aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2017-08-31darwinssl: handle long strings in TLS certs (follow-up)Jay Satiro
- Fix handling certificate subjects that are already UTF-8 encoded. Follow-up to b3b75d1 from two days ago. Since then a copy would be skipped if the subject was already UTF-8, possibly resulting in a NULL deref later on. Ref: https://github.com/curl/curl/issues/1823 Ref: https://github.com/curl/curl/pull/1831 Closes https://github.com/curl/curl/pull/1836
2017-08-31cyassl: call it the "WolfSSL" backendDaniel Stenberg
... instead of cyassl, as this is the current name for it. Closes #1844
2017-08-31polarssl: fix multissl breakageDaniel Stenberg
Reported-by: Dan Fandrich Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html Closes #1843
2017-08-31configure: remove the leading comma from the backends listDaniel Stenberg
... when darwinssl is used. Reported-by: Viktor Szakats Bug: https://github.com/curl/curl/commit/b0989cd3abaff4f9a0717b4875022fa79e33b481#commitcomment-23943493 Closes #1845
2017-08-30examples/sslbackend.c: fix failure of 'make checksrc'Kamil Dudka
./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE) } else if(isdigit(*name)) { ^ ./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE) } else ^
2017-08-30makefile.m32: add multissl supportViktor Szakats
Closes https://github.com/curl/curl/pull/1840
2017-08-30curl.h: CURLSSLBACKEND_WOLFSSL used wrong valueDaniel Stenberg
The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk for a similar mistake, define the backend aliases to use the enum values instead. Reported-by: Gisle Vanem Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
2017-08-30curl_global_sslset.3: clarifyDaniel Stenberg
it is a one time *set*, not necessarily a one time use... it can be called again if the first call failed or just listed the alternatives. clarify that the available backends are the ones this build supports plus add some formatting Reported-by: Rich Gray Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
2017-08-29curl/multi.h: remove duplicated closing c++ braceDaniel Stenberg
Regression since 1328f69d53f2f2e93 Fixes #1841 Reported-by: Andrei Karas
2017-08-29RELEASE-NOTES: synced with 8c33c963aDaniel Stenberg
2017-08-29HELP-US.md: spellingDaniel Stenberg
2017-08-29HELP-US.md: "How to get started helping out in the curl project"Daniel Stenberg
Closes #1837
2017-08-29asyn-thread: Fixed cleanup after OOMDan Fandrich
destroy_async_data() assumes that if the flag "done" is not set yet, the thread itself will clean up once the request is complete. But if an error (generally OOM) occurs before the thread even has a chance to start, it will never get a chance to clean up and memory will be leaked. By clearing "done" only just before starting the thread, the correct cleanup sequence will happen in all cases.
2017-08-28curl_global_init.3: mention curl_global_sslset(3)Daniel Stenberg
2017-08-28unit1606: Fixed shadowed variable warningDan Fandrich
2017-08-28asyn-thread: Improved cleanup after OOM situationsDan Fandrich
2017-08-28asyn-thread: Set errno to the proper value ENOMEM in OOM situationDan Fandrich
This used to be set in some configurations to EAI_MEMORY which is not a valid value for errno and caused Curl_strerror to fail an assertion.
2017-08-28configure: Handle "MultiSSL" specially When versioning symbolsJohannes Schindelin
There is a mode in which libcurl is compiled with versioned symbols, depending on the active SSL backend. When multiple SSL backends are active, it does not make sense to favor one over the others, so let's not: introduce a new prefix for the case where multiple SSL backends are compiled into cURL. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28configure: allow setting the default SSL backendJohannes Schindelin
Previously, we used as default SSL backend whatever was first in the `available_backends` array. However, some users may want to override that default without patching the source code. Now they can: with the --with-default-ssl-backend=<backend> option of the ./configure script. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: use Curl_ssl_multi pseudo backend only when neededJohannes Schindelin
When only one SSL backend is configured, it is totally unnecessary to let multissl_init() configure the backend at runtime, we can select the correct backend at build time already. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28version: if built with more than one SSL backend, report all of themJohannes Schindelin
To discern the active one from the inactive ones, put the latter into parentheses. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28version: add the CURL_VERSION_MULTI_SSL feature flagJohannes Schindelin
This new feature flag reports When cURL was built with multiple SSL backends. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28metalink: allow compiling with multiple SSL backendsJohannes Schindelin
Previously, the code assumed that at most one of the SSL backends would be compiled in, emulating OpenSSL's functions if the configured backend was not OpenSSL itself. However, now we allow building with multiple SSL backends and choosing one at runtime. Therefore, metalink needs to be adjusted to handle this scenario, too. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28docs/examples: demonstrate how to select SSL backendsJohannes Schindelin
The newly-introduced curl_global_sslset() function deserves to be show-cased. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28Add a man page for curl_global_sslset()Johannes Schindelin
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: introduce curl_global_sslset()Johannes Schindelin
