1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 16:18:48 -05:00
Commit Graph

386 Commits

Author SHA1 Message Date
Marc Hoersken
9a91e8059b schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
Reported-by: Brian Chrisman
2015-04-26 17:59:01 +02:00
Daniel Stenberg
3447c973d0 schannel: re-indented file to follow curl style better
white space changes only
2015-04-26 17:40:40 +02:00
Daniel Stenberg
cae43a10cb Curl_ossl_init: load builtin modules
To have engine modules work, we must tell openssl to load builtin
modules first.

Bug: https://github.com/bagder/curl/pull/206
2015-04-26 17:26:31 +02:00
Daniel Stenberg
aff153f83a openssl: fix serial number output
The code extracting the cert serial number was broken and didn't display
it properly.

Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
2015-04-26 16:36:19 +02:00
Jay Satiro
0675abbc75 cyassl: Implement public key pinning
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
2015-04-22 17:07:19 -04:00
Kamil Dudka
b47c17d67c nss: implement public key pinning for NSS backend
Bug: https://bugzilla.redhat.com/1195771
2015-04-22 13:21:31 +02:00
byronhe
6088fbce06 openssl: add OPENSSL_NO_SSL3_METHOD check 2015-04-21 15:25:21 -04:00
Viktor Szakáts
3a87bdebd1 vtls/openssl: use https in URLs and a comment typo fixed 2015-04-19 19:52:37 +02:00
Jay Satiro
f70112522f cyassl: Fix include order
Prior to this change CyaSSL's build options could redefine some generic
build symbols.

http://curl.haxx.se/mail/lib-2015-04/0069.html
2015-04-17 15:24:04 -04:00
Jay Satiro
9430dd583e cyassl: Add support for TLS extension SNI 2015-04-14 02:05:25 -04:00
Matthew Hall
a471a9f3b6 vtls_openssl: improve PKCS#12 load failure error message 2015-04-13 22:25:04 +02:00
Matthew Hall
27ac643455 vtls_openssl: fix minor typo in PKCS#12 load routine 2015-04-13 22:25:04 +02:00
Matthew Hall
b3175a767d vtls_openssl: improve client certificate load failure error messages 2015-04-13 22:25:04 +02:00
Matthew Hall
58b0a8b059 vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant 2015-04-13 22:25:04 +02:00
Jay Satiro
72bea7cc65 cyassl: Include the CyaSSL build config
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
2015-04-11 23:58:42 -04:00
Jay Satiro
d363c07912 cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
Also fix it so that all ERR_error_string calls use an error buffer.
CyaSSL's implementation of ERR_error_string only writes the error when
an error buffer is passed.

http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
2015-04-06 17:54:14 +02:00
Jay Satiro
a30be951d6 cyassl: Remove 'Connecting to' message from cyassl_connect_step2
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to'
messages since cyassl_connect_step2 is called multiple times, typically.
The message is superfluous even once since libcurl already informs the
user elsewhere in code that it is connecting.
2015-04-05 18:18:11 +02:00
Jay Satiro
f203edc544 cyassl: Set minimum protocol version before CTX callback
This change is to allow the user's CTX callback to change the minimum
protocol version in the CTX without us later overriding it, as we did
prior to this change.
2015-04-03 10:51:58 +02:00
Jay Satiro
0b5efa57ad cyassl: Fix certificate load check
SSL_CTX_load_verify_locations can return negative values on fail,
therefore to check for failure we check if load is != 1 (success)
instead of if load is == 0 (failure), the latter being incorrect given
that behavior.
2015-04-02 17:18:42 +02:00
Jay Satiro
b121633402 cyassl: Fix library initialization return value
(Curl_cyassl_init)
- Return 1 on success, 0 in failure.

