1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 01:28:51 -05:00
Commit Graph

122 Commits

Author SHA1 Message Date
Johannes Schindelin
5450428491 schannel: add "best effort" revocation check option
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
  --ssl-revoke-best-effort to allow a "best effort" revocation check.

A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.

---

When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:

	Unknown error (0x80092012) - The revocation function was unable
	to check revocation for the certificate.

Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.

This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.

In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.

Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).

To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.

Due to the many related issues Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.

The test 2070 was added to verify this behavior, adapted from 310.

Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes https://github.com/curl/curl/pull/4981
2020-03-18 03:23:39 -04:00
Viktor Szakats
7284061361 windows: suppress UI in all CryptAcquireContext() calls
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters
Reviewed-by: Marc Hörsken
Closes https://github.com/curl/curl/pull/5088
2020-03-17 23:08:02 +00:00
Daniel Stenberg
52d302ed64
polarssl: remove more references and mentions
Assisted-by: Jay Satiro
Follow-up to 6357a19ff2
Closes #5036
2020-03-05 07:57:45 +01:00
Pedro Monreal
4b6fd29f1a cleanup: fix typos and wording in docs and comments
Closes #4869
Reviewed-by: Emil Engler and Daniel Gustafsson
2020-02-02 18:43:01 +01:00
Marcel Raad
291ed52122
lib: fix compiler warnings with CURL_DISABLE_VERBOSE_STRINGS
Closes https://github.com/curl/curl/pull/4775
2020-01-03 17:02:30 +01:00
Xiaoyin Liu
0a65febccf schannel: fix --tls-max for when min is --tlsv1 or default
Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_
macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS
(CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.

Closes https://github.com/curl/curl/pull/4633
2019-11-24 03:16:26 -05:00
Francois Rivard
8986df802d
schannel: reverse the order of certinfo insertions
Fixes #4518
Closes #4519
2019-10-24 16:30:40 +02:00
Marcel Raad
527461285f
vtls: fix narrowing conversion warnings
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on
32-bit systems since commit b1616dad8f.

Closes https://github.com/curl/curl/pull/4398
2019-09-23 09:44:35 +02:00
Marcel Raad
10db3ef21e
lib: reduce variable scopes
Fixes Codacy/CppCheck warnings.

Closes https://github.com/curl/curl/pull/3872
2019-05-20 08:51:11 +02:00
Daniel Stenberg
8ece8177f1
cleanup: remove FIXME and TODO comments
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883
2019-05-16 09:16:56 +02:00
Daniel Stenberg
be6e281cf2
multi: provide Curl_multiuse_state to update information
As soon as a TLS backend gets ALPN conformation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.
2019-05-01 22:51:23 +02:00
Daniel Stenberg
880cd5dd20
strerror: make the strerror function use local buffers
Instead of using a fixed 256 byte buffer in the connectdata struct.

In my build, this reduces the size of the connectdata struct by 11.8%,
from 2160 to 1904 bytes with no functionality or performance loss.

This also fixes a bug in schannel's Curl_verify_certificate where it
called Curl_sspi_strerror when it should have called Curl_strerror for
string from GetLastError. the only effect would have been no text or the
wrong text being shown for the error.

Co-authored-by: Jay Satiro

Closes #3612
2019-02-26 10:20:21 +01:00
georgeok
531b7ad43a schannel: support CALG_ECDH_EPHEM algorithm
Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
algorithm option when selecting ciphers. This became available on the
Win10 SDK.

Closes https://github.com/curl/curl/pull/3608
2019-02-25 01:38:35 -05:00
Jay Satiro
0648070423 schannel: restore some debug output but only for debug builds
Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy
debug output in DEBUGF but omitted a few lines.

Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
2019-02-12 19:54:08 -05:00
Daniel Stenberg
84c10dc1ba
schannel: be quiet
Convert numerous infof() calls into debug-build only messages since they
are annoyingly verbose for regular applications. Removed a few.

Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
Reported-by: Volker Schmid
Closes #3552
2019-02-12 22:53:10 +01:00
Chris Araman
927a5bd1b4 url: close TLS before removing conn from cache
- Fix potential crashes in schannel shutdown.

Ensure any TLS shutdown messages are sent before removing the
association between the connection and the easy handle. Reverts
@bagder's previous partial fix for #3412.

Fixes https://github.com/curl/curl/issues/3412
Fixes https://github.com/curl/curl/issues/3505
Closes https://github.com/curl/curl/pull/3531
2019-02-06 13:33:21 -05:00
georgeok
a730432e59
spnego_sspi: add support for channel binding
Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.

Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
2019-02-01 09:56:27 +01:00
Daniel Stenberg
180501cb02
schannel: stop calling it "winssl"
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.

Closes #3504
2019-02-01 08:20:38 +01:00
Archangel_SDY
ce6f73b912
schannel: preserve original certificate path parameter
Fixes #3480
Closes #3487
2019-01-21 23:21:45 +01:00
georgeok
0966233744 ntlm_sspi: add support for channel binding
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.

