aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2016-09-18darwinssl: disable RC4 cipher-suite supportNick Zitzmann
RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
2016-09-14openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2Daniel Stenberg
OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread so we need to clean it when easy handles are freed, in case the thread will be killed in which the easy handle was used. All OpenSSL code in libcurl should extract the error in association with the error already so clearing this queue here should be harmless at worst. Fixes #964
2016-09-09openssl: fix bad memory free (regression)Daniel Stenberg
... by partially reverting f975f06033b1. The allocation could be made by OpenSSL so the free must be made with OPENSSL_free() to avoid problems. Reported-by: Harold Stuart Fixes #1005
2016-09-06openssl: fix CURLINFO_SSL_VERIFYRESULTGaurav Malhotra
CURLINFO_SSL_VERIFYRESULT does not get the certificate verification result when SSL_connect fails because of a certificate verification error. This fix saves the result of SSL_get_verify_result so that it is returned by CURLINFO_SSL_VERIFYRESULT. Closes https://github.com/curl/curl/pull/995
2016-09-06darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)Daniel Gustafsson
While noErr and errSecSuccess are defined as the same value, the API documentation states that SecPKCS12Import() returns errSecSuccess if there were no errors in importing. Ensure that a future change of the defined value doesn't break (however unlikely) and be consistent with the API docs.
2016-09-05openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000LMarcel Raad
With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is now called OpenSSL_version_num(). [1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html [2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html Closes #992
2016-08-26schannel: Disable ALPN for Wine since it is causing problemsJay Satiro
- Disable ALPN on Wine. - Don't pass input secbuffer when ALPN is disabled. When ALPN support was added a change was made to pass an input secbuffer to initialize the context. When ALPN is enabled the buffer contains the ALPN information, and when it's disabled the buffer is empty. In either case this input buffer caused problems with Wine and connections would not complete. Bug: https://github.com/curl/curl/issues/983 Reported-by: Christian Fillion
2016-08-26nss: work around race condition in PK11_FindSlotByName()Peter Wang
Serialise the call to PK11_FindSlotByName() to avoid spurious errors in a multi-threaded environment. The underlying cause is a race condition in nssSlot_IsTokenPresent(). Bug: https://bugzilla.mozilla.org/1297397 Closes #985
2016-08-26nss: refuse previously loaded certificate from fileKamil Dudka
... when we are not asked to use a certificate from file
2016-08-26TLS: random file/egd doesn't have to match for conn reuseDaniel Stenberg
2016-08-25openssl: make build with 1.1.0 againDaniel Stenberg
synced with OpenSSL git master commit cc06906707
2016-08-17nss: make the global variables staticDaniel Stenberg
2016-08-16openssl: use regular malloc instead of OPENSSL_mallocDaniel Stenberg
This allows for better memmory debugging and torture tests.
2016-08-13openssl: accept subjectAltName iPAddress if no dNSName matchJay Satiro
Undo change introduced in d4643d6 which caused iPAddress match to be ignored if dNSName was present but did not match. Also, if iPAddress is present but does not match, and dNSName is not present, fail as no-match. Prior to this change in such a case the CN would be checked for a match. Bug: https://github.com/curl/curl/issues/959 Reported-by: wmsch@users.noreply.github.com
2016-08-05mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is definedThomas Glanzmann
In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal to 0. This patch also adds a comment how mbedtls must be compiled in order to make debugging work, and explains the possible debug levels.
2016-08-03TLS: only reuse connections with the same client certDaniel Stenberg
CVE-2016-5420 Bug: https://curl.haxx.se/docs/adv_20160803B.html
2016-08-03TLS: switch off SSL session id when client cert is usedDaniel Stenberg
CVE-2016-5419 Bug: https://curl.haxx.se/docs/adv_20160803A.html Reported-by: Bru Rom Contributions-by: Eric Rescorla and Ray Satiro
2016-08-01mbedtls: Fix debug function nameThomas Glanzmann
This patch is necessary so that curl compiles if MBEDTLS_DEBUG is defined. Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-06-22vtls: Only call add/getsession if session id is enabledJay Satiro
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled.
