1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 21:15:08 -05:00
Commit Graph

948 Commits

Author SHA1 Message Date
Daniel Stenberg
b3fbb2fb9d
openssl: avoid error conditions when importing native CA
The code section that is OpenSSL 3+ specific now uses the same logic as
is used in the version < 3 section. It caused a compiler error without
it.

Closes #5907
2020-09-02 22:47:52 +02:00
Daniel Stenberg
3acb2abdf5
vtls: make it 'struct Curl_ssl_session'
Use uppercase C for internal symbols.

Closes #5906
2020-09-02 22:41:59 +02:00
Daniel Stenberg
add7022666
schannel: make it 'struct Curl_schannel*'
As internal global names should use captical C.

Closes #5906
2020-09-02 22:41:59 +02:00
Daniel Stenberg
9b3f888a00
llist: make it "struct Curl_llist"
As internal global names should use captical C.

Closes #5906
2020-09-02 22:41:58 +02:00
Michael Baentsch
ede125b7b7
tls: add CURLOPT_SSL_EC_CURVES and --curves
Closes #5892
2020-08-30 17:24:04 +02:00
Daniel Stenberg
68a5132474
TLS: fix SRP detection by using the proper #ifdefs
USE_TLS_SRP will be true if *any* selected TLS backend can use SRP

HAVE_OPENSSL_SRP is defined when OpenSSL can use it

HAVE_GNUTLS_SRP is defined when GnuTLS can use it

Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is
set if at least one of the supported backends offers SRP.

Reported-by: Stefan Strogin
Fixes #5865
Closes #5870
2020-08-28 14:13:05 +02:00
Jay Satiro
fbe07c6829 openssl: Fix wincrypt symbols conflict with BoringSSL
OpenSSL undefines the conflicting symbols but BoringSSL does not so we
must do it ourselves.

Reported-by: Samuel Tranchet
Assisted-by: Javier Blazquez

Ref: https://bugs.chromium.org/p/boringssl/issues/detail?id=371
Ref: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1g/include/openssl/ossl_typ.h#L66-L73

Fixes https://github.com/curl/curl/issues/5669
Closes https://github.com/curl/curl/pull/5857
2020-08-26 23:24:41 -04:00
fullincome
01e2679b49
schannel: fix memory leak when using get_cert_location
The get_cert_location function allocates memory only on success.
Previously get_cert_location was able to allocate memory and return
error. It wasn't obvious and in this case the memory wasn't
released.

Fixes #5855
Closes #5860
2020-08-26 22:54:11 +02:00
Daniel Stenberg
80d73bcca2
tls: provide the CApath verbose log on its own line
... not newline separated from the previous line. This makes it output
asterisk prefixed properly like other verbose putput!

Reported-by: jmdavitt on github
Fixes #5826
Closes #5827
2020-08-19 15:55:50 +02:00
Daniel Stenberg
aecce3551c
ftp: don't do ssl_shutdown instead of ssl_close
The shutdown function is for downgrading a connection from TLS to plain,
and this is not requested here.

Have ssl_close reset the TLS connection state.

This partially reverts commit f002c850d9

Reported-by: Rasmus Melchior Jacobsen
Reported-by: Denis Goleshchikhin
Fixes #5797
2020-08-10 14:32:06 +02:00
Daniel Stenberg
a0c461434c
gtls: survive not being able to get name/issuer
Closes #5778
2020-08-05 14:44:48 +02:00
Cameron Cawley
790137b0f7
win32: Add Curl_verify_windows_version() to curlx
Closes https://github.com/curl/curl/pull/5754
2020-08-02 17:58:44 +02:00
Marcel Raad
c71d8bb56d
openssl: fix build with LibreSSL < 2.9.1
`SSL_CTX_add0_chain_cert` and `SSL_CTX_clear_chain_certs` were
introduced in LibreSSL 2.9.1 [0].

[0] 0db809ee17

Closes https://github.com/curl/curl/pull/5757
2020-08-01 17:47:32 +02:00
Marcel Raad
0c6112a139
WIN32: stop forcing narrow-character API
Except where the results are only used for character output.
getenv is not touched because it's part of the public API, and having
it return UTF-8 instead of ANSI would be a breaking change.

