From 7c7699f113844dee2abf00ee1895a144832d5135 Mon Sep 17 00:00:00 2001 From: Jason Zou Date: Thu, 5 Oct 2023 22:12:41 -0700 Subject: [PATCH] 1. patch snowflake changes on curl-8.1.2 to curl-8.3.0 2. update source versions and build versions respectively --- deps/curl-8.3.0/include/curl/curl.h | 13 + deps/curl-8.3.0/lib/Makefile.in | 60 +- deps/curl-8.3.0/lib/Makefile.inc | 8 +- deps/curl-8.3.0/lib/curl_addrinfo.c | 46 + deps/curl-8.3.0/lib/setopt.c | 26 + deps/curl-8.3.0/lib/url.c | 9 + deps/curl-8.3.0/lib/urldata.h | 3 + deps/curl-8.3.0/lib/vtls/openssl.c | 37 + deps/curl-8.3.0/lib/vtls/sf_cJSON.c | 3117 +++++++++++++++++++++ deps/curl-8.3.0/lib/vtls/sf_cJSON.h | 293 ++ deps/curl-8.3.0/lib/vtls/sf_ocsp.c | 2364 ++++++++++++++++ deps/curl-8.3.0/lib/vtls/sf_ocsp.h | 27 + deps/curl-8.3.0/winbuild/MakefileBuild.vc | 19 +- scripts/build_awssdk.bat | 2 +- scripts/build_awssdk.sh | 2 +- scripts/build_azuresdk.bat | 2 +- scripts/build_azuresdk.sh | 2 +- scripts/build_curl.bat | 4 +- scripts/build_curl.sh | 4 +- scripts/build_oob.bat | 4 +- scripts/build_oob.sh | 4 +- scripts/build_openssl.bat | 2 +- scripts/build_openssl.sh | 2 +- 23 files changed, 6025 insertions(+), 25 deletions(-) create mode 100644 deps/curl-8.3.0/lib/vtls/sf_cJSON.c create mode 100644 deps/curl-8.3.0/lib/vtls/sf_cJSON.h create mode 100644 deps/curl-8.3.0/lib/vtls/sf_ocsp.c create mode 100644 deps/curl-8.3.0/lib/vtls/sf_ocsp.h diff --git a/deps/curl-8.3.0/include/curl/curl.h b/deps/curl-8.3.0/include/curl/curl.h index 898cbda839..5e57265f6b 100644 --- a/deps/curl-8.3.0/include/curl/curl.h +++ b/deps/curl-8.3.0/include/curl/curl.h @@ -122,6 +122,10 @@ typedef void CURL; typedef void CURLSH; #endif +#ifdef __linux__ +extern char sf_enable_getaddrinfo_lock; +#endif + /* * libcurl external API function linkage decorations. */ @@ -2210,6 +2214,15 @@ typedef enum { /* set a specific client IP for HAProxy PROXY protocol header? */ CURLOPT(CURLOPT_HAPROXY_CLIENT_IP, CURLOPTTYPE_STRINGPOINT, 323), + /* Snowflake options. True if enabling ocsp check */ + CURLOPT(CURLOPT_SSL_SF_OCSP_CHECK, CURLOPTTYPE_LONG, 323), + + /* Snowflake options. True if soft fail is enabled */ + CURLOPT(CURLOPT_SSL_SF_OCSP_FAIL_OPEN, CURLOPTTYPE_LONG, 324), + + /* Snowflake options. True if OOB telemetry is enabled. Defaults to false */ + CURLOPT(CURLOPT_SSL_SF_OOB_ENABLE, CURLOPTTYPE_LONG, 325), + CURLOPT_LASTENTRY /* the last unused */ } CURLoption; diff --git a/deps/curl-8.3.0/lib/Makefile.in b/deps/curl-8.3.0/lib/Makefile.in index 7a05ddcbbc..fdfb8fbceb 100644 --- a/deps/curl-8.3.0/lib/Makefile.in +++ b/deps/curl-8.3.0/lib/Makefile.in @@ -349,7 +349,8 @@ am__objects_3 = vtls/libcurl_la-bearssl.lo vtls/libcurl_la-gtls.lo \ vtls/libcurl_la-openssl.lo vtls/libcurl_la-rustls.lo \ vtls/libcurl_la-schannel.lo vtls/libcurl_la-schannel_verify.lo \ vtls/libcurl_la-sectransp.lo vtls/libcurl_la-vtls.lo \ - vtls/libcurl_la-wolfssl.lo vtls/libcurl_la-x509asn1.lo + vtls/libcurl_la-wolfssl.lo vtls/libcurl_la-x509asn1.lo \ + vtls/libcurl_la-sf_ocsp.lo vtls/libcurl_la-sf_cJSON.lo am__objects_4 = vquic/libcurl_la-curl_msh3.lo \ vquic/libcurl_la-curl_ngtcp2.lo \ vquic/libcurl_la-curl_quiche.lo vquic/libcurl_la-vquic.lo @@ -433,7 +434,8 @@ am__objects_11 = libcurlu_la-altsvc.lo libcurlu_la-amigaos.lo \ libcurlu_la-timeval.lo libcurlu_la-transfer.lo \ libcurlu_la-url.lo libcurlu_la-urlapi.lo \ libcurlu_la-version.lo libcurlu_la-version_win32.lo \ - libcurlu_la-warnless.lo libcurlu_la-ws.lo + libcurlu_la-warnless.lo libcurlu_la-ws.lo \ + vtls/libcurl_la-sf_ocsp.lo vtls/libcurl_la-sf_cJSON.lo am__objects_12 = vauth/libcurlu_la-cleartext.lo \ vauth/libcurlu_la-cram.lo vauth/libcurlu_la-digest.lo \ vauth/libcurlu_la-digest_sspi.lo vauth/libcurlu_la-gsasl.lo \ @@ -786,6 +788,8 @@ am__depfiles_remade = ./$(DEPDIR)/libcurl_la-altsvc.Plo \ vtls/$(DEPDIR)/libcurl_la-schannel.Plo \ vtls/$(DEPDIR)/libcurl_la-schannel_verify.Plo \ vtls/$(DEPDIR)/libcurl_la-sectransp.Plo \ + vtls/$(DEPDIR)/libcurl_la-sf_cJSON.Plo \ + vtls/$(DEPDIR)/libcurl_la-sf_ocsp.Plo \ vtls/$(DEPDIR)/libcurl_la-vtls.Plo \ vtls/$(DEPDIR)/libcurl_la-wolfssl.Plo \ vtls/$(DEPDIR)/libcurl_la-x509asn1.Plo \ @@ -800,6 +804,8 @@ am__depfiles_remade = ./$(DEPDIR)/libcurl_la-altsvc.Plo \ vtls/$(DEPDIR)/libcurlu_la-schannel.Plo \ vtls/$(DEPDIR)/libcurlu_la-schannel_verify.Plo \ vtls/$(DEPDIR)/libcurlu_la-sectransp.Plo \ + vtls/$(DEPDIR)/libcurlu_la-sf_cJSON.Plo \ + vtls/$(DEPDIR)/libcurlu_la-sf_ocsp.Plo \ vtls/$(DEPDIR)/libcurlu_la-vtls.Plo \ vtls/$(DEPDIR)/libcurlu_la-wolfssl.Plo \ vtls/$(DEPDIR)/libcurlu_la-x509asn1.Plo @@ -1164,7 +1170,9 @@ LIB_VTLS_CFILES = \ vtls/sectransp.c \ vtls/vtls.c \ vtls/wolfssl.c \ - vtls/x509asn1.c + vtls/x509asn1.c \ + vtls/sf_ocsp.c \ + vtls/sf_cJSON.c LIB_VTLS_HFILES = \ vtls/bearssl.h \ @@ -1181,7 +1189,9 @@ LIB_VTLS_HFILES = \ vtls/vtls.h \ vtls/vtls_int.h \ vtls/wolfssl.h \ - vtls/x509asn1.h + vtls/x509asn1.h \ + vtls/sf_ocsp.h \ + vtls/sf_cJSON.h LIB_VQUIC_CFILES = \ vquic/curl_msh3.c \ @@ -1665,6 +1675,10 @@ vtls/libcurl_la-wolfssl.lo: vtls/$(am__dirstamp) \ vtls/$(DEPDIR)/$(am__dirstamp) vtls/libcurl_la-x509asn1.lo: vtls/$(am__dirstamp) \ vtls/$(DEPDIR)/$(am__dirstamp) +vtls/libcurl_la-sf_ocsp.lo: vtls/$(am__dirstamp) \ + vtls/$(DEPDIR)/$(am__dirstamp) +vtls/libcurl_la-sf_cJSON.lo: vtls/$(am__dirstamp) \ + vtls/$(DEPDIR)/$(am__dirstamp) vquic/$(am__dirstamp): @$(MKDIR_P) vquic @: > vquic/$(am__dirstamp) @@ -1748,6 +1762,10 @@ vtls/libcurlu_la-wolfssl.lo: vtls/$(am__dirstamp) \ vtls/$(DEPDIR)/$(am__dirstamp) vtls/libcurlu_la-x509asn1.lo: vtls/$(am__dirstamp) \ vtls/$(DEPDIR)/$(am__dirstamp) +vtls/libcurlu_la-sf_ocsp.lo: vtls/$(am__dirstamp) \ + vtls/$(DEPDIR)/$(am__dirstamp) +vtls/libcurlu_la-sf_cJSON.lo: vtls/$(am__dirstamp) \ + vtls/$(DEPDIR)/$(am__dirstamp) vquic/libcurlu_la-curl_msh3.lo: vquic/$(am__dirstamp) \ vquic/$(DEPDIR)/$(am__dirstamp) vquic/libcurlu_la-curl_ngtcp2.lo: vquic/$(am__dirstamp) \ @@ -2087,6 +2105,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-mbedtls.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-mbedtls_threadlock.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-openssl.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-sf_ocsp.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-sf_cJSON.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-rustls.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-schannel.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-schannel_verify.Plo@am__quote@ # am--include-marker @@ -2101,6 +2121,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-mbedtls.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-mbedtls_threadlock.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-openssl.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-sf_ocsp.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-sf_cJSON.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-rustls.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-schannel.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-schannel_verify.Plo@am__quote@ # am--include-marker @@ -3238,6 +3260,20 @@ vtls/libcurl_la-x509asn1.lo: vtls/x509asn1.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurl_la-x509asn1.lo `test -f 'vtls/x509asn1.c' || echo '$(srcdir)/'`vtls/x509asn1.c +vtls/libcurl_la-sf_ocsp.lo: vtls/sf_ocsp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -MT vtls/libcurl_la-sf_ocsp.lo -MD -MP -MF vtls/$(DEPDIR)/libcurl_la-sf_ocsp.Tpo -c -o vtls/libcurl_la-sf_ocsp.lo `test -f 'vtls/sf_ocsp.c' || echo '$(srcdir)/'`vtls/sf_ocsp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vtls/$(DEPDIR)/libcurl_la-sf_ocsp.Tpo vtls/$(DEPDIR)/libcurl_la-sf_ocsp.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='vtls/sf_ocsp.c' object='vtls/libcurl_la-sf_ocsp.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurl_la-sf_ocsp.lo `test -f 'vtls/sf_ocsp.c' || echo '$(srcdir)/'`vtls/sf_ocsp.c + +vtls/libcurl_la-sf_cJSON.lo: vtls/sf_cJSON.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -MT vtls/libcurl_la-sf_cJSON.lo -MD -MP -MF vtls/$(DEPDIR)/libcurl_la-sf_cJSON.Tpo -c -o vtls/libcurl_la-sf_cJSON.lo `test -f 'vtls/sf_cJSON.c' || echo '$(srcdir)/'`vtls/sf_cJSON.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vtls/$(DEPDIR)/libcurl_la-sf_cJSON.Tpo vtls/$(DEPDIR)/libcurl_la-sf_cJSON.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='vtls/sf_cJSON.c' object='vtls/libcurl_la-sf_cJSON.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurl_la-sf_cJSON.lo `test -f 'vtls/sf_cJSON.c' || echo '$(srcdir)/'`vtls/sf_cJSON.c + vquic/libcurl_la-curl_msh3.lo: vquic/curl_msh3.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -MT vquic/libcurl_la-curl_msh3.lo -MD -MP -MF vquic/$(DEPDIR)/libcurl_la-curl_msh3.Tpo -c -o vquic/libcurl_la-curl_msh3.lo `test -f 'vquic/curl_msh3.c' || echo '$(srcdir)/'`vquic/curl_msh3.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vquic/$(DEPDIR)/libcurl_la-curl_msh3.Tpo vquic/$(DEPDIR)/libcurl_la-curl_msh3.Plo @@ -4386,6 +4422,20 @@ vtls/libcurlu_la-x509asn1.lo: vtls/x509asn1.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurlu_la-x509asn1.lo `test -f 'vtls/x509asn1.c' || echo '$(srcdir)/'`vtls/x509asn1.c +vtls/libcurlu_la-sf_ocsp.lo: vtls/sf_ocsp.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -MT vtls/libcurlu_la-sf_ocsp.lo -MD -MP -MF vtls/$(DEPDIR)/libcurlu_la-sf_ocsp.Tpo -c -o vtls/libcurlu_la-sf_ocsp.lo `test -f 'vtls/sf_ocsp.c' || echo '$(srcdir)/'`vtls/sf_ocsp.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vtls/$(DEPDIR)/libcurlu_la-sf_ocsp.Tpo vtls/$(DEPDIR)/libcurlu_la-sf_ocsp.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='vtls/sf_ocsp.c' object='vtls/libcurlu_la-sf_ocsp.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurlu_la-sf_ocsp.lo `test -f 'vtls/sf_ocsp.c' || echo '$(srcdir)/'`vtls/sf_ocsp.c + +vtls/libcurlu_la-sf_cJSON.lo: vtls/sf_cJSON.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -MT vtls/libcurlu_la-sf_cJSON.lo -MD -MP -MF vtls/$(DEPDIR)/libcurlu_la-sf_cJSON.Tpo -c -o vtls/libcurlu_la-sf_cJSON.lo `test -f 'vtls/sf_cJSON.c' || echo '$(srcdir)/'`vtls/sf_cJSON.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vtls/$(DEPDIR)/libcurlu_la-sf_cJSON.Tpo vtls/$(DEPDIR)/libcurlu_la-sf_cJSON.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='vtls/sf_cJSON.c' object='vtls/libcurlu_la-sf_cJSON.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurlu_la-sf_cJSON.lo `test -f 'vtls/sf_cJSON.c' || echo '$(srcdir)/'`vtls/sf_cJSON.c + vquic/libcurlu_la-curl_msh3.lo: vquic/curl_msh3.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -MT vquic/libcurlu_la-curl_msh3.lo -MD -MP -MF vquic/$(DEPDIR)/libcurlu_la-curl_msh3.Tpo -c -o vquic/libcurlu_la-curl_msh3.lo `test -f 'vquic/curl_msh3.c' || echo '$(srcdir)/'`vquic/curl_msh3.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vquic/$(DEPDIR)/libcurlu_la-curl_msh3.Tpo vquic/$(DEPDIR)/libcurlu_la-curl_msh3.Plo @@ -5337,7 +5387,7 @@ uninstall-am: uninstall-libLTLIBRARIES checksrc: $(CHECKSRC)(@PERL@ $(top_srcdir)/scripts/checksrc.pl -D$(srcdir) \ -W$(srcdir)/curl_config.h $(srcdir)/*.[ch] $(srcdir)/vauth/*.[ch] \ - $(srcdir)/vtls/*.[ch] $(srcdir)/vquic/*.[ch] $(srcdir)/vssh/*.[ch]) + $(srcdir)/vquic/*.[ch] $(srcdir)/vssh/*.[ch]) # for debug builds, we scan the sources on all regular make invokes @CURLDEBUG_TRUE@all-local: checksrc diff --git a/deps/curl-8.3.0/lib/Makefile.inc b/deps/curl-8.3.0/lib/Makefile.inc index a08180b531..f0461774a2 100644 --- a/deps/curl-8.3.0/lib/Makefile.inc +++ b/deps/curl-8.3.0/lib/Makefile.inc @@ -56,7 +56,9 @@ LIB_VTLS_CFILES = \ vtls/sectransp.c \ vtls/vtls.c \ vtls/wolfssl.c \ - vtls/x509asn1.c + vtls/x509asn1.c \ + vtls/sf_ocsp.c \ + vtls/sf_cJSON.c LIB_VTLS_HFILES = \ vtls/bearssl.h \ @@ -73,7 +75,9 @@ LIB_VTLS_HFILES = \ vtls/vtls.h \ vtls/vtls_int.h \ vtls/wolfssl.h \ - vtls/x509asn1.h + vtls/x509asn1.h \ + vtls/sf_ocsp.h \ + vtls/sf_cJSON.h LIB_VQUIC_CFILES = \ vquic/curl_msh3.c \ diff --git a/deps/curl-8.3.0/lib/curl_addrinfo.c b/deps/curl-8.3.0/lib/curl_addrinfo.c index f9211d3f57..765199f96e 100644 --- a/deps/curl-8.3.0/lib/curl_addrinfo.c +++ b/deps/curl-8.3.0/lib/curl_addrinfo.c @@ -47,6 +47,10 @@ # include #endif +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) +#include +#endif + #include #include "curl_addrinfo.h" @@ -86,6 +90,15 @@ Curl_freeaddrinfo(struct Curl_addrinfo *cahead) } } +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) +static void Curl_print_pthread_error(int error) +{ + printf("pthread mutex_raw error no is: %d\n", error); + if(error == EINVAL) { + printf("the mutex has not been properly initialized.\n"); + } +} +#endif #ifdef HAVE_GETADDRINFO /* @@ -102,6 +115,16 @@ Curl_freeaddrinfo(struct Curl_addrinfo *cahead) * whole library, any such call should be 'routed' through this one. */ + /* + * SNOW-119090 where application is not pthread compatible causing + * libnss_file.so being loaded before the pthread and SEGFAULT when + * calling getaddrinfo(). + */ +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) +static pthread_mutex_t sf_getaddrinfo_mutex = PTHREAD_MUTEX_INITIALIZER; +char sf_enable_getaddrinfo_lock = 0; +#endif + int Curl_getaddrinfo_ex(const char *nodename, const char *servname, @@ -115,9 +138,22 @@ Curl_getaddrinfo_ex(const char *nodename, struct Curl_addrinfo *ca; size_t ss_size; int error; +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) + int mutex_error; +#endif *result = NULL; /* assume failure */ +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) + if(sf_enable_getaddrinfo_lock == 1) { + mutex_error = pthread_mutex_lock(&sf_getaddrinfo_mutex); + if(mutex_error) { + Curl_print_pthread_error(mutex_error); + return mutex_error; + } + } +#endif + error = getaddrinfo(nodename, servname, hints, &aihead); if(error) return error; @@ -186,6 +222,16 @@ Curl_getaddrinfo_ex(const char *nodename, if(aihead) freeaddrinfo(aihead); +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) + if(sf_enable_getaddrinfo_lock == 1) { + mutex_error = pthread_mutex_unlock(&sf_getaddrinfo_mutex); + if(mutex_error) { + Curl_print_pthread_error(mutex_error); + error = mutex_error; + } + } +#endif + /* if we failed, also destroy the Curl_addrinfo list */ if(error) { Curl_freeaddrinfo(cafirst); diff --git a/deps/curl-8.3.0/lib/setopt.c b/deps/curl-8.3.0/lib/setopt.c index 2cef1b3d82..4271a7684d 100644 --- a/deps/curl-8.3.0/lib/setopt.c +++ b/deps/curl-8.3.0/lib/setopt.c @@ -2036,6 +2036,32 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) TRUE : FALSE; break; #endif + case CURLOPT_SSL_SF_OCSP_CHECK: + data->set.ssl.primary.sf_ocsp_check = (0 != va_arg(param, long)) ? + TRUE : FALSE; + /* Update the current connection ssl_config. */ + if(data->conn) { + data->conn->ssl_config.sf_ocsp_check = + data->set.ssl.primary.sf_ocsp_check; + } + break; + case CURLOPT_SSL_SF_OCSP_FAIL_OPEN: + data->set.ssl.primary.sf_ocsp_failopen = (0 != va_arg(param, long)) ? + TRUE:FALSE; + if(data->conn) { + data->conn->ssl_config.sf_ocsp_failopen = + data->set.ssl.primary.sf_ocsp_failopen; + } + break; + case CURLOPT_SSL_SF_OOB_ENABLE: + data->set.ssl.primary.sf_oob_enable = (0 != va_arg(param, long)) ? + TRUE : FALSE; + /* Update the current connection ssl_config. */ + if(data->conn) { + data->conn->ssl_config.sf_oob_enable = + data->set.ssl.primary.sf_oob_enable; + } + break; case CURLOPT_SSL_CTX_FUNCTION: /* * Set a SSL_CTX callback diff --git a/deps/curl-8.3.0/lib/url.c b/deps/curl-8.3.0/lib/url.c index 4f5673ed0d..e331c1280e 100644 --- a/deps/curl-8.3.0/lib/url.c +++ b/deps/curl-8.3.0/lib/url.c @@ -1565,12 +1565,21 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; + conn->ssl_config.sf_ocsp_check = data->set.ssl.primary.sf_ocsp_check; + conn->ssl_config.sf_ocsp_failopen = data->set.ssl.primary.sf_ocsp_failopen; + conn->ssl_config.sf_oob_enable = data->set.ssl.primary.sf_oob_enable; #ifndef CURL_DISABLE_PROXY conn->proxy_ssl_config.verifystatus = data->set.proxy_ssl.primary.verifystatus; conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; + conn->proxy_ssl_config.sf_ocsp_check = + data->set.proxy_ssl.primary.sf_ocsp_check; + conn->proxy_ssl_config.sf_ocsp_failopen = + data->set.proxy_ssl.primary.sf_ocsp_failopen; + conn->proxy_ssl_config.sf_oob_enable = + data->set.proxy_ssl.primary.sf_oob_enable; #endif conn->ip_version = data->set.ipver; conn->connect_only = data->set.connect_only; diff --git a/deps/curl-8.3.0/lib/urldata.h b/deps/curl-8.3.0/lib/urldata.h index 4bfb3b48d2..57460c8ae3 100644 --- a/deps/curl-8.3.0/lib/urldata.h +++ b/deps/curl-8.3.0/lib/urldata.h @@ -267,6 +267,9 @@ typedef enum { struct ssl_backend_data; struct ssl_primary_config { + bool sf_ocsp_check; /* set TRUE if client side ocsp check is enabled */ + bool sf_ocsp_failopen; /* set FALSE if failopen has to be disabled.*/ + bool sf_oob_enable; /* set TRUE if OOB telemetry is enabled.*/ char *CApath; /* certificate dir (doesn't work on windows) */ char *CAfile; /* certificate to verify peer against */ char *issuercert; /* optional issuer certificate filename */ diff --git a/deps/curl-8.3.0/lib/vtls/openssl.c b/deps/curl-8.3.0/lib/vtls/openssl.c index a12e712b16..39d20435f5 100644 --- a/deps/curl-8.3.0/lib/vtls/openssl.c +++ b/deps/curl-8.3.0/lib/vtls/openssl.c @@ -63,6 +63,7 @@ #include "multiif.h" #include "strerror.h" #include "curl_printf.h" +#include "sf_ocsp.h" #include #include @@ -1738,6 +1739,9 @@ static int ossl_init(void) Curl_tls_keylog_open(); + /* init Cert OCSP revocation checks */ + initCertOCSP(); + return 1; } @@ -4092,6 +4096,39 @@ static CURLcode servercert(struct Curl_cfilter *cf, return CURLE_PEER_FAILED_VERIFICATION; } + /* !!! Starting Snowflake OCSP !!! */ + if (conn_config->sf_ocsp_check) + { + STACK_OF(X509) *ch = NULL; + X509_STORE *st = NULL; + + ch = SSL_get_peer_cert_chain(backend->handle); + if (!ch) + { + failf(data, "Out of memory. Failed to get certificate chain"); + X509_free(backend->server_cert); + backend->server_cert = NULL; + return CURLE_OUT_OF_MEMORY; + } + st = SSL_CTX_get_cert_store(backend->ctx); + if (!st) + { + failf(data, "NULL data store"); + X509_free(backend->server_cert); + backend->server_cert = NULL; + return CURLE_SSL_INVALIDCERTSTATUS; + } + + result = checkCertOCSP(conn, data, ch, st, conn_config->sf_ocsp_failopen, conn_config->sf_oob_enable); + if (result) + { + X509_free(backend->server_cert); + backend->server_cert = NULL; + return result; + } + } + /* !!! End of Snowflake OCSP !!! */ + infof(data, "%s certificate:", Curl_ssl_cf_is_proxy(cf)? "Proxy" : "Server"); diff --git a/deps/curl-8.3.0/lib/vtls/sf_cJSON.c b/deps/curl-8.3.0/lib/vtls/sf_cJSON.c new file mode 100644 index 0000000000..7f51ebdbef --- /dev/null +++ b/deps/curl-8.3.0/lib/vtls/sf_cJSON.c @@ -0,0 +1,3117 @@ +/* + Copyright (c) 2009-2017 Dave Gamble and cJSON contributors + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +*/ + +/* cJSON */ +/* JSON parser in C. */ + +/* disable warnings about old C89 functions in MSVC */ +#if !defined(_CRT_SECURE_NO_DEPRECATE) && defined(_MSC_VER) +#define _CRT_SECURE_NO_DEPRECATE +#endif + +#ifdef __GNUC__ +#pragma GCC visibility push(default) +#endif +#if defined(_MSC_VER) +#pragma warning (push) +/* disable warning about single line comments in system headers */ +#pragma warning (disable : 4001) +#endif + +#include +#include +#include +#include +#include +#include +#include + +#ifdef ENABLE_LOCALES +#include +#endif + +#if defined(_MSC_VER) +#pragma warning (pop) +#endif +#ifdef __GNUC__ +#pragma GCC visibility pop +#endif + +#include "curl_setup.h" +#include "strcase.h" +#include "sf_cJSON.h" + +/* ignoring float value comparison warning */ +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wfloat-equal" + +/* define our own boolean type */ +#ifdef true +#undef true +#endif +#define true ((cJSON_bool)1) + +#ifdef false +#undef false +#endif +#define false ((cJSON_bool)0) + +/* define isnan and isinf for ANSI C, if in C99 or above, isnan and isinf has been defined in math.h */ +#ifndef isinf +#define isinf(d) (isnan((d - d)) && !isnan(d)) +#endif +#ifndef isnan +#define isnan(d) (d != d) +#endif + +#ifndef NAN +#ifdef _WIN32 +#define NAN sqrt(-1.0) +#else +#define NAN 0.0/0.0 +#endif +#endif + +typedef struct { + const unsigned char *json; + size_t position; +} error; +static error global_error = { NULL, 0 }; + +CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void) +{ + return (const char*) (global_error.json + global_error.position); +} + +CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item) +{ + if (!cJSON_IsString(item)) + { + return NULL; + } + + return item->valuestring; +} + +CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item) +{ + if (!cJSON_IsNumber(item)) + { + return (double) NAN; + } + + return item->valuedouble; +} + +/* This is a safeguard to prevent copy-pasters from using incompatible C and header files */ +#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 15) + #error cJSON.h and cJSON.c have different versions. Make sure that both have the same. +#endif + +CJSON_PUBLIC(const char*) cJSON_Version(void) +{ + static char version[15]; + sprintf(version, "%i.%i.