aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2017-05-15SecureTransport/DarwinSSL: Implement public key pinningmoparisthebest
Closes #1400
2017-05-12mbedtls: Support server renegotiation requestRon Eldor
Tested with servers: IIS 7.5; OpenSSL 1.0.2. Closes https://github.com/curl/curl/pull/1475
2017-05-04schannel: return a more specific error code for SEC_E_UNTRUSTED_ROOTDan Fandrich
2017-05-02gtls: fixed a lingering BUFSIZE referenceDan Fandrich
2017-05-01openssl: use local stack for temp storageDaniel Stenberg
2017-04-25nss: load libnssckbi.so if no other trust is specifiedKamil Dudka
The module contains a more comprehensive set of trust information than supported by nss-pem, because libnssckbi.so also includes information about distrusted certificates. Reviewed-by: Kai Engert Closes #1414
2017-04-25nss: factorize out nss_{un,}load_module to separate fncsKamil Dudka
No change of behavior is intended by this commit.
2017-04-25nss: do not leak PKCS #11 slot while loading a keyKamil Dudka
It could prevent nss-pem from being unloaded later on. Bug: https://bugzilla.redhat.com/1444860
2017-04-24nss: adapt to the new Curl_llist APIKamil Dudka
This commit fixes compilation failure caused by cbae73e1dd95946597ea74ccb580c30f78e3fa73.
2017-04-22schannel: Don't treat encrypted partial record as pending dataJay Satiro
- Track when the cached encrypted data contains only a partial record that can't be decrypted without more data (SEC_E_INCOMPLETE_MESSAGE). - Change Curl_schannel_data_pending to return false in such a case. Other SSL libraries have pending data functions that behave similarly. Ref: https://github.com/curl/curl/pull/1387 Closes https://github.com/curl/curl/pull/1392
2017-04-22gnutls: removed some code when --disable-verbose is configuredDan Fandrich
This reduces the binary size and fixes a compile warning.
2017-04-20openssl: fix memory leak in servercertDaniel Stenberg
... when failing to get the server certificate.
2017-04-18nss: fix MinGW compiler warningsMarcel Raad
This fixes 3 warnings issued by MinGW: 1. PR_ImportTCPSocket actually has a paramter of type PROsfd instead of PRInt32, which is 64 bits on Windows. Fixed this by including the corresponding header file instead of redeclaring the function, which is supported even though it is in the private include folder. [1] 2. In 64-bit mode, size_t is 64 bits while CK_ULONG is 32 bits, so an explicit narrowing cast is needed. 3. Curl_timeleft returns time_t instead of long since commit 21aa32d30dbf319f2d336e0cb68d3a3235869fbb. [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR/Reference/PR_ImportTCPSocket Closes https://github.com/curl/curl/pull/1393
2017-04-18TLS: Fix switching off SSL session id when client cert is usedJay Satiro
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl will each have their own sessionid flag. Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that this issue had been fixed in 247d890, CVE-2016-5419. Bug: https://github.com/curl/curl/issues/1341 Reported-by: lijian996@users.noreply.github.com The new incarnation of this bug is called CVE-2017-7468 and is documented here: https://curl.haxx.se/docs/adv_20170419.html
2017-04-17openssl: don't try to print nonexistant peer private keysDavid Benjamin
X.509 certificates carry public keys, not private keys. Fields corresponding to the private half of the key will always be NULL. Closes #1425
2017-04-17openssl: fix thread-safety bugs in error-handlingDavid Benjamin
ERR_error_string with NULL parameter is not thread-safe. The library writes the string into some static buffer. Two threads doing this at once may clobber each other and run into problems. Switch to ERR_error_string_n which avoids this problem and is explicitly bounds-checked. Also clean up some remnants of OpenSSL 0.9.5 around here. A number of comments (fixed buffer size, explaining that ERR_error_string_n was added in a particular version) date to when ossl_strerror tried to support pre-ERR_error_string_n OpenSSLs. Closes #1424
2017-04-17openssl: make SSL_ERROR_to_str more future-proofDavid Benjamin
Rather than making assumptions about the values, use a switch-case. Closes #1424
2017-04-15mbedtls: fix memory leak in error pathLarry Stefani
Add missing our_ssl_sessionid free call in mbed_connect_step3(). Closes #1417
2017-04-11polarssl: unbreak build with versions < 1.3.8Marcel Raad
ssl_session_init was only introduced in version 1.3.8, the penultimate version. The function only contains a memset, so replace it with that. Suggested-by: Jay Satiro Fixes https://github.com/curl/curl/issues/1401
2017-04-10openssl: fix this statement may fall through [-Wimplicit-fallthrough=]Alexis La Goutte
Closes #1402
2017-04-10nss: load CA certificates even with --insecureKamil Dudka
... because they may include an intermediate certificate for a client certificate and the intermediate certificate needs to be presented to the server, no matter if we verify the peer or not. Reported-by: thraidh Closes #851
2017-04-08vtls: fix unreferenced variable warningsMarcel Raad
... by moving the variables into the correct #ifdef block.
2017-04-07schannel: fix compiler warningsMarcel Raad
When UNICODE is not defined, the Curl_convert_UTF8_to_tchar macro maps directly to its argument. As it is declared as a pointer to const and InitializeSecurityContext expects a pointer to non-const, both MSVC and MinGW issue a warning about implicitly casting away the const. Fix this by declaring the variables as pointers to non-const. Closes https://github.com/curl/curl/pull/1394
2017-04-06gtls: fix compiler warningMarcel Raad
Curl_timeleft returns time_t instead of long since commit 21aa32d30dbf319f2d336e0cb68d3a3235869fbb.
