curl/lib/vtls, branch master cURL mirror with patches applied ntlm: enable NTLM support with wolfSSL 2020-06-16T07:06:19+00:00 Ruurd Beerstra ruurd.beerstra@infor.com 2020-06-11T15:14:43+00:00 d80d419d3e3bf0e5f0dea160df5609c57cb3c5df When wolfSSL is built with its OpenSSL API layer, it fetures the same DES* functions that OpenSSL has. This change take advantage of that. Co-authored-by: Daniel Stenberg Closes #5556 Fixes #5548 
When wolfSSL is built with its OpenSSL API layer, it fetures the same DES*
functions that OpenSSL has. This change take advantage of that.

Co-authored-by: Daniel Stenberg
Closes #5556
Fixes #5548
openssl: set FLAG_TRUSTED_FIRST unconditionally 2020-06-06T16:01:24+00:00 François Rigault rigault.francois@gmail.com 2020-06-05T20:00:58+00:00 e2de2d53979ac6d93303562f5531f75944e70b8b On some systems, openssl 1.0.x is still the default, but it has been patched to contain all the recent security fixes. As a result of this patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be defined, while the previous behavior of openssl to not look at trusted chains first, remains. Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to probe for the behavior of openssl based on the existence ofmacros. Closes #5530 
On some systems, openssl 1.0.x is still the default, but it has been
patched to contain all the recent security fixes. As a result of this
patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be
defined, while the previous behavior of openssl to not look at trusted
chains first, remains.

Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to
probe for the behavior of openssl based on the existence ofmacros.

Closes #5530
vtls: repair the build with `CURL_DISABLE_PROXY` 2020-06-01T21:03:31+00:00 Saleem Abdulrasool compnerd@compnerd.org 2020-06-01T18:20:47+00:00 21ed48e8d99b8c172ba0a5871bdd8a22ba43612c `http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY` is enabled. Repair the build with that configuration. Follow-up to f3d501dc67 Closes #5498 
`http_proxy` will not be available in `conndata` if `CURL_DISABLE_PROXY`
is enabled.  Repair the build with that configuration.

Follow-up to f3d501dc67

Closes #5498
build: disable more code/data when built without proxy support 2020-05-30T21:18:16+00:00 Daniel Stenberg daniel@haxx.se 2020-05-27T09:51:34+00:00 f3d501dc678d80a93325bd93ab05c48855e1c0d1 Added build to travis to verify Closes #5466 
Added build to travis to verify

Closes #5466
timeouts: change millisecond timeouts to timediff_t from time_t 2020-05-30T21:10:57+00:00 Daniel Stenberg daniel@haxx.se 2020-05-28T22:08:03+00:00 842f73de58f38bd6e285e08bbd1adb6c17cb62cd For millisecond timers we like timediff_t better. Also, time_t can be unsigned so returning a negative value doesn't work then. Closes #5479 
For millisecond timers we like timediff_t better. Also, time_t can be
unsigned so returning a negative value doesn't work then.

Closes #5479
wolfssl: add SSLKEYLOGFILE support 2020-05-27T19:19:51+00:00 Peter Wu peter@lekensteyn.nl 2020-05-03T22:16:40+00:00 7be7c56be941192c0f9b4ba33a7cb1f12a821035 Tested following the same curl and tshark commands as in commit "vtls: Extract and simplify key log file handling from OpenSSL" using WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with `./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`. Full support for this feature requires certain wolfSSL build options, see "Availability note" in lib/vtls/wolfssl.c for details. Closes #5327 
Tested following the same curl and tshark commands as in commit
"vtls: Extract and simplify key log file handling from OpenSSL" using
WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with
`./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`.

Full support for this feature requires certain wolfSSL build options,
see "Availability note" in lib/vtls/wolfssl.c for details.