Fixes https://github.com/curl/curl/issues/5658
Fixes https://github.com/curl/curl/issues/5712
Closes https://github.com/curl/curl/pull/5718
2020-07-27 10:42:38 +02:00
Baruch Siach
2f5d0e497e
nss: fix build with disabled proxy support
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.

Closes #5667
2020-07-14 23:42:20 +02:00
Baruch Siach
81bf2713ae
bearssl: fix build with disabled proxy support
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.

Reviewed-by: Nicolas Sterchele
Closes #5666
2020-07-12 16:22:38 +02:00
Alex Kiernan
0fda8db95c
gnutls: repair the build with CURL_DISABLE_PROXY
`http_proxy`/`proxy_ssl`/`tunnel_proxy` will not be available in `conn`
if `CURL_DISABLE_PROXY` is enabled.  Repair the build with that
configuration.

Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Closes #5645
2020-07-04 00:18:43 +02:00
Alex Kiernan
691df98d51 gnutls: Fetch backend when using proxy
Fixes: 89865c149 ("gnutls: remove the BACKEND define kludge")
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
2020-07-03 14:11:37 +01:00
Daniel Stenberg
9bfe665913
vtls: compare cert blob when finding a connection to reuse
Reported-by: Gergely Nagy
Fixes #5617
Closes #5619
2020-06-29 09:01:55 +02:00
Daniel Stenberg
032e838b73
terminology: call them null-terminated strings
Updated terminology in docs, comments and phrases to refer to C strings
as "null-terminated". Done to unify with how most other C oriented docs
refer of them and what users in general seem to prefer (based on a
single highly unscientific poll on twitter).

Reported-by: coinhubs on github
Fixes #5598
Closes #5608
2020-06-28 00:31:24 +02:00
Baruch Siach
989e6dffc5
mbedtls: fix build with disabled proxy support
Don't reference fields that do not exist. Fixes build failure:

vtls/mbedtls.c: In function 'mbed_connect_step1':
vtls/mbedtls.c:249:54: error: 'struct connectdata' has no member named 'http_proxy'

Closes #5615
2020-06-26 14:20:20 +02:00
Javier Blazquez
ae3d1e04f6 openssl: Fix compilation on Windows when ngtcp2 is enabled
- Include wincrypt before OpenSSL includes so that the latter can
  properly handle any conflicts between the two.

Closes https://github.com/curl/curl/pull/5606
2020-06-25 03:11:46 -04:00
Jay Satiro
abbc5d6044 openssl: Don't ignore CA paths when using Windows CA store
This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
locations. Instead the CA store can now be used at the same time.

The change is due to the impending release. The issue is still being
discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
is now documented as experimental.

Ref: bc052cc (parent commit)
Ref: https://github.com/curl/curl/issues/5585
2020-06-22 15:31:38 -04:00
Jay Satiro
c9c31b9245 openssl: Fix CA fallback logic for OpenSSL 3.0 build
Prior to this change I assume a build error would occur when
CURL_CA_FALLBACK was used.

Closes https://github.com/curl/curl/pull/5587
2020-06-22 12:24:57 -04:00
Ruurd Beerstra
d80d419d3e
ntlm: enable NTLM support with wolfSSL
When wolfSSL is built with its OpenSSL API layer, it fetures the same DES*
functions that OpenSSL has. This change take advantage of that.

Co-authored-by: Daniel Stenberg
Closes #5556
Fixes #5548
2020-06-16 09:06:19 +02:00
François Rigault
e2de2d5397
openssl: set FLAG_TRUSTED_FIRST unconditionally
On some systems, openssl 1.0.x is still the default, but it has been
patched to contain all the recent security fixes. As a result of this
patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be
defined, while the previous behavior of openssl to not look at trusted
chains first, remains.

Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to
probe for the behavior of openssl based on the existence ofmacros.

