1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 04:55:03 -05:00
Commit Graph

160 Commits

Author SHA1 Message Date
Daniel Stenberg
bbb71507b7
schannel: don't use static to store selected ciphers
CVE-2021-22897

Bug: https://curl.se/docs/CVE-2021-22897.html
2021-05-24 07:56:05 +02:00
Joel Depooter
ba3452cafc schannel: Ensure the security context request flags are always set
As of commit 54e7475, these flags would only be set when using a new
credential handle. When re-using an existing credential handle, the
flags would not be set.

Closes https://github.com/curl/curl/pull/7051
2021-05-13 03:07:21 -04:00
Gilles Vollant
77fc3859b2 SSL: support in-memory CA certs for some backends
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
  specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
  and Secure Transport (Apple) SSL backends.

Prior to this change PEM certificates could only be imported from a file
and not from memory.

Co-authored-by: moparisthebest@users.noreply.github.com

Ref: https://github.com/curl/curl/pull/4679
Ref: https://github.com/curl/curl/pull/5677
Ref: https://github.com/curl/curl/pull/6109

Closes https://github.com/curl/curl/pull/6662
2021-05-05 02:29:16 -04:00
Jacob Hoffman-Andrews
a3268eca79
tls: add USE_HTTP2 define
This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.

Add our own define for the "h2" ALPN protocol, so TLS backends can use
it without depending on a specific HTTP backend.

Closes #6959
2021-04-29 15:04:39 +02:00
Morten Minde Neergaard
67d3afa73f schannel: Support strong crypto option
- Support enabling strong crypto via optional user cipher list when
  USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.

MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
versions that may be otherwise enabled for better interoperability."

Ref: https://curl.se/mail/lib-2021-02/0066.html
Ref: https://curl.se/docs/manpage.html#--ciphers
Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred

Closes https://github.com/curl/curl/pull/6734
2021-04-22 17:40:19 -04:00
Jay Satiro
54e7475016 schannel: Disable auto credentials; add an option to enable it
- Disable auto credentials by default. This is a breaking change
  for clients that are using it, wittingly or not.

- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
  to automatically locate and use a client certificate for
  authentication, when requested by the server.

- New curl tool options --ssl-auto-client-cert and
  --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.

This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.

Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn

Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard

Closes https://github.com/curl/curl/pull/6673
2021-04-22 16:53:37 -04:00
Michał Antoniak
e4ba999646
vtls: deduplicate some DISABLE_PROXY ifdefs
continue from #5735

- using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
  tls backend

- create SSL_HOST_PORT

Closes #6660
2021-04-22 22:50:56 +02:00
Daniel Stenberg
063d3f3b96
tidy-up: make conditional checks more consistent
... remove '== NULL' and '!= 0'

Closes #6912
2021-04-22 09:10:17 +02:00
Daniel Stenberg
eff614fb02
vtls: refuse setting any SSL version
... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.

Closes #6773
2021-04-19 08:16:02 +02:00
Daniel Stenberg
f573998c22
TLS: fix HTTP/2 selection
for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
wolfSSL...

Regression since 88dd1a8a11 (shipped in 7.76.0)
Reported-by: Kenneth Davidson
Reported-by: romamik om github
Fixes #6825
Closes #6827
2021-04-02 22:53:17 +02:00
Daniel Stenberg
b09c8ee157
vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890
2021-03-28 23:19:56 +02:00
Jay Satiro
7a33c4dff9 schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro
- Change use of those options from CURLOPT_SSL_OPTIONS that are not
  already evaluated via SSL_SET_OPTION in schannel and secure transport
  to use that instead of data->set.ssl.optname.

Example:

Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.

This change is because options set via CURLOPT_SSL_OPTIONS
(data->set.ssl.optname) are separate from those set for HTTPS proxy via
CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
SSL_SET_OPTION macro determines whether the connection is for HTTPS
proxy and based on that which option to evaluate.

Since neither Schannel nor Secure Transport backends currently support
HTTPS proxy in libcurl, this change is for posterity and has no other
effect.

Closes https://github.com/curl/curl/pull/6690
2021-03-06 02:01:35 -05:00
Daniel Stenberg
70472a44de
urldata: remove the _ORIG suffix from string names
It doesn't provide any useful info but only makes the names longer.

Closes #6624
2021-02-19 08:07:19 +01:00
Daniel Stenberg
88dd1a8a11
urldata: don't touch data->set.httpversion at run-time
Rename it to 'httpwant' and make a cloned field in the state struct as
well for run-time updates.

Also: refuse non-supported HTTP versions. Verified with test 129.

Closes #6585
2021-02-12 08:13:37 +01:00
Jacob Hoffman-Andrews
c30bf22f1c
vtls: factor out Curl_ssl_getsock to field of Curl_ssl
Closes #6558
2021-02-08 14:10:55 +01:00
Daniel Stenberg
2c4b338f7e
vtls: remove md5sum
As it is not used anymore.

