aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/schannel.c
AgeCommit message (Collapse)Author
2016-06-06schannel: Disable ALPN on Windows < 8.1Steve Holme
Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL fails on Windows < 8.1 so we need to disable ALPN on these OS versions. Inspiration provide by: Daniel Seither Closes #848 Fixes #840
2016-06-04win32: Used centralised verify windows version functionSteve Holme
Closes #845
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01schannel: add CURLOPT_CERTINFO supportAndrew Kurushin
Closes #822
2016-05-18schannel: fix compile break with MSVC XP toolsetMarcel Raad
For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK 7.1 is used. In this case, _USING_V110_SDK71_ is defined. Closes #812
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-04-03code: style updatesDaniel Stenberg
2016-03-26schannel: Fixed compilation warning from commit f8d88a4913Steve Holme
warning C4244: '=': conversion from 'int' to 'unsigned short', possible loss of data
2016-03-24schannel: Add ALPN supportJDepooter
Add ALPN support for schannel. This allows cURL to negotiate HTTP/2.0 connections when built with schannel. Closes #724
2016-02-04URLs: change more http to httpsViktor Szakats
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-11-21schannel: Corrected copy/paste error in commit 8d17117683Steve Holme
2015-11-21schannel: Use GetVersionEx() when VerifyVersionInfo() isn't availableSteve Holme
Regression from commit 7a8e861a5 as highlighted in the msys autobuilds.
2015-08-01schannel: Fix compilation warning from commit 7a8e861a56Steve Holme
schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion' of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
2015-07-22schannel: Replace deprecated GetVersion with VerifyVersionInfoMarcel Raad
2015-07-17SSL: Add an option to disable certificate revocation checksJay Satiro
New tool option --ssl-no-revoke. New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS. Currently this option applies only to WinSSL where we have automatic certificate revocation checking by default. According to the ssl-compared chart there are other backends that have automatic checking (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at some later point. Bug: https://github.com/bagder/curl/issues/264 Reported-by: zenden2k <zenden2k@gmail.com>
2015-06-17schannel: schannel_recv overhaulJay Satiro
This commit is several drafts squashed together. The changes from each draft are noted below. If any changes are similar and possibly contradictory the change in the latest draft takes precedence. Bug: https://github.com/bagder/curl/issues/244 Reported-by: Chris Araman %% %% Draft 1 %% - return 0 if len == 0. that will have to be documented. - continue on and process the caches regardless of raw recv - if decrypted data will be returned then set the error code to CURLE_OK and return its count - if decrypted data will not be returned and the connection has closed (eg nread == 0) then return 0 and CURLE_OK - if decrypted data will not be returned and the connection *hasn't* closed then set the error code to CURLE_AGAIN --only if an error code isn't already set-- and return -1 - narrow the Win2k workaround to only Win2k %% %% Draft 2 %% - Trying out a change in flow to handle corner cases. %% %% Draft 3 %% - Back out the lazier decryption change made in draft2. %% %% Draft 4 %% - Some formatting and branching changes - Decrypt all encrypted cached data when len == 0 - Save connection closed state - Change special Win2k check to use connection closed state %% %% Draft 5 %% - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the connection isn't closed. %% %% Draft 6 %% - Save the last error only if it is an unrecoverable error. Prior to this I saved the last error state in all cases; unfortunately the logic to cover that in all cases would lead to some muddle and I'm concerned that could then lead to a bug in the future so I've replaced it by only recording an unrecoverable error and that state will persist. - Do not recurse on renegotiation. Instead we'll continue on to process any trailing encrypted data received during the renegotiation only. - Move the err checks in cleanup after the check for decrypted data. In either case decrypted data is always returned but I think it's easier to understand when those err checks come after the decrypted data check. %% %% Draft 7 %% - Regardless of len value go directly to cleanup if there is an unrecoverable error or a close_notify was already received. Prior to this change we only acknowledged those two states if len != 0. - Fix a bug in connection closed behavior: Set the error state in the cleanup, because we don't know for sure it's an error until that time. - (Related to above) In the case the connection is closed go "greedy" with the decryption to make sure all remaining encrypted data has been decrypted even if it is not needed at that time by the caller. This is necessary because we can only tell if the connection closed gracefully (close_notify) once all encrypted data has been decrypted. - Do not renegotiate when an unrecoverable error is pending. %% %% Draft 8 %% - Don't show 'server closed the connection' info message twice. - Show an info message if server closed abruptly (missing close_notify).
2015-06-11schannel: Add support for optional client certificatesJoel Depooter
Some servers will request a client certificate, but not require one. This change allows libcurl to connect to such servers when using schannel as its ssl/tls backend. When a server requests a client certificate, libcurl will now continue the handshake without one, rather than terminating the handshake. The server can then decide if that is acceptable or not. Prior to this change, libcurl would terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS error.
2015-05-02schannel.c: Small changesMarc Hoersken
2015-05-02schannel.c: Improve code path and readabilityMarc Hoersken
2015-05-02schannel.c: Improve error and return code handling upon aa99a63f03Marc Hoersken
2015-05-02schannel: fix regression in schannel_recvChris Araman
https://github.com/bagder/curl/issues/244 Commit 145c263 changed the behavior when Curl_read_plain returns CURLE_AGAIN. We now handle CURLE_AGAIN and SEC_I_CONTEXT_EXPIRED correctly.
2015-05-01Bug born in changes made several days ago 9a91e80.Marc Hoersken
Commit: https://github.com/bagder/curl/commit/926cb9f Reported-by: Ray Satiro
2015-04-30schannel: Fix out of bounds arrayJay Satiro
Bug born in changes made several days ago 9a91e80. Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html Reported-by: Brian Chrisman
2015-04-26schannel.c: Fix typo introduced with 3447c973d0Marc Hoersken
2015-04-26schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL errorMarc Hoersken
Reported-by: Brian Chrisman
2015-04-26schannel: re-indented file to follow curl style betterDaniel Stenberg
white space changes only
2015-03-03vtls: use curl_printf.h all overDaniel Stenberg
No need to use _MPRINTF_REPLACE internally.
2015-02-07schannel: Removed curl_ prefix from source filesSteve Holme
Removed the curl_ prefix from the schannel source files as discussed with Marc and Daniel at FOSDEM.