Fixes #3280
Closes #3321
2019-01-19 13:00:53 +01:00
Daniel Stenberg
6ee6729709
schannel: on connection close there might not be a transfer
Reported-by: Marcel Raad
Fixes #3412
Closes #3483
2019-01-18 16:43:21 +01:00
Daniel Stenberg
dcd6f81025
snprintf: renamed and we now only use msnprintf()
The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
2018-11-23 08:26:51 +01:00
Daniel Gustafsson
8a49b291cb winssl: be consistent in Schannel capitalization
The productname from Microsoft is "Schannel", but in infof/failf
reporting we use "schannel". This removes different versions.

Closes #3243
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-07 10:11:13 +01:00
marcosdiazr
7f4c358541
schannel: make CURLOPT_CERTINFO support using Issuer chain
Closes #3197
2018-11-01 10:21:51 +01:00
Daniel Stenberg
832661b3a7
schannel: use Curl_ prefix for global private symbols
Curl_verify_certificate() must use the Curl_ prefix since it is globally
available in the lib and otherwise steps outside of our namespace!

Closes #3201
2018-11-01 09:39:45 +01:00
Jay Satiro
2e5651a5ce vtls: fix ssl version "or later" behavior change for many backends
- Treat CURL_SSLVERSION_MAX_NONE the same as
  CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
  the minimum version also as the maximum.

This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.

- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.

Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.

Co-authored-by: Daniel Gustafsson

Fixes https://github.com/curl/curl/issues/2969
Closes https://github.com/curl/curl/pull/3012
2018-09-20 14:12:25 -04:00
Daniel Stenberg
10009222fe
schannel: avoid switch-cases that go to default anyway
SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of
mingw and would require an ifdef otherwise.

Reported-by: Thomas Glanzmann
Approved-by: Marc Hörsken
Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html
Closes #2950
2018-09-07 08:23:00 +02:00
Han Han
5a3efb1dba
schannel: unified error code handling
Closes #2901
2018-09-06 08:27:15 +02:00
Ihor Karpenko
6b6c2b8d57
schannel: client certificate store opening fix
1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG )
while opening certificate store would be sufficient in this scenario and
less-demanding in sense of required user credentials ( for example,
IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore
call without any of flags mentioned above ),

2) as 'cert_store_name' is a DWORD, attempt to format its value like a
string ( in "Failed to open cert store" error message ) will throw null
pointer exception

3) adding GetLastError(), in my opinion, will make error message more
useful.

Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html

Closes #2909
2018-08-24 09:03:28 +02:00
Marcel Raad
2c33105dbf
schannel: enable CALG_TLS1PRF for w32api >= 5.1
The definition of CALG_TLS1PRF has been fixed in the 5.1 branch:
73aedcc0f2
2018-07-12 14:38:55 +02:00
Marcel Raad
48cf45c5aa
schannel: fix MinGW compile break
Original MinGW's w32api has a sytax error in its definition of
CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF
until this bug [1] is fixed.

[0] d1d4a17e51/w32api/include/wincrypt.h
[1] https://osdn.net/projects/mingw/ticket/38391

Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043
Closes https://github.com/curl/curl/pull/2728
2018-07-11 13:04:15 +02:00
Marcel Raad
424f1cfefb
schannel: fix -Wsign-compare warning
MinGW warns:
/lib/vtls/schannel.c:219:64: warning: signed and unsigned type in
conditional expression [-Wsign-compare]

Fix this by casting the ptrdiff_t to size_t as we know it's positive.

Closes https://github.com/curl/curl/pull/2721
2018-07-09 18:09:05 +02:00
Marcel Raad
07f7c93f92
schannel: workaround for wrong function signature in w32api
Original MinGW's w32api has CryptHashData's second parameter as BYTE *
instead of const BYTE *.

Closes https://github.com/curl/curl/pull/2721
2018-07-09 18:08:56 +02:00
Marcel Raad
a189ab91fe
schannel: make more cipher options conditional
They are not defined in the original MinGW's <wincrypt.h>.

Closes https://github.com/curl/curl/pull/2721
2018-07-09 18:08:46 +02:00
Robert Prag
9aefbff30d
schannel: support selecting ciphers
Given the contstraints of SChannel, I'm exposing these as the algorithms
themselves instead; while replicating the ciphersuite as specified by
OpenSSL would have been preferable, I found no way in the SChannel API
to do so.

To use this from the commandline, you need to pass the names of contants
defining the desired algorithms. For example, curl --ciphers
"CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM"
https://github.com The specific names come from wincrypt.h

Closes #2630
2018-06-12 12:08:40 +02:00
ralcock
45eefbd0dd
schannel: add failf calls for client certificate failures
Closes #2604
2018-05-27 23:30:23 +02:00
Daniel Stenberg
cb529b713f
checksrc: make sure sizeof() is used *with* parentheses
... and unify the source code to adhere.

