1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 23:15:08 -05:00
Commit Graph

1057 Commits

Author SHA1 Message Date
Daniel Stenberg
4aed7a1923
openssl: avoid static variable for seed flag
Avoid the race condition risk by instead storing the "seeded" flag in
the multi handle. Modern OpenSSL versions handle the seeding itself so
doing the seeding once per multi-handle instead of once per process is
less of an issue.

Reported-by: Gerrit Renker
Fixes #7296
Closes #7306
2021-06-29 14:18:15 +02:00
Jay Satiro
b31d9ccfc2 vtls: fix warning due to function prototype mismatch
b09c8ee changed the function prototype. Caught by Visual Studio.
2021-06-21 01:59:05 -04:00
Daniel Stenberg
a6da296867
vtls: only store TIMER_APPCONNECT for non-proxy connect
Introducing a 'isproxy' argument to the connect function so that it
knows wether to store the time stamp or not.

Reported-by: Yongkang Huang
Fixes #7274
Closes #7274
2021-06-19 23:02:16 +02:00
Daniel Stenberg
bfa0309175
gnutls: set the preferred TLS versions in correct order
Regression since 781864bedb (curl 7.77.0)

Reported-by: civodul on github
Assisted-by: Nikos Mavrogiannopoulos
Fixes #7277
Closes #7278
2021-06-18 23:22:21 +02:00
Daniel Stenberg
720b4a1a43
TLS: prevent shutdown loops to get stuck
... by making sure the loops are only allowed to read the shutdown
traffic a limited number of times.

Reported-by: Harry Sintonen
Closes #7271
2021-06-17 17:06:21 +02:00
Jacob Hoffman-Andrews
8fa0a298c6
rustls: remove native_roots fallback
For the commandline tool, we expect to be passed
SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of
trusted roots (like in other TLS backends).

This also removes a dependency on Security.framework when building on
macOS.

Closes #7250
2021-06-14 11:01:41 +02:00
Daniel Stenberg
a5adf8cb14
openssl: don't remove session id entry in disassociate
When a connection is disassociated from a transfer, the Session ID entry
should remain.

Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
Reported-by: Gergely Nagy
Reported-by: Paul Groke

Fixes #7222
Closes #7230
2021-06-11 12:52:55 +02:00
Ebe Janchivdorj
68d388061c
schannel: move code out of SChannel_connect_step1
Reviewed-by: Marc Hoersken
Closes #7168
2021-06-04 23:16:55 +02:00
Daniel Stenberg
a2b1bbeef0
mbedtls: make mbedtls_strerror always work
If the function doesn't exist, provide a macro that just clears the
error message. Removes #ifdef uses from the code.

Closes #7162
2021-06-01 17:53:44 +02:00
Daniel Stenberg
c7b93a76ea
vtls: exit addsessionid if no cache is inited
Follow-up to b249592d29

Avoids NULL pointer derefs.

Closes #7165
2021-06-01 13:40:30 +02:00
Michael Kaufmann
b249592d29 ssl: read pending close notify alert before closing the connection
This avoids a TCP reset (RST) if the server initiates a connection
shutdown by sending an SSL close notify alert and then closes the TCP
connection.

For SSL connections, usually the server announces that it will close the
connection with an SSL close notify alert. curl should read this alert.
If curl does not read this alert and just closes the connection, some
operating systems close the TCP connection with an RST flag.

See RFC 1122, section 4.2.2.13

If curl reads the close notify alert, the TCP connection is closed
normally with a FIN flag.

The new code is similar to existing code in the "SSL shutdown" function:
try to read an alert (non-blocking), and ignore any read errors.

Closes #7095
2021-06-01 09:40:40 +02:00
Laurent Dufresne
05e0453050
mbedtls: add support for cert and key blob options
CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB weren't usable with
mbedtls backend, so the support was added.

Closes #7157
2021-06-01 09:35:17 +02:00
Daniel Stenberg
894c74738f
Curl_ssl_getsessionid: fail if no session cache exists
This function might get called for an easy handle for which the session
cache hasn't been setup. It now just returns a "miss" in that case.

Reported-by: Christoph M. Becker
Fixes #7148
Closes #7153
2021-05-31 20:41:40 +02:00
Joel Depooter
ee97f17697
schannel: set ALPN length correctly for HTTP/2
In a3268eca79 this code was changed to use the ALPN_H2 constant
instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
not the same. The nghttp2 constant included the length of the string,
like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
to re-add the length of the string to the ALPN buffer.

Closes #7138
2021-05-27 08:27:35 +02:00
Michael Forney
7f9c5af8b3
bearssl: explicitly initialize all fields of Curl_ssl
Also, add comments like the other vtls backends.

Closes #7133
2021-05-26 14:43:45 +02:00
Michael Forney
a03ea62239
bearssl: remove incorrect const on variable that is modified
hostname may be set to NULL later on in this function if it is an
IP address.