%i", CJSON_VERSION_MAJOR, CJSON_VERSION_MINOR, CJSON_VERSION_PATCH); + + return version; +} + +/* Case insensitive string comparison, doesn't consider two NULL pointers equal though */ +static int case_insensitive_strcmp(const unsigned char *string1, const unsigned char *string2) +{ + if ((string1 == NULL) || (string2 == NULL)) + { + return 1; + } + + if (string1 == string2) + { + return 0; + } + + for(; Curl_raw_tolower(*string1) == Curl_raw_tolower(*string2); (void)string1++, string2++) + { + if (*string1 == '\0') + { + return 0; + } + } + + return Curl_raw_tolower(*string1) - Curl_raw_tolower(*string2); +} + +typedef struct internal_hooks +{ + void *(CJSON_CDECL *allocate)(size_t size); + void (CJSON_CDECL *deallocate)(void *pointer); + void *(CJSON_CDECL *reallocate)(void *pointer, size_t size); +} internal_hooks; + +#if defined(_MSC_VER) +/* work around MSVC error C2322: '...' address of dllimport '...' is not static */ +static void * CJSON_CDECL internal_malloc(size_t size) +{ + return malloc(size); +} +static void CJSON_CDECL internal_free(void *pointer) +{ + free(pointer); +} +static void * CJSON_CDECL internal_realloc(void *pointer, size_t size) +{ + return realloc(pointer, size); +} +#else +#define internal_malloc malloc +#define internal_free free +#define internal_realloc realloc +#endif + +/* strlen of character literals resolved at compile time */ +#define static_strlen(string_literal) (sizeof(string_literal) - sizeof("")) + +static internal_hooks global_hooks = { internal_malloc, internal_free, internal_realloc }; + +static unsigned char* cJSON_strdup(const unsigned char* string, const internal_hooks * const hooks) +{ + size_t length = 0; + unsigned char *copy = NULL; + + if (string == NULL) + { + return NULL; + } + + length = strlen((const char*)string) + sizeof(""); + copy = (unsigned char*)hooks->allocate(length); + if (copy == NULL) + { + return NULL; + } + memcpy(copy, string, length); + + return copy; +} + +CJSON_PUBLIC(void) cJSON_InitHooks(cJSON_Hooks* hooks) +{ + if (hooks == NULL) + { + /* Reset hooks */ + global_hooks.allocate = malloc; + global_hooks.deallocate = free; + global_hooks.reallocate = realloc; + return; + } + + global_hooks.allocate = malloc; + if (hooks->malloc_fn != NULL) + { + global_hooks.allocate = hooks->malloc_fn; + } + + global_hooks.deallocate = free; + if (hooks->free_fn != NULL) + { + global_hooks.deallocate = hooks->free_fn; + } + + /* use realloc only if both free and malloc are used */ + global_hooks.reallocate = NULL; + if ((global_hooks.allocate == malloc) && (global_hooks.deallocate == free)) + { + global_hooks.reallocate = realloc; + } +} + +/* Internal constructor. */ +static cJSON *cJSON_New_Item(const internal_hooks * const hooks) +{ + cJSON* node = (cJSON*)hooks->allocate(sizeof(cJSON)); + if (node) + { + memset(node, '\0', sizeof(cJSON)); + } + + return node; +} + +/* Delete a cJSON structure. */ +CJSON_PUBLIC(void) cJSON_Delete(cJSON *item) +{ + cJSON *next = NULL; + while (item != NULL) + { + next = item->next; + if (!(item->type & cJSON_IsReference) && (item->child != NULL)) + { + cJSON_Delete(item->child); + } + if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL)) + { + global_hooks.deallocate(item->valuestring); + } + if (!(item->type & cJSON_StringIsConst) && (item->string != NULL)) + { + global_hooks.deallocate(item->string); + } + global_hooks.deallocate(item); + item = next; + } +} + +/* get the decimal point character of the current locale */ +static unsigned char get_decimal_point(void) +{ +#ifdef ENABLE_LOCALES + struct lconv *lconv = localeconv(); + return (unsigned char) lconv->decimal_point[0]; +#else + return '.'; +#endif +} + +typedef struct +{ + const unsigned char *content; + size_t length; + size_t offset; + size_t depth; /* How deeply nested (in arrays/objects) is the input at the current offset. */ + internal_hooks hooks; +} parse_buffer; + +/* check if the given size is left to read in a given parse buffer (starting with 1) */ +#define can_read(buffer, size) ((buffer != NULL) && (((buffer)->offset + size) <= (buffer)->length)) +/* check if the buffer can be accessed at the given index (starting with 0) */ +#define can_access_at_index(buffer, index) ((buffer != NULL) && (((buffer)->offset + index) < (buffer)->length)) +#define cannot_access_at_index(buffer, index) (!can_access_at_index(buffer, index)) +/* get a pointer to the buffer at the position */ +#define buffer_at_offset(buffer) ((buffer)->content + (buffer)->offset) + +/* Parse the input text to generate a number, and populate the result into item. */ +static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_buffer) +{ + double number = 0; + unsigned char *after_end = NULL; + unsigned char number_c_string[64]; + unsigned char decimal_point = get_decimal_point(); + size_t i = 0; + + if ((input_buffer == NULL) || (input_buffer->content == NULL)) + { + return false; + } + + /* copy the number into a temporary buffer and replace '.' with the decimal point + * of the current locale (for strtod) + * This also takes care of '\0' not necessarily being available for marking the end of the input */ + for (i = 0; (i < (sizeof(number_c_string) - 1)) && can_access_at_index(input_buffer, i); i++) + { + switch (buffer_at_offset(input_buffer)[i]) + { + case '0': + case '1': + case '2': + case '3': + case '4': + case '5': + case '6': + case '7': + case '8': + case '9': + case '+': + case '-': + case 'e': + case 'E': + number_c_string[i] = buffer_at_offset(input_buffer)[i]; + break; + + case '.': + number_c_string[i] = decimal_point; + break; + + default: + goto loop_end; + } + } +loop_end: + number_c_string[i] = '\0'; + + number = strtod((const char*)number_c_string, (char**)&after_end); + if (number_c_string == after_end) + { + return false; /* parse_error */ + } + + item->valuedouble = number; + + /* use saturation in case of overflow */ + if (number >= INT_MAX) + { + item->valueint = INT_MAX; + } + else if (number <= (double)INT_MIN) + { + item->valueint = INT_MIN; + } + else + { + item->valueint = (int)number; + } + + item->type = cJSON_Number; + + input_buffer->offset += (size_t)(after_end - number_c_string); + return true; +} + +/* don't ask me, but the original cJSON_SetNumberValue returns an integer or double */ +CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number) +{ + if (number >= INT_MAX) + { + object->valueint = INT_MAX; + } + else if (number <= (double)INT_MIN) + { + object->valueint = INT_MIN; + } + else + { + object->valueint = (int)number; + } + + return object->valuedouble = number; +} + +CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) +{ + char *copy = NULL; + /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ + if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) + { + return NULL; + } + if (strlen(valuestring) <= strlen(object->valuestring)) + { + strcpy(object->valuestring, valuestring); + return object->valuestring; + } + copy = (char*) cJSON_strdup((const unsigned char*)valuestring, &global_hooks); + if (copy == NULL) + { + return NULL; + } + if (object->valuestring != NULL) + { + cJSON_free(object->valuestring); + } + object->valuestring = copy; + + return copy; +} + +typedef struct +{ + unsigned char *buffer; + size_t length; + size_t offset; + size_t depth; /* current nesting depth (for formatted printing) */ + cJSON_bool noalloc; + cJSON_bool format; /* is this print a formatted print */ + internal_hooks hooks; +} printbuffer; + +/* realloc printbuffer if necessary to have at least "needed" bytes more */ +static unsigned char* ensure(printbuffer * const p, size_t needed) +{ + unsigned char *newbuffer = NULL; + size_t newsize = 0; + + if ((p == NULL) || (p->buffer == NULL)) + { + return NULL; + } + + if ((p->length > 0) && (p->offset >= p->length)) + { + /* make sure that offset is valid */ + return NULL; + } + + if (needed > INT_MAX) + { + /* sizes bigger than INT_MAX are currently not supported */ + return NULL; + } + + needed += p->offset + 1; + if (needed <= p->length) + { + return p->buffer + p->offset; + } + + if (p->noalloc) { + return NULL; + } + + /* calculate new buffer size */ + if (needed > (INT_MAX / 2)) + { + /* overflow of int, use INT_MAX if possible */ + if (needed <= INT_MAX) + { + newsize = INT_MAX; + } + else + { + return NULL; + } + } + else + { + newsize = needed * 2; + } + + if (p->hooks.reallocate != NULL) + { + /* reallocate with realloc if available */ + newbuffer = (unsigned char*)p->hooks.reallocate(p->buffer, newsize); + if (newbuffer == NULL) + { + p->hooks.deallocate(p->buffer); + p->length = 0; + p->buffer = NULL; + + return NULL; + } + } + else + { + /* otherwise reallocate manually */ + newbuffer = (unsigned char*)p->hooks.allocate(newsize); + if (!newbuffer) + { + p->hooks.deallocate(p->buffer); + p->length = 0; + p->buffer = NULL; + + return NULL; + } + + memcpy(newbuffer, p->buffer, p->offset + 1); + p->hooks.deallocate(p->buffer); + } + p->length = newsize; + p->buffer = newbuffer; + + return newbuffer + p->offset; +} + +/* calculate the new length of the string in a printbuffer and update the offset */ +static void update_offset(printbuffer * const buffer) +{ + const unsigned char *buffer_pointer = NULL; + if ((buffer == NULL) || (buffer->buffer == NULL)) + { + return; + } + buffer_pointer = buffer->buffer + buffer->offset; + + buffer->offset += strlen((const char*)buffer_pointer); +} + +/* securely comparison of floating-point variables */ +static cJSON_bool compare_double(double a, double b) +{ + double maxVal = fabs(a) > fabs(b) ? fabs(a) : fabs(b); + return (fabs(a - b) <= maxVal * DBL_EPSILON); +} + +/* Render the number nicely from the given item into a string. */ +static cJSON_bool print_number(const cJSON * const item, printbuffer * const output_buffer) +{ + unsigned char *output_pointer = NULL; + double d = item->valuedouble; + int length = 0; + size_t i = 0; + unsigned char number_buffer[26] = {0}; /* temporary buffer to print the number into */ + unsigned char decimal_point = get_decimal_point(); + double test = 0.0; + + if (output_buffer == NULL) + { + return false; + } + + /* This checks for NaN and Infinity */ + if (isnan(d) || isinf(d)) + { + length = sprintf((char*)number_buffer, "null"); + } + else + { + /* Try 15 decimal places of precision to avoid nonsignificant nonzero digits */ + length = sprintf((char*)number_buffer, "%1.15g", d); + + /* Check whether the original double can be recovered */ + if ((sscanf((char*)number_buffer, "%lg", &test) != 1) || !compare_double((double)test, d)) + { + /* If not, print with 17 decimal places of precision */ + length = sprintf((char*)number_buffer, "%1.17g", d); + } + } + + /* sprintf failed or buffer overrun occurred */ + if ((length < 0) || (length > (int)(sizeof(number_buffer) - 1))) + { + return false; + } + + /* reserve appropriate space in the output */ + output_pointer = ensure(output_buffer, (size_t)length + sizeof("")); + if (output_pointer == NULL) + { + return false; + } + + /* copy the printed number to the output and replace locale + * dependent decimal point with '.' */ + for (i = 0; i < ((size_t)length); i++) + { + if (number_buffer[i] == decimal_point) + { + output_pointer[i] = '.'; + continue; + } + + output_pointer[i] = number_buffer[i]; + } + output_pointer[i] = '\0'; + + output_buffer->offset += (size_t)length; + + return true; +} + +/* parse 4 digit hexadecimal number */ +static unsigned parse_hex4(const unsigned char * const input) +{ + unsigned int h = 0; + size_t i = 0; + + for (i = 0; i < 4; i++) + { + /* parse digit */ + if ((input[i] >= '0') && (input[i] <= '9')) + { + h += (unsigned int) input[i] - '0'; + } + else if ((input[i] >= 'A') && (input[i] <= 'F')) + { + h += (unsigned int) 10 + input[i] - 'A'; + } + else if ((input[i] >= 'a') && (input[i] <= 'f')) + { + h += (unsigned int) 10 + input[i] - 'a'; + } + else /* invalid */ + { + return 0; + } + + if (i < 3) + { + /* shift left to make place for the next nibble */ + h = h << 4; + } + } + + return h; +} + +/* converts a UTF-16 literal to UTF-8 + * A literal can be one or two sequences of the form \uXXXX */ +static unsigned char utf16_literal_to_utf8(const unsigned char * const input_pointer, const unsigned char * const input_end, unsigned char **output_pointer) +{ + long unsigned int codepoint = 0; + unsigned int first_code = 0; + const unsigned char *first_sequence = input_pointer; + unsigned char utf8_length = 0; + unsigned char utf8_position = 0; + unsigned char sequence_length = 0; + unsigned char first_byte_mark = 0; + + if ((input_end - first_sequence) < 6) + { + /* input ends unexpectedly */ + goto fail; + } + + /* get the first utf16 sequence */ + first_code = parse_hex4(first_sequence + 2); + + /* check that the code is valid */ + if (((first_code >= 0xDC00) && (first_code <= 0xDFFF))) + { + goto fail; + } + + /* UTF16 surrogate pair */ + if ((first_code >= 0xD800) && (first_code <= 0xDBFF)) + { + const unsigned char *second_sequence = first_sequence + 6; + unsigned int second_code = 0; + sequence_length = 12; /* \uXXXX\uXXXX */ + + if ((input_end - second_sequence) < 6) + { + /* input ends unexpectedly */ + goto fail; + } + + if ((second_sequence[0] != '\\') || (second_sequence[1] != 'u')) + { + /* missing second half of the surrogate pair */ + goto fail; + } + + /* get the second utf16 sequence */ + second_code = parse_hex4(second_sequence + 2); + /* check that the code is valid */ + if ((second_code < 0xDC00) || (second_code > 0xDFFF)) + { + /* invalid second half of the surrogate pair */ + goto fail; + } + + + /* calculate the unicode codepoint from the surrogate pair */ + codepoint = 0x10000 + (((first_code & 0x3FF) << 10) | (second_code & 0x3FF)); + } + else + { + sequence_length = 6; /* \uXXXX */ + codepoint = first_code; + } + + /* encode as UTF-8 + * takes at maximum 4 bytes to encode: + * 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx */ + if (codepoint < 0x80) + { + /* normal ascii, encoding 0xxxxxxx */ + utf8_length = 1; + } + else if (codepoint < 0x800) + { + /* two bytes, encoding 110xxxxx 10xxxxxx */ + utf8_length = 2; + first_byte_mark = 0xC0; /* 11000000 */ + } + else if (codepoint < 0x10000) + { + /* three bytes, encoding 1110xxxx 10xxxxxx 10xxxxxx */ + utf8_length = 3; + first_byte_mark = 0xE0; /* 11100000 */ + } + else if (codepoint <= 0x10FFFF) + { + /* four bytes, encoding 1110xxxx 10xxxxxx 10xxxxxx 10xxxxxx */ + utf8_length = 4; + first_byte_mark = 0xF0; /* 11110000 */ + } + else + { + /* invalid unicode codepoint */ + goto fail; + } + + /* encode as utf8 */ + for (utf8_position = (unsigned char)(utf8_length - 1); utf8_position > 0; utf8_position--) + { + /* 10xxxxxx */ + (*output_pointer)[utf8_position] = (unsigned char)((codepoint | 0x80) & 0xBF); + codepoint >>= 6; + } + /* encode first byte */ + if (utf8_length > 1) + { + (*output_pointer)[0] = (unsigned char)((codepoint | first_byte_mark) & 0xFF); + } + else + { + (*output_pointer)[0] = (unsigned char)(codepoint & 0x7F); + } + + *output_pointer += utf8_length; + + return sequence_length; + +fail: + return 0; +} + +/* Parse the input text into an unescaped cinput, and populate item. */ +static cJSON_bool parse_string(cJSON * const item, parse_buffer * const input_buffer) +{ + const unsigned char *input_pointer = buffer_at_offset(input_buffer) + 1; + const unsigned char *input_end = buffer_at_offset(input_buffer) + 1; + unsigned char *output_pointer = NULL; + unsigned char *output = NULL; + + /* not a string */ + if (buffer_at_offset(input_buffer)[0] != '\"') + { + goto fail; + } + + { + /* calculate approximate size of the output (overestimate) */ + size_t allocation_length = 0; + size_t skipped_bytes = 0; + while (((size_t)(input_end - input_buffer->content) < input_buffer->length) && (*input_end != '\"')) + { + /* is escape sequence */ + if (input_end[0] == '\\') + { + if ((size_t)(input_end + 1 - input_buffer->content) >= input_buffer->length) + { + /* prevent buffer overflow when last input character is a backslash */ + goto fail; + } + skipped_bytes++; + input_end++; + } + input_end++; + } + if (((size_t)(input_end - input_buffer->content) >= input_buffer->length) || (*input_end != '\"')) + { + goto fail; /* string ended unexpectedly */ + } + + /* This is at most how much we need for the output */ + allocation_length = (size_t) (input_end - buffer_at_offset(input_buffer)) - skipped_bytes; + output = (unsigned char*)input_buffer->hooks.allocate(allocation_length + sizeof("")); + if (output == NULL) + { + goto fail; /* allocation failure */ + } + } + + output_pointer = output; + /* loop through the string literal */ + while (input_pointer < input_end) + { + if (*input_pointer != '\\') + { + *output_pointer++ = *input_pointer++; + } + /* escape sequence */ + else + { + unsigned char sequence_length = 2; + if ((input_end - input_pointer) < 1) + { + goto fail; + } + + switch (input_pointer[1]) + { + case 'b': + *output_pointer++ = '\b'; + break; + case 'f': + *output_pointer++ = '\f'; + break; + case 'n': + *output_pointer++ = '\n'; + break; + case 'r': + *output_pointer++ = '\r'; + break; + case 't': + *output_pointer++ = '\t'; + break; + case '\"': + case '\\': + case '/': + *output_pointer++ = input_pointer[1]; + break; + + /* UTF-16 literal */ + case 'u': + sequence_length = utf16_literal_to_utf8(input_pointer, input_end, &output_pointer); + if (sequence_length == 0) + { + /* failed to convert UTF16-literal to UTF-8 */ + goto fail; + } + break; + + default: + goto fail; + } + input_pointer += sequence_length; + } + } + + /* zero terminate the output */ + *output_pointer = '\0'; + + item->type = cJSON_String; + item->valuestring = (char*)output; + + input_buffer->offset = (size_t) (input_end - input_buffer->content); + input_buffer->offset++; + + return true; + +fail: + if (output != NULL) + { + input_buffer->hooks.deallocate(output); + } + + if (input_pointer != NULL) + { + input_buffer->offset = (size_t)(input_pointer - input_buffer->content); + } + + return false; +} + +/* Render the cstring provided to an escaped version that can be printed. */ +static cJSON_bool print_string_ptr(const unsigned char * const input, printbuffer * const output_buffer) +{ + const unsigned char *input_pointer = NULL; + unsigned char *output = NULL; + unsigned char *output_pointer = NULL; + size_t output_length = 0; + /* numbers of additional characters needed for escaping */ + size_t escape_characters = 0; + + if (output_buffer == NULL) + { + return false; + } + + /* empty string */ + if (input == NULL) + { + output = ensure(output_buffer, sizeof("\"\"")); + if (output == NULL) + { + return false; + } + strcpy((char*)output, "\"\""); + + return true; + } + + /* set "flag" to 1 if something needs to be escaped */ + for (input_pointer = input; *input_pointer; input_pointer++) + { + switch (*input_pointer) + { + case '\"': + case '\\': + case '\b': + case '\f': + case '\n': + case '\r': + case '\t': + /* one character escape sequence */ + escape_characters++; + break; + default: + if (*input_pointer < 32) + { + /* UTF-16 escape sequence uXXXX */ + escape_characters += 5; + } + break; + } + } + output_length = (size_t)(input_pointer - input) + escape_characters; + + output = ensure(output_buffer, output_length + sizeof("\"\"")); + if (output == NULL) + { + return false; + } + + /* no characters have to be escaped */ + if (escape_characters == 0) + { + output[0] = '\"'; + memcpy(output + 1, input, output_length); + output[output_length + 1] = '\"'; + output[output_length + 2] = '\0'; + + return true; + } + + output[0] = '\"'; + output_pointer = output + 1; + /* copy the string */ + for (input_pointer = input; *input_pointer != '\0'; (void)input_pointer++, output_pointer++) + { + if ((*input_pointer > 31) && (*input_pointer != '\"') && (*input_pointer != '\\')) + { + /* normal character, copy */ + *output_pointer = *input_pointer; + } + else + { + /* character needs to be escaped */ + *output_pointer++ = '\\'; + switch (*input_pointer) + { + case '\\': + *output_pointer = '\\'; + break; + case '\"': + *output_pointer = '\"'; + break; + case '\b': + *output_pointer = 'b'; + break; + case '\f': + *output_pointer = 'f'; + break; + case '\n': + *output_pointer = 'n'; + break; + case '\r': + *output_pointer = 'r'; + break; + case '\t': + *output_pointer = 't'; + break; + default: + /* escape and print as unicode codepoint */ + sprintf((char*)output_pointer, "u%04x", *input_pointer); + output_pointer += 4; + break; + } + } + } + output[output_length + 1] = '\"'; + output[output_length + 2] = '\0'; + + return true; +} + +/* Invoke print_string_ptr (which is useful) on an item. */ +static cJSON_bool print_string(const cJSON * const item, printbuffer * const p) +{ + return print_string_ptr((unsigned char*)item->valuestring, p); +} + +/* Predeclare these prototypes. */ +static cJSON_bool parse_value(cJSON * const item, parse_buffer * const input_buffer); +static cJSON_bool print_value(const cJSON * const item, printbuffer * const output_buffer); +static cJSON_bool parse_array(cJSON * const item, parse_buffer * const input_buffer); +static cJSON_bool print_array(const cJSON * const item, printbuffer * const output_buffer); +static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_buffer); +static cJSON_bool print_object(const cJSON * const item, printbuffer * const output_buffer); + +/* Utility to jump whitespace and cr/lf */ +static parse_buffer *buffer_skip_whitespace(parse_buffer * const buffer) +{ + if ((buffer == NULL) || (buffer->content == NULL)) + { + return NULL; + } + + if (cannot_access_at_index(buffer, 0)) + { + return buffer; + } + + while (can_access_at_index(buffer, 0) && (buffer_at_offset(buffer)[0] <= 32)) + { + buffer->offset++; + } + + if (buffer->offset == buffer->length) + { + buffer->offset--; + } + + return buffer; +} + +/* skip the UTF-8 BOM (byte order mark) if it is at the beginning of a buffer */ +static parse_buffer *skip_utf8_bom(parse_buffer * const buffer) +{ + if ((buffer == NULL) || (buffer->content == NULL) || (buffer->offset != 0)) + { + return NULL; + } + + if (can_access_at_index(buffer, 4) && (strncmp((const char*)buffer_at_offset(buffer), "\xEF\xBB\xBF", 3) == 0)) + { + buffer->offset += 3; + } + + return buffer; +} + +CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated) +{ + size_t buffer_length; + + if (NULL == value) + { + return NULL; + } + + /* Adding null character size due to require_null_terminated. */ + buffer_length = strlen(value) + sizeof(""); + + return cJSON_ParseWithLengthOpts(value, buffer_length, return_parse_end, require_null_terminated); +} + +/* Parse an object - create a new root, and populate. */ +CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer_length, const char **return_parse_end, cJSON_bool require_null_terminated) +{ + parse_buffer buffer = { 0, 0, 0, 0, { 0, 0, 0 } }; + cJSON *item = NULL; + + /* reset error position */ + global_error.json = NULL; + global_error.position = 0; + + if (value == NULL || 0 == buffer_length) + { + goto fail; + } + + buffer.content = (const unsigned char*)value; + buffer.length = buffer_length; + buffer.offset = 0; + buffer.hooks = global_hooks; + + item = cJSON_New_Item(&global_hooks); + if (item == NULL) /* memory fail */ + { + goto fail; + } + + if (!parse_value(item, buffer_skip_whitespace(skip_utf8_bom(&buffer)))) + { + /* parse failure. ep is set. */ + goto fail; + } + + /* if we require null-terminated JSON without appended garbage, skip and then check for a null terminator */ + if (require_null_terminated) + { + buffer_skip_whitespace(&buffer); + if ((buffer.offset >= buffer.length) || buffer_at_offset(&buffer)[0] != '\0') + { + goto fail; + } + } + if (return_parse_end) + { + *return_parse_end = (const char*)buffer_at_offset(&buffer); + } + + return item; + +fail: + if (item != NULL) + { + cJSON_Delete(item); + } + + if (value != NULL) + { + error local_error; + local_error.json = (const unsigned char*)value; + local_error.position = 0; + + if (buffer.offset < buffer.length) + { + local_error.position = buffer.offset; + } + else if (buffer.length > 0) + { + local_error.position = buffer.length - 1; + } + + if (return_parse_end != NULL) + { + *return_parse_end = (const char*)local_error.json + local_error.position; + } + + global_error = local_error; + } + + return NULL; +} + +/* Default options for cJSON_Parse */ +CJSON_PUBLIC(cJSON *) cJSON_Parse(const char *value) +{ + return cJSON_ParseWithOpts(value, 0, 0); +} + +CJSON_PUBLIC(cJSON *) cJSON_ParseWithLength(const char *value, size_t buffer_length) +{ + return cJSON_ParseWithLengthOpts(value, buffer_length, 0, 0); +} + +#define cjson_min(a, b) (((a) < (b)) ? (a) : (b)) + +static unsigned char *print(const cJSON * const item, cJSON_bool format, const internal_hooks * const hooks) +{ + static const size_t default_buffer_size = 256; + printbuffer buffer[1]; + unsigned char *printed = NULL; + + memset(buffer, 0, sizeof(buffer)); + + /* create buffer */ + buffer->buffer = (unsigned char*) hooks->allocate(default_buffer_size); + buffer->length = default_buffer_size; + buffer->format = format; + buffer->hooks = *hooks; + if (buffer->buffer == NULL) + { + goto fail; + } + + /* print the value */ + if (!print_value(item, buffer)) + { + goto fail; + } + update_offset(buffer); + + /* check if reallocate is available */ + if (hooks->reallocate != NULL) + { + printed = (unsigned char*) hooks->reallocate(buffer->buffer, buffer->offset + 1); + if (printed == NULL) { + goto fail; + } + buffer->buffer = NULL; + } + else /* otherwise copy the JSON over to a new buffer */ + { + printed = (unsigned char*) hooks->allocate(buffer->offset + 1); + if (printed == NULL) + { + goto fail; + } + memcpy(printed, buffer->buffer, cjson_min(buffer->length, buffer->offset + 1)); + printed[buffer->offset] = '\0'; /* just to be sure */ + + /* free the buffer */ + hooks->deallocate(buffer->buffer); + } + + return printed; + +fail: + if (buffer->buffer != NULL) + { + hooks->deallocate(buffer->buffer); + } + + if (printed != NULL) + { + hooks->deallocate(printed); + } + + return NULL; +} + +/* Render a cJSON item/entity/structure to text. */ +CJSON_PUBLIC(char *) cJSON_Print(const cJSON *item) +{ + return (char*)print(item, true, &global_hooks); +} + +CJSON_PUBLIC(char *) cJSON_PrintUnformatted(const cJSON *item) +{ + return (char*)print(item, false, &global_hooks); +} + +CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON_bool fmt) +{ + printbuffer p = { 0, 0, 0, 0, 0, 0, { 0, 0, 0 } }; + + if (prebuffer < 0) + { + return NULL; + } + + p.buffer = (unsigned char*)global_hooks.allocate((size_t)prebuffer); + if (!p.buffer) + { + return NULL; + } + + p.length = (size_t)prebuffer; + p.offset = 0; + p.noalloc = false; + p.format = fmt; + p.hooks = global_hooks; + + if (!print_value(item, &p)) + { + global_hooks.deallocate(p.buffer); + return NULL; + } + + return (char*)p.buffer; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_PrintPreallocated(cJSON *item, char *buffer, const int length, const cJSON_bool format) +{ + printbuffer p = { 0, 0, 0, 0, 0, 0, { 0, 0, 0 } }; + + if ((length < 0) || (buffer == NULL)) + { + return false; + } + + p.buffer = (unsigned char*)buffer; + p.length = (size_t)length; + p.offset = 0; + p.noalloc = true; + p.format = format; + p.hooks = global_hooks; + + return print_value(item, &p); +} + +/* Parser core - when encountering text, process appropriately. */ +static cJSON_bool parse_value(cJSON * const item, parse_buffer * const input_buffer) +{ + if ((input_buffer == NULL) || (input_buffer->content == NULL)) + { + return false; /* no input */ + } + + /* parse the different types of values */ + /* null */ + if (can_read(input_buffer, 4) && (strncmp((const char*)buffer_at_offset(input_buffer), "null", 4) == 0)) + { + item->type = cJSON_NULL; + input_buffer->offset += 4; + return true; + } + /* false */ + if (can_read(input_buffer, 5) && (strncmp((const char*)buffer_at_offset(input_buffer), "false", 5) == 0)) + { + item->type = cJSON_False; + input_buffer->offset += 5; + return true; + } + /* true */ + if (can_read(input_buffer, 4) && (strncmp((const char*)buffer_at_offset(input_buffer), "true", 4) == 0)) + { + item->type = cJSON_True; + item->valueint = 1; + input_buffer->offset += 4; + return true; + } + /* string */ + if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == '\"')) + { + return parse_string(item, input_buffer); + } + /* number */ + if (can_access_at_index(input_buffer, 0) && ((buffer_at_offset(input_buffer)[0] == '-') || ((buffer_at_offset(input_buffer)[0] >= '0') && (buffer_at_offset(input_buffer)[0] <= '9')))) + { + return parse_number(item, input_buffer); + } + /* array */ + if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == '[')) + { + return parse_array(item, input_buffer); + } + /* object */ + if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == '{')) + { + return parse_object(item, input_buffer); + } + + return false; +} + +/* Render a value to text. */ +static cJSON_bool print_value(const cJSON * const item, printbuffer * const output_buffer) +{ + unsigned char *output = NULL; + + if ((item == NULL) || (output_buffer == NULL)) + { + return false; + } + + switch ((item->type) & 0xFF) + { + case cJSON_NULL: + output = ensure(output_buffer, 5); + if (output == NULL) + { + return false; + } + strcpy((char*)output, "null"); + return true; + + case cJSON_False: + output = ensure(output_buffer, 6); + if (output == NULL) + { + return false; + } + strcpy((char*)output, "false"); + return true; + + case cJSON_True: + output = ensure(output_buffer, 5); + if (output == NULL) + { + return false; + } + strcpy((char*)output, "true"); + return true; + + case cJSON_Number: + return print_number(item, output_buffer); + + case cJSON_Raw: + { + size_t raw_length = 0; + if (item->valuestring == NULL) + { + return false; + } + + raw_length = strlen(item->valuestring) + sizeof(""); + output = ensure(output_buffer, raw_length); + if (output == NULL) + { + return false; + } + memcpy(output, item->valuestring, raw_length); + return true; + } + + case cJSON_String: + return print_string(item, output_buffer); + + case cJSON_Array: + return print_array(item, output_buffer); + + case cJSON_Object: + return print_object(item, output_buffer); + + default: + return false; + } +} + +/* Build an array from input text. */ +static cJSON_bool parse_array(cJSON * const item, parse_buffer * const input_buffer) +{ + cJSON *head = NULL; /* head of the linked list */ + cJSON *current_item = NULL; + + if (input_buffer->depth >= CJSON_NESTING_LIMIT) + { + return false; /* to deeply nested */ + } + input_buffer->depth++; + + if (buffer_at_offset(input_buffer)[0] != '[') + { + /* not an array */ + goto fail; + } + + input_buffer->offset++; + buffer_skip_whitespace(input_buffer); + if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == ']')) + { + /* empty array */ + goto success; + } + + /* check if we skipped to the end of the buffer */ + if (cannot_access_at_index(input_buffer, 0)) + { + input_buffer->offset--; + goto fail; + } + + /* step back to character in front of the first element */ + input_buffer->offset--; + /* loop through the comma separated array elements */ + do + { + /* allocate next item */ + cJSON *new_item = cJSON_New_Item(&(input_buffer->hooks)); + if (new_item == NULL) + { + goto fail; /* allocation failure */ + } + + /* attach next item to list */ + if (head == NULL) + { + /* start the linked list */ + current_item = head = new_item; + } + else + { + /* add to the end and advance */ + current_item->next = new_item; + new_item->prev = current_item; + current_item = new_item; + } + + /* parse next value */ + input_buffer->offset++; + buffer_skip_whitespace(input_buffer); + if (!parse_value(current_item, input_buffer)) + { + goto fail; /* failed to parse value */ + } + buffer_skip_whitespace(input_buffer); + } + while (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == ',')); + + if (cannot_access_at_index(input_buffer, 0) || buffer_at_offset(input_buffer)[0] != ']') + { + goto fail; /* expected end of array */ + } + +success: + input_buffer->depth--; + + if (head != NULL) { + head->prev = current_item; + } + + item->type = cJSON_Array; + item->child = head; + + input_buffer->offset++; + + return true; + +fail: + if (head != NULL) + { + cJSON_Delete(head); + } + + return false; +} + +/* Render an array to text */ +static cJSON_bool print_array(const cJSON * const item, printbuffer * const output_buffer) +{ + unsigned char *output_pointer = NULL; + size_t length = 0; + cJSON *current_element = item->child; + + if (output_buffer == NULL) + { + return false; + } + + /* Compose the output array. */ + /* opening square bracket */ + output_pointer = ensure(output_buffer, 1); + if (output_pointer == NULL) + { + return false; + } + + *output_pointer = '['; + output_buffer->offset++; + output_buffer->depth++; + + while (current_element != NULL) + { + if (!print_value(current_element, output_buffer)) + { + return false; + } + update_offset(output_buffer); + if (current_element->next) + { + length = (size_t) (output_buffer->format ? 2 : 1); + output_pointer = ensure(output_buffer, length + 1); + if (output_pointer == NULL) + { + return false; + } + *output_pointer++ = ','; + if(output_buffer->format) + { + *output_pointer++ = ' '; + } + *output_pointer = '\0'; + output_buffer->offset += length; + } + current_element = current_element->next; + } + + output_pointer = ensure(output_buffer, 2); + if (output_pointer == NULL) + { + return false; + } + *output_pointer++ = ']'; + *output_pointer = '\0'; + output_buffer->depth--; + + return true; +} + +/* Build an object from the text. */ +static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_buffer) +{ + cJSON *head = NULL; /* linked list head */ + cJSON *current_item = NULL; + + if (input_buffer->depth >= CJSON_NESTING_LIMIT) + { + return false; /* to deeply nested */ + } + input_buffer->depth++; + + if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != '{')) + { + goto fail; /* not an object */ + } + + input_buffer->offset++; + buffer_skip_whitespace(input_buffer); + if (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == '}')) + { + goto success; /* empty object */ + } + + /* check if we skipped to the end of the buffer */ + if (cannot_access_at_index(input_buffer, 0)) + { + input_buffer->offset--; + goto fail; + } + + /* step back to character in front of the first element */ + input_buffer->offset--; + /* loop through the comma separated array elements */ + do + { + /* allocate next item */ + cJSON *new_item = cJSON_New_Item(&(input_buffer->hooks)); + if (new_item == NULL) + { + goto fail; /* allocation failure */ + } + + /* attach next item to list */ + if (head == NULL) + { + /* start the linked list */ + current_item = head = new_item; + } + else + { + /* add to the end and advance */ + current_item->next = new_item; + new_item->prev = current_item; + current_item = new_item; + } + + /* parse the name of the child */ + input_buffer->offset++; + buffer_skip_whitespace(input_buffer); + if (!parse_string(current_item, input_buffer)) + { + goto fail; /* failed to parse name */ + } + buffer_skip_whitespace(input_buffer); + + /* swap valuestring and string, because we parsed the name */ + current_item->string = current_item->valuestring; + current_item->valuestring = NULL; + + if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != ':')) + { + goto fail; /* invalid object */ + } + + /* parse the value */ + input_buffer->offset++; + buffer_skip_whitespace(input_buffer); + if (!parse_value(current_item, input_buffer)) + { + goto fail; /* failed to parse value */ + } + buffer_skip_whitespace(input_buffer); + } + while (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == ',')); + + if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != '}')) + { + goto fail; /* expected end of object */ + } + +success: + input_buffer->depth--; + + if (head != NULL) { + head->prev = current_item; + } + + item->type = cJSON_Object; + item->child = head; + + input_buffer->offset++; + return true; + +fail: + if (head != NULL) + { + cJSON_Delete(head); + } + + return false; +} + +/* Render an object to text. */ +static cJSON_bool print_object(const cJSON * const item, printbuffer * const output_buffer) +{ + unsigned char *output_pointer = NULL; + size_t length = 0; + cJSON *current_item = item->child; + + if (output_buffer == NULL) + { + return false; + } + + /* Compose the output: */ + length = (size_t) (output_buffer->format ? 2 : 1); /* fmt: {\n */ + output_pointer = ensure(output_buffer, length + 1); + if (output_pointer == NULL) + { + return false; + } + + *output_pointer++ = '{'; + output_buffer->depth++; + if (output_buffer->format) + { + *output_pointer++ = '\n'; + } + output_buffer->offset += length; + + while (current_item) + { + if (output_buffer->format) + { + size_t i; + output_pointer = ensure(output_buffer, output_buffer->depth); + if (output_pointer == NULL) + { + return false; + } + for (i = 0; i < output_buffer->depth; i++) + { + *output_pointer++ = '\t'; + } + output_buffer->offset += output_buffer->depth; + } + + /* print key */ + if (!print_string_ptr((unsigned char*)current_item->string, output_buffer)) + { + return false; + } + update_offset(output_buffer); + + length = (size_t) (output_buffer->format ? 2 : 1); + output_pointer = ensure(output_buffer, length); + if (output_pointer == NULL) + { + return false; + } + *output_pointer++ = ':'; + if (output_buffer->format) + { + *output_pointer++ = '\t'; + } + output_buffer->offset += length; + + /* print value */ + if (!print_value(current_item, output_buffer)) + { + return false; + } + update_offset(output_buffer); + + /* print comma if not last */ + length = ((size_t)(output_buffer->format ? 1 : 0) + (size_t)(current_item->next ? 1 : 0)); + output_pointer = ensure(output_buffer, length + 1); + if (output_pointer == NULL) + { + return false; + } + if (current_item->next) + { + *output_pointer++ = ','; + } + + if (output_buffer->format) + { + *output_pointer++ = '\n'; + } + *output_pointer = '\0'; + output_buffer->offset += length; + + current_item = current_item->next; + } + + output_pointer = ensure(output_buffer, output_buffer->format ? (output_buffer->depth + 1) : 2); + if (output_pointer == NULL) + { + return false; + } + if (output_buffer->format) + { + size_t i; + for (i = 0; i < (output_buffer->depth - 1); i++) + { + *output_pointer++ = '\t'; + } + } + *output_pointer++ = '}'; + *output_pointer = '\0'; + output_buffer->depth--; + + return true; +} + +/* Get Array size/item / object item. */ +CJSON_PUBLIC(int) cJSON_GetArraySize(const cJSON *array) +{ + cJSON *child = NULL; + size_t size = 0; + + if (array == NULL) + { + return 0; + } + + child = array->child; + + while(child != NULL) + { + size++; + child = child->next; + } + + /* FIXME: Can overflow here. Cannot be fixed without breaking the API */ + + return (int)size; +} + +static cJSON* get_array_item(const cJSON *array, size_t index) +{ + cJSON *current_child = NULL; + + if (array == NULL) + { + return NULL; + } + + current_child = array->child; + while ((current_child != NULL) && (index > 0)) + { + index--; + current_child = current_child->next; + } + + return current_child; +} + +CJSON_PUBLIC(cJSON *) cJSON_GetArrayItem(const cJSON *array, int index) +{ + if (index < 0) + { + return NULL; + } + + return get_array_item(array, (size_t)index); +} + +static cJSON *get_object_item(const cJSON * const object, const char * const name, const cJSON_bool case_sensitive) +{ + cJSON *current_element = NULL; + + if ((object == NULL) || (name == NULL)) + { + return NULL; + } + + current_element = object->child; + if (case_sensitive) + { + while ((current_element != NULL) && (current_element->string != NULL) && (strcmp(name, current_element->string) != 0)) + { + current_element = current_element->next; + } + } + else + { + while ((current_element != NULL) && (case_insensitive_strcmp((const unsigned char*)name, (const unsigned char*)(current_element->string)) != 0)) + { + current_element = current_element->next; + } + } + + if ((current_element == NULL) || (current_element->string == NULL)) { + return NULL; + } + + return current_element; +} + +CJSON_PUBLIC(cJSON *) cJSON_GetObjectItem(const cJSON * const object, const char * const string) +{ + return get_object_item(object, string, false); +} + +CJSON_PUBLIC(cJSON *) cJSON_GetObjectItemCaseSensitive(const cJSON * const object, const char * const string) +{ + return get_object_item(object, string, true); +} + +CJSON_PUBLIC(cJSON_bool) cJSON_HasObjectItem(const cJSON *object, const char *string) +{ + return cJSON_GetObjectItem(object, string) ? 1 : 0; +} + +/* Utility for array list handling. */ +static void suffix_object(cJSON *prev, cJSON *item) +{ + prev->next = item; + item->prev = prev; +} + +/* Utility for handling references. */ +static cJSON *create_reference(const cJSON *item, const internal_hooks * const hooks) +{ + cJSON *reference = NULL; + if (item == NULL) + { + return NULL; + } + + reference = cJSON_New_Item(hooks); + if (reference == NULL) + { + return NULL; + } + + memcpy(reference, item, sizeof(cJSON)); + reference->string = NULL; + reference->type |= cJSON_IsReference; + reference->next = reference->prev = NULL; + return reference; +} + +static cJSON_bool add_item_to_array(cJSON *array, cJSON *item) +{ + cJSON *child = NULL; + + if ((item == NULL) || (array == NULL) || (array == item)) + { + return false; + } + + child = array->child; + /* + * To find the last item in array quickly, we use prev in array + */ + if (child == NULL) + { + /* list is empty, start new one */ + array->child = item; + item->prev = item; + item->next = NULL; + } + else + { + /* append to the end */ + if (child->prev) + { + suffix_object(child->prev, item); + array->child->prev = item; + } + } + + return true; +} + +/* Add item to array/object. */ +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToArray(cJSON *array, cJSON *item) +{ + return add_item_to_array(array, item); +} + +#if defined(__clang__) || (defined(__GNUC__) && ((__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ > 5)))) + #pragma GCC diagnostic push +#endif +#ifdef __GNUC__ +#pragma GCC diagnostic ignored "-Wcast-qual" +#endif +/* helper function to cast away const */ +static void* cast_away_const(const void* string) +{ + return (void*)string; +} +#if defined(__clang__) || (defined(__GNUC__) && ((__GNUC__ > 4) || ((__GNUC__ == 4) && (__GNUC_MINOR__ > 5)))) + #pragma GCC diagnostic pop +#endif + + +static cJSON_bool add_item_to_object(cJSON * const object, const char * const string, cJSON * const item, const internal_hooks * const hooks, const cJSON_bool constant_key) +{ + char *new_key = NULL; + int new_type = cJSON_Invalid; + + if ((object == NULL) || (string == NULL) || (item == NULL) || (object == item)) + { + return false; + } + + if (constant_key) + { + new_key = (char*)cast_away_const(string); + new_type = item->type | cJSON_StringIsConst; + } + else + { + new_key = (char*)cJSON_strdup((const unsigned char*)string, hooks); + if (new_key == NULL) + { + return false; + } + + new_type = item->type & ~cJSON_StringIsConst; + } + + if (!