1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 13:05:03 -05:00
Commit Graph

1018 Commits

Author SHA1 Message Date
Daniel Stenberg
063d3f3b96
tidy-up: make conditional checks more consistent
... remove '== NULL' and '!= 0'

Closes #6912
2021-04-22 09:10:17 +02:00
Michael Kolechkin
dd2bb48552
sectransp: allow cipher name to be specified
Add parser for CURLOPT_SSL_CIPHER_LIST option for Secure Transport (ST)
back-end. Similar to NSS and GSKit back-ends, new code parses string
value and configures ST library to use those ciphers for communication.
Create cipher spec data structure and initialize the array of specs with
cipher number, name, alias, and 'weak' flag.

Mark triple-DES ciphers as 'weak', and exclude them from the default
ciphers list.

Closes #6464
2021-04-21 12:00:22 +02:00
Michael Kolechkin
df44138b1f
NSS: add ciphers to map
Add cipher names to the `cipherlist` map, based on the list of ciphers
implemented by the NSS in the source code file
https://github.com/nss-dev/nss/blob/master/lib/ssl/sslenum.c

Closes #6670
2021-04-21 11:50:20 +02:00
Georeth Zhou
6e3f2febcb openssl: fix build error with OpenSSL < 1.0.2
Closes https://github.com/curl/curl/pull/6920
2021-04-20 00:08:36 -04:00
Daniel Stenberg
eff614fb02
vtls: refuse setting any SSL version
... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.

Closes #6773
2021-04-19 08:16:02 +02:00
Javier Blazquez
40d2d39f86
rustls: only return CURLE_AGAIN when TLS session is fully drained
The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could be leaving some
unread plaintext data in the rustls session from a previous call,
causing causing the transfer to hang if the socket never receives
further data.

We need to ensure that the session is fully drained of plaintext data
before returning CURLE_AGAIN to the caller.

Reviewed-by: Jacob Hoffman-Andrews
Closes #6894
2021-04-15 08:19:49 +02:00
Daniel Stenberg
f573998c22
TLS: fix HTTP/2 selection
for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and
wolfSSL...

Regression since 88dd1a8a11 (shipped in 7.76.0)
Reported-by: Kenneth Davidson
Reported-by: romamik om github
Fixes #6825
Closes #6827
2021-04-02 22:53:17 +02:00
Gilles Vollant
06a7f2745e
openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY
Reported-by: Christian Schmitz
Fixes #6816
Closes #6820
2021-03-31 23:35:59 +02:00
Daniel Stenberg
2c26eeef12
vtls: fix addsessionid for non-proxy builds
Follow-up to b09c8ee157
Fixes #6812
Closes #6811
2021-03-29 14:20:13 +02:00
Daniel Stenberg
b09c8ee157
vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890
2021-03-28 23:19:56 +02:00
Daniel Stenberg
85e6975643
copyright: update copyright year ranges to 2021
Reviewed-by: Emil Engler
Closes #6802
2021-03-27 23:00:14 +01:00
Jean-Philippe Menil
5930cb1c46
openssl: ensure to check SSL_CTX_set_alpn_protos return values
SSL_CTX_set_alpn_protos() return 0 on success, and non-0 on failure

Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>

Closes #6794
2021-03-25 22:57:20 +01:00
Daniel Stenberg
db4e0bd85f
openssl: set the transfer pointer for logging early
Otherwise, the transfer will be NULL in the trace function when the
early handshake details arrive and then curl won't show them.

Regresssion in 7.75.0

Reported-by: David Hu
Fixes #6783
Closes #6792
2021-03-25 16:16:55 +01:00
Jacob Hoffman-Andrews
7488ef2960
rustls: Handle close_notify.
If we get a close_notify, treat that as EOF. If we get an EOF from the
TCP stream, treat that as an error (because we should have ended the
connection earlier, when we got a close_notify).

Closes #6763
2021-03-21 00:16:27 +01:00
Jacob Hoffman-Andrews
3780717db0
rustls: allocate a buffer for TLS data.
Previously, rustls was using an on-stack array for TLS data. However,
crustls has an (unusual) requirement that buffers it deals with are
initialized before writing to them. By using calloc, we can ensure the
buffer is initialized once and then reuse it across calls.

Closes #6742
2021-03-16 10:11:04 +01:00
Jacob Hoffman-Andrews
43a56e34e1
rustls: support CURLOPT_SSL_VERIFYPEER
This requires the latest main branch of crustls, which provides
rustls_client_config_builder_dangerous_set_certificate_verifier and
rustls_client_config_builder_set_enable_sni.

This refactors the session setup into its own function, and adds a new
function cr_hostname_is_ip. Because crustls doesn't support verification
of IP addresses, special handling is needed: We disable SNI and set a
placeholder hostname (which never actually gets sent on the wire).

