1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 14:35:03 -05:00
Commit Graph

839 Commits

Author SHA1 Message Date
Jay Satiro
a3f385393a openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages
- Support handling verbose-mode trace messages of type
  SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS,
  SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO,
  SSL3_MT_MESSAGE_HASH

Reported-by: iz8mbw@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/2403
2018-04-20 01:28:32 -04:00
Dan McNulty
8996300211 schannel: add support for CURLOPT_CAINFO
- Move verify_certificate functionality in schannel.c into a new
  file called schannel_verify.c. Additionally, some structure defintions
  from schannel.c have been moved to schannel.h to allow them to be
  used in schannel_verify.c.

- Make verify_certificate functionality for Schannel available on
  all versions of Windows instead of just Windows CE. verify_certificate
  will be invoked on Windows CE or when the user specifies
  CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.

- In verify_certificate, create a custom certificate chain engine that
  exclusively trusts the certificate store backed by the CURLOPT_CAINFO
  file.

- doc updates of --cacert/CAINFO support for schannel

- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
  when available. This implements a TODO in schannel.c to improve
  handling of multiple SANs in a certificate. In particular, all SANs
  will now be searched instead of just the first name.

- Update tool_operate.c to not search for the curl-ca-bundle.crt file
  when using Schannel to maintain backward compatibility. Previously,
  any curl-ca-bundle.crt file found in that search would have been
  ignored by Schannel. But, with CAINFO support, the file found by
  that search would have been used as the certificate store and
  could cause issues for any users that have curl-ca-bundle.crt in
  the search path.

- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
  SSL backend is Schannel. We allow setting CA location for schannel
  only when explicitly specified by the user via CURLOPT_CAINFO /
  --cacert.

- Add new test cases 3000 and 3001. These test cases check that the first
  and last SAN, respectively, matches the connection hostname. New test
  certificates have been added for these cases. For 3000, the certificate
  prefix is Server-localhost-firstSAN and for 3001, the certificate
  prefix is Server-localhost-secondSAN.

- Remove TODO 15.2 (Add support for custom server certificate
  validation), this commit addresses it.

Closes https://github.com/curl/curl/pull/1325
2018-04-18 03:59:47 -04:00
Jay Satiro
4d660fdcb0 schannel: fix warning
- Fix warning 'integer from pointer without a cast' on 3rd arg in
  CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
  type of the same size.

Follow-up to e35b025.

Caught by Marc's CI builds.
2018-04-17 15:43:30 -04:00
Archangel_SDY
e35b0256eb
schannel: add client certificate authentication
Users can now specify a client certificate in system certificates store
explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`

Closes #2376
2018-04-17 00:23:01 +02:00
Daniel Gustafsson
94400f32e9 all: Refactor malloc+memset to use calloc
When a zeroed out allocation is required, use calloc() rather than
malloc() followed by an explicit memset(). The result will be the
same, but using calloc() everywhere increases consistency in the
codebase and avoids the risk of subtle bugs when code is injected
between malloc and memset by accident.

Closes https://github.com/curl/curl/pull/2497
2018-04-15 03:00:37 -04:00
Daniel Stenberg
dc1b6c5a00
build: cleanup to fix clang warnings/errors
unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a
cast from integer to pointer is a GNU extension

Reported-by: Rikard Falkeborn

Fixes #2466
Closes #2468
2018-04-08 13:59:30 +02:00
Gaurav Malhotra
2536e2450b
Revert "openssl: Don't add verify locations when verifypeer==0"
This reverts commit dc85437736.

libcurl (with the OpenSSL backend) performs server certificate verification
even if verifypeer == 0 and the verification result is available using
CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
CURLINFO_SSL_VERIFYRESULT to not have useful information for the
verifypeer == 0 use case (it would always have
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).

Closes #2451
2018-04-06 14:25:00 +02:00
Wyatt O'Day
336b6a32c0
tls: fix mbedTLS 2.7.0 build + handle sha256 failures
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED)

Closes #2453
2018-04-06 14:21:50 +02:00
Daniel Stenberg
256b80fe81
openssl: provide defines for argument typecasts to build warning-free
... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
2018-04-04 13:24:36 +02:00
Bernard Spil
7c90c93c0b
openssl: fix build with LibreSSL 2.7
- LibreSSL 2.7 implements (most of) OpenSSL 1.1 API

Fixes #2319
Closes #2447
Closes #2448

Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2018-04-04 11:24:51 +02:00
Chris Araman
b7b2809a21 darwinssl: fix iOS build 2018-03-18 10:57:04 +01:00
luz.paz
236402fc2d
cleanup: misc typos in strings and comments
Found via `codespell`

Closes #2389
2018-03-16 11:08:31 +01:00
sergii.kavunenko
613ccbf26c
WolfSSL: adding TLSv1.3
Closes #2349
2018-03-05 00:02:34 +01:00
Marcel Raad
24753bcd48
unit1309: fix warning on Windows x64
When targeting x64, MinGW-w64 complains about conversions between
32-bit long and 64-bit pointers. Fix this by reusing the
GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic
from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST /
CURLX_INTEGER_TO_POINTER_CAST.

Closes https://github.com/curl/curl/pull/2341
2018-02-28 20:04:48 +01:00
Kamil Dudka
1605d93a7b nss: use PK11_CreateManagedGenericObject() if available
... so that the memory allocated by applications using libcurl does not
grow per each TLS connection.

Bug: https://bugzilla.redhat.com/1510247

Closes #2297
2018-02-15 10:18:34 +01:00
Michael Kaufmann
1c680e35ab schannel: fix "no previous prototype" compiler warning 2018-02-09 20:10:25 +01:00
Michael Kaufmann
a64b002e3a schannel: fix compiler warnings
Closes #2296
2018-02-08 22:31:45 +01:00
Patrick Schlangen
dc85437736
openssl: Don't add verify locations when verifypeer==0
When peer verification is disabled, calling
SSL_CTX_load_verify_locations is not necessary. Only call it when
verification is enabled to save resources and increase performance.

Closes #2290
2018-02-06 10:48:03 +01:00
5c497343d9
GSKit: restore pinnedpubkey functionality
inadvertently removed in 283babfaf8

Closes #2263
2018-01-25 23:16:14 +01:00
Dair Grant
f8475c6941
darwinssl: Don't import client certificates into Keychain on macOS
Closes #2085
2018-01-25 23:13:35 +01:00
McDonough, Tim
1433e4645b
openssl: fix pinned public key build error in FIPS mode
Here is a version that should work with all versions of openssl 0.9.7
through 1.1.0.

Links to the docs:
https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html
https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html

At the very bottom of the 1.1.0 documentation there is a history section
that states, " stack allocated EVP_MD_CTXs are no longer supported."

If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a
simple mapping can be used as described here:
https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes

Closes #2258
2018-01-25 22:16:24 +01:00
1c00519499
SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5sum 2018-01-25 22:14:40 +01:00
e178fbd40a
SChannel/WinSSL: Implement public key pinning
Closes #1429
2018-01-25 22:14:39 +01:00
Daniel Stenberg
9e4ad1e2af
openssl: fix potential memory leak in SSLKEYLOGFILE logic
Coverity CID 1427646.
2018-01-18 12:10:58 +01:00
Daniel Stenberg
ca9c93e3e1
openssl: fix the libressl build again
Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is
late OpenSSL version...