Closes #5327
vtls: Extract and simplify key log file handling from OpenSSL 2020-05-27T19:19:51+00:00 Peter Wu peter@lekensteyn.nl 2020-05-03T15:10:40+00:00 6011a986ca3a4c162eb0daf9204fa5ddbc20a86e Create a set of routines for TLS key log file handling to enable reuse with other TLS backends. Simplify the OpenSSL backend as follows: - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled. - Do not perform dynamic memory allocation when preparing a log entry. Unless the TLS specifications change we can suffice with a reasonable fixed-size buffer. - Simplify state tracking when SSL_CTX_set_keylog_callback is unavailable. My original sslkeylog.c code included this tracking in order to handle multiple calls to SSL_connect and detect new keys after renegotiation (via SSL_read/SSL_write). For curl however we can be sure that a single master secret eventually becomes available after SSL_connect, so a simple flag is sufficient. An alternative to the flag is examining SSL_state(), but this seems more complex and is not pursued. Capturing keys after server renegotiation was already unsupported in curl and remains unsupported. Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f (`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`) against an OpenSSL 1.1.1f server configured with: # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2 openssl s_server -www -tls1 # Likewise, but fail the server handshake. openssl s_server -www -tls1 -Verify 2 # TLS 1.3 test. No need to test the failing server handshake. openssl s_server -www -tls1_3 Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly written using Wireshark. For the first and third case, expect four matches per connection (decrypted Server Finished, Client Finished, HTTP Request, HTTP Response). For the second case where the handshake fails, expect a decrypted Server Finished only. tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \ -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \ -dtls.port==4433,http -ohttp.desegment_body:FALSE \ -Y 'tls.handshake.verify_data or http' A single connection can easily be identified via the `tcp.stream` field. 
Create a set of routines for TLS key log file handling to enable reuse
with other TLS backends. Simplify the OpenSSL backend as follows:

 - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
 - Do not perform dynamic memory allocation when preparing a log entry.
   Unless the TLS specifications change we can suffice with a reasonable
   fixed-size buffer.
 - Simplify state tracking when SSL_CTX_set_keylog_callback is
   unavailable. My original sslkeylog.c code included this tracking in
   order to handle multiple calls to SSL_connect and detect new keys
   after renegotiation (via SSL_read/SSL_write). For curl however we can
   be sure that a single master secret eventually becomes available
   after SSL_connect, so a simple flag is sufficient. An alternative to
   the flag is examining SSL_state(), but this seems more complex and is
   not pursued. Capturing keys after server renegotiation was already
   unsupported in curl and remains unsupported.

Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
(`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
against an OpenSSL 1.1.1f server configured with:

    # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
    openssl s_server -www -tls1
    # Likewise, but fail the server handshake.
    openssl s_server -www -tls1 -Verify 2
    # TLS 1.3 test. No need to test the failing server handshake.
    openssl s_server -www -tls1_3

Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
written using Wireshark. For the first and third case, expect four
matches per connection (decrypted Server Finished, Client Finished, HTTP
Request, HTTP Response). For the second case where the handshake fails,
expect a decrypted Server Finished only.

    tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
        -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
        -dtls.port==4433,http -ohttp.desegment_body:FALSE \
        -Y 'tls.handshake.verify_data or http'

A single connection can easily be identified via the `tcp.stream` field.
cleanup: use a single space after equals sign in assignments 2020-05-26T06:28:38+00:00 Daniel Stenberg daniel@haxx.se 2020-05-26T06:26:20+00:00 d23cc224e6d25eec99a988f4db18c040bde3e97b 






all: fix codespell errors
2020-05-25T19:44:04+00:00

Viktor Szakats
commit@vsz.me

2020-05-25T19:44:04+00:00

308c243db5b7425b454a981d4c0eb7bfac374b8b

Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452





Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452







setopt: support certificate options in memory with struct curl_blob
2020-05-15T11:03:59+00:00

Gilles Vollant
info@winimage.com

2020-05-15T08:47:46+00:00

cac5374298b3e79405bbdabe38941227c73a4c96

This change introduces a generic way to provide binary data in setopt
options, called BLOBs.

This change introduces these new setopts:

CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.

Reviewed-by: Daniel Stenberg
Closes #5357





This change introduces a generic way to provide binary data in setopt
options, called BLOBs.

This change introduces these new setopts:

CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.

Reviewed-by: Daniel Stenberg
Closes #5357