Closes #7133
2021-05-26 14:43:40 +02:00
ejanchivdorj
a63dae5d07
sectransp: fix EXC_BAD_ACCESS caused by uninitialized buffer
When the SecCertificateCopyCommonName function fails, it leaves
common_name in a invalid state so CFStringCompare uses the invalid
result, causing EXC_BAD_ACCESS.

The fix is to check the return value of the function before using the
name.

Closes #7126
2021-05-25 11:22:09 +02:00
Jacob Hoffman-Andrews
a62e6435f4
rustls: switch read_tls and write_tls to callbacks
And update to 0.6.0, including a rename from session to connection for
many fields.

Closes #7071
2021-05-24 16:40:59 +02:00
Koichi Shiraishi
98770344b2
sectransp: fix 7f4a9a9b2a commit about missing comma
Follow-up to 7f4a9a9b2a

Closes #7119
2021-05-24 14:50:11 +02:00
Harry Sintonen
7f4a9a9b2a
openssl: associate/detach the transfer from connection
CVE-2021-22901

Bug: https://curl.se/docs/CVE-2021-22901.html
2021-05-24 13:15:10 +02:00
Daniel Stenberg
bbb71507b7
schannel: don't use static to store selected ciphers
CVE-2021-22897

Bug: https://curl.se/docs/CVE-2021-22897.html
2021-05-24 07:56:05 +02:00
Sergey Markelov
96adbf5cdb
NSS: make colons, commas and spaces valid separators in cipher list
Fixes #7110
Closes #7115
2021-05-23 00:11:30 +02:00
Daniel Stenberg
7b6d771a19
wolfssl: remove SSLv3 support leftovers
Closes #7088
2021-05-18 16:23:17 +02:00
Joel Depooter
ba3452cafc schannel: Ensure the security context request flags are always set
As of commit 54e7475, these flags would only be set when using a new
credential handle. When re-using an existing credential handle, the
flags would not be set.

Closes https://github.com/curl/curl/pull/7051
2021-05-13 03:07:21 -04:00
Cameron Cawley
3f25c01fce
openssl: remove unneeded cast for CertOpenSystemStore()
Closes #7025
2021-05-09 00:17:16 +02:00
Daniel Stenberg
577f19397c
GnuTLS: don't allow TLS 1.3 for versions that don't support it
Follow-up to 781864bedb

... as they don't understand it and will return error at us!

Closes #7014
2021-05-06 16:04:30 +02:00
Daniel Stenberg
781864bedb
gnutls: make setting only the MAX TLS allowed version work
Previously, settting only the max allowed TLS version, leaving the
minimum one at default, didn't actually set it and left it to default
(TLS 1.3) too!

As a bonus, this change also removes the dead code handling of SSLv3
since that version can't be set anymore (since eff614fb02).

Reported-by: Daniel Carpenter
Fixes #6998
Closes #7000
2021-05-05 12:51:56 +02:00
Gilles Vollant
77fc3859b2 SSL: support in-memory CA certs for some backends
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
  specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
  and Secure Transport (Apple) SSL backends.

Prior to this change PEM certificates could only be imported from a file
and not from memory.

Co-authored-by: moparisthebest@users.noreply.github.com

Ref: https://github.com/curl/curl/pull/4679
Ref: https://github.com/curl/curl/pull/5677
Ref: https://github.com/curl/curl/pull/6109

Closes https://github.com/curl/curl/pull/6662
2021-05-05 02:29:16 -04:00
ejanchivdorj
94241a9e78
CURLcode: add CURLE_SSL_CLIENTCERT
When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT

Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.

Closes #6721
2021-05-03 17:11:01 +02:00
Jacob Hoffman-Andrews
8228002cd1
rustls: use ALPN
Update required rustls to 0.5.0

Closes #6960
2021-04-30 08:27:37 +02:00
MAntoniak
ea17a022b3
gskit: fix CURL_DISABLE_PROXY build
Removed localfd and remotefd from ssl_backend_data (ued only with proxy
connection). Function pipe_ssloverssl return always 0, when proxy is not
used.

Closes #6981
2021-04-30 00:30:43 +02:00
MAntoniak
71bffe73f8
gskit: fix undefined reference to 'conn'
Closes #6980
2021-04-29 23:01:19 +02:00
Jacob Hoffman-Andrews
a3268eca79
tls: add USE_HTTP2 define
This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.

Add our own define for the "h2" ALPN protocol, so TLS backends can use
it without depending on a specific HTTP backend.