Fixes #2246
Closes #2247

Reported-by: jungle-boogie on github
2018-01-18 09:07:23 +01:00
Daniel Stenberg
84fcaa2e73
openssl: enable SSLKEYLOGFILE support by default
Fixes #2210
Closes #2236
2018-01-15 10:33:08 +01:00
Jay Satiro
908a9a6742 build: remove HAVE_LIMITS_H check
.. because limits.h presence isn't optional, it's required by C89.

Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2

Closes https://github.com/curl/curl/pull/2215
2018-01-05 23:34:30 -05:00
Jay Satiro
129390a518 openssl: fix memory leak of SSLKEYLOGFILE filename
- Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl
  initialization.

Caught by ASAN.
2018-01-03 15:22:41 -05:00
dmitrykos
2437dbbf12
vtls: replaced getenv() with curl_getenv()
Fixed undefined symbol of getenv() which does not exist when compiling
for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with
curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP
is defined.

Closes #2171
2017-12-12 08:02:07 +01:00
Jay Satiro
7ab4e7adb9 openssl: Disable file buffering for Win32 SSLKEYLOGFILE
Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just
like it does for other platforms. However, the Windows CRT does not
actually support line buffering (_IOLBF) and will use full buffering
(_IOFBF) instead. We can't use full buffering because multiple processes
may be writing to the file and that could lead to corruption, and since
full buffering is the only buffering available this commit disables
buffering for Windows SSLKEYLOGFILE entirely (_IONBF).

Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
2017-12-10 02:48:41 -05:00
Jay Satiro
9dfb194833 openssl: improve data-pending check for https proxy
- Allow proxy_ssl to be checked for pending data even when connssl does
  not yet have an SSL handle.

This change is for posterity. Currently there doesn't seem to be a code
path that will cause a pending data check when proxyssl could have
pending data and the connssl handle doesn't yet exist [1].

[1]: Recall that an https proxy connection starts out in connssl but if
the destination is also https then the proxy SSL backend data is moved
from connssl to proxyssl, which means connssl handle is temporarily
empty until an SSL handle for the destination can be created.

Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542

Closes https://github.com/curl/curl/pull/1916
2017-12-08 17:43:36 -05:00
Daniel Stenberg
10bb0b4719
openssl: pkcs12 is supported by boringssl
Removes another #ifdef for BoringSSL

Pointed-out-by: David Benjamin

Closes #2134
2017-12-02 11:55:01 +01:00
Daniel Stenberg
cd276c3cca
openssl: fix boringssl build again
commit d3ab7c5a21 broke the boringssl build since it doesn't have
RSA_flags(), so we disable that code block for boringssl builds.

Reported-by: W. Mark Kubacki
Fixes #2117
2017-11-27 19:39:09 +01:00
Daniel Stenberg
3d97e37441
openssl: fix "Value stored to 'rc' is never read" scan-build error 2017-11-21 09:02:40 +01:00
Dirk Feytons
d3ab7c5a21
openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEY
Fixes #2079
Closes #2081
2017-11-15 11:09:21 +01:00
Daniel Stenberg
5d543fe906 time: rename Curl_tvnow to Curl_now
... since the 'tv' stood for timeval and this function does not return a
timeval struct anymore.

Also, cleaned up the Curl_timediff*() functions to avoid typecasts and
clean up the descriptive comments.

Closes #2011
2017-10-25 18:48:05 +02:00
Daniel Stenberg
b9d25f9a6b timediff: return timediff_t from the time diff functions
... to cater for systems with unsigned time_t variables.

- Renamed the functions to curlx_timediff and Curl_timediff_us.

- Added overflow protection for both of them in either direction for
  both 32 bit and 64 bit time_ts

- Reprefixed the curlx_time functions to use Curl_*

Reported-by: Peter Piekarski
Fixes #2004
Closes #2005
2017-10-25 09:54:37 +02:00
Patrick Monnerat
8aee8a6a2d vtls: change struct Curl_ssl close' field name to close_one'.
On OS/400, `close' is an ASCII system macro that corrupts the code if
not used in a context not targetting the close() system API.
2017-10-19 19:55:17 +01:00
David Benjamin
de7597f155
openssl: don't use old BORINGSSL_YYYYMM macros
Those were temporary things we'd add and remove for our own convenience
long ago. The last few stayed around for too long as an oversight but
have since been removed. These days we have a running
BORINGSSL_API_VERSION counter which is bumped when we find it
convenient, but 2015-11-19 was quite some time ago, so just check
OPENSSL_IS_BORINGSSL.

Closes #1979
2017-10-11 08:12:19 +02:00
Daniel Stenberg
62a721ea47
openssl: enable PKCS12 support for !BoringSSL
Enable PKCS12 for all non-boringssl builds without relying on configure
or cmake checks.

Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html
Reported-by: Christian Schmitz
Closes #1948
2017-10-09 11:29:53 +02:00
Marcel Raad
202189ff2c
vtls: fix warnings with --disable-crypto-auth
When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters
are not used.
2017-10-06 19:01:19 +02:00
Daniel Stenberg
2dcc378381
openssl: fix build without HAVE_OPAQUE_EVP_PKEY
Reported-by: Javier Sixto
Fixes #1955
Closes #1956
2017-10-06 14:42:40 +02:00
Daniel Stenberg
7bc5308db3
build: fix --disable-crypto-auth
Reported-by: Wyatt O'Day
Fixes #1945
Closes #1947
2017-10-05 14:06:23 +02:00
Nick Zitzmann
3e492e03b3 darwinssl: add support for TLSv1.3
Closes https://github.com/curl/curl/pull/1794
2017-10-05 00:51:38 -04:00
Michael Kaufmann
9d3dde37a8 vtls: compare and clone ssl configs properly
Compare these settings in Curl_ssl_config_matches():
- verifystatus (CURLOPT_SSL_VERIFYSTATUS)
- random_file (CURLOPT_RANDOM_FILE)
- egdsocket (CURLOPT_EGDSOCKET)

Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
and copy the setting "sessionid" unconditionally.

This means that reusing connections that are secured with a client
certificate is now possible, and the statement "TLS session resumption
is disabled when a client certificate is used" in the old advisory at
https://curl.haxx.se/docs/adv_20170419.html is obsolete.

Reviewed-by: Daniel Stenberg

Closes #1917
2017-10-03 18:08:50 +02:00
Jay Satiro
953b5c4e26 ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header
.. and include the core NTLM header in all NTLM-related source files.

Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT
but did not include vtls.h where it was defined.

Closes https://github.com/curl/curl/pull/1911
2017-09-23 13:58:14 -04:00
Viktor Szakats
6f86022df2 ntlm: use strict order for SSL backend #if branches
With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL

One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when
eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.

So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.

