1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 06:25:03 -05:00
Commit Graph

759 Commits

Author SHA1 Message Date
Jay Satiro
20c727ec4c polarssl: Fix exclusive SSL protocol version options
Prior to this change the options for exclusive SSL protocol versions did
not actually set the protocol exclusive.

http://curl.haxx.se/mail/lib-2015-01/0002.html
Reported-by: Dan Fandrich
2015-02-09 10:39:17 +01:00
Jay Satiro
9956ef2d33 gskit: Fix exclusive SSLv3 option 2015-02-09 10:38:46 +01:00
Steve Holme
761d5166af schannel: Removed curl_ prefix from source files
Removed the curl_ prefix from the schannel source files as discussed
with Marc and Daniel at FOSDEM.
2015-02-07 21:34:33 +00:00
Daniel Stenberg
d557da5d79 axtls: fix conversion from size_t to int warning 2015-02-06 14:26:32 +01:00
Daniel Stenberg
45b9b62de4 openssl: SSL_SESSION->ssl_version no longer exist
The struct went private in 1.0.2 so we cannot read the version number
from there anymore. Use SSL_version() instead!

Reported-by: Gisle Vanem
Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
2015-02-05 11:57:33 +01:00
Steve Holme
28c9e1edf4 schannel: Prefer 'CURLcode result' for curl result codes 2015-02-04 00:07:16 +00:00
Marc Hoersken
4161624e94 TODO: moved WinSSL/SChannel todo items into docs 2015-01-31 12:30:11 +01:00
Steve Holme
e1bb13c09f openssl: Fixed Curl_ossl_cert_status_request() not returning FALSE
Modified the Curl_ossl_cert_status_request() function to return FALSE
when built with BoringSSL or when OpenSSL is missing the necessary TLS
extensions.
2015-01-27 12:53:41 +00:00
Steve Holme
a268a804b7 openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'
Fixed the build of openssl.c when OpenSSL is built without the necessary
TLS extensions for OCSP stapling.

Reported-by: John E. Malmberg
2015-01-27 12:47:48 +00:00
Daniel Stenberg
23c6f0a344 OCSP stapling: disabled when build with BoringSSL 2015-01-22 23:34:43 +01:00
Alessandro Ghedini
d1cf5d5706 openssl: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066
section 8.

Thanks-to: Joe Mason
- for the work-around for the OpenSSL bug.
2015-01-22 23:25:23 +01:00
Daniel Stenberg
d6c4695dcd BoringSSL: no PKCS12 support nor ERR_remove_state 2015-01-22 16:39:01 +01:00
Leith Bade
261208d432 BoringSSL: fix build 2015-01-22 16:39:01 +01:00
Daniel Stenberg
be57f689b0 openssl: do public key pinning check independently
... of the other cert verification checks so that you can set verifyhost
and verifypeer to FALSE and still check the public key.

Bug: http://curl.haxx.se/bug/view.cgi?id=1471
Reported-by: Kyle J. McKay
2015-01-19 23:20:13 +01:00
Steve Holme
1d25acb038 gskit.h: Code policing of function pointer arguments 2015-01-17 17:02:01 +00:00
Steve Holme
5d5c78b47f vtls: Removed unimplemented overrides of curlssl_close_all()
Carrying on from commit 037cd0d991, removed the following unimplemented
instances of curlssl_close_all():

Curl_axtls_close_all()
Curl_darwinssl_close_all()
Curl_cyassl_close_all()
Curl_gskit_close_all()
Curl_gtls_close_all()
Curl_nss_close_all()
Curl_polarssl_close_all()
2015-01-17 16:41:03 +00:00
Steve Holme
8bb3443a21 vtls: Separate the SSL backend definition from the API setup
Slight code cleanup as the SSL backend #define is mixed up with the API
function setup.
2015-01-17 15:38:22 +00:00
Steve Holme
30ef1a0779 vtls: Fixed compilation errors when SSL not used
Fixed the following warning and error from commit 3af90a6e19 when SSL
is not being used:

url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined;
            assuming extern returning int

error LNK2019: unresolved external symbol Curl_ssl_cert_status_request
               referenced in function Curl_setopt
2015-01-17 15:16:07 +00:00
Daniel Stenberg
a4065ebf1c copyright years: after OCSP stapling changes 2015-01-16 23:23:29 +01:00
Alessandro Ghedini
f46c6fbee0 nss: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.

This requires NSS 3.15 or higher.
2015-01-16 23:23:29 +01:00
Alessandro Ghedini
f13669a375 gtls: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.

This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use
at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP
response verfication to fail even on valid responses.
2015-01-16 23:23:29 +01:00
Alessandro Ghedini
3af90a6e19 url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.

This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.
2015-01-16 23:23:29 +01:00
Marc Hoersken
e9834808e9 curl_schannel.c: mark session as removed from cache if not freed
If the session is still used by active SSL/TLS connections, it
cannot be closed yet. Thus we mark the session as not being cached
any longer so that the reference counting mechanism in
Curl_schannel_shutdown is used to close and free the session.

Reported-by: Jean-Francois Durand
2015-01-12 21:56:05 +01:00
Daniel Stenberg
e6b4b4b66d NSS: fix compiler error when built http2-enabled 2015-01-09 21:55:52 +01:00
Daniel Stenberg
4ce22c607b darwinssl: fix session ID keys to only reuse identical sessions
...to avoid a session ID getting cached without certificate checking and
then after a subsequent _enabling_ of the check libcurl could still
re-use the session done without cert checks.