Closes #5530
2020-06-06 18:01:24 +02:00
Saleem Abdulrasool
21ed48e8d9
vtls: repair the build with CURL_DISABLE_PROXY
`http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY`
is enabled.  Repair the build with that configuration.

Follow-up to f3d501dc67

Closes #5498
2020-06-01 23:03:31 +02:00
Daniel Stenberg
f3d501dc67
build: disable more code/data when built without proxy support
Added build to travis to verify

Closes #5466
2020-05-30 23:18:16 +02:00
Daniel Stenberg
842f73de58
timeouts: change millisecond timeouts to timediff_t from time_t
For millisecond timers we like timediff_t better. Also, time_t can be
unsigned so returning a negative value doesn't work then.

Closes #5479
2020-05-30 23:10:57 +02:00
Peter Wu
7be7c56be9 wolfssl: add SSLKEYLOGFILE support
Tested following the same curl and tshark commands as in commit
"vtls: Extract and simplify key log file handling from OpenSSL" using
WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with
`./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`.

Full support for this feature requires certain wolfSSL build options,
see "Availability note" in lib/vtls/wolfssl.c for details.

Closes #5327
2020-05-27 21:19:51 +02:00
Peter Wu
6011a986ca vtls: Extract and simplify key log file handling from OpenSSL
Create a set of routines for TLS key log file handling to enable reuse
with other TLS backends. Simplify the OpenSSL backend as follows:

 - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
 - Do not perform dynamic memory allocation when preparing a log entry.
   Unless the TLS specifications change we can suffice with a reasonable
   fixed-size buffer.
 - Simplify state tracking when SSL_CTX_set_keylog_callback is
   unavailable. My original sslkeylog.c code included this tracking in
   order to handle multiple calls to SSL_connect and detect new keys
   after renegotiation (via SSL_read/SSL_write). For curl however we can
   be sure that a single master secret eventually becomes available
   after SSL_connect, so a simple flag is sufficient. An alternative to
   the flag is examining SSL_state(), but this seems more complex and is
   not pursued. Capturing keys after server renegotiation was already
   unsupported in curl and remains unsupported.

Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
(`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
against an OpenSSL 1.1.1f server configured with:

    # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
    openssl s_server -www -tls1
    # Likewise, but fail the server handshake.
    openssl s_server -www -tls1 -Verify 2
    # TLS 1.3 test. No need to test the failing server handshake.
    openssl s_server -www -tls1_3

Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
written using Wireshark. For the first and third case, expect four
matches per connection (decrypted Server Finished, Client Finished, HTTP
Request, HTTP Response). For the second case where the handshake fails,
expect a decrypted Server Finished only.

    tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
        -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
        -dtls.port==4433,http -ohttp.desegment_body:FALSE \
        -Y 'tls.handshake.verify_data or http'

A single connection can easily be identified via the `tcp.stream` field.
2020-05-27 21:19:51 +02:00
Daniel Stenberg
d23cc224e6
cleanup: use a single space after equals sign in assignments 2020-05-26 08:28:38 +02:00
Viktor Szakats
308c243db5
all: fix codespell errors
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
2020-05-25 19:44:04 +00:00
Gilles Vollant
cac5374298
setopt: support certificate options in memory with struct curl_blob
This change introduces a generic way to provide binary data in setopt
options, called BLOBs.

This change introduces these new setopts:

CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.

Reviewed-by: Daniel Stenberg
Closes #5357
2020-05-15 13:03:59 +02:00
Daniel Stenberg
8df455479f
source cleanup: remove all custom typedef structs
- Stick to a single unified way to use structs
 - Make checksrc complain on 'typedef struct {'
 - Allow them in tests, public headers and examples

 - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
   typedef different types/structs depending on build conditions.

Closes #5338
2020-05-15 08:54:42 +02:00
Marcel Raad
a55c835e6b
curl_multibyte: add to curlx
This will also be needed in the tool and tests.

Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512
Closes https://github.com/curl/curl/pull/3784
2020-05-14 18:13:27 +02:00
Daniel Stenberg
66b0775763
checksrc: enhance the ASTERISKSPACE and update code accordingly
Fine: "struct hello *world"

Not fine: "struct hello* world" (and variations)

Closes #5386
2020-05-14 00:02:05 +02:00
Daniel Stenberg
81a54b12c6
OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.

Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
2020-05-13 16:39:36 +02:00
Gilles Vollant
148534db57
CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl)
Closes #4346
2020-05-08 15:55:04 +02:00
Emil Engler
42d8d9a7e8
GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
Closes #5287
2020-04-30 14:40:54 +02:00
Daniel Stenberg
d39b4128d5
schannel: source code reindent
White space edits only. Conform better to standard curl source code
indenting style.

Closes #5305
2020-04-29 14:43:59 +02:00
Daniel Stenberg
cad15b9f92
nss: check for PK11_CreateDigestContext() returning NULL
... to avoid crashes!

Reported-by: Hao Wu
Fixes #5302
Closes #5303
2020-04-27 16:25:59 +02:00
Daniel Stenberg
a96c7529eb
select: make Curl_socket_check take timediff_t timeout
Coverity found CID 1461718:

Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms >
9223372036854775807L" is always false regardless of the values of its
operands. This occurs as the logical second operand of "||".

Closes #5240
2020-04-23 15:57:23 +02:00
Emil Engler
2d137dedb3
GnuTLS: Don't skip really long certificate fields
Closes #5271
2020-04-21 08:10:55 +02:00
Daniel Stenberg
0891fe7ade
gnutls: bump lowest supported version to 3.1.10
GnuTLS 3.1.10 added new functions we want to use. That version was
released on Mar 22, 2013. Removing support for older versions also
greatly simplifies the code.

Ref: #5271
Closes #5276
2020-04-21 08:09:41 +02:00
Daniel Gustafsson
10822c652c lib: fix typos in comments and errormessages
This fixes a few randomly spotted typos in recently merged code, most
notably one in a userfacing errormessage the schannel code.
2020-04-20 10:12:22 +02:00
Johannes Schindelin
ff7a3107ed
multi-ssl: reset the SSL backend on Curl_global_cleanup()
When cURL is compiled with support for multiple SSL backends, it is
possible to configure an SSL backend via `curl_global_sslset()`, but
only *before* `curl_global_init()` was called.

If another SSL backend should be used after that, a user might be
tempted to call `curl_global_cleanup()` to start over. However, we did
not foresee that use case and forgot to reset the SSL backend in that
cleanup.

Let's allow that use case.

Fixes #5255
Closes #5257
Reported-by: davidedec on github
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2020-04-20 09:15:47 +02:00
Andrew Kurushin
c35af29222 schannel: Fix blocking timeout logic
- Fix schannel_send for the case when no timeout was set.

Prior to this change schannel would error if the socket was not ready
to send data and no timeout was set.

This commit is similar to parent commit 89dc6e0 which recently made the
same change for SOCKS, for the same reason. Basically it was not well
understood that when Curl_timeleft returns 0 it is not a timeout of 0 ms
but actually means no timeout.

Fixes https://github.com/curl/curl/issues/5177
Closes https://github.com/curl/curl/pull/5221
2020-04-12 18:32:17 -04:00
Dirkjan Bussink
d590908318
gnutls: ensure TLS 1.3 when SRP isn't requested
When SRP is requested in the priority string, GnuTLS will disable
support for TLS 1.3. Before this change, curl would always add +SRP to
the priority list, effectively always disabling TLS 1.3 support.

With this change, +SRP is only added to the priority list when SRP
authentication is also requested. This also allows updating the error
handling here to not have to retry without SRP. This is because SRP is
only added when requested and in that case a retry is not needed.

Closes #5223
2020-04-13 00:06:02 +02:00
Jay Satiro
53f4070827 lib: fix conversion warnings for SOCKET_WRITABLE/READABLE
- If loss of data may occur converting a timediff_t to time_t and
  the time value is > TIME_T_MAX then treat it as TIME_T_MAX.

This is a follow-up to 8843678 which removed the (time_t) typecast
from the macros so that conversion warnings could be identified.

Closes https://github.com/curl/curl/pull/5199
2020-04-11 02:52:25 -04:00