Prior to this change the fail path returned an incorrect value and the
evaluation to determine whether CyaSSL_Init had succeeded was incorrect.
Ironically that combined with the way curl_global_init tests SSL library
initialization (!Curl_ssl_init()) meant that CyaSSL having been
successfully initialized would be seen as that even though the code path
and return value in Curl_cyassl_init were wrong.
2015-04-01 08:10:58 +02:00
Dan Fandrich
049fe7fb53 axtls: add timeout within Curl_axtls_connect
This allows test 405 to pass on axTLS.
2015-03-31 02:04:22 +02:00
Jay Satiro
fcdc597b1a cyassl: CTX callback cosmetic changes and doc fix
- More descriptive fail message for NO_FILESYSTEM builds.
- Cosmetic changes.
- Change more of CURLOPT_SSL_CTX_* doc to not be OpenSSL specific.
2015-03-28 16:41:51 +01:00
Kyle L. Huff
d2feb71752 cyassl: add SSL context callback support for CyaSSL
Adds support for CURLOPT_SSL_CTX_FUNCTION when using CyaSSL, and better
handles CyaSSL instances using NO_FILESYSTEM.
2015-03-27 23:32:14 +01:00
Kyle L. Huff
211f1e3c6b cyassl: remove undefined reference to CyaSSL_no_filesystem_verify
CyaSSL_no_filesystem_verify is not (or no longer) defined by cURL or
CyaSSL. This reference causes build errors when compiling with
NO_FILESYSTEM.
2015-03-27 23:31:12 +01:00
Jay Satiro
e7a289ebb9 vtls: Don't accept unknown CURLOPT_SSLVERSION values 2015-03-27 09:32:23 +01:00
Daniel Stenberg
5b58bface3 polarssl: called mbedTLS in 1.3.10 and later 2015-03-25 09:19:57 +01:00
Daniel Stenberg
83b29e43cd polarssl: remove dead code
and simplify code by changing if-elses to a switch()

CID 1291706: Logically dead code. Execution cannot reach this statement
2015-03-25 09:01:11 +01:00
Daniel Stenberg
24908c12d7 polarssl: remove superfluous for(;;) loop
"unreachable: Since the loop increment is unreachable, the loop body
will never execute more than once."

Coverity CID 1291707
2015-03-25 08:49:34 +01:00
Daniel Stenberg
4e299192ed Curl_ssl_md5sum: return CURLcode
... since the funciton can fail on OOM. Check this return code.

Coverity CID 1291705.
2015-03-25 08:32:12 +01:00
Jay Satiro
e35f2e61ec cyassl: default to highest possible TLS version
(cyassl_connect_step1)
- Use TLS 1.0-1.2 by default when available.

CyaSSL/wolfSSL >= v3.3.0 supports setting a minimum protocol downgrade
version.