Bug: http://curl.haxx.se/docs/adv_20150108A.html
Reported-by: Marc Hesse
2015-01-07 22:55:56 +01:00
Steve Holme
e9d0c7a6f3 vtls: Use '(void) arg' for unused parameters
Prefer void for unused parameters, rather than assigning an argument to
itself as a) unintelligent compilers won't optimize it out, b) it can't
be used for const parameters, c) it will cause compilation warnings for
clang with -Wself-assign and d) is inconsistent with other areas of the
curl source code.
2014-12-30 17:13:07 +00:00
Steve Holme
1933f9d33c schannel: Moved the ISC return flag definitions to the SSPI module
Moved our Initialize Security Context return attribute definitions to
the SSPI module, as a) these can be used by other SSPI based providers
and b) the ISC required attributes are defined there.
2014-12-30 00:14:58 +00:00
Steve Holme
cfc863869f darwinssl: Fixed compilation warning
vtls.c:683:43: warning: unused parameter 'data'
2014-12-28 23:32:07 +00:00
Steve Holme
037cd0d991 vtls: Fixed compilation warning and an ignored return code
curl_schannel.h:123: warning: right-hand operand of comma expression
                     has no effect

Some instances of the curlssl_close_all() function were declared with a
void return type whilst others as int. The schannel version returned
CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
return code was ignored by the calling function Curl_ssl_close_all().

For the time being and to keep the internal API consistent, changed all
declarations to use a void return type.

To reduce code we might want to consider removing the unimplemented
versions and use a void #define like schannel does.
2014-12-28 17:33:01 +00:00
Steve Holme
2728caa613 nss: Don't ignore Curl_extract_certinfo() OOM failure 2014-12-27 22:18:08 +00:00
Steve Holme
0943045108 nss: Don't ignore Curl_ssl_init_certinfo() OOM failure 2014-12-27 21:25:41 +00:00
Steve Holme
b235c29366 nss: Use 'CURLcode result' for curl result codes
...and don't use CURLE_OK in failure/success comparisons.
2014-12-27 21:13:44 +00:00
Steve Holme
e0d265d3eb darwinssl: Use 'CURLcode result' for curl result codes 2014-12-27 17:36:35 +00:00
Steve Holme
98d37c5a0c polarssl: Use 'CURLcode result' for curl result codes 2014-12-27 17:30:51 +00:00
Steve Holme
cdc1cc22e7 vtls: Don't set cert info count until memory allocation is successful
Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs
member variable to the requested count, which could then be used
incorrectly as libcurl closes down.
2014-12-26 13:11:43 +00:00
Steve Holme
fe43a662a2 vtls: Use CURLcode for Curl_ssl_init_certinfo() return type
The return type for this function was 0 on success and 1 on error. This
was then examined by the calling functions and, in most cases, used to
return CURLE_OUT_OF_MEMORY.

Instead use CURLcode for the return type and return the out of memory
error directly, propagating it up the call stack.
2014-12-26 13:11:40 +00:00
Steve Holme
6cb7b0c0ac vtls: Use bool for Curl_ssl_getsessionid() return type
The return type of this function is a boolean value, and even uses a
bool internally, so use bool in the function declaration as well as
the variables that store the return value, to avoid any confusion.
2014-12-25 17:15:15 +00:00
Steve Holme
38aaf6c380 schannel: Minor code style policing for casts 2014-12-25 13:48:44 +00:00
Steve Holme
ed4c0b53cc schannel: Prefer 'CURLcode result' for curl result codes 2014-12-25 13:45:29 +00:00
Steve Holme
95f78b2b56 cyassl: Prefer 'CURLcode result' for curl result codes 2014-12-25 13:45:27 +00:00
Steve Holme
8830df8b66 gtls: Use preferred 'CURLcode result' 2014-12-24 17:25:35 +00:00
Steve Holme
2568928070 openssl: Prefer we don't use NULL in comparisons 2014-12-24 16:14:33 +00:00
Steve Holme
a4d9158509 openssl.c Fix for compilation errors with older versions of OpenSSL
openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
2014-12-23 00:16:07 +00:00
Daniel Stenberg
6dae798824 openssl: fix SSL/TLS versions in verbose output 2014-12-22 14:21:17 +01:00
Daniel Stenberg
577286e0e2 openssl: make it compile against openssl 1.1.0-DEV master branch 2014-12-22 14:21:17 +01:00
Daniel Stenberg
03e206d18a openssl: warn for SRP set if SSLv3 is used, not for TLS version
... as it requires TLS and it was was left to warn on the default from
when default was SSL...
2014-12-21 23:25:49 +01:00
Nick Zitzmann
93227ddca5 darwinssl: fix incorrect usage of aprintf()
Commit b13923f changed an snprintf() to use aprintf(), but the API usage
wasn't correct, and was causing a crash to occur. This fixes it.
2014-12-15 00:56:09 -06:00
Daniel Stenberg
b13923f0f7 darwinssl: aprintf() to allocate the session key
... to avoid using a fixed memory size that risks being too large or too
small.
2014-12-14 17:34:02 +01:00
Marc Hoersken
212e3e26bc curl_schannel: Improvements to memory re-allocation strategy
- do not grow memory by doubling its size
- do not leak previously allocated memory if reallocation fails
- replace while-loop with a single check to make sure
  that the requested amount of data fits into the buffer

