aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2018-04-06Revert "openssl: Don't add verify locations when verifypeer==0"Gaurav Malhotra
This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb. libcurl (with the OpenSSL backend) performs server certificate verification even if verifypeer == 0 and the verification result is available using CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the CURLINFO_SSL_VERIFYRESULT to not have useful information for the verifypeer == 0 use case (it would always have X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). Closes #2451
2018-04-06tls: fix mbedTLS 2.7.0 build + handle sha256 failuresWyatt O'Day
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) Closes #2453
2018-04-04openssl: provide defines for argument typecasts to build warning-freeDaniel Stenberg
... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
2018-04-04openssl: fix build with LibreSSL 2.7Bernard Spil
- LibreSSL 2.7 implements (most of) OpenSSL 1.1 API Fixes #2319 Closes #2447 Closes #2448 Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2018-03-18darwinssl: fix iOS buildChris Araman
2018-03-16cleanup: misc typos in strings and commentsluz.paz
Found via `codespell` Closes #2389
2018-03-05WolfSSL: adding TLSv1.3sergii.kavunenko
Closes #2349
2018-02-28unit1309: fix warning on Windows x64Marcel Raad
When targeting x64, MinGW-w64 complains about conversions between 32-bit long and 64-bit pointers. Fix this by reusing the GNUTLS_POINTER_TO_SOCKET_CAST / GNUTLS_SOCKET_TO_POINTER_CAST logic from gtls.c, moving it to warnless.h as CURLX_POINTER_TO_INTEGER_CAST / CURLX_INTEGER_TO_POINTER_CAST. Closes https://github.com/curl/curl/pull/2341
2018-02-15nss: use PK11_CreateManagedGenericObject() if availableKamil Dudka
... so that the memory allocated by applications using libcurl does not grow per each TLS connection. Bug: https://bugzilla.redhat.com/1510247 Closes #2297
2018-02-09schannel: fix "no previous prototype" compiler warningMichael Kaufmann
2018-02-08schannel: fix compiler warningsMichael Kaufmann
Closes #2296
2018-02-06openssl: Don't add verify locations when verifypeer==0Patrick Schlangen
When peer verification is disabled, calling SSL_CTX_load_verify_locations is not necessary. Only call it when verification is enabled to save resources and increase performance. Closes #2290
2018-01-25GSKit: restore pinnedpubkey functionalitymoparisthebest
inadvertently removed in 283babfaf8d8f3bab9d3c63cea94eb0b84e79c37 Closes #2263
2018-01-25darwinssl: Don't import client certificates into Keychain on macOSDair Grant
Closes #2085
2018-01-25openssl: fix pinned public key build error in FIPS modeMcDonough, Tim
Here is a version that should work with all versions of openssl 0.9.7 through 1.1.0. Links to the docs: https://www.openssl.org/docs/man1.0.2/crypto/EVP_DigestInit.html https://www.openssl.org/docs/man1.1.0/crypto/EVP_DigestInit.html At the very bottom of the 1.1.0 documentation there is a history section that states, " stack allocated EVP_MD_CTXs are no longer supported." If EVP_MD_CTX_create and EVP_MD_CTX_destroy are not defined, then a simple mapping can be used as described here: https://wiki.openssl.org/index.php/Talk:OpenSSL_1.1.0_Changes Closes #2258
2018-01-25SChannel/WinSSL: Replace Curl_none_md5sum with Curl_schannel_md5summoparisthebest
2018-01-25SChannel/WinSSL: Implement public key pinningmoparisthebest
Closes #1429
2018-01-18openssl: fix potential memory leak in SSLKEYLOGFILE logicDaniel Stenberg
Coverity CID 1427646.
2018-01-18openssl: fix the libressl build againDaniel Stenberg
Follow-up to 84fcaa2e7. libressl does not have the API even if it says it is late OpenSSL version... Fixes #2246 Closes #2247 Reported-by: jungle-boogie on github
2018-01-15openssl: enable SSLKEYLOGFILE support by defaultDaniel Stenberg
Fixes #2210 Closes #2236
2018-01-05build: remove HAVE_LIMITS_H checkJay Satiro
.. because limits.h presence isn't optional, it's required by C89. Ref: http://port70.net/~nsz/c/c89/c89-draft.html#2.2.4.2 Closes https://github.com/curl/curl/pull/2215
2018-01-03openssl: fix memory leak of SSLKEYLOGFILE filenameJay Satiro
- Free the copy of SSLKEYLOGFILE env returned by curl_getenv during ossl initialization. Caught by ASAN.
