moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00
Code Issues Releases Wiki Activity

HTTPS-proxy: fixed mbedtls and polishing

Browse Source
This commit is contained in:
Okhin Vasilij 2016-11-21 17:01:25 +07:00 committed by Daniel Stenberg
parent 49765cd75c
commit c6da05a5ec
30 changed files with 159 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLINFO_PROXY_SSL_VERIFYRESULT 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_getinfo options"
.TH CURLINFO_PROXY_SSL_VERIFYRESULT 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_getinfo options"
.SH NAME
CURLINFO_PROXY_SSL_VERIFYRESULT \- get the result of the proxy certification verification
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_CAINFO 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_CAINFO 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_CAINFO \- path to proxy Certificate Authority (CA) bundle
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_CAPATH 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_CAPATH 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_CAPATH \- specify directory holding proxy CA certificates
.SH SYNOPSIS

4
docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_CRLFILE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_CRLFILE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_CRLFILE \- specify a proxy Certificate Revocation List file
.SH SYNOPSIS
@ -52,8 +52,6 @@ NULL
All TLS-based protocols
.SH EXAMPLE
TODO
.SH AVAILABILITY
Added in 7.51.1
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or
CURLE_OUT_OF_MEMORY if there was insufficient heap space.

2
docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_KEYPASSWD 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_KEYPASSWD 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_KEYPASSWD \- set passphrase to proxy private key
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSLCERT 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSLCERT 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLCERT \- set SSL proxy client certificate
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSLCERTTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSLCERTTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLCERTTYPE \- specify type of the proxy client SSL certificate
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSLKEY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSLKEY 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLKEY \- specify private keyfile for TLS and SSL proxy client cert
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSLKEYTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSLKEYTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLKEYTYPE \- set type of the proxy private key file
.SH SYNOPSIS

4
docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSLVERSION 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSLVERSION 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSLVERSION \- set proxy preferred TLS/SSL version
.SH SYNOPSIS
@ -50,7 +50,7 @@ TLSv1.1 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_2
TLSv1.2 (Added in 7.34.0)
.IP CURL_SSLVERSION_TLSv1_3
TLSv1.3 (Added in 7.51.1)
TLSv1.3 (Added in 7.52.0)
.RE
.SH DEFAULT
CURL_SSLVERSION_DEFAULT

2
docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSL_CIPHER_LIST 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSL_CIPHER_LIST 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSL_CIPHER_LIST \- specify ciphers to use for proxy TLS
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSL_OPTIONS 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSL_OPTIONS 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSL_OPTIONS \- set proxy SSL behavior options
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSL_VERIFYHOST 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSL_VERIFYHOST 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSL_VERIFYHOST \- verify the proxy certificate's name against host
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_SSL_VERIFYPEER 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_SSL_VERIFYPEER 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_SSL_VERIFYPEER \- verify the proxy peer's SSL certificate
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_TLSAUTH_PASSWORD 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_TLSAUTH_PASSWORD 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_TLSAUTH_PASSWORD \- password to use for proxy TLS authentication
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_TLSAUTH_TYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_TLSAUTH_TYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_TLSAUTH_TYPE \- set proxy TLS authentication methods
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_PROXY_TLSAUTH_USERNAME 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_PROXY_TLSAUTH_USERNAME 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_PROXY_TLSAUTH_USERNAME \- user name to use for proxy TLS authentication
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_SOCKS_PROXY \- set socks proxy to use
.SH SYNOPSIS

2
docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3
View File

@ -20,7 +20,7 @@
.\" *
.\" **************************************************************************
.\"
.TH CURLOPT_SOCKS_PROXYTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options"
.TH CURLOPT_SOCKS_PROXYTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options"
.SH NAME
CURLOPT_SOCKS_PROXYTYPE \- socks proxy protocol type
.SH SYNOPSIS

