aboutsummaryrefslogtreecommitdiff
path: root/lib/curl_darwinssl.c
AgeCommit message (Collapse)Author
2013-11-12darwinssl: check for SSLSetSessionOption() presence when toggling BEASTNick Zitzmann
Even though this is only a formality (since not many people build on Mavericks while targeting Leopard), since we still support Leopard at the earliest, we might as well be pedantic.
2013-11-12darwinssl: PKCS#12 import feature now requires Lion or laterNick Zitzmann
It turns out that some of the constants necessary to make this feature work are missing from Snow Leopard's Security framework even though they are defined in the headers. Bug: http://curl.haxx.se/mail/lib-2013-11/0076.html Reported by: myriachan
2013-10-15SSL: protocol version can be specified more preciselyGergely Nagy
CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version (CURL_SSLVERSION_TLSv1 means TLS 1.x). axTLS: axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one of these should be used, so we don't allow the new enum values. darwinssl: Added support for the new enum values. SChannel: Added support for the new enum values. CyaSSL: Added support for the new enum values. Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it did the same before this commit), because CyaSSL cannot be configured to use TLS 1.0-1.2. GSKit: GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow those values. Bugfix: There was a typo that caused wrong SSL versions to be passed to GSKit. NSS: TLS minor version cannot be set, so we don't allow the new enum values. QsoSSL: TLS minor version cannot be set, so we don't allow the new enum values. OpenSSL: Added support for the new enum values. Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0, now it enables 1.0-1.2. Command-line tool: Added command line options for the new values.
2013-10-14darwinssl: un-break iOS build after PKCS#12 feature addedNick Zitzmann
SecPKCS12Import() returns a few errors that are enumerated in OS X's headers but not in iOS' headers for some reason.
2013-10-02darwinssl: block TLS_RSA_WITH_NULL_SHA256 cipherNick Zitzmann
Credit (for catching a cipher I forgot to add to the blocked ciphers list): https://www.ssllabs.com/ssltest/viewMyClient.html
2013-09-19darwinssl: enable BEAST workaround on iOS 7 & laterNick Zitzmann
iOS 7 finally added the option to enable 1/n-1 when using TLS 1.0 and a CBC cipher, so we now always turn that on unless the user manually turns it off using CURLSSLOPT_ALLOW_BEAST. It appears Apple also added some new PSK ciphers, but no interface to use them yet, so we at least support printing them if we find them.
2013-09-05darwinssl: add support for PKCS#12 files for client authenticationNick Zitzmann
I also documented the fact that the OpenSSL engine also supports them.
2013-07-30darwinssl: added LFs to some strings passed into infof()Nick Zitzmann
(This doesn't need to appear in the release notes.) I noticed a few places where infof() was called, and there should've been an LF at the end of the string, but there wasn't.
2013-07-30darwinssl: fix build error in crypto authentication under Snow LeopardNick Zitzmann
It turns out Snow Leopard not only has SecItemCopyMatching() defined in a header not included by the omnibus header, but it won't work for our purposes, because searching for SecIdentityRef objects wasn't added to that API until Lion. So we now use the old SecKeychainSearch API instead if the user is building under, or running under, Snow Leopard. Bug: http://sourceforge.net/p/curl/bugs/1255/ Reported by: Edward Rudd
2013-07-02darwinssl: SSLv2 connections are aborted if unsupported by the OSNick Zitzmann
I just noticed that OS X no longer supports SSLv2. Other TLS engines return an error if the requested protocol isn't supported by the underlying engine, so we do that now for SSLv2 if the framework returns an error when trying to turn on SSLv2 support. (Note: As always, SSLv2 support is only enabled in curl when starting the app with the -2 argument; it's off by default. SSLv2 is really old and insecure.)
2013-06-22darwinssl: fix crash that started happening in LionNick Zitzmann
Something (a recent security update maybe?) changed in Lion, and now it has changed SSLCopyPeerTrust such that it may return noErr but also give us a null trust, which caught us off guard and caused an eventual crash.
