1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-14 21:45:13 -05:00
Commit Graph

32 Commits

Author SHA1 Message Date
Jay Satiro
895168bfd3 schannel: Disable ALPN for Wine since it is causing problems
- Disable ALPN on Wine.

- Don't pass input secbuffer when ALPN is disabled.

When ALPN support was added a change was made to pass an input secbuffer
to initialize the context. When ALPN is enabled the buffer contains the
ALPN information, and when it's disabled the buffer is empty. In either
case this input buffer caused problems with Wine and connections would
not complete.

Bug: https://github.com/curl/curl/issues/983
Reported-by: Christian Fillion
2016-08-26 15:35:16 -04:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Jay Satiro
04b4ee5498 vtls: Only call add/getsession if session id is enabled
Prior to this change we called Curl_ssl_getsessionid and
Curl_ssl_addsessionid regardless of whether session ID reusing was
enabled. According to comments that is in case session ID reuse was
disabled but then later enabled.

The old way was not intuitive and probably not something users expected.
When a user disables session ID caching I'd guess they don't expect the
session ID to be cached anyway in case the caching is later enabled.
2016-06-22 02:33:29 -04:00
Steve Holme
34855feeb4 schannel: Disable ALPN on Windows < 8.1
Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL
fails on Windows < 8.1 so we need to disable ALPN on these OS versions.

Inspiration provide by: Daniel Seither

Closes #848
Fixes #840
2016-06-06 20:53:30 +01:00
Steve Holme
332e8d6164 win32: Used centralised verify windows version function
Closes #845
2016-06-04 21:24:09 +01:00
Ivan Avdeev
31c521b047 vtls: fix ssl session cache race condition
Sessionid cache management is inseparable from managing individual
session lifetimes. E.g. for reference-counted sessions (like those in
SChannel and OpenSSL engines) every session addition and removal
should be accompanied with refcount increment and decrement
respectively. Failing to do so synchronously leads to a race condition
that causes symptoms like use-after-free and memory corruption.
This commit:
 - makes existing session cache locking explicit, thus allowing
   individual engines to manage lock's scope.
 - fixes OpenSSL and SChannel engines by putting refcount management
   inside this lock's scope in relevant places.
 - adds these explicit locking calls to other engines that use
   sessionid cache to accommodate for this change. Note, however,
   that it is unknown whether any of these engines could also have
   this race.

Bug: https://github.com/curl/curl/issues/815
Fixes #815
Closes #847
2016-06-01 09:40:55 +02:00
Andrew Kurushin
6cabd78531 schannel: add CURLOPT_CERTINFO support
Closes #822
2016-06-01 08:50:01 +02:00
Marcel Raad
125827e60e schannel: fix compile break with MSVC XP toolset
For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK
7.1 is used. In this case, _USING_V110_SDK71_ is defined.

Closes #812
2016-05-18 12:52:41 +02:00
Daniel Stenberg
f6767f5435 TLS: move the ALPN/NPN enable bits to the connection
Only protocols that actually have a protocol registered for ALPN and NPN
should try to get that negotiated in the TLS handshake. That is only
HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
would wrongly be used in all handshakes if libcurl was built with it
enabled.

Reported-by: Jay Satiro

Fixes #789
2016-05-09 15:30:25 -04:00
Daniel Stenberg
a71012c03e code: style updates 2016-04-03 22:38:36 +02:00
Steve Holme
107cb78487 schannel: Fixed compilation warning from commit f8d88a4913
warning C4244: '=': conversion from 'int' to 'unsigned short', possible
                    loss of data
2016-03-26 11:14:07 +00:00
JDepooter
f8d88a4913 schannel: Add ALPN support
Add ALPN support for schannel. This allows cURL to negotiate
HTTP/2.0 connections when built with schannel.

Closes #724
2016-03-24 09:56:12 +01:00
Viktor Szakats
d49881cb19 URLs: change more http to https 2016-02-04 18:46:54 -05:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Steve Holme
c2f1730e17 schannel: Corrected copy/paste error in commit 8d17117683 2015-11-21 02:54:44 +00:00
Steve Holme
8d17117683 schannel: Use GetVersionEx() when VerifyVersionInfo() isn't available
Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
2015-11-21 02:43:17 +00:00
Steve Holme
a1b2a6bd93 schannel: Fix compilation warning from commit 7a8e861a56
schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
                   of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
2015-08-01 22:54:57 +01:00
Marcel Raad
7a8e861a56 schannel: Replace deprecated GetVersion with VerifyVersionInfo 2015-07-22 01:55:42 -04:00
Jay Satiro
172b2beba6 SSL: Add an option to disable certificate revocation checks
New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applies only to WinSSL where we have automatic
certificate revocation checking by default. According to the
ssl-compared chart there are other backends that have automatic checking
(NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
some later point.