Reported-by: Jacob Hoffman-Andrews
Bug: https://curl.se/mail/lib-2021-02/0000.html

Closes #6557
2021-02-02 08:13:09 +01:00
Patrick Monnerat
bbe3aa9f88
vtls: reduce conn->data use
Closes #6474
2021-01-19 09:14:40 +01:00
Daniel Stenberg
215db086e0
lib: pass in 'struct Curl_easy *' to most functions
... in most cases instead of 'struct connectdata *' but in some cases in
addition to.

- We mostly operate on transfers and not connections.

- We need the transfer handle to log, store data and more. Everything in
  libcurl is driven by a transfer (the CURL * in the public API).

- This work clarifies and separates the transfers from the connections
  better.

- We should avoid "conn->data". Since individual connections can be used
  by many transfers when multiplexing, making sure that conn->data
  points to the current and correct transfer at all times is difficult
  and has been notoriously error-prone over the years. The goal is to
  ultimately remove the conn->data pointer for this reason.

Closes #6425
2021-01-17 23:56:09 +01:00
Daniel Stenberg
68dde8e330
schannel: fix "empty expression statement has no effect"
Bug: 8ab78f720a (commitcomment-45445950)
Reported-by: Gisle Vanem
Closes #6381
2020-12-29 17:10:47 +01:00
Daniel Stenberg
4d2f800677
curl.se: new home
Closes #6172
2020-11-04 23:59:47 +01:00
Daniel Stenberg
abeeffb11c
schannel: return CURLE_PEER_FAILED_VERIFICATION for untrusted root
This matches what is returned in other TLS backends in the same
situation.

Reviewed-by: Jay Satiro
Reviewed-by: Emil Engler
Follow-up to 5a3efb1
Reported-by: iammrtau on github
Fixes #6003
Closes #6018
2020-09-28 10:41:51 +02:00
Gergely Nagy
182ff2d63c
vtls: deduplicate client certificates in ssl_config_data
Closes #5629
2020-09-14 12:56:47 +02:00
Daniel Stenberg
add7022666
schannel: make it 'struct Curl_schannel*'
As internal global names should use captical C.

Closes #5906
2020-09-02 22:41:59 +02:00
fullincome
01e2679b49
schannel: fix memory leak when using get_cert_location
The get_cert_location function allocates memory only on success.
Previously get_cert_location was able to allocate memory and return
error. It wasn't obvious and in this case the memory wasn't
released.

Fixes #5855
Closes #5860
2020-08-26 22:54:11 +02:00
Cameron Cawley
790137b0f7
win32: Add Curl_verify_windows_version() to curlx
Closes https://github.com/curl/curl/pull/5754
2020-08-02 17:58:44 +02:00
Marcel Raad
0c6112a139
WIN32: stop forcing narrow-character API
Except where the results are only used for character output.
getenv is not touched because it's part of the public API, and having
it return UTF-8 instead of ANSI would be a breaking change.

Fixes https://github.com/curl/curl/issues/5658
Fixes https://github.com/curl/curl/issues/5712
Closes https://github.com/curl/curl/pull/5718
2020-07-27 10:42:38 +02:00
Saleem Abdulrasool
21ed48e8d9
vtls: repair the build with CURL_DISABLE_PROXY
`http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY`
is enabled.  Repair the build with that configuration.

Follow-up to f3d501dc67

Closes #5498
2020-06-01 23:03:31 +02:00
Daniel Stenberg
842f73de58
timeouts: change millisecond timeouts to timediff_t from time_t
For millisecond timers we like timediff_t better. Also, time_t can be
unsigned so returning a negative value doesn't work then.

Closes #5479
2020-05-30 23:10:57 +02:00
Viktor Szakats
308c243db5
all: fix codespell errors
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
2020-05-25 19:44:04 +00:00
Gilles Vollant
cac5374298
setopt: support certificate options in memory with struct curl_blob
This change introduces a generic way to provide binary data in setopt
options, called BLOBs.

This change introduces these new setopts:

CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.

Reviewed-by: Daniel Stenberg
Closes #5357
2020-05-15 13:03:59 +02:00
Daniel Stenberg
8df455479f
source cleanup: remove all custom typedef structs
- Stick to a single unified way to use structs
 - Make checksrc complain on 'typedef struct {'
 - Allow them in tests, public headers and examples

 - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
   typedef different types/structs depending on build conditions.

Closes #5338
2020-05-15 08:54:42 +02:00
Marcel Raad
a55c835e6b
curl_multibyte: add to curlx
This will also be needed in the tool and tests.

Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512
Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:27 +02:00
Daniel Stenberg
d39b4128d5
schannel: source code reindent
White space edits only. Conform better to standard curl source code
indenting style.