Bug: http://curl.haxx.se/bug/view.cgi?id=1450
Reported-by: Warren Menzer
2014-12-14 17:27:31 +01:00
Marc Hoersken
c98b50753f curl_schannel.c: Data may be available before connection shutdown 2014-12-14 16:40:49 +01:00
Daniel Stenberg
145c263a4b schannel_recv: return the correct code
Bug: http://curl.haxx.se/bug/view.cgi?id=1462
Reported-by: Tae Hyoung Ahn
2014-12-09 11:46:11 +01:00
Daniel Stenberg
680d5fd041 http2: avoid logging neg "failure" if h2 was not requested 2014-12-09 00:09:24 +01:00
Daniel Stenberg
26b57832fe NSS: enable the CAPATH option
Bug: http://curl.haxx.se/bug/view.cgi?id=1457
Patch-by: Tomasz Kojm
2014-12-03 06:21:29 -08:00
be1a505189 SSL: Add PEM format support for public key pinning 2014-11-24 19:30:09 +01:00
Steve Holme
bfc63bfb19 vtls.h: Fixed compiler warning when compiled without SSL
vtls.c:185:46: warning: unused parameter 'data'
2014-11-09 18:09:58 +00:00
Jay Satiro
e819c3a4ca SSL: PolarSSL default min SSL version TLS 1.0
- Prior to this change no SSL minimum version was set by default at
runtime for PolarSSL. Therefore in most cases PolarSSL would probably
have defaulted to a minimum version of SSLv3 which is no longer secure.
2014-11-04 11:40:51 +01:00
Steve Holme
b04eef1318 openssl: Use 'CURLcode result'
More CURLcode fixes.
2014-11-02 00:14:07 +00:00
Steve Holme
f0b4bc12f8 openssl: Use 'CURLcode result'
More standardisation of CURLcode usage and coding style.
2014-11-01 17:16:42 +00:00
Steve Holme
14b4707d9a openssl: Use 'CURLcode result'
...and some minor code style changes.
2014-11-01 16:14:05 +00:00
Steve Holme
befbc8f56b code cleanup: Use 'CURLcode result' 2014-10-30 23:14:45 +00:00
Daniel Stenberg
697aa67d18 openssl: enable NPN separately from ALPN
... and allow building with nghttp2 but completely without NPN and ALPN,
as nghttp2 can still be used for plain-text HTTP.

Reported-by: Lucas Pardue
2014-10-29 22:42:46 +01:00
Steve Holme
32913182dc vtls.c: Fixed compilation warning
conversion from 'size_t' to 'unsigned int', possible loss of data
2014-10-29 19:12:27 +00:00
Kamil Dudka
3f430c9c3a nss: drop the code for libcurl-level downgrade to SSLv3
This code was already deactivated by commit
ec783dc142.
2014-10-29 14:34:46 +01:00
Kamil Dudka
07048941a4 openssl: fix a line length warning 2014-10-29 14:34:46 +01:00
Guenter Knauf
357a15a649 Fixed error message since we require ALPN support. 2014-10-29 01:37:18 +01:00
Guenter Knauf
e42e3a4fac Check for ALPN via OpenSSL version number.
This check works also with to non-configure platforms.
2014-10-29 00:59:38 +01:00
Nick Zitzmann
bd87aec5a7 darwinssl: detect possible future removal of SSLv3 from the framework
If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3.
2014-10-24 18:59:13 -05:00
Patrick Monnerat
3ca560439c gskit.c: remove SSLv3 from SSL default. 2014-10-24 16:08:21 +02:00
Patrick Monnerat
897ef500e5 gskit.c: use 'CURLcode result' 2014-10-24 15:16:05 +02:00
Jay Satiro
ec783dc142 SSL: Remove SSLv3 from SSL default due to POODLE attack
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
openssl effectively making the default TLS 1.x. axTLS is not affected
since it supports only TLS, and gnutls is not affected since it already
defaults to TLS 1.x.

- Update CURLOPT_SSLVERSION doc
2014-10-24 13:41:56 +02:00
Daniel Stenberg
0eb3d15ccb code cleanup: we prefer 'CURLcode result'
... for the local variable name in functions holding the return
code. Using the same name universally makes code easier to read and
follow.

Also, unify code for checking for CURLcode errors with:

 if(result) or if(!result)

instead of

 if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-24 08:23:19 +02:00
Daniel Stenberg
9f5744a72f gnutls: removed dead code
Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien
2014-10-23 10:01:58 +02:00
Daniel Stenberg
e36115d688 Curl_rand: Uninitialized variable: r
This is not actually used uninitialized but we silence warnings.

Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien
2014-10-23 10:01:36 +02:00
Kamil Dudka
0aecdf6828 nss: reset SSL handshake state machine
... when the handshake succeeds

This fixes a connection failure when FTPS handle is reused.
2014-10-20 18:55:51 +02:00
Patrick Monnerat
473322ec66 Implement pinned public key in GSKit backend 2014-10-14 14:58:26 +02:00
Daniel Stenberg
9d64ab7d5a pinning: minor code style policing 2014-10-13 22:22:49 +02:00
Patrick Monnerat
357ff4d1dc Factorize pinned public key code into generic file handling and backend specific 2014-10-13 18:34:51 +02:00
Patrick Monnerat
265b9a2e49 vtls: remove QsoSSL 2014-10-13 16:33:47 +02:00
Patrick Monnerat
ec8330b21d gskit: supply dummy randomization function 2014-10-13 15:02:58 +02:00
Patrick Monnerat
8fdf832e5f vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementation 2014-10-13 14:39:50 +02:00
Daniel Stenberg
6637b237e6 vtls: have vtls.h include the backend header files
It turned out some features were not enabled in the build since for
example url.c #ifdefs on features that are defined on a per-backend
basis but vtls.h didn't include the backend headers.

CURLOPT_CERTINFO was one such feature that was accidentally disabled.
2014-10-09 22:34:34 +02:00
Kamil Dudka
9e37a7f9a5 nss: do not fail if a CRL is already cached
This fixes a copy-paste mistake from commit 2968f957.
2014-10-08 17:31:04 +02:00
e644866caf GnuTLS: Implement public key pinning 2014-10-07 14:55:39 +02:00
93e450793c SSL: implement public key pinning
Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).

Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().

Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der
2014-10-07 14:44:19 +02:00
Marc Hoersken
330346d51c curl_schannel.c: Fixed possible memory or handle leak
First try to fix possible memory leaks, in this case:
Only connssl->ctxt xor onnssl->cred being initialized.
2014-10-04 18:24:23 +02:00
Daniel Stenberg
d57d041d67 curlssl: make tls backend symbols use curlssl in the name 2014-09-13 15:31:12 +02:00
Daniel Stenberg
4c2e40a488 url: let the backend decide CURLOPT_SSL_CTX_ support
... to further remove specific TLS backend knowledge from url.c
2014-09-13 15:28:08 +02:00
Daniel Stenberg
7494f0f498 vtls: have the backend tell if it supports CERTINFO 2014-09-13 15:11:26 +02:00
Daniel Stenberg
8250f93d41 CURLOPT_CAPATH: return failure if set without backend support 2014-09-13 14:56:27 +02:00
Paul Howarth
785395b07e openssl: build fix for versions < 0.9.8e
Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
2014-09-10 13:09:42 +02:00
Daniel Stenberg
921a0c22a6 polarassl: avoid memset() when clearing the first byte is enough 2014-09-08 10:11:34 +02:00
Catalin Patulea
af45542cfe polarssl: support CURLOPT_CAPATH / --capath
Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
2014-09-08 10:09:54 +02:00
Vilmos Nebehaj
fd1ce3856a darwinssl: Use CopyCertSubject() to check CA cert.
SecCertificateCopyPublicKey() is not available on iPhone. Use
CopyCertSubject() instead to see if the certificate returned by
SecCertificateCreateWithData() is valid.

Reported-by: Toby Peterson
2014-09-04 19:00:02 -05:00
Andre Heinecke
e608324f9f polarssl: implement CURLOPT_SSLVERSION
Forwards the setting as minimum ssl version (if set) to polarssl.  If
the server does not support the requested version the SSL Handshake will
fail.

Bug: http://curl.haxx.se/bug/view.cgi?id=1419
2014-09-01 22:42:58 +02:00
Vilmos Nebehaj
0426670f0a Check CA certificate in curl_darwinssl.c.
SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even
if the buffer holds an invalid or corrupt certificate. Call
SecCertificateCopyPublicKey() to make sure cacert is a valid
certificate.
2014-09-01 00:34:37 +02:00
Vilmos Nebehaj
4c134bcfce Fix CA certificate bundle handling in darwinssl.
If the --cacert option is used with a CA certificate bundle that
contains multiple CA certificates, iterate through it, adding each
certificate as a trusted root CA.
2014-08-30 20:10:07 +02:00
Steve Holme
98633c2a19 openssl.c: Fixed longer than 79 columns 2014-08-22 07:44:03 +01:00
Steve Holme
bdfc75e751 openssl.c: Fixed compilation warning
warning: declaration of 'minor' shadows a global declaration
2014-08-21 20:37:29 +01:00
Jose Alf
fc5a5a4f07 openssl: fix version report for the 0.9.8 branch
Fixed libcurl to correctly output the newer versions of OpenSSL 0.9.8,
starting from openssl-0.9.8za.
2014-08-13 08:49:19 +02:00
Steve Holme
cda4aaba4d schannel: Fixed compilation warning in vtls.c
vtls.c:688:43: warning: unused parameter 'data'
2014-08-08 21:34:05 +01:00
Daniel Stenberg
7d2f61f66a openssl: replace call to OPENSSL_config
OPENSSL_config() is "strongly recommended" to use but unfortunately that
function makes an exit() call on wrongly formatted config files which
makes it hard to use in some situations. OPENSSL_config() itself calls
CONF_modules_load_file() and we use that instead and we ignore its
return code!

Reported-by: Jan Ehrhardt
Bug: http://curl.haxx.se/bug/view.cgi?id=1401
2014-08-07 12:40:31 +02:00
Toby Peterson
0e452a02f1 darwinssl: don't use strtok()
The GetDarwinVersionNumber() function uses strtok, which is not
thread-safe.
2014-08-05 08:58:49 +02:00
Daniel Stenberg
ea6d371e7c Curl_ossl_version: adapted to detect BoringSSL
This seems to be the way it should work. Right now we can't build with
BoringSSL and try this out properly due to a minor API breakage.
2014-08-05 00:29:37 +02:00
Daniel Stenberg
7efff86639 Curl_ossl_version: detect and show libressl
LibreSSL is otherwise OpenSSL API compliant (so far)
2014-08-04 23:54:44 +02:00
Dan Fandrich
4d4dd7aea0 gtls: only define Curl_gtls_seed if Nettle is not being used 2014-08-03 11:18:08 +02:00
Dan Fandrich
cac1dd58a8 ssl: provide Curl_ssl_backend even if no SSL library is available 2014-08-03 10:43:31 +02:00
Daniel Stenberg
b9f6ca1d32 openssl: make ossl_send return CURLE_OK better
Previously it only returned a CURLcode for errors, which is when it
returns a different size than what was passed in to it.

The http2 code only checked the curlcode and thus failed.
2014-08-01 00:01:02 +02:00
Marcel Raad
f8f2188888 schannel: use CryptGenRandom for random numbers
This function is available for every Windows version since Windows 95/NT.