2013-06-22darwinssl: reform OS-specific #definesNick Zitzmann
This doesn't need to be in the release notes. I cleaned up a lot of the #if lines in the code to use MAC_OS_X_VERSION_MIN_REQUIRED and MAC_OS_X_VERSION_MAX_ALLOWED instead of checking for whether things like __MAC_10_6 or whatever were defined, because for some SDKs Apple has released they were defined out of place.
2013-04-27darwinssl: add TLS crypto authenticationNick Zitzmann
Users using the Secure Transport (darwinssl) back-end can now use a certificate and private key to authenticate with a site using TLS. Because Apple's security system is based around the keychain and does not have any non-public function to create a SecIdentityRef data structure from data loaded outside of the Keychain, the certificate and private key have to be loaded into the Keychain first (using the certtool command line tool or the Security framework's C API) before we can find it and use it.
2013-04-12darwinssl: add TLS session resumptionNick Zitzmann
This ought to speed up additional TLS handshakes, at least in theory.
2013-04-08darwinssl: disable insecure ciphers by defaultNick Zitzmann
I noticed that aria2's SecureTransport code disables insecure ciphers such as NULL, anonymous, IDEA, and weak-key ciphers used by SSLv3 and later. That's a good idea, and now we do the same thing in order to prevent curl from accessing a "secure" site that only negotiates insecure ciphersuites.
2013-04-01darwinssl: additional descriptive messages of SSL handshake errorsNick Zitzmann
(This doesn't need to appear in the release notes.)
2013-03-19darwinssl: disable ECC ciphers under Mountain Lion by defaultNick Zitzmann
I found out that ECC doesn't work as of OS X 10.8.3, so those ciphers are turned off until the next point release of OS X.
2013-03-03darwinssl: fix infinite loop if server disconnected abruptlyNick Zitzmann
If the server hung up the connection without sending a closure alert, then we'd keep probing the socket for data even though it's dead. Now we're ready for this situation. Bug: http://curl.haxx.se/mail/lib-2013-03/0014.html Reported by: Aki Koskinen
2013-02-12darwinssl: Fix send glitchiness with data > 32 or so KBNick Zitzmann
An ambiguity in the SSLWrite() documentation lead to a bad inference in the code where we assumed SSLWrite() returned the amount of bytes written to the socket, when that is not actually true; it returns the amount of data that is buffered for writing to the socket if it returns errSSLWouldBlock. Now darwinssl_send() returns CURLE_AGAIN if data is buffered but not written. Reference URL: http://curl.haxx.se/mail/lib-2013-02/0145.html
2013-02-08darwinssl: Make certificate errors less techyNick Zitzmann
Previously if a problem was found with one of the server's certificates, we'd log an OSStatus for the end user to look up. Now we explain what was wrong with the site's certificate chain. Also un-did part of the previous commit where the code wouldn't catch errSSLServerAuthCompleted if built under Leopard.
2013-02-07darwinssl: Fix build under LeopardNick Zitzmann
It turns out that Leopard (OS X 10.5) doesn't have constants for the ECDH ciphers in its headers, so the cases for them have been taken out of the build when building under Leopard. Also added a standard function for getting a string description of a SecCertificateRef.
2013-01-29darwinssl: Fix bug where packets were sometimes transmitted twiceNick Zitzmann
There was a bug where, if SSLWrite() returned errSSLWouldBlock but did succeed in transmitting at least something, then we'd incorrectly resend the packet. Now we never take errSSLWouldBlock as a sign that nothing was transferred to/from the server. Bug: http://curl.haxx.se/mail/lib-2013-01/0295.html Reported by: Bruno de Carvalho
2013-01-09build: fix circular header inclusion with other packagesYang Tse
This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-06Revert changes relative to lib/*.[ch] recent renamingYang Tse
This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2013-01-03build: make use of 93 lib/*.c renamed filesYang Tse
93 *.c source files renamed to use our standard naming scheme. This change affects 77 files in libcurl's source tree.
2012-12-28build: make use of 76 lib/*.h renamed filesYang Tse
76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
2012-12-27darwinssl: Fixed inability to disable peer verificationNick Zitzmann
... on Snow Leopard and Lion Snow Leopard introduced the SSLSetSessionOption() function, but it doesn't disable peer verification as expected on Snow Leopard or Lion (it works as expected in Mountain Lion). So we now use sysctl() to detect whether or not the user is using Snow Leopard or Lion, and if that's the case, then we now use the deprecated SSLSetEnableCertVerify() function instead to disable peer verification.