40
docs/libcurl/symbols-in-versions
View File

@ -240,7 +240,7 @@ CURLINFO_PRIMARY_IP 7.19.0
CURLINFO_PRIMARY_PORT 7.21.0
CURLINFO_PRIVATE 7.10.3
CURLINFO_PROXYAUTH_AVAIL 7.10.8
CURLINFO_PROXY_SSL_VERIFYRESULT 7.51.1
CURLINFO_PROXY_SSL_VERIFYRESULT 7.52.0
CURLINFO_REDIRECT_COUNT 7.9.7
CURLINFO_REDIRECT_TIME 7.9.7
CURLINFO_REDIRECT_URL 7.18.2
@ -469,23 +469,23 @@ CURLOPT_PROXYPORT 7.1
CURLOPT_PROXYTYPE 7.10
CURLOPT_PROXYUSERNAME 7.19.1
CURLOPT_PROXYUSERPWD 7.1
CURLOPT_PROXY_CAINFO 7.51.1
CURLOPT_PROXY_CAPATH 7.51.1
CURLOPT_PROXY_CRLFILE 7.51.1
CURLOPT_PROXY_KEYPASSWD 7.51.1
CURLOPT_PROXY_CAINFO 7.52.0
CURLOPT_PROXY_CAPATH 7.52.0
CURLOPT_PROXY_CRLFILE 7.52.0
CURLOPT_PROXY_KEYPASSWD 7.52.0
CURLOPT_PROXY_SERVICE_NAME 7.43.0
CURLOPT_PROXY_SSLCERT 7.51.1
CURLOPT_PROXY_SSLCERTTYPE 7.51.1
CURLOPT_PROXY_SSLKEY 7.51.1
CURLOPT_PROXY_SSLKEYTYPE 7.51.1
CURLOPT_PROXY_SSLVERSION 7.51.1
CURLOPT_PROXY_SSL_CIPHER_LIST 7.51.1
CURLOPT_PROXY_SSL_OPTIONS 7.51.1
CURLOPT_PROXY_SSL_VERIFYHOST 7.51.1
CURLOPT_PROXY_SSL_VERIFYPEER 7.51.1
CURLOPT_PROXY_TLSAUTH_PASSWORD 7.51.1
CURLOPT_PROXY_TLSAUTH_TYPE 7.51.1
CURLOPT_PROXY_TLSAUTH_USERNAME 7.51.1
CURLOPT_PROXY_SSLCERT 7.52.0
CURLOPT_PROXY_SSLCERTTYPE 7.52.0
CURLOPT_PROXY_SSLKEY 7.52.0
CURLOPT_PROXY_SSLKEYTYPE 7.52.0
CURLOPT_PROXY_SSLVERSION 7.52.0
CURLOPT_PROXY_SSL_CIPHER_LIST 7.52.0
CURLOPT_PROXY_SSL_OPTIONS 7.52.0
CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0
CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0
CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0
CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0
CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0
CURLOPT_PROXY_TRANSFER_MODE 7.18.0
CURLOPT_PUT 7.1
CURLOPT_QUOTE 7.1
@ -515,8 +515,8 @@ CURLOPT_SOCKOPTDATA 7.16.0
CURLOPT_SOCKOPTFUNCTION 7.16.0
CURLOPT_SOCKS5_GSSAPI_NEC 7.19.4
CURLOPT_SOCKS5_GSSAPI_SERVICE 7.19.4 7.49.0
CURLOPT_SOCKS_PROXY 7.51.1
CURLOPT_SOCKS_PROXYTYPE 7.51.1
CURLOPT_SOCKS_PROXY 7.52.0
CURLOPT_SOCKS_PROXYTYPE 7.52.0
CURLOPT_SOURCE_HOST 7.12.1 - 7.15.5
CURLOPT_SOURCE_PATH 7.12.1 - 7.15.5
CURLOPT_SOURCE_PORT 7.12.1 - 7.15.5
@ -630,7 +630,7 @@ CURLPROTO_TELNET 7.19.4
CURLPROTO_TFTP 7.19.4
CURLPROXY_HTTP 7.10
CURLPROXY_HTTP_1_0 7.19.4
CURLPROXY_HTTPS 7.51.1
CURLPROXY_HTTPS 7.52.0
CURLPROXY_SOCKS4 7.10
CURLPROXY_SOCKS4A 7.18.0
CURLPROXY_SOCKS5 7.10

