aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/schannel.c
AgeCommit message (Collapse)Author
2020-03-18schannel: add "best effort" revocation check optionJohannes Schindelin
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and --ssl-revoke-best-effort to allow a "best effort" revocation check. A best effort revocation check ignores errors that the revocation check was unable to take place. The reasoning is described in detail below and discussed further in the PR. --- When running e.g. with Fiddler, the schannel backend fails with an unhelpful error message: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Sadly, many enterprise users who are stuck behind MITM proxies suffer the very same problem. This has been discussed in plenty of issues: https://github.com/curl/curl/issues/3727, https://github.com/curl/curl/issues/264, for example. In the latter, a Microsoft Edge developer even made the case that the common behavior is to ignore issues when a certificate has no recorded distribution point for revocation lists, or when the server is offline. This is also known as "best effort" strategy and addresses the Fiddler issue. Unfortunately, this strategy was not chosen as the default for schannel (and is therefore a backend-specific behavior: OpenSSL seems to happily ignore the offline servers and missing distribution points). To maintain backward-compatibility, we therefore add a new flag (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option (`--ssl-revoke-best-effort`) to select the new behavior. Due to the many related issues Git for Windows and GitHub Desktop, the plan is to make this behavior the default in these software packages. The test 2070 was added to verify this behavior, adapted from 310. Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com> Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes https://github.com/curl/curl/pull/4981
2020-03-17windows: suppress UI in all CryptAcquireContext() callsViktor Szakats
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters Reviewed-by: Marc Hörsken Closes https://github.com/curl/curl/pull/5088
2020-03-05polarssl: remove more references and mentionsDaniel Stenberg
Assisted-by: Jay Satiro Follow-up to 6357a19ff29dac04 Closes #5036
2020-02-02cleanup: fix typos and wording in docs and commentsPedro Monreal
Closes #4869 Reviewed-by: Emil Engler and Daniel Gustafsson
2020-01-03lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`Marcel Raad
Closes https://github.com/curl/curl/pull/4775
2019-11-24schannel: fix --tls-max for when min is --tlsv1 or defaultXiaoyin Liu
Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_ macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS (CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always. Closes https://github.com/curl/curl/pull/4633
2019-10-24schannel: reverse the order of certinfo insertionsFrancois Rivard
Fixes #4518 Closes #4519
2019-09-23vtls: fix narrowing conversion warningsMarcel Raad
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on 32-bit systems since commit b1616dad8f0. Closes https://github.com/curl/curl/pull/4398
2019-05-20lib: reduce variable scopesMarcel Raad
Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
2019-05-16cleanup: remove FIXME and TODO commentsDaniel Stenberg
They serve very little purpose and mostly just add noise. Most of them have been around for a very long time. I read them all before removing or rephrasing them. Ref: #3876 Closes #3883
2019-05-01multi: provide Curl_multiuse_state to update informationDaniel Stenberg
As soon as a TLS backend gets ALPN conformation about the specific HTTP version it can now set the multiplex situation for the "bundle" and trigger moving potentially queued up transfers to the CONNECT state.
2019-02-26strerror: make the strerror function use local buffersDaniel Stenberg
Instead of using a fixed 256 byte buffer in the connectdata struct. In my build, this reduces the size of the connectdata struct by 11.8%, from 2160 to 1904 bytes with no functionality or performance loss. This also fixes a bug in schannel's Curl_verify_certificate where it called Curl_sspi_strerror when it should have called Curl_strerror for string from GetLastError. the only effect would have been no text or the wrong text being shown for the error. Co-authored-by: Jay Satiro Closes #3612
2019-02-25schannel: support CALG_ECDH_EPHEM algorithmgeorgeok
Add support for Ephemeral elliptic curve Diffie-Hellman key exchange algorithm option when selecting ciphers. This became available on the Win10 SDK. Closes https://github.com/curl/curl/pull/3608
2019-02-12schannel: restore some debug output but only for debug buildsJay Satiro
Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy debug output in DEBUGF but omitted a few lines. Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
2019-02-12schannel: be quietDaniel Stenberg
Convert numerous infof() calls into debug-build only messages since they are annoyingly verbose for regular applications. Removed a few. Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html Reported-by: Volker Schmid Closes #3552
2019-02-06url: close TLS before removing conn from cacheChris Araman
- Fix potential crashes in schannel shutdown. Ensure any TLS shutdown messages are sent before removing the association between the connection and the easy handle. Reverts @bagder's previous partial fix for #3412. Fixes https://github.com/curl/curl/issues/3412 Fixes https://github.com/curl/curl/issues/3505 Closes https://github.com/curl/curl/pull/3531
2019-02-01spnego_sspi: add support for channel bindinggeorgeok