Closes #6959
2021-04-29 15:04:39 +02:00
Daniel Stenberg
9fc284427c
wolfssl: handle SSL_write() returns 0 for error
Reported-by: Timo Lange

Closes #6967
2021-04-26 14:27:45 +02:00
Harry Sintonen
f2e1163bc8
nss_set_blocking: avoid static for sock_opt
Reviewed-by: Kamil Dudka
Closes #6945
2021-04-26 08:45:54 +02:00
Patrick Monnerat
a4554b2c5e
vtls: reset ssl use flag upon negotiation failure
Fixes the segfault in ldaps disconnect.

Reported-by: Illarion Taev
Fixes #6934
Closes #6937
2021-04-23 14:41:39 +02:00
Morten Minde Neergaard
67d3afa73f schannel: Support strong crypto option
- Support enabling strong crypto via optional user cipher list when
  USE_STRONG_CRYPTO or SCH_USE_STRONG_CRYPTO is in the list.

MSDN says SCH_USE_STRONG_CRYPTO "Instructs Schannel to disable known
weak cryptographic algorithms, cipher suites, and SSL/TLS protocol
versions that may be otherwise enabled for better interoperability."

Ref: https://curl.se/mail/lib-2021-02/0066.html
Ref: https://curl.se/docs/manpage.html#--ciphers
Ref: https://curl.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
Ref: https://docs.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-schannel_cred

Closes https://github.com/curl/curl/pull/6734
2021-04-22 17:40:19 -04:00
Jay Satiro
54e7475016 schannel: Disable auto credentials; add an option to enable it
- Disable auto credentials by default. This is a breaking change
  for clients that are using it, wittingly or not.

- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
  to automatically locate and use a client certificate for
  authentication, when requested by the server.

- New curl tool options --ssl-auto-client-cert and
  --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.

This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.

Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn

Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard

Closes https://github.com/curl/curl/pull/6673
2021-04-22 16:53:37 -04:00
Michał Antoniak
e4ba999646
vtls: deduplicate some DISABLE_PROXY ifdefs
continue from #5735

- using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
  tls backend

- create SSL_HOST_PORT

Closes #6660
2021-04-22 22:50:56 +02:00
Daniel Stenberg
063d3f3b96
tidy-up: make conditional checks more consistent
... remove '== NULL' and '!= 0'

Closes #6912
2021-04-22 09:10:17 +02:00
Michael Kolechkin
dd2bb48552
sectransp: allow cipher name to be specified
Add parser for CURLOPT_SSL_CIPHER_LIST option for Secure Transport (ST)
back-end. Similar to NSS and GSKit back-ends, new code parses string
value and configures ST library to use those ciphers for communication.
Create cipher spec data structure and initialize the array of specs with
cipher number, name, alias, and 'weak' flag.

Mark triple-DES ciphers as 'weak', and exclude them from the default
ciphers list.

Closes #6464
2021-04-21 12:00:22 +02:00
Michael Kolechkin
df44138b1f
NSS: add ciphers to map
Add cipher names to the `cipherlist` map, based on the list of ciphers
implemented by the NSS in the source code file
https://github.com/nss-dev/nss/blob/master/lib/ssl/sslenum.c

Closes #6670
2021-04-21 11:50:20 +02:00
Georeth Zhou
6e3f2febcb openssl: fix build error with OpenSSL < 1.0.2
Closes https://github.com/curl/curl/pull/6920
2021-04-20 00:08:36 -04:00
Daniel Stenberg
eff614fb02
vtls: refuse setting any SSL version
... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.

Closes #6773
2021-04-19 08:16:02 +02:00
Javier Blazquez
40d2d39f86
rustls: only return CURLE_AGAIN when TLS session is fully drained
The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could be leaving some
unread plaintext data in the rustls session from a previous call,
causing causing the transfer to hang if the socket never receives
further data.

We need to ensure that the session is fully drained of plaintext data
before returning CURLE_AGAIN to the caller.

Reviewed-by: Jacob Hoffman-Andrews
Closes #6894
2021-04-15 08:19:49 +02:00
Daniel Stenberg
f573998c22
TLS: fix HTTP/2 selection
for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
wolfSSL...

Regression since 88dd1a8a11 (shipped in 7.76.0)
Reported-by: Kenneth Davidson
Reported-by: romamik om github
Fixes #6825
Closes #6827
2021-04-02 22:53:17 +02:00
Gilles Vollant
06a7f2745e
openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
Reported-by: Christian Schmitz
Fixes #6816
Closes #6820
2021-03-31 23:35:59 +02:00
Daniel Stenberg
2c26eeef12
vtls: fix addsessionid for non-proxy builds
Follow-up to b09c8ee157
Fixes #6812
Closes #6811
2021-03-29 14:20:13 +02:00
Daniel Stenberg
b09c8ee157
vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890
2021-03-28 23:19:56 +02:00
Daniel Stenberg
85e6975643
copyright: update copyright year ranges to 2021
Reviewed-by: Emil Engler
Closes #6802
2021-03-27 23:00:14 +01:00