cyassl/cyassl@322f79f
2015-03-25 08:10:24 +01:00
Jay Satiro
d29f8b460c cyassl: Check for invalid length parameter in Curl_cyassl_random 2015-03-25 08:08:12 +01:00
Jay Satiro
ec31962640 cyassl: If wolfSSL then identify as such in version string 2015-03-25 08:08:12 +01:00
Dan Fandrich
35648f2e79 curl_memory: make curl_memory.h the second-last header file loaded
This header file must be included after all header files except
memdebug.h, as it does similar memory function redefinitions and can be
similarly affected by conflicting definitions in system or dependent
library headers.
2015-03-24 23:47:01 +01:00
Daniel Stenberg
ac2827ac09 openssl: do the OCSP work-around for libressl too
I tested with libressl git master now (v2.1.4-27-g34bf96c) and it seems to
still require the work-around for stapling to work.
2015-03-24 23:39:52 +01:00
Daniel Stenberg
bd9ac3cff2 openssl: verifystatus: only use the OCSP work-around <= 1.0.2a
URL: http://curl.haxx.se/mail/lib-2015-03/0205.html
Reported-by: Alessandro Ghedini
2015-03-24 23:06:37 +01:00
Daniel Stenberg
7e6ca87a72 openssl: adapt to ASN1/X509 things gone opaque in 1.1 2015-03-24 22:59:33 +01:00
Dan Fandrich
56ae66d518 vtls: fix compile with --disable-crypto-auth but with SSL
This is a strange combination of options, but is allowed.
2015-03-24 21:41:22 +01:00
Dan Fandrich
430006c5e2 cyassl: include version.h to ensure the version macros are defined 2015-03-23 10:10:03 +01:00
Nick Zitzmann
7f5a170442 darwinsssl: add support for TLS False Start
TLS False Start support requires iOS 7.0 or later, or OS X 10.9 or later.
2015-03-21 12:22:56 -05:00
Daniel Stenberg
ed429b72d7 gtls: add check of return code
Coverity CID 1291167 pointed out that 'rc' was received but never used when
gnutls_credentials_set() was used. Added return code check now.
2015-03-21 16:53:43 +01:00
Daniel Stenberg
fea13a17d8 gtls: dereferencing NULL pointer
Coverity CID 1291165 pointed out 'chainp' could be dereferenced when
NULL if gnutls_certificate_get_peers() had previously failed.
2015-03-21 16:53:23 +01:00
Daniel Stenberg
5f6f9e8b59 gtls: avoid uninitialized variable.
Coverity CID 1291166 pointed out that we could read this variable
uninitialized.
2015-03-21 16:53:09 +01:00
Daniel Stenberg
b734518371 nss: error: unused variable 'connssl' 2015-03-21 15:47:03 +01:00
Dan Fandrich
6779c50e26 cyassl: use new library version macro when available 2015-03-20 23:49:53 +01:00
Alessandro Ghedini
185914fd31 nss: add support for TLS False Start 2015-03-20 20:14:35 +01:00
Alessandro Ghedini
4dcd25e138 url: add CURLOPT_SSL_FALSESTART option
This option can be used to enable/disable TLS False Start defined in the RFC
draft-bmoeller-tls-falsestart.
2015-03-20 20:14:33 +01:00
Alessandro Ghedini
a332922a52 gtls: implement CURLOPT_CERTINFO 2015-03-20 19:03:53 +01:00
Alessandro Ghedini
8854f8d45a openssl: try to avoid accessing OCSP structs when possible 2015-03-20 15:36:05 +01:00
Dan Fandrich
9e66d3f4d3 axtls: version 1.5.2 now requires that config.h be manually included 2015-03-19 10:11:17 +01:00
Kamil Dudka
e3fbdc7c8a nss: explicitly tell NSS to disable NPN/ALPN
... if disabled at libcurl level.  Otherwise, we would allow to
negotiate NPN despite curl was invoked with the --no-npn option.
2015-03-18 19:43:14 +01:00
Daniel Stenberg
2dc1a5ce93 checksrc: detect and remove space before trailing semicolons 2015-03-17 14:06:48 +01:00
Daniel Stenberg
9395999543 checksrc: use space after comma 2015-03-17 13:57:37 +01:00
Markus Elfring
29c655c0a6 Bug #149: Deletion of unnecessary checks before calls of the function "free"
The function "free" is documented in the way that no action shall occur for
a passed null pointer. It is therefore not needed that a function caller
repeats a corresponding check.
http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first

This issue was fixed by using the software Coccinelle 1.0.0-rc24.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-16 12:13:56 +01:00
Daniel Stenberg
186e46d88d openssl: use colons properly in the ciphers list
While the previous string worked, this is the documented format.

Reported-by: Richard Moore
2015-03-12 23:29:46 +01:00
Daniel Stenberg
0d1060f21e openssl: sort the ciphers on strength
This makes curl pick better (stronger) ciphers by default. The strongest
available ciphers are fine according to the HTTP/2 spec so an OpenSSL
built curl is no longer rejected by string HTTP/2 servers.