Closes #6719
2021-03-12 13:15:00 +01:00
Daniel Stenberg
b7e01382d6
openssl: adapt to v3's new const for a few API calls
Closes #6703
2021-03-09 08:15:36 +01:00
Jay Satiro
7a33c4dff9 schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro
- Change use of those options from CURLOPT_SSL_OPTIONS that are not
  already evaluated via SSL_SET_OPTION in schannel and secure transport
  to use that instead of data->set.ssl.optname.

Example:

Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.

This change is because options set via CURLOPT_SSL_OPTIONS
(data->set.ssl.optname) are separate from those set for HTTPS proxy via
CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
SSL_SET_OPTION macro determines whether the connection is for HTTPS
proxy and based on that which option to evaluate.

Since neither Schannel nor Secure Transport backends currently support
HTTPS proxy in libcurl, this change is for posterity and has no other
effect.

Closes https://github.com/curl/curl/pull/6690
2021-03-06 02:01:35 -05:00
Jean-Philippe Menil
8779bfe77b openssl: remove get_ssl_version_txt in favor of SSL_get_version
openssl: use SSL_get_version to get connection protocol

Replace our bespoke get_ssl_version_txt in favor of SSL_get_version.
We can get rid of few lines of code, since SSL_get_version achieve
the exact same thing

Closes #6665
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Signed-off-by: Jean-Philippe Menil <jpmenil@gmail.com>
2021-02-26 04:15:04 +01:00
Daniel Stenberg
70472a44de
urldata: remove the _ORIG suffix from string names
It doesn't provide any useful info but only makes the names longer.

Closes #6624
2021-02-19 08:07:19 +01:00
Daniel Stenberg
e06fa7462a
gnutls: assume nettle crypto support
nettle has been the default crypto library with GnuTLS since 2010. By
dropping support for the previous libcrypto, we simplify code.

Closes #6625
2021-02-18 23:06:47 +01:00
Daniel Stenberg
bc928be02c
wolfssl: don't store a NULL sessionid
This caused a memory leak as the session id cache entry was still
erroneously stored with a NULL sessionid and that would later be treated
as not needed to get freed.

Reported-by: Gisle Vanem
Fixes #6616
Closes #6617
2021-02-17 22:55:45 +01:00
Daniel Stenberg
cfff12a0b3
lib: remove 'conn->data' completely
The Curl_easy pointer struct entry in connectdata is now gone. Just
before commit 215db086e0 landed on January 8, 2021 there were 919
references to conn->data.

Closes #6608
2021-02-16 10:48:57 +01:00
Daniel Stenberg
f2f91ac709
openssl: remove conn->data use
We still make the trace callback function get the connectdata struct
passed to it, since the callback is anchored on the connection.

Repeatedly updating the callback pointer to set 'data' with
SSL_CTX_set_msg_callback_arg() doesn't seem to work, probably because
there might already be messages in the queue with the old pointer.

This code therefore makes sure to set the "logger" handle before using
OpenSSL calls so that the right easy handle gets used for tracing.

Closes #6522
2021-02-15 09:08:59 +01:00
Daniel Stenberg
88dd1a8a11
urldata: don't touch data->set.httpversion at run-time
Rename it to 'httpwant' and make a cloned field in the state struct as
well for run-time updates.

Also: refuse non-supported HTTP versions. Verified with test 129.

Closes #6585
2021-02-12 08:13:37 +01:00
Marcel Raad
1cd823ed5a
lib: remove redundant code
Closes https://github.com/curl/curl/pull/6576
2021-02-10 16:47:27 +01:00
Marcel Raad
a774b3f304
lib: reduce variable scopes
Closes https://github.com/curl/curl/pull/6576
2021-02-10 16:47:03 +01:00
Jacob Hoffman-Andrews
246399a874
vtls: initial implementation of rustls backend
This adds a new TLS backend, rustls. It uses the C-to-rustls bindings
from https://github.com/abetterinternet/crustls.

Rustls is at https://github.com/ctz/rustls/.

There is still a fair bit to be done, like sending CloseNotify on
connection shutdown, respecting CAPATH, and properly indicating features
like "supports TLS 1.3 ciphersuites." But it works well enough to make
requests and receive responses.

Blog post for context:
https://www.abetterinternet.org/post/memory-safe-curl/

Closes #6350
2021-02-09 11:06:18 +01:00
Jacob Hoffman-Andrews
c30bf22f1c
vtls: factor out Curl_ssl_getsock to field of Curl_ssl
Closes #6558
2021-02-08 14:10:55 +01:00
Jon Rumsey
4a6a5f0b4a
gskit: correct the gskit_send() prototype
gskit_send() first paramater is a pointer to Curl_easy not connectdata
struct.

Closes #6570
Fixes #6569
2021-02-05 08:43:32 +01:00
Daniel Stenberg
2c4b338f7e
vtls: remove md5sum
As it is not used anymore.

