1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 01:28:51 -05:00
Commit Graph

961 Commits

Author SHA1 Message Date
Daniel Stenberg
81a54b12c6
OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.

Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
2020-05-13 16:39:36 +02:00
Gilles Vollant
148534db57
CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl)
Closes #4346
2020-05-08 15:55:04 +02:00
Emil Engler
42d8d9a7e8
GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
Closes #5287
2020-04-30 14:40:54 +02:00
Daniel Stenberg
d39b4128d5
schannel: source code reindent
White space edits only. Conform better to standard curl source code
indenting style.

Closes #5305
2020-04-29 14:43:59 +02:00
Daniel Stenberg
cad15b9f92
nss: check for PK11_CreateDigestContext() returning NULL
... to avoid crashes!

Reported-by: Hao Wu
Fixes #5302
Closes #5303
2020-04-27 16:25:59 +02:00
Daniel Stenberg
a96c7529eb
select: make Curl_socket_check take timediff_t timeout
Coverity found CID 1461718:

Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms >
9223372036854775807L" is always false regardless of the values of its
operands. This occurs as the logical second operand of "||".

Closes #5240
2020-04-23 15:57:23 +02:00
Emil Engler
2d137dedb3
GnuTLS: Don't skip really long certificate fields
Closes #5271
2020-04-21 08:10:55 +02:00
Daniel Stenberg
0891fe7ade
gnutls: bump lowest supported version to 3.1.10
GnuTLS 3.1.10 added new functions we want to use. That version was
released on Mar 22, 2013. Removing support for older versions also
greatly simplifies the code.

Ref: #5271
Closes #5276
2020-04-21 08:09:41 +02:00
Daniel Gustafsson
10822c652c lib: fix typos in comments and errormessages
This fixes a few randomly spotted typos in recently merged code, most
notably one in a userfacing errormessage the schannel code.
2020-04-20 10:12:22 +02:00
Johannes Schindelin
ff7a3107ed
multi-ssl: reset the SSL backend on Curl_global_cleanup()
When cURL is compiled with support for multiple SSL backends, it is
possible to configure an SSL backend via `curl_global_sslset()`, but
only *before* `curl_global_init()` was called.

If another SSL backend should be used after that, a user might be
tempted to call `curl_global_cleanup()` to start over. However, we did
not foresee that use case and forgot to reset the SSL backend in that
cleanup.

Let's allow that use case.

Fixes #5255
Closes #5257
Reported-by: davidedec on github
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2020-04-20 09:15:47 +02:00
Andrew Kurushin
c35af29222 schannel: Fix blocking timeout logic
- Fix schannel_send for the case when no timeout was set.

Prior to this change schannel would error if the socket was not ready
to send data and no timeout was set.

This commit is similar to parent commit 89dc6e0 which recently made the
same change for SOCKS, for the same reason. Basically it was not well
understood that when Curl_timeleft returns 0 it is not a timeout of 0 ms
but actually means no timeout.

Fixes https://github.com/curl/curl/issues/5177
Closes https://github.com/curl/curl/pull/5221
2020-04-12 18:32:17 -04:00
Dirkjan Bussink
d590908318
gnutls: ensure TLS 1.3 when SRP isn't requested
When SRP is requested in the priority string, GnuTLS will disable
support for TLS 1.3. Before this change, curl would always add +SRP to
the priority list, effectively always disabling TLS 1.3 support.

With this change, +SRP is only added to the priority list when SRP
authentication is also requested. This also allows updating the error
handling here to not have to retry without SRP. This is because SRP is
only added when requested and in that case a retry is not needed.

Closes #5223
2020-04-13 00:06:02 +02:00
Jay Satiro
53f4070827 lib: fix conversion warnings for SOCKET_WRITABLE/READABLE
- If loss of data may occur converting a timediff_t to time_t and
  the time value is > TIME_T_MAX then treat it as TIME_T_MAX.

This is a follow-up to 8843678 which removed the (time_t) typecast
from the macros so that conversion warnings could be identified.

