aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/gtls.c
AgeCommit message (Collapse)Author
2020-04-21GnuTLS: Don't skip really long certificate fieldsEmil Engler
Closes #5271
2020-04-21gnutls: bump lowest supported version to 3.1.10Daniel Stenberg
GnuTLS 3.1.10 added new functions we want to use. That version was released on Mar 22, 2013. Removing support for older versions also greatly simplifies the code. Ref: #5271 Closes #5276
2020-04-13gnutls: ensure TLS 1.3 when SRP isn't requestedDirkjan Bussink
When SRP is requested in the priority string, GnuTLS will disable support for TLS 1.3. Before this change, curl would always add +SRP to the priority list, effectively always disabling TLS 1.3 support. With this change, +SRP is only added to the priority list when SRP authentication is also requested. This also allows updating the error handling here to not have to retry without SRP. This is because SRP is only added when requested and in that case a retry is not needed. Closes #5223
2020-03-19gnutls: remove the BACKEND define kludgeDaniel Stenberg
2020-02-27gtls: Fixed compilation when using GnuTLS < 3.5.0Steve Holme
Reverts the functionality from 41fcb4f when compiling with GnuTLS older than 3.5.0. Reviewed-by: Daniel Stenberg Closes #4984
2020-02-21gtls: fix the copyright yearDaniel Stenberg
Follow-up from 41fcb4f609
2020-02-21GnuTLS: Always send client certjethrogb
TLS servers may request a certificate from the client. This request includes a list of 0 or more acceptable issuer DNs. The client may use this list to determine which certificate to send. GnuTLS's default behavior is to not send a client certificate if there is no match. However, OpenSSL's default behavior is to send the configured certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL behavior. Authored-by: jethrogb on github Fixes #1411 Closes #4958
2019-10-31gtls: make gnutls_bye() not wait for response on shutdownDaniel Stenberg
... as it can make it wait there for a long time for no good purpose. Patched-by: Jay Satiro Reported-by: Bylon2 on github Adviced-by: Nikos Mavrogiannopoulos Fixes #4487 Closes #4541
2019-09-23vtls: fix narrowing conversion warningsMarcel Raad
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on 32-bit systems since commit b1616dad8f0. Closes https://github.com/curl/curl/pull/4398
2019-05-21ftp: move ftp_ccc in under featureflagDaniel Gustafsson
Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under the FTP featureflag in the UserDefined struct, but vtls callsites were still using it unprotected. Closes #3912 Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 Reviewed-by: Daniel Stenberg, Marcel Raad
2019-05-20lib: reduce variable scopesMarcel Raad
Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
2019-05-16cleanup: remove FIXME and TODO commentsDaniel Stenberg
They serve very little purpose and mostly just add noise. Most of them have been around for a very long time. I read them all before removing or rephrasing them. Ref: #3876 Closes #3883
2019-05-01multi: provide Curl_multiuse_state to update informationDaniel Stenberg
As soon as a TLS backend gets ALPN conformation about the specific HTTP version it can now set the multiplex situation for the "bundle" and trigger moving potentially queued up transfers to the CONNECT state.
2019-03-02gnutls: remove call to deprecated gnutls_compression_get_nameDaniel Stenberg
It has been deprecated by GnuTLS since a year ago and now causes build warnings. Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html Closes #3636
2018-11-23snprintf: renamed and we now only use msnprintf()Daniel Stenberg
The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
2018-11-20ssl: replace all internal uses of CURLE_SSL_CACERTHan Han
Closes #3291
2018-10-26gtls: Values stored to but never readDaniel Stenberg
Detected by clang-tidy Closes #3176
2018-09-21GnutTLS: TLS 1.3 supportLoganaden Velvindron
Closes #2971
2018-09-20vtls: fix ssl version "or later" behavior change for many backendsJay Satiro
- Treat CURL_SSLVERSION_MAX_NONE the same as CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use the minimum version also as the maximum. This is a follow-up to 6015cef which changed the behavior of setting the SSL version so that the requested version would only be the minimum and not the maximum. It appears it was (mostly) implemented in OpenSSL but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was erroneously treated as always TLS 1.3, and would cause an error if OpenSSL was built without TLS 1.3 support. Co-authored-by: Daniel Gustafsson Fixes https://github.com/curl/curl/issues/2969 Closes https://github.com/curl/curl/pull/3012
2018-05-04vtls: use unified "supports" bitfield member in backendsDaniel Stenberg
... instead of previous separate struct fields, to make it easier to extend and change individual backends without having to modify them all. closes #2547
2018-04-08build: cleanup to fix clang warnings/errorsDaniel Stenberg
unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a cast from integer to pointer is a GNU extension Reported-by: Rikard Falkeborn Fixes #2466 Closes #2468
2018-04-06tls: fix mbedTLS 2.7.0 build + handle sha256 failuresWyatt O'Day
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) Closes #2453
2018-02-28unit1309: fix warning on Windows x64Marcel Raad
When targeting x64, MinGW-w64 complains about conversions between 32-bit long and 64-bit pointers. Fix this by reusing the GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST / CURLX_INTEGER_TO_POINTER_CAST. Closes https://github.com/curl/curl/pull/2341
2017-10-19vtls: change struct Curl_ssl `close' field name to `close_one'.Patrick Monnerat
On OS/400, `close' is an ASCII system macro that corrupts the code if not used in a context not targetting the close() system API.