Ref: https://github.com/curl/curl/pull/1848
2017-09-22 19:01:28 +00:00
Daniel Stenberg
b8e0fe19ec
vtls: provide curl_global_sslset() even in non-SSL builds
... it just returns error:

Bug: 1328f69d53 (commitcomment-24470367)
Reported-by: Marcel Raad

Closes #1906
2017-09-22 12:09:13 +02:00
Dirk Feytons
fa9482ab09
openssl: only verify RSA private key if supported
In some cases the RSA key does not support verifying it because it's
located on a smart card, an engine wants to hide it, ...
Check the flags on the key before trying to verify it.
OpenSSL does the same thing internally; see ssl/ssl_rsa.c

Closes #1904
2017-09-21 20:17:06 +02:00
Marc Aldorasi
c8666089c8 schannel: Support partial send for when data is too large
Schannel can only encrypt a certain amount of data at once.  Instead of
failing when too much data is to be sent at once, send as much data as
we can and let the caller send the remaining data by calling send again.

Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html

Closes https://github.com/curl/curl/pull/1890
2017-09-16 03:19:35 -04:00
David Benjamin
843200c5b9 openssl: add missing includes
lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
their headers directly rather than relying on other OpenSSL headers
including things.

Closes https://github.com/curl/curl/pull/1891
2017-09-16 03:11:18 -04:00
Daniel Stenberg
93843c372f
conversions: fix several compiler warnings 2017-09-15 16:58:35 +02:00
Daniel Stenberg
e5743f08e7
code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
Daniel Stenberg
6b84438d9a
code style: use spaces around equals signs 2017-09-11 09:29:50 +02:00
Jay Satiro
64bb7ae6ae mbedtls: enable CA path processing
CA path processing was implemented when mbedtls.c was added to libcurl
in fe7590f, but it was never enabled.

Bug: https://github.com/curl/curl/issues/1877
Reported-by: SBKarr@users.noreply.github.com
2017-09-10 03:22:05 -04:00
Johannes Schindelin
f4a623825b
OpenSSL: fix yet another mistake while encapsulating SSL backend data
Another mistake in my manual fixups of the largely mechanical
search-and-replace ("connssl->" -> "BACKEND->"), just like the previous
commit concerning HTTPS proxies (and hence not caught during my
earlier testing).

Fixes #1855
Closes #1871

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:08:24 +02:00
Johannes Schindelin
dde4f5c81a
OpenSSL: fix erroneous SSL backend encapsulation
In d65e6cc4f (vtls: prepare the SSL backends for encapsulated private
data, 2017-06-21), this developer prepared for a separation of the
private data of the SSL backends from the general connection data.

This conversion was partially automated (search-and-replace) and
partially manual (e.g. proxy_ssl's backend data).

Sadly, there was a crucial error in the manual part, where the wrong
handle was used: rather than connecting ssl[sockindex]' BIO to the
proxy_ssl[sockindex]', we reconnected proxy_ssl[sockindex]. The reason
was an incorrect location to paste "BACKEND->"... d'oh.

Reported by Jay Satiro in https://github.com/curl/curl/issues/1855.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:06:50 +02:00
Jay Satiro
955c21939e
vtls: fix memory corruption
Ever since 70f1db321 (vtls: encapsulate SSL backend-specific data,
2017-07-28), the code handling HTTPS proxies was broken because the
pointer to the SSL backend data was not swapped between
conn->ssl[sockindex] and conn->proxy_ssl[sockindex] as intended, but
instead set to NULL (causing segmentation faults).

[jes: provided the commit message, tested and verified the patch]

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-09-07 16:06:50 +02:00
Daniel Stenberg
4bb80d532e
vtls: switch to CURL_SHA256_DIGEST_LENGTH define
... instead of the prefix-less version since WolfSSL 3.12 now uses an
enum with that name that causes build failures for us.

Fixes #1865
Closes #1867
Reported-by: Gisle Vanem
2017-09-07 15:59:42 +02:00
Jay Satiro
70a69f3718 SSL: fix unused parameter warnings 2017-09-06 15:11:55 -04:00
Gisle Vanem
61825be02b vtls: select ssl backend case-insensitive (follow-up)
- Do a case-insensitive comparison of CURL_SSL_BACKEND env as well.

- Change Curl_strcasecompare calls to strcasecompare
  (maps to the former but shorter).

Follow-up to c290b8f.

Bug: https://github.com/curl/curl/commit/c290b8f#commitcomment-24094313

Co-authored-by: Jay Satiro
2017-09-06 02:27:33 -04:00
Jay Satiro
6cdba64e13 openssl: Integrate Peter Wu's SSLKEYLOGFILE implementation
This is an adaptation of 2 of Peter Wu's SSLKEYLOGFILE implementations.

The first one, written for old OpenSSL versions:
https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c

The second one, written for BoringSSL and new OpenSSL versions:
https://github.com/curl/curl/pull/1346

Note the first one is GPL licensed but the author gave permission to
waive that license for libcurl.

As of right now this feature is disabled by default, and does not have
a configure option to enable it. To enable this feature define
ENABLE_SSLKEYLOGFILE when building libcurl and set environment
variable SSLKEYLOGFILE to a pathname that will receive the keys.

And in Wireshark change your preferences to point to that key file:
Edit > Preferences > Protocols > SSL > Master-Secret

Co-authored-by: Peter Wu

Ref: https://github.com/curl/curl/pull/1030
Ref: https://github.com/curl/curl/pull/1346

Closes https://github.com/curl/curl/pull/1866
2017-09-05 23:56:54 -04:00
Kamil Dudka
ea142a837e openssl: use OpenSSL's default ciphers by default
Up2date versions of OpenSSL maintain the default reasonably secure
without breaking compatibility, so it is better not to override the
default by curl.  Suggested at https://bugzilla.redhat.com/1483972

Closes #1846
2017-09-05 12:13:38 +02:00
Daniel Stenberg
202c1cc22f
schannel: return CURLE_SSL_CACERT on failed verification
... not *CACERT_BADFILE as it isn't really because of a bad file.

Bug: https://curl.haxx.se/mail/lib-2017-09/0002.html
Closes #1858
2017-09-04 11:48:38 +02:00
Daniel Stenberg
c290b8fb23
curl_global_sslset: select backend by name case insensitively
Closes #1849
2017-09-01 11:51:32 +02:00
Jay Satiro
aa2ea66cda darwinssl: handle long strings in TLS certs (follow-up)
- Fix handling certificate subjects that are already UTF-8 encoded.

Follow-up to b3b75d1 from two days ago. Since then a copy would be
skipped if the subject was already UTF-8, possibly resulting in a NULL
deref later on.

Ref: https://github.com/curl/curl/issues/1823
Ref: https://github.com/curl/curl/pull/1831

Closes https://github.com/curl/curl/pull/1836
2017-08-31 02:37:35 -04:00
Daniel Stenberg
410bf6b7b1
cyassl: call it the "WolfSSL" backend
... instead of cyassl, as this is the current name for it.

Closes #1844
2017-08-31 00:55:36 +02:00
Daniel Stenberg
5734f73f0d
polarssl: fix multissl breakage
Reported-by: Dan Fandrich
Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
Closes #1843
2017-08-31 00:53:05 +02:00
Johannes Schindelin
c7170e20d0
configure: allow setting the default SSL backend
Previously, we used as default SSL backend whatever was first in the
`available_backends` array.

However, some users may want to override that default without patching
the source code.