2017-04-06nss: fix build after e60fe20fdf94e829ba5fce33f7a9d6c281149f7dMarcel Raad
Curl_llist_alloc is now Curl_llist_init. Closes https://github.com/curl/curl/pull/1391
2017-03-30schannel: fix unused variable warningMarcel Raad
If CURL_DISABLE_VERBOSE_STRINGS is defined, hostname is not used in schannel_connect_step3.
2017-03-28openssl: exclude DSA code when OPENSSL_NO_DSA is definedJay Satiro
- Fix compile errors that occur in openssl.c when OpenSSL lib was built without DSA support. Bug: https://github.com/curl/curl/issues/1361 Reported-by: neheb@users.noreply.github.com
2017-03-28schannel: fix variable shadowing warningMarcel Raad
No need to redeclare the variable.
2017-03-26spelling fixesklemens
Closes #1356
2017-03-23openssl: fix comparison between signed and unsigned integer expressionsDaniel Stenberg
2017-03-23openssl: made the error table static constDan Fandrich
2017-03-23openssl: fall back on SSL_ERROR_* string when no error detailJay Satiro
- If SSL_get_error is called but no extended error detail is available then show that SSL_ERROR_* as a string. Prior to this change there was some inconsistency in that case: the SSL_ERROR_* code may or may not have been shown, or may have been shown as unknown even if it was known. Ref: https://github.com/curl/curl/issues/1300 Closes https://github.com/curl/curl/pull/1348
2017-03-21mbedtls: add support for CURLOPT_SSL_CTX_FUNCTIONAles Mlakar
Ref: https://curl.haxx.se/mail/lib-2017-02/0097.html Closes https://github.com/curl/curl/pull/1272
2017-03-18darwinssl: fix typo in variable namePalo Markovic
Broken a week ago in 6448f98. Closes https://github.com/curl/curl/pull/1337
2017-03-13Improve code readbilitySylvestre Ledru
... by removing the else branch after a return, break or continue. Closes #1310
2017-03-11mbedtls: fix typo in variable nameThomas Glanzmann
Broken a few days ago in 6448f98. Bug: https://curl.haxx.se/mail/lib-2017-03/0015.html
2017-03-10openssl: add two /* FALLTHROUGH */ to satisfy coverityDaniel Stenberg
CID 1402159 and 1402158
2017-03-09polarssl: fixed compile errors introduced in 6448f98cDan Fandrich
2017-03-08openssl: unbreak the build after 6448f98c1857deDaniel Stenberg
Verified with OpenSSL 1.1.0e and OpenSSL master (1.1.1)
2017-03-08vtls: add options to specify range of enabled TLS versionsJozef Kralik
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as the --tls-max option of the curl tool. Closes https://github.com/curl/curl/pull/1166
2017-03-03build: fix gcc7 implicit fallthrough warningsAlexis La Goutte
Mark intended fallthroughs with /* FALLTHROUGH */ so that gcc will know it's expected and won't warn on [-Wimplicit-fallthrough=]. Closes https://github.com/curl/curl/pull/1297
2017-03-02darwinssl: Warn that disabling host verify also disables SNIJDepooter
In DarwinSSL the SSLSetPeerDomainName function is used to enable both sending SNI and verifying the host. When host verification is disabled the function cannot be called, therefore SNI is disabled as well. Closes https://github.com/curl/curl/pull/1240
2017-02-26cyassl: get library version string at runtimeJay Satiro
wolfSSL >= 3.6.0 supports getting its library version string at runtime.
2017-02-21cyassl: fix typoJay Satiro
2017-02-15axtls: adapt to API changesDaniel Stenberg
Builds with axTLS 2.1.2. This then also breaks compatibility with axTLS < 2.1.0 (the older API) ... and fix the session_id mixup brought in 04b4ee549 Fixes #1220
2017-02-09nss: make FTPS work with --proxytunnelKamil Dudka
If the NSS code was in the middle of a non-blocking handshake and it was asked to finish the handshake in blocking mode, it unexpectedly continued in the non-blocking mode, which caused a FTPS connection over CONNECT to fail with "(81) Socket not ready for send/recv". Bug: https://bugzilla.redhat.com/1420327
2017-02-08polarssl, mbedtls: Fix detection of pending dataMichael Kaufmann
Reported-by: Dan Fandrich Bug: https://curl.haxx.se/mail/lib-2017-02/0032.html
2017-02-07darwinssl: Avoid parsing certificates when not in verbose modeDaniel Gustafsson
The information extracted from the server certificates in step 3 is only used when in verbose mode, and there is no error handling or validation performed as that has already been done. Only run the certificate information extraction when in verbose mode and libcurl was built with verbose strings. Closes https://github.com/curl/curl/pull/1246
2017-02-07schannel: Remove incorrect SNI disabled messageJDepooter
- Remove the SNI disabled when host verification disabled message since that is incorrect. - Show a message for legacy versions of Windows <= XP that connections may fail since those versions of WinSSL lack SNI, algorithms, etc. Bug: https://github.com/curl/curl/pull/1240
2017-01-31openssl: Don't use certificate after transferring ownershipAdam Langley
SSL_CTX_add_extra_chain_cert takes ownership of the given certificate while, despite the similar name, SSL_CTX_add_client_CA does not. Thus it's best to call SSL_CTX_add_client_CA before SSL_CTX_add_extra_chain_cert, while the code still has ownership of the argument. Closes https://github.com/curl/curl/pull/1236