Closes https://github.com/curl/curl/pull/5199
2020-04-11 02:52:25 -04:00
Gilles Vollant
0fdf965126
schannel: support .P12 or .PFX client certificates
Used with curl command line option like this: --cert
<filename>:<password> --cert-type p12

Closes #5193
2020-04-08 14:13:12 +02:00
Daniel Stenberg
0e607542dc
cleanup: insert newline after if() conditions
Our code style mandates we put the conditional block on a separate
line. These mistakes are now detected by the updated checksrc.
2020-03-30 16:05:30 +02:00
Daniel Stenberg
02174e41f5
openssl: adapt to functions marked as deprecated since version 3
OpenSSL 3 deprecates SSL_CTX_load_verify_locations and the MD4, DES
functions we use.

Fix the MD4 and SSL_CTX_load_verify_locations warnings.

In configure, detect OpenSSL v3 and if so, inhibit the deprecation
warnings. OpenSSL v3 deprecates the DES functions we use for NTLM and
until we rewrite the code to use non-deprecated functions we better
ignore these warnings as they don't help us.

Closes #5139
2020-03-26 00:40:32 +01:00
Daniel Stenberg
cb2f57c0cd
secure transport: remove the BACKEND define kludge
Closes #5122
2020-03-19 13:22:46 +01:00
Daniel Stenberg
2efc3a424a
mbedtls: remove the BACKEND define kludge 2020-03-19 13:22:35 +01:00
Daniel Stenberg
52182e4b8f
bearssl: remove the BACKEND define kludge 2020-03-19 13:22:34 +01:00
Daniel Stenberg
5076b8668f
wolfssl: remove the BACKEND define kludge 2020-03-19 13:22:34 +01:00
Daniel Stenberg
259d62c7c0
nss: remove the BACKEND define kludge 2020-03-19 13:22:34 +01:00
Daniel Stenberg
89865c149d
gnutls: remove the BACKEND define kludge 2020-03-19 13:22:34 +01:00
Daniel Stenberg
aec0b49df3
openssl: remove the BACKEND define kludge
Use a proper variable instead to make it easier to use a debugger and
read the code.
2020-03-19 13:22:34 +01:00
Johannes Schindelin
5450428491 schannel: add "best effort" revocation check option
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
  --ssl-revoke-best-effort to allow a "best effort" revocation check.

A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.

---

When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:

	Unknown error (0x80092012) - The revocation function was unable
	to check revocation for the certificate.

Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.

This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.

In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.

Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).

To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.

Due to the many related issues Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.

The test 2070 was added to verify this behavior, adapted from 310.

Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes https://github.com/curl/curl/pull/4981
2020-03-18 03:23:39 -04:00
Viktor Szakats
7284061361 windows: suppress UI in all CryptAcquireContext() calls
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters
Reviewed-by: Marc Hörsken
Closes https://github.com/curl/curl/pull/5088
2020-03-17 23:08:02 +00:00
Daniel Stenberg
2eba5e4c7b
vtls: free ssl_config leftovers on out-of-memory
Torture testing 2034 and 2037 found this.

Reported-by: Marc Hörsken
Fixes #5108
Closes #5109
2020-03-16 08:10:30 +01:00
Daniel Stenberg
92c152c2ef
gskit: update the copyright year range
Follow-up from 083603c63a
2020-03-15 23:43:50 +01:00
Marc Hoersken
083603c63a
gskit: use our internal select wrapper for portability
Follow up to c52b342
Closes #5106
2020-03-15 23:39:40 +01:00
Daniel Stenberg
e364546fb3
version: make curl_version* thread-safe without using global context
Closes #5010
2020-03-07 12:10:11 +01:00
Daniel Stenberg
52d302ed64
polarssl: remove more references and mentions
Assisted-by: Jay Satiro
Follow-up to 6357a19ff2
Closes #5036
2020-03-05 07:57:45 +01:00
Steve Holme
9d5893105d
gtls: Fixed compilation when using GnuTLS < 3.5.0
Reverts the functionality from 41fcb4f when compiling with GnuTLS older
than 3.5.0.

Reviewed-by: Daniel Stenberg
Closes #4984
2020-02-27 15:17:57 +00:00
Daniel Stenberg
3a34b930aa
gtls: fix the copyright year
Follow-up from 41fcb4f609
2020-02-21 15:43:45 +01:00
jethrogb
41fcb4f609
GnuTLS: Always send client cert
TLS servers may request a certificate from the client. This request
includes a list of 0 or more acceptable issuer DNs. The client may use
this list to determine which certificate to send. GnuTLS's default
behavior is to not send a client certificate if there is no
match. However, OpenSSL's default behavior is to send the configured
certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL
behavior.