Now they can: with the --with-default-ssl-backend=<backend> option of
the ./configure script.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 22:56:50 +02:00
Johannes Schindelin
3063254e32
vtls: use Curl_ssl_multi pseudo backend only when needed
When only one SSL backend is configured, it is totally unnecessary to
let multissl_init() configure the backend at runtime, we can select the
correct backend at build time already.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 22:56:49 +02:00
Johannes Schindelin
81d318fa95
version: if built with more than one SSL backend, report all of them
To discern the active one from the inactive ones, put the latter into
parentheses.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 22:56:49 +02:00
Johannes Schindelin
1328f69d53
vtls: introduce curl_global_sslset()
Let's add a compile time safe API to select an SSL backend. This
function needs to be called *before* curl_global_init(), and can be
called only once.

Side note: we do not explicitly test that it is called before
curl_global_init(), but we do verify that it is not called multiple times
(even implicitly).

If SSL is used before the function was called, it will use whatever the
CURL_SSL_BACKEND environment variable says (or default to the first
available SSL backend), and if a subsequent call to
curl_global_sslset() disagrees with the previous choice, it will fail
with CURLSSLSET_TOO_LATE.

The function also accepts an "avail" parameter to point to a (read-only)
NULL-terminated list of available backends. This comes in real handy if
an application wants to let the user choose between whatever SSL backends
the currently available libcurl has to offer: simply call

	curl_global_sslset(-1, NULL, &avail);

which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
variable to point to the relevant information to present to the user.

Just like with the HTTP/2 push functions, we have to add the function
declaration of curl_global_sslset() function to the header file
*multi.h* because VMS and OS/400 require a stable order of functions
declared in include/curl/*.h (where the header files are sorted
alphabetically). This looks a bit funny, but it cannot be helped.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:59 +02:00
Johannes Schindelin
b59288f881
vtls: refactor out essential information about the SSL backends
There is information about the compiled-in SSL backends that is really
no concern of any code other than the SSL backend itself, such as which
function (if any) implements SHA-256 summing.

And there is information that is really interesting to the user, such as
the name, or the curl_sslbackend value.

Let's factor out the latter into a publicly visible struct. This
information will be used in the upcoming API to set the SSL backend
globally.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
b0989cd3ab
vtls: allow selecting which SSL backend to use at runtime
When building software for the masses, it is sometimes not possible to
decide for all users which SSL backend is appropriate.

Git for Windows, for example,  uses cURL to perform clones, fetches and
pushes via HTTPS, and some users strongly prefer OpenSSL, while other
users really need to use Secure Channel because it offers
enterprise-ready tools to manage credentials via Windows' Credential
Store.

The current Git for Windows versions use the ugly work-around of
building libcurl once with OpenSSL support and once with Secure Channel
support, and switching out the binaries in the installer depending on
the user's choice.

Needless to say, this is a super ugly workaround that actually only
works in some cases: Git for Windows also comes in a portable form, and
in a form intended for third-party applications requiring Git
functionality, in which cases this "swap out libcurl-4.dll" simply is
not an option.

Therefore, the Git for Windows project has a vested interest in teaching
cURL to make the SSL backend a *runtime* option.

This patch makes that possible.

By running ./configure with multiple --with-<backend> options, cURL will
be built with multiple backends.

For the moment, the backend can be configured using the environment
variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
"schannel").

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
a53bda35e9
vtls: fold the backend ID into the Curl_ssl structure
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
70f1db321a
vtls: encapsulate SSL backend-specific data
So far, all of the SSL backends' private data has been declared as
part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
block.

This can only work as long as the SSL backend is a compile-time option,
something we want to change in the next commits.

Therefore, let's encapsulate the exact data needed by each SSL backend
into a private struct, and let's avoid bleeding any SSL backend-specific
information into urldata.h. This is also necessary to allow multiple SSL
backends to be compiled in at the same time, as e.g. OpenSSL's and
CyaSSL's headers cannot be included in the same .c file.

To avoid too many malloc() calls, we simply append the private structs
to the connectdata struct in allocate_conn().

This requires us to take extra care of alignment issues: struct fields
often need to be aligned on certain boundaries e.g. 32-bit values need to
be stored at addresses that divide evenly by 4 (= 32 bit / 8
bit-per-byte).

We do that by assuming that no SSL backend's private data contains any
fields that need to be aligned on boundaries larger than `long long`
(typically 64-bit) would need. Under this assumption, we simply add a
dummy field of type `long long` to the `struct connectdata` struct. This
field will never be accessed but acts as a placeholder for the four
instances of ssl_backend_data instead. the size of each ssl_backend_data
struct is stored in the SSL backend-specific metadata, to allow
allocate_conn() to know how much extra space to allocate, and how to
initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
pointers.

This would appear to be a little complicated at first, but is really
necessary to encapsulate the private data of each SSL backend correctly.
And we need to encapsulate thusly if we ever want to allow selecting
CyaSSL and OpenSSL at runtime, as their headers cannot be included within
the same .c file (there are just too many conflicting definitions and
declarations for that).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
d65e6cc4fc
vtls: prepare the SSL backends for encapsulated private data
At the moment, cURL's SSL backend needs to be configured at build time.
As such, it is totally okay for them to hard-code their backend-specific
data in the ssl_connect_data struct.

In preparation for making the SSL backend a runtime option, let's make
the access of said private data a bit more abstract so that it can be
adjusted later in an easy manner.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
69039fd1fa
getinfo: access SSL internals via Curl_ssl
In the ongoing endeavor to abstract out all SSL backend-specific
functionality, this is the next step: Instead of hard-coding how the
different SSL backends access their internal data in getinfo.c, let's
implement backend-specific functions to do that task.

This will also allow for switching SSL backends as a runtime option.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
118b074fba
vtls: move SSL backends' private constants out of their header files
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
5d9fcd2165
axtls: use Curl_none_* versions of init() and cleanup()
There are convenient no-op versions of the init/cleanup functions now,
no need to define private ones for axTLS.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
6f1eec14e0
vtls: remove obsolete declarations of SSL backend functionality
These functions are all available via the Curl_ssl struct now, no need
to declare them separately anymore.

As the global declarations are removed, the corresponding function
definitions are marked as file-local. The only two exceptions here are
Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
declarations were removed, there are no function definitions to mark
file-local.

Please note that Curl_nss_force_init() is *still* declared globally, as
the only SSL backend-specific function, because it was introduced
specifically for the use case where cURL was compiled with
`--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
support for NSS, 2010-06-27).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
742ddc9d8f
schannel: reorder functions topologically
The _shutdown() function calls the _session_free() function; While this
is not a problem now (because schannel.h declares both functions), a
patch looming in the immediate future with make all of these functions
file-local.

So let's just move the _session_free() function's definition before it
is called.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
3ea5461d4e
axtls: reorder functions topologically
The connect_finish() function (like many other functions after it) calls
the Curl_axtls_close() function; While this is not a problem now
(because axtls.h declares the latter function), a patch looming in the
immediate future with make all of these functions file-local.

So let's just move the Curl_axtls_close() function's definition before
it is called.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
f0b4db1ab0
vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
That will allow us to choose the SSL backend at runtime.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
937899a3b8
vtls: convert the have_curlssl_* constants to runtime flags
The entire idea of introducing the Curl_ssl struct to describe SSL
backends is to prepare for choosing the SSL backend at runtime.