Bug: http://curl.haxx.se/bug/view.cgi?id=1487
2015-03-12 23:16:28 +01:00
Daniel Stenberg
1d3f1a80d0 openssl: show the cipher selection to use 2015-03-12 15:53:45 +01:00
Alessandro Ghedini
fa895f2aa2 gtls: correctly align certificate status verification messages 2015-03-10 15:48:34 +01:00
Alessandro Ghedini
a6a264ef2c gtls: don't print double newline after certificate dates 2015-03-10 15:20:03 +01:00
Alessandro Ghedini
3a757fddbb gtls: print negotiated TLS version and full cipher suite name
Instead of priting cipher and MAC algorithms names separately, print the
whole cipher suite string which also includes the key exchange algorithm,
along with the negotiated TLS version.
2015-03-10 15:18:14 +01:00
Daniel Stenberg
d9973eaeb8 gtls: fix compiler warnings 2015-03-10 15:16:59 +01:00
Alessandro Ghedini
5a1614cecd gtls: add support for CURLOPT_CAPATH 2015-03-10 15:03:54 +01:00
Daniel Stenberg
00ea0e7db0 http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
Since they already exist and will make comparing easier
2015-03-07 11:10:30 +01:00
Alessandro Ghedini
adb4e41a1a polarssl: make it possible to enable ALPN/NPN without HTTP2 2015-03-07 10:36:10 +01:00
Alessandro Ghedini
42bc45be8e nss: make it possible to enable ALPN/NPN without HTTP2 2015-03-07 10:36:10 +01:00
Alessandro Ghedini
870a67e01f gtls: make it possible to enable ALPN/NPN without HTTP2 2015-03-07 10:36:10 +01:00
Alessandro Ghedini
2e9494b15d openssl: make it possible to enable ALPN/NPN without HTTP2 2015-03-07 10:36:10 +01:00
Daniel Stenberg
709cf76f6b openssl: remove all uses of USE_SSLEAY
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.
2015-03-05 10:57:52 +01:00
Daniel Stenberg
8aabbf5f8c vtls: use curl_printf.h all over
No need to use _MPRINTF_REPLACE internally.
2015-03-03 23:17:43 +01:00
Kamil Dudka
4909f7c795 nss: do not skip Curl_nss_seed() if data is NULL
In that case, we only skip writing the error message for failed NSS
initialization (while still returning the correct error code).
2015-02-25 10:23:07 +01:00
Kamil Dudka
7a1538d9cc nss: improve error handling in Curl_nss_random()
The vtls layer now checks the return value, so it is no longer necessary
to abort if a random number cannot be provided by NSS.  This also fixes
the following Coverity report:

Error: FORWARD_NULL (CWE-476):
lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null.
lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it.
lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".
2015-02-25 10:23:06 +01:00
Alessandro Ghedini
63b4b8c7bd nss: fix NPN/ALPN protocol negotiation
Correctly check for memcmp() return value (it returns 0 if the strings match).

This is not really important, since curl is going to use http/1.1 anyway, but
it's still a bug I guess.
2015-02-19 23:09:12 +01:00
Alessandro Ghedini
633b3895d7 polarssl: fix ALPN protocol negotiation
Correctly check for strncmp() return value (it returns 0 if the strings
match).
2015-02-19 23:07:40 +01:00
Alessandro Ghedini
676ac46ff5 gtls: fix build with HTTP2 2015-02-19 19:00:51 +01:00
Nick Zitzmann
b1c7fc050b By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]" 2015-02-15 17:11:01 -06:00
Kamil Dudka
aba2c4dca2 openssl: fix a compile-time warning
lib/vtls/openssl.c:1450:7: warning: extra tokens at end of #endif directive
2015-02-12 08:39:19 +01:00
Steve Holme
c1878e8f52 openssl: Use OPENSSL_IS_BORINGSSL for BoringSSL detection
For consistency with other conditionally compiled code in openssl.c,
use OPENSSL_IS_BORINGSSL rather than HAVE_BORINGSSL and try to use
HAVE_BORINGSSL outside of openssl.c when the OpenSSL header files are
not included.
2015-02-11 21:03:23 +00:00
Steve Holme
d771b44e53 openssl: Disable OCSP in old versions of OpenSSL
Versions of OpenSSL prior to v0.9.8h do not support the necessary
functions for OCSP stapling.
2015-02-09 21:01:39 +00:00
Jay Satiro
20c727ec4c polarssl: Fix exclusive SSL protocol version options
Prior to this change the options for exclusive SSL protocol versions did
not actually set the protocol exclusive.