Authored-by: jethrogb on github
Fixes #1411
Closes #4958
2020-02-21 15:33:36 +01:00
Marcel Raad
5cd0f5cc7f
openssl: remove redundant assignment
Fixes a scan-build failure on Bionic.

Closes https://github.com/curl/curl/pull/4872
2020-02-03 14:20:51 +01:00
Pedro Monreal
4b6fd29f1a cleanup: fix typos and wording in docs and comments
Closes #4869
Reviewed-by: Emil Engler and Daniel Gustafsson
2020-02-02 18:43:01 +01:00
Daniel Stenberg
3ecdfb1958
openssl: make CURLINFO_CERTINFO not truncate x509v3 fields
Avoid "reparsing" the content and instead deliver more exactly what is
provided in the certificate and avoid truncating the data after 512
bytes as done previously. This no longer removes embedded newlines.

Fixes #4837
Reported-by: bnfp on github
Closes #4841
2020-01-23 09:25:52 +01:00
Daniel Stenberg
59c1caf7f6
wolfssl: use the wc-prefixed symbol alternatives
The symbols without wc_ prefix are not always provided.

Ref: https://github.com/wolfSSL/wolfssl/issues/2744

Closes #4827
2020-01-16 16:02:17 +01:00
Daniel Stenberg
6357a19ff2
polarssl: removed
As detailed in DEPRECATE.md, the polarssl support is now removed after
having been disabled for 6 months and nobody has missed it.

The threadlock files used by mbedtls are renamed to an 'mbedtls' prefix
instead of the former 'polarssl' and the common functions that
previously were shared between mbedtls and polarssl and contained the
name 'polarssl' have now all been renamed to instead say 'mbedtls'.

Closes #4825
2020-01-16 11:55:56 +01:00
Jay Satiro
16da8bcd71 schannel_verify: Fix alt names manual verify for UNICODE builds
Follow-up to 29e40a6 from two days ago, which added that feature for
Windows 7 and earlier. The bug only occurred in same.

Ref: https://github.com/curl/curl/pull/4761
2020-01-13 18:25:12 -05:00
Daniel Stenberg
29babeafec
misc: Copyright year out of date, should be 2020
Follow-up to recent commits

[skip ci]
2020-01-12 16:55:50 +01:00
Faizur Rahman
29e40a6d8a schannel: Make CURLOPT_CAINFO work better on Windows 7
- Support hostname verification via alternative names (SAN) in the
  peer certificate when CURLOPT_CAINFO is used in Windows 7 and earlier.

CERT_NAME_SEARCH_ALL_NAMES_FLAG doesn't exist before Windows 8. As a
result CertGetNameString doesn't quite work on those versions of
Windows. This change provides an alternative solution for
CertGetNameString by iterating through CERT_ALT_NAME_INFO for earlier
versions of Windows.

Prior to this change many certificates failed the hostname validation
when CURLOPT_CAINFO was used in Windows 7 and earlier. Most certificates
now represent multiple hostnames and rely on the alternative names field
exclusively to represent their hostnames.

Reported-by: Jeroen Ooms

Fixes https://github.com/curl/curl/issues/3711
Closes https://github.com/curl/curl/pull/4761
2020-01-11 18:23:46 -05:00
Jay Satiro
c9c551f1f9 vtls: Refactor Curl_multissl_version to make the code clearer
Reported-by: Johannes Schindelin

Ref: https://github.com/curl/curl/pull/3863#pullrequestreview-241395121

Closes https://github.com/curl/curl/pull/4803
2020-01-11 17:50:33 -05:00
Marcel Raad
291ed52122
lib: fix compiler warnings with CURL_DISABLE_VERBOSE_STRINGS
Closes https://github.com/curl/curl/pull/4775
2020-01-03 17:02:30 +01:00
Michael Forney
9024b01387 bearssl: Improve I/O handling
Factor out common I/O loop as bearssl_run_until, which reads/writes TLS
records until the desired engine state is reached. This is now used for
the handshake, read, write, and close.

Match OpenSSL SSL_write behavior, and don't return the number of bytes
written until the corresponding records have been completely flushed
across the socket. This involves keeping track of the length of data
buffered into the TLS engine, and assumes that when CURLE_AGAIN is
returned, the write function will be called again with the same data
and length arguments. This is the same requirement of SSL_write.