To that end, convert all the #ifdef have_curlssl_* style conditionals
to use bit flags instead.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
0a083a66bc
vtls: move sha256sum into the Curl_ssl struct
The SHA-256 checksumming is also an SSL backend-specific function.
Let's include it in the struct declaring the functionality of SSL
backends.

In contrast to MD5, there is no fall-back code. To indicate this, the
respective entries are NULL for those backends that offer no support for
SHA-256 checksumming.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
e35205a0c4
vtls: move md5sum into the Curl_ssl struct
The MD5 summing is also an SSL backend-specific function. So let's
include it, offering the previous fall-back code as a separate function
now: Curl_none_md5sum(). To allow for that, the signature had to be
changed so that an error could be returned from the implementation
(Curl_none_md5sum() can run out of memory).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
52e8237bfc
vtls: use the Curl_ssl struct to access all SSL backends' functionality
This is the first step to unify the SSL backend handling. Now all the
SSL backend-specific functionality is accessed via a global instance of
the Curl_ssl struct.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
e09bb63ed8
vtls: declare Curl_ssl structs for every SSL backend
The idea of introducing the Curl_ssl struct was to unify how the SSL
backends are declared and called. To this end, we now provide an
instance of the Curl_ssl struct for each and every SSL backend.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
e7e03e47d4
vtls: introduce a new struct for SSL backends
This new struct is similar in nature to Curl_handler: it will define the
functions and capabilities of all the SSL backends (where Curl_handler
defines the functions and capabilities of protocol handlers).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
c9d526cdbf
vtls: make sure every _sha256sum()'s first arg is const
This patch makes the signature of the _sha256sum() functions consistent
among the SSL backends, in preparation for unifying the way all SSL
backends are accessed.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:55 +02:00
Johannes Schindelin
2568cfed2d
vtls: make sure all _data_pending() functions return bool
This patch makes the signature of the _data_pending() functions
consistent among the SSL backends, in preparation for unifying the way
all SSL backends are accessed.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:55 +02:00
Johannes Schindelin
b31d1dcddb
vtls: make sure all _cleanup() functions return void
This patch makes the signature of the _cleanup() functions consistent
among the SSL backends, in preparation for unifying the way all SSL
backends are accessed.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:55 +02:00
Johannes Schindelin
dd02a9a341
vtls: use consistent signature for _random() implementations
This will make the upcoming multissl backend much easier to implement.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:55 +02:00
Daniel Stenberg
b3b75d1778
darwinssl: handle long strings in TLS certs
... as the previous fixed length 128 bytes buffer was sometimes too
small.

Fixes #1823
Closes #1831

Reported-by: Benjamin Sergeant
Assisted-by: Bill Pyne, Ray Satiro, Nick Zitzmann
2017-08-27 19:06:02 +02:00
Daniel Stenberg
75536e529a
darwinssi: fix error: variable length array used 2017-08-16 07:58:44 +02:00
Daniel Stenberg
fd07ca1e20
openssl: fix "error: this statement may fall through"
A gcc7 warning.
2017-08-11 08:16:17 +02:00
David Benjamin
f26f6d258f
openssl: remove CONST_ASN1_BIT_STRING.
Just making the pointer as const works for the pre-1.1.0 path too.

Closes #1759
2017-08-11 08:15:58 +02:00
Marcel Raad
61046e7bd5
darwinssl: fix compiler warning
clang complains:
vtls/darwinssl.c:40:8: error: extra tokens at end of #endif directive
[-Werror,-Wextra-tokens]

This breaks the darwinssl build on Travis. Fix it by making this token
a comment.

Closes https://github.com/curl/curl/pull/1734
2017-08-05 00:11:01 +02:00
Daniel Stenberg
af271ce9b9 darwin: silence compiler warnings
With a clang pragma and three type fixes

Fixes #1722
2017-08-04 00:07:02 +02:00
Daniel Stenberg
fa2f134cbd darwinssl: fix curlssl_sha256sum() compiler warnings on first argument 2017-08-03 10:24:06 +02:00
Daniel Stenberg
4dee50b9c8 timeval: struct curltime is a struct timeval replacement
... to make all libcurl internals able to use the same data types for
the struct members. The timeval struct differs subtly on several
platforms so it makes it cumbersome to use everywhere.

Ref: #1652
Closes #1693
2017-07-28 15:51:25 +02:00
Daniel Stenberg
7551e55d66 darwinssl: fix variable type mistake (regression)
... which made --tlsv1.2 not work because it would blank the max tls
version variable.

Reported-by: Nick Miyake
Bug: #1703
2017-07-27 18:30:11 +02:00
Kamil Dudka
42a4cd4c78 nss: fix a possible use-after-free in SelectClientCert()
... causing a SIGSEGV in showit() in case the handle used to initiate
the connection has already been freed.

This commit fixes a bug introduced in curl-7_19_5-204-g5f0cae803.

Reported-by: Rob Sanders
Bug: https://bugzilla.redhat.com/1436158
2017-07-20 08:09:01 +02:00
Kamil Dudka
c89eb6d0f8 nss: unify the coding style of nss_send() and nss_recv()
No changes in behavior intended by this commit.
2017-07-20 08:08:47 +02:00
Jay Satiro
798ad5d924 darwinssl: fix pinnedpubkey build error
- s/SessionHandle/Curl_easy/

Bug: https://github.com/curl/curl/commit/eb16305#commitcomment-23035670
Reported-by: Gisle Vanem
2017-07-17 02:46:07 -04:00
Johannes Schindelin
c0cdc68c7e gtls: fix build when sizeof(long) < sizeof(void *)
- Change gnutls pointer/int macros to pointer/curl_socket_t.
  Prior to this change they used long type as well.

The size of the `long` data type can be shorter than that of pointer
types. This is the case most notably on Windows.

If C99 were acceptable, we could simply use `intptr_t` here. But we
want to retain C89 compatibility.

Simply use the trick of performing pointer arithmetic with the NULL
pointer: to convert an integer `i` to a pointer, simply take the
address of the `i`th element of a hypothetical character array
starting at address NULL. To convert back, simply cast the pointer
difference.

Thanks to Jay Satiro for the initial modification to use curl_socket_t
instead of int/long.

Closes #1617

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-07-03 15:45:25 +02:00
dmitrykos
192877058e openssl: improve fallback seed of PRNG with a time based hash
Fixes #1620
2017-06-30 09:21:03 +02:00
Jay Satiro
17c5d05285 HTTPS-Proxy: don't offer h2 for https proxy connections
Bug: https://github.com/curl/curl/issues/1254

Closes #1546
2017-06-16 12:16:41 +02:00
Stuart Henderson
9f54ad8f15 libressl: OCSP and intermediate certs workaround no longer needed
lib/vtls/openssl.c has a workaround for a bug with OCSP responses signed
by intermediate certs, this was fixed in LibreSSL in
912c64f68f

Bug: https://curl.haxx.se/mail/lib-2017-06/0038.html
2017-06-13 12:28:22 +02:00
Marcel Raad
7207affe28
cyassl: define build macros before including ssl.h
cyassl/ssl.h needs the macros from cyassl/options.h, so define them
before including cyassl/ssl.h the first time, which happens in
urldata.h.
This broke the build on Ubuntu Xenial, which comes with WolfSSL 3.4.8
and therefore redefines the symbols from cyassl/options.h instead of
including the header.

