aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/mbedtls.c
AgeCommit message (Collapse)Author
2016-10-18select: switch to macros in uppercaseDaniel Stenberg
Curl_select_ready() was the former API that was replaced with Curl_select_check() a while back and the former arg setup was provided with a define (in order to leave existing code unmodified). Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most common shortcuts where only one socket is checked. They're also more visibly macros.
2016-08-05mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is definedThomas Glanzmann
In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal to 0. This patch also adds a comment how mbedtls must be compiled in order to make debugging work, and explains the possible debug levels.
2016-08-01mbedtls: Fix debug function nameThomas Glanzmann
This patch is necessary so that curl compiles if MBEDTLS_DEBUG is defined. Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-06-22vtls: Only call add/getsession if session id is enabledJay Satiro
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled.
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-05-30mbedtls: removed unused variablesRenaud Lehoux
Closes #838
2016-05-24mbedtls: fix includes so snprintf() worksDaniel Stenberg
Regression from the previous *printf() rearrangements, this file missed to include the correct header to make sure snprintf() works universally. Reported-by: Moti Avrahami Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
2016-05-17mbedtls/polarssl: set "hostname" unconditionallyDaniel Stenberg
...as otherwise the TLS libs will skip the CN/SAN check and just allow connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to an IP address specified host. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-04-28mbedtls: Fix session resumeJay Satiro
This also fixes PolarSSL session resume. Prior to this change the TLS session information wasn't properly saved and restored for PolarSSL and mbedTLS. Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html Reported-by: Thomas Glanzmann Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html Reported-by: Moti Avrahami
2016-04-26mbedtls.c: silly spellfix of a commentDaniel Stenberg
2016-04-07mbedtls: fix MBEDTLS_DEBUG buildsDamien Vielpeau
2016-04-07mbedtls: implement and provide *_data_pending()Daniel Stenberg
... as otherwise we might get stuck thinking there's no more data to handle. Reported-by: Damien Vielpeau Fixes #737
2016-04-07mbedtls.c: name space pollution fix, Use 'Curl_'Daniel Stenberg
2016-04-07mbedtls.c: changed private prefix to mbed_Daniel Stenberg
mbedtls_ is the prefix used by the mbedTLS library itself so we should avoid using that for our private functions.
2016-04-03code: style updatesDaniel Stenberg
2016-03-19mbedtls: fix compiler warningDaniel Stenberg
vtls/mbedtls.h:67:36: warning: implicit declaration of function ‘mbedtls_sha256’ [-Wimplicit-function-declaration]
2016-03-05mbedtls: fix user-specified SSL protocol versionJay Satiro
Prior to this change when a single protocol CURL_SSLVERSION_ was specified by the user that version was set only as the minimum version but not as the maximum version as well.
2016-02-10mbedtls.c: re-indent to better match curl standardsDaniel Stenberg
2016-02-09mbedtls: fix memory leak when destroying SSL connection dataRafael Antonio
Closes #626
2016-02-09mbedtls: fix ALPN usage segfaultDaniel Stenberg
Since we didn't keep the input argument around after having called mbedtls, it could end up accessing the wrong memory when figuring out the ALPN protocols. Closes #642
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2016-01-18mbedtls: Fix pinned key return value on failJay Satiro
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification. The callback method had three problems: 1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned. 2. If peer certificate verification was disabled the pinned key verification did not take place as it should. 3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key. Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2. Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html Ref: https://github.com/bagder/curl/pull/601
2016-01-10mbedtls: implement CURLOPT_PINNEDPUBLICKEYThomas Glanzmann
2016-01-07mbedtls: Fix ALPN supportJay Satiro
- Fix ALPN reply detection. - Wrap nghttp2 code in ifdef USE_NGHTTP2. Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
2015-12-13http: add libcurl option to allow HTTP/2 for HTTPS onlyDaniel Stenberg
... and stick to 1.1 for HTTP. This is in line with what browsers do and should have very little risk.
2015-10-29mbedtls: fix "Structurally dead code"Daniel Stenberg
CID 1332129
2015-10-29mbedtls: fix "Logically dead code"Daniel Stenberg
CID 1332128
2015-10-23polarssl/mbedtls: fix name space pollutionDaniel Stenberg
Global private symbols MUST start with Curl_!
2015-10-23mbedTLS: THREADING_SUPPORT compilation fixDmitry S. Baikov
Closes #505
2015-10-22mbedtls:new profile with RSA min key len = 1024.m-gardet
Closes #502
2015-10-20vtls: added support for mbedTLSJonas Minnberg
closes #496