Reported-by: Jacob Hoffman-Andrews
Bug: https://curl.se/mail/lib-2021-02/0000.html

Closes #6557
2021-02-02 08:13:09 +01:00
Daniel Stenberg
60de76e2ad
openssl: lowercase the hostname before using it for SNI
... because it turns out several servers out there don't actually behave
correctly otherwise in spite of the fact that the SNI field is
specifically said to be case insensitive in RFC 6066 section 3.

Reported-by: David Earl
Fixes #6540
Closes #6543
2021-01-29 10:40:01 +01:00
Patrick Monnerat
bbe3aa9f88
vtls: reduce conn->data use
Closes #6474
2021-01-19 09:14:40 +01:00
Daniel Stenberg
215db086e0
lib: pass in 'struct Curl_easy *' to most functions
... in most cases instead of 'struct connectdata *' but in some cases in
addition to.

- We mostly operate on transfers and not connections.

- We need the transfer handle to log, store data and more. Everything in
  libcurl is driven by a transfer (the CURL * in the public API).

- This work clarifies and separates the transfers from the connections
  better.

- We should avoid "conn->data". Since individual connections can be used
  by many transfers when multiplexing, making sure that conn->data
  points to the current and correct transfer at all times is difficult
  and has been notoriously error-prone over the years. The goal is to
  ultimately remove the conn->data pointer for this reason.

Closes #6425
2021-01-17 23:56:09 +01:00
Daniel Stenberg
3d0b62fdbe
schannel_verify: fix safefree call typo
Follow-up from e87ad71d1b

Closes #6459
2021-01-15 10:16:17 +01:00
Gisle Vanem
e87ad71d1b
schannel: plug a memory-leak
... when built without -DUNICODE.

Closes #6457
2021-01-14 22:59:56 +01:00
Daniel Stenberg
c2c9e44a4d
vtls: remove Curl_ prefix from static functions 2021-01-14 08:09:09 +01:00
Daniel Stenberg
7e72b9b547
bearssl: remove Curl_ prefix from static functions 2021-01-14 08:09:08 +01:00
Daniel Stenberg
4b55d0468a
mbedtls: remove Curl_ prefix from static functions 2021-01-14 08:09:08 +01:00
Daniel Stenberg
5beed3e742
wolfssl: remove Curl_ prefix from static functions 2021-01-14 08:09:08 +01:00
Daniel Stenberg
39df93a875
nss: remove Curl_ prefix from static functions 2021-01-14 08:09:08 +01:00
Daniel Stenberg
a3e1e6b3b4
gnutls: remove Curl_ prefix from static functions 2021-01-14 08:09:08 +01:00
Daniel Stenberg
3112ede57c
openssl: remove Curl_ prefix from static functions
... as we reserve this prefix to library-wide functions.

Closes #6443
2021-01-14 08:08:54 +01:00
Daniel Stenberg
a79555291e
nss: get the run-time version instead of build-time
Closes #6445
2021-01-13 23:22:07 +01:00
Fabian Keil
4f61fd87b2
misc: fix typos
Bug: https://curl.se/mail/lib-2021-01/0063.html
Closes #6434
2021-01-11 15:12:25 +01:00
Himanshu Gupta
f927f38f1e
wolfssl: add SECURE_RENEGOTIATION support
Closes #6411
2021-01-05 10:05:46 +01:00
Daniel Stenberg
4eb908cd87
wolfssl: update copyright year range
Follow-up to 7de2e96535
2021-01-05 09:40:27 +01:00
Jay Satiro
7de2e96535 wolfssl: Support wolfSSL builds missing TLS 1.1
The wolfSSL TLS library defines NO_OLD_TLS in some of their build
configurations and that causes the library to be built without TLS 1.1.
For example if MD5 is explicitly disabled when building wolfSSL then
that defines NO_OLD_TLS and the library is built without TLS 1.1 [1].

Prior to this change attempting to build curl with a wolfSSL that was
built with NO_OLD_TLS would cause a build link error undefined reference
to wolfTLSv1_client_method.

[1]: https://github.com/wolfSSL/wolfssl/blob/v4.5.0-stable/configure.ac#L2366

Bug: https://curl.se/mail/lib-2020-12/0121.html
Reported-by: Julian Montes

Closes https://github.com/curl/curl/pull/6388
2021-01-04 18:00:37 -05:00
Daniel Stenberg
68dde8e330
schannel: fix "empty expression statement has no effect"
Bug: 8ab78f720a (commitcomment-45445950)
Reported-by: Gisle Vanem
Closes #6381
2020-12-29 17:10:47 +01:00
Daniel Stenberg
8ab78f720a
misc: fix "warning: empty expression statement has no effect"
Turned several macros into do-while(0) style to allow their use to work
find with semicolon.

Bug: 08e8455ddd (commitcomment-45433279)
Follow-up to 08e8455ddd
Reported-by: Gisle Vanem
Closes #6376
2020-12-26 23:44:17 +01:00