }
   1246 
   1247     if(result)
   1248       /* error already detected, pass through */
   1249       ;
   1250     else if(!peer_CN) {
   1251       failf(data,
   1252             "SSL: unable to obtain common name from peer certificate");
   1253       result = CURLE_PEER_FAILED_VERIFICATION;
   1254     }
   1255     else if(!Curl_cert_hostcheck((const char *)peer_CN, conn->host.name)) {
   1256       failf(data, "SSL: certificate subject name '%s' does not match "
   1257             "target host name '%s'", peer_CN, conn->host.dispname);
   1258       result = CURLE_PEER_FAILED_VERIFICATION;
   1259     }
   1260     else {
   1261       infof(data, " common name: %s (matched)\n", peer_CN);
   1262     }
   1263     if(peer_CN)
   1264       OPENSSL_free(peer_CN);
   1265   }
   1266 
   1267   return result;
   1268 }
   1269 
   1270 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
   1271     !defined(OPENSSL_NO_OCSP)
   1272 static CURLcode verifystatus(struct connectdata *conn,
   1273                              struct ssl_connect_data *connssl)
   1274 {
   1275   int i, ocsp_status;
   1276   const unsigned char *p;
   1277   CURLcode result = CURLE_OK;
   1278   struct Curl_easy *data = conn->data;
   1279 
   1280   OCSP_RESPONSE *rsp = NULL;
   1281   OCSP_BASICRESP *br = NULL;
   1282   X509_STORE     *st = NULL;
   1283   STACK_OF(X509) *ch = NULL;
   1284 
   1285   long len = SSL_get_tlsext_status_ocsp_resp(connssl->handle, &p);
   1286 
   1287   if(!p) {
   1288     failf(data, "No OCSP response received");
   1289     result = CURLE_SSL_INVALIDCERTSTATUS;
   1290     goto end;
   1291   }
   1292 
   1293   rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
   1294   if(!rsp) {
   1295     failf(data, "Invalid OCSP response");
   1296     result = CURLE_SSL_INVALIDCERTSTATUS;
   1297     goto end;
   1298   }
   1299 
   1300   ocsp_status = OCSP_response_status(rsp);
   1301   if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
   1302     failf(data, "Invalid OCSP response status: %s (%d)",
   1303           OCSP_response_status_str(ocsp_status), ocsp_status);
   1304     result = CURLE_SSL_INVALIDCERTSTATUS;
   1305     goto end;
   1306   }
   1307 
   1308   br = OCSP_response_get1_basic(rsp);
   1309   if(!br) {
   1310     failf(data, "Invalid OCSP response");
   1311     result = CURLE_SSL_INVALIDCERTSTATUS;
   1312     goto end;
   1313   }
   1314 
   1315   ch = SSL_get_peer_cert_chain(connssl->handle);
   1316   st = SSL_CTX_get_cert_store(connssl->ctx);
   1317 
   1318 #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
   1319      defined(LIBRESSL_VERSION_NUMBER))
   1320   /* The authorized responder cert in the OCSP response MUST be signed by the
   1321      peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
   1322      no problem, but if it's an intermediate cert OpenSSL has a bug where it
   1323      expects this issuer to be present in the chain embedded in the OCSP
   1324      response. So we add it if necessary. */
   1325 
   1326   /* First make sure the peer cert chain includes both a peer and an issuer,
   1327      and the OCSP response contains a responder cert. */
   1328   if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
   1329     X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
   1330 
   1331     /* Find issuer of responder cert and add it to the OCSP response chain */
   1332     for(i = 0; i < sk_X509_num(ch); i++) {
   1333       X509 *issuer = sk_X509_value(ch, i);
   1334       if(X509_check_issued(issuer, responder) == X509_V_OK) {
   1335         if(!OCSP_basic_add1_cert(br, issuer)) {
   1336           failf(data, "Could not add issuer cert to OCSP response");
   1337           result = CURLE_SSL_INVALIDCERTSTATUS;
   1338           goto end;
   1339         }
   1340       }
   1341     }
   1342   }
   1343 #endif
   1344 
   1345   if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
   1346     failf(data, "OCSP response verification failed");
   1347     result = CURLE_SSL_INVALIDCERTSTATUS;
   1348     goto end;
   1349   }
   1350 
   1351   for(i = 0; i < OCSP_resp_count(br); i++) {
   1352     int cert_status, crl_reason;
   1353     OCSP_SINGLERESP *single = NULL;
   1354 
   1355     ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
   1356 
   1357     single = OCSP_resp_get0(br, i);
   1358     if(!single)
   1359       continue;
   1360 
   1361     cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
   1362                                           &thisupd, &nextupd);
   1363 
   1364     if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
   1365       failf(data, "OCSP response has expired");
   1366       result = CURLE_SSL_INVALIDCERTSTATUS;
   1367       goto end;
   1368     }
   1369 
   1370     infof(data, "SSL certificate status: %s (%d)\n",
   1371           OCSP_cert_status_str(cert_status), cert_status);
   1372 
   1373     switch(cert_status) {
   1374       case V_OCSP_CERTSTATUS_GOOD:
   1375         break;
   1376 
   1377       case V_OCSP_CERTSTATUS_REVOKED:
   1378         result = CURLE_SSL_INVALIDCERTSTATUS;
   1379 
   1380         failf(data, "SSL certificate revocation reason: %s (%d)",
   1381               OCSP_crl_reason_str(crl_reason), crl_reason);
   1382         goto end;
   1383 
   1384       case V_OCSP_CERTSTATUS_UNKNOWN:
   1385         result = CURLE_SSL_INVALIDCERTSTATUS;
   1386         goto end;
   1387     }
   1388   }
   1389 
   1390 end:
   1391   if(br) OCSP_BASICRESP_free(br);
   1392   OCSP_RESPONSE_free(rsp);
   1393 
   1394   return result;
   1395 }
   1396 #endif
   1397 
   1398 #endif /* USE_OPENSSL */
   1399 
   1400 /* The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions
   1401    and thus this cannot be done there. */
   1402 #ifdef SSL_CTRL_SET_MSG_CALLBACK
   1403 
   1404 static const char *ssl_msg_type(int ssl_ver, int msg)
   1405 {
   1406 #ifdef SSL2_VERSION_MAJOR
   1407   if(ssl_ver == SSL2_VERSION_MAJOR) {
   1408     switch (msg) {
   1409       case SSL2_MT_ERROR:
   1410         return "Error";
   1411       case SSL2_MT_CLIENT_HELLO:
   1412         return "Client hello";
   1413       case SSL2_MT_CLIENT_MASTER_KEY:
   1414         return "Client key";
   1415       case SSL2_MT_CLIENT_FINISHED:
   1416         return "Client finished";
   1417       case SSL2_MT_SERVER_HELLO:
   1418         return "Server hello";
   1419       case SSL2_MT_SERVER_VERIFY:
   1420         return "Server verify";
   1421       case SSL2_MT_SERVER_FINISHED:
   1422         return "Server finished";
   1423       case SSL2_MT_REQUEST_CERTIFICATE:
   1424         return "Request CERT";
   1425       case SSL2_MT_CLIENT_CERTIFICATE:
   1426         return "Client CERT";
   1427     }
   1428   }
   1429   else
   1430 #endif
   1431   if(ssl_ver == SSL3_VERSION_MAJOR) {
   1432     switch (msg) {
   1433       case SSL3_MT_HELLO_REQUEST:
   1434         return "Hello request";
   1435       case SSL3_MT_CLIENT_HELLO:
   1436         return "Client hello";
   1437       case SSL3_MT_SERVER_HELLO:
   1438         return "Server hello";
   1439 #ifdef SSL3_MT_NEWSESSION_TICKET
   1440       case SSL3_MT_NEWSESSION_TICKET:
   1441         return "Newsession Ticket";
   1442 #endif
   1443       case SSL3_MT_CERTIFICATE:
   1444         return "Certificate";
   1445       case SSL3_MT_SERVER_KEY_EXCHANGE:
   1446         return "Server key exchange";
   1447       case SSL3_MT_CLIENT_KEY_EXCHANGE:
   1448         return "Client key exchange";
   1449       case SSL3_MT_CERTIFICATE_REQUEST:
   1450         return "Request CERT";
   1451       case SSL3_MT_SERVER_DONE:
   1452         return "Server finished";
   1453       case SSL3_MT_CERTIFICATE_VERIFY:
   1454         return "CERT verify";
   1455       case SSL3_MT_FINISHED:
   1456         return "Finished";
   1457 #ifdef SSL3_MT_CERTIFICATE_STATUS
   1458       case SSL3_MT_CERTIFICATE_STATUS:
   1459         return "Certificate Status";
   1460 #endif
   1461     }
   1462   }
   1463   return "Unknown";
   1464 }
   1465 
   1466 static const char *tls_rt_type(int type)
   1467 {
   1468   switch(type) {
   1469 #ifdef SSL3_RT_HEADER
   1470   case SSL3_RT_HEADER:
   1471     return "TLS header";
   1472 #endif
   1473   case SSL3_RT_CHANGE_CIPHER_SPEC:
   1474     return "TLS change cipher";
   1475   case SSL3_RT_ALERT:
   1476     return "TLS alert";
   1477   case SSL3_RT_HANDSHAKE:
   1478     return "TLS handshake";
   1479   case SSL3_RT_APPLICATION_DATA:
   1480     return "TLS app data";
   1481   default:
   1482     return "TLS Unknown";
   1483   }
   1484 }
   1485 
   1486 
   1487 /*
   1488  * Our callback from the SSL/TLS layers.