(item->type & cJSON_StringIsConst) && (item->string != NULL)) + { + hooks->deallocate(item->string); + } + + item->string = new_key; + item->type = new_type; + + return add_item_to_array(object, item); +} + +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item) +{ + return add_item_to_object(object, string, item, &global_hooks, false); +} + +/* Add an item to an object with constant string as key */ +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObjectCS(cJSON *object, const char *string, cJSON *item) +{ + return add_item_to_object(object, string, item, &global_hooks, true); +} + +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToArray(cJSON *array, cJSON *item) +{ + if (array == NULL) + { + return false; + } + + return add_item_to_array(array, create_reference(item, &global_hooks)); +} + +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToObject(cJSON *object, const char *string, cJSON *item) +{ + if ((object == NULL) || (string == NULL)) + { + return false; + } + + return add_item_to_object(object, string, create_reference(item, &global_hooks), &global_hooks, false); +} + +CJSON_PUBLIC(cJSON*) cJSON_AddNullToObject(cJSON * const object, const char * const name) +{ + cJSON *null = cJSON_CreateNull(); + if (add_item_to_object(object, name, null, &global_hooks, false)) + { + return null; + } + + cJSON_Delete(null); + return NULL; +} + +CJSON_PUBLIC(cJSON*) cJSON_AddTrueToObject(cJSON * const object, const char * const name) +{ + cJSON *true_item = cJSON_CreateTrue(); + if (add_item_to_object(object, name, true_item, &global_hooks, false)) + { + return true_item; + } + + cJSON_Delete(true_item); + return NULL; +} + +CJSON_PUBLIC(cJSON*) cJSON_AddFalseToObject(cJSON * const object, const char * const name) +{ + cJSON *false_item = cJSON_CreateFalse(); + if (add_item_to_object(object, name, false_item, &global_hooks, false)) + { + return false_item; + } + + cJSON_Delete(false_item); + return NULL; +} + +CJSON_PUBLIC(cJSON*) cJSON_AddBoolToObject(cJSON * const object, const char * const name, const cJSON_bool boolean) +{ + cJSON *bool_item = cJSON_CreateBool(boolean); + if (add_item_to_object(object, name, bool_item, &global_hooks, false)) + { + return bool_item; + } + + cJSON_Delete(bool_item); + return NULL; +} + +CJSON_PUBLIC(cJSON*) cJSON_AddNumberToObject(cJSON * const object, const char * const name, const double number) +{ + cJSON *number_item = cJSON_CreateNumber(number); + if (add_item_to_object(object, name, number_item, &global_hooks, false)) + { + return number_item; + } + + cJSON_Delete(number_item); + return NULL; +} + +CJSON_PUBLIC(cJSON*) cJSON_AddStringToObject(cJSON * const object, const char * const name, const char * const string) +{ + cJSON *string_item = cJSON_CreateString(string); + if (add_item_to_object(object, name, string_item, &global_hooks, false)) + { + return string_item; + } + + cJSON_Delete(string_item); + return NULL; +} + +CJSON_PUBLIC(cJSON*) cJSON_AddRawToObject(cJSON * const object, const char * const name, const char * const raw) +{ + cJSON *raw_item = cJSON_CreateRaw(raw); + if (add_item_to_object(object, name, raw_item, &global_hooks, false)) + { + return raw_item; + } + + cJSON_Delete(raw_item); + return NULL; +} + +CJSON_PUBLIC(cJSON*) cJSON_AddObjectToObject(cJSON * const object, const char * const name) +{ + cJSON *object_item = cJSON_CreateObject(); + if (add_item_to_object(object, name, object_item, &global_hooks, false)) + { + return object_item; + } + + cJSON_Delete(object_item); + return NULL; +} + +CJSON_PUBLIC(cJSON*) cJSON_AddArrayToObject(cJSON * const object, const char * const name) +{ + cJSON *array = cJSON_CreateArray(); + if (add_item_to_object(object, name, array, &global_hooks, false)) + { + return array; + } + + cJSON_Delete(array); + return NULL; +} + +CJSON_PUBLIC(cJSON *) cJSON_DetachItemViaPointer(cJSON *parent, cJSON * const item) +{ + if ((parent == NULL) || (item == NULL)) + { + return NULL; + } + + if (item != parent->child) + { + /* not the first element */ + item->prev->next = item->next; + } + if (item->next != NULL) + { + /* not the last element */ + item->next->prev = item->prev; + } + + if (item == parent->child) + { + /* first element */ + parent->child = item->next; + } + else if (item->next == NULL) + { + /* last element */ + parent->child->prev = item->prev; + } + + /* make sure the detached item doesn't point anywhere anymore */ + item->prev = NULL; + item->next = NULL; + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromArray(cJSON *array, int which) +{ + if (which < 0) + { + return NULL; + } + + return cJSON_DetachItemViaPointer(array, get_array_item(array, (size_t)which)); +} + +CJSON_PUBLIC(void) cJSON_DeleteItemFromArray(cJSON *array, int which) +{ + cJSON_Delete(cJSON_DetachItemFromArray(array, which)); +} + +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObject(cJSON *object, const char *string) +{ + cJSON *to_detach = cJSON_GetObjectItem(object, string); + + return cJSON_DetachItemViaPointer(object, to_detach); +} + +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObjectCaseSensitive(cJSON *object, const char *string) +{ + cJSON *to_detach = cJSON_GetObjectItemCaseSensitive(object, string); + + return cJSON_DetachItemViaPointer(object, to_detach); +} + +CJSON_PUBLIC(void) cJSON_DeleteItemFromObject(cJSON *object, const char *string) +{ + cJSON_Delete(cJSON_DetachItemFromObject(object, string)); +} + +CJSON_PUBLIC(void) cJSON_DeleteItemFromObjectCaseSensitive(cJSON *object, const char *string) +{ + cJSON_Delete(cJSON_DetachItemFromObjectCaseSensitive(object, string)); +} + +/* Replace array/object items with new ones. */ +CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem) +{ + cJSON *after_inserted = NULL; + + if (which < 0) + { + return false; + } + + after_inserted = get_array_item(array, (size_t)which); + if (after_inserted == NULL) + { + return add_item_to_array(array, newitem); + } + + newitem->next = after_inserted; + newitem->prev = after_inserted->prev; + after_inserted->prev = newitem; + if (after_inserted == array->child) + { + array->child = newitem; + } + else + { + newitem->prev->next = newitem; + } + return true; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement) +{ + if ((parent == NULL) || (replacement == NULL) || (item == NULL)) + { + return false; + } + + if (replacement == item) + { + return true; + } + + replacement->next = item->next; + replacement->prev = item->prev; + + if (replacement->next != NULL) + { + replacement->next->prev = replacement; + } + if (parent->child == item) + { + if (parent->child->prev == parent->child) + { + replacement->prev = replacement; + } + parent->child = replacement; + } + else + { /* + * To find the last item in array quickly, we use prev in array. + * We can't modify the last item's next pointer where this item was the parent's child + */ + if (replacement->prev != NULL) + { + replacement->prev->next = replacement; + } + if (replacement->next == NULL) + { + parent->child->prev = replacement; + } + } + + item->next = NULL; + item->prev = NULL; + cJSON_Delete(item); + + return true; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInArray(cJSON *array, int which, cJSON *newitem) +{ + if (which < 0) + { + return false; + } + + return cJSON_ReplaceItemViaPointer(array, get_array_item(array, (size_t)which), newitem); +} + +static cJSON_bool replace_item_in_object(cJSON *object, const char *string, cJSON *replacement, cJSON_bool case_sensitive) +{ + if ((replacement == NULL) || (string == NULL)) + { + return false; + } + + /* replace the name in the replacement */ + if (!(replacement->type & cJSON_StringIsConst) && (replacement->string != NULL)) + { + cJSON_free(replacement->string); + } + replacement->string = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks); + replacement->type &= ~cJSON_StringIsConst; + + return cJSON_ReplaceItemViaPointer(object, get_object_item(object, string, case_sensitive), replacement); +} + +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObject(cJSON *object, const char *string, cJSON *newitem) +{ + return replace_item_in_object(object, string, newitem, false); +} + +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObjectCaseSensitive(cJSON *object, const char *string, cJSON *newitem) +{ + return replace_item_in_object(object, string, newitem, true); +} + +/* Create basic types: */ +CJSON_PUBLIC(cJSON *) cJSON_CreateNull(void) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if(item) + { + item->type = cJSON_NULL; + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateTrue(void) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if(item) + { + item->type = cJSON_True; + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateFalse(void) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if(item) + { + item->type = cJSON_False; + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateBool(cJSON_bool boolean) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if(item) + { + item->type = boolean ? cJSON_True : cJSON_False; + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateNumber(double num) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if(item) + { + item->type = cJSON_Number; + item->valuedouble = num; + + /* use saturation in case of overflow */ + if (num >= INT_MAX) + { + item->valueint = INT_MAX; + } + else if (num <= (double)INT_MIN) + { + item->valueint = INT_MIN; + } + else + { + item->valueint = (int)num; + } + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateString(const char *string) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if(item) + { + item->type = cJSON_String; + item->valuestring = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks); + if(!item->valuestring) + { + cJSON_Delete(item); + return NULL; + } + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateStringReference(const char *string) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if (item != NULL) + { + item->type = cJSON_String | cJSON_IsReference; + item->valuestring = (char*)cast_away_const(string); + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateObjectReference(const cJSON *child) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if (item != NULL) { + item->type = cJSON_Object | cJSON_IsReference; + item->child = (cJSON*)cast_away_const(child); + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateArrayReference(const cJSON *child) { + cJSON *item = cJSON_New_Item(&global_hooks); + if (item != NULL) { + item->type = cJSON_Array | cJSON_IsReference; + item->child = (cJSON*)cast_away_const(child); + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateRaw(const char *raw) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if(item) + { + item->type = cJSON_Raw; + item->valuestring = (char*)cJSON_strdup((const unsigned char*)raw, &global_hooks); + if(!item->valuestring) + { + cJSON_Delete(item); + return NULL; + } + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateArray(void) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if(item) + { + item->type=cJSON_Array; + } + + return item; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateObject(void) +{ + cJSON *item = cJSON_New_Item(&global_hooks); + if (item) + { + item->type = cJSON_Object; + } + + return item; +} + +/* Create Arrays: */ +CJSON_PUBLIC(cJSON *) cJSON_CreateIntArray(const int *numbers, int count) +{ + size_t i = 0; + cJSON *n = NULL; + cJSON *p = NULL; + cJSON *a = NULL; + + if ((count < 0) || (numbers == NULL)) + { + return NULL; + } + + a = cJSON_CreateArray(); + + for(i = 0; a && (i < (size_t)count); i++) + { + n = cJSON_CreateNumber(numbers[i]); + if (!n) + { + cJSON_Delete(a); + return NULL; + } + if(!i) + { + a->child = n; + } + else + { + suffix_object(p, n); + } + p = n; + } + + if (a && a->child) { + a->child->prev = n; + } + + return a; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateFloatArray(const float *numbers, int count) +{ + size_t i = 0; + cJSON *n = NULL; + cJSON *p = NULL; + cJSON *a = NULL; + + if ((count < 0) || (numbers == NULL)) + { + return NULL; + } + + a = cJSON_CreateArray(); + + for(i = 0; a && (i < (size_t)count); i++) + { + n = cJSON_CreateNumber((double)numbers[i]); + if(!n) + { + cJSON_Delete(a); + return NULL; + } + if(!i) + { + a->child = n; + } + else + { + suffix_object(p, n); + } + p = n; + } + + if (a && a->child) { + a->child->prev = n; + } + + return a; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateDoubleArray(const double *numbers, int count) +{ + size_t i = 0; + cJSON *n = NULL; + cJSON *p = NULL; + cJSON *a = NULL; + + if ((count < 0) || (numbers == NULL)) + { + return NULL; + } + + a = cJSON_CreateArray(); + + for(i = 0; a && (i < (size_t)count); i++) + { + n = cJSON_CreateNumber(numbers[i]); + if(!n) + { + cJSON_Delete(a); + return NULL; + } + if(!i) + { + a->child = n; + } + else + { + suffix_object(p, n); + } + p = n; + } + + if (a && a->child) { + a->child->prev = n; + } + + return a; +} + +CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int count) +{ + size_t i = 0; + cJSON *n = NULL; + cJSON *p = NULL; + cJSON *a = NULL; + + if ((count < 0) || (strings == NULL)) + { + return NULL; + } + + a = cJSON_CreateArray(); + + for (i = 0; a && (i < (size_t)count); i++) + { + n = cJSON_CreateString(strings[i]); + if(!n) + { + cJSON_Delete(a); + return NULL; + } + if(!i) + { + a->child = n; + } + else + { + suffix_object(p,n); + } + p = n; + } + + if (a && a->child) { + a->child->prev = n; + } + + return a; +} + +/* Duplication */ +CJSON_PUBLIC(cJSON *) cJSON_Duplicate(const cJSON *item, cJSON_bool recurse) +{ + cJSON *newitem = NULL; + cJSON *child = NULL; + cJSON *next = NULL; + cJSON *newchild = NULL; + + /* Bail on bad ptr */ + if (!item) + { + goto fail; + } + /* Create new item */ + newitem = cJSON_New_Item(&global_hooks); + if (!newitem) + { + goto fail; + } + /* Copy over all vars */ + newitem->type = item->type & (~cJSON_IsReference); + newitem->valueint = item->valueint; + newitem->valuedouble = item->valuedouble; + if (item->valuestring) + { + newitem->valuestring = (char*)cJSON_strdup((unsigned char*)item->valuestring, &global_hooks); + if (!newitem->valuestring) + { + goto fail; + } + } + if (item->string) + { + newitem->string = (item->type&cJSON_StringIsConst) ? item->string : (char*)cJSON_strdup((unsigned char*)item->string, &global_hooks); + if (!newitem->string) + { + goto fail; + } + } + /* If non-recursive, then we're done! */ + if (!recurse) + { + return newitem; + } + /* Walk the ->next chain for the child. */ + child = item->child; + while (child != NULL) + { + newchild = cJSON_Duplicate(child, true); /* Duplicate (with recurse) each item in the ->next chain */ + if (!newchild) + { + goto fail; + } + if (next != NULL) + { + /* If newitem->child already set, then crosswire ->prev and ->next and move on */ + next->next = newchild; + newchild->prev = next; + next = newchild; + } + else + { + /* Set newitem->child and move to it */ + newitem->child = newchild; + next = newchild; + } + child = child->next; + } + if (newitem && newitem->child) + { + newitem->child->prev = newchild; + } + + return newitem; + +fail: + if (newitem != NULL) + { + cJSON_Delete(newitem); + } + + return NULL; +} + +static void skip_oneline_comment(char **input) +{ + *input += static_strlen("//"); + + for (; (*input)[0] != '\0'; ++(*input)) + { + if ((*input)[0] == '\n') { + *input += static_strlen("\n"); + return; + } + } +} + +static void skip_multiline_comment(char **input) +{ + *input += static_strlen("/*"); + + for (; (*input)[0] != '\0'; ++(*input)) + { + if (((*input)[0] == '*') && ((*input)[1] == '/')) + { + *input += static_strlen("*/"); + return; + } + } +} + +static void minify_string(char **input, char **output) { + (*output)[0] = (*input)[0]; + *input += static_strlen("\""); + *output += static_strlen("\""); + + + for (; (*input)[0] != '\0'; (void)++(*input), ++(*output)) { + (*output)[0] = (*input)[0]; + + if ((*input)[0] == '\"') { + (*output)[0] = '\"'; + *input += static_strlen("\""); + *output += static_strlen("\""); + return; + } else if (((*input)[0] == '\\') && ((*input)[1] == '\"')) { + (*output)[1] = (*input)[1]; + *input += static_strlen("\""); + *output += static_strlen("\""); + } + } +} + +CJSON_PUBLIC(void) cJSON_Minify(char *json) +{ + char *into = json; + + if (json == NULL) + { + return; + } + + while (json[0] != '\0') + { + switch (json[0]) + { + case ' ': + case '\t': + case '\r': + case '\n': + json++; + break; + + case '/': + if (json[1] == '/') + { + skip_oneline_comment(&json); + } + else if (json[1] == '*') + { + skip_multiline_comment(&json); + } else { + json++; + } + break; + + case '\"': + minify_string(&json, (char**)&into); + break; + + default: + into[0] = json[0]; + json++; + into++; + } + } + + /* and null-terminate. */ + *into = '\0'; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_IsInvalid(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xFF) == cJSON_Invalid; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_IsFalse(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xFF) == cJSON_False; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_IsTrue(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xff) == cJSON_True; +} + + +CJSON_PUBLIC(cJSON_bool) cJSON_IsBool(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & (cJSON_True | cJSON_False)) != 0; +} +CJSON_PUBLIC(cJSON_bool) cJSON_IsNull(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xFF) == cJSON_NULL; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_IsNumber(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xFF) == cJSON_Number; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_IsString(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xFF) == cJSON_String; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_IsArray(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xFF) == cJSON_Array; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_IsObject(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xFF) == cJSON_Object; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_IsRaw(const cJSON * const item) +{ + if (item == NULL) + { + return false; + } + + return (item->type & 0xFF) == cJSON_Raw; +} + +CJSON_PUBLIC(cJSON_bool) cJSON_Compare(const cJSON * const a, const cJSON * const b, const cJSON_bool case_sensitive) +{ + if ((a == NULL) || (b == NULL) || ((a->type & 0xFF) != (b->type & 0xFF))) + { + return false; + } + + /* check if type is valid */ + switch (a->type & 0xFF) + { + case cJSON_False: + case cJSON_True: + case cJSON_NULL: + case cJSON_Number: + case cJSON_String: + case cJSON_Raw: + case cJSON_Array: + case cJSON_Object: + break; + + default: + return false; + } + + /* identical objects are equal */ + if (a == b) + { + return true; + } + + switch (a->type & 0xFF) + { + /* in these cases and equal type is enough */ + case cJSON_False: + case cJSON_True: + case cJSON_NULL: + return true; + + case cJSON_Number: + if (compare_double(a->valuedouble, b->valuedouble)) + { + return true; + } + return false; + + case cJSON_String: + case cJSON_Raw: + if ((a->valuestring == NULL) || (b->valuestring == NULL)) + { + return false; + } + if (strcmp(a->valuestring, b->valuestring) == 0) + { + return true; + } + + return false; + + case cJSON_Array: + { + cJSON *a_element = a->child; + cJSON *b_element = b->child; + + for (; (a_element != NULL) && (b_element != NULL);) + { + if (!cJSON_Compare(a_element, b_element, case_sensitive)) + { + return false; + } + + a_element = a_element->next; + b_element = b_element->next; + } + + /* one of the arrays is longer than the other */ + if (a_element != b_element) { + return false; + } + + return true; + } + + case cJSON_Object: + { + cJSON *a_element = NULL; + cJSON *b_element = NULL; + cJSON_ArrayForEach(a_element, a) + { + /* TODO This has O(n^2) runtime, which is horrible! */ + b_element = get_object_item(b, a_element->string, case_sensitive); + if (b_element == NULL) + { + return false; + } + + if (!cJSON_Compare(a_element, b_element, case_sensitive)) + { + return false; + } + } + + /* doing this twice, once on a and b to prevent true comparison if a subset of b + * TODO: Do this the proper way, this is just a fix for now */ + cJSON_ArrayForEach(b_element, b) + { + a_element = get_object_item(a, b_element->string, case_sensitive); + if (a_element == NULL) + { + return false; + } + + if (!cJSON_Compare(b_element, a_element, case_sensitive)) + { + return false; + } + } + + return true; + } + + default: + return false; + } +} + +CJSON_PUBLIC(void *) cJSON_malloc(size_t size) +{ + return global_hooks.allocate(size); +} + +CJSON_PUBLIC(void) cJSON_free(void *object) +{ + global_hooks.deallocate(object); +} +#pragma GCC diagnostic pop diff --git a/deps/curl-8.3.0/lib/vtls/sf_cJSON.h b/deps/curl-8.3.0/lib/vtls/sf_cJSON.h new file mode 100644 index 0000000000..92907a2cd3 --- /dev/null +++ b/deps/curl-8.3.0/lib/vtls/sf_cJSON.h @@ -0,0 +1,293 @@ +/* + Copyright (c) 2009-2017 Dave Gamble and cJSON contributors + + Permission is hereby granted, free of charge, to any person obtaining a copy + of this software and associated documentation files (the "Software"), to deal + in the Software without restriction, including without limitation the rights + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + copies of the Software, and to permit persons to whom the Software is + furnished to do so, subject to the following conditions: + + The above copyright notice and this permission notice shall be included in + all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + THE SOFTWARE. +*/ + +#ifndef cJSON__h +#define cJSON__h + +#ifdef __cplusplus +extern "C" +{ +#endif + +#if !defined(__WINDOWS__) && (defined(WIN32) || defined(WIN64) || defined(_MSC_VER) || defined(_WIN32)) +#define __WINDOWS__ +#endif + +#ifdef __WINDOWS__ + +/* When compiling for windows, we specify a specific calling convention to avoid issues where we are being called from a project with a different default calling convention. For windows you have 3 define options: + +CJSON_HIDE_SYMBOLS - Define this in the case where you don't want to ever dllexport symbols +CJSON_EXPORT_SYMBOLS - Define this on library build when you want to dllexport symbols (default) +CJSON_IMPORT_SYMBOLS - Define this if you want to dllimport symbol + +For *nix builds that support visibility attribute, you can define similar behavior by + +setting default visibility to hidden by adding +-fvisibility=hidden (for gcc) +or +-xldscope=hidden (for sun cc) +to CFLAGS + +then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJSON_EXPORT_SYMBOLS does + +*/ + +#define CJSON_CDECL __cdecl +#define CJSON_STDCALL __stdcall + +/* export symbols by default, this is necessary for copy pasting the C and header file */ +#if !defined(CJSON_HIDE_SYMBOLS) && !defined(CJSON_IMPORT_SYMBOLS) && !defined(CJSON_EXPORT_SYMBOLS) +#define CJSON_EXPORT_SYMBOLS +#endif + +#if defined(CJSON_HIDE_SYMBOLS) +#define CJSON_PUBLIC(type) type CJSON_STDCALL +#elif defined(CJSON_EXPORT_SYMBOLS) +#define CJSON_PUBLIC(type) __declspec(dllexport) type CJSON_STDCALL +#elif defined(CJSON_IMPORT_SYMBOLS) +#define CJSON_PUBLIC(type) __declspec(dllimport) type CJSON_STDCALL +#endif +#else /* !