2017-09-11code style: use spaces around equals signsDaniel Stenberg
2017-08-28vtls: refactor out essential information about the SSL backendsJohannes Schindelin
There is information about the compiled-in SSL backends that is really no concern of any code other than the SSL backend itself, such as which function (if any) implements SHA-256 summing. And there is information that is really interesting to the user, such as the name, or the curl_sslbackend value. Let's factor out the latter into a publicly visible struct. This information will be used in the upcoming API to set the SSL backend globally. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: allow selecting which SSL backend to use at runtimeJohannes Schindelin
When building software for the masses, it is sometimes not possible to decide for all users which SSL backend is appropriate. Git for Windows, for example, uses cURL to perform clones, fetches and pushes via HTTPS, and some users strongly prefer OpenSSL, while other users really need to use Secure Channel because it offers enterprise-ready tools to manage credentials via Windows' Credential Store. The current Git for Windows versions use the ugly work-around of building libcurl once with OpenSSL support and once with Secure Channel support, and switching out the binaries in the installer depending on the user's choice. Needless to say, this is a super ugly workaround that actually only works in some cases: Git for Windows also comes in a portable form, and in a form intended for third-party applications requiring Git functionality, in which cases this "swap out libcurl-4.dll" simply is not an option. Therefore, the Git for Windows project has a vested interest in teaching cURL to make the SSL backend a *runtime* option. This patch makes that possible. By running ./configure with multiple --with-<backend> options, cURL will be built with multiple backends. For the moment, the backend can be configured using the environment variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and "schannel"). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: fold the backend ID into the Curl_ssl structureJohannes Schindelin
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: encapsulate SSL backend-specific dataJohannes Schindelin
So far, all of the SSL backends' private data has been declared as part of the ssl_connect_data struct, in one big #if .. #elif .. #endif block. This can only work as long as the SSL backend is a compile-time option, something we want to change in the next commits. Therefore, let's encapsulate the exact data needed by each SSL backend into a private struct, and let's avoid bleeding any SSL backend-specific information into urldata.h. This is also necessary to allow multiple SSL backends to be compiled in at the same time, as e.g. OpenSSL's and CyaSSL's headers cannot be included in the same .c file. To avoid too many malloc() calls, we simply append the private structs to the connectdata struct in allocate_conn(). This requires us to take extra care of alignment issues: struct fields often need to be aligned on certain boundaries e.g. 32-bit values need to be stored at addresses that divide evenly by 4 (= 32 bit / 8 bit-per-byte). We do that by assuming that no SSL backend's private data contains any fields that need to be aligned on boundaries larger than `long long` (typically 64-bit) would need. Under this assumption, we simply add a dummy field of type `long long` to the `struct connectdata` struct. This field will never be accessed but acts as a placeholder for the four instances of ssl_backend_data instead. the size of each ssl_backend_data struct is stored in the SSL backend-specific metadata, to allow allocate_conn() to know how much extra space to allocate, and how to initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend pointers. This would appear to be a little complicated at first, but is really necessary to encapsulate the private data of each SSL backend correctly. And we need to encapsulate thusly if we ever want to allow selecting CyaSSL and OpenSSL at runtime, as their headers cannot be included within the same .c file (there are just too many conflicting definitions and declarations for that). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: prepare the SSL backends for encapsulated private dataJohannes Schindelin
At the moment, cURL's SSL backend needs to be configured at build time. As such, it is totally okay for them to hard-code their backend-specific data in the ssl_connect_data struct. In preparation for making the SSL backend a runtime option, let's make the access of said private data a bit more abstract so that it can be adjusted later in an easy manner. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28getinfo: access SSL internals via Curl_sslJohannes Schindelin
In the ongoing endeavor to abstract out all SSL backend-specific functionality, this is the next step: Instead of hard-coding how the different SSL backends access their internal data in getinfo.c, let's implement backend-specific functions to do that task. This will also allow for switching SSL backends as a runtime option. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: remove obsolete declarations of SSL backend functionalityJohannes Schindelin