2016-06-19openssl: use more 'const' to fix build warnings with 1.1.0 branchDaniel Stenberg
2016-06-16openssl: fix cert check with non-DNS name fields presentDaniel Stenberg
Regression introduced in 5f5b62635 (released in 7.48.0) Reported-by: Fabian Ruff Fixes #875
2016-06-16axtls: Use Curl_wait_ms instead of the less-portable usleepDan Fandrich
2016-06-16axtls: Fixed compile after compile 31c521b0Dan Fandrich
2016-06-06schannel: Disable ALPN on Windows < 8.1Steve Holme
Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL fails on Windows < 8.1 so we need to disable ALPN on these OS versions. Inspiration provide by: Daniel Seither Closes #848 Fixes #840
2016-06-04win32: Used centralised verify windows version functionSteve Holme
Closes #845
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01schannel: add CURLOPT_CERTINFO supportAndrew Kurushin
Closes #822
2016-05-31openssl: rename the private SSL_strerrorDaniel Stenberg
... to make it not look like an OpenSSL function
2016-05-31openssl: Use correct buffer sizes for error messagesMichael Kaufmann
Closes #844
2016-05-30mbedtls: removed unused variablesRenaud Lehoux
Closes #838
2016-05-30openssl: fix build with OPENSSL_NO_COMPMarcel Raad
With OPENSSL_NO_COMP defined, there is no function SSL_COMP_free_compression_methods Closes #836
2016-05-24mbedtls: fix includes so snprintf() worksDaniel Stenberg
Regression from the previous *printf() rearrangements, this file missed to include the correct header to make sure snprintf() works universally. Reported-by: Moti Avrahami Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
2016-05-20openssl: cleanup must free compression methodsJay Satiro
- Free compression methods if OpenSSL 1.0.2 to avoid a memory leak. Bug: https://github.com/curl/curl/issues/817 Reported-by: jveazey@users.noreply.github.com
2016-05-19openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0Daniel Stenberg
See OpenSSL commit 21e001747d4a
2016-05-18schannel: fix compile break with MSVC XP toolsetMarcel Raad
For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK 7.1 is used. In this case, _USING_V110_SDK71_ is defined. Closes #812
2016-05-17mbedtls/polarssl: set "hostname" unconditionallyDaniel Stenberg
...as otherwise the TLS libs will skip the CN/SAN check and just allow connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to an IP address specified host. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
2016-05-17openssl: get_cert_chain: fix NULL dereferenceDaniel Stenberg
CID 1361815: Explicit null dereferenced (FORWARD_NULL)
2016-05-17openssl: get_cert_chain: avoid NULL dereferenceDaniel Stenberg
CID 1361811: Explicit null dereferenced (FORWARD_NULL)
2016-05-13darwinssl.c: fix OS X codename typo in commentViktor Szakats
2016-05-12darwinssl: fix certificate verification disable on OS X 10.8Per Malmberg
The new way of disabling certificate verification doesn't work on Mountain Lion (OS X 10.8) so we need to use the old way in that version too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2 and 10.11. Closes #802
2016-05-12openssl: fix compile-time warning in Curl_ossl_check_cxn()Kamil Dudka
... introduced in curl-7_48_0-293-g2968c83: Error: COMPILER_WARNING: lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’ may alter its value [-Wconversion]
2016-05-11openssl: stricter connection check functionJay Satiro
- In the case of recv error, limit returning 'connection still in place' to EINPROGRESS, EAGAIN and EWOULDBLOCK. This is an improvement on the parent commit which changed the openssl connection check to use recv MSG_PEEK instead of SSL_peek. Ref: https://github.com/curl/curl/commit/856baf5#comments
2016-05-11TLS: SSL_peek is not a const operationAnders Bakken
Calling SSL_peek can cause bytes to be read from the raw socket which in turn can upset the select machinery that determines whether there's data available on the socket. Since Curl_ossl_check_cxn only tries to determine whether the socket is alive and doesn't actually need to see the bytes SSL_peek seems like the wrong function to call. We're able to occasionally reproduce a connect timeout due to this bug. What happens is that Curl doesn't know to call SSL_connect again after the peek happens since data is buffered in the SSL buffer and thus select won't fire for this socket. Closes #795
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-05-01tls: make setting pinnedkey option fail if not supportedDaniel Stenberg
to make it obvious to users trying to use the feature with TLS backends not supporting it. Discussed in #781 Reported-by: Travis Burtrum
2016-04-28mbedtls: Fix session resumeJay Satiro
This also fixes PolarSSL session resume. Prior to this change the TLS session information wasn't properly saved and restored for PolarSSL and mbedTLS. Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html Reported-by: Thomas Glanzmann Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html Reported-by: Moti Avrahami
2016-04-26openssl: avoid BN_print a NULL bignumDaniel Stenberg
OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those numbers so make sure the function handles this. Reported-by: Linus Nordberg
2016-04-26mbedtls.c: silly spellfix of a commentDaniel Stenberg
2016-04-24PolarSSL: Implement public key pinningmoparisthebest