aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2016-08-13openssl: accept subjectAltName iPAddress if no dNSName matchJay Satiro
Undo change introduced in d4643d6 which caused iPAddress match to be ignored if dNSName was present but did not match. Also, if iPAddress is present but does not match, and dNSName is not present, fail as no-match. Prior to this change in such a case the CN would be checked for a match. Bug: https://github.com/curl/curl/issues/959 Reported-by: wmsch@users.noreply.github.com
2016-08-05mbedtls: set debug threshold to 4 (verbose) when MBEDTLS_DEBUG is definedThomas Glanzmann
In order to make MBEDTLS_DEBUG work, the debug threshold must be unequal to 0. This patch also adds a comment how mbedtls must be compiled in order to make debugging work, and explains the possible debug levels.
2016-08-03TLS: only reuse connections with the same client certDaniel Stenberg
CVE-2016-5420 Bug: https://curl.haxx.se/docs/adv_20160803B.html
2016-08-03TLS: switch off SSL session id when client cert is usedDaniel Stenberg
CVE-2016-5419 Bug: https://curl.haxx.se/docs/adv_20160803A.html Reported-by: Bru Rom Contributions-by: Eric Rescorla and Ray Satiro
2016-08-01mbedtls: Fix debug function nameThomas Glanzmann
This patch is necessary so that curl compiles if MBEDTLS_DEBUG is defined. Bug: https://curl.haxx.se/mail/lib-2016-08/0001.html
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-06-22vtls: Only call add/getsession if session id is enabledJay Satiro
Prior to this change we called Curl_ssl_getsessionid and Curl_ssl_addsessionid regardless of whether session ID reusing was enabled. According to comments that is in case session ID reuse was disabled but then later enabled. The old way was not intuitive and probably not something users expected. When a user disables session ID caching I'd guess they don't expect the session ID to be cached anyway in case the caching is later enabled.
2016-06-19openssl: use more 'const' to fix build warnings with 1.1.0 branchDaniel Stenberg
2016-06-16openssl: fix cert check with non-DNS name fields presentDaniel Stenberg
Regression introduced in 5f5b62635 (released in 7.48.0) Reported-by: Fabian Ruff Fixes #875
2016-06-16axtls: Use Curl_wait_ms instead of the less-portable usleepDan Fandrich
2016-06-16axtls: Fixed compile after compile 31c521b0Dan Fandrich
2016-06-06schannel: Disable ALPN on Windows < 8.1Steve Holme
Calling QueryContextAttributes with SECPKG_ATTR_APPLICATION_PROTOCOL fails on Windows < 8.1 so we need to disable ALPN on these OS versions. Inspiration provide by: Daniel Seither Closes #848 Fixes #840
2016-06-04win32: Used centralised verify windows version functionSteve Holme
Closes #845
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-06-01schannel: add CURLOPT_CERTINFO supportAndrew Kurushin
Closes #822
2016-05-31openssl: rename the private SSL_strerrorDaniel Stenberg
... to make it not look like an OpenSSL function
2016-05-31openssl: Use correct buffer sizes for error messagesMichael Kaufmann
Closes #844
2016-05-30mbedtls: removed unused variablesRenaud Lehoux
Closes #838
2016-05-30openssl: fix build with OPENSSL_NO_COMPMarcel Raad
With OPENSSL_NO_COMP defined, there is no function SSL_COMP_free_compression_methods Closes #836
2016-05-24mbedtls: fix includes so snprintf() worksDaniel Stenberg
Regression from the previous *printf() rearrangements, this file missed to include the correct header to make sure snprintf() works universally. Reported-by: Moti Avrahami Bug: https://curl.haxx.se/mail/lib-2016-05/0196.html
2016-05-20openssl: cleanup must free compression methodsJay Satiro
- Free compression methods if OpenSSL 1.0.2 to avoid a memory leak. Bug: https://github.com/curl/curl/issues/817 Reported-by: jveazey@users.noreply.github.com
2016-05-19openssl: ERR_remove_thread_state() is deprecated in latest 1.1.0Daniel Stenberg
See OpenSSL commit 21e001747d4a
2016-05-18schannel: fix compile break with MSVC XP toolsetMarcel Raad
For the Windows XP toolset of Visual C++ 2013/2015, the old Windows SDK 7.1 is used. In this case, _USING_V110_SDK71_ is defined. Closes #812
2016-05-17mbedtls/polarssl: set "hostname" unconditionallyDaniel Stenberg
...as otherwise the TLS libs will skip the CN/SAN check and just allow connection to any server. curl previously skipped this function when SNI wasn't used or when connecting to an IP address specified host. CVE-2016-3739 Bug: https://curl.haxx.se/docs/adv_20160518A.html Reported-by: Moti Avrahami