These functions are all available via the Curl_ssl struct now, no need to declare them separately anymore. As the global declarations are removed, the corresponding function definitions are marked as file-local. The only two exceptions here are Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the declarations were removed, there are no function definitions to mark file-local. Please note that Curl_nss_force_init() is *still* declared globally, as the only SSL backend-specific function, because it was introduced specifically for the use case where cURL was compiled with `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add support for NSS, 2010-06-27). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl structJohannes Schindelin
That will allow us to choose the SSL backend at runtime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: convert the have_curlssl_* constants to runtime flagsJohannes Schindelin
The entire idea of introducing the Curl_ssl struct to describe SSL backends is to prepare for choosing the SSL backend at runtime. To that end, convert all the #ifdef have_curlssl_* style conditionals to use bit flags instead. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move sha256sum into the Curl_ssl structJohannes Schindelin
The SHA-256 checksumming is also an SSL backend-specific function. Let's include it in the struct declaring the functionality of SSL backends. In contrast to MD5, there is no fall-back code. To indicate this, the respective entries are NULL for those backends that offer no support for SHA-256 checksumming. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move md5sum into the Curl_ssl structJohannes Schindelin
The MD5 summing is also an SSL backend-specific function. So let's include it, offering the previous fall-back code as a separate function now: Curl_none_md5sum(). To allow for that, the signature had to be changed so that an error could be returned from the implementation (Curl_none_md5sum() can run out of memory). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: use the Curl_ssl struct to access all SSL backends' functionalityJohannes Schindelin
This is the first step to unify the SSL backend handling. Now all the SSL backend-specific functionality is accessed via a global instance of the Curl_ssl struct. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: declare Curl_ssl structs for every SSL backendJohannes Schindelin
The idea of introducing the Curl_ssl struct was to unify how the SSL backends are declared and called. To this end, we now provide an instance of the Curl_ssl struct for each and every SSL backend. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: make sure all _cleanup() functions return voidJohannes Schindelin
This patch makes the signature of the _cleanup() functions consistent among the SSL backends, in preparation for unifying the way all SSL backends are accessed. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-07-03gtls: fix build when sizeof(long) < sizeof(void *)Johannes Schindelin
- Change gnutls pointer/int macros to pointer/curl_socket_t. Prior to this change they used long type as well. The size of the `long` data type can be shorter than that of pointer types. This is the case most notably on Windows. If C99 were acceptable, we could simply use `intptr_t` here. But we want to retain C89 compatibility. Simply use the trick of performing pointer arithmetic with the NULL pointer: to convert an integer `i` to a pointer, simply take the address of the `i`th element of a hypothetical character array starting at address NULL. To convert back, simply cast the pointer difference. Thanks to Jay Satiro for the initial modification to use curl_socket_t instead of int/long. Closes #1617 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-06-16HTTPS-Proxy: don't offer h2 for https proxy connectionsJay Satiro
Bug: https://github.com/curl/curl/issues/1254 Closes #1546
2017-05-02gtls: fixed a lingering BUFSIZE referenceDan Fandrich
2017-04-22gnutls: removed some code when --disable-verbose is configuredDan Fandrich
This reduces the binary size and fixes a compile warning.
2017-04-18TLS: Fix switching off SSL session id when client cert is usedJay Satiro
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl will each have their own sessionid flag. Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that this issue had been fixed in 247d890, CVE-2016-5419. Bug: https://github.com/curl/curl/issues/1341 Reported-by: lijian996@users.noreply.github.com The new incarnation of this bug is called CVE-2017-7468 and is documented here: https://curl.haxx.se/docs/adv_20170419.html
2017-04-08vtls: fix unreferenced variable warningsMarcel Raad
... by moving the variables into the correct #ifdef block.
2017-04-06gtls: fix compiler warningMarcel Raad
Curl_timeleft returns time_t instead of long since commit 21aa32d30dbf319f2d336e0cb68d3a3235869fbb.
2017-03-08vtls: add options to specify range of enabled TLS versionsJozef Kralik
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as the --tls-max option of the curl tool. Closes https://github.com/curl/curl/pull/1166
2017-01-28gnutls: disable TLS session ticketsMichael Kaufmann
SSL session reuse with TLS session tickets is not supported yet. Use SSL session IDs instead. Fixes https://github.com/curl/curl/issues/1109
2017-01-13gnutls: check for alpn and ocsp in configureMarcus Hoffmann
Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during configure instead of relying on the version number. GnuTLS has options to turn these features off and we ca just work with with such builds like we work with older versions. Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com> Closes #1204
2017-01-12rand: make it work without TLS backingDaniel Stenberg
Regression introduced in commit f682156a4fc6c4 Reported-by: John Kohl Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html