Closes https://github.com/curl/curl/pull/1536
2017-06-03 00:39:46 +02:00
Marcel Raad
10e02bc36a
mbedtls: make TU-local variable static
mbedtls_x509_crt_profile_fr is only used locally.
This fixes a missing-variable-declarations warning with clang.
2017-06-02 22:05:01 +02:00
Jay Satiro
35e9281ef8 mbedtls: fix variable shadow warning
vtls/mbedtls.c:804:69: warning: declaration of 'entropy' shadows a global declaration [-Wshadow]
 CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy,
                                                                     ^~~~~~~
2017-05-29 17:38:33 -04:00
Nick Zitzmann
c58063b4f8 darwinssl: Fix exception when processing a client-side certificate file
if no error was raised by the API but the SecIdentityRef was null

Fixes #1450
2017-05-16 19:21:12 -05:00
eb16305e6a SecureTransport/DarwinSSL: Implement public key pinning
Closes #1400
2017-05-15 22:54:33 +02:00
Ron Eldor
bc3866e3eb mbedtls: Support server renegotiation request
Tested with servers: IIS 7.5; OpenSSL 1.0.2.

Closes https://github.com/curl/curl/pull/1475
2017-05-12 01:39:10 -04:00
Dan Fandrich
07fd7871b3 schannel: return a more specific error code for SEC_E_UNTRUSTED_ROOT 2017-05-04 18:19:33 +02:00
Dan Fandrich
6943085b50 gtls: fixed a lingering BUFSIZE reference 2017-05-02 09:14:26 +02:00
Daniel Stenberg
799c7048dc openssl: use local stack for temp storage 2017-05-01 22:55:29 +02:00
Kamil Dudka
e3e8d0204b nss: load libnssckbi.so if no other trust is specified
The module contains a more comprehensive set of trust information than
supported by nss-pem, because libnssckbi.so also includes information
about distrusted certificates.

Reviewed-by: Kai Engert
Closes #1414
2017-04-25 13:24:24 +02:00
Kamil Dudka
fab3d1ec65 nss: factorize out nss_{un,}load_module to separate fncs
No change of behavior is intended by this commit.
2017-04-25 13:22:37 +02:00
Kamil Dudka
c8ea86f377 nss: do not leak PKCS #11 slot while loading a key
It could prevent nss-pem from being unloaded later on.

Bug: https://bugzilla.redhat.com/1444860
2017-04-25 13:22:33 +02:00
Kamil Dudka
c8ac0b6a7f nss: adapt to the new Curl_llist API
This commit fixes compilation failure caused by
cbae73e1dd.
2017-04-24 17:50:27 +02:00
Jay Satiro
6b39f9c87e schannel: Don't treat encrypted partial record as pending data
- Track when the cached encrypted data contains only a partial record
  that can't be decrypted without more data (SEC_E_INCOMPLETE_MESSAGE).

- Change Curl_schannel_data_pending to return false in such a case.

Other SSL libraries have pending data functions that behave similarly.

Ref: https://github.com/curl/curl/pull/1387

Closes https://github.com/curl/curl/pull/1392
2017-04-22 22:39:40 -04:00
Dan Fandrich
f761da76f6 gnutls: removed some code when --disable-verbose is configured
This reduces the binary size and fixes a compile warning.
2017-04-22 12:20:25 +02:00
Daniel Stenberg
da2af5c04d openssl: fix memory leak in servercert
... when failing to get the server certificate.
2017-04-20 15:46:03 +02:00
Marcel Raad
a4ff8a1a0e
nss: fix MinGW compiler warnings
This fixes 3 warnings issued by MinGW:
1. PR_ImportTCPSocket actually has a paramter of type PROsfd instead of
PRInt32, which is 64 bits on Windows. Fixed this by including the
corresponding header file instead of redeclaring the function, which is
supported even though it is in the private include folder. [1]
2. In 64-bit mode, size_t is 64 bits while CK_ULONG is 32 bits, so an explicit
narrowing cast is needed.
3. Curl_timeleft returns time_t instead of long since commit
21aa32d30d.

[1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket

Closes https://github.com/curl/curl/pull/1393
2017-04-18 16:38:04 +02:00
Jay Satiro
33cfcfd9f0 TLS: Fix switching off SSL session id when client cert is used
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl
will each have their own sessionid flag.

Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
this issue had been fixed in 247d890, CVE-2016-5419.

Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com

The new incarnation of this bug is called CVE-2017-7468 and is documented
here: https://curl.haxx.se/docs/adv_20170419.html
2017-04-18 07:56:34 +02:00
David Benjamin
997504ea50 openssl: don't try to print nonexistant peer private keys
X.509 certificates carry public keys, not private keys. Fields
corresponding to the private half of the key will always be NULL.

Closes #1425
2017-04-17 23:22:51 +02:00
David Benjamin
1c92b5b609 openssl: fix thread-safety bugs in error-handling
ERR_error_string with NULL parameter is not thread-safe. The library
writes the string into some static buffer. Two threads doing this at
once may clobber each other and run into problems. Switch to
ERR_error_string_n which avoids this problem and is explicitly
bounds-checked.

Also clean up some remnants of OpenSSL 0.9.5 around here. A number of
comments (fixed buffer size, explaining that ERR_error_string_n was
added in a particular version) date to when ossl_strerror tried to
support pre-ERR_error_string_n OpenSSLs.

Closes #1424
2017-04-17 23:20:30 +02:00
David Benjamin
47b2f89d7c openssl: make SSL_ERROR_to_str more future-proof
Rather than making assumptions about the values, use a switch-case.

Closes #1424
2017-04-17 23:20:22 +02:00
Larry Stefani
fc347820a2 mbedtls: fix memory leak in error path
Add missing our_ssl_sessionid free call in mbed_connect_step3().

Closes #1417
2017-04-15 23:29:25 +02:00
Marcel Raad
580da62d84
polarssl: unbreak build with versions < 1.3.8
ssl_session_init was only introduced in version 1.3.8, the penultimate
version. The function only contains a memset, so replace it with that.

Suggested-by: Jay Satiro
Fixes https://github.com/curl/curl/issues/1401
2017-04-11 12:56:57 +02:00
Alexis La Goutte
5ed16e6a7a openssl: fix this statement may fall through [-Wimplicit-fallthrough=]
Closes #1402
2017-04-10 14:21:49 +02:00
Kamil Dudka
d29e9de146 nss: load CA certificates even with --insecure
... because they may include an intermediate certificate for a client
certificate and the intermediate certificate needs to be presented to
the server, no matter if we verify the peer or not.