Attempt to add support for Secure Channel binding when negotiate authentication is used. The problem to solve is that by default IIS accepts channel binding and curl doesn't utilise them. The result was a 401 response. Scope affects only the Schannel(winssl)-SSPI combination. Fixes https://github.com/curl/curl/issues/3503 Closes https://github.com/curl/curl/pull/3509
2019-02-01schannel: stop calling it "winssl"Daniel Stenberg
Stick to "Schannel" everywhere. The configure option --with-winssl is kept to allow existing builds to work but --with-schannel is added as an alias. Closes #3504
2019-01-21schannel: preserve original certificate path parameterArchangel_SDY
Fixes #3480 Closes #3487
2019-01-19ntlm_sspi: add support for channel bindinggeorgeok
Windows extended potection (aka ssl channel binding) is required to login to ntlm IIS endpoint, otherwise the server returns 401 responses. Fixes #3280 Closes #3321
2019-01-18schannel: on connection close there might not be a transferDaniel Stenberg
Reported-by: Marcel Raad Fixes #3412 Closes #3483
2018-11-23snprintf: renamed and we now only use msnprintf()Daniel Stenberg
The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
2018-11-07winssl: be consistent in Schannel capitalizationDaniel Gustafsson
The productname from Microsoft is "Schannel", but in infof/failf reporting we use "schannel". This removes different versions. Closes #3243 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-01schannel: make CURLOPT_CERTINFO support using Issuer chainmarcosdiazr
Closes #3197
2018-11-01schannel: use Curl_ prefix for global private symbolsDaniel Stenberg
Curl_verify_certificate() must use the Curl_ prefix since it is globally available in the lib and otherwise steps outside of our namespace! Closes #3201
2018-09-20vtls: fix ssl version "or later" behavior change for many backendsJay Satiro
- Treat CURL_SSLVERSION_MAX_NONE the same as CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use the minimum version also as the maximum. This is a follow-up to 6015cef which changed the behavior of setting the SSL version so that the requested version would only be the minimum and not the maximum. It appears it was (mostly) implemented in OpenSSL but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was erroneously treated as always TLS 1.3, and would cause an error if OpenSSL was built without TLS 1.3 support. Co-authored-by: Daniel Gustafsson Fixes https://github.com/curl/curl/issues/2969 Closes https://github.com/curl/curl/pull/3012
2018-09-07schannel: avoid switch-cases that go to default anywayDaniel Stenberg
SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of mingw and would require an ifdef otherwise. Reported-by: Thomas Glanzmann Approved-by: Marc Hörsken Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html Closes #2950
2018-09-06schannel: unified error code handlingHan Han
Closes #2901
2018-08-24schannel: client certificate store opening fixIhor Karpenko
1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG ) while opening certificate store would be sufficient in this scenario and less-demanding in sense of required user credentials ( for example, IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore call without any of flags mentioned above ), 2) as 'cert_store_name' is a DWORD, attempt to format its value like a string ( in "Failed to open cert store" error message ) will throw null pointer exception 3) adding GetLastError(), in my opinion, will make error message more useful. Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html Closes #2909
2018-07-12schannel: enable CALG_TLS1PRF for w32api >= 5.1Marcel Raad
The definition of CALG_TLS1PRF has been fixed in the 5.1 branch: https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/commits/73aedcc0f2e6ba370de0d86ab878ad76a0dda7b5
2018-07-11schannel: fix MinGW compile breakMarcel Raad
Original MinGW's w32api has a sytax error in its definition of CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF until this bug [1] is fixed. [0] https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/blobs/d1d4a17e51a2b78e252ef0147d483267d56c90cc/w32api/include/wincrypt.h [1] https://osdn.net/projects/mingw/ticket/38391 Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043 Closes https://github.com/curl/curl/pull/2728
2018-07-09schannel: fix -Wsign-compare warningMarcel Raad
MinGW warns: /lib/vtls/schannel.c:219:64: warning: signed and unsigned type in conditional expression [-Wsign-compare] Fix this by casting the ptrdiff_t to size_t as we know it's positive. Closes https://github.com/curl/curl/pull/2721
2018-07-09schannel: workaround for wrong function signature in w32apiMarcel Raad
Original MinGW's w32api has CryptHashData's second parameter as BYTE * instead of const BYTE *. Closes https://github.com/curl/curl/pull/2721
2018-07-09schannel: make more cipher options conditionalMarcel Raad
They are not defined in the original MinGW's <wincrypt.h>. Closes https://github.com/curl/curl/pull/2721
2018-06-12schannel: support selecting ciphersRobert Prag
Given the contstraints of SChannel, I'm exposing these as the algorithms themselves instead; while replicating the ciphersuite as specified by OpenSSL would have been preferable, I found no way in the SChannel API to do so. To use this from the commandline, you need to pass the names of contants defining the desired algorithms. For example, curl --ciphers "CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM" https://github.com The specific names come from wincrypt.h Closes #2630
2018-05-27schannel: add failf calls for client certificate failuresralcock
Closes #2604
2018-05-21checksrc: make sure sizeof() is used *with* parenthesesDaniel Stenberg
... and unify the source code to adhere. Closes #2563
2018-05-16schannel: disable manual verify if APIs not availableJay Satiro
.. because original MinGW and old compilers do not have the Windows API definitions needed to support manual verification.