14
lib/curl_sasl.c
View File

@ -262,6 +262,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
size_t len = 0;
saslstate state1 = SASL_STOP;
saslstate state2 = SASL_FINAL;
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#if defined(USE_KERBEROS5)
const char* service = data->set.str[STRING_SERVICE_NAME] ?
data->set.str[STRING_SERVICE_NAME] :
@ -341,8 +344,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn,
if(force_ir || data->set.sasl_ir)
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
conn->host.name,
conn->port,
hostname,
port,
conn->oauth_bearer,
&resp, &len);
}
@ -408,6 +411,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
struct Curl_easy *data = conn->data;
saslstate newstate = SASL_FINAL;
char *resp = NULL;
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#if !defined(CURL_DISABLE_CRYPTO_AUTH)
char *serverdata;
char *chlg = NULL;
@ -542,8 +548,8 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn,
/* Create the authorisation message */
if(sasl->authused == SASL_MECH_OAUTHBEARER) {
result = Curl_auth_create_oauth_bearer_message(data, conn->user,
conn->host.name,
conn->port,
hostname,
port,
conn->oauth_bearer,
&resp, &len);

2
lib/http_proxy.c
View File

@ -63,6 +63,8 @@ static CURLcode https_proxy_connect(struct connectdata *conn, int sockindex)
}
return result;
#else
(void) conn;
(void) sockindex;
return CURLE_NOT_BUILT_IN;
#endif
}

2
lib/multi.c
View File

@ -813,8 +813,10 @@ static int waitconnect_getsock(struct connectdata *conn,
if(!numsocks)
return GETSOCK_BLANK;
#ifdef USE_SSL
if(CONNECT_FIRSTSOCKET_PROXY_SSL())
return Curl_ssl_getsock(conn, sock, numsocks);
#endif
for(i=0; i<2; i++) {
if(conn->tempsock[i] != CURL_SOCKET_BAD) {

6
lib/url.c
View File

@ -3786,10 +3786,6 @@ ConnectionExists(struct Curl_easy *data,
CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex)
{
CURLcode result = CURLE_OK;
/* if(!conn->bits.proxy || sockindex) */
/* this magic only works for the primary socket as the secondary is used
for FTP only and it has FTP specific magic in ftp.c */
/* return CURLE_OK; */
if(conn->bits.socksproxy) {
#ifndef CURL_DISABLE_PROXY
@ -3823,6 +3819,8 @@ CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex)
result = CURLE_COULDNT_CONNECT;
} /* switch proxytype */
conn->bits.socksproxy_connecting = FALSE;
#else
(void)sockindex;
#endif /* CURL_DISABLE_PROXY */
}

