aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2020-05-15setopt: support certificate options in memory with struct curl_blobGilles Vollant
This change introduces a generic way to provide binary data in setopt options, called BLOBs. This change introduces these new setopts: CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB, CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB. Reviewed-by: Daniel Stenberg Closes #5357
2020-05-15source cleanup: remove all custom typedef structsDaniel Stenberg
- Stick to a single unified way to use structs - Make checksrc complain on 'typedef struct {' - Allow them in tests, public headers and examples - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually typedef different types/structs depending on build conditions. Closes #5338
2020-05-14curl_multibyte: add to curlxMarcel Raad
This will also be needed in the tool and tests. Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512 Closes https://github.com/curl/curl/pull/3784
2020-05-14checksrc: enhance the ASTERISKSPACE and update code accordinglyDaniel Stenberg
Fine: "struct hello *world" Not fine: "struct hello* world" (and variations) Closes #5386
2020-05-13OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAINDaniel Stenberg
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail. Reported-by: Michael Kaufmann Fixes #5374 Closes #5376
2020-05-08CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl)Gilles Vollant
Closes #4346
2020-04-30GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULTEmil Engler
Closes #5287
2020-04-29schannel: source code reindentDaniel Stenberg
White space edits only. Conform better to standard curl source code indenting style. Closes #5305
2020-04-27nss: check for PK11_CreateDigestContext() returning NULLDaniel Stenberg
... to avoid crashes! Reported-by: Hao Wu Fixes #5302 Closes #5303
2020-04-23select: make Curl_socket_check take timediff_t timeoutDaniel Stenberg
Coverity found CID 1461718: Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms > 9223372036854775807L" is always false regardless of the values of its operands. This occurs as the logical second operand of "||". Closes #5240
2020-04-21GnuTLS: Don't skip really long certificate fieldsEmil Engler
Closes #5271
2020-04-21gnutls: bump lowest supported version to 3.1.10Daniel Stenberg
GnuTLS 3.1.10 added new functions we want to use. That version was released on Mar 22, 2013. Removing support for older versions also greatly simplifies the code. Ref: #5271 Closes #5276
2020-04-20lib: fix typos in comments and errormessagesDaniel Gustafsson
This fixes a few randomly spotted typos in recently merged code, most notably one in a userfacing errormessage the schannel code.
2020-04-20multi-ssl: reset the SSL backend on `Curl_global_cleanup()`Johannes Schindelin
When cURL is compiled with support for multiple SSL backends, it is possible to configure an SSL backend via `curl_global_sslset()`, but only *before* `curl_global_init()` was called. If another SSL backend should be used after that, a user might be tempted to call `curl_global_cleanup()` to start over. However, we did not foresee that use case and forgot to reset the SSL backend in that cleanup. Let's allow that use case. Fixes #5255 Closes #5257 Reported-by: davidedec on github Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2020-04-12schannel: Fix blocking timeout logicAndrew Kurushin
- Fix schannel_send for the case when no timeout was set. Prior to this change schannel would error if the socket was not ready to send data and no timeout was set. This commit is similar to parent commit 89dc6e0 which recently made the same change for SOCKS, for the same reason. Basically it was not well understood that when Curl_timeleft returns 0 it is not a timeout of 0 ms but actually means no timeout. Fixes https://github.com/curl/curl/issues/5177 Closes https://github.com/curl/curl/pull/5221
2020-04-13gnutls: ensure TLS 1.3 when SRP isn't requestedDirkjan Bussink
When SRP is requested in the priority string, GnuTLS will disable support for TLS 1.3. Before this change, curl would always add +SRP to the priority list, effectively always disabling TLS 1.3 support. With this change, +SRP is only added to the priority list when SRP authentication is also requested. This also allows updating the error handling here to not have to retry without SRP. This is because SRP is only added when requested and in that case a retry is not needed. Closes #5223
2020-04-11lib: fix conversion warnings for SOCKET_WRITABLE/READABLEJay Satiro
- If loss of data may occur converting a timediff_t to time_t and the time value is > TIME_T_MAX then treat it as TIME_T_MAX. This is a follow-up to 8843678 which removed the (time_t) typecast from the macros so that conversion warnings could be identified. Closes https://github.com/curl/curl/pull/5199
2020-04-08schannel: support .P12 or .PFX client certificatesGilles Vollant
Used with curl command line option like this: --cert <filename>:<password> --cert-type p12 Closes #5193
2020-03-30cleanup: insert newline after if() conditionsDaniel Stenberg
Our code style mandates we put the conditional block on a separate line. These mistakes are now detected by the updated checksrc.
