aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/vtls.h
AgeCommit message (Collapse)Author
2017-08-28vtls: refactor out essential information about the SSL backendsJohannes Schindelin
There is information about the compiled-in SSL backends that is really no concern of any code other than the SSL backend itself, such as which function (if any) implements SHA-256 summing. And there is information that is really interesting to the user, such as the name, or the curl_sslbackend value. Let's factor out the latter into a publicly visible struct. This information will be used in the upcoming API to set the SSL backend globally. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: fold the backend ID into the Curl_ssl structureJohannes Schindelin
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: encapsulate SSL backend-specific dataJohannes Schindelin
So far, all of the SSL backends' private data has been declared as part of the ssl_connect_data struct, in one big #if .. #elif .. #endif block. This can only work as long as the SSL backend is a compile-time option, something we want to change in the next commits. Therefore, let's encapsulate the exact data needed by each SSL backend into a private struct, and let's avoid bleeding any SSL backend-specific information into urldata.h. This is also necessary to allow multiple SSL backends to be compiled in at the same time, as e.g. OpenSSL's and CyaSSL's headers cannot be included in the same .c file. To avoid too many malloc() calls, we simply append the private structs to the connectdata struct in allocate_conn(). This requires us to take extra care of alignment issues: struct fields often need to be aligned on certain boundaries e.g. 32-bit values need to be stored at addresses that divide evenly by 4 (= 32 bit / 8 bit-per-byte). We do that by assuming that no SSL backend's private data contains any fields that need to be aligned on boundaries larger than `long long` (typically 64-bit) would need. Under this assumption, we simply add a dummy field of type `long long` to the `struct connectdata` struct. This field will never be accessed but acts as a placeholder for the four instances of ssl_backend_data instead. the size of each ssl_backend_data struct is stored in the SSL backend-specific metadata, to allow allocate_conn() to know how much extra space to allocate, and how to initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend pointers. This would appear to be a little complicated at first, but is really necessary to encapsulate the private data of each SSL backend correctly. And we need to encapsulate thusly if we ever want to allow selecting CyaSSL and OpenSSL at runtime, as their headers cannot be included within the same .c file (there are just too many conflicting definitions and declarations for that). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28getinfo: access SSL internals via Curl_sslJohannes Schindelin
In the ongoing endeavor to abstract out all SSL backend-specific functionality, this is the next step: Instead of hard-coding how the different SSL backends access their internal data in getinfo.c, let's implement backend-specific functions to do that task. This will also allow for switching SSL backends as a runtime option. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl structJohannes Schindelin
That will allow us to choose the SSL backend at runtime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: convert the have_curlssl_* constants to runtime flagsJohannes Schindelin
The entire idea of introducing the Curl_ssl struct to describe SSL backends is to prepare for choosing the SSL backend at runtime. To that end, convert all the #ifdef have_curlssl_* style conditionals to use bit flags instead. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move sha256sum into the Curl_ssl structJohannes Schindelin
The SHA-256 checksumming is also an SSL backend-specific function. Let's include it in the struct declaring the functionality of SSL backends. In contrast to MD5, there is no fall-back code. To indicate this, the respective entries are NULL for those backends that offer no support for SHA-256 checksumming. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: move md5sum into the Curl_ssl structJohannes Schindelin
The MD5 summing is also an SSL backend-specific function. So let's include it, offering the previous fall-back code as a separate function now: Curl_none_md5sum(). To allow for that, the signature had to be changed so that an error could be returned from the implementation (Curl_none_md5sum() can run out of memory). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: use the Curl_ssl struct to access all SSL backends' functionalityJohannes Schindelin
This is the first step to unify the SSL backend handling. Now all the SSL backend-specific functionality is accessed via a global instance of the Curl_ssl struct. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: declare Curl_ssl structs for every SSL backendJohannes Schindelin
The idea of introducing the Curl_ssl struct was to unify how the SSL backends are declared and called. To this end, we now provide an instance of the Curl_ssl struct for each and every SSL backend. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28vtls: introduce a new struct for SSL backendsJohannes Schindelin
This new struct is similar in nature to Curl_handler: it will define the functions and capabilities of all the SSL backends (where Curl_handler defines the functions and capabilities of protocol handlers). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2016-11-24checksrc: code style: use 'char *name' styleDaniel Stenberg
2016-11-24proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov
* HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-14Curl_rand: fixed and moved to rand.cDaniel Stenberg
Now Curl_rand() is made to fail if it cannot get the necessary random level. Changed the proto of Curl_rand() slightly to provide a number of ints at once. Moved out from vtls, since it isn't a TLS function and vtls provides Curl_ssl_random() for this to use. Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-04-19vtls.h: remove a space before semicolonDaniel Stenberg
... that the new checksrc detected
2016-02-04URLs: change more http to httpsViktor Szakats
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-10-20vtls: added support for mbedTLSJonas Minnberg
closes #496
2015-09-19ssl: add server cert's "sha256//" hash to verboseDaniel Hwang
Add a "pinnedpubkey" section to the "Server Certificate" verbose Bug: https://github.com/bagder/curl/issues/410 Reported-by: W. Mark Kubacki Closes #430 Closes #410
2015-07-01SSL: Pinned public key hash supportmoparisthebest
2015-03-25Curl_ssl_md5sum: return CURLcodeDaniel Stenberg
... since the funciton can fail on OOM. Check this return code. Coverity CID 1291705.