reference:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942.aspx
2014-07-31 13:10:54 +02:00
Daniel Stenberg
a439e438f3 ssl: generalize how the ssl backend identifier is set
Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS
one which was missing previously.
2014-07-31 12:19:51 +02:00
Dan Fandrich
028a408d57 axtls: define curlssl_random using axTLS's PRNG 2014-07-31 01:12:38 +02:00
Dan Fandrich
3d5be801b9 cyassl: fix the test for ASN_NO_SIGNER_E
It's an enum so a macro test won't work. The CyaSSL changelog doesn't
say exactly when this error code was introduced, but it's likely
to be 2.7.0.
2014-07-31 00:31:36 +02:00
Dan Fandrich
1aa6418af9 cyassl: use RNG_GenerateBlock to generate a good random number 2014-07-31 00:09:13 +02:00
Daniel Stenberg
01a0168806 vtls: repair build without TLS support
... by defining Curl_ssl_random() properly
2014-07-30 23:17:41 +02:00
Daniel Stenberg
0e811d8c59 polarssl: provide a (weak) random function
This now provides a weak random function since PolarSSL doesn't have a
quick and easy way to provide a good one. It does however provide the
framework to make one so it _can_ and _should_ be done...
2014-07-30 20:59:16 +02:00
Daniel Stenberg
f0369223cd cyassl: use the default (weeker) random
I couldn't find any dedicated function in its API to get a "good" random
with.
2014-07-30 10:08:27 +02:00
Daniel Stenberg
16cb818a74 cyassl: made it compile with version 2.0.6 again
ASN_NO_SIGNER_E didn't exist back then!
2014-07-30 10:07:42 +02:00
Daniel Stenberg
8dfd22089c vtls: make the random function mandatory in the TLS backend
To force each backend implementation to really attempt to provide proper
random. If a proper random function is missing, then we can explicitly
make use of the default one we use when TLS support is missing.

This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-07-30 00:05:47 +02:00
Kamil Dudka
30b093f6fc nss: do not check the version of NSS at run time
The minimal required version of NSS is 3.14.x so it does not make sense
to check for NSS 3.12.0+ at run time.
2014-07-28 16:27:04 +02:00
Dan Fandrich
713f96ee0c cyassl.c: return the correct error code on no CA cert
CyaSSL 3.0.0 returns a unique error code if no CA cert is available,
so translate that into CURLE_SSL_CACERT_BADFILE when peer verification
is requested.
2014-07-23 00:52:56 +02:00
Daniel Stenberg
f069b40f9d gnutls: fix compiler warning
conversion to 'int' from 'long int' may alter its value
2014-07-15 21:28:10 +02:00
Dan Fandrich
9087b7e8f5 gnutls: detect lack of SRP support in GnuTLS at run-time and try without
Reported-by: David Woodhouse
2014-07-14 22:31:11 +02:00
David Woodhouse
98866008a9 gnutls: handle IP address in cert name check
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
2014-07-14 20:14:15 +02:00
Dan Fandrich
425459b8ae gnutls: improved error message if setting cipher list fails
Reported-by: David Woodhouse
2014-07-13 01:32:11 +02:00
Dan Fandrich
efc71583e7 gnutls: fixed a couple of uninitialized variable references 2014-07-12 01:31:12 +02:00
Dan Fandrich
3d2e1724cb gnutls: fixed compilation against versions < 2.12.0
The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
the code path in which they're referenced here is only ever used for
somewhat older GnuTLS versions. This caused undeclared identifier errors
when compiling against those.
2014-07-12 00:33:16 +02:00
Dan Fandrich
447c31ce9d gnutls: explicitly added SRP to the priority string
This seems to have become necessary for SRP support to work starting
with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
before the function that takes this priority string, there should be no
issue with backward compatibility.
2014-07-12 00:11:44 +02:00
Dan Fandrich
baf8b57b1d gnutls: ignore invalid certificate dates with VERIFYPEER disabled
This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.
2014-07-11 23:21:31 +02:00
Kamil Dudka
ca2aa61b66 nss: make the list of CRL items global
Otherwise NSS could use an already freed item for another connection.
2014-07-04 13:15:03 +02:00
Kamil Dudka
52cd5ac21c nss: fix a memory leak when CURLOPT_CRLFILE is used 2014-07-04 08:25:05 +02:00
Kamil Dudka
caa4db8a51 nss: make crl_der allocated on heap
... and spell it as crl_der instead of crlDER
2014-07-04 00:37:40 +02:00
Kamil Dudka
2968f957aa nss: let nss_{cache,load}_crl return CURLcode 2014-07-04 00:20:59 +02:00
Kamil Dudka
7581dee10a nss: make the fallback to SSLv3 work again
This feature was unintentionally disabled by commit ff92fcfb.
2014-07-02 18:11:05 +02:00
Kamil Dudka
7c21558503 nss: do not abort on connection failure
... due to calling SSL_VersionRangeGet() with NULL file descriptor

reported-by: upstream tests 305 and 404
2014-07-02 17:59:03 +02:00
Daniel Stenberg
e95ca7cec9 NTLM: set a fake entropy for debug builds with CURL_ENTROPY set
Curl_rand() will return a dummy and repatable random value for this
case. Makes it possible to write test cases that verify output.

Also, fake timestamp with CURL_FORCETIME set.

Only when built debug enabled of course.

Curl_ssl_random() was not used anymore so it has been
removed. Curl_rand() is enough.

create_digest_md5_message: generate base64 instead of hex string

curl_sasl: also fix memory leaks in some OOM situations
2014-06-11 23:15:48 +02:00
Steve Holme
51bb067a42 Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set 2014-06-11 21:13:40 +01:00
Daniel Stenberg
c50ce85918 Curl_ossl_init: call OPENSSL_config for initing engines
Bug: http://curl.haxx.se/mail/lib-2014-06/0003.html
Reported-by: Дмитрий Фалько
2014-06-03 22:15:38 +02:00
Daniel Stenberg
b99f8e8b4e gnutls: allow building with nghttp2 but without ALPN support
It might not be the most useful combo, but...
2014-05-28 00:30:23 +02:00
Alessandro Ghedini
345bfab518 gnutls: don't use deprecated type names anymore 2014-05-28 00:27:33 +02:00
Fabian Frank
1439dfb576 polarssl: add ALPN support
PolarSSL added ALPN support in their 1.3.6 release.