http://curl.haxx.se/mail/lib-2015-01/0002.html
Reported-by: Dan Fandrich
2015-02-09 10:39:17 +01:00
Jay Satiro
9956ef2d33 gskit: Fix exclusive SSLv3 option 2015-02-09 10:38:46 +01:00
Steve Holme
761d5166af schannel: Removed curl_ prefix from source files
Removed the curl_ prefix from the schannel source files as discussed
with Marc and Daniel at FOSDEM.
2015-02-07 21:34:33 +00:00
Daniel Stenberg
d557da5d79 axtls: fix conversion from size_t to int warning 2015-02-06 14:26:32 +01:00
Daniel Stenberg
45b9b62de4 openssl: SSL_SESSION->ssl_version no longer exist
The struct went private in 1.0.2 so we cannot read the version number
from there anymore. Use SSL_version() instead!

Reported-by: Gisle Vanem
Bug: http://curl.haxx.se/mail/lib-2015-02/0034.html
2015-02-05 11:57:33 +01:00
Steve Holme
28c9e1edf4 schannel: Prefer 'CURLcode result' for curl result codes 2015-02-04 00:07:16 +00:00
Marc Hoersken
4161624e94 TODO: moved WinSSL/SChannel todo items into docs 2015-01-31 12:30:11 +01:00
Steve Holme
e1bb13c09f openssl: Fixed Curl_ossl_cert_status_request() not returning FALSE
Modified the Curl_ossl_cert_status_request() function to return FALSE
when built with BoringSSL or when OpenSSL is missing the necessary TLS
extensions.
2015-01-27 12:53:41 +00:00
Steve Holme
a268a804b7 openssl: Fixed compilation errors when OpenSSL built with 'no-tlsext'
Fixed the build of openssl.c when OpenSSL is built without the necessary
TLS extensions for OCSP stapling.

Reported-by: John E. Malmberg
2015-01-27 12:47:48 +00:00
Daniel Stenberg
23c6f0a344 OCSP stapling: disabled when build with BoringSSL 2015-01-22 23:34:43 +01:00
Alessandro Ghedini
d1cf5d5706 openssl: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066
section 8.

Thanks-to: Joe Mason
- for the work-around for the OpenSSL bug.
2015-01-22 23:25:23 +01:00
Daniel Stenberg
d6c4695dcd BoringSSL: no PKCS12 support nor ERR_remove_state 2015-01-22 16:39:01 +01:00
Leith Bade
261208d432 BoringSSL: fix build 2015-01-22 16:39:01 +01:00
Daniel Stenberg
be57f689b0 openssl: do public key pinning check independently
... of the other cert verification checks so that you can set verifyhost
and verifypeer to FALSE and still check the public key.

Bug: http://curl.haxx.se/bug/view.cgi?id=1471
Reported-by: Kyle J. McKay
2015-01-19 23:20:13 +01:00
Steve Holme
1d25acb038 gskit.h: Code policing of function pointer arguments 2015-01-17 17:02:01 +00:00
Steve Holme
5d5c78b47f vtls: Removed unimplemented overrides of curlssl_close_all()
Carrying on from commit 037cd0d991, removed the following unimplemented
instances of curlssl_close_all():

Curl_axtls_close_all()
Curl_darwinssl_close_all()
Curl_cyassl_close_all()
Curl_gskit_close_all()
Curl_gtls_close_all()
Curl_nss_close_all()
Curl_polarssl_close_all()
2015-01-17 16:41:03 +00:00
Steve Holme
8bb3443a21 vtls: Separate the SSL backend definition from the API setup
Slight code cleanup as the SSL backend #define is mixed up with the API
function setup.
2015-01-17 15:38:22 +00:00
Steve Holme
30ef1a0779 vtls: Fixed compilation errors when SSL not used
Fixed the following warning and error from commit 3af90a6e19 when SSL
is not being used:

url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined;
            assuming extern returning int

error LNK2019: unresolved external symbol Curl_ssl_cert_status_request
               referenced in function Curl_setopt
2015-01-17 15:16:07 +00:00
Daniel Stenberg
a4065ebf1c copyright years: after OCSP stapling changes 2015-01-16 23:23:29 +01:00
Alessandro Ghedini
f46c6fbee0 nss: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.