   1489  */
   1490 static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
   1491                           const void *buf, size_t len, SSL *ssl,
   1492                           void *userp)
   1493 {
   1494   struct Curl_easy *data;
   1495   const char *msg_name, *tls_rt_name;
   1496   char ssl_buf[1024];
   1497   char unknown[32];
   1498   int msg_type, txt_len;
   1499   const char *verstr = NULL;
   1500   struct connectdata *conn = userp;
   1501 
   1502   if(!conn || !conn->data || !conn->data->set.fdebug ||
   1503      (direction != 0 && direction != 1))
   1504     return;
   1505 
   1506   data = conn->data;
   1507 
   1508   switch(ssl_ver) {
   1509 #ifdef SSL2_VERSION /* removed in recent versions */
   1510   case SSL2_VERSION:
   1511     verstr = "SSLv2";
   1512     break;
   1513 #endif
   1514 #ifdef SSL3_VERSION
   1515   case SSL3_VERSION:
   1516     verstr = "SSLv3";
   1517     break;
   1518 #endif
   1519   case TLS1_VERSION:
   1520     verstr = "TLSv1.0";
   1521     break;
   1522 #ifdef TLS1_1_VERSION
   1523   case TLS1_1_VERSION:
   1524     verstr = "TLSv1.1";
   1525     break;
   1526 #endif
   1527 #ifdef TLS1_2_VERSION
   1528   case TLS1_2_VERSION:
   1529     verstr = "TLSv1.2";
   1530     break;
   1531 #endif
   1532   case 0:
   1533     break;
   1534   default:
   1535     snprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
   1536     verstr = unknown;
   1537     break;
   1538   }
   1539 
   1540   if(ssl_ver) {
   1541     /* the info given when the version is zero is not that useful for us */
   1542 
   1543     ssl_ver >>= 8; /* check the upper 8 bits only below */
   1544 
   1545     /* SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL
   1546      * always pass-up content-type as 0. But the interesting message-type
   1547      * is at 'buf[0]'.
   1548      */
   1549     if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
   1550       tls_rt_name = tls_rt_type(content_type);
   1551     else
   1552       tls_rt_name = "";
   1553 
   1554     msg_type = *(char*)buf;
   1555     msg_name = ssl_msg_type(ssl_ver, msg_type);
   1556 
   1557     txt_len = snprintf(ssl_buf, sizeof(ssl_buf), "%s (%s), %s, %s (%d):\n",
   1558                        verstr, direction?"OUT":"IN",
   1559                        tls_rt_name, msg_name, msg_type);
   1560     Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len, NULL);
   1561   }
   1562 
   1563   Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
   1564              CURLINFO_SSL_DATA_IN, (char *)buf, len, NULL);
   1565   (void) ssl;
   1566 }
   1567 #endif
   1568 
   1569 #ifdef USE_OPENSSL
   1570 /* ====================================================== */
   1571 
   1572 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
   1573 #  define use_sni(x)  sni = (x)
   1574 #else
   1575 #  define use_sni(x)  Curl_nop_stmt
   1576 #endif
   1577 
   1578 /* Check for OpenSSL 1.0.2 which has ALPN support. */
   1579 #undef HAS_ALPN
   1580 #if OPENSSL_VERSION_NUMBER >= 0x10002000L \
   1581     && !defined(OPENSSL_NO_TLSEXT)
   1582 #  define HAS_ALPN 1
   1583 #endif
   1584 
   1585 /* Check for OpenSSL 1.0.1 which has NPN support. */
   1586 #undef HAS_NPN
   1587 #if OPENSSL_VERSION_NUMBER >= 0x10001000L \
   1588     && !defined(OPENSSL_NO_TLSEXT) \
   1589     && !defined(OPENSSL_NO_NEXTPROTONEG)
   1590 #  define HAS_NPN 1
   1591 #endif
   1592 
   1593 #ifdef HAS_NPN
   1594 
   1595 /*
   1596  * in is a list of lenght prefixed strings. this function has to select
   1597  * the protocol we want to use from the list and write its string into out.
   1598  */
   1599 
   1600 static int
   1601 select_next_protocol(unsigned char **out, unsigned char *outlen,
   1602                      const unsigned char *in, unsigned int inlen,
   1603                      const char *key, unsigned int keylen)
   1604 {
   1605   unsigned int i;
   1606   for(i = 0; i + keylen <= inlen; i += in[i] + 1) {
   1607     if(memcmp(&in[i + 1], key, keylen) == 0) {
   1608       *out = (unsigned char *) &in[i + 1];
   1609       *outlen = in[i];
   1610       return 0;
   1611     }
   1612   }
   1613   return -1;
   1614 }
   1615 
   1616 static int
   1617 select_next_proto_cb(SSL *ssl,
   1618                      unsigned char **out, unsigned char *outlen,
   1619                      const unsigned char *in, unsigned int inlen,
   1620                      void *arg)
   1621 {
   1622   struct connectdata *conn = (struct connectdata*) arg;
   1623 
   1624   (void)ssl;
   1625 
   1626 #ifdef USE_NGHTTP2
   1627   if(conn->data->set.httpversion >= CURL_HTTP_VERSION_2 &&
   1628      !select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_VERSION_ID,
   1629                            NGHTTP2_PROTO_VERSION_ID_LEN)) {
   1630     infof(conn->data, "NPN, negotiated HTTP2 (%s)\n",
   1631           NGHTTP2_PROTO_VERSION_ID);
   1632     conn->negnpn = CURL_HTTP_VERSION_2;
   1633     return SSL_TLSEXT_ERR_OK;
   1634   }
   1635 #endif
   1636 
   1637   if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1,
   1638                            ALPN_HTTP_1_1_LENGTH)) {
   1639     infof(conn->data, "NPN, negotiated HTTP1.1\n");
   1640     conn->negnpn = CURL_HTTP_VERSION_1_1;
   1641     return SSL_TLSEXT_ERR_OK;
   1642   }
   1643 
   1644   infof(conn->data, "NPN, no overlap, use HTTP1.1\n");
   1645   *out = (unsigned char *)ALPN_HTTP_1_1;
   1646   *outlen = ALPN_HTTP_1_1_LENGTH;
   1647   conn->negnpn = CURL_HTTP_VERSION_1_1;
   1648 
   1649   return SSL_TLSEXT_ERR_OK;
   1650 }
   1651 #endif /* HAS_NPN */
   1652 
   1653 static const char *
   1654 get_ssl_version_txt(SSL *ssl)
   1655 {
   1656   if(!ssl)
   1657     return "";
   1658 
   1659   switch(SSL_version(ssl)) {
   1660 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
   1661   case TLS1_2_VERSION:
   1662     return "TLSv1.2";
   1663   case TLS1_1_VERSION:
   1664     return "TLSv1.1";
   1665 #endif
   1666   case TLS1_VERSION:
   1667     return "TLSv1.0";
   1668   case SSL3_VERSION:
   1669     return "SSLv3";
   1670   case SSL2_VERSION:
   1671     return "SSLv2";
   1672   }
   1673   return "unknown";
   1674 }
   1675 
   1676 static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
   1677 {
   1678   CURLcode result = CURLE_OK;
   1679   char *ciphers;
   1680   struct Curl_easy *data = conn->data;
   1681   SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
   1682   X509_LOOKUP *lookup = NULL;
   1683   curl_socket_t sockfd = conn->sock[sockindex];
   1684   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   1685   long ctx_options;
   1686 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
   1687   bool sni;
   1688 #ifdef ENABLE_IPV6
   1689   struct in6_addr addr;
   1690 #else
   1691   struct in_addr addr;
   1692 #endif
   1693 #endif
   1694 
   1695   DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
   1696 
   1697   /* Make funny stuff to get random input */
   1698   Curl_ossl_seed(data);
   1699 
   1700   data->set.ssl.certverifyresult = !X509_V_OK;
   1701 
   1702   /* check to see if we've been told to use an explicit SSL/TLS version */
   1703 
   1704   switch(data->set.ssl.version) {
   1705   default:
   1706   case CURL_SSLVERSION_DEFAULT:
   1707   case CURL_SSLVERSION_TLSv1:
   1708   case CURL_SSLVERSION_TLSv1_0:
   1709   case CURL_SSLVERSION_TLSv1_1:
   1710   case CURL_SSLVERSION_TLSv1_2:
   1711     /* it will be handled later with the context options */
   1712 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
   1713     !defined(LIBRESSL_VERSION_NUMBER)
   1714     req_method = TLS_client_method();
   1715 #else
   1716     req_method = SSLv23_client_method();
   1717 #endif
   1718     use_sni(TRUE);
   1719     break;
   1720   case CURL_SSLVERSION_SSLv2:
   1721 #ifdef OPENSSL_NO_SSL2
   1722     failf(data, OSSL_PACKAGE " was built without SSLv2 support");
   1723     return CURLE_NOT_BUILT_IN;
   1724 #else
   1725 #ifdef USE_TLS_SRP
   1726     if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
   1727       return CURLE_SSL_CONNECT_ERROR;
   1728 #endif
   1729     req_method = SSLv2_client_method();
   1730     use_sni(FALSE);
   1731     break;
   1732 #endif
   1733   case CURL_SSLVERSION_SSLv3:
   1734 #ifdef OPENSSL_NO_SSL3_METHOD
   1735     failf(data, OSSL_PACKAGE " was built without SSLv3 support");
   1736     return CURLE_NOT_BUILT_IN;
   1737 #else
   1738 #ifdef USE_TLS_SRP
   1739     if(data->set.ssl.authtype == CURL_TLSAUTH_SRP)
   1740       return CURLE_SSL_CONNECT_ERROR;
   1741 #endif
   1742     req_method = SSLv3_client_method();
   1743     use_sni(FALSE);
   1744     break;
   1745 #endif
   1746   }
   1747 
   1748   if(connssl->ctx)
   1749     SSL_CTX_free(connssl->ctx);
   1750   connssl->ctx = SSL_CTX_new(req_method);
   1751 
   1752   if(!connssl->ctx) {
   1753     failf(data, "SSL: couldn't create a context: %s",
   1754           ERR_error_string(ERR_peek_error(), NULL));
   1755     return CURLE_OUT_OF_MEMORY;
   1756   }
   1757 
   1758 #ifdef SSL_MODE_RELEASE_BUFFERS
   1759   SSL_CTX_set_mode(connssl->ctx, SSL_MODE_RELEASE_BUFFERS);
   1760 #endif
   1761 
   1762 #ifdef SSL_CTRL_SET_MSG_CALLBACK
   1763   if(data->set.fdebug && data->set.verbose) {
   1764     /* the SSL trace callback is only used for verbose logging */
   1765     SSL_CTX_set_msg_callback(connssl->ctx, ssl_tls_trace);
   1766     SSL_CTX_set_msg_callback_arg(connssl->ctx, conn);
   1767   }
   1768 #endif
   1769 
   1770   /* OpenSSL contains code to work-around lots of bugs and flaws in various
   1771      SSL-implementations. SSL_CTX_set_options() is used to enabled those
   1772      work-arounds. The man page for this option states that SSL_OP_ALL enables
   1773      all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
   1774      enable the bug workaround options if compatibility with somewhat broken
   1775      implementations is desired."