Handle TLS close notify as EOF when reading by returning 0.

Closes https://github.com/curl/curl/pull/4748
2019-12-31 02:43:47 -05:00
Gisle Vanem
2c0362ee04
vtls: make BearSSL possible to set with CURL_SSL_BACKEND
Ref: 9b879160df (commitcomment-36355622)

Closes #4698
2019-12-10 15:35:23 +01:00
Daniel Stenberg
564d88a8bd
openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
Closes #4655
2019-12-03 16:28:50 +01:00
Daniel Stenberg
94f1f77158
openssl: set X509_V_FLAG_PARTIAL_CHAIN
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.

Other TLS backends already accept partial chains.

Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
2019-12-03 16:28:50 +01:00
Jay Satiro
9c1806ae46 build: Disable Visual Studio warning "conditional expression is constant"
- Disable warning C4127 "conditional expression is constant" globally
  in curl_setup.h for when building with Microsoft's compiler.

This mainly affects building with the Visual Studio project files found
in the projects dir.

Prior to this change the cmake and winbuild build systems already
disabled 4127 globally for when building with Microsoft's compiler.
Also, 4127 was already disabled for all build systems in the limited
circumstance of the WHILE_FALSE macro which disabled the warning
specifically for while(0). This commit removes the WHILE_FALSE macro and
all other cruft in favor of disabling globally in curl_setup.

Background:

We have various macros that cause 0 or 1 to be evaluated, which would
cause warning C4127 in Visual Studio. For example this causes it:

    #define Curl_resolver_asynch() 1

Full behavior is not clearly defined and inconsistent across versions.
However it is documented that since VS 2015 Update 3 Microsoft has
addressed this somewhat but not entirely, not warning on while(true) for
example.

Prior to this change some C4127 warnings occurred when I built with
Visual Studio using the generated projects in the projects dir.

Closes https://github.com/curl/curl/pull/4658
2019-12-01 19:01:02 -05:00
Jay Satiro
0436d4438a openssl: retrieve reported LibreSSL version at runtime
- Retrieve LibreSSL runtime version when supported (>= 2.7.1).

For earlier versions we continue to use the compile-time version.

Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3

Closes https://github.com/curl/curl/pull/2425
2019-12-01 18:56:24 -05:00
Jay Satiro
5b22e1a5a9 strerror: Add Curl_winapi_strerror for Win API specific errors
- In all code call Curl_winapi_strerror instead of Curl_strerror when
  the error code is known to be from Windows GetLastError.

Curl_strerror prefers CRT error codes (errno) over Windows API error
codes (GetLastError) when the two overlap. When we know the error code
is from GetLastError it is more accurate to prefer the Windows API error
messages.

Reported-by: Richard Alcock

Fixes https://github.com/curl/curl/issues/4550
Closes https://github.com/curl/curl/pull/4581
2019-12-01 18:12:36 -05:00
Michael Forney
9b879160df
TLS: add BearSSL vtls implementation
Closes #4597
2019-11-26 08:32:23 +01:00
Xiaoyin Liu
0a65febccf schannel: fix --tls-max for when min is --tlsv1 or default
Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_
macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS
(CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.

Closes https://github.com/curl/curl/pull/4633
2019-11-24 03:16:26 -05:00
Jay Satiro
78cef06847 openssl: Revert to less sensitivity for SYSCALL errors
- Disable the extra sensitivity except in debug builds (--enable-debug).

- Improve SYSCALL error message logic in ossl_send and ossl_recv so that
  "No error" / "Success" socket error text isn't shown on SYSCALL error.

Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity
of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
also considered errors. For example, a server that does not send a known
protocol termination point (eg HTTP content length or chunked encoding)
_and_ does not send a TLS termination point (close_notify alert) would
cause an error if it closed the connection.

To be clear that behavior made it into release build 7.67.0
unintentionally. Several users have reported it as an issue.

Ultimately the idea is a good one, since it can help prevent against a
truncation attack. Other SSL backends may already behave similarly (such
as Windows native OS SSL Schannel). However much more of our user base
is using OpenSSL and there is a mass of legacy users in that space, so I
think that behavior should be partially reverted and then rolled out
slowly.