This requires NSS 3.15 or higher.
2015-01-16 23:23:29 +01:00
Alessandro Ghedini
f13669a375 gtls: add support for the Certificate Status Request TLS extension
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8.

This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use
at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP
response verfication to fail even on valid responses.
2015-01-16 23:23:29 +01:00
Alessandro Ghedini
3af90a6e19 url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.

This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.
2015-01-16 23:23:29 +01:00
Marc Hoersken
e9834808e9 curl_schannel.c: mark session as removed from cache if not freed
If the session is still used by active SSL/TLS connections, it
cannot be closed yet. Thus we mark the session as not being cached
any longer so that the reference counting mechanism in
Curl_schannel_shutdown is used to close and free the session.

Reported-by: Jean-Francois Durand
2015-01-12 21:56:05 +01:00
Daniel Stenberg
e6b4b4b66d NSS: fix compiler error when built http2-enabled 2015-01-09 21:55:52 +01:00
Daniel Stenberg
4ce22c607b darwinssl: fix session ID keys to only reuse identical sessions
...to avoid a session ID getting cached without certificate checking and
then after a subsequent _enabling_ of the check libcurl could still
re-use the session done without cert checks.

Bug: http://curl.haxx.se/docs/adv_20150108A.html
Reported-by: Marc Hesse
2015-01-07 22:55:56 +01:00
Steve Holme
e9d0c7a6f3 vtls: Use '(void) arg' for unused parameters
Prefer void for unused parameters, rather than assigning an argument to
itself as a) unintelligent compilers won't optimize it out, b) it can't
be used for const parameters, c) it will cause compilation warnings for
clang with -Wself-assign and d) is inconsistent with other areas of the
curl source code.
2014-12-30 17:13:07 +00:00
Steve Holme
1933f9d33c schannel: Moved the ISC return flag definitions to the SSPI module
Moved our Initialize Security Context return attribute definitions to
the SSPI module, as a) these can be used by other SSPI based providers
and b) the ISC required attributes are defined there.
2014-12-30 00:14:58 +00:00
Steve Holme
cfc863869f darwinssl: Fixed compilation warning
vtls.c:683:43: warning: unused parameter 'data'
2014-12-28 23:32:07 +00:00
Steve Holme
037cd0d991 vtls: Fixed compilation warning and an ignored return code
curl_schannel.h:123: warning: right-hand operand of comma expression
                     has no effect

Some instances of the curlssl_close_all() function were declared with a
void return type whilst others as int. The schannel version returned
CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the
return code was ignored by the calling function Curl_ssl_close_all().

For the time being and to keep the internal API consistent, changed all
declarations to use a void return type.

To reduce code we might want to consider removing the unimplemented
versions and use a void #define like schannel does.
2014-12-28 17:33:01 +00:00
Steve Holme
2728caa613 nss: Don't ignore Curl_extract_certinfo() OOM failure 2014-12-27 22:18:08 +00:00
Steve Holme
0943045108 nss: Don't ignore Curl_ssl_init_certinfo() OOM failure 2014-12-27 21:25:41 +00:00
Steve Holme
b235c29366 nss: Use 'CURLcode result' for curl result codes
...and don't use CURLE_OK in failure/success comparisons.
2014-12-27 21:13:44 +00:00
Steve Holme
e0d265d3eb darwinssl: Use 'CURLcode result' for curl result codes 2014-12-27 17:36:35 +00:00
Steve Holme
98d37c5a0c polarssl: Use 'CURLcode result' for curl result codes 2014-12-27 17:30:51 +00:00
Steve Holme
cdc1cc22e7 vtls: Don't set cert info count until memory allocation is successful
Otherwise Curl_ssl_init_certinfo() can fail and set the num_of_certs
member variable to the requested count, which could then be used
incorrectly as libcurl closes down.
2014-12-26 13:11:43 +00:00
Steve Holme
fe43a662a2 vtls: Use CURLcode for Curl_ssl_init_certinfo() return type
The return type for this function was 0 on success and 1 on error. This
was then examined by the calling functions and, in most cases, used to
return CURLE_OUT_OF_MEMORY.