77
lib/vtls/darwinssl.c
View File

@ -1038,6 +1038,12 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
struct Curl_easy *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
char * const ssl_cert = SSL_SET_OPTION(cert);
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
@ -1233,34 +1239,33 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
}
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
if(data->set.str[STRING_KEY_ORIG]) {
if(SSL_SET_OPTION(key)) {
infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure "
"Transport. The private key must be in the Keychain.\n");
}
if(data->set.str[STRING_CERT_ORIG]) {
if(ssl_cert) {
SecIdentityRef cert_and_key = NULL;
bool is_cert_file = is_file(data->set.str[STRING_CERT_ORIG]);
bool is_cert_file = is_file(ssl_cert);
/* User wants to authenticate with a client cert. Look for it:
If we detect that this is a file on disk, then let's load it.
Otherwise, assume that the user wants to use an identity loaded
from the Keychain. */
if(is_cert_file) {
if(!data->set.ssl.cert_type)
if(!SSL_SET_OPTION(cert_type))
infof(data, "WARNING: SSL: Certificate type not set, assuming "
"PKCS#12 format.\n");
else if(strncmp(data->set.ssl.cert_type, "P12",
strlen(data->set.ssl.cert_type)))
"PKCS#12 format.\n");
else if(strncmp(SSL_SET_OPTION(cert_type), "P12",
strlen(SSL_SET_OPTION(cert_type))) != 0)
infof(data, "WARNING: SSL: The Security framework only supports "
"loading identities that are in PKCS#12 format.\n");
err = CopyIdentityFromPKCS12File(data->set.str[STRING_CERT_ORIG],
data->set.ssl.key_passwd,
&cert_and_key);
"loading identities that are in PKCS#12 format.\n");
err = CopyIdentityFromPKCS12File(ssl_cert,
SSL_SET_OPTION(key_passwd), &cert_and_key);
}
else
err = CopyIdentityWithLabel(data->set.str[STRING_CERT_ORIG],
&cert_and_key);
err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
if(err == noErr) {
SecCertificateRef cert = NULL;
@ -1301,24 +1306,24 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
switch(err) {
case errSecAuthFailed: case -25264: /* errSecPkcs12VerifyFailure */
failf(data, "SSL: Incorrect password for the certificate \"%s\" "
"and its private key.", data->set.str[STRING_CERT_ORIG]);
"and its private key.", ssl_cert);
break;
case -26275: /* errSecDecode */ case -25257: /* errSecUnknownFormat */
failf(data, "SSL: Couldn't make sense of the data in the "
"certificate \"%s\" and its private key.",
data->set.str[STRING_CERT_ORIG]);
"certificate \"%s\" and its private key.",
ssl_cert);
break;
case -25260: /* errSecPassphraseRequired */
failf(data, "SSL The certificate \"%s\" requires a password.",
data->set.str[STRING_CERT_ORIG]);
ssl_cert);
break;
case errSecItemNotFound:
failf(data, "SSL: Can't find the certificate \"%s\" and its private "
"key in the Keychain.", data->set.str[STRING_CERT_ORIG]);
"key in the Keychain.", ssl_cert);
break;
default:
failf(data, "SSL: Can't load the certificate \"%s\" and its private "
"key: OSStatus %d", data->set.str[STRING_CERT_ORIG], err);
"key: OSStatus %d", ssl_cert, err);
break;
}
return CURLE_SSL_CERTPROBLEM;
@ -1350,8 +1355,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
#else
if(SSLSetSessionOption != NULL) {
#endif /* CURL_BUILD_MAC */
bool break_on_auth = !conn->ssl_config.verifypeer ||
data->set.str[STRING_SSL_CAFILE_ORIG];
bool break_on_auth = !conn->ssl_config.verifypeer || ssl_cafile;
err = SSLSetSessionOption(connssl->ssl_ctx,
kSSLSessionOptionBreakOnServerAuth,
break_on_auth);
@ -1379,15 +1383,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
}
#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
bool is_cert_file = is_file(data->set.str[STRING_SSL_CAFILE_ORIG]);
if(ssl_cafile) {
bool is_cert_file = is_file(ssl_cafile);
if(!is_cert_file) {
failf(data, "SSL: can't load CA certificate file %s",
data->set.str[STRING_SSL_CAFILE_ORIG]);
failf(data, "SSL: can't load CA certificate file %s", ssl_cafile);
return CURLE_SSL_CACERT_BADFILE;
}
if(!data->set.ssl.primary.verifypeer) {
if(!verifypeer) {
failf(data, "SSL: CA certificate set, but certificate verification "
"is disabled");
return CURLE_SSL_CONNECT_ERROR;
@ -1398,17 +1401,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
* Both hostname check and SNI require SSLSetPeerDomainName().
* Also: the verifyhost setting influences SNI usage */
if(conn->ssl_config.verifyhost) {
err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name,
strlen(conn->host.name));
err = SSLSetPeerDomainName(connssl->ssl_ctx, hostname,
strlen(hostname));
if(err != noErr) {
infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n",
err);
}
if((Curl_inet_pton(AF_INET, conn->host.name, &addr))
if((Curl_inet_pton(AF_INET, hostname, &addr))
#ifdef ENABLE_IPV6
|| (Curl_inet_pton(AF_INET6, conn->host.name, &addr))
|| (Curl_inet_pton(AF_INET6, hostname, &addr))
#endif
) {
infof(data, "WARNING: using IP address, SNI is being disabled by "
@ -1558,10 +1561,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
else {
CURLcode result;
ssl_sessionid =
aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE_ORIG],
data->set.ssl.primary.verifypeer,
data->set.ssl.primary.verifyhost,
conn->host.name, conn->remote_port);
aprintf("%s:%d:%d:%s:%hu", ssl_cafile,
verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port);
ssl_sessionid_len = strlen(ssl_sessionid);
err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
@ -1898,6 +1899,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
OSStatus err;
SSLCipherSuite cipher;
SSLProtocol protocol = 0;
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|| ssl_connect_2_reading == connssl->connecting_state
@ -1916,8 +1919,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
/* The below is errSSLServerAuthCompleted; it's not defined in
Leopard's headers */
case -9841:
if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
int res = verify_cert(data->set.str[STRING_SSL_CAFILE_ORIG], data,
if(SSL_CONN_CONFIG(CAfile)) {
int res = verify_cert(SSL_CONN_CONFIG(CAfile), data,
connssl->ssl_ctx);
if(res != CURLE_OK)
return res;
@ -1986,7 +1989,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
return CURLE_SSL_CONNECT_ERROR;
default:
failf(data, "Unknown SSL protocol error in connection to %s:%d",
conn->host.name, err);
hostname, err);
return CURLE_SSL_CONNECT_ERROR;
}
}