   1776 
   1777      The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
   1778      disable "rfc4507bis session ticket support".  rfc4507bis was later turned
   1779      into the proper RFC5077 it seems: https://tools.ietf.org/html/rfc5077
   1780 
   1781      The enabled extension concerns the session management. I wonder how often
   1782      libcurl stops a connection and then resumes a TLS session. also, sending
   1783      the session data is some overhead. .I suggest that you just use your
   1784      proposed patch (which explicitly disables TICKET).
   1785 
   1786      If someone writes an application with libcurl and openssl who wants to
   1787      enable the feature, one can do this in the SSL callback.
   1788 
   1789      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
   1790      interoperability with web server Netscape Enterprise Server 2.0.1 which
   1791      was released back in 1996.
   1792 
   1793      Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
   1794      become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
   1795      CVE-2010-4180 when using previous OpenSSL versions we no longer enable
   1796      this option regardless of OpenSSL version and SSL_OP_ALL definition.
   1797 
   1798      OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
   1799      (https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
   1800      SSL_OP_ALL that _disables_ that work-around despite the fact that
   1801      SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
   1802      keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
   1803      must not be set.
   1804   */
   1805 
   1806   ctx_options = SSL_OP_ALL;
   1807 
   1808 #ifdef SSL_OP_NO_TICKET
   1809   ctx_options |= SSL_OP_NO_TICKET;
   1810 #endif
   1811 
   1812 #ifdef SSL_OP_NO_COMPRESSION
   1813   ctx_options |= SSL_OP_NO_COMPRESSION;
   1814 #endif
   1815 
   1816 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
   1817   /* mitigate CVE-2010-4180 */
   1818   ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
   1819 #endif
   1820 
   1821 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
   1822   /* unless the user explicitly ask to allow the protocol vulnerability we
   1823      use the work-around */
   1824   if(!conn->data->set.ssl_enable_beast)
   1825     ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
   1826 #endif
   1827 
   1828   switch(data->set.ssl.version) {
   1829   case CURL_SSLVERSION_SSLv3:
   1830 #ifdef USE_TLS_SRP
   1831     if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
   1832       infof(data, "Set version TLSv1.x for SRP authorisation\n");
   1833     }
   1834 #endif
   1835     ctx_options |= SSL_OP_NO_SSLv2;
   1836     ctx_options |= SSL_OP_NO_TLSv1;
   1837 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
   1838     ctx_options |= SSL_OP_NO_TLSv1_1;
   1839     ctx_options |= SSL_OP_NO_TLSv1_2;
   1840 #endif
   1841     break;
   1842 
   1843   case CURL_SSLVERSION_DEFAULT:
   1844   case CURL_SSLVERSION_TLSv1:
   1845     ctx_options |= SSL_OP_NO_SSLv2;
   1846     ctx_options |= SSL_OP_NO_SSLv3;
   1847     break;
   1848 
   1849   case CURL_SSLVERSION_TLSv1_0:
   1850     ctx_options |= SSL_OP_NO_SSLv2;
   1851     ctx_options |= SSL_OP_NO_SSLv3;
   1852 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
   1853     ctx_options |= SSL_OP_NO_TLSv1_1;
   1854     ctx_options |= SSL_OP_NO_TLSv1_2;
   1855 #endif
   1856     break;
   1857 
   1858 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
   1859   case CURL_SSLVERSION_TLSv1_1:
   1860     ctx_options |= SSL_OP_NO_SSLv2;
   1861     ctx_options |= SSL_OP_NO_SSLv3;
   1862     ctx_options |= SSL_OP_NO_TLSv1;
   1863     ctx_options |= SSL_OP_NO_TLSv1_2;
   1864     break;
   1865 
   1866   case CURL_SSLVERSION_TLSv1_2:
   1867     ctx_options |= SSL_OP_NO_SSLv2;
   1868     ctx_options |= SSL_OP_NO_SSLv3;
   1869     ctx_options |= SSL_OP_NO_TLSv1;
   1870     ctx_options |= SSL_OP_NO_TLSv1_1;
   1871     break;
   1872 #endif
   1873 
   1874 #ifndef OPENSSL_NO_SSL2
   1875   case CURL_SSLVERSION_SSLv2:
   1876     ctx_options |= SSL_OP_NO_SSLv3;
   1877     ctx_options |= SSL_OP_NO_TLSv1;
   1878 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
   1879     ctx_options |= SSL_OP_NO_TLSv1_1;
   1880     ctx_options |= SSL_OP_NO_TLSv1_2;
   1881 #endif
   1882     break;
   1883 #endif
   1884 
   1885   default:
   1886     failf(data, "Unsupported SSL protocol version");
   1887     return CURLE_SSL_CONNECT_ERROR;
   1888   }
   1889 
   1890   SSL_CTX_set_options(connssl->ctx, ctx_options);
   1891 
   1892 #ifdef HAS_NPN
   1893   if(conn->bits.tls_enable_npn)
   1894     SSL_CTX_set_next_proto_select_cb(connssl->ctx, select_next_proto_cb, conn);
   1895 #endif
   1896 
   1897 #ifdef HAS_ALPN
   1898   if(conn->bits.tls_enable_alpn) {
   1899     int cur = 0;
   1900     unsigned char protocols[128];
   1901 
   1902 #ifdef USE_NGHTTP2
   1903     if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
   1904       protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
   1905 
   1906       memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
   1907           NGHTTP2_PROTO_VERSION_ID_LEN);
   1908       cur += NGHTTP2_PROTO_VERSION_ID_LEN;
   1909       infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
   1910     }
   1911 #endif
   1912 
   1913     protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
   1914     memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
   1915     cur += ALPN_HTTP_1_1_LENGTH;
   1916     infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
   1917 
   1918     /* expects length prefixed preference ordered list of protocols in wire
   1919      * format
   1920      */
   1921     SSL_CTX_set_alpn_protos(connssl->ctx, protocols, cur);
   1922   }
   1923 #endif
   1924 
   1925   if(data->set.str[STRING_CERT] || data->set.str[STRING_CERT_TYPE]) {
   1926     if(!cert_stuff(conn,
   1927                    connssl->ctx,
   1928                    data->set.str[STRING_CERT],
   1929                    data->set.str[STRING_CERT_TYPE],
   1930                    data->set.str[STRING_KEY],
   1931                    data->set.str[STRING_KEY_TYPE])) {
   1932       /* failf() is already done in cert_stuff() */
   1933       return CURLE_SSL_CERTPROBLEM;
   1934     }
   1935   }
   1936 
   1937   ciphers = data->set.str[STRING_SSL_CIPHER_LIST];
   1938   if(!ciphers)
   1939     ciphers = (char *)DEFAULT_CIPHER_SELECTION;
   1940   if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
   1941     failf(data, "failed setting cipher list: %s", ciphers);
   1942     return CURLE_SSL_CIPHER;
   1943   }
   1944   infof(data, "Cipher selection: %s\n", ciphers);
   1945 
   1946 #ifdef USE_TLS_SRP
   1947   if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) {
   1948     infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username);
   1949 
   1950     if(!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) {
   1951       failf(data, "Unable to set SRP user name");
   1952       return CURLE_BAD_FUNCTION_ARGUMENT;
   1953     }
   1954     if(!SSL_CTX_set_srp_password(connssl->ctx, data->set.ssl.password)) {
   1955       failf(data, "failed setting SRP password");
   1956       return CURLE_BAD_FUNCTION_ARGUMENT;
   1957     }
   1958     if(!data->set.str[STRING_SSL_CIPHER_LIST]) {
   1959       infof(data, "Setting cipher list SRP\n");
   1960 
   1961       if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
   1962         failf(data, "failed setting SRP cipher list");
   1963         return CURLE_SSL_CIPHER;
   1964       }
   1965     }
   1966   }
   1967 #endif
   1968   if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) {
   1969     /* tell SSL where to find CA certificates that are used to verify
   1970        the servers certificate. */
   1971     if(!SSL_CTX_load_verify_locations(connssl->ctx,
   1972                                        data->set.str[STRING_SSL_CAFILE],
   1973                                        data->set.str[STRING_SSL_CAPATH])) {
   1974       if(data->set.ssl.verifypeer) {
   1975         /* Fail if we insist on successfully verifying the server. */
   1976         failf(data, "error setting certificate verify locations:\n"
   1977               "  CAfile: %s\n  CApath: %s",
   1978               data->set.str[STRING_SSL_CAFILE]?