2016-05-17openssl: get_cert_chain: fix NULL dereferenceDaniel Stenberg
CID 1361815: Explicit null dereferenced (FORWARD_NULL)
2016-05-17openssl: get_cert_chain: avoid NULL dereferenceDaniel Stenberg
CID 1361811: Explicit null dereferenced (FORWARD_NULL)
2016-05-13darwinssl.c: fix OS X codename typo in commentViktor Szakats
2016-05-12darwinssl: fix certificate verification disable on OS X 10.8Per Malmberg
The new way of disabling certificate verification doesn't work on Mountain Lion (OS X 10.8) so we need to use the old way in that version too. I've tested this solution on versions 10.7.5, 10.8, 10.9, 10.10.2 and 10.11. Closes #802
2016-05-12openssl: fix compile-time warning in Curl_ossl_check_cxn()Kamil Dudka
... introduced in curl-7_48_0-293-g2968c83: Error: COMPILER_WARNING: lib/vtls/openssl.c: scope_hint: In function ‘Curl_ossl_check_cxn’ lib/vtls/openssl.c:767:15: warning: conversion to ‘int’ from ‘ssize_t’ may alter its value [-Wconversion]
2016-05-11openssl: stricter connection check functionJay Satiro
- In the case of recv error, limit returning 'connection still in place' to EINPROGRESS, EAGAIN and EWOULDBLOCK. This is an improvement on the parent commit which changed the openssl connection check to use recv MSG_PEEK instead of SSL_peek. Ref: https://github.com/curl/curl/commit/856baf5#comments
2016-05-11TLS: SSL_peek is not a const operationAnders Bakken
Calling SSL_peek can cause bytes to be read from the raw socket which in turn can upset the select machinery that determines whether there's data available on the socket. Since Curl_ossl_check_cxn only tries to determine whether the socket is alive and doesn't actually need to see the bytes SSL_peek seems like the wrong function to call. We're able to occasionally reproduce a connect timeout due to this bug. What happens is that Curl doesn't know to call SSL_connect again after the peek happens since data is buffered in the SSL buffer and thus select won't fire for this socket. Closes #795
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-05-01tls: make setting pinnedkey option fail if not supportedDaniel Stenberg
to make it obvious to users trying to use the feature with TLS backends not supporting it. Discussed in #781 Reported-by: Travis Burtrum
2016-04-28mbedtls: Fix session resumeJay Satiro
This also fixes PolarSSL session resume. Prior to this change the TLS session information wasn't properly saved and restored for PolarSSL and mbedTLS. Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html Reported-by: Thomas Glanzmann Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html Reported-by: Moti Avrahami
2016-04-26openssl: avoid BN_print a NULL bignumDaniel Stenberg
OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those numbers so make sure the function handles this. Reported-by: Linus Nordberg
2016-04-26mbedtls.c: silly spellfix of a commentDaniel Stenberg
2016-04-24PolarSSL: Implement public key pinningmoparisthebest
2016-04-21openssl: builds with OpenSSL 1.1.0-pre5Daniel Stenberg
The RSA, DSA and DH structs are now opaque and require use of new APIs Fixes #763
2016-04-19vtls.h: remove a space before semicolonDaniel Stenberg
... that the new checksrc detected
2016-04-19darwinssl: removed commented out codeDaniel Stenberg
2016-04-17news: CURLOPT_CONNECT_TO and --connect-toMichael Kaufmann
Makes curl connect to the given host+port instead of the host+port found in the URL.
2016-04-07mbedtls: fix MBEDTLS_DEBUG buildsDamien Vielpeau
2016-04-07mbedtls: implement and provide *_data_pending()Daniel Stenberg
... as otherwise we might get stuck thinking there's no more data to handle. Reported-by: Damien Vielpeau Fixes #737
2016-04-07mbedtls: follow-up for the previous commitDaniel Stenberg
2016-04-07mbedtls.c: name space pollution fix, Use 'Curl_'Daniel Stenberg
2016-04-07mbedtls.c: changed private prefix to mbed_Daniel Stenberg
mbedtls_ is the prefix used by the mbedTLS library itself so we should avoid using that for our private functions.
2016-04-07mbedtls.h: fix compiler warningsDaniel Stenberg
2016-04-03code: style updatesDaniel Stenberg
2016-03-30openssl: Fix compilation warningsMarcel Raad
When compiling with OpenSSL 1.1.0 (so that the HAVE_X509_GET0_SIGNATURE && HAVE_X509_GET0_EXTENSIONS pre-processor block is active), Visual C++ 14 complains: warning C4701: potentially uninitialized local variable 'palg' used warning C4701: potentially uninitialized local variable 'psig' used
2016-03-29wolfssl: Use ECC supported curves extensionJay Satiro
https://github.com/wolfSSL/wolfssl/issues/366