Reported-by: thraidh
Closes #851
2017-04-10 13:44:52 +02:00
Marcel Raad
45c78ad5b4
vtls: fix unreferenced variable warnings
... by moving the variables into the correct #ifdef block.
2017-04-08 13:40:41 +02:00
Marcel Raad
33ca733ee2
schannel: fix compiler warnings
When UNICODE is not defined, the Curl_convert_UTF8_to_tchar macro maps
directly to its argument. As it is declared as a pointer to const and
InitializeSecurityContext expects a pointer to non-const, both MSVC and MinGW
issue a warning about implicitly casting away the const. Fix this by declaring
the variables as pointers to non-const.

Closes https://github.com/curl/curl/pull/1394
2017-04-07 08:57:52 +02:00
Marcel Raad
aa2e9e9017
gtls: fix compiler warning
Curl_timeleft returns time_t instead of long since commit
21aa32d30d.
2017-04-06 19:34:44 +02:00
Marcel Raad
c59fcdac90
nss: fix build after e60fe20fdf
Curl_llist_alloc is now Curl_llist_init.

Closes https://github.com/curl/curl/pull/1391
2017-04-06 12:52:13 +02:00
Marcel Raad
f104f7d914
schannel: fix unused variable warning
If CURL_DISABLE_VERBOSE_STRINGS is defined, hostname is not used in
schannel_connect_step3.
2017-03-30 10:35:46 +02:00
Jay Satiro
b04e4ebdd8 openssl: exclude DSA code when OPENSSL_NO_DSA is defined
- Fix compile errors that occur in openssl.c when OpenSSL lib was
  built without DSA support.

Bug: https://github.com/curl/curl/issues/1361
Reported-by: neheb@users.noreply.github.com
2017-03-28 03:54:31 -04:00
Marcel Raad
23d48c35cb
schannel: fix variable shadowing warning
No need to redeclare the variable.
2017-03-28 01:16:12 +02:00
klemens
f7df67cff0 spelling fixes
Closes #1356
2017-03-26 23:56:23 +02:00
Daniel Stenberg
68aac9a831 openssl: fix comparison between signed and unsigned integer expressions 2017-03-23 23:04:38 +01:00
Dan Fandrich
f99fcb0fee openssl: made the error table static const 2017-03-23 22:50:58 +01:00
Jay Satiro
b999d35c71 openssl: fall back on SSL_ERROR_* string when no error detail
- If SSL_get_error is called but no extended error detail is available
  then show that SSL_ERROR_* as a string.

Prior to this change there was some inconsistency in that case: the
SSL_ERROR_* code may or may not have been shown, or may have been shown
as unknown even if it was known.

Ref: https://github.com/curl/curl/issues/1300

Closes https://github.com/curl/curl/pull/1348
2017-03-23 16:48:29 -04:00
Ales Mlakar
a360906de6 mbedtls: add support for CURLOPT_SSL_CTX_FUNCTION
Ref: https://curl.haxx.se/mail/lib-2017-02/0097.html

Closes https://github.com/curl/curl/pull/1272
2017-03-21 23:51:44 -04:00
Palo Markovic
9873431c6f darwinssl: fix typo in variable name
Broken a week ago in 6448f98.

Closes https://github.com/curl/curl/pull/1337
2017-03-18 12:52:37 -04:00
Sylvestre Ledru
66de563482 Improve code readbility
... by removing the else branch after a return, break or continue.

Closes #1310
2017-03-13 23:11:45 +01:00
Thomas Glanzmann
e08c0cd327 mbedtls: fix typo in variable name
Broken a few days ago in 6448f98.

Bug: https://curl.haxx.se/mail/lib-2017-03/0015.html
2017-03-11 17:19:59 -05:00
Daniel Stenberg
12f04142c1 openssl: add two /* FALLTHROUGH */ to satisfy coverity
CID 1402159 and 1402158
2017-03-10 08:46:54 +01:00
Dan Fandrich
7d62502d6c polarssl: fixed compile errors introduced in 6448f98c 2017-03-09 09:07:53 +01:00
Daniel Stenberg
6733acc903 openssl: unbreak the build after 6448f98c18
Verified with OpenSSL 1.1.0e and OpenSSL master (1.1.1)
2017-03-08 23:38:26 +01:00
Jozef Kralik
6448f98c18 vtls: add options to specify range of enabled TLS versions
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.

Closes https://github.com/curl/curl/pull/1166
2017-03-08 15:54:07 +01:00
Alexis La Goutte
cbff751e95 build: fix gcc7 implicit fallthrough warnings
Mark intended fallthroughs with /* FALLTHROUGH */ so that gcc will know
it's expected and won't warn on [-Wimplicit-fallthrough=].

Closes https://github.com/curl/curl/pull/1297
2017-03-03 03:09:46 -05:00
JDepooter
0966ab5bd4 darwinssl: Warn that disabling host verify also disables SNI
In DarwinSSL the SSLSetPeerDomainName function is used to enable both
sending SNI and verifying the host. When host verification is disabled
the function cannot be called, therefore SNI is disabled as well.

Closes https://github.com/curl/curl/pull/1240
2017-03-02 02:42:15 -05:00
Jay Satiro
a21cae5f97 cyassl: get library version string at runtime
wolfSSL >= 3.6.0 supports getting its library version string at runtime.
2017-02-26 18:49:39 -05:00
Jay Satiro
0e8d3e838e cyassl: fix typo 2017-02-21 22:24:39 -05:00
Daniel Stenberg
a08db49642 axtls: adapt to API changes
Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS
< 2.1.0 (the older API)

... and fix the session_id mixup brought in 04b4ee549

Fixes #1220
2017-02-15 08:27:35 +01:00
Kamil Dudka
8fa5409800 nss: make FTPS work with --proxytunnel
If the NSS code was in the middle of a non-blocking handshake and it
was asked to finish the handshake in blocking mode, it unexpectedly
continued in the non-blocking mode, which caused a FTPS connection
over CONNECT to fail with "(81) Socket not ready for send/recv".

Bug: https://bugzilla.redhat.com/1420327
2017-02-09 17:34:14 +01:00
Michael Kaufmann
a7e4348cf8 polarssl, mbedtls: Fix detection of pending data
Reported-by: Dan Fandrich
Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
2017-02-08 22:24:21 +01:00
Daniel Gustafsson
3509aa8023 darwinssl: Avoid parsing certificates when not in verbose mode
The information extracted from the server certificates in step 3 is only
used when in verbose mode, and there is no error handling or validation
performed as that has already been done. Only run the certificate
information extraction when in verbose mode and libcurl was built with
verbose strings.

Closes https://github.com/curl/curl/pull/1246
2017-02-07 02:39:14 -05:00
JDepooter
18495ecacc schannel: Remove incorrect SNI disabled message
- Remove the SNI disabled when host verification disabled message
  since that is incorrect.

- Show a message for legacy versions of Windows <= XP that connections
  may fail since those versions of WinSSL lack SNI, algorithms, etc.

Bug: https://github.com/curl/curl/pull/1240
2017-02-07 02:39:13 -05:00
Adam Langley
028391df5d openssl: Don't use certificate after transferring ownership
SSL_CTX_add_extra_chain_cert takes ownership of the given certificate
while, despite the similar name, SSL_CTX_add_client_CA does not. Thus
it's best to call SSL_CTX_add_client_CA before
SSL_CTX_add_extra_chain_cert, while the code still has ownership of the
argument.