2012-12-14darwinssl: Fix implicit conversion compiler warningsNick Zitzmann
The Clang compiler found a few implicit conversion problems that have now been fixed.
2012-12-14setup_once.h: refactor inclusion of <unistd.h> and <sys/socket.h>Yang Tse
Inclusion of top two most included header files now done in setup_once.h
2012-11-08SSL: Several SSL-backend related fixesOscar Koeroo
axTLS: This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend. Generic for OpenSSL and axTLS: Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c files to make them genericly available for both the OpenSSL, axTLS and other SSL backends. They are now in the new lib/hostcheck.c file. CyaSSL: CyaSSL now also has the RFC2818 checks enabled by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too. Schannel: Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist). PolarSSL: Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower then PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0. Generic: All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.
2012-11-06CURLOPT_SSL_VERIFYHOST: stop supporting the 1 valueDaniel Stenberg
After a research team wrote a document[1] that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option were all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have an as thin layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position. [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
2012-10-16darwinssl: un-broke iOS build, fix error on server disconnectNick Zitzmann
The iOS build was broken by a reference to a function that only existed under OS X; fixed. Also fixed a hard-to-reproduce problem where, if the server disconnected before libcurl got the chance to hang up first and SecureTransport was in use, then we'd raise an error instead of failing gracefully.
2012-09-08darwinssl: fixed for older Mac OS X versionsNick Zitzmann
SSL didn't work on older cats if built on a newer cat with weak-linking turned on to support the older cat
2012-09-01darwinssl: Bugfix for previous commit for older catsNick Zitzmann
I accidentally broke functionality for versions of OS X prior to Mountain Lion in the previous commit. This commit fixes the problems.
2012-08-18darwinssl: add TLS 1.1 and 1.2 support, replace deprecated functionsNick Zitzmann
In Mountain Lion, Apple added TLS 1.1 and 1.2, and deprecated a number of SecureTransport functions, some of which we were using. We now check to see if the replacement functions are present, and if so, we use them instead. The old functions are still present for users of older cats. Also fixed a build warning that started to appear under Mountain Lion
2012-07-25darwinssl: fixed freeze involving the multi interfaceNick Zitzmann
Previously the curl_multi interface would freeze if darwinssl was enabled and at least one of the handles tried to connect to a Web site using HTTPS. Removed the "wouldblock" state darwinssl was using because I figured out a solution for our "would block but in which direction?" dilemma.
2012-07-08darwinssl: don't use arc4random_bufNick Zitzmann
Re-wrote Curl_darwinssl_random() to not use arc4random_buf() because the function is not available prior to iOS 4.3 and OS X 10.7.
2012-07-07darwinssl: output cipher with text, remove SNI warningNick Zitzmann
The code was printing a warning when SNI was set up successfully. Oops. Printing the cipher number in verbose mode was something only TLS/SSL programmers might understand, so I had it print the name of the cipher, just like in the OpenSSL code. That'll be at least a little bit easier to understand. The SecureTransport API doesn't have a method of getting a string from a cipher like OpenSSL does, so I had to generate the strings manually.
2012-06-27build: add our standard includes to curl_darwinssl.c and curl_multibyte.cYang Tse
2012-06-27DarwinSSL: allow using NTLM authenticationNick Zitzmann
Allow NTLM authentication when building using SecureTransport (Darwin) for SSL. This uses CommonCrypto, a cryptography library that ships with all versions of iOS and Mac OS X. It's like OpenSSL's libcrypto, except that it's missing a few less-common cyphers and doesn't have a big number data structure.
2012-06-26DarwinSSL: several adjustmentsNick Zitzmann
- Renamed st_ function prefix to darwinssl_ - Renamed Curl_st_ function prefix to Curl_darwinssl_ - Moved the duplicated ssl_connect_done out of the #ifdef in lib/urldata.h - Fixed a teensy little bug that made non-blocking connection attempts block - Made it so that it builds cleanly against the iOS 5.1 SDK
2012-06-26darwinssl: add support for native Mac OS X/iOS SSLNick Zitzmann