Instead use CURLcode for the return type and return the out of memory
error directly, propagating it up the call stack.
2014-12-26 13:11:40 +00:00
Steve Holme
6cb7b0c0ac vtls: Use bool for Curl_ssl_getsessionid() return type
The return type of this function is a boolean value, and even uses a
bool internally, so use bool in the function declaration as well as
the variables that store the return value, to avoid any confusion.
2014-12-25 17:15:15 +00:00
Steve Holme
38aaf6c380 schannel: Minor code style policing for casts 2014-12-25 13:48:44 +00:00
Steve Holme
ed4c0b53cc schannel: Prefer 'CURLcode result' for curl result codes 2014-12-25 13:45:29 +00:00
Steve Holme
95f78b2b56 cyassl: Prefer 'CURLcode result' for curl result codes 2014-12-25 13:45:27 +00:00
Steve Holme
8830df8b66 gtls: Use preferred 'CURLcode result' 2014-12-24 17:25:35 +00:00
Steve Holme
2568928070 openssl: Prefer we don't use NULL in comparisons 2014-12-24 16:14:33 +00:00
Steve Holme
a4d9158509 openssl.c Fix for compilation errors with older versions of OpenSSL
openssl.c:1408: error: 'TLS1_1_VERSION' undeclared
openssl.c:1411: error: 'TLS1_2_VERSION' undeclared
2014-12-23 00:16:07 +00:00
Daniel Stenberg
6dae798824 openssl: fix SSL/TLS versions in verbose output 2014-12-22 14:21:17 +01:00
Daniel Stenberg
577286e0e2 openssl: make it compile against openssl 1.1.0-DEV master branch 2014-12-22 14:21:17 +01:00
Daniel Stenberg
03e206d18a openssl: warn for SRP set if SSLv3 is used, not for TLS version
... as it requires TLS and it was was left to warn on the default from
when default was SSL...
2014-12-21 23:25:49 +01:00
Nick Zitzmann
93227ddca5 darwinssl: fix incorrect usage of aprintf()
Commit b13923f changed an snprintf() to use aprintf(), but the API usage
wasn't correct, and was causing a crash to occur. This fixes it.
2014-12-15 00:56:09 -06:00
Daniel Stenberg
b13923f0f7 darwinssl: aprintf() to allocate the session key
... to avoid using a fixed memory size that risks being too large or too
small.
2014-12-14 17:34:02 +01:00
Marc Hoersken
212e3e26bc curl_schannel: Improvements to memory re-allocation strategy
- do not grow memory by doubling its size
- do not leak previously allocated memory if reallocation fails
- replace while-loop with a single check to make sure
  that the requested amount of data fits into the buffer