This commit changes the behavior so that the increased sensitivity is
disabled in all curl builds except curl debug builds (DEBUGBUILD). If
after a period of time there are no major issues then it can be enabled
in dev and release builds with the newest OpenSSL (1.1.1+), since users
using the newest OpenSSL are the least likely to have legacy problems.

Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke

Fixes https://github.com/curl/curl/issues/4624
Closes https://github.com/curl/curl/pull/4623
2019-11-22 22:29:39 -05:00
Daniel Stenberg
1f4e7dc661 openssl: improve error message for SYSCALL during connect
Reported-by: Paulo Roberto Tomasi
Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html

Closes https://github.com/curl/curl/pull/4593
2019-11-22 22:29:37 -05:00
Daniel Stenberg
8686aab694
openssl: prevent recursive function calls from ctx callbacks
Follow the pattern of many other callbacks.

Ref: #4546
Closes #4585
2019-11-12 09:40:00 +01:00
Daniel Stenberg
0bc60d91de
copyrights: fix copyright year range
.. because checksrc's copyright year check stopped working.

Ref: https://github.com/curl/curl/pull/4547

Closes https://github.com/curl/curl/pull/4549
2019-11-08 14:51:42 +01:00
Bastien Bouclet
9910d6b9a4
mbedtls: add error message for cert validity starting in the future
Closes #4552
2019-11-02 22:59:13 +01:00
Jay Satiro
9c49824902 schannel_verify: Fix concurrent openings of CA file
- Open the CA file using FILE_SHARE_READ mode so that others can read
  from it as well.

Prior to this change our schannel code opened the CA file without
sharing which meant concurrent openings (eg an attempt from another
thread or process) would fail during the time it was open without
sharing, which in curl's case would cause error:
"schannel: failed to open CA file".

Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html
Reported-by: Richard Alcock
2019-11-01 18:02:59 -04:00
Daniel Stenberg
c2b01cce5c
gtls: make gnutls_bye() not wait for response on shutdown
... as it can make it wait there for a long time for no good purpose.

Patched-by: Jay Satiro
Reported-by: Bylon2 on github
Adviced-by: Nikos Mavrogiannopoulos

Fixes #4487
Closes #4541
2019-10-31 09:10:50 +01:00
Francois Rivard
8986df802d
schannel: reverse the order of certinfo insertions
Fixes #4518
Closes #4519
2019-10-24 16:30:40 +02:00
Daniel Stenberg
1b843bb5ed
gskit: use the generic Curl_socketpair 2019-10-10 11:04:38 +02:00
julian
c7e6b71e5a vtls: Fix comment typo about macosx-version-min compiler flag
Closes https://github.com/curl/curl/pull/4425
2019-09-27 01:46:49 -04:00
Daniel Stenberg
0ab38f5fd6
openssl: use strerror on SSL_ERROR_SYSCALL
Instead of showing the somewhat nonsensical errno number, use strerror()
to provide a more relatable error message.

Closes #4411
2019-09-26 13:55:18 +02:00
Marcel Raad
527461285f
vtls: fix narrowing conversion warnings
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on
32-bit systems since commit b1616dad8f.

Closes https://github.com/curl/curl/pull/4398
2019-09-23 09:44:35 +02:00
Marcel Raad
367e4b3c4d
openssl: fix compiler warning with LibreSSL
It was already fixed for BoringSSL in commit a0f8fccb1e.
LibreSSL has had the second argument to SSL_CTX_set_min_proto_version
as uint16_t ever since the function was added in [0].

[0] 56f107201b

Closes https://github.com/curl/curl/pull/4397
2019-09-22 20:55:54 +02:00
Daniel Stenberg
3c5f9ba899
url: only reuse TLS connections with matching pinning
If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
connection should not be reused.

Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
Reported-by: Sebastian Haglund

Closes #4347
2019-09-19 14:58:24 +02:00
Daniel Stenberg
a0f8fccb1e
openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version
Follow-up to ffe34b7b59
Closes #4359
2019-09-16 08:49:51 +02:00
Daniel Stenberg
a56a47ac33
openssl: close_notify on the FTP data connection doesn't mean closure
For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!

Regression since 3f5da4e59a (7.65.0)

Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340
2019-09-13 00:10:47 +02:00
Clément Notin
ffe34b7b59
openssl: use SSL_CTX_set_<min|max>_proto_version() when available
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available.  Existing code is preserved for older versions of
OpenSSL.

