aboutsummaryrefslogtreecommitdiff
path: root/lib/gtls.c
AgeCommit message (Collapse)Author
2013-12-16gtls: respect *VERIFYHOST independently of *VERIFYPEERDaniel Stenberg
Security flaw CVE-2013-6422 This is conceptually the same problem and fix that 3c3622b6 brought to the OpenSSL backend and that resulted in CVE-2013-4545. This version of the problem was independently introduced to the GnuTLS backend with commit 59cf93cc, present in the code since the libcurl 7.21.4 release. Advisory: http://curl.haxx.se/docs/adv_20131217.html Bug: http://curl.haxx.se/mail/lib-2013-11/0214.html Reported-by: Marc Deslauriers
2013-01-09build: fix circular header inclusion with other packagesYang Tse
This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-06Revert changes relative to lib/*.[ch] recent renamingYang Tse
This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2013-01-03build: rename 93 lib/*.c filesYang Tse
93 lib/*.c source files renamed to use our standard naming scheme. This commit only does the file renaming. ---------------------------------------- renamed: lib/amigaos.c -> lib/curl_amigaos.c renamed: lib/asyn-ares.c -> lib/curl_asyn_ares.c renamed: lib/asyn-thread.c -> lib/curl_asyn_thread.c renamed: lib/axtls.c -> lib/curl_axtls.c renamed: lib/base64.c -> lib/curl_base64.c renamed: lib/bundles.c -> lib/curl_bundles.c renamed: lib/conncache.c -> lib/curl_conncache.c renamed: lib/connect.c -> lib/curl_connect.c renamed: lib/content_encoding.c -> lib/curl_content_encoding.c renamed: lib/cookie.c -> lib/curl_cookie.c renamed: lib/cyassl.c -> lib/curl_cyassl.c renamed: lib/dict.c -> lib/curl_dict.c renamed: lib/easy.c -> lib/curl_easy.c renamed: lib/escape.c -> lib/curl_escape.c renamed: lib/file.c -> lib/curl_file.c renamed: lib/fileinfo.c -> lib/curl_fileinfo.c renamed: lib/formdata.c -> lib/curl_formdata.c renamed: lib/ftp.c -> lib/curl_ftp.c renamed: lib/ftplistparser.c -> lib/curl_ftplistparser.c renamed: lib/getenv.c -> lib/curl_getenv.c renamed: lib/getinfo.c -> lib/curl_getinfo.c renamed: lib/gopher.c -> lib/curl_gopher.c renamed: lib/gtls.c -> lib/curl_gtls.c renamed: lib/hash.c -> lib/curl_hash.c renamed: lib/hmac.c -> lib/curl_hmac.c renamed: lib/hostasyn.c -> lib/curl_hostasyn.c renamed: lib/hostcheck.c -> lib/curl_hostcheck.c renamed: lib/hostip.c -> lib/curl_hostip.c renamed: lib/hostip4.c -> lib/curl_hostip4.c renamed: lib/hostip6.c -> lib/curl_hostip6.c renamed: lib/hostsyn.c -> lib/curl_hostsyn.c renamed: lib/http.c -> lib/curl_http.c renamed: lib/http_chunks.c -> lib/curl_http_chunks.c renamed: lib/http_digest.c -> lib/curl_http_digest.c renamed: lib/http_negotiate.c -> lib/curl_http_negotiate.c renamed: lib/http_negotiate_sspi.c -> lib/curl_http_negotiate_sspi.c renamed: lib/http_proxy.c -> lib/curl_http_proxy.c renamed: lib/idn_win32.c -> lib/curl_idn_win32.c renamed: lib/if2ip.c -> lib/curl_if2ip.c renamed: lib/imap.c -> lib/curl_imap.c renamed: lib/inet_ntop.c -> lib/curl_inet_ntop.c renamed: lib/inet_pton.c -> lib/curl_inet_pton.c renamed: lib/krb4.c -> lib/curl_krb4.c renamed: lib/krb5.c -> lib/curl_krb5.c renamed: lib/ldap.c -> lib/curl_ldap.c renamed: lib/llist.c -> lib/curl_llist.c renamed: lib/md4.c -> lib/curl_md4.c renamed: lib/md5.c -> lib/curl_md5.c renamed: lib/memdebug.c -> lib/curl_memdebug.c renamed: lib/mprintf.c -> lib/curl_mprintf.c renamed: lib/multi.c -> lib/curl_multi.c renamed: lib/netrc.c -> lib/curl_netrc.c renamed: lib/non-ascii.c -> lib/curl_non_ascii.c renamed: lib/curl_non-ascii.h -> lib/curl_non_ascii.h renamed: lib/nonblock.c -> lib/curl_nonblock.c renamed: lib/nss.c -> lib/curl_nss.c renamed: lib/nwlib.c -> lib/curl_nwlib.c renamed: lib/nwos.c -> lib/curl_nwos.c renamed: lib/openldap.c -> lib/curl_openldap.c renamed: lib/parsedate.c -> lib/curl_parsedate.c renamed: lib/pingpong.c -> lib/curl_pingpong.c renamed: lib/polarssl.c -> lib/curl_polarssl.c renamed: lib/pop3.c -> lib/curl_pop3.c renamed: lib/progress.c -> lib/curl_progress.c renamed: lib/qssl.c -> lib/curl_qssl.c renamed: lib/rawstr.c -> lib/curl_rawstr.c renamed: lib/rtsp.c -> lib/curl_rtsp.c renamed: lib/security.c -> lib/curl_security.c renamed: lib/select.c -> lib/curl_select.c renamed: lib/sendf.c -> lib/curl_sendf.c renamed: lib/share.c -> lib/curl_share.c renamed: lib/slist.c -> lib/curl_slist.c renamed: lib/smtp.c -> lib/curl_smtp.c renamed: lib/socks.c -> lib/curl_socks.c renamed: lib/socks_gssapi.c -> lib/curl_socks_gssapi.c renamed: lib/socks_sspi.c -> lib/curl_socks_sspi.c renamed: lib/speedcheck.c -> lib/curl_speedcheck.c renamed: lib/splay.c -> lib/curl_splay.c renamed: lib/ssh.c -> lib/curl_ssh.c renamed: lib/sslgen.c -> lib/curl_sslgen.c renamed: lib/ssluse.c -> lib/curl_ssluse.c renamed: lib/strdup.c -> lib/curl_strdup.c renamed: lib/strequal.c -> lib/curl_strequal.c renamed: lib/strerror.c -> lib/curl_strerror.c renamed: lib/strtok.c -> lib/curl_strtok.c renamed: lib/strtoofft.c -> lib/curl_strtoofft.c renamed: lib/telnet.c -> lib/curl_telnet.c renamed: lib/tftp.c -> lib/curl_tftp.c renamed: lib/timeval.c -> lib/curl_timeval.c renamed: lib/transfer.c -> lib/curl_transfer.c renamed: lib/url.c -> lib/curl_url.c renamed: lib/version.c -> lib/curl_version.c renamed: lib/warnless.c -> lib/curl_warnless.c renamed: lib/wildcard.c -> lib/curl_wildcard.c ----------------------------------------
2013-01-03build: make use of 93 lib/*.c renamed filesYang Tse
93 *.c source files renamed to use our standard naming scheme. This change affects 77 files in libcurl's source tree.
2012-12-28build: make use of 76 lib/*.h renamed filesYang Tse
76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
2012-12-14setup_once.h: refactor inclusion of <unistd.h> and <sys/socket.h>Yang Tse
Inclusion of top two most included header files now done in setup_once.h
2012-11-06CURLOPT_SSL_VERIFYHOST: stop supporting the 1 valueDaniel Stenberg
After a research team wrote a document[1] that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option were all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have an as thin layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position. [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
2012-11-06gnutls: fix compiler warningsDaniel Stenberg
2012-11-06gnutls: print alerts during handshakeAlessandro Ghedini
2012-11-06gnutls: fix the error_is_fatal logicAlessandro Ghedini
2012-10-16gnutls: put reset code into else blockAlessandro Ghedini
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690551
2012-09-04gnutls: do not fail on non-fatal handshake errorsAlessandro Ghedini
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685402
2012-08-06gtls: fix build failure by including nettle-specific headersDaniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=3554668 Reported by: Anthony G. Basile
2012-06-26SSL cleanup: use crypto functions through the sslgen layerDaniel Stenberg
curl_ntlm_msgs.c would previously use an #ifdef maze and direct SSL-library calls instead of using the SSL layer we have for this purpose.