   1979               data->set.str[STRING_SSL_CAFILE]: "none",
   1980               data->set.str[STRING_SSL_CAPATH]?
   1981               data->set.str[STRING_SSL_CAPATH] : "none");
   1982         return CURLE_SSL_CACERT_BADFILE;
   1983       }
   1984       else {
   1985         /* Just continue with a warning if no strict  certificate verification
   1986            is required. */
   1987         infof(data, "error setting certificate verify locations,"
   1988               " continuing anyway:\n");
   1989       }
   1990     }
   1991     else {
   1992       /* Everything is fine. */
   1993       infof(data, "successfully set certificate verify locations:\n");
   1994     }
   1995     infof(data,
   1996           "  CAfile: %s\n"
   1997           "  CApath: %s\n",
   1998           data->set.str[STRING_SSL_CAFILE] ? data->set.str[STRING_SSL_CAFILE]:
   1999           "none",
   2000           data->set.str[STRING_SSL_CAPATH] ? data->set.str[STRING_SSL_CAPATH]:
   2001           "none");
   2002   }
   2003 #ifdef CURL_CA_FALLBACK
   2004   else if(data->set.ssl.verifypeer) {
   2005     /* verfying the peer without any CA certificates won't
   2006        work so use openssl's built in default as fallback */
   2007     SSL_CTX_set_default_verify_paths(connssl->ctx);
   2008   }
   2009 #endif
   2010 
   2011   if(data->set.str[STRING_SSL_CRLFILE]) {
   2012     /* tell SSL where to find CRL file that is used to check certificate
   2013      * revocation */
   2014     lookup=X509_STORE_add_lookup(SSL_CTX_get_cert_store(connssl->ctx),
   2015                                  X509_LOOKUP_file());
   2016     if(!lookup ||
   2017        (!X509_load_crl_file(lookup, data->set.str[STRING_SSL_CRLFILE],
   2018                             X509_FILETYPE_PEM)) ) {
   2019       failf(data, "error loading CRL file: %s",
   2020             data->set.str[STRING_SSL_CRLFILE]);
   2021       return CURLE_SSL_CRL_BADFILE;
   2022     }
   2023     else {
   2024       /* Everything is fine. */
   2025       infof(data, "successfully load CRL file:\n");
   2026       X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
   2027                            X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
   2028     }
   2029     infof(data,
   2030           "  CRLfile: %s\n", data->set.str[STRING_SSL_CRLFILE] ?
   2031           data->set.str[STRING_SSL_CRLFILE]: "none");
   2032   }
   2033 
   2034   /* Try building a chain using issuers in the trusted store first to avoid
   2035   problems with server-sent legacy intermediates.
   2036   Newer versions of OpenSSL do alternate chain checking by default which
   2037   gives us the same fix without as much of a performance hit (slight), so we
   2038   prefer that if available.
   2039   https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
   2040   */
   2041 #if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
   2042   if(data->set.ssl.verifypeer) {
   2043     X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
   2044                          X509_V_FLAG_TRUSTED_FIRST);
   2045   }
   2046 #endif
   2047 
   2048   /* SSL always tries to verify the peer, this only says whether it should
   2049    * fail to connect if the verification fails, or if it should continue
   2050    * anyway. In the latter case the result of the verification is checked with
   2051    * SSL_get_verify_result() below. */
   2052   SSL_CTX_set_verify(connssl->ctx,
   2053                      data->set.ssl.verifypeer?SSL_VERIFY_PEER:SSL_VERIFY_NONE,
   2054                      NULL);
   2055 
   2056   /* give application a chance to interfere with SSL set up. */
   2057   if(data->set.ssl.fsslctx) {
   2058     result = (*data->set.ssl.fsslctx)(data, connssl->ctx,
   2059                                       data->set.ssl.fsslctxp);
   2060     if(result) {
   2061       failf(data, "error signaled by ssl ctx callback");
   2062       return result;
   2063     }
   2064   }
   2065 
   2066   /* Lets make an SSL structure */
   2067   if(connssl->handle)
   2068     SSL_free(connssl->handle);
   2069   connssl->handle = SSL_new(connssl->ctx);
   2070   if(!connssl->handle) {
   2071     failf(data, "SSL: couldn't create a context (handle)!");
   2072     return CURLE_OUT_OF_MEMORY;
   2073   }
   2074 
   2075 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
   2076     !defined(OPENSSL_NO_OCSP)
   2077   if(data->set.ssl.verifystatus)
   2078     SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
   2079 #endif
   2080 
   2081   SSL_set_connect_state(connssl->handle);
   2082 
   2083   connssl->server_cert = 0x0;
   2084 
   2085 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
   2086   if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) &&
   2087 #ifdef ENABLE_IPV6
   2088      (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) &&
   2089 #endif
   2090      sni &&
   2091      !SSL_set_tlsext_host_name(connssl->handle, conn->host.name))
   2092     infof(data, "WARNING: failed to configure server name indication (SNI) "
   2093           "TLS extension\n");
   2094 #endif
   2095 
   2096   /* Check if there's a cached ID we can/should use here! */
   2097   if(conn->ssl_config.sessionid) {
   2098     void *ssl_sessionid = NULL;
   2099 
   2100     Curl_ssl_sessionid_lock(conn);
   2101     if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL)) {
   2102       /* we got a session id, use it! */
   2103       if(!SSL_set_session(connssl->handle, ssl_sessionid)) {
   2104         Curl_ssl_sessionid_unlock(conn);
   2105         failf(data, "SSL: SSL_set_session failed: %s",
   2106               ERR_error_string(ERR_get_error(), NULL));
   2107         return CURLE_SSL_CONNECT_ERROR;
   2108       }
   2109       /* Informational message */
   2110       infof (data, "SSL re-using session ID\n");
   2111     }
   2112     Curl_ssl_sessionid_unlock(conn);
   2113   }
   2114 
   2115   /* pass the raw socket into the SSL layers */
   2116   if(!SSL_set_fd(connssl->handle, (int)sockfd)) {
   2117     failf(data, "SSL: SSL_set_fd failed: %s",
   2118           ERR_error_string(ERR_get_error(), NULL));
   2119     return CURLE_SSL_CONNECT_ERROR;
   2120   }
   2121 
   2122   connssl->connecting_state = ssl_connect_2;
   2123 
   2124   return CURLE_OK;
   2125 }
   2126 
   2127 static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
   2128 {
   2129   struct Curl_easy *data = conn->data;
   2130   int err;
   2131   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   2132   DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
   2133              || ssl_connect_2_reading == connssl->connecting_state
   2134              || ssl_connect_2_writing == connssl->connecting_state);
   2135 
   2136   ERR_clear_error();
   2137 
   2138   err = SSL_connect(connssl->handle);
   2139 
   2140   /* 1  is fine
   2141      0  is "not successful but was shut down controlled"
   2142      <0 is "handshake was not successful, because a fatal error occurred" */
   2143   if(1 != err) {
   2144     int detail = SSL_get_error(connssl->handle, err);
   2145 
   2146     if(SSL_ERROR_WANT_READ == detail) {
   2147       connssl->connecting_state = ssl_connect_2_reading;
   2148       return CURLE_OK;
   2149     }
   2150     else if(SSL_ERROR_WANT_WRITE == detail) {
   2151       connssl->connecting_state = ssl_connect_2_writing;
   2152       return CURLE_OK;
   2153     }
   2154     else {
   2155       /* untreated error */
   2156       unsigned long errdetail;
   2157       char error_buffer[256]=""; /* OpenSSL documents that this must be at
   2158                                     least 256 bytes long. */
   2159       CURLcode result;
   2160       long lerr;
   2161       int lib;
   2162       int reason;
   2163 
   2164       /* the connection failed, we're not waiting for anything else. */
   2165       connssl->connecting_state = ssl_connect_2;
   2166 
   2167       /* Get the earliest error code from the thread's error queue and removes
   2168          the entry. */
   2169       errdetail = ERR_get_error();
   2170 
   2171       /* Extract which lib and reason */
   2172       lib = ERR_GET_LIB(errdetail);
   2173       reason = ERR_GET_REASON(errdetail);
   2174 
   2175       if((lib == ERR_LIB_SSL) &&
   2176          (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
   2177         result = CURLE_SSL_CACERT;
   2178 
   2179         lerr = SSL_get_verify_result(connssl->handle);
   2180         if(lerr != X509_V_OK) {
   2181           snprintf(error_buffer, sizeof(error_buffer),
   2182                    "SSL certificate problem: %s",
   2183                    X509_verify_cert_error_string(lerr));
   2184         }
   2185         else
   2186           /* strcpy() is fine here as long as the string fits within
   2187              error_buffer */
   2188           strcpy(error_buffer, "SSL certificate verification failed");
   2189       }
   2190       else {
   2191         result = CURLE_SSL_CONNECT_ERROR;
   2192         ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
   2193       }
   2194 
   2195       /* detail is already set to the SSL error above */
   2196 
   2197       /* If we e.g. use SSLv2 request-method and the server doesn't like us
   2198        * (RST connection etc.), OpenSSL gives no explanation whatsoever and
   2199        * the SO_ERROR is also lost.
