aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/gtls.c
AgeCommit message (Collapse)Author
2016-06-22vtls: Only call add/getsession if session id is enabledJay Satiro
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled.
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-04-03code: style updatesDaniel Stenberg
2016-02-13gtls: fix for builds lacking encrypted key file supportShine Fan
Bug: https://github.com/curl/curl/pull/651
2016-02-08configure: --with-ca-fallback: use built-in TLS CA fallbackLudwig Nussel
When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built in default as fallback. Closes #569
2016-02-04URLs: change more http to httpsViktor Szakats
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-12-13http: add libcurl option to allow HTTP/2 for HTTPS onlyDaniel Stenberg
... and stick to 1.1 for HTTP. This is in line with what browsers do and should have very little risk.
2015-11-24Revert "cleanup: general removal of TODO (and similar) comments"Daniel Stenberg
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-13cleanup: general removal of TODO (and similar) commentsDaniel Stenberg
They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
2015-09-23gnutls: Report actual GnuTLS error message for certificate errorsMike Crowe
If GnuTLS fails to read the certificate then include whatever reason it provides in the failure message reported to the client. Signed-off-by: Mike Crowe <mac@mcrowe.com>
2015-09-22gnutls: Support CURLOPT_KEYPASSWDMike Crowe
The gnutls vtls back-end was previously ignoring any password set via CURLOPT_KEYPASSWD. Presumably this was because gnutls_certificate_set_x509_key_file did not support encrypted keys. gnutls now has a gnutls_certificate_set_x509_key_file2 function that does support encrypted keys. Let's determine at compile time whether the available gnutls supports this new function. If it does then use it to pass the password. If it does not then emit a helpful diagnostic if a password is set. This is preferable to the previous behaviour of just failing to read the certificate without giving a reason in that case. Signed-off-by: Mike Crowe <mac@mcrowe.com>
2015-09-19ssl: add server cert's "sha256//" hash to verboseDaniel Hwang
Add a "pinnedpubkey" section to the "Server Certificate" verbose Bug: https://github.com/bagder/curl/issues/410 Reported-by: W. Mark Kubacki Closes #430 Closes #410
2015-07-01SSL: Pinned public key hash supportmoparisthebest
2015-06-01curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXTJay Satiro
- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt" - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt" This change is to explicitly specify when we need to read/write text. Unfortunately 't' is not part of POSIX fopen so we can't specify it directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT. Prior to this change we had an issue on Windows if an application that uses libcurl overrides the default file mode to binary. The default file mode in Windows is normally text mode (translation mode) and that's what libcurl expects. Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055 Reported-by: Orgad Shaneh
2015-05-20gtls: don't fail on non-fatal alerts during handshakeDmitry Eremin-Solenikov
Stop curl from failing when non-fatal alert is received during handshake. This e.g. fixes lots of problems when working with https sites through proxies.
2015-05-04gtls: properly retrieve certificate statusAlessandro Ghedini
Also print the revocation reason if appropriate.
2015-03-21gtls: add check of return codeDaniel Stenberg
Coverity CID 1291167 pointed out that 'rc' was received but never used when gnutls_credentials_set() was used. Added return code check now.
2015-03-21gtls: dereferencing NULL pointerDaniel Stenberg
Coverity CID 1291165 pointed out 'chainp' could be dereferenced when NULL if gnutls_certificate_get_peers() had previously failed.
2015-03-21gtls: avoid uninitialized variable.Daniel Stenberg
Coverity CID 1291166 pointed out that we could read this variable uninitialized.
2015-03-20gtls: implement CURLOPT_CERTINFOAlessandro Ghedini
2015-03-17checksrc: use space after commaDaniel Stenberg
2015-03-10gtls: correctly align certificate status verification messagesAlessandro Ghedini
2015-03-10gtls: don't print double newline after certificate datesAlessandro Ghedini
2015-03-10gtls: print negotiated TLS version and full cipher suite nameAlessandro Ghedini
Instead of priting cipher and MAC algorithms names separately, print the whole cipher suite string which also includes the key exchange algorithm, along with the negotiated TLS version.
2015-03-10gtls: fix compiler warningsDaniel Stenberg
2015-03-10gtls: add support for CURLOPT_CAPATHAlessandro Ghedini
2015-03-07http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*Daniel Stenberg
Since they already exist and will make comparing easier
2015-03-07gtls: make it possible to enable ALPN/NPN without HTTP2Alessandro Ghedini
2015-03-03vtls: use curl_printf.h all overDaniel Stenberg
No need to use _MPRINTF_REPLACE internally.
2015-02-19gtls: fix build with HTTP2Alessandro Ghedini
2015-01-17vtls: Removed unimplemented overrides of curlssl_close_all()Steve Holme
Carrying on from commit 037cd0d991, removed the following unimplemented instances of curlssl_close_all(): Curl_axtls_close_all() Curl_darwinssl_close_all() Curl_cyassl_close_all() Curl_gskit_close_all() Curl_gtls_close_all() Curl_nss_close_all() Curl_polarssl_close_all()
2015-01-16copyright years: after OCSP stapling changesDaniel Stenberg
2015-01-16gtls: add support for the Certificate Status Request TLS extensionAlessandro Ghedini
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP response verfication to fail even on valid responses.
2014-12-25vtls: Use bool for Curl_ssl_getsessionid() return typeSteve Holme
The return type of this function is a boolean value, and even uses a bool internally, so use bool in the function declaration as well as the variables that store the return value, to avoid any confusion.
2014-12-24gtls: Use preferred 'CURLcode result'Steve Holme
2014-12-09http2: avoid logging neg "failure" if h2 was not requestedDaniel Stenberg
2014-10-23gnutls: removed dead codeDaniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=1437 Reported-by: Julien
2014-10-13pinning: minor code style policingDaniel Stenberg
2014-10-13Factorize pinned public key code into generic file handling and backend specificPatrick Monnerat
2014-10-07GnuTLS: Implement public key pinningmoparisthebest
2014-08-03gtls: only define Curl_gtls_seed if Nettle is not being usedDan Fandrich
2014-07-30vtls: make the random function mandatory in the TLS backendDaniel Stenberg
To force each backend implementation to really attempt to provide proper random. If a proper random function is missing, then we can explicitly make use of the default one we use when TLS support is missing. This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-07-15gnutls: fix compiler warningDaniel Stenberg
conversion to 'int' from 'long int' may alter its value
2014-07-14gnutls: detect lack of SRP support in GnuTLS at run-time and try withoutDan Fandrich
Reported-by: David Woodhouse
2014-07-14gnutls: handle IP address in cert name checkDavid Woodhouse
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function didn't actually check IP addresses in SubjectAltName, even though it was explicitly documented as doing so. So do it ourselves...
2014-07-13gnutls: improved error message if setting cipher list failsDan Fandrich
Reported-by: David Woodhouse
2014-07-12gnutls: fixed a couple of uninitialized variable referencesDan Fandrich
2014-07-12gnutls: fixed compilation against versions < 2.12.0Dan Fandrich
The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but the code path in which they're referenced here is only ever used for somewhat older GnuTLS versions. This caused undeclared identifier errors when compiling against those.