Closes #2563
2018-05-21 23:21:47 +02:00
Jay Satiro
4584cc4499 schannel: disable manual verify if APIs not available
.. because original MinGW and old compilers do not have the Windows API
definitions needed to support manual verification.
2018-05-16 02:21:05 -04:00
Archangel_SDY
1592ea9792 schannel: disable client cert option if APIs not available
Original MinGW targets Windows 2000 by default, which lacks some APIs and
definitions for this feature. Disable it if these APIs are not available.

Closes https://github.com/curl/curl/pull/2522
2018-05-16 02:21:04 -04:00
Daniel Stenberg
babd55e25f
vtls: fix missing commas
follow-up to e66cca046c
2018-05-04 23:02:57 +02:00
Daniel Stenberg
e66cca046c
vtls: use unified "supports" bitfield member in backends
... instead of previous separate struct fields, to make it easier to
extend and change individual backends without having to modify them all.

closes #2547
2018-05-04 22:31:19 +02:00
Daniel Gustafsson
2f13e3d23d
checksrc: force indentation of lines after an else
This extends the INDENTATION case to also handle 'else' statements
and require proper indentation on the following line. Also fixes the
offending cases found in the codebase.

Closes #2532
2018-04-27 00:51:35 +02:00
Archangel_SDY
ab988caef6 schannel: fix build error on targets <= XP
- Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't
  support the latter.

Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668

Closes https://github.com/curl/curl/pull/2504
2018-04-23 03:16:49 -04:00
Dan McNulty
8996300211 schannel: add support for CURLOPT_CAINFO
- Move verify_certificate functionality in schannel.c into a new
  file called schannel_verify.c. Additionally, some structure defintions
  from schannel.c have been moved to schannel.h to allow them to be
  used in schannel_verify.c.

- Make verify_certificate functionality for Schannel available on
  all versions of Windows instead of just Windows CE. verify_certificate
  will be invoked on Windows CE or when the user specifies
  CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.

- In verify_certificate, create a custom certificate chain engine that
  exclusively trusts the certificate store backed by the CURLOPT_CAINFO
  file.

- doc updates of --cacert/CAINFO support for schannel

- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
  when available. This implements a TODO in schannel.c to improve
  handling of multiple SANs in a certificate. In particular, all SANs
  will now be searched instead of just the first name.

- Update tool_operate.c to not search for the curl-ca-bundle.crt file
  when using Schannel to maintain backward compatibility. Previously,
  any curl-ca-bundle.crt file found in that search would have been
  ignored by Schannel. But, with CAINFO support, the file found by
  that search would have been used as the certificate store and
  could cause issues for any users that have curl-ca-bundle.crt in
  the search path.

- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
  SSL backend is Schannel. We allow setting CA location for schannel
  only when explicitly specified by the user via CURLOPT_CAINFO /
  --cacert.

- Add new test cases 3000 and 3001. These test cases check that the first
  and last SAN, respectively, matches the connection hostname. New test
  certificates have been added for these cases. For 3000, the certificate
  prefix is Server-localhost-firstSAN and for 3001, the certificate
  prefix is Server-localhost-secondSAN.

- Remove TODO 15.2 (Add support for custom server certificate
  validation), this commit addresses it.

Closes https://github.com/curl/curl/pull/1325
2018-04-18 03:59:47 -04:00
Jay Satiro
4d660fdcb0 schannel: fix warning
- Fix warning 'integer from pointer without a cast' on 3rd arg in
  CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
  type of the same size.

Follow-up to e35b025.

Caught by Marc's CI builds.
2018-04-17 15:43:30 -04:00
Archangel_SDY
e35b0256eb
schannel: add client certificate authentication
Users can now specify a client certificate in system certificates store
explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`

Closes #2376
2018-04-17 00:23:01 +02:00
Daniel Gustafsson
94400f32e9 all: Refactor malloc+memset to use calloc
When a zeroed out allocation is required, use calloc() rather than
malloc() followed by an explicit memset(). The result will be the
same, but using calloc() everywhere increases consistency in the
codebase and avoids the risk of subtle bugs when code is injected
between malloc and memset by accident.

Closes https://github.com/curl/curl/pull/2497
2018-04-15 03:00:37 -04:00
Wyatt O'Day
336b6a32c0
tls: fix mbedTLS 2.7.0 build + handle sha256 failures
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED)

Closes #2453
2018-04-06 14:21:50 +02:00
Michael Kaufmann
1c680e35ab schannel: fix "no previous prototype" compiler warning 2018-02-09 20:10:25 +01:00
Michael Kaufmann
a64b002e3a schannel: fix compiler warnings
Closes #2296
2018-02-08 22:31:45 +01:00