2
lib/vtls/gskit.c
View File

@ -833,7 +833,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
}
/* Determine which SSL/TLS version should be enabled. */
sni = conn->host.name;
sni = hostname;
switch (ssl_version) {
case CURL_SSLVERSION_SSLv2:
protoflags = CURL_GSKPROTO_SSLV2_MASK;

4
lib/vtls/gtls.c
View File

@ -502,8 +502,8 @@ gtls_connect_step1(struct connectdata *conn,
#ifdef CURL_CA_FALLBACK
/* use system ca certificate store as fallback */
if(data->set.ssl.verifypeer &&
!(data->set.ssl.CAfile || data->set.ssl.CApath)) {
if(SSL_CONN_CONFIG(verifypeer) &&
!(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath))) {
gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred);
}
#endif

62
lib/vtls/mbedtls.c
View File

@ -163,13 +163,21 @@ mbed_connect_step1(struct connectdata *conn,
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data* connssl = &conn->ssl[sockindex];
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
char * const ssl_cert = SSL_SET_OPTION(cert);
const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
int ret = -1;
char errorbuf[128];
errorbuf[0]=0;
/* mbedTLS only supports SSLv3 and TLSv1 */
if(data->set.ssl.primary.version == CURL_SSLVERSION_SSLv2) {
if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) {
failf(data, "mbedTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
@ -205,34 +213,32 @@ mbed_connect_step1(struct connectdata *conn,
/* Load the trusted CA */
mbedtls_x509_crt_init(&connssl->cacert);
if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
ret = mbedtls_x509_crt_parse_file(&connssl->cacert,
data->set.str[STRING_SSL_CAFILE_ORIG]);
if(ssl_cafile) {
ret = mbedtls_x509_crt_parse_file(&connssl->cacert, ssl_cafile);
if(ret<0) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s",
data->set.str[STRING_SSL_CAFILE_ORIG], -ret, errorbuf);
ssl_cafile, -ret, errorbuf);
if(data->set.ssl.primary.verifypeer)
if(verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
ret = mbedtls_x509_crt_parse_path(&connssl->cacert,
data->set.str[STRING_SSL_CAPATH_ORIG]);
if(ssl_capath) {
ret = mbedtls_x509_crt_parse_path(&connssl->cacert, ssl_capath);
if(ret<0) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s",
data->set.str[STRING_SSL_CAPATH_ORIG], -ret, errorbuf);
ssl_capath, -ret, errorbuf);
if(data->set.ssl.primary.verifypeer)
if(verifypeer)
return CURLE_SSL_CACERT_BADFILE;
}
}
@ -240,16 +246,15 @@ mbed_connect_step1(struct connectdata *conn,
/* Load the client certificate */
mbedtls_x509_crt_init(&connssl->clicert);
if(data->set.str[STRING_CERT_ORIG]) {
ret = mbedtls_x509_crt_parse_file(&connssl->clicert,
data->set.str[STRING_CERT_ORIG]);
if(ssl_cert) {
ret = mbedtls_x509_crt_parse_file(&connssl->clicert, ssl_cert);
if(ret) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s",
data->set.str[STRING_CERT_ORIG], -ret, errorbuf);
ssl_cert, -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
@ -258,10 +263,9 @@ mbed_connect_step1(struct connectdata *conn,
/* Load the client private key */
mbedtls_pk_init(&connssl->pk);
if(data->set.str[STRING_KEY_ORIG]) {
ret = mbedtls_pk_parse_keyfile(&connssl->pk,
data->set.str[STRING_KEY_ORIG],
data->set.str[STRING_KEY_ORIG]);
if(SSL_SET_OPTION(key)) {
ret = mbedtls_pk_parse_keyfile(&connssl->pk, SSL_SET_OPTION(key),
SSL_SET_OPTION(key_passwd));
if(ret == 0 && !mbedtls_pk_can_do(&connssl->pk, MBEDTLS_PK_RSA))
ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