Closes https://github.com/curl/curl/pull/1236
2017-01-31 21:04:31 -05:00
Antoine Aubert
a90a5bccd4 mbedtls: implement CTR-DRBG and HAVEGE random generators
closes #1227
2017-01-29 11:37:22 +01:00
Michael Kaufmann
ab08d82648 mbedtls: disable TLS session tickets
SSL session reuse with TLS session tickets is not supported yet.
Use SSL session IDs instead.

See https://github.com/curl/curl/issues/1109
2017-01-28 20:15:30 +01:00
Michael Kaufmann
511674ab27 gnutls: disable TLS session tickets
SSL session reuse with TLS session tickets is not supported yet.
Use SSL session IDs instead.

Fixes https://github.com/curl/curl/issues/1109
2017-01-28 20:09:37 +01:00
Michael Kaufmann
bcca842e0d polarssl: fix hangs
This bugfix is similar to commit c111178bd4.
2017-01-28 19:47:08 +01:00
Daniel Stenberg
fd3ca89ced vtls: source indentation fix 2017-01-22 12:00:28 +01:00
Daniel Stenberg
01ab7c30bb vtls: fix PolarSSL non-blocking handling
A regression brought in cb4e2be

Reported-by: Michael Kaufmann
Bug: https://github.com/curl/curl/issues/1174#issuecomment-274018791
2017-01-20 10:46:05 +01:00
Antoine Aubert
06b1197eeb vtls: fix mbedtls multi non blocking handshake.
When using multi, mbedtls handshake is in non blocking mode.  vtls must
set wait for read/write flags for the socket.

Closes #1223
2017-01-20 08:31:03 +01:00
Jay Satiro
afd1564215 openssl: Fix random generation
- Fix logic error in Curl_ossl_random.

Broken a few days ago in 807698d.
2017-01-17 02:53:59 -05:00
Kamil Dudka
25ed9ea512 nss: use the correct lock in nss_find_slot_by_name() 2017-01-15 14:46:01 +01:00
Marcus Hoffmann
7ba8020c46 gnutls: check for alpn and ocsp in configure
Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
configure instead of relying on the version number.  GnuTLS has options
to turn these features off and we ca just work with with such builds
like we work with older versions.

Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>

Closes #1204
2017-01-13 09:54:55 +01:00
Daniel Stenberg
807698db02 rand: make it work without TLS backing
Regression introduced in commit f682156a4f

Reported-by: John Kohl
Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
2017-01-12 17:44:21 +01:00
Dan Fandrich
ba19feba94 wolfssl: display negotiated SSL version and cipher 2017-01-07 00:09:10 +01:00
Dan Fandrich
bbee0d4eee wolfssl: support setting cipher list 2017-01-06 23:02:09 +01:00
Nick Zitzmann
ffbb0f0d37 darwinssl: --insecure overrides --cacert if both settings are in use
Fixes #1184
2017-01-03 17:44:57 -06:00
Chris Araman
e53f0736c4 darwinssl: fix CFArrayRef leak
Reviewed-by: Nick Zitzmann
Closes #1173
2016-12-27 22:07:59 +01:00
Chris Araman
8db3afe16c darwinssl: fix iOS build
Reviewed-by: Nick Zitzmann
Fixes #1172
2016-12-27 22:07:28 +01:00
Daniel Stenberg
a7b38c9dc9 vtls: s/SSLEAY/OPENSSL
Fixed an old leftover use of the USE_SSLEAY define which would make a
socket get removed from the applications sockets to monitor when the
multi_socket API was used, leading to timeouts.

Bug: #1174
2016-12-26 00:10:04 +01:00
Jay Satiro
cdbdef6f9f cyassl: use time_t instead of long for timeout 2016-12-24 13:25:03 -05:00
Daniel Stenberg
00c817068e openssl-random: check return code when asking for random
and fail appropriately if it returns error
2016-12-23 15:29:01 +01:00
Daniel Stenberg
c7834ecd45 gnutls-random: check return code for failed random 2016-12-23 15:01:53 +01:00
Dan McNulty
0354eed410 schannel: fix wildcard cert name validation on Win CE
Fixes a few issues in manual wildcard cert name validation in
schannel support code for Win32 CE:
- when comparing the wildcard name to the hostname, the wildcard
  character was removed from the cert name and the hostname
  was checked to see if it ended with the modified cert name.
  This allowed cert names like *.com to match the connection
  hostname. This violates recommendations from RFC 6125.
- when the wildcard name in the certificate is longer than the
  connection hostname, a buffer overread of the connection
  hostname buffer would occur during the comparison of the
  certificate name and the connection hostname.
2016-12-19 07:53:20 +01:00
Michael Kaufmann
f9484d9fb1 openssl: simplify expression in Curl_ossl_version 2016-12-18 13:09:51 +01:00
Daniel Stenberg
1c3e8bbfed checksrc: warn for assignments within if() expressions
... they're already frowned upon in our source code style guide, this
now enforces the rule harder.
2016-12-14 01:29:44 +01:00
Daniel Stenberg
b228d2952b checksrc: stricter no-space-before-paren enforcement
In order to make the code style more uniform everywhere
2016-12-13 23:39:11 +01:00
Adam Langley
71a55534fa openssl: don't use OpenSSL's ERR_PACK.
ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
function name must be specified which is overly specific: the test will
break whenever OpenSSL internally change things so that a different
function creates the error.

Closes #1157
2016-12-07 23:53:03 +01:00
Dan Fandrich
18b02f1964 cyassl: fixed typo introduced in 4f8b1774 2016-11-30 21:57:55 +01:00
Okhin Vasilij
a4b2f7aafd curl_version_info: add CURL_VERSION_HTTPS_PROXY
Closes #1142
2016-11-26 17:28:53 +01:00
Thomas Glanzmann
4f8b17743d HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY 2016-11-25 10:49:38 +01:00
Daniel Stenberg
6832c1d4b2 checksrc: move open braces to comply with function declaration style 2016-11-24 23:58:22 +01:00
Daniel Stenberg
8657c268e1 checksrc: white space edits to comply to stricter checksrc 2016-11-24 23:58:22 +01:00
Daniel Stenberg
dbadaebfc4 checksrc: code style: use 'char *name' style 2016-11-24 23:58:22 +01:00
Daniel Stenberg
74ffa040a4 openssl: remove dead code
Coverity CID 1394666
2016-11-24 23:41:45 +01:00
Okhin Vasilij
c6da05a5ec HTTPS-proxy: fixed mbedtls and polishing 2016-11-24 23:41:45 +01:00
Daniel Stenberg
49765cd75c darwinssl: adopted to the HTTPS proxy changes
It builds and runs all test cases. No adaptations for actual HTTPS proxy
support has been made.
2016-11-24 23:41:45 +01:00
Daniel Stenberg
8b4352658a gtls: fix indent to silence compiler warning
vtls/gtls.c: In function ‘Curl_gtls_data_pending’:
vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
   if(conn->proxy_ssl[connindex].session &&
      ^~
      vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
           return res;
2016-11-24 23:41:45 +01:00
Thomas Glanzmann
8cb872df10 mbedtls: Fix compile errors 2016-11-24 23:41:45 +01:00