__WINDOWS__ */ +#define CJSON_CDECL +#define CJSON_STDCALL + +#if (defined(__GNUC__) || defined(__SUNPRO_CC) || defined (__SUNPRO_C)) && defined(CJSON_API_VISIBILITY) +#define CJSON_PUBLIC(type) __attribute__((visibility("default"))) type +#else +#define CJSON_PUBLIC(type) type +#endif +#endif + +/* project version */ +#define CJSON_VERSION_MAJOR 1 +#define CJSON_VERSION_MINOR 7 +#define CJSON_VERSION_PATCH 15 + +#include + +/* cJSON Types: */ +#define cJSON_Invalid (0) +#define cJSON_False (1 << 0) +#define cJSON_True (1 << 1) +#define cJSON_NULL (1 << 2) +#define cJSON_Number (1 << 3) +#define cJSON_String (1 << 4) +#define cJSON_Array (1 << 5) +#define cJSON_Object (1 << 6) +#define cJSON_Raw (1 << 7) /* raw json */ + +#define cJSON_IsReference 256 +#define cJSON_StringIsConst 512 + +/* The cJSON structure: */ +typedef struct cJSON +{ + /* next/prev allow you to walk array/object chains. Alternatively, use GetArraySize/GetArrayItem/GetObjectItem */ + struct cJSON *next; + struct cJSON *prev; + /* An array or object item will have a child pointer pointing to a chain of the items in the array/object. */ + struct cJSON *child; + + /* The type of the item, as above. */ + int type; + + /* The item's string, if type==cJSON_String and type == cJSON_Raw */ + char *valuestring; + /* writing to valueint is DEPRECATED, use cJSON_SetNumberValue instead */ + int valueint; + /* The item's number, if type==cJSON_Number */ + double valuedouble; + + /* The item's name string, if this item is the child of, or is in the list of subitems of an object. */ + char *string; +} cJSON; + +typedef struct cJSON_Hooks +{ + /* malloc/free are CDECL on Windows regardless of the default calling convention of the compiler, so ensure the hooks allow passing those functions directly. */ + void *(CJSON_CDECL *malloc_fn)(size_t sz); + void (CJSON_CDECL *free_fn)(void *ptr); +} cJSON_Hooks; + +typedef int cJSON_bool; + +/* Limits how deeply nested arrays/objects can be before cJSON rejects to parse them. + * This is to prevent stack overflows. */ +#ifndef CJSON_NESTING_LIMIT +#define CJSON_NESTING_LIMIT 1000 +#endif + +/* returns the version of cJSON as a string */ +CJSON_PUBLIC(const char*) cJSON_Version(void); + +/* Supply malloc, realloc and free functions to cJSON */ +CJSON_PUBLIC(void) cJSON_InitHooks(cJSON_Hooks* hooks); + +/* Memory Management: the caller is always responsible to free the results from all variants of cJSON_Parse (with cJSON_Delete) and cJSON_Print (with stdlib free, cJSON_Hooks.free_fn, or cJSON_free as appropriate). The exception is cJSON_PrintPreallocated, where the caller has full responsibility of the buffer. */ +/* Supply a block of JSON, and this returns a cJSON object you can interrogate. */ +CJSON_PUBLIC(cJSON *) cJSON_Parse(const char *value); +CJSON_PUBLIC(cJSON *) cJSON_ParseWithLength(const char *value, size_t buffer_length); +/* ParseWithOpts allows you to require (and check) that the JSON is null terminated, and to retrieve the pointer to the final byte parsed. */ +/* If you supply a ptr in return_parse_end and parsing fails, then return_parse_end will contain a pointer to the error so will match cJSON_GetErrorPtr(). */ +CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated); +CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer_length, const char **return_parse_end, cJSON_bool require_null_terminated); + +/* Render a cJSON entity to text for transfer/storage. */ +CJSON_PUBLIC(char *) cJSON_Print(const cJSON *item); +/* Render a cJSON entity to text for transfer/storage without any formatting. */ +CJSON_PUBLIC(char *) cJSON_PrintUnformatted(const cJSON *item); +/* Render a cJSON entity to text using a buffered strategy. prebuffer is a guess at the final size. guessing well reduces reallocation. fmt=0 gives unformatted, =1 gives formatted */ +CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON_bool fmt); +/* Render a cJSON entity to text using a buffer already allocated in memory with given length. Returns 1 on success and 0 on failure. */ +/* NOTE: cJSON is not always 100% accurate in estimating how much memory it will use, so to be safe allocate 5 bytes more than you actually need */ +CJSON_PUBLIC(cJSON_bool) cJSON_PrintPreallocated(cJSON *item, char *buffer, const int length, const cJSON_bool format); +/* Delete a cJSON entity and all subentities. */ +CJSON_PUBLIC(void) cJSON_Delete(cJSON *item); + +/* Returns the number of items in an array (or object). */ +CJSON_PUBLIC(int) cJSON_GetArraySize(const cJSON *array); +/* Retrieve item number "index" from array "array". Returns NULL if unsuccessful. */ +CJSON_PUBLIC(cJSON *) cJSON_GetArrayItem(const cJSON *array, int index); +/* Get item "string" from object. Case insensitive. */ +CJSON_PUBLIC(cJSON *) cJSON_GetObjectItem(const cJSON * const object, const char * const string); +CJSON_PUBLIC(cJSON *) cJSON_GetObjectItemCaseSensitive(const cJSON * const object, const char * const string); +CJSON_PUBLIC(cJSON_bool) cJSON_HasObjectItem(const cJSON *object, const char *string); +/* For analysing failed parses. This returns a pointer to the parse error. You'll probably need to look a few chars back to make sense of it. Defined when cJSON_Parse() returns 0. 0 when cJSON_Parse() succeeds. */ +CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void); + +/* Check item type and return its value */ +CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item); +CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item); + +/* These functions check the type of an item */ +CJSON_PUBLIC(cJSON_bool) cJSON_IsInvalid(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsFalse(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsTrue(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsBool(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsNull(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsNumber(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsString(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsArray(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsObject(const cJSON * const item); +CJSON_PUBLIC(cJSON_bool) cJSON_IsRaw(const cJSON * const item); + +/* These calls create a cJSON item of the appropriate type. */ +CJSON_PUBLIC(cJSON *) cJSON_CreateNull(void); +CJSON_PUBLIC(cJSON *) cJSON_CreateTrue(void); +CJSON_PUBLIC(cJSON *) cJSON_CreateFalse(void); +CJSON_PUBLIC(cJSON *) cJSON_CreateBool(cJSON_bool boolean); +CJSON_PUBLIC(cJSON *) cJSON_CreateNumber(double num); +CJSON_PUBLIC(cJSON *) cJSON_CreateString(const char *string); +/* raw json */ +CJSON_PUBLIC(cJSON *) cJSON_CreateRaw(const char *raw); +CJSON_PUBLIC(cJSON *) cJSON_CreateArray(void); +CJSON_PUBLIC(cJSON *) cJSON_CreateObject(void); + +/* Create a string where valuestring references a string so + * it will not be freed by cJSON_Delete */ +CJSON_PUBLIC(cJSON *) cJSON_CreateStringReference(const char *string); +/* Create an object/array that only references it's elements so + * they will not be freed by cJSON_Delete */ +CJSON_PUBLIC(cJSON *) cJSON_CreateObjectReference(const cJSON *child); +CJSON_PUBLIC(cJSON *) cJSON_CreateArrayReference(const cJSON *child); + +/* These utilities create an Array of count items. + * The parameter count cannot be greater than the number of elements in the number array, otherwise array access will be out of bounds.*/ +CJSON_PUBLIC(cJSON *) cJSON_CreateIntArray(const int *numbers, int count); +CJSON_PUBLIC(cJSON *) cJSON_CreateFloatArray(const float *numbers, int count); +CJSON_PUBLIC(cJSON *) cJSON_CreateDoubleArray(const double *numbers, int count); +CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int count); + +/* Append item to the specified array/object. */ +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToArray(cJSON *array, cJSON *item); +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObject(cJSON *object, const char *string, cJSON *item); +/* Use this when string is definitely const (i.e. a literal, or as good as), and will definitely survive the cJSON object. + * WARNING: When this function was used, make sure to always check that (item->type & cJSON_StringIsConst) is zero before + * writing to `item->string` */ +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemToObjectCS(cJSON *object, const char *string, cJSON *item); +/* Append reference to item to the specified array/object. Use this when you want to add an existing cJSON to a new cJSON, but don't want to corrupt your existing cJSON. */ +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToArray(cJSON *array, cJSON *item); +CJSON_PUBLIC(cJSON_bool) cJSON_AddItemReferenceToObject(cJSON *object, const char *string, cJSON *item); + +/* Remove/Detach items from Arrays/Objects. */ +CJSON_PUBLIC(cJSON *) cJSON_DetachItemViaPointer(cJSON *parent, cJSON * const item); +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromArray(cJSON *array, int which); +CJSON_PUBLIC(void) cJSON_DeleteItemFromArray(cJSON *array, int which); +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObject(cJSON *object, const char *string); +CJSON_PUBLIC(cJSON *) cJSON_DetachItemFromObjectCaseSensitive(cJSON *object, const char *string); +CJSON_PUBLIC(void) cJSON_DeleteItemFromObject(cJSON *object, const char *string); +CJSON_PUBLIC(void) cJSON_DeleteItemFromObjectCaseSensitive(cJSON *object, const char *string); + +/* Update array items. */ +CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem); /* Shifts pre-existing items to the right. */ +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement); +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInArray(cJSON *array, int which, cJSON *newitem); +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObject(cJSON *object,const char *string,cJSON *newitem); +CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemInObjectCaseSensitive(cJSON *object,const char *string,cJSON *newitem); + +/* Duplicate a cJSON item */ +CJSON_PUBLIC(cJSON *) cJSON_Duplicate(const cJSON *item, cJSON_bool recurse); +/* Duplicate will create a new, identical cJSON item to the one you pass, in new memory that will + * need to be released. With recurse!=0, it will duplicate any children connected to the item. + * The item->next and ->prev pointers are always zero on return from Duplicate. */ +/* Recursively compare two cJSON items for equality. If either a or b is NULL or invalid, they will be considered unequal. + * case_sensitive determines if object keys are treated case sensitive (1) or case insensitive (0) */ +CJSON_PUBLIC(cJSON_bool) cJSON_Compare(const cJSON * const a, const cJSON * const b, const cJSON_bool case_sensitive); + +/* Minify a strings, remove blank characters(such as ' ', '\t', '\r', '\n') from strings. + * The input pointer json cannot point to a read-only address area, such as a string constant, + * but should point to a readable and writable address area. */ +CJSON_PUBLIC(void) cJSON_Minify(char *json); + +/* Helper functions for creating and adding items to an object at the same time. + * They return the added item or NULL on failure. */ +CJSON_PUBLIC(cJSON*) cJSON_AddNullToObject(cJSON * const object, const char * const name); +CJSON_PUBLIC(cJSON*) cJSON_AddTrueToObject(cJSON * const object, const char * const name); +CJSON_PUBLIC(cJSON*) cJSON_AddFalseToObject(cJSON * const object, const char * const name); +CJSON_PUBLIC(cJSON*) cJSON_AddBoolToObject(cJSON * const object, const char * const name, const cJSON_bool boolean); +CJSON_PUBLIC(cJSON*) cJSON_AddNumberToObject(cJSON * const object, const char * const name, const double number); +CJSON_PUBLIC(cJSON*) cJSON_AddStringToObject(cJSON * const object, const char * const name, const char * const string); +CJSON_PUBLIC(cJSON*) cJSON_AddRawToObject(cJSON * const object, const char * const name, const char * const raw); +CJSON_PUBLIC(cJSON*) cJSON_AddObjectToObject(cJSON * const object, const char * const name); +CJSON_PUBLIC(cJSON*) cJSON_AddArrayToObject(cJSON * const object, const char * const name); + +/* When assigning an integer value, it needs to be propagated to valuedouble too. */ +#define cJSON_SetIntValue(object, number) ((object) ? (object)->valueint = (object)->valuedouble = (number) : (number)) +/* helper for the cJSON_SetNumberValue macro */ +CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number); +#define cJSON_SetNumberValue(object, number) ((object != NULL) ? cJSON_SetNumberHelper(object, (double)number) : (number)) +/* Change the valuestring of a cJSON_String object, only takes effect when type of object is cJSON_String */ +CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring); + +/* Macro for iterating over an array or object */ +#define cJSON_ArrayForEach(element, array) for(element = (array != NULL) ? (array)->child : NULL; element != NULL; element = element->next) + +/* malloc/free objects using the malloc/free functions that have been set with cJSON_InitHooks */ +CJSON_PUBLIC(void *) cJSON_malloc(size_t size); +CJSON_PUBLIC(void) cJSON_free(void *object); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/deps/curl-8.3.0/lib/vtls/sf_ocsp.c b/deps/curl-8.3.0/lib/vtls/sf_ocsp.c new file mode 100644 index 0000000000..f81ad8278e --- /dev/null +++ b/deps/curl-8.3.0/lib/vtls/sf_ocsp.c @@ -0,0 +1,2364 @@ +/* +* Copyright (c) 2017-2019 Snowflake Computing +*/ + +#include "curl_setup.h" + +#include "urldata.h" +#include "sendf.h" +#include "formdata.h" /* for the boundary function */ +#include "url.h" /* for the ssl config check function */ +#include "inet_pton.h" +#include "openssl.h" +#include "connect.h" +#include "slist.h" +#include "select.h" +#include "vtls.h" +#include "strcase.h" +#include "hostcheck.h" +#include "curl_printf.h" +#include "sf_ocsp.h" +#include "sf_cJSON.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "oobtelemetry.h" + +#ifdef __linux__ +#include +#endif + +#ifdef _WIN32 +// Windows +#include +#include +#include + +typedef HANDLE SF_THREAD_HANDLE; +typedef CONDITION_VARIABLE SF_CONDITION_HANDLE; +typedef CRITICAL_SECTION SF_CRITICAL_SECTION_HANDLE; +typedef SRWLOCK SF_RWLOCK_HANDLE; +typedef HANDLE SF_MUTEX_HANDLE; + +#define PATH_MAX MAX_PATH /* Maximum PATH legnth */ +#define F_OK 0 /* Test for existence. */ +#define PATH_SEP "\\" +#else +// Linux and MacOSX +#include +#include +#include +#include +#include + +typedef pthread_t SF_THREAD_HANDLE; +typedef pthread_cond_t SF_CONDITION_HANDLE; +typedef pthread_mutex_t SF_CRITICAL_SECTION_HANDLE; +typedef pthread_rwlock_t SF_RWLOCK_HANDLE; +typedef pthread_mutex_t SF_MUTEX_HANDLE; +#define PATH_SEP "/" +#endif + +#include "curl_base64.h" +#include "curl_memory.h" +#include "memdebug.h" +#include "sf_ocsp_telemetry_data.h" + +#define DEFAULT_OCSP_RESPONSE_CACHE_HOST "http://ocsp.snowflakecomputing.com" +#define OCSP_RESPONSE_CACHE_JSON "ocsp_response_cache.json" +#define OCSP_RESPONSE_CACHE_URL "%s/%s" +#define OCSP_RESPONDER_RETRY_URL "http://ocsp.snowflakecomputing.com/retry" + +#define GET_STR_OCSP_LOG(X,Y) X->Y ? cJSON_CreateString(X->Y) : NULL +#define GET_BOOL_OCSP_LOG(X,Y) X->Y ? cJSON_CreateString("True") : cJSON_CreateString("False") +#define FREE_OCSP_LOG(X) if (X) free(X) + +// Connection timeout in seconds for CA OCSP Responder +#define CA_OCSP_RESPONDER_CONNECTION_TIMEOUT 10L + +// Connection timeout in seconds for OCSP Cache Server +#define OCSP_CACHE_SERVER_CONNECTION_TIMEOUT 5L + +// Max number of connection retry attempts for OCSP Responder in Fail Open Mode +#define CA_OCSP_RESPONDER_MAX_RETRY_FO 1 + +// Max number of connection retry attempts for OCSP Responder in Fail Close Mode +#define CA_OCSP_RESPONDER_MAX_RETRY_FC 3 + +// Max number of connection retry attempts for OCSP Cache Server +#define OCSP_CACHE_SERVER_MAX_RETRY 1 + +// Max length of buffer +#define MAX_BUFFER_LENGTH 4096 + +typedef enum +{ + INVALID, + VALID +}SF_OCSP_STATUS; + +typedef enum +{ + DISABLED = 0, + ENABLED +}SF_FAILOPEN_STATUS; + +typedef enum +{ + TEST_DISABLED = 0, + TEST_ENABLED +}SF_TESTMODE_STATUS; + +typedef enum +{ + CERT_STATUS_GOOD, + CERT_STATUS_REVOKED, + CERT_STATUS_UNKNOWN, + CERT_STATUS_INVALID, + CERT_STATUS_UNAVAILABLE +}SF_CERT_STATUS; + +typedef enum +{ + SF_OCSP_TEST_MODE, + SF_TEST_OCSP_CACHE_SERVER_CONNECTION_TIMEOUT, + SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY, + SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT, + SF_TEST_OCSP_CERT_STATUS_REVOKED, + SF_TEST_OCSP_CERT_STATUS_UNKNOWN +}SF_OCSP_TEST; + +/* private function declarations */ +static char *ossl_strerror(unsigned long error, char *buf, size_t size); +static SF_CERT_STATUS checkResponse(OCSP_RESPONSE *resp, + STACK_OF(X509) *ch, + X509_STORE *st, + struct Curl_easy *data, + SF_OTD *ocsp_log_data); +static int prepareRequest(OCSP_REQUEST **req, + OCSP_CERTID *id, + struct Curl_easy *data); +static void updateOCSPResponseInMem(OCSP_CERTID *id, OCSP_RESPONSE *resp, + struct Curl_easy *data); +static OCSP_RESPONSE * findOCSPRespInMem(OCSP_CERTID *certid, + struct Curl_easy *data, + SF_OTD *ocsp_log_data); +static OCSP_RESPONSE * getOCSPResponse(X509 *cert, X509 *issuer, + struct connectdata *conn, struct Curl_easy *data, + SF_FAILOPEN_STATUS ocsp_fail_open, SF_OTD *ocsp_log); +static CURLcode checkOneCert(X509 *cert, X509 *issuer, + STACK_OF(X509) *ch, X509_STORE *st, + SF_FAILOPEN_STATUS ocsp_fail_open, + struct connectdata *conn, + struct Curl_easy *data, + SF_OTD *ocsp_log_data, + bool oob_enable); +static char* ensureCacheDir(char* cache_dir, struct Curl_easy* data); +static char* mkdirIfNotExists(char* dir, struct Curl_easy* data); +static void writeOCSPCacheFile(struct Curl_easy* data); +static void readOCSPCacheFile(struct Curl_easy* data, SF_OTD *ocsp_log_data); +static OCSP_RESPONSE * queryResponderUsingCurl(char *url, OCSP_CERTID *certid, + char *hostname, OCSP_REQUEST *req, + struct Curl_easy *data, + SF_FAILOPEN_STATUS ocsp_fail_open, + SF_OTD *ocsp_log_data); +static void initOCSPCacheServer(struct Curl_easy *data); +static void downloadOCSPCache(struct Curl_easy *data, SF_OTD *ocsp_log_data); +static char* encodeOCSPCertIDToBase64(OCSP_CERTID *certid, struct Curl_easy *data); +static char* encodeOCSPRequestToBase64(OCSP_REQUEST *reqp, struct Curl_easy *data); +static char* encodeOCSPResponseToBase64(OCSP_RESPONSE* resp, struct Curl_easy *data); +static OCSP_CERTID* decodeOCSPCertIDFromBase64(char* src, struct Curl_easy *data); +static OCSP_RESPONSE* decodeOCSPResponseFromBase64(char* src, struct Curl_easy *data); +static SF_OCSP_STATUS checkResponseTimeValidity(OCSP_RESPONSE *resp, + struct Curl_easy *data, + SF_OTD *ocsp_log_data); +static OCSP_RESPONSE* extractOCSPRespFromValue(cJSON *cache_value, + struct Curl_easy *data, + SF_OTD *ocsp_log_dataa); +static cJSON *getCacheEntry(OCSP_CERTID* certid, struct Curl_easy *data); +static void deleteCacheEntry(OCSP_CERTID* certid, struct Curl_easy *data); +static void updateCacheWithBulkEntries(cJSON* tmp_cache, struct Curl_easy *data); +static char * getOCSPPostReqData(const char *hname, OCSP_CERTID *cid, + const char * ocsp_url, const char *ocsp_req, + struct Curl_easy *data); +static int checkSSDStatus(void); +static void termCertOCSP(); +static void printOCSPFailOpenWarning(SF_OTD *ocsp_log, struct Curl_easy *data, bool oob_enable); +static char * generateOCSPTelemetryData(SF_OTD *ocsp_log); +static void clearOSCPLogData(SF_OTD *ocsp_log); +static SF_TESTMODE_STATUS getTestStatus(SF_OCSP_TEST test_name); + +/* Intentially make it global for test purpose */ +CURLcode encodeUrlData(const char *url_data, size_t data_size, char** outptr, size_t *outlen); + +static int _mutex_init(SF_MUTEX_HANDLE *lock); +static int _mutex_lock(SF_MUTEX_HANDLE *lock); +static int _mutex_unlock(SF_MUTEX_HANDLE *lock); +static int _mutex_term(SF_MUTEX_HANDLE *lock); + +/* in memory response cache */ +static cJSON * ocsp_cache_root = NULL; + +/* mutex for ocsp_cache_root */ +static SF_MUTEX_HANDLE ocsp_response_cache_mutex; + +/** OCSP Cache Server is used if enabled */ +static int ocsp_cache_server_enabled = 0; + +static char* ocsp_cache_server_url_env = NULL; + +static char ocsp_cache_server_url[MAX_BUFFER_LENGTH] = ""; + +static char ocsp_cache_server_retry_url_pattern[MAX_BUFFER_LENGTH]; + +/* Mutex */ +int _mutex_init(SF_MUTEX_HANDLE *lock) { +#ifdef _WIN32 + *lock = CreateMutex( + NULL, // default security attribute + FALSE, // initially not owned + NULL // unnamed mutext + ); + return 0; +#else + return pthread_mutex_init(lock, NULL); +#endif +} + +int _mutex_lock(SF_MUTEX_HANDLE *lock) { +#ifdef _WIN32 + DWORD ret = WaitForSingleObject(*lock, INFINITE); + return ret == WAIT_OBJECT_0 ? 