See:
https://polarssl.org/tech-updates/releases/polarssl-1.3.6-released
2014-05-25 23:11:24 +02:00
Tatsuhiro Tsujikawa
c7638d93b0 openssl: Fix uninitialized variable use in NPN callback
OpenSSL passes out and outlen variable uninitialized to
select_next_proto_cb callback function.  If the callback function
returns SSL_TLSEXT_ERR_OK, the caller assumes the callback filled
values in out and outlen and processes as such.  Previously, if there
is no overlap in protocol lists, curl code does not fill any values in
these variables and returns SSL_TLSEXT_ERR_OK, which means we are
triggering undefined behavior.  valgrind warns this.

This patch fixes this issue by fallback to HTTP/1.1 if there is no
overlap.
2014-05-23 17:00:07 +02:00
Nick Zitzmann
32e9275edb darwinssl: fix lint & build warnings in the previous commit 2014-05-21 19:21:15 -05:00
Vilmos Nebehaj
cd2cedf002 Add support for --cacert in DarwinSSL.
Security Framework on OS X makes it possible to supply extra anchor (CA)
certificates via the Certificate, Key, and Trust Services API. This
commit makes the '--cacert' option work using this API.

More information:

https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html

The HTTPS tests now pass on OS X except 314, which requires the '--crl'
option to work.
2014-05-21 18:48:14 -05:00
Fabian Frank
316f79cef2 ALPN: fix typo in http/1.1 identifier
According to https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-05
it is "http/1.1" and not "http/1.0".
2014-05-20 12:57:56 +02:00
Dan Fandrich
5a067c4b39 axtls: Fixed too long source line 2014-05-17 11:54:48 +02:00
Dan Fandrich
c9ea1d341a axtls: Add a TODO to a potential blocking call with no timeout 2014-05-16 23:27:07 +02:00
Daniel Stenberg
53a5b95c21 CURLINFO_SSL_VERIFYRESULT: assign at first connect call
The variable wasn't assigned at all until step3 which would lead to a
failed connect never assigning the variable and thus returning a bad
value.

Reported-by: Larry Lin
Bug: http://curl.haxx.se/mail/lib-2014-04/0203.html
2014-05-15 22:02:00 +02:00
Steve Holme
678239df54 darwinssl: Updated copyright following recent changes 2014-05-15 18:38:42 +01:00
Nick Zitzmann
69cdc95932 darwinssl: fix potential crash when attempting to copy an identity
from a P12 file

This could've happened if SecPKCS12Import() returned noErr _and_ no
identity.
2014-05-14 17:48:14 -05:00
Daniel Stenberg
52d16c84d2 openssl: unbreak PKCS12 support
Regression introduced in ce362e8eb9 (7.31.0)

Bug: http://curl.haxx.se/bug/view.cgi?id=1371
Reported-by: Dmitry
2014-05-12 13:06:50 +02:00
Daniel Stenberg
a18a2ba0bb schannel: don't use the connect-timeout during send
As there's a default connection timeout and this wrongly used the
connection timeout during a transfer after the connection is completed,
this function would trigger timeouts during transfers erroneously.

Bug: http://curl.haxx.se/bug/view.cgi?id=1352
Figured-out-by: Radu Simionescu
2014-05-05 00:10:37 +02:00
Daniel Stenberg
21aafd09f6 openssl: biomem->data is not zero terminated
So printf(%s) on it or reading before bounds checking is wrong, fixing
it. Could previously lead to reading out of boundary.

Reported-by: Török Edwin
2014-05-04 00:50:10 +02:00
Kamil Dudka
9c941e92c4 nss: propagate blocking direction from NSPR I/O
... during the non-blocking SSL handshake
2014-04-25 15:08:12 +02:00
Dan Fandrich
0204e17bc6 cyassl: Use error-ssl.h when available
Versions since at least 2.9.4 renamed error.h to error-ssl.h, so use
whichever one is available.
2014-04-23 11:01:30 +02:00
Daniel Stenberg
386ed2d590 gtls: fix NULL pointer dereference
gnutls_x509_crt_import() must not be called with a NULL certificate

Bug: http://curl.haxx.se/mail/lib-2014-04/0145.html
Reported-by: Damian Dixon
2014-04-22 23:24:31 +02:00
Kamil Dudka
8868a226cd nss: implement non-blocking SSL handshake 2014-04-22 22:56:14 +02:00
Kamil Dudka
a43bba3a34 nss: split Curl_nss_connect() into 4 functions 2014-04-22 22:56:14 +02:00
Marc Hoersken
6f72c2fe31 curl_schannel.c: added explicit cast of structure pointers 2014-04-18 22:38:42 +02:00
Marc Hoersken
a703914e60 curl_schannel.c: fix possible dereference of null pointer 2014-04-18 22:36:12 +02:00
Daniel Stenberg
97f214d0c9 http2+openssl: fix compiler warnings in ALPN using code 2014-04-03 17:03:02 +02:00
Daniel Stenberg
6448946ac3 http2: let openssl mention the exact protocol negotiated
Remove a superfluous "negotiated http2" info line
2014-03-31 09:00:58 +02:00
Daniel Stenberg
ef813c7097 http2: remove _DRAFT09 from the NPN_HTTP2 enum
We're progressing throught drafts so there's no point in having a fixed
one in a symbol that'll survive.
2014-03-31 08:40:24 +02:00
Gisle Vanem
196140dcaf polarssl: avoid extra newlines in debug messages
The debug messages printed inside PolarSSL always seems to end with a
newline. So 'infof()' should not add one. Besides the trace 'line'
should be 'const'.
2014-03-22 16:55:39 +01:00
Gaël PORTAY
ff25f437a5 polarssl: break compatibility with version older than 1.3.
Remove all #ifdef/else/endif macros that ensure compatibility with polarssl
version previous than 1.3.
2014-03-18 21:01:11 +01:00
Gaël PORTAY
31265376bc polarssl: drop use of 1.2 compatibility header.
API has changed since version 1.3. A compatibility header has been created
to ensure forward compatibility for code using old API:
 * x509 certificate structure has been renamed to from x509_cert to
   x509_crt
 * new dedicated setter for RSA certificates ssl_set_own_cert_rsa,
   ssl_set_own_cert is for generic keys
 * ssl_default_ciphersuites has been replaced by function
   ssl_list_ciphersuites()