2017-12-12vtls: replaced getenv() with curl_getenv()dmitrykos
Fixed undefined symbol of getenv() which does not exist when compiling for Windows 10 App (CURL_WINDOWS_APP). Replaced getenv() with curl_getenv() which is aware of getenv() absence when CURL_WINDOWS_APP is defined. Closes #2171
2017-12-10openssl: Disable file buffering for Win32 SSLKEYLOGFILEJay Satiro
Prior to this change SSLKEYLOGFILE used line buffering on WIN32 just like it does for other platforms. However, the Windows CRT does not actually support line buffering (_IOLBF) and will use full buffering (_IOFBF) instead. We can't use full buffering because multiple processes may be writing to the file and that could lead to corruption, and since full buffering is the only buffering available this commit disables buffering for Windows SSLKEYLOGFILE entirely (_IONBF). Ref: https://github.com/curl/curl/pull/1346#issuecomment-350530901
2017-12-08openssl: improve data-pending check for https proxyJay Satiro
- Allow proxy_ssl to be checked for pending data even when connssl does not yet have an SSL handle. This change is for posterity. Currently there doesn't seem to be a code path that will cause a pending data check when proxyssl could have pending data and the connssl handle doesn't yet exist [1]. [1]: Recall that an https proxy connection starts out in connssl but if the destination is also https then the proxy SSL backend data is moved from connssl to proxyssl, which means connssl handle is temporarily empty until an SSL handle for the destination can be created. Ref: https://github.com/curl/curl/commit/f4a6238#commitcomment-24396542 Closes https://github.com/curl/curl/pull/1916
2017-12-02openssl: pkcs12 is supported by boringsslDaniel Stenberg
Removes another #ifdef for BoringSSL Pointed-out-by: David Benjamin Closes #2134
2017-11-27openssl: fix boringssl build againDaniel Stenberg
commit d3ab7c5a21e broke the boringssl build since it doesn't have RSA_flags(), so we disable that code block for boringssl builds. Reported-by: W. Mark Kubacki Fixes #2117
2017-11-21openssl: fix "Value stored to 'rc' is never read" scan-build errorDaniel Stenberg
2017-11-15openssl: fix too broad use of HAVE_OPAQUE_EVP_PKEYDirk Feytons
Fixes #2079 Closes #2081
2017-10-25time: rename Curl_tvnow to Curl_nowDaniel Stenberg
... since the 'tv' stood for timeval and this function does not return a timeval struct anymore. Also, cleaned up the Curl_timediff*() functions to avoid typecasts and clean up the descriptive comments. Closes #2011
2017-10-25timediff: return timediff_t from the time diff functionsDaniel Stenberg
... to cater for systems with unsigned time_t variables. - Renamed the functions to curlx_timediff and Curl_timediff_us. - Added overflow protection for both of them in either direction for both 32 bit and 64 bit time_ts - Reprefixed the curlx_time functions to use Curl_* Reported-by: Peter Piekarski Fixes #2004 Closes #2005
2017-10-19vtls: change struct Curl_ssl `close' field name to `close_one'.Patrick Monnerat
On OS/400, `close' is an ASCII system macro that corrupts the code if not used in a context not targetting the close() system API.
2017-10-11openssl: don't use old BORINGSSL_YYYYMM macrosDavid Benjamin
Those were temporary things we'd add and remove for our own convenience long ago. The last few stayed around for too long as an oversight but have since been removed. These days we have a running BORINGSSL_API_VERSION counter which is bumped when we find it convenient, but 2015-11-19 was quite some time ago, so just check OPENSSL_IS_BORINGSSL. Closes #1979
2017-10-09openssl: enable PKCS12 support for !BoringSSLDaniel Stenberg
Enable PKCS12 for all non-boringssl builds without relying on configure or cmake checks. Bug: https://curl.haxx.se/mail/lib-2017-10/0007.html Reported-by: Christian Schmitz Closes #1948
2017-10-06vtls: fix warnings with --disable-crypto-authMarcel Raad
When CURL_DISABLE_CRYPTO_AUTH is defined, Curl_none_md5sum's parameters are not used.