0 : 1; +#else + return pthread_mutex_lock(lock); +#endif +} + +int _mutex_unlock(SF_MUTEX_HANDLE *lock) { +#ifdef _WIN32 + return ReleaseMutex(*lock) == 0; +#else + return pthread_mutex_unlock(lock); +#endif +} + +int _mutex_term(SF_MUTEX_HANDLE *lock) { +#ifdef _WIN32 + return CloseHandle(*lock) == 0; +#else + return pthread_mutex_destroy(lock); +#endif +} + +#ifdef _WIN32 +/** start to sleep for 1s before retrying (milliseconds) */ +static const long START_SLEEP_TIME = 1000; + + /** max sleep time before retrying (milliseconds) */ +static const long MAX_SLEEP_TIME = 16000; +#else +/** start to sleep for 1s before retrying (microseconds) */ +static const unsigned int START_SLEEP_TIME = 1000000; + +/** max sleep time before retrying (microseconds) */ +static const unsigned int MAX_SLEEP_TIME = 16000000; +#endif +static const int MAX_RETRY = 1; + + +/* Encode request data as a part of URL + * Encode all characters reserved by URL + * @param url_data The source data needs to be encoded + * @param data_size The size of the source data + * @param outptr The allocated buffer filled with encoded data, need to be freed by caller + * @param outlen If not NULL, output the encoded data length in outptr. + * Returns CURLE_OK on success, otherwise specific error code. Function + * output shall not be considered valid unless CURLE_OK is returned. + */ +CURLcode encodeUrlData(const char *url_data, size_t data_size, char** outptr, size_t *outlen) +{ + // allocate buffer 3 times larger than source data in case every single, add 1 for '\0' + // character needs to be encoded as %xx + size_t buf_len = data_size * 3 + 1; + char* encode_buf = NULL; + char* cur_ptr = NULL; + size_t enc_len = 0; + size_t pos = 0; + + encode_buf = (char*)malloc(buf_len); + if(!encode_buf) + { + return CURLE_OUT_OF_MEMORY; + } + cur_ptr = encode_buf; + + // encode all special characters + for (pos = 0; pos < data_size; pos++) + { + // if unreserved, put as is + // RFC 3986 section 2.3 Unreserved Characters + char car = url_data[pos]; + if ((car >= '0' && car <= '9') || + (car >= 'A' && car <= 'Z') || + (car >= 'a' && car <= 'z') || + (car == '-' || car == '_' || car == '.' || car == '~')) + { + *cur_ptr = car; + cur_ptr++; + enc_len++; + buf_len--; + } + else + { + snprintf(cur_ptr, buf_len, "%%%.2X", car); + cur_ptr += 3; + enc_len += 3; + buf_len -= 3; + } + } + + *cur_ptr = '\0'; + *outptr = encode_buf; + if (outlen) + { + *outlen = enc_len; + } + return CURLE_OK; +} + +/* Return error string for last OpenSSL error + */ +static char *ossl_strerror(unsigned long error, char *buf, size_t size) +{ + ERR_error_string_n(error, buf, size); + return buf; +} + +static SF_TESTMODE_STATUS getTestStatus(SF_OCSP_TEST test_name) { + char *env = NULL; + switch(test_name) + { + case SF_OCSP_TEST_MODE: + env = getenv("SF_OCSP_TEST_MODE"); + if (env != NULL) + { + return TEST_ENABLED; + } + else + { + return TEST_DISABLED; + } + break; + case SF_TEST_OCSP_CACHE_SERVER_CONNECTION_TIMEOUT: + env = getenv("SF_TEST_OCSP_CACHE_SERVER_CONNECTION_TIMEOUT"); + if (env != NULL) + { + return atol(env); + } + else + { + return 0; + } + break; + case SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY: + env = getenv("SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY"); + if (env != NULL) + { + return TEST_ENABLED; + } + else + { + return TEST_DISABLED; + } + break; + case SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT: + env = getenv("SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT"); + if (env != NULL) + { + return atol(env); + } + else + { + return 0; + } + break; + case SF_TEST_OCSP_CERT_STATUS_REVOKED: + env = getenv("SF_TEST_OCSP_CERT_STATUS_REVOKED"); + if (env != NULL) + { + return TEST_ENABLED; + } + else + { + return TEST_DISABLED; + } + break; + case SF_TEST_OCSP_CERT_STATUS_UNKNOWN: + env = getenv("SF_TEST_OCSP_CERT_STATUS_UNKNOWN"); + if (env != NULL) + { + return TEST_ENABLED; + } + else + { + return TEST_DISABLED; + } + break; + default: + return TEST_DISABLED; + } +} + +static void printTestWarning(struct Curl_easy *data) { + infof(data, "WARNING - DRIVER CONFIGURED IN TEST MODE"); +} + +static int checkSSDStatus(void) { + char *ssd_env = getenv("SF_OCSP_ACTIVATE_SSD"); + int i = 0; + + if (!ssd_env) + { + return 0; + } + + for(i = 0; ssd_env[i] != '\0'; i++) + { + ssd_env[i] = (char)Curl_raw_tolower(ssd_env[i]); + } + return (strncmp(ssd_env, "true", sizeof("true")) == 0); +} + + +SF_CERT_STATUS checkResponse(OCSP_RESPONSE *resp, + STACK_OF(X509) *ch, + X509_STORE *st, + struct Curl_easy *data, + SF_OTD *ocsp_log_data) +{ + int i; + SF_CERT_STATUS result = CERT_STATUS_INVALID; + OCSP_BASICRESP *br = NULL; + int ocsp_res = 0; + char error_buffer[1024]; + + br = OCSP_response_get1_basic(resp); + if (getTestStatus(SF_OCSP_TEST_MODE) == TEST_ENABLED) + { + printTestWarning(data); + if (getTestStatus(SF_TEST_OCSP_FORCE_BAD_RESPONSE_VALIDITY) == TEST_ENABLED) + { + failf(data, "Forced Failure - Bad OCSP Response."); + result = CERT_STATUS_INVALID; + goto end; + } + } + + if (br == NULL) + { + failf(data, "Failed to get OCSP response basic"); + sf_otd_set_event_sub_type(OCSP_RESPONSE_LOAD_FAILURE, ocsp_log_data); + result = CERT_STATUS_INVALID; + goto end; + } + + ocsp_res = OCSP_basic_verify(br, ch, st, 0); + /* ocsp_res: 1... success, 0... error, -1... fatal error */ + if (ocsp_res <= 0) + { + failf(data, + "OCSP response signature verification failed. ret: %s", + ossl_strerror(ERR_get_error(), error_buffer, + sizeof(error_buffer))); + sf_otd_set_event_sub_type(OCSP_RESPONSE_SIGNATURE_INVALID, ocsp_log_data); + result = CERT_STATUS_INVALID; + goto end; + } + infof(data, + "OCSP response signature verification success. ret: %s", + ossl_strerror(ERR_get_error(), error_buffer, + sizeof(error_buffer))); + + for (i = 0; i < OCSP_resp_count(br); i++) + { + int cert_status, crl_reason; + int psec, pday; + long skewInSec = 900L; + + OCSP_SINGLERESP *single = NULL; + + ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; + + single = OCSP_resp_get0(br, i); + if(!single) + continue; + + cert_status = OCSP_single_get0_status(single, &crl_reason, &rev, + &thisupd, &nextupd); + + + if (ASN1_TIME_diff(&pday, &psec, thisupd, nextupd)) + { + /* + * Allow leeway = 1% of the difference of OCSP response validity + * validity = 1% (actual validity of OCSP Response) + */ + long validity = (pday*24*60*60 + psec)/100; + skewInSec = validity > skewInSec ? validity : skewInSec; + infof(data, "Diff between thisupd and nextupd " + "day: %d, sec: %d, Tolerant skew: %d", pday, psec, + skewInSec); + } + else + { + failf(data, "Invalid structure of ASN1_GENERALIZEDTIME"); + result = CERT_STATUS_INVALID; + goto end; + } + + /* + * Consider the OCSP response' time range to be valid if it lies + * in the following range - [thisupd-validity, nextupd+validity] + */ + if(cert_status != V_OCSP_CERTSTATUS_REVOKED && + !OCSP_check_validity(thisupd, nextupd, skewInSec, -1L)) { + failf(data, "OCSP response has expired"); + sf_otd_set_event_sub_type(OCSP_RESPONSE_EXPIRED, ocsp_log_data); + result = CERT_STATUS_INVALID; + goto end; + } + + if (getTestStatus(SF_OCSP_TEST_MODE) == TEST_ENABLED) + { + printTestWarning(data); + if (getTestStatus(SF_TEST_OCSP_CERT_STATUS_REVOKED) == TEST_ENABLED) + { + failf(data, "Forced Failure - REVOKED OCSP Status."); + cert_status = V_OCSP_CERTSTATUS_REVOKED; + } + else if (getTestStatus(SF_TEST_OCSP_CERT_STATUS_UNKNOWN) == TEST_ENABLED) + { + failf(data, "Forced Failure - UNKNOWN OCSP Status"); + cert_status = V_OCSP_CERTSTATUS_UNKNOWN; + } + } + + switch(cert_status) + { + case V_OCSP_CERTSTATUS_GOOD: + result = CERT_STATUS_GOOD; + infof(data, "SSL certificate status: %s (%d)", + OCSP_cert_status_str(cert_status), cert_status); + goto end; + + case V_OCSP_CERTSTATUS_REVOKED: + result = CERT_STATUS_REVOKED; + failf(data, "SSL certificate revocation reason: %s (%d)", + OCSP_crl_reason_str(crl_reason), crl_reason); + goto end; + + case V_OCSP_CERTSTATUS_UNKNOWN: + result = CERT_STATUS_UNKNOWN; + infof(data, "SSL certificate status: %s (%d)", + OCSP_cert_status_str(cert_status), cert_status); + goto end; + } + } + +end: + OCSP_BASICRESP_free(br); + return result; +} + +struct curl_read_data +{ + char * read_data_ptr; + int size_left; +}; + +struct curl_memory_write +{ + char *memory_ptr; + size_t size; +}; + +static size_t +write_callback(void *contents, size_t size, size_t nmemb, void *userp) +{ + size_t realsize = size * nmemb; + struct curl_memory_write *mem = (struct curl_memory_write *)userp; + + mem->memory_ptr = realloc(mem->memory_ptr, mem->size + realsize + 1); + + memcpy(&(mem->memory_ptr[mem->size]), contents, realsize); + mem->size += realsize; + mem->memory_ptr[mem->size] = 0; /* null terminated */ + + return realsize; +} + +static char * getOCSPPostReqData(const char *hname, + OCSP_CERTID *cid, + const char * ocsp_url, const char *ocsp_req, + struct Curl_easy *data) +{ + char *ret_data = NULL; + cJSON *hostname = cJSON_CreateString(hname); + cJSON *ocsp_request = cJSON_CreateString(ocsp_req); + cJSON *cert_id = cJSON_CreateString(encodeOCSPCertIDToBase64(cid, data)); + cJSON *ocsp_responder_url = cJSON_CreateString(ocsp_url); + + cJSON *ocsp_post = cJSON_CreateObject(); + + if (!ocsp_post) + { + goto end; + } + + cJSON_AddItemToObject(ocsp_post, "cert_id", cert_id); + cJSON_AddItemToObject(ocsp_post, "ocsp_request", ocsp_request); + cJSON_AddItemToObject(ocsp_post, "ocsp_responder_url",ocsp_responder_url); + cJSON_AddItemToObject(ocsp_post, "hostname", hostname); + ret_data = cJSON_PrintUnformatted(ocsp_post); + end: + return ret_data; +} + +static OCSP_RESPONSE * queryResponderUsingCurl(char *url, OCSP_CERTID *certid, char *hostname, + OCSP_REQUEST *req, struct Curl_easy *data, + SF_FAILOPEN_STATUS ocsp_fail_open, + SF_OTD *ocsp_log_data) +{ + unsigned char *ocsp_req_der = NULL; + int len_ocsp_req_der = 0; + OCSP_RESPONSE * ocsp_response = NULL; + struct curl_memory_write ocsp_response_raw; + unsigned char *ocsp_response_der = NULL; + CURL *ocsp_curl = NULL; + char *ocsp_req_base64 = NULL; + size_t ocsp_req_base64_len = 0; + char *encoded_ocsp_req_base64 = NULL; + CURLcode result; + int use_ssl; + char *host = NULL, *port = NULL, *path = NULL; + char urlbuf[MAX_BUFFER_LENGTH]; + int ocsp_retry_cnt = 0; + + char *ocsp_post_data = NULL; + int ACTIVATE_SSD = checkSSDStatus(); + char *cert_id_b64 = encodeOCSPCertIDToBase64(certid, data); + long sf_timeout = CA_OCSP_RESPONDER_CONNECTION_TIMEOUT; + int test_timeout; + char* test_ocsp_url = NULL; + int max_retry = CA_OCSP_RESPONDER_MAX_RETRY_FO; + int curl_success = 0; + + ocsp_response_raw.memory_ptr = malloc(1); /* will be grown as needed by the realloc above */ + ocsp_response_raw.size = 0; + // Update OCSP Log Data + sf_otd_set_sfc_peer_host(hostname, ocsp_log_data); + sf_otd_set_certid(cert_id_b64, ocsp_log_data); + + len_ocsp_req_der = i2d_OCSP_REQUEST(req, &ocsp_req_der); + if (len_ocsp_req_der<= 0 || ocsp_req_der == NULL) + { + failf(data, "Failed to encode ocsp request into DER format"); + sf_otd_set_event_sub_type(OCSP_RESPONSE_LOAD_FAILURE, ocsp_log_data); + goto end; + } + + result = Curl_base64_encode( + (char *)ocsp_req_der, (size_t)len_ocsp_req_der, + &ocsp_req_base64, &ocsp_req_base64_len); + if (result != CURLE_OK) + { + failf(data, "Failed to encode ocsp requst into base64 format"); + sf_otd_set_event_sub_type(OCSP_RESPONSE_ENCODE_FAILURE, ocsp_log_data); + goto end; + } + + sf_otd_set_ocsp_request(ocsp_req_base64, ocsp_log_data); + + if (getTestStatus(SF_OCSP_TEST_MODE) == TEST_ENABLED) + { + printTestWarning(data); + if ((test_timeout = getTestStatus(SF_TEST_CA_OCSP_RESPONDER_CONNECTION_TIMEOUT))) + { + sf_timeout = test_timeout; + } + if ((test_ocsp_url = getenv("SF_TEST_OCSP_URL")) != NULL) + { + snprintf(urlbuf, sizeof(urlbuf), + "%s", test_ocsp_url); + } + } + + OCSP_parse_url(url, &host, &port, &path, &use_ssl); + /* build a direct OCSP URL or OCSP Dynamic Cache Server URL */ + if (getTestStatus(SF_OCSP_TEST_MODE) == TEST_DISABLED || test_ocsp_url == NULL) + { + if (!ACTIVATE_SSD) + { + result = encodeUrlData(ocsp_req_base64, ocsp_req_base64_len, + &encoded_ocsp_req_base64, NULL); + if (result != CURLE_OK) + { + failf(data, "Failed to encode ocsp requst with URL safe"); + sf_otd_set_event_sub_type(OCSP_RESPONSE_ENCODE_FAILURE, ocsp_log_data); + goto end; + } + + // send the entire OCSP URL to the cache server + char full_url[MAX_BUFFER_LENGTH] = ""; + strcpy(full_url, host ? host : ""); + + // default port numbers will not be added to the url + // (443 if the scheme is https, else 80) + if (port && + atoi(port) > 0 && + ((use_ssl && atoi(port) != 443) || (!use_ssl && atoi(port) != 80))) + { + strcat(full_url, ":"); + strcat(full_url, port); + } + + // path is guaranteed to begin with a / character + if (path && (strlen(path) > 1)) + { + strcat(full_url, path); + } + + snprintf(urlbuf, sizeof(urlbuf), + ocsp_cache_server_retry_url_pattern, + full_url, + encoded_ocsp_req_base64); + } + else + { + snprintf(urlbuf, sizeof(urlbuf), + ocsp_cache_server_retry_url_pattern); + } + } + + OPENSSL_free(host); + OPENSSL_free(port); + OPENSSL_free(path); + + infof(data, "OCSP fetch URL: %s", urlbuf); + + /* allocate another curl handle for ocsp checking */ + ocsp_curl = curl_easy_init(); + + if (ocsp_curl) + { + curl_easy_setopt(ocsp_curl, CURLOPT_NOPROGRESS, 1L); + curl_easy_setopt(ocsp_curl, CURLOPT_NOSIGNAL, 1); + curl_easy_setopt(ocsp_curl, CURLOPT_TIMEOUT, sf_timeout); + curl_easy_setopt(ocsp_curl, CURLOPT_URL, urlbuf); + curl_easy_setopt(ocsp_curl, CURLOPT_ACCEPT_ENCODING, ""); + curl_easy_setopt(ocsp_curl, CURLOPT_WRITEFUNCTION, write_callback); + curl_easy_setopt(ocsp_curl, CURLOPT_WRITEDATA, &ocsp_response_raw); + + // copy proxy settings from original curl handle if it's set + curl_easy_setopt(ocsp_curl, CURLOPT_PROXY, data->set.str[STRING_PROXY]); + curl_easy_setopt(ocsp_curl, CURLOPT_PROXYPORT, data->set.proxyport); + if (data->set.str[STRING_PROXYUSERNAME] || data->set.str[STRING_PROXYPASSWORD]) + { + curl_easy_setopt(ocsp_curl, CURLOPT_PROXYUSERNAME, data->set.str[STRING_PROXYUSERNAME]); + curl_easy_setopt(ocsp_curl, CURLOPT_PROXYPASSWORD, data->set.str[STRING_PROXYPASSWORD]); + } + curl_easy_setopt(ocsp_curl, CURLOPT_NOPROXY, data->set.str[STRING_NOPROXY]); + + if (ACTIVATE_SSD) + { + curl_easy_setopt(ocsp_curl, CURLOPT_POST, 1L); + ocsp_post_data = getOCSPPostReqData(hostname, certid, url, ocsp_req_base64, data); + if (!ocsp_post_data) + { + goto end; + } + curl_easy_setopt(ocsp_curl, CURLOPT_POSTFIELDS, ocsp_post_data); + } + + ocsp_retry_cnt = 0; + + if (ocsp_fail_open == DISABLED) + { + max_retry = CA_OCSP_RESPONDER_MAX_RETRY_FC; + } + + while(ocsp_retry_cnt < max_retry) + { + char error_msg[MAX_BUFFER_LENGTH]; + CURLcode res = curl_easy_perform(ocsp_curl); + + if (res != CURLE_OK) + { + failf(data, "OCSP checking curl_easy_perform() failed: %s", + curl_easy_strerror(res)); + if (ocsp_retry_cnt == max_retry -1) + { + snprintf(error_msg, OCSP_TELEMETRY_ERROR_MSG_MAX_LEN, + "OCSP checking curl_easy_perform() failed: %s\n", + curl_easy_strerror(res)); + sf_otd_set_error_msg(error_msg, ocsp_log_data); + sf_otd_set_event_sub_type(OCSP_RESPONSE_FETCH_FAILURE, ocsp_log_data); + } + ocsp_retry_cnt++; + } + else if (res == CURLE_OK) + { + long response_code; + curl_easy_getinfo(ocsp_curl, CURLINFO_RESPONSE_CODE, &response_code); + if (response_code >= 200 && response_code < 300) + { + infof(data, "OCSP request returned with http status code 2XX"); + curl_success = 1; + break; + } + else if (response_code < 200 || response_code >= 300) + { + failf(data, "OCSP request failed with non-200 level code: %d", + response_code); + + if (ocsp_retry_cnt == max_retry-1) + { + snprintf(error_msg, OCSP_TELEMETRY_ERROR_MSG_MAX_LEN, + "OCSP request failed with non 200 level code %li", response_code); + sf_otd_set_error_msg(error_msg, ocsp_log_data); + sf_otd_set_event_sub_type(OCSP_RESPONSE_FETCH_FAILURE, ocsp_log_data); + } + ocsp_retry_cnt++; + } + } + } + } + + if (!curl_success) + { + goto end; + } + + ocsp_response_der = (unsigned char*)ocsp_response_raw.memory_ptr; + ocsp_response = d2i_OCSP_RESPONSE(NULL, + (const unsigned char**)&ocsp_response_der, + (long)ocsp_response_raw.size); + if (ocsp_response == NULL) + { + failf(data, "Failed to decode ocsp response"); + sf_otd_set_error_msg("Failed to decode ocsp response", ocsp_log_data); + sf_otd_set_event_sub_type(OCSP_RESPONSE_DECODE_FAILURE, ocsp_log_data); + } + +end: + if (ocsp_req_base64) curl_free(ocsp_req_base64); + if (encoded_ocsp_req_base64) curl_free(encoded_ocsp_req_base64); + if (cert_id_b64) curl_free(cert_id_b64); + if (ocsp_req_der) OPENSSL_free(ocsp_req_der); + if (ocsp_curl) curl_easy_cleanup(ocsp_curl); + + free(ocsp_response_raw.memory_ptr); + + return ocsp_response; +} + +/** + * Prepares OCSP request + * @param req OCSP_REQUEST + * @param certid OCSP_CERTID + * @param data curl handle + * @return 1 if success otherwise 0 + */ +int prepareRequest(OCSP_REQUEST **req, + OCSP_CERTID *certid, + struct Curl_easy *data) +{ + if(!*req) *req = OCSP_REQUEST_new(); + if(!