3d90ec5448
HTTPS proxies:
An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a
secure connection with the proxy is established, the user agent uses the proxy
as usual, including sending CONNECT requests to instruct the proxy to establish
a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect
nearly all aspects of user-proxy communications as opposed to HTTP proxies that
receive all requests (including CONNECT requests) in vulnerable clear text.
With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS
sessions: the "outer" one between the user agent and the proxy and the "inner"
one between the user agent and the origin server (through the proxy). This
change adds supports for such nested sessions as well.
The secure connection with the proxy requires its own set of the usual
SSL/TLS-related options (their descriptions need polishing):
--proxy-cacert FILE CA certificate to verify peer against
--proxy-capath DIR CA directory to verify peer against
--proxy-cert CERT[:PASSWD] Client certificate file and password
--proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
--proxy-ciphers LIST SSL ciphers to use
--proxy-crlfile FILE Get a CRL list in PEM format from the given file
--proxy-insecure Allow connections to SSL sites without certs
--proxy-key KEY Private key file name
--proxy-key-type TYPE Private key file type (DER/PEM/ENG)
--proxy-pass PASS Pass phrase for the private key
--proxy-ssl-allow-beast Allow security flaw to improve interop
--proxy-sslv2 Use SSLv2
--proxy-sslv3 Use SSLv3
--proxy-tlsv1 Use TLSv1
--proxy-tlsuser USER TLS username
--proxy-tlspassword STRING TLS password
--proxy-tlsauthtype STRING TLS authentication type (default SRP)
All --proxy-foo options are independent from their --foo counterparts, except
--proxy-crlfile defaults to --crlfile and --proxy-capath defaults to --capath.
Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.
SOCKS proxy + HTTP/HTTPS proxy combination:
If both --socks* and --proxy options are given, Curl first connects to the
SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy.
163 lines
6.8 KiB
C
163 lines
6.8 KiB
C
#ifndef HEADER_CURL_VTLS_H
|
|
#define HEADER_CURL_VTLS_H
|
|
/***************************************************************************
|
|
* _ _ ____ _
|
|
* Project ___| | | | _ \| |
|
|
* / __| | | | |_) | |
|
|
* | (__| |_| | _ <| |___
|
|
* \___|\___/|_| \_\_____|
|
|
*
|
|
* Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
|
|
*
|
|
* This software is licensed as described in the file COPYING, which
|
|
* you should have received as part of this distribution. The terms
|
|
* are also available at http://curl.haxx.se/docs/copyright.html.
|
|
*
|
|
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
|
* copies of the Software, and permit persons to whom the Software is
|
|
* furnished to do so, under the terms of the COPYING file.
|
|
*
|
|
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
|
* KIND, either express or implied.
|
|
*
|
|
***************************************************************************/
|
|
#include "curl_setup.h"
|
|
|
|
#include "openssl.h" /* OpenSSL versions */
|
|
#include "gtls.h" /* GnuTLS versions */
|
|
#include "nssg.h" /* NSS versions */
|
|
#include "gskit.h" /* Global Secure ToolKit versions */
|
|
#include "polarssl.h" /* PolarSSL versions */
|
|
#include "axtls.h" /* axTLS versions */
|
|
#include "cyassl.h" /* CyaSSL versions */
|
|
#include "schannel.h" /* Schannel SSPI version */
|
|
#include "darwinssl.h" /* SecureTransport (Darwin) version */
|
|
|
|
#ifndef MAX_PINNED_PUBKEY_SIZE
|
|
#define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */
|
|
#endif
|
|
|
|
#ifndef MD5_DIGEST_LENGTH
|
|
#define MD5_DIGEST_LENGTH 16 /* fixed size */
|
|
#endif
|
|
|
|
/* see http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04 */
|
|
#define ALPN_HTTP_1_1_LENGTH 8
|
|
#define ALPN_HTTP_1_1 "http/1.1"
|
|
|
|
bool Curl_ssl_config_matches(struct ssl_primary_config* data,
|
|
struct ssl_primary_config* needle);
|
|
bool Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
|
|
struct ssl_primary_config *dest);
|
|
bool Curl_clone_ssl_config(struct ssl_config_data* source,
|
|
struct ssl_config_data* dest);
|
|
void Curl_clone_general_ssl_config(struct ssl_general_config *source,
|
|
struct ssl_general_config *dest);
|
|
void Curl_free_ssl_config(struct ssl_config_data* sslc);
