1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-26 01:58:49 -05:00
Commit Graph

82 Commits

Author SHA1 Message Date
Thomas Glanzmann
7b4bf37a44 mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is defined
In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal
to 0.  This patch also adds a comment how mbedtls must be compiled in
order to make debugging work, and explains the possible debug levels.
2016-08-05 00:23:17 +02:00
Thomas Glanzmann
aa9f536a18 mbedtls: Fix debug function name
This patch is necessary so that curl compiles if MBEDTLS_DEBUG is
defined.

Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
2016-08-01 13:16:42 -04:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Jay Satiro
04b4ee5498 vtls: Only call add/getsession if session id is enabled
Prior to this change we called Curl_ssl_getsessionid and
Curl_ssl_addsessionid regardless of whether session ID reusing was
enabled. According to comments that is in case session ID reuse was
disabled but then later enabled.

The old way was not intuitive and probably not something users expected.
When a user disables session ID caching I'd guess they don't expect the
session ID to be cached anyway in case the caching is later enabled.
2016-06-22 02:33:29 -04:00
Ivan Avdeev
31c521b047 vtls: fix ssl session cache race condition
Sessionid cache management is inseparable from managing individual
session lifetimes. E.g. for reference-counted sessions (like those in
SChannel and OpenSSL engines) every session addition and removal
should be accompanied with refcount increment and decrement
respectively. Failing to do so synchronously leads to a race condition
that causes symptoms like use-after-free and memory corruption.
This commit:
 - makes existing session cache locking explicit, thus allowing
   individual engines to manage lock's scope.
 - fixes OpenSSL and SChannel engines by putting refcount management
   inside this lock's scope in relevant places.
 - adds these explicit locking calls to other engines that use
   sessionid cache to accommodate for this change. Note, however,
   that it is unknown whether any of these engines could also have
   this race.

Bug: https://github.com/curl/curl/issues/815
Fixes #815
Closes #847
2016-06-01 09:40:55 +02:00
Renaud Lehoux
2072b4ae4f mbedtls: removed unused variables
Closes #838
2016-05-30 23:05:51 +02:00
Daniel Stenberg
b15a17c702 mbedtls: fix includes so snprintf() works
Regression from the previous *printf() rearrangements, this file missed to
include the correct header to make sure snprintf() works universally.

Reported-by: Moti Avrahami
Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
2016-05-24 12:14:18 +02:00
Daniel Stenberg
6efd2fa529 mbedtls/polarssl: set "hostname" unconditionally
...as otherwise the TLS libs will skip the CN/SAN check and just allow
connection to any server. curl previously skipped this function when SNI
wasn't used or when connecting to an IP address specified host.

CVE-2016-3739

Bug: https://curl.haxx.se/docs/adv_20160518A.html
Reported-by: Moti Avrahami
2016-05-17 14:48:17 +02:00
Daniel Stenberg
f6767f5435 TLS: move the ALPN/NPN enable bits to the connection
Only protocols that actually have a protocol registered for ALPN and NPN
should try to get that negotiated in the TLS handshake. That is only
HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
would wrongly be used in all handshakes if libcurl was built with it
enabled.

Reported-by: Jay Satiro

Fixes #789
2016-05-09 15:30:25 -04:00
Jay Satiro
9f498de9a2 mbedtls: Fix session resume
This also fixes PolarSSL session resume.

Prior to this change the TLS session information wasn't properly
saved and restored for PolarSSL and mbedTLS.

Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
Reported-by: Thomas Glanzmann

Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
Reported-by: Moti Avrahami
2016-04-28 02:57:38 -04:00
Daniel Stenberg
05492fe790 mbedtls.c: silly spellfix of a comment 2016-04-26 00:28:40 +02:00
Damien Vielpeau
83b39a4f4d mbedtls: fix MBEDTLS_DEBUG builds 2016-04-07 16:12:50 +02:00
Daniel Stenberg
c111178bd4 mbedtls: implement and provide *_data_pending()
... as otherwise we might get stuck thinking there's no more data to
handle.

Reported-by: Damien Vielpeau

Fixes #737
2016-04-07 16:10:10 +02:00
Daniel Stenberg
464bbfd6f5 mbedtls.c: name space pollution fix, Use 'Curl_' 2016-04-07 15:19:35 +02:00
Daniel Stenberg
5446549719 mbedtls.c: changed private prefix to mbed_
mbedtls_ is the prefix used by the mbedTLS library itself so we should
avoid using that for our private functions.
2016-04-07 15:16:01 +02:00
Daniel Stenberg
a71012c03e code: style updates 2016-04-03 22:38:36 +02:00
Daniel Stenberg
80851028ef mbedtls: fix compiler warning
vtls/mbedtls.h:67:36: warning: implicit declaration of function
‘mbedtls_sha256’ [-Wimplicit-function-declaration]
2016-03-19 22:37:21 +01:00
Jay Satiro
81bdd85318 mbedtls: fix user-specified SSL protocol version
Prior to this change when a single protocol CURL_SSLVERSION_ was
specified by the user that version was set only as the minimum version
but not as the maximum version as well.
2016-03-05 21:39:36 -05:00
Daniel Stenberg
c276aefee3 mbedtls.c: re-indent to better match curl standards 2016-02-10 10:46:57 +01:00
Rafael Antonio
c62d7944cf mbedtls: fix memory leak when destroying SSL connection data
Closes #626
2016-02-09 23:42:57 +01:00
Daniel Stenberg
716302c2cd mbedtls: fix ALPN usage segfault
Since we didn't keep the input argument around after having called
mbedtls, it could end up accessing the wrong memory when figuring out
the ALPN protocols.

Closes #642
2016-02-09 23:37:14 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Jay Satiro
d58ba66eec mbedtls: Fix pinned key return value on fail
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.

The callback method had three problems:

1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.

2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.

3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.

Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.

Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
2016-01-18 03:48:10 -05:00
Thomas Glanzmann
bf93a1217c mbedtls: implement CURLOPT_PINNEDPUBLICKEY 2016-01-10 00:17:26 +01:00
Jay Satiro
89a1eb7b1c mbedtls: Fix ALPN support
- Fix ALPN reply detection.

- Wrap nghttp2 code in ifdef USE_NGHTTP2.


Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
2016-01-07 01:49:31 -05:00
Daniel Stenberg
4bcc532de5 http: add libcurl option to allow HTTP/2 for HTTPS only
... and stick to 1.1 for HTTP. This is in line with what browsers do and
should have very little risk.
2015-12-13 09:24:51 +01:00
Daniel Stenberg
fbf09b7775 mbedtls: fix "Structurally dead code"
CID 1332129
2015-10-29 22:59:27 +01:00
Daniel Stenberg
f6ce8c9abb mbedtls: fix "Logically dead code"
CID 1332128
2015-10-29 22:57:09 +01:00
Daniel Stenberg
03b6e07816 polarssl/mbedtls: fix name space pollution
Global private symbols MUST start with Curl_!
2015-10-23 16:14:29 +02:00
Dmitry S. Baikov
6288cb9304 mbedTLS: THREADING_SUPPORT compilation fix
Closes #505
2015-10-23 16:05:25 +02:00
m-gardet
ace68fdc0c mbedtls:new profile with RSA min key len = 1024.
Closes #502
2015-10-22 15:28:57 +02:00
Jonas Minnberg
fe7590f729 vtls: added support for mbedTLS
closes #496
2015-10-20 07:57:24 +02:00