2012-06-14Fix bad failf() and info() usageYang Tse
Calls to failf() are not supposed to provide trailing newline. Calls to infof() must provide trailing newline. Fixed 30 or so strings.
2012-01-24gnutls: enforced use of SSLv3Daniel Stenberg
With advice from Nikos Mavrogiannopoulos, changed the priority string to add "actual priorities" and favour ARCFOUR. This makes libcurl work better when enforcing SSLv3 with GnuTLS. Both in the sense that the libmicrohttpd test is now working again but also that it mitigates a weakness in the older SSL/TLS protocols. Bug: http://curl.haxx.se/mail/lib-2012-01/0225.html Reported by: Christian Grothoff
2012-01-16add LF termination to infof() trace stringYang Tse
2011-11-24Fix unreleased regression when using windows gnutls versions older than 2.8Yang Tse
2011-11-23gnutls: only translate winsock errors for old versionsMark Brand
Bugfix: https handshake fails using gnutls 3 on windows http://sourceforge.net/tracker/index.php?func=detail&aid=3441084&group_id=976&atid=100976 New gnutls versions have an error handler that knows about Winsock errors, which is why gnutls_transport_set_global_errno() was deprecated and then removed. This is a correction of commit f5bb370 (blame me) which meant to reimplement gnutls_transport_set_global_errno(), which is not necessary.
2011-11-19Add support for using nettle instead of gcrypt as gnutls backendMartin Storsjo
2011-11-02gtls_connect_step1: remove use of deprecated functionsDaniel Stenberg
Use gnutls_priority_set_direct() instead of gnutls_protocol_set_priority(). Remove the gnutls_certificate_type_set_priority() use since x509 is the default certificate type anyway. Reported by: Vincent Torri
2011-10-29gtls.c: gnutls_transport_set_global_errno() deprecated in version 2.12.3Yang Tse
2011-10-20gtls: only call gnutls_transport_set_lowat with <gnutls-2.12.0Tim Harder
The default lowat level for gnutls-2.12* is set to zero to avoid unnecessary system calls and the gnutls_transport_set_lowat function has been totally removed in >=gnutls-3 which causes build failures. Therefore, the function shouldn't be used except for versions that require it, <gnutls-2.12.0.
2011-07-26stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.hYang Tse
2011-06-04Curl_socket_ready: make timeout a 'long'Daniel Stenberg
It was mostly typecasted to int all over the code so switching to long instead all over should be a net gain.
2011-05-18GnuTLS handshake: fix timeoutDaniel Stenberg
Commit cbf4961bf3e garbled the timeout handling while doing SSL handshaking (in an attempt at fixing another bug). This puts sanity back. Bug: http://curl.haxx.se/mail/lib-2011-05/0167.html Reported by: Ethan Glasser Camp
2011-04-27whitespace cleanup: no space first in conditionalsDaniel Stenberg
"if(a)" is our style, not "if( a )"
2011-04-27source cleanup: unify look, style and indent levelsDaniel Stenberg
By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-02-09CURLE_TLSAUTH_FAILED: removedQuinn Slack
On second thought, I think CURLE_TLSAUTH_FAILED should be eliminated. It was only being raised when an internal error occurred while allocating or setting the GnuTLS SRP client credentials struct. For TLS authentication failures, the general CURLE_SSL_CONNECT_ERROR seems appropriate; its error string already includes "passwords" as a possible cause. Having a separate TLS auth error code might also cause people to think that a TLS auth failure means the wrong username or password was entered, when it could also be a sign of a man-in-the-middle attack.
2011-02-07Curl_gmtime: added a portable gmtimeDaniel Stenberg
Instead of polluting many places with #ifdefs, we create a single place for this function, and also check return code properly so that a NULL pointer returned won't cause problems.