Closes #4304
2019-09-10 08:11:42 +02:00
Clément Notin
9136542d33
openssl: indent, re-organize and add comments 2019-09-10 08:08:44 +02:00
Daniel Stenberg
3e8a9bfd17
openssl: build warning free with boringssl
Closes #4244
2019-08-20 19:55:06 +02:00
Peter Wu
cc5fae5dac nss: use TLSv1.3 as default if supported
SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported
range in NSS 3.45. It looks like the intention is to raise the minimum
version rather than lowering the maximum, so adjust accordingly. Note
that the caller (nss_setup_connect) initializes the version range to
(TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again.

Closes #4187
Reviewed-by: Daniel Stenberg
Reviewed-by: Kamil Dudka
2019-08-13 21:59:30 +01:00
Yiming Jing
9b5f2ad329
mesalink: implement client authentication
Closes #4184
2019-08-06 10:19:17 +02:00
Daniel Stenberg
a55faf33d4
cleanup: remove the 'numsocks' argument used in many places
It was used (intended) to pass in the size of the 'socks' array that is
also passed to these functions, but was rarely actually checked/used and
the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries
that should be used instead.

Closes #4169
2019-07-30 23:16:44 +02:00
Daniel Stenberg
ec3f6f1c36
source: remove names from source comments
Several reasons:

- we can't add everyone who's helping out so its unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code is
"owned" or "controlled" by specific persons

Assisted-by: Daniel Gustafsson
Closes #4129
2019-07-19 23:50:22 +02:00
Daniel Gustafsson
e5b371dc51 nss: inspect returnvalue of token check
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call.  Should it
return false, we should however treat it as an error and bail out.

Closes https://github.com/curl/curl/pull/4110
2019-07-17 00:52:24 -04:00
Zenju
7e8f1916d6
openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
Closes #4100
2019-07-14 16:24:46 +02:00
Daniel Gustafsson
24e92a71d5 nss: support using libnss on macOS
The file suffix for dynamically loadable objects on macOS is .dylib,
which need to be added for the module definitions in order to get the
NSS TLS backend to work properly on macOS.

Closes https://github.com/curl/curl/pull/4046
2019-07-06 23:40:21 -04:00
Daniel Gustafsson
6717102503 nss: don't set unused parameter
The value of the maxPTDs parameter to PR_Init() has since at least
NSPR 2.1, which was released sometime in 1998, been marked ignored
as is accordingly not used in the initialization code.  Setting it
to a value when calling PR_Init() is thus benign, but indicates an
intent which may be misleading. Reset the value to zero to improve
clarity.

Closes https://github.com/curl/curl/pull/4054
2019-07-06 23:37:51 -04:00
Daniel Gustafsson
2028a1a977 nss: only cache valid CRL entries
Change the logic around such that we only keep CRLs that NSS actually
ended up caching around for later deletion.  If CERT_CacheCRL() fails
then there is little point in delaying the freeing of the CRL as it
is not used.

Closes https://github.com/curl/curl/pull/4053
2019-07-06 23:32:39 -04:00
Jay Satiro
3609ab3147 docs: Fix links to OpenSSL docs
OpenSSL changed their manual locations and does not redirect to the new
locations.

Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html
Reported-by: Daniel Stenberg
2019-06-30 17:16:28 -04:00
Daniel Stenberg
c40eb3220c
openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
... since that needs UI_OpenSSL() which isn't provided when OpenSSL is
built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for
UWP (with "VC-WIN32-UWP").

Reported-by: Vasily Lobaskin
Fixes #4073
Closes #4077
2019-06-26 07:59:46 +02:00
Gergely Nagy
6c2b7d44e3
openssl: fix pubkey/signature algorithm detection in certinfo
Certinfo gives the same result for all OpenSSL versions.
Also made printing RSA pubkeys consistent with older versions.

Reported-by: Michael Wallner
Fixes #3706
Closes #4030
2019-06-18 07:57:31 +02:00
Daniel Gustafsson
03a22a26c6 openssl: remove outdated comment
OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(),
which is why we switched to CONF_modules_load_file() and introduced
a comment stating why. This behavior was however changed in OpenSSL
commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now
outdated and incorrect comment. The mentioned commit also declares
OPENSSL_config() deprecated so keep the current coding.