This patch drops the use of the compatibly header.
2014-03-18 21:01:11 +01:00
Daniel Stenberg
7a1fb8e816 polarssl: added missing end-of-comment from previous commit 2014-03-18 08:03:45 +01:00
Daniel Stenberg
5017d5ada8 polarssl: now require 1.3.0+
Also fixed a function name change in the version requirement bump
2014-03-17 20:48:06 +01:00
hasufell
4d6108315b polarssl: fix compilation
Rename x509_cert to x509_crt and add "compat-1.2.h"
include.
This would still need some more thorough conversion
in order to drop "compat-1.2.h" include.
2014-03-17 20:08:45 +01:00
Kamil Dudka
67061e3f4e nss: allow to enable/disable new AES GCM cipher-suites
... if built against a new enough version of NSS
2014-03-15 13:07:55 +01:00
Kamil Dudka
c864d81289 nss: allow to enable/disable new HMAC-SHA256 cipher-suites
... if built against a new enough version of NSS
2014-03-15 13:07:55 +01:00
Kamil Dudka
b4f6cd46eb nss: do not enable AES cipher-suites by default
... but allow them to be enabled/disabled explicitly.  The default
policy should be maintained at the NSS level.
2014-03-15 13:07:55 +01:00
Daniel Stenberg
dcdbac2568 openssl: info massage with SSL version used
Patch-by: byte_bucket
2014-03-10 17:13:11 +01:00
Daniel Stenberg
6f416fa462 NSS: avoid compiler warnings when built without http2 support 2014-03-03 08:39:25 +01:00
nickzman
e9665e9658 Merge pull request #93 from d235j/darwinssl_ip_address_fix
darwinssl: don't omit CN verification when an IP address is used
2014-02-25 17:36:44 -06:00
Marc Hoersken
e904b15f21 curl_schannel.c: Updated copyright years 2014-02-24 22:12:55 +01:00
David Ryskalczyk
63fc8ee7be winssl: Enable hostname verification of IP address using SAN or CN
Original commit message was:
 Don't omit CN verification in SChannel when an IP address is used.

Side-effect of this change:
 SChannel and CryptoAPI do not support the iPAddress subjectAltName
 according to RFC 2818. If present, SChannel will first compare the
 IP address to the dNSName subjectAltNames and then fallback to the
 most specific Common Name in the Subject field of the certificate.

 This means that after this change curl will not connect to SSL/TLS
 hosts as long as the IP address is not specified in the SAN or CN
 of the server certificate or the verifyhost option is disabled.
2014-02-24 22:12:55 +01:00
David Ryskalczyk
afc6e5004f Don't omit CN verification in DarwinSSL when an IP address is used. 2014-02-23 12:37:27 -05:00
Dan Fandrich
8749bbe7fd axtls: comment the call ssl_read repeatedly loop 2014-02-18 21:14:09 +01:00
Daniel Stenberg
575a2b684b axtls: bump copyright year 2014-02-16 23:31:47 +01:00
Fabian Frank
86f266b004 axtls: call ssl_read repeatedly
Perform more work in between sleeps. This is work around the
fact that axtls does not expose any knowledge about when work needs
to be performed. Depending on connection and how often perform is
being called this can save ~25% of time on SSL handshakes (measured
on 20ms latency connection calling perform roughly every 10ms).
2014-02-16 23:30:21 +01:00
Fabian Frank
ec9476052d openssl: honor --[no-]alpn|npn command line switch
Disable ALPN or NPN if requested by the user.
2014-02-11 22:55:23 +01:00
Fabian Frank
8f5a9147be gtls: honor --[no-]alpn command line switch
Disable ALPN if requested by the user.
2014-02-11 22:54:37 +01:00
Fabian Frank
909a68c121 NPN/ALPN: allow disabling via command line
when using --http2 one can now selectively disable NPN or ALPN with
--no-alpn and --no-npn. for now honored with NSS only.

TODO: honor this option with GnuTLS and OpenSSL
2014-02-10 13:06:17 +01:00
Fabian Frank
70bd9784de nss: use correct preprocessor macro
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection,
but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a
preprocessor macro.
2014-02-10 08:09:02 +01:00
Daniel Stenberg
09d907ee68 nss: support pre-ALPN versions 2014-02-07 15:38:45 +01:00
Fabian Frank
f3a12460ad nss: ALPN and NPN support
Add ALPN and NPN support for NSS. This allows cURL to negotiate
HTTP/2.0 connections when built with NSS.
2014-02-07 15:35:23 +01:00
Steve Holme
265f2e9ed7 nss: Updated copyright year for recent edits 2014-02-06 22:32:56 +00:00
Fabian Frank
ff92fcfb90 nss: prefer highest available TLS version
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3
if --tlsv1[.N] was not specified on the command line.
2014-02-06 23:09:56 +01:00
Fabian Frank
4d8db595ca gtls: add ALPN support
Add ALPN support when using GnuTLS >= 3.2.0. This allows
libcurl to negotiate HTTP/2.0 for https connections when
built with GnuTLS.

See:
http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-02-04 09:48:27 +01:00
Fabian Frank
8b6654224b openssl: add ALPN support
Add ALPN support when using OpenSSL. This will offer ALPN and NPN to the
server, who can respond with either one or none of the two. OpenSSL >=
1.0.2 is required, which means as of today obtaining a snapshot from
ftp://ftp.openssl.org/snapshot/.