   2200        */
   2201       if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
   2202         failf(data, "Unknown SSL protocol error in connection to %s:%ld ",
   2203               conn->host.name, conn->remote_port);
   2204         return result;
   2205       }
   2206 
   2207       /* Could be a CERT problem */
   2208       failf(data, "%s", error_buffer);
   2209 
   2210       return result;
   2211     }
   2212   }
   2213   else {
   2214     /* we have been connected fine, we're not waiting for anything else. */
   2215     connssl->connecting_state = ssl_connect_3;
   2216 
   2217     /* Informational message */
   2218     infof(data, "SSL connection using %s / %s\n",
   2219           get_ssl_version_txt(connssl->handle),
   2220           SSL_get_cipher(connssl->handle));
   2221 
   2222 #ifdef HAS_ALPN
   2223     /* Sets data and len to negotiated protocol, len is 0 if no protocol was
   2224      * negotiated
   2225      */
   2226     if(conn->bits.tls_enable_alpn) {
   2227       const unsigned char* neg_protocol;
   2228       unsigned int len;
   2229       SSL_get0_alpn_selected(connssl->handle, &neg_protocol, &len);
   2230       if(len != 0) {
   2231         infof(data, "ALPN, server accepted to use %.*s\n", len, neg_protocol);
   2232 
   2233 #ifdef USE_NGHTTP2
   2234         if(len == NGHTTP2_PROTO_VERSION_ID_LEN &&
   2235            !memcmp(NGHTTP2_PROTO_VERSION_ID, neg_protocol, len)) {
   2236           conn->negnpn = CURL_HTTP_VERSION_2;
   2237         }
   2238         else
   2239 #endif
   2240         if(len == ALPN_HTTP_1_1_LENGTH &&
   2241            !memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) {
   2242           conn->negnpn = CURL_HTTP_VERSION_1_1;
   2243         }
   2244       }
   2245       else
   2246         infof(data, "ALPN, server did not agree to a protocol\n");
   2247     }
   2248 #endif
   2249 
   2250     return CURLE_OK;
   2251   }
   2252 }
   2253 
   2254 static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
   2255 {
   2256   int i, ilen;
   2257 
   2258   if((ilen = (int)len) < 0)
   2259     return 1; /* buffer too big */
   2260 
   2261   i = i2t_ASN1_OBJECT(buf, ilen, a);
   2262 
   2263   if(i >= ilen)
   2264     return 1; /* buffer too small */
   2265 
   2266   return 0;
   2267 }
   2268 
   2269 #define push_certinfo(_label, _num) \
   2270 do {                              \
   2271   long info_len = BIO_get_mem_data(mem, &ptr); \
   2272   Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \
   2273   if(1!=BIO_reset(mem))                                          \
   2274     break;                                                       \
   2275 } WHILE_FALSE
   2276 
   2277 static void pubkey_show(struct Curl_easy *data,
   2278                         BIO *mem,
   2279                         int num,
   2280                         const char *type,
   2281                         const char *name,
   2282 #ifdef HAVE_OPAQUE_RSA_DSA_DH
   2283                         const
   2284 #endif
   2285                         BIGNUM *bn)
   2286 {
   2287   char *ptr;
   2288   char namebuf[32];
   2289 
   2290   snprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
   2291 
   2292   if(bn)
   2293     BN_print(mem, bn);
   2294   push_certinfo(namebuf, num);
   2295 }
   2296 
   2297 #ifdef HAVE_OPAQUE_RSA_DSA_DH
   2298 #define print_pubkey_BN(_type, _name, _num)              \
   2299   pubkey_show(data, mem, _num, #_type, #_name, _name)
   2300 
   2301 #else
   2302 #define print_pubkey_BN(_type, _name, _num)    \
   2303 do {                              \
   2304   if(_type->_name) { \
   2305     pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \
   2306   } \
   2307 } WHILE_FALSE
   2308 #endif
   2309 
   2310 static int X509V3_ext(struct Curl_easy *data,
   2311                       int certnum,
   2312                       STACK_OF(X509_EXTENSION) *exts)
   2313 {
   2314   int i;
   2315   size_t j;
   2316 
   2317   if((int)sk_X509_EXTENSION_num(exts) <= 0)
   2318     /* no extensions, bail out */
   2319     return 1;
   2320 
   2321   for(i=0; i < (int)sk_X509_EXTENSION_num(exts); i++) {
   2322     ASN1_OBJECT *obj;
   2323     X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
   2324     BUF_MEM *biomem;
   2325     char buf[512];
   2326     char *ptr=buf;
   2327     char namebuf[128];
   2328     BIO *bio_out = BIO_new(BIO_s_mem());
   2329 
   2330     if(!bio_out)
   2331       return 1;
   2332 
   2333     obj = X509_EXTENSION_get_object(ext);
   2334 
   2335     asn1_object_dump(obj, namebuf, sizeof(namebuf));
   2336 
   2337     if(!X509V3_EXT_print(bio_out, ext, 0, 0))
   2338       ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
   2339 
   2340     BIO_get_mem_ptr(bio_out, &biomem);
   2341 
   2342     for(j = 0; j < (size_t)biomem->length; j++) {
   2343       const char *sep="";
   2344       if(biomem->data[j] == '\n') {
   2345         sep=", ";
   2346         j++; /* skip the newline */
   2347       };
   2348       while((j<(size_t)biomem->length) && (biomem->data[j] == ' '))
   2349         j++;
   2350       if(j<(size_t)biomem->length)
   2351         ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep,
   2352                       biomem->data[j]);
   2353     }
   2354 
   2355     Curl_ssl_push_certinfo(data, certnum, namebuf, buf);
   2356 
   2357     BIO_free(bio_out);
   2358 
   2359   }
   2360   return 0; /* all is fine */
   2361 }
   2362 
   2363 static CURLcode get_cert_chain(struct connectdata *conn,
   2364                                struct ssl_connect_data *connssl)
   2365 
   2366 {
   2367   CURLcode result;
   2368   STACK_OF(X509) *sk;
   2369   int i;
   2370   struct Curl_easy *data = conn->data;
   2371   int numcerts;
   2372   BIO *mem;
   2373 
   2374   sk = SSL_get_peer_cert_chain(connssl->handle);
   2375   if(!sk) {
   2376     return CURLE_OUT_OF_MEMORY;
   2377   }
   2378 
   2379   numcerts = sk_X509_num(sk);
   2380 
   2381   result = Curl_ssl_init_certinfo(data, numcerts);
   2382   if(result) {
   2383     return result;
   2384   }
   2385 
   2386   mem = BIO_new(BIO_s_mem());
   2387 
   2388   for(i = 0; i < numcerts; i++) {
   2389     ASN1_INTEGER *num;
   2390     X509 *x = sk_X509_value(sk, i);
   2391     EVP_PKEY *pubkey=NULL;
   2392     int j;
   2393     char *ptr;
   2394     ASN1_BIT_STRING *psig = NULL;
   2395 
   2396     X509_NAME_print_ex(mem, X509_get_subject_name(x), 0, XN_FLAG_ONELINE);
   2397     push_certinfo("Subject", i);
   2398 
   2399     X509_NAME_print_ex(mem, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE);
   2400     push_certinfo("Issuer", i);
   2401 
   2402     BIO_printf(mem, "%lx", X509_get_version(x));
   2403     push_certinfo("Version", i);
   2404 
   2405     num = X509_get_serialNumber(x);
   2406     if(num->type == V_ASN1_NEG_INTEGER)
   2407       BIO_puts(mem, "-");
   2408     for(j = 0; j < num->length; j++)
   2409       BIO_printf(mem, "%02x", num->data[j]);
   2410     push_certinfo("Serial Number", i);
   2411 
   2412 #if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS)
   2413     {
   2414       X509_ALGOR *palg = NULL;
   2415       ASN1_STRING *a = ASN1_STRING_new();
   2416       if(a) {
   2417         X509_get0_signature(&psig, &palg, x);
   2418         X509_signature_print(mem, palg, a);
   2419         ASN1_STRING_free(a);
   2420 
   2421         if(palg) {
   2422           i2a_ASN1_OBJECT(mem, palg->algorithm);
   2423           push_certinfo("Public Key Algorithm", i);
   2424         }
   2425       }
   2426       X509V3_ext(data, i, X509_get0_extensions(x));
   2427     }
   2428 #else
   2429     {
   2430       /* before OpenSSL 1.0.2 */
   2431       X509_CINF *cinf = x->cert_info;
   2432 
   2433       i2a_ASN1_OBJECT(mem, cinf->signature->algorithm);
   2434       push_certinfo("Signature Algorithm", i);