2020-03-26openssl: adapt to functions marked as deprecated since version 3Daniel Stenberg
OpenSSL 3 deprecates SSL_CTX_load_verify_locations and the MD4, DES functions we use. Fix the MD4 and SSL_CTX_load_verify_locations warnings. In configure, detect OpenSSL v3 and if so, inhibit the deprecation warnings. OpenSSL v3 deprecates the DES functions we use for NTLM and until we rewrite the code to use non-deprecated functions we better ignore these warnings as they don't help us. Closes #5139
2020-03-19secure transport: remove the BACKEND define kludgeDaniel Stenberg
Closes #5122
2020-03-19mbedtls: remove the BACKEND define kludgeDaniel Stenberg
2020-03-19bearssl: remove the BACKEND define kludgeDaniel Stenberg
2020-03-19wolfssl: remove the BACKEND define kludgeDaniel Stenberg
2020-03-19nss: remove the BACKEND define kludgeDaniel Stenberg
2020-03-19gnutls: remove the BACKEND define kludgeDaniel Stenberg
2020-03-19openssl: remove the BACKEND define kludgeDaniel Stenberg
Use a proper variable instead to make it easier to use a debugger and read the code.
2020-03-18schannel: add "best effort" revocation check optionJohannes Schindelin
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and --ssl-revoke-best-effort to allow a "best effort" revocation check. A best effort revocation check ignores errors that the revocation check was unable to take place. The reasoning is described in detail below and discussed further in the PR. --- When running e.g. with Fiddler, the schannel backend fails with an unhelpful error message: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Sadly, many enterprise users who are stuck behind MITM proxies suffer the very same problem. This has been discussed in plenty of issues: https://github.com/curl/curl/issues/3727, https://github.com/curl/curl/issues/264, for example. In the latter, a Microsoft Edge developer even made the case that the common behavior is to ignore issues when a certificate has no recorded distribution point for revocation lists, or when the server is offline. This is also known as "best effort" strategy and addresses the Fiddler issue. Unfortunately, this strategy was not chosen as the default for schannel (and is therefore a backend-specific behavior: OpenSSL seems to happily ignore the offline servers and missing distribution points). To maintain backward-compatibility, we therefore add a new flag (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option (`--ssl-revoke-best-effort`) to select the new behavior. Due to the many related issues Git for Windows and GitHub Desktop, the plan is to make this behavior the default in these software packages. The test 2070 was added to verify this behavior, adapted from 310. Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com> Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes https://github.com/curl/curl/pull/4981
2020-03-17windows: suppress UI in all CryptAcquireContext() callsViktor Szakats
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters Reviewed-by: Marc Hörsken Closes https://github.com/curl/curl/pull/5088
2020-03-16vtls: free ssl_config leftovers on out-of-memoryDaniel Stenberg
Torture testing 2034 and 2037 found this. Reported-by: Marc Hörsken Fixes #5108 Closes #5109
2020-03-15gskit: update the copyright year rangeDaniel Stenberg
Follow-up from 083603c63a3
2020-03-15gskit: use our internal select wrapper for portabilityMarc Hoersken
Follow up to c52b342 Closes #5106
2020-03-07version: make curl_version* thread-safe without using global contextDaniel Stenberg
Closes #5010
2020-03-05polarssl: remove more references and mentionsDaniel Stenberg
Assisted-by: Jay Satiro Follow-up to 6357a19ff29dac04 Closes #5036
2020-02-27gtls: Fixed compilation when using GnuTLS < 3.5.0Steve Holme
Reverts the functionality from 41fcb4f when compiling with GnuTLS older than 3.5.0. Reviewed-by: Daniel Stenberg Closes #4984
2020-02-21gtls: fix the copyright yearDaniel Stenberg
Follow-up from 41fcb4f609
2020-02-21GnuTLS: Always send client certjethrogb