|
|
void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc);
|
|
int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks,
|
|
int numsocks);
|
|
|
|
unsigned int Curl_rand(struct SessionHandle *);
|
|
|
|
int Curl_ssl_backend(void);
|
|
|
|
#ifdef USE_SSL
|
|
int Curl_ssl_init(void);
|
|
void Curl_ssl_cleanup(void);
|
|
CURLcode Curl_ssl_connect(struct connectdata *conn, int sockindex);
|
|
CURLcode Curl_ssl_connect_nonblocking(struct connectdata *conn,
|
|
int sockindex,
|
|
bool *done);
|
|
/* tell the SSL stuff to close down all open information regarding
|
|
connections (and thus session ID caching etc) */
|
|
void Curl_ssl_close_all(struct SessionHandle *data);
|
|
void Curl_ssl_close(struct connectdata *conn, int sockindex);
|
|
CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex);
|
|
CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine);
|
|
/* Sets engine as default for all SSL operations */
|
|
CURLcode Curl_ssl_set_engine_default(struct SessionHandle *data);
|
|
struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data);
|
|
|
|
/* init the SSL session ID cache */
|
|
CURLcode Curl_ssl_initsessions(struct SessionHandle *, size_t);
|
|
size_t Curl_ssl_version(char *buffer, size_t size);
|
|
bool Curl_ssl_data_pending(const struct connectdata *conn,
|
|
int connindex);
|
|
int Curl_ssl_check_cxn(struct connectdata *conn);
|
|
|
|
/* Certificate information list handling. */
|
|
|
|
void Curl_ssl_free_certinfo(struct SessionHandle *data);
|
|
CURLcode Curl_ssl_init_certinfo(struct SessionHandle * data, int num);
|
|
CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle * data, int certnum,
|
|
const char * label, const char * value,
|
|
size_t valuelen);
|
|
CURLcode Curl_ssl_push_certinfo(struct SessionHandle * data, int certnum,
|
|
const char * label, const char * value);
|
|
|
|
/* Functions to be used by SSL library adaptation functions */
|
|
|
|
/* extract a session ID */
|
|
bool Curl_ssl_getsessionid(struct connectdata *conn,
|
|
void **ssl_sessionid,
|
|
size_t *idsize, /* set 0 if unknown */
|
|
int sockindex);
|
|
/* add a new session ID */
|
|
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
|
|
void *ssl_sessionid,
|
|
size_t idsize,
|
|
int sockindex);
|
|
/* Kill a single session ID entry in the cache */
|
|
void Curl_ssl_kill_session(struct curl_ssl_session *session);
|
|
/* delete a session from the cache */
|
|
void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid);
|
|
|
|
/* get N random bytes into the buffer, return 0 if a find random is filled
|
|
in */
|
|
int Curl_ssl_random(struct SessionHandle *data, unsigned char *buffer,
|
|
size_t length);
|
|
CURLcode Curl_ssl_md5sum(unsigned char *tmp, /* input */
|
|
size_t tmplen,
|
|
unsigned char *md5sum, /* output */
|
|
size_t md5len);
|
|
/* Check pinned public key. */
|
|
CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey,
|
|
const unsigned char *pubkey, size_t pubkeylen);
|
|
|
|
bool Curl_ssl_cert_status_request(void);
|
|
|
|
bool Curl_ssl_false_start(void);
|
|
|
|
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */
|
|
|
|
#else
|
|
/* Set the API backend definition to none */
|
|
#define CURL_SSL_BACKEND CURLSSLBACKEND_NONE
|
|
|
|
/* When SSL support is not present, just define away these function calls */
|
|
#define Curl_ssl_init() 1
|
|
#define Curl_ssl_cleanup() Curl_nop_stmt
|
|
#define Curl_ssl_connect(x,y) CURLE_NOT_BUILT_IN
|
|
#define Curl_ssl_close_all(x) Curl_nop_stmt
|
|
#define Curl_ssl_close(x,y) Curl_nop_stmt
|
|
#define Curl_ssl_shutdown(x,y) CURLE_NOT_BUILT_IN
|
|
#define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
|
|
#define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
|
|
#define Curl_ssl_engines_list(x) NULL
|
|
#define Curl_ssl_send(a,b,c,d,e) -1
|
|
#define Curl_ssl_recv(a,b,c,d,e) -1
|
|
#define Curl_ssl_initsessions(x,y) CURLE_OK
|
|
#define Curl_ssl_version(x,y) 0
|
|
#define Curl_ssl_data_pending(x,y) 0
|
|
#define Curl_ssl_check_cxn(x) 0
|
|
#define Curl_ssl_free_certinfo(x) Curl_nop_stmt
|
|
#define Curl_ssl_connect_nonblocking(x,y,z) CURLE_NOT_BUILT_IN
|
|
#define Curl_ssl_kill_session(x) Curl_nop_stmt
|
|
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
|
|
#define Curl_ssl_cert_status_request() FALSE
|
|
#define Curl_ssl_false_start() FALSE
|
|
#endif
|
|
|
|
#endif /* HEADER_CURL_VTLS_H */
|