*req) + { + failf(data, "Failed to allocate OCSP request"); + goto err; + } + if(!OCSP_request_add0_id(*req, certid)) + { + failf(data, "Failed to attach CertID to OCSP request"); + goto err; + } + return 1; + +err: + return 0; +} + +/** + * Update the cache entry with the CertID and Response + * @param certid OCSP_CERTID + * @param resp OCSP_RESPONSE + * @param data curl handle + */ +void updateOCSPResponseInMem(OCSP_CERTID *certid, OCSP_RESPONSE *resp, + struct Curl_easy *data) +{ + char * cert_id_encode= NULL; + char * ocsp_response_encode = NULL; + + unsigned long unix_time; + + cJSON * cache_val_array = NULL; + cJSON *found = NULL; + + /* encode OCSP CertID and OCSP Response */ + cert_id_encode = encodeOCSPCertIDToBase64(certid, data); + if (cert_id_encode == NULL) + { + failf(data, "UpdateOCSPResponseInMem - cert id encode failed"); + goto end; + } + ocsp_response_encode = encodeOCSPResponseToBase64(resp, data); + if (ocsp_response_encode == NULL) + { + failf(data, "UpdateOCSPResponseInMem - ocsp response encode failed %s", cert_id_encode); + goto end; + } + + /* timestamp */ + unix_time = (unsigned long)time(NULL); + + /* write to mem cache */ + cache_val_array = cJSON_CreateArray(); + cJSON_AddItemToArray(cache_val_array, cJSON_CreateNumber((double) unix_time)); + cJSON_AddItemToArray(cache_val_array, cJSON_CreateString(ocsp_response_encode)); + + _mutex_lock(&ocsp_response_cache_mutex); + if (ocsp_cache_root == NULL) + { + ocsp_cache_root = cJSON_CreateObject(); + } + found = getCacheEntry(certid, data); + if (found != NULL) + { + /* delete existing entry first if exists. */ + cJSON_DeleteItemFromObject(ocsp_cache_root, found->string); + } + cJSON_AddItemToObject(ocsp_cache_root, cert_id_encode, cache_val_array); + _mutex_unlock(&ocsp_response_cache_mutex); +end: + if (cert_id_encode) curl_free(cert_id_encode); + if (ocsp_response_encode) curl_free(ocsp_response_encode); +} + +/** + * Encode OCSP CertID to Base 64 string + * + * @param certid OCSP_CERTID + * @param data curl handle + * @return base64 string + */ +char* encodeOCSPCertIDToBase64(OCSP_CERTID *certid, struct Curl_easy *data) +{ + int len; + char* ret = NULL; + unsigned char *der_buf = NULL; + size_t encode_len = 0; + CURLcode result; + + len = i2d_OCSP_CERTID(certid, &der_buf); + if (len <= 0 || der_buf == NULL) + { + infof(data, "Failed to encode OCSP CertId"); + goto end; + } + result = Curl_base64_encode((char *)der_buf, (size_t)len, + &ret, &encode_len); + if (result != CURLE_OK) + { + infof(data, "Failed to encode OCSP CertId to base64: %s", + curl_easy_strerror(result)); + } +end: + if (der_buf) OPENSSL_free(der_buf); + return ret; +} + +/** + * Encode OCSP Request to Base 64 string + * @param reqp OCSP_REQUEST + * @param data curl handle + * @return base64 string + */ +char *encodeOCSPRequestToBase64(OCSP_REQUEST *reqp, struct Curl_easy *data) +{ + int len; + char* ret = NULL; + unsigned char *der_buf = NULL; + size_t encode_len = 0; + CURLcode result; + + len = i2d_OCSP_REQUEST(reqp, &der_buf); + if (len <= 0 || der_buf == NULL) + { + infof(data, "Failed to encode OCSP response"); + goto end; + } + + result = Curl_base64_encode((char *)der_buf, (size_t)len, + &ret, &encode_len); + if (result != CURLE_OK) + { + infof(data, "Failed to encode OCSP response to base64: %s", + curl_easy_strerror(result)); + goto end; + } +end: + if (der_buf) OPENSSL_free(der_buf); + return ret; +} + +/** + * Encode OCSP Response to Base 64 string + * + * @param resp OCSP_RESPONSE + * @param data curl handle + * @return base64 string + */ +char *encodeOCSPResponseToBase64(OCSP_RESPONSE* resp, struct Curl_easy *data) +{ + int len; + char* ret = NULL; + unsigned char *der_buf = NULL; + size_t encode_len = 0; + CURLcode result; + + len = i2d_OCSP_RESPONSE(resp, &der_buf); + if (len <= 0 || der_buf == NULL) + { + infof(data, "Failed to encode OCSP response"); + goto end; + } + + result = Curl_base64_encode((char *)der_buf, (size_t)len, + &ret, &encode_len); + if (result != CURLE_OK) + { + infof(data, "Failed to encode OCSP response to base64: %s", + curl_easy_strerror(result)); + goto end; + } +end: + if (der_buf) OPENSSL_free(der_buf); + return ret; +} + +/** + * Decoede OCSP CertID from Base 64 string + * @param src a base64 string + * @param data curl handle + * @return OCSP_CERTID + */ +OCSP_CERTID* decodeOCSPCertIDFromBase64(char* src, struct Curl_easy *data) +{ + unsigned char *ocsp_certid_der = NULL; + unsigned char *ocsp_certid_der_org = NULL; + size_t ocs_certid_der_len; + OCSP_CERTID *target_certid = NULL; + CURLcode result; + if (src == NULL) + { + infof(data, "Base64 input is NULL for decoding OCSP CertID"); + return NULL; + } + + result = Curl_base64_decode(src, + &ocsp_certid_der, &ocs_certid_der_len); + if (result != CURLE_OK) + { + infof(data, "Failed to decode OCSP CertID in the cache. Ignored: %s", + curl_easy_strerror(result)); + return NULL; + } + /* keep the original pointer as it will be updated in d2i function */ + ocsp_certid_der_org = ocsp_certid_der; + + target_certid = d2i_OCSP_CERTID( + NULL, (const unsigned char**)&ocsp_certid_der, (long)ocs_certid_der_len); + + curl_free(ocsp_certid_der_org); + + if (target_certid == NULL) + { + infof(data, "Failed to decode OCSP CertID."); + return NULL; + } + return target_certid; +} + +/** + * Decode OCSP Response from Base 64 string + * @param src a base64 string + * @param data curl handle + * @return OCSP_RESPONSE or NULL + */ +OCSP_RESPONSE * decodeOCSPResponseFromBase64(char* src, struct Curl_easy *data) +{ + OCSP_RESPONSE *resp = NULL; + unsigned char *ocsp_response_der; + unsigned char *ocsp_response_der_org; + size_t ocsp_response_der_len; + CURLcode result; + + if (src == NULL) + { + infof(data, "Base64 input is NULL for decoding OCSP Response"); + return NULL; + } + result = Curl_base64_decode(src, + &ocsp_response_der, &ocsp_response_der_len); + if (result) + { + infof(data, "Failed to decode OCSP response from base64 string: %s", + curl_easy_strerror(result)); + return NULL; + } + /* keep the original pointer as it will be updated in d2i function */ + ocsp_response_der_org = ocsp_response_der; + + resp = d2i_OCSP_RESPONSE(NULL, (const unsigned char **) &ocsp_response_der, + (long) ocsp_response_der_len); + curl_free(ocsp_response_der_org); + if (resp == NULL) + { + infof(data, "Failed to decode OCSP response cache from der format"); + return NULL; + } + return resp; +} + + + +/** + * Validate OCSP Response time validity + */ + +static SF_OCSP_STATUS checkResponseTimeValidity(OCSP_RESPONSE *resp, struct Curl_easy *data, SF_OTD *ocsp_log_data) +{ + int i; + SF_OCSP_STATUS ret_val = INVALID; + OCSP_BASICRESP *br = NULL; + + br = OCSP_response_get1_basic(resp); + if (br == NULL) + { + failf(data, "Failed to get OCSP response basic from cache"); + sf_otd_set_event_sub_type(OCSP_RESPONSE_CACHE_ENTRY_LOAD_FAILED, ocsp_log_data); + goto end; + } + + for (i = 0; i < OCSP_resp_count(br); i++) + { + int crl_reason; + int psec, pday; + long skewInSec = 900L; + + OCSP_SINGLERESP *single = NULL; + + ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd; + + single = OCSP_resp_get0(br, i); + if(!single) + continue; + + OCSP_single_get0_status(single, &crl_reason, &rev, + &thisupd, &nextupd); + + + if (ASN1_TIME_diff(&pday, &psec, thisupd, nextupd)) + { + /* + * Allow leeway = 1% of the difference of OCSP response validity + * validity = 1% (actual validity of OCSP Response) + */ + long validity = (pday*24*60*60 + psec)/100; + skewInSec = validity > skewInSec ? validity : skewInSec; + infof(data, "Diff between thisupd and nextupd " + "day: %d, sec: %d, Tolerant skew: %d", pday, psec, + skewInSec); + } + else + { + failf(data, "Invalid structure of ASN1_GENERALIZEDTIME"); + goto end; + } + /* + * Consider the OCSP response' time range to be valid if it lies + * in the following range - [thisupd-validity, nextupd+validity] + */ + if(!OCSP_check_validity(thisupd, nextupd, skewInSec, -1L)) + { + failf(data, "OCSP response has expired"); + sf_otd_set_event_sub_type(OCSP_RESPONSE_FROM_CACHE_EXPIRED, ocsp_log_data); + goto end; + } + } + + ret_val = VALID; + + end: + OCSP_BASICRESP_free(br); + return ret_val; +} + + +/** + * Extract OCSP Response from the cache value. + * + * Must mutex protected as it may delete the existing element if the last + * query time is older than 24 hours. + * + * @param cache_value a cache value to update + * @param data curl handle + * @return OCSP_RESPONSE + */ +OCSP_RESPONSE* extractOCSPRespFromValue(cJSON *cache_value, struct Curl_easy *data, + SF_OTD *ocsp_log_data) +{ + long last_query_time_l = 0L; + cJSON * resp_bas64_j = NULL; + cJSON * last_query_time = NULL; + OCSP_RESPONSE *resp = NULL; + + if (cache_value == NULL || !cJSON_IsArray(cache_value)) + { + infof(data, "OCSP Cache value is invalid"); + goto end; + } + + /* First item is the timestamp when the cache entry was created. */ + last_query_time = cJSON_GetArrayItem(cache_value, 0); + if (!cJSON_IsNumber(last_query_time)) + { + infof(data, "OCSP Cache Last query time is invalid"); + cJSON_DeleteItemFromObjectCaseSensitive(ocsp_cache_root, + cache_value->string); + goto end; + } + + last_query_time_l = (long)last_query_time->valuedouble; + + /* valid for 120 hours */ + if ((unsigned long)time(NULL) - last_query_time_l >= 24*60*60*5) + { + infof(data, "OCSP Response Cache Expired"); + goto end; + } + + /* Second item is the actual OCSP response data */ + resp_bas64_j = cJSON_GetArrayItem(cache_value, 1); + if (!cJSON_IsString(resp_bas64_j) || resp_bas64_j->valuestring == NULL) + { + infof(data, "OCSP Response cache is invalid. Deleting it from the cache."); + cJSON_DeleteItemFromObjectCaseSensitive(ocsp_cache_root, + cache_value->string); + goto end; + } + + /* decode OCSP Response from base64 string */ + resp = decodeOCSPResponseFromBase64(resp_bas64_j->valuestring, data); + if (checkResponseTimeValidity(resp, data, ocsp_log_data) == INVALID) + { + resp = NULL; + } + end: + return resp; +} + +/** + * Find OCSP Response in memory cache. + * @param certid OCSP CertID + * @param data curl handle + * @return OCSP Response if success otherwise NULL + */ +OCSP_RESPONSE * findOCSPRespInMem(OCSP_CERTID *certid, struct Curl_easy *data, SF_OTD *ocsp_log_data) +{ + /* calculate certid */ + OCSP_RESPONSE *resp = NULL; + cJSON *found = NULL; + + _mutex_lock(&ocsp_response_cache_mutex); + found = getCacheEntry(certid, data); + if (!found) + { + infof(data, "OCSP Response not found in the cache"); + goto end; + } + resp = extractOCSPRespFromValue(found, data, ocsp_log_data); + if (resp) + { + /* NOTE encode to base64 only for logging */ + char* cert_id_encode = encodeOCSPCertIDToBase64(certid, data); + infof(data, "OCSP Response Cache found!!!: %s", cert_id_encode); + if (cert_id_encode) curl_free(cert_id_encode); + } +end: + _mutex_unlock(&ocsp_response_cache_mutex); + return resp; +} + +/** + * Get the cache entry for the CertID. + * + * @param certid OCSP CertID + * @param data curl handle + * @return cJSON cache entry if found otherwise NULL + */ +cJSON *getCacheEntry(OCSP_CERTID* certid, struct Curl_easy *data) +{ + cJSON *ret = NULL; + cJSON *element_pointer = NULL; + + if (ocsp_cache_root == NULL) + { + ocsp_cache_root = cJSON_CreateObject(); + } + + cJSON_ArrayForEach(element_pointer, ocsp_cache_root) + { + int cmp = 0; + OCSP_CERTID *target_certid = decodeOCSPCertIDFromBase64( + element_pointer->string, data); + + if (target_certid == NULL) + { + infof(data, "Failed to decode OCSP CertID in the cache."); + continue; + } + cmp = OCSP_id_cmp(target_certid, certid); + OCSP_CERTID_free(target_certid); + if (cmp == 0) + { + ret = element_pointer; + break; + } + } + return ret; +} + +/** + * Delete a Cache entry for Cert ID + * @param certid OCSP_CERTID + * @param data curl handle + */ +void deleteCacheEntry(OCSP_CERTID* certid, struct Curl_easy *data) +{ + cJSON *found = NULL; + + _mutex_lock(&ocsp_response_cache_mutex); + found = getCacheEntry(certid, data); + if (found) + { + cJSON_DeleteItemFromObject(ocsp_cache_root, found->string); + } + _mutex_unlock(&ocsp_response_cache_mutex); +} + +/** + * Update OCSP cache with the cJSON data + * @param tmp_cache a cJSON data + * @param data curl handle + */ +void updateCacheWithBulkEntries(cJSON* tmp_cache, struct Curl_easy *data) +{ + cJSON *element_pointer = NULL; + cJSON *found = NULL; + cJSON *new_value = NULL; + + /* Detect the existing elements */ + cJSON_ArrayForEach(element_pointer, tmp_cache) + { + OCSP_CERTID *cert_id = decodeOCSPCertIDFromBase64( + element_pointer->string, data); + if (cert_id == NULL) + { + infof(data, "CertID is NULL"); + continue; + } + found = getCacheEntry(cert_id, data); + OCSP_CERTID_free(cert_id); + new_value = cJSON_Duplicate(element_pointer, 1); + if (found != NULL) + { + cJSON_DeleteItemFromObject(ocsp_cache_root, found->string); + } + cJSON_AddItemToObject(ocsp_cache_root, element_pointer->string, new_value); + } +} + +/** + * Download a OCSP cache content from OCSP cache server. + * @param data curl handle + */ +void downloadOCSPCache(struct Curl_easy *data, SF_OTD *ocsp_log_data) +{ + struct curl_memory_write ocsp_response_cache_json_mem; + CURL *curlh = NULL; + struct curl_slist *headers = NULL; + cJSON *tmp_cache = NULL; + CURLcode res = CURLE_OK; + + int sf_timeout = OCSP_CACHE_SERVER_CONNECTION_TIMEOUT; + int test_timeout = OCSP_CACHE_SERVER_CONNECTION_TIMEOUT; + + ocsp_response_cache_json_mem.memory_ptr = malloc(1); /* will be grown as needed by the realloc above */ + ocsp_response_cache_json_mem.size = 0; + + + /* allocate another curl handle for ocsp checking */ + curlh = curl_easy_init(); + if (!curlh) + { + failf(data, "Failed to initialize curl to download OCSP cache."); + sf_otd_set_event_sub_type(OCSP_RESPONSE_CURL_FAILURE, ocsp_log_data); + goto end; + } + + headers = curl_slist_append(headers, "Content-Type:application/json"); + + if (getTestStatus(SF_OCSP_TEST_MODE)) + { + printTestWarning(data); + if ((test_timeout = getTestStatus(SF_TEST_OCSP_CACHE_SERVER_CONNECTION_TIMEOUT))) + { + failf(data, "Forced Failure - REVOKED OCSP Status."); + sf_timeout = test_timeout; + } + } + + curl_easy_setopt(curlh, CURLOPT_NOPROGRESS, 1L); + curl_easy_setopt(curlh, CURLOPT_NOSIGNAL, 1); + curl_easy_setopt(curlh, CURLOPT_TIMEOUT, sf_timeout); + curl_easy_setopt(curlh, CURLOPT_URL, ocsp_cache_server_url); + /* empty means use all of builtin supported encodings */ + curl_easy_setopt(curlh, CURLOPT_ACCEPT_ENCODING, ""); + curl_easy_setopt(curlh, CURLOPT_HTTPHEADER, headers); + curl_easy_setopt(curlh, CURLOPT_WRITEFUNCTION, write_callback); + curl_easy_setopt(curlh, CURLOPT_WRITEDATA, &ocsp_response_cache_json_mem); + + // copy proxy settings from original curl handle if it's set + curl_easy_setopt(curlh, CURLOPT_PROXY, data->set.str[STRING_PROXY]); + curl_easy_setopt(curlh, CURLOPT_PROXYPORT, data->set.proxyport); + if (data->set.str[STRING_PROXYUSERNAME] || data->set.str[STRING_PROXYPASSWORD]) + { + curl_easy_setopt(curlh, CURLOPT_PROXYUSERNAME, data->set.str[STRING_PROXYUSERNAME]); + curl_easy_setopt(curlh, CURLOPT_PROXYPASSWORD, data->set.str[STRING_PROXYPASSWORD]); + } + curl_easy_setopt(curlh, CURLOPT_NOPROXY, data->set.str[STRING_NOPROXY]); + + res = CURLE_OK; + + res = curl_easy_perform(curlh); + if (res == CURLE_OK) + { + long response_code; + curl_easy_getinfo(curlh, CURLINFO_RESPONSE_CODE, &response_code); + if (response_code >= 200 && response_code < 300) + { + /* Success */ + infof(data, "OCSP Cache Download request returned with http status code 2XX"); + infof(data, "Successfully downloaded OCSP Cache."); + } + else if (response_code < 200 || response_code >= 300 ) + { + failf(data, "OCSP cache download request failed with non-200 level code: %d, OCSP Cache Could not be downloaded", + response_code); + sf_otd_set_event_sub_type(OCSP_RESPONSE_CACHE_DOWNLOAD_FAILED, ocsp_log_data); + goto end; + } + } + else + { + failf(data, "CURL Response code is not CURLE_OK."); + sf_otd_set_event_sub_type(OCSP_RESPONSE_CURL_FAILURE, ocsp_log_data); + goto end; + } + + _mutex_lock(&ocsp_response_cache_mutex); + if (ocsp_cache_root == NULL) + { + ocsp_cache_root = cJSON_CreateObject(); + } + tmp_cache = cJSON_Parse(ocsp_response_cache_json_mem.memory_ptr); + + /* update OCSP cache with the downloaded cache */ + updateCacheWithBulkEntries(tmp_cache, data); + infof(data, "Number of cache entries: %d", + cJSON_GetArraySize(ocsp_cache_root)); + + _mutex_unlock(&ocsp_response_cache_mutex); +end: + if (tmp_cache) cJSON_Delete(tmp_cache); + if (curlh) curl_easy_cleanup(curlh); + if (headers) curl_slist_free_all(headers); + + free(ocsp_response_cache_json_mem.memory_ptr); +} + +/** + * Find OCSP Response in local cache first. If not found, go to OCSP server to + * get the response. + + * @param cert subject certificate + * @param issuer issuer certificate + * @param data curl connection data + * @return OCSP response + */ +OCSP_RESPONSE * getOCSPResponse(X509 *cert, X509 *issuer, + struct connectdata *conn, + struct Curl_easy *data, + SF_FAILOPEN_STATUS ocsp_fail_open, + SF_OTD *ocsp_log_data) +{ + int i; + bool ocsp_url_missing = true; + bool ocsp_url_invalid = true; + OCSP_RESPONSE *resp = NULL; + OCSP_REQUEST *req = NULL; + OCSP_CERTID *certid = NULL; + STACK_OF(OPENSSL_STRING) *ocsp_list = NULL; + const EVP_MD *cert_id_md = EVP_sha1(); + + /* get certid first */ + certid = OCSP_cert_to_id(cert_id_md, cert, issuer); + resp = findOCSPRespInMem(certid, data, ocsp_log_data); + if (resp != NULL) + { + sf_otd_set_cache_hit(1, ocsp_log_data); + infof(data, "OCSP Entry found in cache"); + goto end; /* found OCSP response in cache */ + } + + if (ocsp_cache_server_enabled) + { + sf_otd_set_cache_enabled(1, ocsp_log_data); + /* download OCSP Cache from the server*/ + downloadOCSPCache(data, ocsp_log_data); + + /* try hitting cache again */ + resp = findOCSPRespInMem(certid, data, ocsp_log_data); + if (resp != NULL) + { + sf_otd_set_cache_hit(1, ocsp_log_data); + infof(data, "OCSP entry found in cache after fresh cache download"); + goto end; /* found OCSP response in cache */ + } + } + else + { + sf_otd_set_cache_enabled(0, ocsp_log_data); + infof(data, "OCSP Cache Server is disabled"); + ocsp_log_data->cache_enabled = 0; + } + + sf_otd_set_cache_hit(0, ocsp_log_data); + if (!prepareRequest(&req, certid, data)) + { + sf_otd_set_event_sub_type(OCSP_REQUEST_CREATION_FAILURE, ocsp_log_data); + goto end; /* failed to prepare request */ + } + + /* loop through OCSP urls */ + ocsp_list = X509_get1_ocsp(cert); + for (i = 0; i < sk_OPENSSL_STRING_num(ocsp_list); i++) + { + int use_ssl; + int url_parse_result; + char *host = NULL, *port = NULL, *path = NULL; + + char *ocsp_url = sk_OPENSSL_STRING_value(ocsp_list, i); + if (ocsp_url == NULL) + { + failf(data, "OCSP Validation URL is not present"); + /* + * Try the next OCSP Server in ocsp_list, if present. + */ + continue; + } + ocsp_url_missing = false; + infof(data, "OCSP Validation URL: %s", ocsp_url); + strncpy(ocsp_log_data->ocsp_responder_url, ocsp_url, sizeof(ocsp_log_data->ocsp_responder_url)); + url_parse_result = OCSP_parse_url( + ocsp_url, &host, &port, &path, &use_ssl); + if (!url_parse_result) + { + failf(data, "Invalid OCSP Validation URL: %s", ocsp_url); + /* try the next OCSP server if available. Usually only one OCSP server + * is attached, so it is unlikely the second OCSP server is used, but + * in theory it could, so it let try. */ + continue; + } + + ocsp_url_invalid = false; + resp = queryResponderUsingCurl(ocsp_url, certid, conn->host.name, req, data, ocsp_fail_open, ocsp_log_data); + /* update local cache */ + OPENSSL_free(host); + OPENSSL_free(path); + OPENSSL_free(port); + + updateOCSPResponseInMem(certid, resp, data); + break; /* good if any OCSP server works */ + } + + if(ocsp_url_missing || ocsp_url_invalid) + { + sf_otd_set_event_sub_type(OCSP_URL_MISSING_OR_INVALID, ocsp_log_data); + } + +end: + if (ocsp_list) X509_email_free(ocsp_list); + /* when ocsp certid is found in mem, which means that no OCSP_REQUEST object + will be created, so needs to explicitly freed certid. Otherwise, certid + will be freed along with the deallocation of OCSP_REQUEST object */ + if (!req && certid) OCSP_CERTID_free(certid); + /* https://www.openssl.org/docs/man1.1.0/crypto/OCSP_request_add0_id.html + * certid must NOT be freed here */ + if (req) OCSP_REQUEST_free(req); + return resp; +} + + +static void printOCSPFailOpenWarning(SF_OTD *ocsp_log, struct Curl_easy *data, bool oob_enable) +{ + char *ocsp_log_data = NULL; + ocsp_log_data = generateOCSPTelemetryData(ocsp_log); + infof(data, "WARNING!!! Using fail-open to connect. Driver is connecting to an " + "HTTPS endpoint without OCSP based Certificate Revocation checking " + "as it could not obtain a valid OCSP Response to use from the CA OCSP " + "responder. Details:%s",ocsp_log_data); + if (ocsp_log_data) + { + if (oob_enable) + { + sendOOBevent(ocsp_log_data); + } + if(ocsp_log_data) cJSON_free(ocsp_log_data); + } +} + +static char * generateOCSPTelemetryData(SF_OTD *ocsp_log) +{ + char *oobevent; + if (!ocsp_log) { + return NULL; + } + setOOBeventdata(OOBEVENTNAME, "OCSPException", 0); + setOOBeventdata(URGENCY, NULL, 1); + oobevent = prepareOOBevent(ocsp_log); + clearOSCPLogData(ocsp_log); + return oobevent; +} + +static void clearOSCPLogData(SF_OTD *ocsp_log) +{ + if (!ocsp_log) { + return; + } + ocsp_log->event_type[0] = '\0'; + ocsp_log->event_sub_type[0] = '\0'; + ocsp_log->sfc_peer_host[0] = '\0'; + ocsp_log->cert_id[0] = '\0'; + ocsp_log->ocsp_req_b64[0] = '\0'; + ocsp_log->ocsp_responder_url[0] = '\0'; + ocsp_log->error_msg[0] = '\0'; +} +/** + * Check one certificate + * @param cert subject certificate + * @param issuer issuer certificate + * @param ch certificate chain + * @param st CA certificates + * @param conn curl connection data + * @return curl return code + */ +CURLcode checkOneCert(X509 *cert, X509 *issuer, + STACK_OF(X509) *ch, X509_STORE *st, + SF_FAILOPEN_STATUS ocsp_fail_open, + struct connectdata *conn, + struct Curl_easy *data, + SF_OTD *ocsp_log_data, + bool oob_enable) +{ + CURLcode result; + SF_CERT_STATUS sf_cert_status = CERT_STATUS_INVALID; +#define MAX_CERT_NAME_LEN 100 + char X509_cert_name[MAX_CERT_NAME_LEN + 1]; + int retry_count = 0; + OCSP_RESPONSE *resp = NULL; + const EVP_MD *cert_id_md = EVP_sha1(); + + char *ocsp_log_str = NULL; + + + while(retry_count < MAX_RETRY) + { + OCSP_CERTID *certid = NULL; + int ocsp_status = 0; + resp = getOCSPResponse(cert, issuer, conn, data, ocsp_fail_open, ocsp_log_data); + infof(data, "Starting checking cert for %s...", + X509_NAME_oneline(X509_get_subject_name(cert), X509_cert_name, + MAX_CERT_NAME_LEN)); + if (!resp) + { + failf(data, "Unable to get OCSP response"); + if (retry_count == MAX_RETRY - 1) + { + sf_otd_set_event_sub_type(OCSP_RESPONSE_FETCH_FAILURE, ocsp_log_data); + } + sf_cert_status = CERT_STATUS_INVALID; + ++retry_count; + continue; + } + + ocsp_status = OCSP_response_status(resp); + if (ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) + { + failf(data, "Invalid OCSP response status: %s (%d)", + OCSP_response_status_str(ocsp_status), ocsp_status); + if (retry_count == MAX_RETRY - 1) + { + sf_otd_set_event_sub_type(OCSP_RESPONSE_STATUS_UNSUCCESSFUL, ocsp_log_data); + } + sf_cert_status = CERT_STATUS_UNAVAILABLE; + if (resp) OCSP_RESPONSE_free(resp); + resp = NULL; + ++retry_count; + continue; + } + + sf_cert_status = checkResponse(resp, ch, st, data, ocsp_log_data); + + if (sf_cert_status == CERT_STATUS_GOOD) + { + result = CURLE_OK; + break; + } + else if (sf_cert_status == CERT_STATUS_REVOKED) + { + sf_otd_set_event_sub_type(OCSP_RESPONSE_CERT_STATUS_REVOKED, ocsp_log_data); + break; + } + + /* delete the cache if the validation failed. */ + certid = OCSP_cert_to_id(cert_id_md, cert, issuer); + deleteCacheEntry(certid, data); + OCSP_CERTID_free(certid); + + /* retry */ + ++retry_count; + } + + if (sf_cert_status != CERT_STATUS_GOOD) + { + /* delete the cache if OCSP revocation check fails */ + OCSP_CERTID *certid = NULL; + + /* remove the entry from cache */ + certid = OCSP_cert_to_id(cert_id_md, cert, issuer); + deleteCacheEntry(certid, data); + OCSP_CERTID_free(certid); + + if (sf_cert_status == CERT_STATUS_UNAVAILABLE) + { + sf_otd_set_error_msg("OCSP Response