Closes #5305
2020-04-29 14:43:59 +02:00
Daniel Stenberg
a96c7529eb
select: make Curl_socket_check take timediff_t timeout
Coverity found CID 1461718:

Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms >
9223372036854775807L" is always false regardless of the values of its
operands. This occurs as the logical second operand of "||".

Closes #5240
2020-04-23 15:57:23 +02:00
Daniel Gustafsson
10822c652c lib: fix typos in comments and errormessages
This fixes a few randomly spotted typos in recently merged code, most
notably one in a userfacing errormessage the schannel code.
2020-04-20 10:12:22 +02:00
Andrew Kurushin
c35af29222 schannel: Fix blocking timeout logic
- Fix schannel_send for the case when no timeout was set.

Prior to this change schannel would error if the socket was not ready
to send data and no timeout was set.

This commit is similar to parent commit 89dc6e0 which recently made the
same change for SOCKS, for the same reason. Basically it was not well
understood that when Curl_timeleft returns 0 it is not a timeout of 0 ms
but actually means no timeout.

Fixes https://github.com/curl/curl/issues/5177
Closes https://github.com/curl/curl/pull/5221
2020-04-12 18:32:17 -04:00
Jay Satiro
53f4070827 lib: fix conversion warnings for SOCKET_WRITABLE/READABLE
- If loss of data may occur converting a timediff_t to time_t and
  the time value is > TIME_T_MAX then treat it as TIME_T_MAX.

This is a follow-up to 8843678 which removed the (time_t) typecast
from the macros so that conversion warnings could be identified.

Closes https://github.com/curl/curl/pull/5199
2020-04-11 02:52:25 -04:00
Gilles Vollant
0fdf965126
schannel: support .P12 or .PFX client certificates
Used with curl command line option like this: --cert
<filename>:<password> --cert-type p12

Closes #5193
2020-04-08 14:13:12 +02:00
Johannes Schindelin
5450428491 schannel: add "best effort" revocation check option
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
  --ssl-revoke-best-effort to allow a "best effort" revocation check.

A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.

---

When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:

	Unknown error (0x80092012) - The revocation function was unable
	to check revocation for the certificate.

Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.

This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.

In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.

Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).

To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.

Due to the many related issues Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.

The test 2070 was added to verify this behavior, adapted from 310.

Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes https://github.com/curl/curl/pull/4981
2020-03-18 03:23:39 -04:00
Viktor Szakats
7284061361 windows: suppress UI in all CryptAcquireContext() calls
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters
Reviewed-by: Marc Hörsken
Closes https://github.com/curl/curl/pull/5088
2020-03-17 23:08:02 +00:00
Daniel Stenberg
52d302ed64
polarssl: remove more references and mentions
Assisted-by: Jay Satiro
Follow-up to 6357a19ff2
Closes #5036
2020-03-05 07:57:45 +01:00
Pedro Monreal
4b6fd29f1a cleanup: fix typos and wording in docs and comments
Closes #4869
Reviewed-by: Emil Engler and Daniel Gustafsson
2020-02-02 18:43:01 +01:00
Marcel Raad
291ed52122
lib: fix compiler warnings with CURL_DISABLE_VERBOSE_STRINGS
Closes https://github.com/curl/curl/pull/4775
2020-01-03 17:02:30 +01:00
Xiaoyin Liu
0a65febccf schannel: fix --tls-max for when min is --tlsv1 or default
Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_
macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS
(CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.

Closes https://github.com/curl/curl/pull/4633
2019-11-24 03:16:26 -05:00
Francois Rivard
8986df802d
schannel: reverse the order of certinfo insertions
Fixes #4518
Closes #4519
2019-10-24 16:30:40 +02:00
Marcel Raad
527461285f
vtls: fix narrowing conversion warnings
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on
32-bit systems since commit b1616dad8f.

Closes https://github.com/curl/curl/pull/4398
2019-09-23 09:44:35 +02:00
Marcel Raad
10db3ef21e
lib: reduce variable scopes
Fixes Codacy/CppCheck warnings.

Closes https://github.com/curl/curl/pull/3872
2019-05-20 08:51:11 +02:00
Daniel Stenberg
8ece8177f1
cleanup: remove FIXME and TODO comments
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883
2019-05-16 09:16:56 +02:00
Daniel Stenberg
be6e281cf2
multi: provide Curl_multiuse_state to update information
As soon as a TLS backend gets ALPN conformation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.
2019-05-01 22:51:23 +02:00
Daniel Stenberg
880cd5dd20
strerror: make the strerror function use local buffers
Instead of using a fixed 256 byte buffer in the connectdata struct.

In my build, this reduces the size of the connectdata struct by 11.8%,
from 2160 to 1904 bytes with no functionality or performance loss.

This also fixes a bug in schannel's Curl_verify_certificate where it
called Curl_sspi_strerror when it should have called Curl_strerror for
string from GetLastError. the only effect would have been no text or the
wrong text being shown for the error.

Co-authored-by: Jay Satiro

Closes #3612
2019-02-26 10:20:21 +01:00