Bug: https://github.com/bagder/curl/issues/264
Reported-by: zenden2k <zenden2k@gmail.com>
2015-07-17 02:40:16 -04:00
Jay Satiro
3e7ec1e849 schannel: schannel_recv overhaul
This commit is several drafts squashed together. The changes from each
draft are noted below. If any changes are similar and possibly
contradictory the change in the latest draft takes precedence.

Bug: https://github.com/bagder/curl/issues/244
Reported-by: Chris Araman

%%
%% Draft 1
%%
- return 0 if len == 0. that will have to be documented.
- continue on and process the caches regardless of raw recv
- if decrypted data will be returned then set the error code to CURLE_OK
and return its count
- if decrypted data will not be returned and the connection has closed
(eg nread == 0) then return 0 and CURLE_OK
- if decrypted data will not be returned and the connection *hasn't*
closed then set the error code to CURLE_AGAIN --only if an error code
isn't already set-- and return -1
- narrow the Win2k workaround to only Win2k

%%
%% Draft 2
%%
- Trying out a change in flow to handle corner cases.

%%
%% Draft 3
%%
- Back out the lazier decryption change made in draft2.

%%
%% Draft 4
%%
- Some formatting and branching changes
- Decrypt all encrypted cached data when len == 0
- Save connection closed state
- Change special Win2k check to use connection closed state

%%
%% Draft 5
%%
- Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
connection isn't closed.

%%
%% Draft 6
%%
- Save the last error only if it is an unrecoverable error.

Prior to this I saved the last error state in all cases; unfortunately
the logic to cover that in all cases would lead to some muddle and I'm
concerned that could then lead to a bug in the future so I've replaced
it by only recording an unrecoverable error and that state will persist.

- Do not recurse on renegotiation.

Instead we'll continue on to process any trailing encrypted data
received during the renegotiation only.

- Move the err checks in cleanup after the check for decrypted data.

In either case decrypted data is always returned but I think it's easier
to understand when those err checks come after the decrypted data check.

%%
%% Draft 7
%%
- Regardless of len value go directly to cleanup if there is an
unrecoverable error or a close_notify was already received. Prior to
this change we only acknowledged those two states if len != 0.

- Fix a bug in connection closed behavior: Set the error state in the
cleanup, because we don't know for sure it's an error until that time.

- (Related to above) In the case the connection is closed go "greedy"
with the decryption to make sure all remaining encrypted data has been
decrypted even if it is not needed at that time by the caller. This is
necessary because we can only tell if the connection closed gracefully
(close_notify) once all encrypted data has been decrypted.

- Do not renegotiate when an unrecoverable error is pending.

%%
%% Draft 8
%%
- Don't show 'server closed the connection' info message twice.

- Show an info message if server closed abruptly (missing close_notify).
2015-06-17 00:17:03 -04:00
Joel Depooter
a3e5a4371b schannel: Add support for optional client certificates
Some servers will request a client certificate, but not require one.
This change allows libcurl to connect to such servers when using
schannel as its ssl/tls backend. When a server requests a client
certificate, libcurl will now continue the handshake without one,
rather than terminating the handshake. The server can then decide
if that is acceptable or not. Prior to this change, libcurl would
terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS
error.
2015-06-11 15:53:01 -04:00
Marc Hoersken
3c104448d6 schannel.c: Small changes 2015-05-02 22:21:25 +02:00
Marc Hoersken
ae8387b91c schannel.c: Improve code path and readability 2015-05-02 20:14:53 +02:00
Marc Hoersken
d93619ca5d schannel.c: Improve error and return code handling upon aa99a63f03 2015-05-02 20:05:22 +02:00
Chris Araman
aa99a63f03 schannel: fix regression in schannel_recv
https://github.com/bagder/curl/issues/244

Commit 145c263 changed the behavior when Curl_read_plain returns
CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED
correctly.
2015-05-02 18:54:13 +02:00
Marc Hoersken
4bb8bad964 Bug born in changes made several days ago 9a91e80.
Commit: https://github.com/bagder/curl/commit/926cb9f
Reported-by: Ray Satiro
2015-05-01 09:39:34 +02:00
Jay Satiro
926cb9ff65 schannel: Fix out of bounds array
Bug born in changes made several days ago 9a91e80.

Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
Reported-by: Brian Chrisman
2015-04-30 01:44:45 -04:00
Marc Hoersken
92e754de78 schannel.c: Fix typo introduced with 3447c973d0 2015-04-26 19:57:05 +02:00
Marc Hoersken
9a91e8059b schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
Reported-by: Brian Chrisman
2015-04-26 17:59:01 +02:00
Daniel Stenberg
3447c973d0 schannel: re-indented file to follow curl style better
white space changes only
2015-04-26 17:40:40 +02:00
Daniel Stenberg
8aabbf5f8c vtls: use curl_printf.h all over
No need to use _MPRINTF_REPLACE internally.
2015-03-03 23:17:43 +01:00
Steve Holme
761d5166af schannel: Removed curl_ prefix from source files
Removed the curl_ prefix from the schannel source files as discussed
with Marc and Daniel at FOSDEM.
2015-02-07 21:34:33 +00:00