See:
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
ba168244a1/ssl/ssl_lib.c (L1787)
2014-02-03 23:46:06 +01:00
Marc Hoersken
82f558366f winssl: improved default SSL/TLS protocol selection
For some reason Windows 7 SP1 chooses TLS 1.0 instead of TLS 1.2
if it is not explicitly enabled within grbitEnabledProtocols.

More information can be found on MSDN:
http://msdn.microsoft.com/library/windows/desktop/aa379810.aspx
2014-01-31 20:01:25 +01:00
Daniel Stenberg
99b4ff8b6f http2-openssl: verify that NPN functionality is present 2014-01-30 11:24:15 +01:00
Fabian Frank
22c198fa89 openssl: set up hooks with to perform NPN
NPN is what is available in the wild today to negotiate SPDY or HTTP/2.0
connections. It is expected to be replaced by ALPN in the future. If
HTTP/2.0 is negotiated, this is indicated for the entire connection and
http.c is expected to initialize itself for HTTP/2.0 instead of
HTTP/1.1.

see:
http://technotes.googlecode.com/git/nextprotoneg.html
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2014-01-30 11:13:28 +01:00
Kamil Dudka
665c160f0a nss: do not use the NSS_ENABLE_ECC define
It is not provided by NSS public headers.

Bug: https://bugzilla.redhat.com/1058776
2014-01-29 13:57:21 +01:00
Kamil Dudka
e15e73b741 nss: do not fail if NSS does not implement a cipher
... that the user does not ask for
2014-01-29 13:46:17 +01:00
Fabian Frank
251305cd7f axtls: fix compiler warning on conversion ssize_t => int 2014-01-21 08:21:55 +01:00
Fabian Frank
39f7e80a52 disable GnuTLS insecure ciphers
Make GnuTLS old and new consistent, specify the desired protocol, cipher
and certificate type in always in both modes. Disable insecure ciphers
as reported by howsmyssl.com. Honor not only --sslv3, but also the
--tlsv1[.N] switches.

Related Bug: http://curl.haxx.se/bug/view.cgi?id=1323
2014-01-20 11:32:55 +01:00
Daniel Stenberg
4f334ba017 gtls: fix compiler warnings on conversions size_t => unsigned int 2014-01-19 23:26:01 +01:00
Daniel Stenberg
3b5c75ef3d OpenSSL: deselect weak ciphers by default
By default even recent versions of OpenSSL support and accept both
"export strength" ciphers, small-bitsize ciphers as well as downright
deprecated ones.

This change sets a default cipher set that avoids the worst ciphers, and
subsequently makes https://www.howsmyssl.com/a/check no longer grade
curl/OpenSSL connects as 'Bad'.

Bug: http://curl.haxx.se/bug/view.cgi?id=1323
Reported-by: Jeff Hodges
2014-01-12 00:14:01 +01:00
Nick Zitzmann
21aa79f463 darwinssl: un-break Leopard build after PKCS#12 change
It turns out errSecDecode wasn't defined in Leopard's headers. So
we use the enum's value instead.

Bug: http://curl.haxx.se/mail/lib-2013-12/0150.html
Reported by: Abram Pousada
2014-01-09 17:53:29 -06:00
Daniel Stenberg
3529162405 openssl: allow explicit sslv2 selection
If OpenSSL is built to support SSLv2 this brings back the ability to
explicitly select that as a protocol level.

Reported-by: Steve Holme
Bug: http://curl.haxx.se/mail/lib-2014-01/0013.html
2014-01-03 11:52:49 +01:00
Steve Holme
c50d3ed075 Updated copyright year for recent changes 2014-01-02 23:53:29 +00:00
Barry Abrahamson
4bb7400529 OpenSSL: Fix forcing SSLv3 connections
Some feedback provided by byte_bucket on IRC pointed out that commit
db11750cfa wasn’t really correct because it allows for “upgrading” to a
newer protocol when it should be only allowing for SSLv3.

This change fixes that.

When SSLv3 connection is forced, don't allow SSL negotiations for newer
versions.  Feedback provided by byte_bucket in #curl.  This behavior is
also consistent with the other force flags like --tlsv1.1 which doesn't
allow for TLSv1.2 negotiation, etc

Feedback-by: byte_bucket
Bug: http://curl.haxx.se/bug/view.cgi?id=1319
2014-01-02 23:41:33 +01:00
Barry Abrahamson
db11750cfa OpenSSL: Fix forcing SSLv3 connections
Since ad34a2d5c8 (present in 7.34.0 release) forcing
SSLv3 will always return the error "curl: (35) Unsupported SSL protocol
version" Can be replicated with `curl -I -3 https://www.google.com/`.
This fix simply allows for v3 to be forced.
2014-01-01 21:36:47 +01:00
Steve Holme
f88f9bed00 vtls: Updated comments referencing sslgen.c and ssluse.c 2013-12-26 21:42:22 +00:00
Steve Holme
9aa6e4357a vtls: Fixed up include of vtls.h 2013-12-26 21:25:51 +00:00
Daniel Stenberg
11e8066ef9 vtls: renamed sslgen.[ch] to vtls.[ch] 2013-12-20 17:12:42 +01:00
Daniel Stenberg
92b9ae5c5d openssl: renamed backend files to openssl.[ch] 2013-12-20 17:12:42 +01:00
Daniel Stenberg
a47c142a88 vtls: moved all TLS/SSL source and header files into subdir 2013-12-20 17:12:42 +01:00
Daniel Stenberg
eccf4fb7ee vtls: created subdir, moved sslgen.[ch] there, updated all include lines 2013-12-20 17:12:42 +01:00