   2435 
   2436       i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm);
   2437       push_certinfo("Public Key Algorithm", i);
   2438 
   2439       X509V3_ext(data, i, cinf->extensions);
   2440 
   2441       psig = x->signature;
   2442     }
   2443 #endif
   2444 
   2445     ASN1_TIME_print(mem, X509_get_notBefore(x));
   2446     push_certinfo("Start date", i);
   2447 
   2448     ASN1_TIME_print(mem, X509_get_notAfter(x));
   2449     push_certinfo("Expire date", i);
   2450 
   2451     pubkey = X509_get_pubkey(x);
   2452     if(!pubkey)
   2453       infof(data, "   Unable to load public key\n");
   2454     else {
   2455       int pktype;
   2456 #ifdef HAVE_OPAQUE_EVP_PKEY
   2457       pktype = EVP_PKEY_id(pubkey);
   2458 #else
   2459       pktype = pubkey->type;
   2460 #endif
   2461       switch(pktype) {
   2462       case EVP_PKEY_RSA:
   2463       {
   2464         RSA *rsa;
   2465 #ifdef HAVE_OPAQUE_EVP_PKEY
   2466         rsa = EVP_PKEY_get0_RSA(pubkey);
   2467 #else
   2468         rsa = pubkey->pkey.rsa;
   2469 #endif
   2470 
   2471 #ifdef HAVE_OPAQUE_RSA_DSA_DH
   2472         {
   2473           const BIGNUM *n;
   2474           const BIGNUM *e;
   2475           const BIGNUM *d;
   2476           const BIGNUM *p;
   2477           const BIGNUM *q;
   2478           const BIGNUM *dmp1;
   2479           const BIGNUM *dmq1;
   2480           const BIGNUM *iqmp;
   2481 
   2482           RSA_get0_key(rsa, &n, &e, &d);
   2483           RSA_get0_factors(rsa, &p, &q);
   2484           RSA_get0_crt_params(rsa, &dmp1, &dmq1, &iqmp);
   2485           BN_print(mem, n);
   2486           push_certinfo("RSA Public Key", i);
   2487           print_pubkey_BN(rsa, n, i);
   2488           print_pubkey_BN(rsa, e, i);
   2489           print_pubkey_BN(rsa, d, i);
   2490           print_pubkey_BN(rsa, p, i);
   2491           print_pubkey_BN(rsa, q, i);
   2492           print_pubkey_BN(rsa, dmp1, i);
   2493           print_pubkey_BN(rsa, dmq1, i);
   2494           print_pubkey_BN(rsa, iqmp, i);
   2495         }
   2496 #else
   2497         BIO_printf(mem, "%d", BN_num_bits(rsa->n));
   2498         push_certinfo("RSA Public Key", i);
   2499         print_pubkey_BN(rsa, n, i);
   2500         print_pubkey_BN(rsa, e, i);
   2501         print_pubkey_BN(rsa, d, i);
   2502         print_pubkey_BN(rsa, p, i);
   2503         print_pubkey_BN(rsa, q, i);
   2504         print_pubkey_BN(rsa, dmp1, i);
   2505         print_pubkey_BN(rsa, dmq1, i);
   2506         print_pubkey_BN(rsa, iqmp, i);
   2507 #endif
   2508 
   2509         break;
   2510       }
   2511       case EVP_PKEY_DSA:
   2512       {
   2513         DSA *dsa;
   2514 #ifdef HAVE_OPAQUE_EVP_PKEY
   2515         dsa = EVP_PKEY_get0_DSA(pubkey);
   2516 #else
   2517         dsa = pubkey->pkey.dsa;
   2518 #endif
   2519 #ifdef HAVE_OPAQUE_RSA_DSA_DH
   2520         {
   2521           const BIGNUM *p;
   2522           const BIGNUM *q;
   2523           const BIGNUM *g;
   2524           const BIGNUM *priv_key;
   2525           const BIGNUM *pub_key;
   2526 
   2527           DSA_get0_pqg(dsa, &p, &q, &g);
   2528           DSA_get0_key(dsa, &pub_key, &priv_key);
   2529 
   2530           print_pubkey_BN(dsa, p, i);
   2531           print_pubkey_BN(dsa, q, i);
   2532           print_pubkey_BN(dsa, g, i);
   2533           print_pubkey_BN(dsa, priv_key, i);
   2534           print_pubkey_BN(dsa, pub_key, i);
   2535         }
   2536 #else
   2537         print_pubkey_BN(dsa, p, i);
   2538         print_pubkey_BN(dsa, q, i);
   2539         print_pubkey_BN(dsa, g, i);
   2540         print_pubkey_BN(dsa, priv_key, i);
   2541         print_pubkey_BN(dsa, pub_key, i);
   2542 #endif
   2543         break;
   2544       }
   2545       case EVP_PKEY_DH:
   2546       {
   2547         DH *dh;
   2548 #ifdef HAVE_OPAQUE_EVP_PKEY
   2549         dh = EVP_PKEY_get0_DH(pubkey);
   2550 #else
   2551         dh = pubkey->pkey.dh;
   2552 #endif
   2553 #ifdef HAVE_OPAQUE_RSA_DSA_DH
   2554         {
   2555           const BIGNUM *p;
   2556           const BIGNUM *q;
   2557           const BIGNUM *g;
   2558           const BIGNUM *priv_key;
   2559           const BIGNUM *pub_key;
   2560           DH_get0_pqg(dh, &p, &q, &g);
   2561           DH_get0_key(dh, &pub_key, &priv_key);
   2562           print_pubkey_BN(dh, p, i);
   2563           print_pubkey_BN(dh, q, i);
   2564           print_pubkey_BN(dh, g, i);
   2565           print_pubkey_BN(dh, priv_key, i);
   2566           print_pubkey_BN(dh, pub_key, i);
   2567        }
   2568 #else
   2569         print_pubkey_BN(dh, p, i);
   2570         print_pubkey_BN(dh, g, i);
   2571         print_pubkey_BN(dh, priv_key, i);
   2572         print_pubkey_BN(dh, pub_key, i);
   2573 #endif
   2574         break;
   2575       }
   2576 #if 0
   2577       case EVP_PKEY_EC: /* symbol not present in OpenSSL 0.9.6 */
   2578         /* left TODO */
   2579         break;
   2580 #endif
   2581       }
   2582       EVP_PKEY_free(pubkey);
   2583     }
   2584 
   2585     if(psig) {
   2586       for(j = 0; j < psig->length; j++)
   2587         BIO_printf(mem, "%02x:", psig->data[j]);
   2588       push_certinfo("Signature", i);
   2589     }
   2590 
   2591     PEM_write_bio_X509(mem, x);
   2592     push_certinfo("Cert", i);
   2593   }
   2594 
   2595   BIO_free(mem);
   2596 
   2597   return CURLE_OK;
   2598 }
   2599 
   2600 /*
   2601  * Heavily modified from:
   2602  * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
   2603  */
   2604 static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
   2605                                     const char *pinnedpubkey)
   2606 {
   2607   /* Scratch */
   2608   int len1 = 0, len2 = 0;
   2609   unsigned char *buff1 = NULL, *temp = NULL;
   2610 
   2611   /* Result is returned to caller */
   2612   CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
   2613 
   2614   /* if a path wasn't specified, don't pin */
   2615   if(!pinnedpubkey)
   2616     return CURLE_OK;
   2617 
   2618   if(!cert)
   2619     return result;
   2620 
   2621   do {
   2622     /* Begin Gyrations to get the subjectPublicKeyInfo     */
   2623     /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
   2624 
   2625     /* https://groups.google.com/group/mailing.openssl.users/browse_thread
   2626      /thread/d61858dae102c6c7 */
   2627     len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
   2628     if(len1 < 1)
   2629       break; /* failed */
   2630 
   2631     /* https://www.openssl.org/docs/crypto/buffer.html */
   2632     buff1 = temp = OPENSSL_malloc(len1);
   2633     if(!buff1)
   2634       break; /* failed */
   2635 
   2636     /* https://www.openssl.org/docs/crypto/d2i_X509.html */
   2637     len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
   2638 
   2639     /*
   2640      * These checks are verifying we got back the same values as when we
   2641      * sized the buffer. It's pretty weak since they should always be the
   2642      * same. But it gives us something to test.
   2643      */
   2644     if((len1 != len2) || !temp || ((temp - buff1) != len1))
   2645       break; /* failed */
   2646 
   2647     /* End Gyrations */
   2648 
   2649     /* The one good exit point */
   2650     result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
   2651   } while(0);
   2652 
   2653   /* https://www.openssl.org/docs/crypto/buffer.html */
   2654   if(buff1)
   2655     OPENSSL_free(buff1);
   2656 
   2657   return result;
   2658 }
   2659 
   2660 /*
   2661  * Get the server cert, verify it and show it etc, only call failf() if the
   2662  * 'strict' argument is TRUE as otherwise all this is for informational
   2663  * purposes only!
   2664  *
   2665  * We check certificates to authenticate the server; otherwise we risk
   2666  * man-in-the-middle attack.