2017-10-06openssl: fix build without HAVE_OPAQUE_EVP_PKEYDaniel Stenberg
Reported-by: Javier Sixto Fixes #1955 Closes #1956
2017-10-05build: fix --disable-crypto-authDaniel Stenberg
Reported-by: Wyatt O'Day Fixes #1945 Closes #1947
2017-10-05darwinssl: add support for TLSv1.3Nick Zitzmann
Closes https://github.com/curl/curl/pull/1794
2017-10-03vtls: compare and clone ssl configs properlyMichael Kaufmann
Compare these settings in Curl_ssl_config_matches(): - verifystatus (CURLOPT_SSL_VERIFYSTATUS) - random_file (CURLOPT_RANDOM_FILE) - egdsocket (CURLOPT_EGDSOCKET) Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(), and copy the setting "sessionid" unconditionally. This means that reusing connections that are secured with a client certificate is now possible, and the statement "TLS session resumption is disabled when a client certificate is used" in the old advisory at https://curl.haxx.se/docs/adv_20170419.html is obsolete. Reviewed-by: Daniel Stenberg Closes #1917
2017-09-23ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM headerJay Satiro
.. and include the core NTLM header in all NTLM-related source files. Follow up to 6f86022. Since then http_ntlm checks NTLM_NEEDS_NSS_INIT but did not include vtls.h where it was defined. Closes https://github.com/curl/curl/pull/1911
2017-09-22ntlm: use strict order for SSL backend #if branchesViktor Szakats
With the recently introduced MultiSSL support multiple SSL backends can be compiled into cURL That means that now the order of the SSL One option would be to use the same SSL backend as was configured via `curl_global_sslset()`, however, NTLMv2 support would appear to be available only with some SSL backends. For example, when eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced support for NTLMv1 using Windows' Crypt API, it specifically did *not* introduce NTLMv2 support using Crypt API at the same time. So let's select one specific SSL backend for NTLM support when compiled with multiple SSL backends, using a priority order such that we support NTLMv2 even if only one compiled-in SSL backend can be used for that. Ref: https://github.com/curl/curl/pull/1848
2017-09-22vtls: provide curl_global_sslset() even in non-SSL buildsDaniel Stenberg
... it just returns error: Bug: https://github.com/curl/curl/commit/1328f69d53f2f2e937696ea954c480412b018451#commitcomment-24470367 Reported-by: Marcel Raad Closes #1906
2017-09-21openssl: only verify RSA private key if supportedDirk Feytons
In some cases the RSA key does not support verifying it because it's located on a smart card, an engine wants to hide it, ... Check the flags on the key before trying to verify it. OpenSSL does the same thing internally; see ssl/ssl_rsa.c Closes #1904
2017-09-16schannel: Support partial send for when data is too largeMarc Aldorasi
Schannel can only encrypt a certain amount of data at once. Instead of failing when too much data is to be sent at once, send as much data as we can and let the caller send the remaining data by calling send again. Bug: https://curl.haxx.se/mail/lib-2014-07/0033.html Closes https://github.com/curl/curl/pull/1890
2017-09-16openssl: add missing includesDavid Benjamin
lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include their headers directly rather than relying on other OpenSSL headers including things. Closes https://github.com/curl/curl/pull/1891
2017-09-15conversions: fix several compiler warningsDaniel Stenberg
2017-09-11code style: use spaces around plusesDaniel Stenberg
2017-09-11code style: use spaces around equals signsDaniel Stenberg
2017-09-10mbedtls: enable CA path processingJay Satiro
CA path processing was implemented when mbedtls.c was added to libcurl in fe7590f, but it was never enabled. Bug: https://github.com/curl/curl/issues/1877 Reported-by: SBKarr@users.noreply.github.com
2017-09-07OpenSSL: fix yet another mistake while encapsulating SSL backend dataJohannes Schindelin
Another mistake in my manual fixups of the largely mechanical search-and-replace ("connssl->" -> "BACKEND->"), just like the previous commit concerning HTTPS proxies (and hence not caught during my earlier testing). Fixes #1855 Closes #1871 Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>