Bug: http://curl.haxx.se/bug/view.cgi?id=1450
Reported-by: Warren Menzer
2014-12-14 17:27:31 +01:00
Marc Hoersken
c98b50753f curl_schannel.c: Data may be available before connection shutdown 2014-12-14 16:40:49 +01:00
Daniel Stenberg
145c263a4b schannel_recv: return the correct code
Bug: http://curl.haxx.se/bug/view.cgi?id=1462
Reported-by: Tae Hyoung Ahn
2014-12-09 11:46:11 +01:00
Daniel Stenberg
680d5fd041 http2: avoid logging neg "failure" if h2 was not requested 2014-12-09 00:09:24 +01:00
Daniel Stenberg
26b57832fe NSS: enable the CAPATH option
Bug: http://curl.haxx.se/bug/view.cgi?id=1457
Patch-by: Tomasz Kojm
2014-12-03 06:21:29 -08:00
be1a505189 SSL: Add PEM format support for public key pinning 2014-11-24 19:30:09 +01:00
Steve Holme
bfc63bfb19 vtls.h: Fixed compiler warning when compiled without SSL
vtls.c:185:46: warning: unused parameter 'data'
2014-11-09 18:09:58 +00:00
Jay Satiro
e819c3a4ca SSL: PolarSSL default min SSL version TLS 1.0
- Prior to this change no SSL minimum version was set by default at
runtime for PolarSSL. Therefore in most cases PolarSSL would probably
have defaulted to a minimum version of SSLv3 which is no longer secure.
2014-11-04 11:40:51 +01:00
Steve Holme
b04eef1318 openssl: Use 'CURLcode result'
More CURLcode fixes.
2014-11-02 00:14:07 +00:00
Steve Holme
f0b4bc12f8 openssl: Use 'CURLcode result'
More standardisation of CURLcode usage and coding style.
2014-11-01 17:16:42 +00:00
Steve Holme
14b4707d9a openssl: Use 'CURLcode result'
...and some minor code style changes.
2014-11-01 16:14:05 +00:00
Steve Holme
befbc8f56b code cleanup: Use 'CURLcode result' 2014-10-30 23:14:45 +00:00
Daniel Stenberg
697aa67d18 openssl: enable NPN separately from ALPN
... and allow building with nghttp2 but completely without NPN and ALPN,
as nghttp2 can still be used for plain-text HTTP.

Reported-by: Lucas Pardue
2014-10-29 22:42:46 +01:00
Steve Holme
32913182dc vtls.c: Fixed compilation warning
conversion from 'size_t' to 'unsigned int', possible loss of data
2014-10-29 19:12:27 +00:00
Kamil Dudka
3f430c9c3a nss: drop the code for libcurl-level downgrade to SSLv3
This code was already deactivated by commit
ec783dc142.
2014-10-29 14:34:46 +01:00
Kamil Dudka
07048941a4 openssl: fix a line length warning 2014-10-29 14:34:46 +01:00
Guenter Knauf
357a15a649 Fixed error message since we require ALPN support. 2014-10-29 01:37:18 +01:00
Guenter Knauf
e42e3a4fac Check for ALPN via OpenSSL version number.
This check works also with to non-configure platforms.
2014-10-29 00:59:38 +01:00
Nick Zitzmann
bd87aec5a7 darwinssl: detect possible future removal of SSLv3 from the framework
If Apple ever drops SSLv3 support from the Security framework, we'll fail with an error if the user insists on using SSLv3.
2014-10-24 18:59:13 -05:00
Patrick Monnerat
3ca560439c gskit.c: remove SSLv3 from SSL default. 2014-10-24 16:08:21 +02:00
Patrick Monnerat
897ef500e5 gskit.c: use 'CURLcode result' 2014-10-24 15:16:05 +02:00
Jay Satiro
ec783dc142 SSL: Remove SSLv3 from SSL default due to POODLE attack
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss,
openssl effectively making the default TLS 1.x. axTLS is not affected
since it supports only TLS, and gnutls is not affected since it already
defaults to TLS 1.x.

- Update CURLOPT_SSLVERSION doc
2014-10-24 13:41:56 +02:00
Daniel Stenberg
0eb3d15ccb code cleanup: we prefer 'CURLcode result'
... for the local variable name in functions holding the return
code. Using the same name universally makes code easier to read and
follow.

Also, unify code for checking for CURLcode errors with:

 if(result) or if(!result)

instead of

 if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
2014-10-24 08:23:19 +02:00
Daniel Stenberg
9f5744a72f gnutls: removed dead code
Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien
2014-10-23 10:01:58 +02:00
Daniel Stenberg
e36115d688 Curl_rand: Uninitialized variable: r
This is not actually used uninitialized but we silence warnings.

Bug: http://curl.haxx.se/bug/view.cgi?id=1437
Reported-by: Julien
2014-10-23 10:01:36 +02:00