2015-03-20url: add CURLOPT_SSL_FALSESTART optionAlessandro Ghedini
This option can be used to enable/disable TLS False Start defined in the RFC draft-bmoeller-tls-falsestart.
2015-02-15By request, change the name of "curl_darwinssl.[ch]" to "darwinssl.[ch]"Nick Zitzmann
2015-02-07schannel: Removed curl_ prefix from source filesSteve Holme
Removed the curl_ prefix from the schannel source files as discussed with Marc and Daniel at FOSDEM.
2015-01-17vtls: Separate the SSL backend definition from the API setupSteve Holme
Slight code cleanup as the SSL backend #define is mixed up with the API function setup.
2015-01-17vtls: Fixed compilation errors when SSL not usedSteve Holme
Fixed the following warning and error from commit 3af90a6e19 when SSL is not being used: url.c:2004: warning C4013: 'Curl_ssl_cert_status_request' undefined; assuming extern returning int error LNK2019: unresolved external symbol Curl_ssl_cert_status_request referenced in function Curl_setopt
2015-01-16url: add CURLOPT_SSL_VERIFYSTATUS optionAlessandro Ghedini
This option can be used to enable/disable certificate status verification using the "Certificate Status Request" TLS extension defined in RFC6066 section 8. This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the certificate status verification fails, and the Curl_ssl_cert_status_request() function, used to check whether the SSL backend supports the status_request extension.
2014-12-26vtls: Use CURLcode for Curl_ssl_init_certinfo() return typeSteve Holme
The return type for this function was 0 on success and 1 on error. This was then examined by the calling functions and, in most cases, used to return CURLE_OUT_OF_MEMORY. Instead use CURLcode for the return type and return the out of memory error directly, propagating it up the call stack.
2014-12-25vtls: Use bool for Curl_ssl_getsessionid() return typeSteve Holme
The return type of this function is a boolean value, and even uses a bool internally, so use bool in the function declaration as well as the variables that store the return value, to avoid any confusion.
2014-11-24SSL: Add PEM format support for public key pinningmoparisthebest
2014-11-09vtls.h: Fixed compiler warning when compiled without SSLSteve Holme
vtls.c:185:46: warning: unused parameter 'data'
2014-10-13Factorize pinned public key code into generic file handling and backend specificPatrick Monnerat
2014-10-13vtls: remove QsoSSLPatrick Monnerat
2014-10-13vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementationPatrick Monnerat
2014-10-09vtls: have vtls.h include the backend header filesDaniel Stenberg
It turned out some features were not enabled in the build since for example url.c #ifdefs on features that are defined on a per-backend basis but vtls.h didn't include the backend headers. CURLOPT_CERTINFO was one such feature that was accidentally disabled.
2014-08-03ssl: provide Curl_ssl_backend even if no SSL library is availableDan Fandrich
2014-07-31ssl: generalize how the ssl backend identifier is setDaniel Stenberg
Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS one which was missing previously.
2014-07-30vtls: repair build without TLS supportDaniel Stenberg
... by defining Curl_ssl_random() properly
2014-07-30vtls: make the random function mandatory in the TLS backendDaniel Stenberg
To force each backend implementation to really attempt to provide proper random. If a proper random function is missing, then we can explicitly make use of the default one we use when TLS support is missing. This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-06-11NTLM: set a fake entropy for debug builds with CURL_ENTROPY setDaniel Stenberg
Curl_rand() will return a dummy and repatable random value for this case. Makes it possible to write test cases that verify output. Also, fake timestamp with CURL_FORCETIME set. Only when built debug enabled of course. Curl_ssl_random() was not used anymore so it has been removed. Curl_rand() is enough. create_digest_md5_message: generate base64 instead of hex string curl_sasl: also fix memory leaks in some OOM situations
2014-05-20ALPN: fix typo in http/1.1 identifierFabian Frank
According to https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-05 it is "http/1.1" and not "http/1.0".
2014-02-04gtls: add ALPN supportFabian Frank
Add ALPN support when using GnuTLS >= 3.2.0. This allows libcurl to negotiate HTTP/2.0 for https connections when built with GnuTLS. See: http://www.gnutls.org/manual/gnutls.html#Application-Layer-Protocol-Negotiation-_0028ALPN_0029 http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-04
2013-12-20vtls: renamed sslgen.[ch] to vtls.[ch]Daniel Stenberg