Closes #4033
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-17 13:11:02 +02:00
Daniel Stenberg
342a0c7ddf
wolfssl: fix key pinning build error
follow-up from deb9462ff2
2019-06-11 07:46:04 +02:00
Daniel Stenberg
4da5794d81
wolfssl: fixup for SNI use
follow-up from deb9462ff2

Closes #4007
2019-06-10 13:04:53 +02:00
Daniel Stenberg
deb9462ff2
wolfssl: refer to it as wolfSSL only
Remove support for, references to and use of "cyaSSL" from the source
and docs. wolfSSL is the current name and there's no point in keeping
references to ancient history.

Assisted-by: Daniel Gustafsson

Closes #3903
2019-06-10 09:18:16 +02:00
Marcel Raad
e23c52b329
build: fix Codacy warnings
Reduce variable scopes and remove redundant variable stores.

Closes https://github.com/curl/curl/pull/3975
2019-06-05 20:38:06 +02:00
Hubert Kario
319ae9075e nss: allow to specify TLS 1.3 ciphers if supported by NSS
Closes #3916
2019-05-27 09:04:09 +02:00
Daniel Stenberg
5c9b2e68a4
sectransp: handle errSSLPeerAuthCompleted from SSLRead()
Reported-by: smuellerDD on github
Fixes #3932
Closes #3933
2019-05-24 11:34:13 +02:00
Daniel Gustafsson
8986d3c6f4 ftp: move ftp_ccc in under featureflag
Commit e91e481612 moved ftp_ccc in under
the FTP featureflag in the UserDefined struct, but vtls callsites were
still using it unprotected.

Closes #3912
Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865
Reviewed-by: Daniel Stenberg, Marcel Raad
2019-05-21 09:38:11 +02:00
Guy Poizat
0da8441298
mbedtls: enable use of EC keys
Closes #3892
2019-05-20 19:00:59 +02:00
Marcel Raad
10db3ef21e
lib: reduce variable scopes
Fixes Codacy/CppCheck warnings.

Closes https://github.com/curl/curl/pull/3872
2019-05-20 08:51:11 +02:00
Daniel Stenberg
8ece8177f1
cleanup: remove FIXME and TODO comments
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883
2019-05-16 09:16:56 +02:00
Daniel Gustafsson
b4bb920405 vtls: fix potential ssl_buffer stack overflow
In Curl_multissl_version() it was possible to overflow the passed in
buffer if the generated version string exceeded the size of the buffer.
Fix by inverting the logic, and also make sure to not exceed the local
buffer during the string generation.

Closes #3863
Reported-by: nevv on HackerOne/curl
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
2019-05-13 20:27:50 +02:00
Ricky Leverence
3a03e59048
OpenSSL: Report -fips in version if OpenSSL is built with FIPS
Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS
define. It uses this define to determine whether to publish -fips at
the end of the version displayed. Applications that utilize the version
reported by OpenSSL will see a mismatch if they compare it to what curl
reports, as curl is not modifying the version in the same way. This
change simply adds a check to see if OPENSSL_FIPS is defined, and will
alter the reported version to match what OpenSSL itself provides. This
only appears to be applicable in versions of OpenSSL <1.1.1

Closes #3771
2019-05-08 09:30:15 +02:00
Frank Gevaerts
191ffd0708 nss: allow fifos and character devices for certificates.
Currently you can do things like --cert <(cat ./cert.crt) with (at least) the
openssl backend, but that doesn't work for nss because is_file rejects fifos.

I don't actually know if this is sufficient, nss might do things internally
(like seeking back) that make this not work, so actual testing is needed.

Closes #3807
2019-05-07 17:23:02 +02:00
Yiming Jing
6ab569ce0b
travis: upgrade the MesaLink TLS backend to v1.0.0
Closes #3823
Closes #3776
2019-05-01 23:25:05 +02:00
Daniel Stenberg
be6e281cf2
multi: provide Curl_multiuse_state to update information
As soon as a TLS backend gets ALPN conformation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.
2019-05-01 22:51:23 +02:00
Kamil Dudka
9e8f28a8f1 nss: provide more specific error messages on failed init
Closes #3808
2019-04-29 10:29:53 +02:00