   2667  */
   2668 static CURLcode servercert(struct connectdata *conn,
   2669                            struct ssl_connect_data *connssl,
   2670                            bool strict)
   2671 {
   2672   CURLcode result = CURLE_OK;
   2673   int rc;
   2674   long lerr, len;
   2675   struct Curl_easy *data = conn->data;
   2676   X509 *issuer;
   2677   FILE *fp;
   2678   char *buffer = data->state.buffer;
   2679   const char *ptr;
   2680   BIO *mem = BIO_new(BIO_s_mem());
   2681 
   2682   if(data->set.ssl.certinfo)
   2683     /* we've been asked to gather certificate info! */
   2684     (void)get_cert_chain(conn, connssl);
   2685 
   2686   connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
   2687   if(!connssl->server_cert) {
   2688     if(!strict)
   2689       return CURLE_OK;
   2690 
   2691     failf(data, "SSL: couldn't get peer certificate!");
   2692     return CURLE_PEER_FAILED_VERIFICATION;
   2693   }
   2694 
   2695   infof(data, "Server certificate:\n");
   2696 
   2697   rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
   2698                          buffer, BUFSIZE);
   2699   infof(data, " subject: %s\n", rc?"[NONE]":buffer);
   2700 
   2701   ASN1_TIME_print(mem, X509_get_notBefore(connssl->server_cert));
   2702   len = BIO_get_mem_data(mem, (char **) &ptr);
   2703   infof(data, " start date: %.*s\n", len, ptr);
   2704   rc = BIO_reset(mem);
   2705 
   2706   ASN1_TIME_print(mem, X509_get_notAfter(connssl->server_cert));
   2707   len = BIO_get_mem_data(mem, (char **) &ptr);
   2708   infof(data, " expire date: %.*s\n", len, ptr);
   2709   rc = BIO_reset(mem);
   2710 
   2711   BIO_free(mem);
   2712 
   2713   if(data->set.ssl.verifyhost) {
   2714     result = verifyhost(conn, connssl->server_cert);
   2715     if(result) {
   2716       X509_free(connssl->server_cert);
   2717       connssl->server_cert = NULL;
   2718       return result;
   2719     }
   2720   }
   2721 
   2722   rc = x509_name_oneline(X509_get_issuer_name(connssl->server_cert),
   2723                          buffer, BUFSIZE);
   2724   if(rc) {
   2725     if(strict)
   2726       failf(data, "SSL: couldn't get X509-issuer name!");
   2727     result = CURLE_SSL_CONNECT_ERROR;
   2728   }
   2729   else {
   2730     infof(data, " issuer: %s\n", buffer);
   2731 
   2732     /* We could do all sorts of certificate verification stuff here before
   2733        deallocating the certificate. */
   2734 
   2735     /* e.g. match issuer name with provided issuer certificate */
   2736     if(data->set.str[STRING_SSL_ISSUERCERT]) {
   2737       fp = fopen(data->set.str[STRING_SSL_ISSUERCERT], FOPEN_READTEXT);
   2738       if(!fp) {
   2739         if(strict)
   2740           failf(data, "SSL: Unable to open issuer cert (%s)",
   2741                 data->set.str[STRING_SSL_ISSUERCERT]);
   2742         X509_free(connssl->server_cert);
   2743         connssl->server_cert = NULL;
   2744         return CURLE_SSL_ISSUER_ERROR;
   2745       }
   2746 
   2747       issuer = PEM_read_X509(fp, NULL, ZERO_NULL, NULL);
   2748       if(!issuer) {
   2749         if(strict)
   2750           failf(data, "SSL: Unable to read issuer cert (%s)",
   2751                 data->set.str[STRING_SSL_ISSUERCERT]);
   2752         X509_free(connssl->server_cert);
   2753         X509_free(issuer);
   2754         fclose(fp);
   2755         return CURLE_SSL_ISSUER_ERROR;
   2756       }
   2757 
   2758       fclose(fp);
   2759 
   2760       if(X509_check_issued(issuer, connssl->server_cert) != X509_V_OK) {
   2761         if(strict)
   2762           failf(data, "SSL: Certificate issuer check failed (%s)",
   2763                 data->set.str[STRING_SSL_ISSUERCERT]);
   2764         X509_free(connssl->server_cert);
   2765         X509_free(issuer);
   2766         connssl->server_cert = NULL;
   2767         return CURLE_SSL_ISSUER_ERROR;
   2768       }
   2769 
   2770       infof(data, " SSL certificate issuer check ok (%s)\n",
   2771             data->set.str[STRING_SSL_ISSUERCERT]);
   2772       X509_free(issuer);
   2773     }
   2774 
   2775     lerr = data->set.ssl.certverifyresult =
   2776       SSL_get_verify_result(connssl->handle);
   2777 
   2778     if(data->set.ssl.certverifyresult != X509_V_OK) {
   2779       if(data->set.ssl.verifypeer) {
   2780         /* We probably never reach this, because SSL_connect() will fail
   2781            and we return earlier if verifypeer is set? */
   2782         if(strict)
   2783           failf(data, "SSL certificate verify result: %s (%ld)",
   2784                 X509_verify_cert_error_string(lerr), lerr);
   2785         result = CURLE_PEER_FAILED_VERIFICATION;
   2786       }
   2787       else
   2788         infof(data, " SSL certificate verify result: %s (%ld),"
   2789               " continuing anyway.\n",
   2790               X509_verify_cert_error_string(lerr), lerr);
   2791     }
   2792     else
   2793       infof(data, " SSL certificate verify ok.\n");
   2794   }
   2795 
   2796 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
   2797     !defined(OPENSSL_NO_OCSP)
   2798   if(data->set.ssl.verifystatus) {
   2799     result = verifystatus(conn, connssl);
   2800     if(result) {
   2801       X509_free(connssl->server_cert);
   2802       connssl->server_cert = NULL;
   2803       return result;
   2804     }
   2805   }
   2806 #endif
   2807 
   2808   if(!strict)
   2809     /* when not strict, we don't bother about the verify cert problems */
   2810     result = CURLE_OK;
   2811 
   2812   ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
   2813   if(!result && ptr) {
   2814     result = pkp_pin_peer_pubkey(data, connssl->server_cert, ptr);
   2815     if(result)
   2816       failf(data, "SSL: public key does not match pinned public key!");
   2817   }
   2818 
   2819   X509_free(connssl->server_cert);
   2820   connssl->server_cert = NULL;
   2821   connssl->connecting_state = ssl_connect_done;
   2822 
   2823   return result;
   2824 }
   2825 
   2826 static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
   2827 {
   2828   CURLcode result = CURLE_OK;
   2829   struct Curl_easy *data = conn->data;
   2830   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   2831 
   2832   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
   2833 
   2834   if(conn->ssl_config.sessionid) {
   2835     bool incache;
   2836     SSL_SESSION *our_ssl_sessionid;
   2837     void *old_ssl_sessionid = NULL;
   2838 
   2839     our_ssl_sessionid = SSL_get1_session(connssl->handle);
   2840 
   2841     /* SSL_get1_session() will increment the reference count and the session
   2842         will stay in memory until explicitly freed with SSL_SESSION_free(3),
   2843         regardless of its state. */
   2844 
   2845     Curl_ssl_sessionid_lock(conn);
   2846     incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL));
   2847     if(incache) {
   2848       if(old_ssl_sessionid != our_ssl_sessionid) {
   2849         infof(data, "old SSL session ID is stale, removing\n");
   2850         Curl_ssl_delsessionid(conn, old_ssl_sessionid);
   2851         incache = FALSE;
   2852       }
   2853     }
   2854 
   2855     if(!incache) {
   2856       result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
   2857                                       0 /* unknown size */);
   2858       if(result) {
   2859         Curl_ssl_sessionid_unlock(conn);
   2860         failf(data, "failed to store ssl session");
   2861         return result;
   2862       }
   2863     }
   2864     else {
   2865       /* Session was incache, so refcount already incremented earlier.
   2866         * Avoid further increments with each SSL_get1_session() call.
   2867         * This does not free the session as refcount remains > 0
   2868         */
   2869       SSL_SESSION_free(our_ssl_sessionid);
   2870     }
   2871     Curl_ssl_sessionid_unlock(conn);
   2872   }
   2873 
   2874   /*
   2875    * We check certificates to authenticate the server; otherwise we risk
   2876    * man-in-the-middle attack; NEVERTHELESS, if we're told explicitly not to
   2877    * verify the peer ignore faults and failures from the server cert
   2878    * operations.
   2879    */
   2880 
   2881   result = servercert(conn, connssl,
   2882                       (data->set.ssl.verifypeer || data->set.ssl.verifyhost));
   2883 
   2884   if(!result)
   2885     connssl->connecting_state = ssl_connect_done;
   2886 
   2887   return result;
   2888 }
   2889 
   2890 static Curl_recv ossl_recv;
   2891 static Curl_send ossl_send;
   2892 
   2893 static CURLcode ossl_connect_common(struct connectdata *conn,
   2894                                     int sockindex,
   2895                                     bool nonblocking,
   2896                                     bool *done)
   2897 {
   2898   CURLcode result;
   2899   struct Curl_easy *data = conn->data;
   2900   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   2901   curl_socket_t sockfd = conn->sock[sockindex];
   2902   long timeout_ms;
   2903   int what;
   2904 
   2905   /* check if the connection has already been established */
   2906   if(ssl_connection_complete == connssl->state) {
   2907     *done = TRUE;
   2908     return CURLE_OK;
   2909   }
   2910 
   2911   if(ssl_connect_1 == connssl->connecting_state) {
   2912     /* Find out how much more time we're allowed */
   2913     timeout_ms = Curl_timeleft(data, NULL, TRUE);
   2914 
   2915     if(timeout_ms < 0) {
   2916       /* no need to continue if time already is up */
   2917       failf(data, "SSL connection timeout");
   2918       return CURLE_OPERATION_TIMEDOUT;
   2919     }
   2920 
   2921     result = ossl_connect_step1(conn, sockindex);
   2922     if(result)
   2923       return result;
   2924   }
   2925 
   2926   while(ssl_connect_2 == connssl->connecting_state ||
   2927         ssl_connect_2_reading == connssl->connecting_state ||
   2928         ssl_connect_2_writing == connssl->connecting_state) {
   2929 
   2930     /* check allowed time left */
   2931     timeout_ms = Curl_timeleft(data, NULL, TRUE);
   2932 
   2933     if(timeout_ms < 0) {
   2934       /* no need to continue if time already is up */
   2935       failf(data, "SSL connection timeout");
   2936       return CURLE_OPERATION_TIMEDOUT;
   2937     }
   2938 
   2939     /* if ssl is expecting something, check if it's available. */
   2940     if(connssl->connecting_state == ssl_connect_2_reading ||
   2941        connssl->connecting_state == ssl_connect_2_writing) {
   2942 
   2943       curl_socket_t writefd = ssl_connect_2_writing==
   2944         connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
   2945       curl_socket_t readfd = ssl_connect_2_reading==
   2946         connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
   2947 
   2948       what = Curl_socket_ready(readfd, writefd, nonblocking?0:timeout_ms);
   2949       if(what < 0) {
   2950         /* fatal error */
   2951         failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
   2952         return CURLE_SSL_CONNECT_ERROR;
   2953       }
   2954       else if(0 == what) {
   2955         if(nonblocking) {
   2956           *done = FALSE;
   2957           return CURLE_OK;
   2958         }
   2959         else {
   2960           /* timeout */
   2961           failf(data, "SSL connection timeout");
   2962           return CURLE_OPERATION_TIMEDOUT;
   2963         }
   2964       }
   2965       /* socket is readable or writable */
   2966     }
   2967 
   2968     /* Run transaction, and return to the caller if it failed or if this
   2969      * connection is done nonblocking and this loop would execute again. This
   2970      * permits the owner of a multi handle to abort a connection attempt
   2971      * before step2 has completed while ensuring that a client using select()
   2972      * or epoll() will always have a valid fdset to wait on.
