Age | Commit message (Collapse) | Author |
|
... by defining Curl_ssl_random() properly
|
|
This now provides a weak random function since PolarSSL doesn't have a
quick and easy way to provide a good one. It does however provide the
framework to make one so it _can_ and _should_ be done...
|
|
I couldn't find any dedicated function in its API to get a "good" random
with.
|
|
ASN_NO_SIGNER_E didn't exist back then!
|
|
To force each backend implementation to really attempt to provide proper
random. If a proper random function is missing, then we can explicitly
make use of the default one we use when TLS support is missing.
This commit makes sure it works for darwinssl, gnutls, nss and openssl.
|
|
The minimal required version of NSS is 3.14.x so it does not make sense
to check for NSS 3.12.0+ at run time.
|
|
CyaSSL 3.0.0 returns a unique error code if no CA cert is available,
so translate that into CURLE_SSL_CACERT_BADFILE when peer verification
is requested.
|
|
conversion to 'int' from 'long int' may alter its value
|
|
Reported-by: David Woodhouse
|
|
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
|
|
Reported-by: David Woodhouse
|
|
|
|
The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
the code path in which they're referenced here is only ever used for
somewhat older GnuTLS versions. This caused undeclared identifier errors
when compiling against those.
|
|
This seems to have become necessary for SRP support to work starting
with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
before the function that takes this priority string, there should be no
issue with backward compatibility.
|
|
This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.
|
|
Otherwise NSS could use an already freed item for another connection.
|
|
|
|
... and spell it as crl_der instead of crlDER
|
|
|
|
This feature was unintentionally disabled by commit ff92fcfb.
|
|
... due to calling SSL_VersionRangeGet() with NULL file descriptor
reported-by: upstream tests 305 and 404
|
|
Curl_rand() will return a dummy and repatable random value for this
case. Makes it possible to write test cases that verify output.
Also, fake timestamp with CURL_FORCETIME set.
Only when built debug enabled of course.
Curl_ssl_random() was not used anymore so it has been
removed. Curl_rand() is enough.
create_digest_md5_message: generate base64 instead of hex string
curl_sasl: also fix memory leaks in some OOM situations
|
|
|
|
Bug: http://curl.haxx.se/mail/lib-2014-06/0003.html
Reported-by: Дмитрий Фалько
|
|
It might not be the most useful combo, but...
|
|
|
|
PolarSSL added ALPN support in their 1.3.6 release.
See:
https://polarssl.org/tech-updates/releases/polarssl-1.3.6-released
|
|
OpenSSL passes out and outlen variable uninitialized to
select_next_proto_cb callback function. If the callback function
returns SSL_TLSEXT_ERR_OK, the caller assumes the callback filled
values in out and outlen and processes as such. Previously, if there
is no overlap in protocol lists, curl code does not fill any values in
these variables and returns SSL_TLSEXT_ERR_OK, which means we are
triggering undefined behavior. valgrind warns this.
This patch fixes this issue by fallback to HTTP/1.1 if there is no
overlap.
|
|
|
|
Security Framework on OS X makes it possible to supply extra anchor (CA)
certificates via the Certificate, Key, and Trust Services API. This
commit makes the '--cacert' option work using this API.
More information:
https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html
The HTTPS tests now pass on OS X except 314, which requires the '--crl'
option to work.
|
|
According to https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-05
it is "http/1.1" and not "http/1.0".
|
|
|
|
|
|
The variable wasn't assigned at all until step3 which would lead to a
failed connect never assigning the variable and thus returning a bad
value.
Reported-by: Larry Lin
Bug: http://curl.haxx.se/mail/lib-2014-04/0203.html
|
|
|
|
from a P12 file
This could've happened if SecPKCS12Import() returned noErr _and_ no
identity.
|
|
Regression introduced in ce362e8eb9c (7.31.0)
Bug: http://curl.haxx.se/bug/view.cgi?id=1371
Reported-by: Dmitry
|
|
As there's a default connection timeout and this wrongly used the
connection timeout during a transfer after the connection is completed,
this function would trigger timeouts during transfers erroneously.
Bug: http://curl.haxx.se/bug/view.cgi?id=1352
Figured-out-by: Radu Simionescu
|
|
So printf(%s) on it or reading before bounds checking is wrong, fixing
it. Could previously lead to reading out of boundary.
Reported-by: Török Edwin
|
|
... during the non-blocking SSL handshake
|
|
Versions since at least 2.9.4 renamed error.h to error-ssl.h, so use
whichever one is available.
|
|
gnutls_x509_crt_import() must not be called with a NULL certificate
Bug: http://curl.haxx.se/mail/lib-2014-04/0145.html
Reported-by: Damian Dixon
|
|
|
|
|
|
|
|
|
|
|
|
Remove a superfluous "negotiated http2" info line
|
|
We're progressing throught drafts so there's no point in having a fixed
one in a symbol that'll survive.
|
|
The debug messages printed inside PolarSSL always seems to end with a
newline. So 'infof()' should not add one. Besides the trace 'line'
should be 'const'.
|