curl-library
[PATCH] Implement SSL-backend independent API to access TLS internals, in particular the X509 certificate information.
From: Christian Grothoff <christian_at_grothoff.org>
Date: Mon, 21 Oct 2013 13:50:06 +0200
Date: Mon, 21 Oct 2013 13:50:06 +0200
The new API returns an SSL-backend dependent pointer and
an enum on the backend type, as discussed on the mailinglist.
Sample use:
struct curl_tlsinfo tlsinfo;
union {
struct curl_tlsinfo *tlsinfo;
struct curl_slist *to_slist;
} gptr;
memset (&tlsinfo, 0, sizeof (tlsinfo));
gptr.tlsinfo = &tlsinfo;
if (CURLE_OK !=
curl_easy_getinfo (s5r->curl,
CURLINFO_TLS_SESSION,
&gptr))
return SYSERR;
if (CURLSSLBACKEND_GNUTLS != tlsinfo.ssl_backend)
{
// error: Unsupported SSL backend
return SYSERR;
}
... = gnutls_certificate_get_peers (tlsinfo.internals, ...);
--- docs/libcurl/curl_easy_getinfo.3 | 11 +++++++++++ include/curl/curl.h | 31 ++++++++++++++++++++++++++++--- lib/getinfo.c | 40 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 79 insertions(+), 3 deletions(-) diff --git a/docs/libcurl/curl_easy_getinfo.3 b/docs/libcurl/curl_easy_getinfo.3 index 62d8ae4..b88a9fb 100644 --- a/docs/libcurl/curl_easy_getinfo.3 +++ b/docs/libcurl/curl_easy_getinfo.3 @@ -221,6 +221,17 @@ provided in a series of data in the format "name:content" where the content is for the specific named data. See also the certinfo.c example. NOTE: this option is only available in libcurl built with OpenSSL support. (Added in 7.19.1) + +.IP CURLINFO_TLS_SESSION +Pass a pointer to a 'struct curl_tlsinfo *'. The struct will be initialized +to contain the type of the SSL library used for the handshake, and to the +respective internal TLS session structure of this underlying SSL library. +This can then be used to extract certificate information in a format +convenient for further processing, such as manual validation. NOTE: this +option may not be available for all SSL backends; unsupported SSL backends +may return 'CURLSSLBACKEND_NONE' to indicate that they are not supported; +this does not mean that no SSL backend was used. (Added in 7.34.0) + .IP CURLINFO_CONDITION_UNMET Pass a pointer to a long to receive the number 1 if the condition provided in the previous request didn't match (see \fICURLOPT_TIMECONDITION\fP). Alas, if diff --git a/include/curl/curl.h b/include/curl/curl.h index e3c6bf2..9e70d19 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -1388,8 +1388,7 @@ typedef enum { CINIT(ADDRESS_SCOPE, LONG, 171), /* Collect certificate chain info and allow it to get retrievable with - CURLINFO_CERTINFO after the transfer is complete. (Unfortunately) only - working with OpenSSL-powered builds. */ + CURLINFO_CERTINFO after the transfer is complete. */ CINIT(CERTINFO, LONG, 172), /* "name" and "pwd" to use when fetching. */ @@ -1983,6 +1982,31 @@ struct curl_certinfo { format "name: value" */ }; + +/* enum for the different SSL backends supported by cURL. */ +typedef enum { + CURLSSLBACKEND_NONE = 0, + CURLSSLBACKEND_OPENSSL = 1, + CURLSSLBACKEND_GNUTLS = 2, + CURLSSLBACKEND_NSS = 3, + CURLSSLBACKEND_QSOSSL = 4, + CURLSSLBACKEND_GSKIT = 5, + CURLSSLBACKEND_POLARSSL = 6, + CURLSSLBACKEND_CYASSL = 7, + CURLSSLBACKEND_SCHANNEL = 8, + CURLSSLBACKEND_DARWINSSL = 9 +} curl_ssl_backend; + + +/* info about the SSL library used, and the respective internal + SSL handle that can be used to extract further information about + the connection. Asked for with CURLINFO_TLS_SESSION. */ +struct curl_tlsinfo { + curl_ssl_backend ssl_backend; + void *internals; +}; + + #define CURLINFO_STRING 0x100000 #define CURLINFO_LONG 0x200000 #define CURLINFO_DOUBLE 0x300000 @@ -2034,9 +2058,10 @@ typedef enum { CURLINFO_PRIMARY_PORT = CURLINFO_LONG + 40, CURLINFO_LOCAL_IP = CURLINFO_STRING + 41, CURLINFO_LOCAL_PORT = CURLINFO_LONG + 42, + CURLINFO_TLS_SESSION = CURLINFO_SLIST + 43, /* Fill in new entries below here! */ - CURLINFO_LASTONE = 42 + CURLINFO_LASTONE = 43 } CURLINFO; /* CURLINFO_RESPONSE_CODE is the new name for the option previously known as diff --git a/lib/getinfo.c b/lib/getinfo.c index 3d09dc6..f7dc10b 100644 --- a/lib/getinfo.c +++ b/lib/getinfo.c @@ -277,7 +277,47 @@ static CURLcode getinfo_slist(struct SessionHandle *data, CURLINFO info, ptr.to_certinfo = &data->info.certs; *param_slistp = ptr.to_slist; break; + case CURLINFO_TLS_SESSION: + { + struct curl_tlsinfo * tlsinfo = (struct curl_tlsinfo *) *param_slistp; + struct connectdata * conn; + unsigned int sockindex; + tlsinfo->ssl_backend = CURLSSLBACKEND_NONE; + conn = data->easy_conn; + sockindex = 0; + /* find active ("in use") SSL connection, if any */ + while((sockindex < sizeof(conn->ssl)/sizeof(conn->ssl[0])) && + (! conn->ssl[sockindex].use)) sockindex++; + if(sockindex == sizeof(conn->ssl)/sizeof(conn->ssl[0])) + break; /* no SSL session found */ +#ifdef USE_SSLEAY + tlsinfo->ssl_backend = CURLSSLBACKEND_OPENSSL; + tlsinfo->internals = conn->ssl[sockindex].ctx; +#endif +#ifdef USE_GNUTLS + tlsinfo->ssl_backend = CURLSSLBACKEND_GNUTLS; + tlsinfo->internals = conn->ssl[sockindex].session; +#endif +#ifdef USE_NSS + tlsinfo->ssl_backend = CURLSSLBACKEND_NSS; + tlsinfo->internals = conn->ssl[sockindex].handle; +#endif +#ifdef USE_QSOSSL + tlsinfo->ssl_backend = CURLSSLBACKEND_QSOSSL; + tlsinfo->internals = conn->ssl[sockindex].handle; +#endif +#ifdef USE_GSKIT + tlsinfo->ssl_backend = CURLSSLBACKEND_GSKIT; + tlsinfo->internals = conn->ssl[sockindex].handle; +#endif + /* note: for other SSL backends, it is not immediately + clear what member(s) to return from 'struct ssl_connect_data'; + thus, for now we keep the backend on CURLSSLBACKEND_NONE in + those cases, which should be interpreted as "not supported" */ + break; + } + break; default: return CURLE_BAD_FUNCTION_ARGUMENT; } -- 1.8.4.rc3 --------------040701080700010403070903 Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html --------------040701080700010403070903--Received on 2001-09-17