   2973      */
   2974     result = ossl_connect_step2(conn, sockindex);
   2975     if(result || (nonblocking &&
   2976                   (ssl_connect_2 == connssl->connecting_state ||
   2977                    ssl_connect_2_reading == connssl->connecting_state ||
   2978                    ssl_connect_2_writing == connssl->connecting_state)))
   2979       return result;
   2980 
   2981   } /* repeat step2 until all transactions are done. */
   2982 
   2983   if(ssl_connect_3 == connssl->connecting_state) {
   2984     result = ossl_connect_step3(conn, sockindex);
   2985     if(result)
   2986       return result;
   2987   }
   2988 
   2989   if(ssl_connect_done == connssl->connecting_state) {
   2990     connssl->state = ssl_connection_complete;
   2991     conn->recv[sockindex] = ossl_recv;
   2992     conn->send[sockindex] = ossl_send;
   2993     *done = TRUE;
   2994   }
   2995   else
   2996     *done = FALSE;
   2997 
   2998   /* Reset our connect state machine */
   2999   connssl->connecting_state = ssl_connect_1;
   3000 
   3001   return CURLE_OK;
   3002 }
   3003 
   3004 CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn,
   3005                                        int sockindex,
   3006                                        bool *done)
   3007 {
   3008   return ossl_connect_common(conn, sockindex, TRUE, done);
   3009 }
   3010 
   3011 CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex)
   3012 {
   3013   CURLcode result;
   3014   bool done = FALSE;
   3015 
   3016   result = ossl_connect_common(conn, sockindex, FALSE, &done);
   3017   if(result)
   3018     return result;
   3019 
   3020   DEBUGASSERT(done);
   3021 
   3022   return CURLE_OK;
   3023 }
   3024 
   3025 bool Curl_ossl_data_pending(const struct connectdata *conn, int connindex)
   3026 {
   3027   if(conn->ssl[connindex].handle)
   3028     /* SSL is in use */
   3029     return (0 != SSL_pending(conn->ssl[connindex].handle)) ? TRUE : FALSE;
   3030   else
   3031     return FALSE;
   3032 }
   3033 
   3034 static ssize_t ossl_send(struct connectdata *conn,
   3035                          int sockindex,
   3036                          const void *mem,
   3037                          size_t len,
   3038                          CURLcode *curlcode)
   3039 {
   3040   /* SSL_write() is said to return 'int' while write() and send() returns
   3041      'size_t' */
   3042   int err;
   3043   char error_buffer[256]; /* OpenSSL documents that this must be at least 256
   3044                              bytes long. */
   3045   unsigned long sslerror;
   3046   int memlen;
   3047   int rc;
   3048 
   3049   ERR_clear_error();
   3050 
   3051   memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
   3052   rc = SSL_write(conn->ssl[sockindex].handle, mem, memlen);
   3053 
   3054   if(rc <= 0) {
   3055     err = SSL_get_error(conn->ssl[sockindex].handle, rc);
   3056 
   3057     switch(err) {
   3058     case SSL_ERROR_WANT_READ:
   3059     case SSL_ERROR_WANT_WRITE:
   3060       /* The operation did not complete; the same TLS/SSL I/O function
   3061          should be called again later. This is basically an EWOULDBLOCK
   3062          equivalent. */
   3063       *curlcode = CURLE_AGAIN;
   3064       return -1;
   3065     case SSL_ERROR_SYSCALL:
   3066       failf(conn->data, "SSL_write() returned SYSCALL, errno = %d",
   3067             SOCKERRNO);
   3068       *curlcode = CURLE_SEND_ERROR;
   3069       return -1;
   3070     case SSL_ERROR_SSL:
   3071       /*  A failure in the SSL library occurred, usually a protocol error.
   3072           The OpenSSL error queue contains more information on the error. */
   3073       sslerror = ERR_get_error();
   3074       failf(conn->data, "SSL_write() error: %s",
   3075             ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)));
   3076       *curlcode = CURLE_SEND_ERROR;
   3077       return -1;
   3078     }
   3079     /* a true error */
   3080     failf(conn->data, "SSL_write() return error %d", err);
   3081     *curlcode = CURLE_SEND_ERROR;
   3082     return -1;
   3083   }
   3084   *curlcode = CURLE_OK;
   3085   return (ssize_t)rc; /* number of bytes */
   3086 }
   3087 
   3088 static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
   3089                          int num,                  /* socketindex */
   3090                          char *buf,                /* store read data here */
   3091                          size_t buffersize,        /* max amount to read */
   3092                          CURLcode *curlcode)
   3093 {
   3094   char error_buffer[256]; /* OpenSSL documents that this must be at
   3095                              least 256 bytes long. */
   3096   unsigned long sslerror;
   3097   ssize_t nread;
   3098   int buffsize;
   3099 
   3100   ERR_clear_error();
   3101 
   3102   buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
   3103   nread = (ssize_t)SSL_read(conn->ssl[num].handle, buf, buffsize);
   3104   if(nread <= 0) {
   3105     /* failed SSL_read */
   3106     int err = SSL_get_error(conn->ssl[num].handle, (int)nread);
   3107 
   3108     switch(err) {
   3109     case SSL_ERROR_NONE: /* this is not an error */
   3110     case SSL_ERROR_ZERO_RETURN: /* no more data */
   3111       break;
   3112     case SSL_ERROR_WANT_READ:
   3113     case SSL_ERROR_WANT_WRITE:
   3114       /* there's data pending, re-invoke SSL_read() */
   3115       *curlcode = CURLE_AGAIN;
   3116       return -1;
   3117     default:
   3118       /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
   3119          value/errno" */
   3120       /* https://www.openssl.org/docs/crypto/ERR_get_error.html */
   3121       sslerror = ERR_get_error();
   3122       if((nread < 0) || sslerror) {
   3123         /* If the return code was negative or there actually is an error in the
   3124            queue */
   3125         failf(conn->data, "SSL read: %s, errno %d",
   3126               ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)),
   3127               SOCKERRNO);
   3128         *curlcode = CURLE_RECV_ERROR;
   3129         return -1;
   3130       }
   3131     }
   3132   }
   3133   return nread;
   3134 }
   3135 
   3136 size_t Curl_ossl_version(char *buffer, size_t size)
   3137 {
   3138 #ifdef OPENSSL_IS_BORINGSSL
   3139   return snprintf(buffer, size, OSSL_PACKAGE);
   3140 #else /* OPENSSL_IS_BORINGSSL */
   3141   char sub[3];
   3142   unsigned long ssleay_value;
   3143   sub[2]='\0';
   3144   sub[1]='\0';
   3145   ssleay_value=SSLeay();
   3146   if(ssleay_value < 0x906000) {
   3147     ssleay_value=SSLEAY_VERSION_NUMBER;
   3148     sub[0]='\0';
   3149   }
   3150   else {
   3151     if(ssleay_value&0xff0) {
   3152       int minor_ver = (ssleay_value >> 4) & 0xff;
   3153       if(minor_ver > 26) {
   3154         /* handle extended version introduced for 0.9.8za */
   3155         sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
   3156         sub[0] = 'z';
   3157       }
   3158       else {
   3159         sub[0]=(char)(((ssleay_value>>4)&0xff) + 'a' -1);
   3160       }
   3161     }
   3162     else
   3163       sub[0]='\0';
   3164   }
   3165 
   3166   return snprintf(buffer, size, "%s/%lx.%lx.%lx%s",
   3167                   OSSL_PACKAGE,
   3168                   (ssleay_value>>28)&0xf,
   3169                   (ssleay_value>>20)&0xff,
   3170                   (ssleay_value>>12)&0xff,
   3171                   sub);
   3172 #endif /* OPENSSL_IS_BORINGSSL */
   3173 }
   3174 
   3175 /* can be called with data == NULL */
   3176 int Curl_ossl_random(struct Curl_easy *data, unsigned char *entropy,
   3177                      size_t length)
   3178 {
   3179   if(data) {
   3180     Curl_ossl_seed(data); /* Initiate the seed if not already done */
   3181   }
   3182   RAND_bytes(entropy, curlx_uztosi(length));
   3183   return 0; /* 0 as in no problem */
   3184 }
   3185 
   3186 void Curl_ossl_md5sum(unsigned char *tmp, /* input */
   3187                       size_t tmplen,
   3188                       unsigned char *md5sum /* output */,
   3189                       size_t unused)
   3190 {
   3191   MD5_CTX MD5pw;
   3192   (void)unused;
   3193   MD5_Init(&MD5pw);
   3194   MD5_Update(&MD5pw, tmp, tmplen);
   3195   MD5_Final(md5sum, &MD5pw);
   3196 }
   3197 
   3198 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
   3199 void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
   3200                       size_t tmplen,
   3201                       unsigned char *sha256sum /* output */,
   3202                       size_t unused)
   3203 {
   3204   SHA256_CTX SHA256pw;
   3205   (void)unused;
   3206   SHA256_Init(&SHA256pw);
   3207   SHA256_Update(&SHA256pw, tmp, tmplen);
   3208   SHA256_Final(sha256sum, &SHA256pw);
   3209 }
   3210 #endif
   3211 
   3212 bool Curl_ossl_cert_status_request(void)
   3213 {
   3214 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
   3215     !defined(OPENSSL_NO_OCSP)
   3216   return TRUE;
   3217 #else
   3218   return FALSE;
   3219 #endif
   3220 }
   3221 #endif /* USE_OPENSSL */
   3222