2018-05-16schannel: disable client cert option if APIs not availableArchangel_SDY
Original MinGW targets Windows 2000 by default, which lacks some APIs and definitions for this feature. Disable it if these APIs are not available. Closes https://github.com/curl/curl/pull/2522
2018-05-04vtls: fix missing commasDaniel Stenberg
follow-up to e66cca046cef
2018-05-04vtls: use unified "supports" bitfield member in backendsDaniel Stenberg
... instead of previous separate struct fields, to make it easier to extend and change individual backends without having to modify them all. closes #2547
2018-04-27checksrc: force indentation of lines after an elseDaniel Gustafsson
This extends the INDENTATION case to also handle 'else' statements and require proper indentation on the following line. Also fixes the offending cases found in the codebase. Closes #2532
2018-04-23schannel: fix build error on targets <= XPArchangel_SDY
- Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't support the latter. Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668 Closes https://github.com/curl/curl/pull/2504
2018-04-18schannel: add support for CURLOPT_CAINFODan McNulty
- Move verify_certificate functionality in schannel.c into a new file called schannel_verify.c. Additionally, some structure defintions from schannel.c have been moved to schannel.h to allow them to be used in schannel_verify.c. - Make verify_certificate functionality for Schannel available on all versions of Windows instead of just Windows CE. verify_certificate will be invoked on Windows CE or when the user specifies CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER. - In verify_certificate, create a custom certificate chain engine that exclusively trusts the certificate store backed by the CURLOPT_CAINFO file. - doc updates of --cacert/CAINFO support for schannel - Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString when available. This implements a TODO in schannel.c to improve handling of multiple SANs in a certificate. In particular, all SANs will now be searched instead of just the first name. - Update tool_operate.c to not search for the curl-ca-bundle.crt file when using Schannel to maintain backward compatibility. Previously, any curl-ca-bundle.crt file found in that search would have been ignored by Schannel. But, with CAINFO support, the file found by that search would have been used as the certificate store and could cause issues for any users that have curl-ca-bundle.crt in the search path. - Update url.c to not set the build time CURL_CA_BUNDLE if the selected SSL backend is Schannel. We allow setting CA location for schannel only when explicitly specified by the user via CURLOPT_CAINFO / --cacert. - Add new test cases 3000 and 3001. These test cases check that the first and last SAN, respectively, matches the connection hostname. New test certificates have been added for these cases. For 3000, the certificate prefix is Server-localhost-firstSAN and for 3001, the certificate prefix is Server-localhost-secondSAN. - Remove TODO 15.2 (Add support for custom server certificate validation), this commit addresses it. Closes https://github.com/curl/curl/pull/1325
2018-04-17schannel: fix warningJay Satiro
- Fix warning 'integer from pointer without a cast' on 3rd arg in CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer type of the same size. Follow-up to e35b025. Caught by Marc's CI builds.
2018-04-17schannel: add client certificate authenticationArchangel_SDY
Users can now specify a client certificate in system certificates store explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"` Closes #2376
2018-04-15all: Refactor malloc+memset to use callocDaniel Gustafsson
When a zeroed out allocation is required, use calloc() rather than malloc() followed by an explicit memset(). The result will be the same, but using calloc() everywhere increases consistency in the codebase and avoids the risk of subtle bugs when code is injected between malloc and memset by accident. Closes https://github.com/curl/curl/pull/2497
2018-04-06tls: fix mbedTLS 2.7.0 build + handle sha256 failuresWyatt O'Day
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) Closes #2453
2018-02-09schannel: fix "no previous prototype" compiler warningMichael Kaufmann
2018-02-08schannel: fix compiler warningsMichael Kaufmann
Closes #2296