Unavailable", ocsp_log_data); + sf_otd_set_event_type("RevocationCheckFailure", ocsp_log_data); + sf_otd_set_event_sub_type(OCSP_RESPONSE_CERT_STATUS_UNAVAILABLE, ocsp_log_data); + } + else if (sf_cert_status == CERT_STATUS_UNKNOWN) + { + sf_otd_set_error_msg("OCSP Response Unknown", ocsp_log_data); + sf_otd_set_event_type("RevocationCheckFailure", ocsp_log_data); + sf_otd_set_event_sub_type(OCSP_RESPONSE_CERT_STATUS_UNKNOWN, ocsp_log_data); + } + else if (sf_cert_status == CERT_STATUS_INVALID) + { + sf_otd_set_error_msg("OCSP Response is Invalid", ocsp_log_data); + sf_otd_set_event_type("RevocationCheckFailure", ocsp_log_data); + sf_otd_set_event_sub_type(OCSP_RESPONSE_CERT_STATUS_INVALID, ocsp_log_data); + } + + if (ocsp_fail_open == ENABLED && sf_cert_status != CERT_STATUS_REVOKED) + { + sf_otd_set_fail_open_mode(1, ocsp_log_data); + printOCSPFailOpenWarning(ocsp_log_data, data, oob_enable); + result = CURLE_OK; + } + else + { + sf_otd_set_fail_open_mode(0, ocsp_log_data); + result = CURLE_SSL_INVALIDCERTSTATUS; + ocsp_log_str = generateOCSPTelemetryData(ocsp_log_data); + if (ocsp_log_str) + { + if (oob_enable) + { + sendOOBevent(ocsp_log_str); + } + infof(data, ocsp_log_str); + if(ocsp_log_str) cJSON_free(ocsp_log_str); + } + } + } + if (resp) OCSP_RESPONSE_free(resp); + return result; +} + +/** + * Make a directory if not exists + * @param dir a directory to create + * @param data curl handle + * @return directory name if success otherwise NULL + */ +char* mkdirIfNotExists(char* dir, struct Curl_easy *data) +{ +#ifdef _WIN32 + int result = _mkdir(dir); +#else + int result = mkdir(dir, 0755); +#endif + if (result != 0) + { + if (errno != EEXIST) + { + failf(data, "Failed to create %s directory. Ignored. Error: %d", + dir, errno); + return NULL; + + } + infof(data, "Already exists %s directory.", dir); + } + else + { + infof(data, "Created %s directory.", dir); + } + return dir; +} + +/** + * Ensure th cache directory is accessible + * @param cache_dir cache directory + * @param data curl handle + * @return cache directory name or NULL + */ +char* ensureCacheDir(char* cache_dir, struct Curl_easy *data) +{ +#ifdef __linux__ + char *home_env = getenv("HOME"); + strcpy(cache_dir, (home_env == NULL ? (char*)"/tmp" : home_env)); + + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "/.cache"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "/snowflake"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } +#elif defined(__APPLE__) + char *home_env = getenv("HOME"); + strcpy(cache_dir, (home_env == NULL ? (char*)"/tmp" : home_env)); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "/Library"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "/Caches"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "/Snowflake"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } +#elif defined(_WIN32) + char *home_env = getenv("USERPROFILE"); + if (home_env == NULL) + { + home_env = getenv("TMP"); + if (home_env == NULL) + { + home_env = getenv("TEMP"); + } + } + strcpy(cache_dir, (home_env == NULL ? (char*)"c:\\temp" : home_env)); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "\\AppData"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "\\Local"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "\\Snowflake"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } + strcat(cache_dir, "\\Caches"); + if (mkdirIfNotExists(cache_dir, data) == NULL) + { + goto err; + } +#endif + infof(data, "OCSP cache file directory: %s", cache_dir); + return cache_dir; +err: + return NULL; +} + +/** + * Write OCSP cache onto a file in the cache directory + * @param data curl handle + */ +void writeOCSPCacheFile(struct Curl_easy* data) +{ + char cache_dir[PATH_MAX] = ""; + char cache_file[PATH_MAX] = ""; + char cache_lock_file[PATH_MAX] = ""; + FILE *fh; + FILE *fp; + char * jsonText; + + _mutex_lock(&ocsp_response_cache_mutex); + if (ocsp_cache_root == NULL) + { + infof(data, "Skipping writing OCSP cache file as no OCSP cache root exists."); + goto end; + } + + if (ensureCacheDir(cache_dir, data) == NULL) + { + failf(data, "The cache file is not accessible."); + goto end; + } + + /* cache file */ + strcpy(cache_file, cache_dir); + strcat(cache_file, PATH_SEP); + strcat(cache_file, OCSP_RESPONSE_CACHE_JSON); + infof(data, "OCSP Cache file: %s", cache_file); + + /* cache lock directory/file */ + strcpy(cache_lock_file, cache_file); + strcat(cache_lock_file, ".lck"); + + if (access(cache_lock_file, F_OK) != -1) + { + /* lck file exists */ + struct stat statbuf; + if (stat(cache_lock_file, &statbuf) != -1) + { + if ((long)time(NULL) - (long) statbuf.st_mtime < 60*60) + { + infof(data, "Other process lock the file, ignored"); + goto end; + } + else + { + infof(data, "Remove the old lock file"); + if (remove(cache_lock_file) != 0) + { + infof(data, "Failed to delete the lock file: %s, ignored", cache_lock_file); + goto end; + } + } + } + } + + /* create a new lck file */ + fh = fopen(cache_lock_file, "w"); + if (fh == NULL) + { + infof(data, "Failed to create a lock file: %s. Skipping writing OCSP cache file.", + cache_lock_file); + goto end; + } + if (fclose(fh) != 0) + { + infof(data, "Failed to close a lock file: %s. Ignored.", cache_lock_file); + goto end; + } + + fp = fopen(cache_file, "w"); + if (fp == NULL) + { + infof(data, "Failed to open OCSP response cache file. Skipping writing OCSP cache file."); + goto end; + } + jsonText = cJSON_PrintUnformatted(ocsp_cache_root); + if (fprintf(fp, "%s", jsonText) < 0) + { + infof(data, "Failed to write OCSP response cache file. Skipping"); + } + + if (fclose(fp) != 0) + { + infof(data, "Failed to close OCSP response cache file: %s. Ignored", cache_file); + } + infof(data, "Write OCSP Response to cache file"); + + /* deallocate json string */ + cJSON_free(jsonText); + + if (remove(cache_lock_file) != 0) + { + infof(data, "Failed to delete the lock file: %s, ignored", cache_lock_file); + } +end: + if (ocsp_cache_root != NULL) + { + cJSON_Delete(ocsp_cache_root); + ocsp_cache_root = NULL; + } + _mutex_unlock(&ocsp_response_cache_mutex); +} + +/** + * Read OCSP cache from from the local cache directory + * @param data curl handle + */ +void readOCSPCacheFile(struct Curl_easy* data, SF_OTD *ocsp_log_data) +{ + char cache_dir[PATH_MAX] = ""; + char cache_file[PATH_MAX] = ""; + char *ocsp_resp_cache_str = NULL; + FILE* pfile = NULL; +#ifdef _WIN32 + struct _stat statbuf; +#else + struct stat statbuf; +#endif + + _mutex_lock(&ocsp_response_cache_mutex); + + if (ensureCacheDir(cache_dir, data) == NULL) + { + infof(data, "Could not ensure the presence of Cache Directory. " + "Skipping reading cache. Driver will try to download" + "the cache from the Cache Server directly."); + sf_otd_set_event_sub_type(OCSP_CACHE_READ_FAILURE, ocsp_log_data); + goto end; + } + + /* cache file */ + strcpy(cache_file, cache_dir); + strcat(cache_file, PATH_SEP); + strcat(cache_file, OCSP_RESPONSE_CACHE_JSON); + infof(data, "OCSP cache file: %s", cache_file); + + if (ocsp_cache_root != NULL) + { + infof(data, "OCSP cache was already read onto memory"); + goto end; + } + if (access(cache_file, F_OK) == -1) + { + infof(data, "No OCSP cache file found on disk. file: %s", cache_file); + sf_otd_set_event_sub_type(OCSP_CACHE_READ_FAILURE, ocsp_log_data); + goto end; + } + + /* get file size */ +#ifdef _WIN32 + if (_stat(cache_file, &statbuf) != 0) +#else + if (stat(cache_file, &statbuf) != 0) +#endif + { + infof(data, "Failed to get cache file size. file: %s", cache_file); + sf_otd_set_event_sub_type(OCSP_CACHE_READ_FAILURE, ocsp_log_data); + goto end; + } + + /* initialize read buffer */ + ocsp_resp_cache_str = (char *)malloc(statbuf.st_size + 1); + if (ocsp_resp_cache_str == NULL) + { + infof(data, "Failed to allocate buffer for OCSP cache file. file: %s", cache_file); + sf_otd_set_event_sub_type(OCSP_CACHE_READ_FAILURE, ocsp_log_data); + goto end; + } + + pfile = fopen(cache_file, "r"); + if (pfile == NULL) + { + infof(data, "Failed to open OCSP response cache file. Ignored."); + sf_otd_set_event_sub_type(OCSP_CACHE_READ_FAILURE, ocsp_log_data); + goto end; + } + + if (fgets(ocsp_resp_cache_str, statbuf.st_size + 1, pfile) == NULL) { + infof(data, "Failed to read OCSP response cache file. Ignored"); + goto file_close; + } + /* just attached the whole JSON object */ + ocsp_cache_root = cJSON_Parse(ocsp_resp_cache_str); + if (ocsp_cache_root == NULL) + { + infof(data, "Failed to parse cache file content in json format"); + sf_otd_set_event_sub_type(OCSP_CACHE_READ_FAILURE, ocsp_log_data); + } + else + { + infof(data, "OCSP cache file was successfully loaded"); + } +file_close: + if (fclose(pfile) != 0) + { + infof(data, "Failed to close cache file. Ignored."); + goto end; + } +end: + if (ocsp_cache_root == NULL) ocsp_cache_root = cJSON_CreateObject(); + if (ocsp_resp_cache_str != NULL) free(ocsp_resp_cache_str); + _mutex_unlock(&ocsp_response_cache_mutex); + return; +} + +/** + * Initialize OCSP Cache Server + * @param data curl handle + */ +void initOCSPCacheServer(struct Curl_easy *data) +{ + char* ocsp_cache_server_enabled_env = NULL; + int ACTIVATE_SSD = checkSSDStatus(); + /* OCSP cache server URL */ + _mutex_lock(&ocsp_response_cache_mutex); + ocsp_cache_server_enabled_env = getenv( + "SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED"); + if (ocsp_cache_server_enabled_env == NULL || + strcmp(ocsp_cache_server_enabled_env, "false") != 0) + { + /* OCSP Cache server enabled by default */ + ocsp_cache_server_enabled = 1; + } + + ocsp_cache_server_url_env = getenv( + "SF_OCSP_RESPONSE_CACHE_SERVER_URL"); + + // TEST ENABLED + if (getTestStatus(SF_OCSP_TEST_MODE) == TEST_ENABLED) + { + char *test_cache_server_url = getenv("SF_TEST_OCSP_CACHE_SERVER_URL"); + printTestWarning(data); + if (test_cache_server_url) + { + failf(data, "Forced Behavior - Cache Server URL."); + snprintf(ocsp_cache_server_url, sizeof(ocsp_cache_server_url), + "%s", test_cache_server_url); + goto end; + } + } + + if (ocsp_cache_server_url_env == NULL) + { + /* default URL */ + snprintf(ocsp_cache_server_url, sizeof(ocsp_cache_server_url), + OCSP_RESPONSE_CACHE_URL, + DEFAULT_OCSP_RESPONSE_CACHE_HOST, + OCSP_RESPONSE_CACHE_JSON); + + if (!ACTIVATE_SSD) + { + strncpy(ocsp_cache_server_retry_url_pattern, + "%s/%s", sizeof(ocsp_cache_server_retry_url_pattern)); + } + else + { + /* + * Non private link customers always go to default + * retry URL for OCSP retries + */ + strncpy(ocsp_cache_server_retry_url_pattern, + OCSP_RESPONDER_RETRY_URL, + sizeof(OCSP_RESPONDER_RETRY_URL)); + } + } + else + { + // if specified, always use the special retry url + int use_ssl; + char *host = NULL, *port = NULL, *path = NULL; + strncpy(ocsp_cache_server_url, ocsp_cache_server_url_env, + sizeof(ocsp_cache_server_url)); + ocsp_cache_server_url[sizeof(ocsp_cache_server_url) - 1] = '\0'; + OCSP_parse_url( + ocsp_cache_server_url_env, &host, &port, &path, &use_ssl); + + if (!ACTIVATE_SSD) + { + snprintf(ocsp_cache_server_retry_url_pattern, + sizeof(ocsp_cache_server_retry_url_pattern), + "%s://%s:%s/retry/%%s/%%s", use_ssl ? "https" : "http", host, port); + } + else + { + snprintf(ocsp_cache_server_retry_url_pattern, + sizeof(ocsp_cache_server_retry_url_pattern), + "%s://%s:%s/retry", use_ssl ? "https" : "http", host, port); + } + + if (getTestStatus(SF_OCSP_TEST_MODE) == TEST_ENABLED) + { + char *test_cache_server_url = getenv("SF_TEST_OCSP_CACHE_SERVER_URL"); + printTestWarning(data); + if (test_cache_server_url) + { + failf(data, "Forced Behavior - Cache Server URL."); + snprintf(ocsp_cache_server_url, sizeof(ocsp_cache_server_url), + "%s", test_cache_server_url); + } + } + + OPENSSL_free(host); + OPENSSL_free(path); + OPENSSL_free(port); + } + + end: + infof(data, "SF_OCSP_RESPONSE_CACHE_SERVER_ENABLED: %s", + ocsp_cache_server_enabled ? "true" : "false"); + infof(data, "SF_OCSP_RESPONSE_CACHE_SERVER_URL: %s", + ocsp_cache_server_url); + _mutex_unlock(&ocsp_response_cache_mutex); +} + +/** + * Initialize Check OCSP revocation status method + */ +SF_PUBLIC(CURLcode) initCertOCSP() +{ + /* must call only once. not thread safe */ + _mutex_init(&ocsp_response_cache_mutex); + atexit(termCertOCSP); + return CURLE_OK; +} + +/** + * Terminate Check OCSP revocation status method + */ +static void termCertOCSP() +{ + /* terminate the mutex */ + _mutex_term(&ocsp_response_cache_mutex); +} + +/** + * Main entry point. Check OCSP revocation status. + * @param conn Curl connection + * @param ch a chain of certificates + * @param st CA trust + * @param ocsp_failopen_cnxn_param connection param setting for + * failopen. This should be a binary value - either True or False + * There is no option for this to be in a NOTSET state. + * @param oob_enable param setting for enable oob telemetry. + * @return Curl return code + */ +SF_PUBLIC(CURLcode) checkCertOCSP(struct connectdata *conn, + struct Curl_easy *data, + STACK_OF(X509) *ch, + X509_STORE *st, + int ocsp_failopen_cnxn_param, + bool oob_enable) +{ + int numcerts; + int i; + CURLcode rs = CURLE_OK; + char *ocsp_fail_open_env = getenv("SF_OCSP_FAIL_OPEN"); // Testing Only + SF_FAILOPEN_STATUS ocsp_fail_open = ENABLED; + + +// These end points are Out of band telemetry end points. +// Do not use OCSP/failsafe on Out of band telemetry endpoints + if ( (strcmp(conn->host.name, "sfctest.client-telemetry.snowflakecomputing.com") == 0 ) + || (strcmp(conn->host.name, "sfcdev.client-telemetry.snowflakecomputing.com") == 0 ) + || (strcmp(conn->host.name, "client-telemetry.snowflakecomputing.com") == 0 ) + ) { + return rs; + } + + SF_OTD ocsp_log_data; + memset(&ocsp_log_data, 0, sizeof(SF_OTD)); + + if (ocsp_fail_open_env != NULL) + { + /* + * OCSP Fail Open Env Variable is for internal usage/ testing only. + * Using it in production is not advised and not supported. + */ + if(strncmp(ocsp_fail_open_env, "false", 5) != 0) + { + ocsp_fail_open = ENABLED; + } + else + { + ocsp_fail_open = DISABLED; + } + } + else if (ocsp_failopen_cnxn_param) + { + ocsp_fail_open = ENABLED; + } + else + { + ocsp_fail_open = DISABLED; + } + + sf_otd_set_insecure_mode(0, &ocsp_log_data); + + infof(data, "Cert Data Store: %s, Certifcate Chain: %s", st, ch); + initOCSPCacheServer(data); + + infof(data, "Start SF OCSP Validation..."); + readOCSPCacheFile(data, &ocsp_log_data); + + numcerts = sk_X509_num(ch); + infof(data, "Number of certificates in the chain: %d", numcerts); + for (i =0; i < numcerts - 1; i++) + { + X509* cert = sk_X509_value(ch, i); + X509* issuer = sk_X509_value(ch, i+1); + + rs = checkOneCert(cert, issuer, ch, st, ocsp_fail_open, conn, data, &ocsp_log_data, oob_enable); + if (rs != CURLE_OK) + { + goto end; + } + } + writeOCSPCacheFile(data); +end: + infof(data, "End SF OCSP Validation... Result: %d", rs); + return rs; +} diff --git a/deps/curl-8.3.0/lib/vtls/sf_ocsp.h b/deps/curl-8.3.0/lib/vtls/sf_ocsp.h new file mode 100644 index 0000000000..5eb1d3e8a0 --- /dev/null +++ b/deps/curl-8.3.0/lib/vtls/sf_ocsp.h @@ -0,0 +1,27 @@ +/* +* Copyright (c) 2017-2019 Snowflake Computing +*/ + +#ifndef HEADER_CURL_SF_OCSP_H +#define HEADER_CURL_SF_OCSP_H + +#include "urldata.h" +#include + +#ifdef _WIN32 +#define SF_PUBLIC(type) __declspec(dllexport) type __stdcall +#else +#define SF_PUBLIC(type) type +#endif + +SF_PUBLIC(CURLcode) initCertOCSP(); +SF_PUBLIC(CURLcode) checkCertOCSP(struct connectdata *conn, + struct Curl_easy *data, + STACK_OF(X509) *ch, + X509_STORE *st, + int ocsp_failopen, + bool oob_enable); + + +#endif + diff --git a/deps/curl-8.3.0/winbuild/MakefileBuild.vc b/deps/curl-8.3.0/winbuild/MakefileBuild.vc index b6049e832f..f50d683be0 100644 --- a/deps/curl-8.3.0/winbuild/MakefileBuild.vc +++ b/deps/curl-8.3.0/winbuild/MakefileBuild.vc @@ -48,11 +48,11 @@ CC = cl.exe !IF "$(VC)"=="6" CC_NODEBUG = $(CC) /O2 /DNDEBUG CC_DEBUG = $(CC) /Od /Gm /Zi /D_DEBUG /GZ -CFLAGS = /I. /I../lib /I../include /nologo /W4 /GX /DWIN32 /YX /FD /c /DBUILDING_LIBCURL +CFLAGS = /I. /I../lib /I../include /nologo /W4 /GX /DWIN32 /YX /FD /c /DBUILDING_LIBCURL /ZH:SHA_256 !ELSE CC_NODEBUG = $(CC) /O2 /DNDEBUG CC_DEBUG = $(CC) /Od /D_DEBUG /RTC1 /Z7 /LDd -CFLAGS = /I. /I ../lib /I../include /nologo /W4 /EHsc /DWIN32 /FD /c /DBUILDING_LIBCURL +CFLAGS = /I. /I ../lib /I../include /nologo /W4 /EHsc /DWIN32 /FD /c /DBUILDING_LIBCURL /ZH:SHA_256 !ENDIF LFLAGS = /nologo /machine:$(MACHINE) @@ -69,7 +69,11 @@ LFLAGS_PDB = /incremental:no /opt:ref,icf /DEBUG CFLAGS_LIBCURL_STATIC = /DCURL_STATICLIB -WIN_LIBS = ws2_32.lib wldap32.lib advapi32.lib crypt32.lib +!IF "$(MACHINE)"=="x64" +WIN_LIBS = ws2_32.lib wldap32.lib advapi32.lib crypt32.lib ole32.lib +!ELSE +WIN_LIBS = ws2_32.lib wldap32.lib advapi32.lib crypt32.lib msvcrt.lib ole32.lib +!ENDIF BASE_NAME = libcurl BASE_NAME_DEBUG = $(BASE_NAME)_debug @@ -280,6 +284,10 @@ ZLIB = static ZLIB_CFLAGS = /DHAVE_LIBZ $(ADDITIONAL_ZLIB_CFLAGS) /I"$(ZLIB_INC_DIR)" !ENDIF +OOB_LIBS = libtelemetry_a.lib +OOBLIB = static +OOB_CFLAGS = +OOB_LFLAGS = !IFDEF SSH2_PATH SSH2_INC_DIR= $(SSH2_PATH)\include @@ -463,12 +471,15 @@ PDB = $(PDB_NAME_STATIC_DEBUG) TARGET = $(LIB_NAME_STATIC) PDB = $(PDB_NAME_STATIC) !ENDIF -LNK = $(LNKLIB) /out:$(LIB_DIROBJ)\$(TARGET) +LNK = $(LNKLIB) $(WIN_LIBS) /out:$(LIB_DIROBJ)\$(TARGET) CURL_CC = $(CURL_CC) $(CFLAGS_LIBCURL_STATIC) # AS_DLL !ENDIF +CFLAGS = $(CFLAGS) $(OOB_CFLAGS) +LFLAGS = $(LFLAGS) $(OOB_LFLAGS) $(OOB_LIBS) + !IF "$(USE_SSL)"=="true" CFLAGS = $(CFLAGS) $(SSL_CFLAGS) LFLAGS = $(LFLAGS) $(SSL_LFLAGS) $(SSL_LIBS) diff --git a/scripts/build_awssdk.bat b/scripts/build_awssdk.bat index 72d16559e4..c205649e08 100755 --- a/scripts/build_awssdk.bat +++ b/scripts/build_awssdk.bat @@ -4,7 +4,7 @@ :: @echo off set aws_src_version=1.3.50 -set aws_build_version=4 +set aws_build_version=5 set aws_version=%aws_src_version%.%aws_build_version% call %* goto :EOF diff --git a/scripts/build_awssdk.sh b/scripts/build_awssdk.sh index 25e023d4f7..89a6b8a0c2 100755 --- a/scripts/build_awssdk.sh +++ b/scripts/build_awssdk.sh @@ -13,7 +13,7 @@ function usage() { set -o pipefail AWS_SRC_VERSION=1.3.50 -AWS_BUILD_VERSION=4 +AWS_BUILD_VERSION=5 AWS_DIR=aws-sdk-cpp-$AWS_SRC_VERSION AWS_VERSION=$AWS_SRC_VERSION.$AWS_BUILD_VERSION diff --git a/scripts/build_azuresdk.bat b/scripts/build_azuresdk.bat index a04d4900f7..931ef682e0 100644 --- a/scripts/build_azuresdk.bat +++ b/scripts/build_azuresdk.bat @@ -4,7 +4,7 @@ :: @echo off set azure_src_version=0.1.20 -set azure_build_version=3 +set azure_build_version=4 set azure_version=%azure_src_version%.%azure_build_version% call %* goto :EOF diff --git a/scripts/build_azuresdk.sh b/scripts/build_azuresdk.sh index 6db362f1e4..04b83b1cc4 100755 --- a/scripts/build_azuresdk.sh +++ b/scripts/build_azuresdk.sh @@ -12,7 +12,7 @@ function usage() { set -o pipefail AZURE_SRC_VERSION=0.1.20 -AZURE_BUILD_VERSION=3 +AZURE_BUILD_VERSION=4 AZURE_DIR=azure-storage-cpplite-$AZURE_SRC_VERSION AZURE_VERSION=$AZURE_SRC_VERSION.$AZURE_BUILD_VERSION diff --git a/scripts/build_curl.bat b/scripts/build_curl.bat index 20fac89347..62d6cdd756 100644 --- a/scripts/build_curl.bat +++ b/scripts/build_curl.bat @@ -10,8 +10,8 @@ :: - vs14 / vs15 @echo off -set CURL_SRC_VERSION=8.1.2 -set CURL_BUILD_VERSION=3 +set CURL_SRC_VERSION=8.3.0 +set CURL_BUILD_VERSION=1 set CURL_VERSION=%CURL_SRC_VERSION%.%CURL_BUILD_VERSION% call %* goto :EOF diff --git a/scripts/build_curl.sh b/scripts/build_curl.sh index 008cd89db8..1f72bb610b 100755 --- a/scripts/build_curl.sh +++ b/scripts/build_curl.sh @@ -12,8 +12,8 @@ function usage() { } set -o pipefail -CURL_SRC_VERSION=8.1.2 -CURL_BUILD_VERSION=3 +CURL_SRC_VERSION=8.3.0 +CURL_BUILD_VERSION=1 CURL_DIR=$CURL_SRC_VERSION CURL_VERSION=${CURL_DIR}.${CURL_BUILD_VERSION} diff --git a/scripts/build_oob.bat b/scripts/build_oob.bat index 6cd0df74b1..02470ece78 100644 --- a/scripts/build_oob.bat +++ b/scripts/build_oob.bat @@ -3,7 +3,7 @@ :: @echo off set OOB_SRC_VERSION=1.0.4 -set OOB_BUILD_VERSION=3 +set OOB_BUILD_VERSION=4 set OOB_VERSION=%OOB_SRC_VERSION%.%OOB_BUILD_VERSION% call %* goto :EOF @@ -23,7 +23,7 @@ set dynamic_runtime=%4 set scriptdir=%~dp0 -set CURL_VERSION=8.1.2 +set CURL_VERSION=8.3.0 call "%scriptdir%\_init.bat" %platform% %build_type% %vs_version% if %ERRORLEVEL% NEQ 0 goto :error diff --git a/scripts/build_oob.sh b/scripts/build_oob.sh index e9dfb0bfd0..04a72e2e39 100755 --- a/scripts/build_oob.sh +++ b/scripts/build_oob.sh @@ -12,9 +12,9 @@ function usage() { set -o pipefail OOB_SRC_VERSION=1.0.4 -OOB_BUILD_VERSION=3 +OOB_BUILD_VERSION=4 OOB_VERSION=$OOB_SRC_VERSION.$OOB_BUILD_VERSION -CURL_VERSION=8.1.2 +CURL_VERSION=8.3.0 UUID_VERSION=2.39.0 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" diff --git a/scripts/build_openssl.bat b/scripts/build_openssl.bat index 284566a267..a9686dc229 100644 --- a/scripts/build_openssl.bat +++ b/scripts/build_openssl.bat @@ -10,7 +10,7 @@ :: - vs14 / vs15 @echo off -set OPENSSL_SRC_VERSION=3.0.9 +set OPENSSL_SRC_VERSION=3.0.11 set OPENSSL_BUILD_VERSION=1 set OPENSSL_VERSION=%OPENSSL_SRC_VERSION%.%OPENSSL_BUILD_VERSION% call %* diff --git a/scripts/build_openssl.sh b/scripts/build_openssl.sh index 4bed4a3197..1b094e0932 100755 --- a/scripts/build_openssl.sh +++ b/scripts/build_openssl.sh @@ -12,7 +12,7 @@ function usage() { } set -o pipefail -OPENSSL_SRC_VERSION=3.0.9 +OPENSSL_SRC_VERSION=3.0.11 OPENSSL_BUILD_VERSION=1 OPENSSL_VERSION=$OPENSSL_SRC_VERSION.$OPENSSL_BUILD_VERSION