2011-01-19TLS-SRP: support added when using GnuTLSQuinn Slack
2011-01-08gtls: fix memory leakDaniel Stenberg
Bug: http://curl.haxx.se/mail/lib-2011-01/0079.html Reported by: Quinn Slack
2011-01-04Curl_timeleft: s/conn/data in first argumentDaniel Stenberg
As the function doesn't really use the connectdata struct but only the SessionHanadle struct I modified what argument it wants.
2010-11-20gtls: define and use gtls_EAGAIN, gtls_EINTR and gtls_EIO.Yang Tse
Winsock builds clobber some errno.h defines in setup_once.
2010-11-19Detect socket errors in GnuTLS on WindowsMatthias Bolte
On Windows, translate WSAGetLastError() to errno values as GNU TLS does it internally, too. This is necessary because send() and recv() on Windows don't set errno when they fail but GNU TLS expects a proper errno value. Bug: http://curl.haxx.se/bug/view.cgi?id=3110991
2010-11-14gnutls->handshake: improved timeout handlingDaniel Stenberg
When no timeout is set, we call the socket_ready function with a timeout value of 0 during handshake, which makes it loop too much/fast in this function. It also made this function return CURLE_OPERATION_TIMEDOUT wrongly on a slow handshake. However, the particular bug report that highlighted this problem is not solved by this fix, as this fix only makes the more proper error get reported instead. Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594150 Reported by: Johannes Ernst
2010-11-08fix compiler warningYang Tse
2010-05-11sendrecv: make them two pairs of send/recv to properly deal with FTPSHoward Chu
FTP(S) use two connections that can be set to different recv and send functions independently, so by introducing recv+send pairs in the same manner we already have sockets/connections we can work with FTPS fine. This commit fixes the FTPS regression introduced in change d64bd82.
2010-05-07sendrecv: split the I/O handling into private handlerHoward Chu
Howard Chu brought the bulk work of this patch that properly moves out the sending and recving of data to the parts of the code that are properly responsible for the various ways of doing so. Daniel Stenberg assisted with polishing a few bits and fixed some minor flaws in the original patch. Another upside of this patch is that we now abuse CURLcodes less with the "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
2010-04-16GnuTLS: make the connection phase non-blockingJerome Vouillon
When multi interface is used, the SSL handshake is no longer blocking when GnuTLS is used.
2010-04-16SSL_RECV: EOF is not an error hereDaniel Stenberg
The recent overhaul of the SSL recv function made this treat a zero returned from gnutls_record_recv() as an error, and this caused our HTTPS test cases to fail. We leave it to upper layer code to detect if an EOF is a problem or not.
2010-04-04refactorize interface of Curl_ssl_recv/Curl_ssl_sendKamil Dudka
2010-03-24remove the CVSish $Id$ linesDaniel Stenberg
2009-10-19added cast macros to silent compiler warnings with 64-bit systems.Gunter Knauf
2009-08-30add casts to silent compiler warnings with 64bit systems.Gunter Knauf
2009-08-01- Curt Bogmine reported a problem with SNI enabled on a particular server. WeDaniel Stenberg
should introduce an option to disable SNI, but as we're in feature freeze now I've addressed the obvious bug here (pointed out by Peter Sylvester): we shouldn't try to enable SNI when SSLv2 or SSLv3 is explicitly selected. Code for OpenSSL and GnuTLS was fixed. NSS doesn't seem to have a particular option for SNI, or are we simply not using it?
2009-07-22- David Binderman found a memory and fd leak in lib/gtls.c:load_file()Michal Marek
(https://bugzilla.novell.com/523919). When looking at the code, I found that also the ptr pointer can leak.
2009-05-05I simplified the SSL session id re-use code now to *always* ditch the previousDaniel Stenberg
one and store the current one, as it makes the code less complex and I'm not even sure I can check for the same session id using memcmp() like that.
2009-05-04- Inspired by Michael Smith's session id fix for OpenSSL, I did theDaniel Stenberg
corresponding fix in the GnuTLS code: make sure to store the new session id in case the re-used one is rejected.