@ -270,7 +274,7 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
data->set.str[STRING_KEY_ORIG], -ret, errorbuf);
SSL_SET_OPTION(key), -ret, errorbuf);
return CURLE_SSL_CERTPROBLEM;
}
@ -279,23 +283,21 @@ mbed_connect_step1(struct connectdata *conn,
/* Load the CRL */
mbedtls_x509_crl_init(&connssl->crl);
if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
ret = mbedtls_x509_crl_parse_file(&connssl->crl,
data->set.str[STRING_SSL_CRLFILE_ORIG]);
if(ssl_crlfile) {
ret = mbedtls_x509_crl_parse_file(&connssl->crl, ssl_crlfile);
if(ret) {
#ifdef MBEDTLS_ERROR_C
mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* MBEDTLS_ERROR_C */
failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s",
data->set.str[STRING_SSL_CRLFILE_ORIG], -ret, errorbuf);
ssl_crlfile, -ret, errorbuf);
return CURLE_SSL_CRL_BADFILE;
}
}
infof(data, "mbedTLS: Connecting to %s:%d\n",
conn->host.name, conn->remote_port);
infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port);
mbedtls_ssl_config_init(&connssl->config);
@ -317,7 +319,7 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_ssl_conf_cert_profile(&connssl->config,
&mbedtls_x509_crt_profile_fr);
switch(data->set.ssl.primary.version) {
switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
@ -393,11 +395,11 @@ mbed_connect_step1(struct connectdata *conn,
&connssl->cacert,
&connssl->crl);
if(data->set.str[STRING_KEY_ORIG]) {
if(SSL_SET_OPTION(key)) {
mbedtls_ssl_conf_own_cert(&connssl->config,
&connssl->clicert, &connssl->pk);
}
if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
if(mbedtls_ssl_set_hostname(&connssl->ssl, hostname)) {
/* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
the name to set in the SNI extension. So even if curl connects to a
host specified as an IP address, this function must be used. */
@ -487,7 +489,7 @@ mbed_connect_step2(struct connectdata *conn,
ret = mbedtls_ssl_get_verify_result(&conn->ssl[sockindex].ssl);
if(ret && data->set.ssl.primary.verifypeer) {
if(ret && SSL_CONN_CONFIG(verifypeer)) {
if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
failf(data, "Cert verify failed: BADCERT_EXPIRED");

8
lib/vtls/openssl.c
View File

@ -2074,7 +2074,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_capath ? ssl_capath : "none");
}
#ifdef CURL_CA_FALLBACK
else if(data->set.ssl.verifypeer) {
else if(verifypeer) {
/* verfying the peer without any CA certificates won't
work so use openssl's built in default as fallback */
SSL_CTX_set_default_verify_paths(connssl->ctx);
@ -2108,7 +2108,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
*/
#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
if(data->set.ssl.verifypeer) {
if(verifypeer) {
X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx),
X509_V_FLAG_TRUSTED_FIRST);
}
@ -2204,6 +2204,8 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
struct Curl_easy *data = conn->data;
int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|| ssl_connect_2_reading == connssl->connecting_state
|| ssl_connect_2_writing == connssl->connecting_state);
@ -2253,7 +2255,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
lerr = SSL_get_verify_result(connssl->handle);
if(lerr != X509_V_OK) {
data->set.ssl.certverifyresult = lerr;
*certverifyresult = lerr;
snprintf(error_buffer, sizeof(error_buffer),
"SSL certificate problem: %s",
X509_verify_cert_error_string(lerr));