TLS servers may request a certificate from the client. This request includes a list of 0 or more acceptable issuer DNs. The client may use this list to determine which certificate to send. GnuTLS's default behavior is to not send a client certificate if there is no match. However, OpenSSL's default behavior is to send the configured certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL behavior. Authored-by: jethrogb on github Fixes #1411 Closes #4958
2020-02-03openssl: remove redundant assignmentMarcel Raad
Fixes a scan-build failure on Bionic. Closes https://github.com/curl/curl/pull/4872
2020-02-02cleanup: fix typos and wording in docs and commentsPedro Monreal
Closes #4869 Reviewed-by: Emil Engler and Daniel Gustafsson
2020-01-23openssl: make CURLINFO_CERTINFO not truncate x509v3 fieldsDaniel Stenberg
Avoid "reparsing" the content and instead deliver more exactly what is provided in the certificate and avoid truncating the data after 512 bytes as done previously. This no longer removes embedded newlines. Fixes #4837 Reported-by: bnfp on github Closes #4841
2020-01-16wolfssl: use the wc-prefixed symbol alternativesDaniel Stenberg
The symbols without wc_ prefix are not always provided. Ref: https://github.com/wolfSSL/wolfssl/issues/2744 Closes #4827
2020-01-16polarssl: removedDaniel Stenberg
As detailed in DEPRECATE.md, the polarssl support is now removed after having been disabled for 6 months and nobody has missed it. The threadlock files used by mbedtls are renamed to an 'mbedtls' prefix instead of the former 'polarssl' and the common functions that previously were shared between mbedtls and polarssl and contained the name 'polarssl' have now all been renamed to instead say 'mbedtls'. Closes #4825
2020-01-13schannel_verify: Fix alt names manual verify for UNICODE buildsJay Satiro
Follow-up to 29e40a6 from two days ago, which added that feature for Windows 7 and earlier. The bug only occurred in same. Ref: https://github.com/curl/curl/pull/4761
2020-01-12misc: Copyright year out of date, should be 2020Daniel Stenberg
Follow-up to recent commits [skip ci]
2020-01-11schannel: Make CURLOPT_CAINFO work better on Windows 7Faizur Rahman
- Support hostname verification via alternative names (SAN) in the peer certificate when CURLOPT_CAINFO is used in Windows 7 and earlier. CERT_NAME_SEARCH_ALL_NAMES_FLAG doesn't exist before Windows 8. As a result CertGetNameString doesn't quite work on those versions of Windows. This change provides an alternative solution for CertGetNameString by iterating through CERT_ALT_NAME_INFO for earlier versions of Windows. Prior to this change many certificates failed the hostname validation when CURLOPT_CAINFO was used in Windows 7 and earlier. Most certificates now represent multiple hostnames and rely on the alternative names field exclusively to represent their hostnames. Reported-by: Jeroen Ooms Fixes https://github.com/curl/curl/issues/3711 Closes https://github.com/curl/curl/pull/4761
2020-01-11vtls: Refactor Curl_multissl_version to make the code clearerJay Satiro
Reported-by: Johannes Schindelin Ref: https://github.com/curl/curl/pull/3863#pullrequestreview-241395121 Closes https://github.com/curl/curl/pull/4803
2020-01-03lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`Marcel Raad
Closes https://github.com/curl/curl/pull/4775
2019-12-31bearssl: Improve I/O handlingMichael Forney
Factor out common I/O loop as bearssl_run_until, which reads/writes TLS records until the desired engine state is reached. This is now used for the handshake, read, write, and close. Match OpenSSL SSL_write behavior, and don't return the number of bytes written until the corresponding records have been completely flushed across the socket. This involves keeping track of the length of data buffered into the TLS engine, and assumes that when CURLE_AGAIN is returned, the write function will be called again with the same data and length arguments. This is the same requirement of SSL_write. Handle TLS close notify as EOF when reading by returning 0. Closes https://github.com/curl/curl/pull/4748
2019-12-10vtls: make BearSSL possible to set with CURL_SSL_BACKENDGisle Vanem
Ref: https://github.com/curl/curl/commit/9b879160df01e7ddbb4770904391d3b74114302b#commitcomment-36355622 Closes #4698
2019-12-03openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chainsDaniel Stenberg
Closes #4655