Let's add a compile time safe API to select an SSL backend. This function needs to be called *before* curl_global_init(), and can be called only once. Side note: we do not explicitly test that it is called before curl_global_init(), but we do verify that it is not called multiple times (even implicitly). If SSL is used before the function was called, it will use whatever the CURL_SSL_BACKEND environment variable says (or default to the first available SSL backend), and if a subsequent call to curl_global_sslset() disagrees with the previous choice, it will fail with CURLSSLSET_TOO_LATE. The function also accepts an "avail" parameter to point to a (read-only) NULL-terminated list of available backends. This comes in real handy if an application wants to let the user choose between whatever SSL backends the currently available libcurl has to offer: simply call curl_global_sslset(-1, NULL, &avail); which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail variable to point to the relevant information to present to the user. Just like with the HTTP/2 push functions, we have to add the function declaration of curl_global_sslset() function to the header file *multi.h* because VMS and OS/400 require a stable order of functions declared in include/curl/*.h (where the header files are sorted alphabetically). This looks a bit funny, but it cannot be helped. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: refactor out essential information about the SSL backendsJohannes Schindelin
There is information about the compiled-in SSL backends that is really no concern of any code other than the SSL backend itself, such as which function (if any) implements SHA-256 summing. And there is information that is really interesting to the user, such as the name, or the curl_sslbackend value. Let's factor out the latter into a publicly visible struct. This information will be used in the upcoming API to set the SSL backend globally. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: allow selecting which SSL backend to use at runtimeJohannes Schindelin
When building software for the masses, it is sometimes not possible to decide for all users which SSL backend is appropriate. Git for Windows, for example, uses cURL to perform clones, fetches and pushes via HTTPS, and some users strongly prefer OpenSSL, while other users really need to use Secure Channel because it offers enterprise-ready tools to manage credentials via Windows' Credential Store. The current Git for Windows versions use the ugly work-around of building libcurl once with OpenSSL support and once with Secure Channel support, and switching out the binaries in the installer depending on the user's choice. Needless to say, this is a super ugly workaround that actually only works in some cases: Git for Windows also comes in a portable form, and in a form intended for third-party applications requiring Git functionality, in which cases this "swap out libcurl-4.dll" simply is not an option. Therefore, the Git for Windows project has a vested interest in teaching cURL to make the SSL backend a *runtime* option. This patch makes that possible. By running ./configure with multiple --with-<backend> options, cURL will be built with multiple backends. For the moment, the backend can be configured using the environment variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and "schannel"). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: fold the backend ID into the Curl_ssl structureJohannes Schindelin
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28curl_ntlm_core: don't complain but #include OpenSSL header if neededJohannes Schindelin
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: encapsulate SSL backend-specific dataJohannes Schindelin
So far, all of the SSL backends' private data has been declared as part of the ssl_connect_data struct, in one big #if .. #elif .. #endif block. This can only work as long as the SSL backend is a compile-time option, something we want to change in the next commits. Therefore, let's encapsulate the exact data needed by each SSL backend into a private struct, and let's avoid bleeding any SSL backend-specific information into urldata.h. This is also necessary to allow multiple SSL backends to be compiled in at the same time, as e.g. OpenSSL's and CyaSSL's headers cannot be included in the same .c file. To avoid too many malloc() calls, we simply append the private structs to the connectdata struct in allocate_conn(). This requires us to take extra care of alignment issues: struct fields often need to be aligned on certain boundaries e.g. 32-bit values need to be stored at addresses that divide evenly by 4 (= 32 bit / 8 bit-per-byte). We do that by assuming that no SSL backend's private data contains any fields that need to be aligned on boundaries larger than `long long` (typically 64-bit) would need. Under this assumption, we simply add a dummy field of type `long long` to the `struct connectdata` struct. This field will never be accessed but acts as a placeholder for the four instances of ssl_backend_data instead. the size of each ssl_backend_data struct is stored in the SSL backend-specific metadata, to allow allocate_conn() to know how much extra space to allocate, and how to initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend pointers. This would appear to be a little complicated at first, but is really necessary to encapsulate the private data of each SSL backend correctly. And we need to encapsulate thusly if we ever want to allow selecting CyaSSL and OpenSSL at runtime, as their headers cannot be included within the same .c file (there are just too many conflicting definitions and declarations for that). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: prepare the SSL backends for encapsulated private dataJohannes Schindelin
At the moment, cURL's SSL backend needs to be configured at build time. As such, it is totally okay for them to hard-code their backend-specific data in the ssl_connect_data struct. In preparation for making the SSL backend a runtime option, let's make the access of said private data a bit more abstract so that it can be adjusted later in an easy manner. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28urldata.h: move SSPI-specific #include to correct locationJohannes Schindelin
In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables, 2014-12-03), an SSPI-specific field was added to the kerberos5data struct without moving the #include "curl_sspi.h" later in the same file. This broke the build when SSPI was enabled, unless Secure Channel was used as SSL backend, because it just so happens that Secure Channel also requires "curl_sspi.h" to be #included. In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled, 2017-02-21), this bug was fixed incorrectly: Instead of moving the appropriate conditional #include, the Secure Channel-conditional part was now also SSPI-conditional. Fix this problem by moving the correct #include instead. This is also required for an upcoming patch that moves all the Secure Channel-specific stuff out of urldata.h and encapsulates it properly in vtls/schannel.c instead. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28urldata.h: remove support for obsolete PolarSSL versionJohannes Schindelin
Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require a newer PolarSSL version. No need to keep code trying to support any older version. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28getinfo: access SSL internals via Curl_sslJohannes Schindelin
In the ongoing endeavor to abstract out all SSL backend-specific functionality, this is the next step: Instead of hard-coding how the different SSL backends access their internal data in getinfo.c, let's implement backend-specific functions to do that task. This will also allow for switching SSL backends as a runtime option. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move SSL backends' private constants out of their header filesJohannes Schindelin
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28axtls: use Curl_none_* versions of init() and cleanup()Johannes Schindelin
There are convenient no-op versions of the init/cleanup functions now, no need to define private ones for axTLS. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: remove obsolete declarations of SSL backend functionalityJohannes Schindelin
These functions are all available via the Curl_ssl struct now, no need to declare them separately anymore. As the global declarations are removed, the corresponding function definitions are marked as file-local. The only two exceptions here are Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the declarations were removed, there are no function definitions to mark file-local. Please note that Curl_nss_force_init() is *still* declared globally, as the only SSL backend-specific function, because it was introduced specifically for the use case where cURL was compiled with `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add support for NSS, 2010-06-27). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28schannel: reorder functions topologicallyJohannes Schindelin
The _shutdown() function calls the _session_free() function; While this is not a problem now (because schannel.h declares both functions), a patch looming in the immediate future with make all of these functions file-local. So let's just move the _session_free() function's definition before it is called. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28axtls: reorder functions topologicallyJohannes Schindelin
The connect_finish() function (like many other functions after it) calls the Curl_axtls_close() function; While this is not a problem now (because axtls.h declares the latter function), a patch looming in the immediate future with make all of these functions file-local. So let's just move the Curl_axtls_close() function's definition before it is called. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl structJohannes Schindelin
That will allow us to choose the SSL backend at runtime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: convert the have_curlssl_* constants to runtime flagsJohannes Schindelin
The entire idea of introducing the Curl_ssl struct to describe SSL backends is to prepare for choosing the SSL backend at runtime. To that end, convert all the #ifdef have_curlssl_* style conditionals to use bit flags instead. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move sha256sum into the Curl_ssl structJohannes Schindelin
The SHA-256 checksumming is also an SSL backend-specific function. Let's include it in the struct declaring the functionality of SSL backends. In contrast to MD5, there is no fall-back code. To indicate this, the respective entries are NULL for those backends that offer no support for SHA-256 checksumming. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move md5sum into the Curl_ssl structJohannes Schindelin
The MD5 summing is also an SSL backend-specific function. So let's include it, offering the previous fall-back code as a separate function now: Curl_none_md5sum(). To allow for that, the signature had to be changed so that an error could be returned from the implementation (Curl_none_md5sum() can run out of memory). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: use the Curl_ssl struct to access all SSL backends' functionalityJohannes Schindelin
This is the first step to unify the SSL backend handling. Now all the SSL backend-specific functionality is accessed via a global instance of the Curl_ssl struct. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: declare Curl_ssl structs for every SSL backendJohannes Schindelin
The idea of introducing the Curl_ssl struct was to unify how the SSL backends are declared and called. To this end, we now provide an instance of the Curl_ssl struct for each and every SSL backend. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: introduce a new struct for SSL backendsJohannes Schindelin
This new struct is similar in nature to Curl_handler: it will define the functions and capabilities of all the SSL backends (where Curl_handler defines the functions and capabilities of protocol handlers). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: make sure every _sha256sum()'s first arg is constJohannes Schindelin
This patch makes the signature of the _sha256sum() functions consistent among the SSL backends, in preparation for unifying the way all SSL backends are accessed. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: make sure all _data_pending() functions return boolJohannes Schindelin
This patch makes the signature of the _data_pending() functions consistent among the SSL backends, in preparation for unifying the way all SSL backends are accessed. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: make sure all _cleanup() functions return voidJohannes Schindelin
This patch makes the signature of the _cleanup() functions consistent among the SSL backends, in preparation for unifying the way all SSL backends are accessed. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>