35
lib/vtls/schannel.c
View File

@ -123,9 +123,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
#endif
TCHAR *host_name;
CURLcode result;
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
conn->host.name, conn->remote_port);
hostname, conn->remote_port);
#ifdef HAS_ALPN
/* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above.
@ -259,9 +261,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
/* Warn if SNI is disabled due to use of an IP address */
if(Curl_inet_pton(AF_INET, conn->host.name, &addr)
if(Curl_inet_pton(AF_INET, hostname, &addr)
#ifdef ENABLE_IPV6
|| Curl_inet_pton(AF_INET6, conn->host.name, &addr6)
|| Curl_inet_pton(AF_INET6, hostname, &addr6)
#endif
) {
infof(data, "schannel: using IP address, SNI is not supported by OS.\n");
@ -339,7 +341,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
memset(connssl->ctxt, 0, sizeof(struct curl_schannel_ctxt));
host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@ -412,11 +414,13 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
TCHAR *host_name;
CURLcode result;
bool doread;
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE;
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 2/3)\n",
conn->host.name, conn->remote_port);
hostname, conn->remote_port);
if(!connssl->cred || !connssl->ctxt)
return CURLE_SSL_CONNECT_ERROR;
@ -512,7 +516,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
memcpy(inbuf[0].pvBuffer, connssl->encdata_buffer,
connssl->encdata_offset);
host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@ -644,6 +648,8 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SECURITY_STATUS sspi_status = SEC_E_OK;
CERT_CONTEXT *ccert_context = NULL;
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
#ifdef HAS_ALPN
SecPkgContext_ApplicationProtocol alpn_result;
#endif
@ -651,7 +657,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 3/3)\n",
conn->host.name, conn->remote_port);
hostname, conn->remote_port);
if(!connssl->cred)
return CURLE_SSL_CONNECT_ERROR;
@ -1384,9 +1390,11 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
*/
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
infof(data, "schannel: shutting down SSL/TLS connection with %s port %hu\n",
conn->host.name, conn->remote_port);
hostname, conn->remote_port);
if(connssl->cred && connssl->ctxt) {
SecBufferDesc BuffDesc;
@ -1408,7 +1416,7 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
failf(data, "schannel: ApplyControlToken failure: %s",
Curl_sspi_strerror(conn, sspi_status));
host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@ -1533,6 +1541,9 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
CURLcode result = CURLE_OK;
CERT_CONTEXT *pCertContextServer = NULL;
const CERT_CHAIN_CONTEXT *pChainContext = NULL;
const char * const conn_hostname = SSL_IS_PROXY() ?
conn->http_proxy.host.name :
conn->host.name;
status = s_pSecFn->QueryContextAttributes(&connssl->ctxt->ctxt_handle,
SECPKG_ATTR_REMOTE_CERT_CONTEXT,
@ -1597,7 +1608,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
DWORD len;
cert_hostname.const_tchar_ptr = cert_hostname_buff;
hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn->host.name);
hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn_hostname);
/* TODO: Fix this for certificates with multiple alternative names.
Right now we're only asking for the first preferred alternative name.
@ -1615,7 +1626,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
128);
if(len > 0 && *cert_hostname.tchar_ptr == '*') {
/* this is a wildcard cert. try matching the last len - 1 chars */
int hostname_len = strlen(conn->host.name);
int hostname_len = strlen(conn_hostname);
cert_hostname.tchar_ptr++;
if(_tcsicmp(cert_hostname.const_tchar_ptr,
hostname.const_tchar_ptr + hostname_len - len + 2) != 0)
@ -1630,7 +1641,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
_cert_hostname = Curl_convert_tchar_to_UTF8(cert_hostname.tchar_ptr);
failf(data, "schannel: CertGetNameString() certificate hostname "
"(%s) did not match connection (%s)",
_cert_hostname, conn->host.name);
_cert_hostname, conn_hostname);
Curl_unicodefree(_cert_hostname);
}
Curl_unicodefree(hostname.tchar_ptr);