path: root/lib/vtls
Commit log (each entry: commit message, then author, date, files changed, lines removed/added)

* GnuTLS: Always send client cert (jethrogb, 2020-02-21, 1 file, -1/+1)
  TLS servers may request a certificate from the client. This request includes a list of 0 or more acceptable issuer DNs. The client may use this list to determine which certificate to send. GnuTLS's default behavior is to not send a client certificate if there is no match. However, OpenSSL's default behavior is to send the configured certificate. The `GNUTLS_FORCE_CLIENT_CERT` flag mimics OpenSSL behavior.
  Authored-by: jethrogb on github
  Fixes #1411
  Closes #4958

* openssl: remove redundant assignment (Marcel Raad, 2020-02-03, 1 file, -1/+0)
  Fixes a scan-build failure on Bionic.
  Closes https://github.com/curl/curl/pull/4872

* cleanup: fix typos and wording in docs and comments (Pedro Monreal, 2020-02-02, 2 files, -3/+3)
  Closes #4869
  Reviewed-by: Emil Engler and Daniel Gustafsson

* openssl: make CURLINFO_CERTINFO not truncate x509v3 fields (Daniel Stenberg, 2020-01-23, 1 file, -25/+6)
  Avoid "reparsing" the content and instead deliver more exactly what is provided in the certificate and avoid truncating the data after 512 bytes as done previously. This no longer removes embedded newlines.
  Fixes #4837
  Reported-by: bnfp on github
  Closes #4841

* wolfssl: use the wc-prefixed symbol alternatives (Daniel Stenberg, 2020-01-16, 1 file, -6/+6)
  The symbols without wc_ prefix are not always provided.
  Ref: https://github.com/wolfSSL/wolfssl/issues/2744
  Closes #4827

* polarssl: removed (Daniel Stenberg, 2020-01-16, 7 files, -1012/+43)
  As detailed in DEPRECATE.md, the polarssl support is now removed after having been disabled for 6 months and nobody has missed it. The threadlock files used by mbedtls are renamed to an 'mbedtls' prefix instead of the former 'polarssl' and the common functions that previously were shared between mbedtls and polarssl and contained the name 'polarssl' have now all been renamed to instead say 'mbedtls'.
  Closes #4825

* schannel_verify: Fix alt names manual verify for UNICODE builds (Jay Satiro, 2020-01-13, 1 file, -1/+1)
  Follow-up to 29e40a6 from two days ago, which added that feature for Windows 7 and earlier. The bug only occurred in same.
  Ref: https://github.com/curl/curl/pull/4761

* misc: Copyright year out of date, should be 2020 (Daniel Stenberg, 2020-01-12, 2 files, -2/+2)
  Follow-up to recent commits
  [skip ci]

* schannel: Make CURLOPT_CAINFO work better on Windows 7 (Faizur Rahman, 2020-01-11, 1 file, -20/+130)
  - Support hostname verification via alternative names (SAN) in the peer certificate when CURLOPT_CAINFO is used in Windows 7 and earlier.
  CERT_NAME_SEARCH_ALL_NAMES_FLAG doesn't exist before Windows 8. As a result CertGetNameString doesn't quite work on those versions of Windows. This change provides an alternative solution for CertGetNameString by iterating through CERT_ALT_NAME_INFO for earlier versions of Windows.
  Prior to this change many certificates failed the hostname validation when CURLOPT_CAINFO was used in Windows 7 and earlier. Most certificates now represent multiple hostnames and rely on the alternative names field exclusively to represent their hostnames.
  Reported-by: Jeroen Ooms
  Fixes https://github.com/curl/curl/issues/3711
  Closes https://github.com/curl/curl/pull/4761

* vtls: Refactor Curl_multissl_version to make the code clearer (Jay Satiro, 2020-01-11, 1 file, -16/+21)
  Reported-by: Johannes Schindelin
  Ref: https://github.com/curl/curl/pull/3863#pullrequestreview-241395121
  Closes https://github.com/curl/curl/pull/4803

* lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS` (Marcel Raad, 2020-01-03, 1 file, -1/+3)
  Closes https://github.com/curl/curl/pull/4775

* bearssl: Improve I/O handling (Michael Forney, 2019-12-31, 1 file, -85/+77)
  Factor out common I/O loop as bearssl_run_until, which reads/writes TLS records until the desired engine state is reached. This is now used for the handshake, read, write, and close.
  Match OpenSSL SSL_write behavior, and don't return the number of bytes written until the corresponding records have been completely flushed across the socket. This involves keeping track of the length of data buffered into the TLS engine, and assumes that when CURLE_AGAIN is returned, the write function will be called again with the same data and length arguments. This is the same requirement of SSL_write.
  Handle TLS close notify as EOF when reading by returning 0.
  Closes https://github.com/curl/curl/pull/4748

* vtls: make BearSSL possible to set with CURL_SSL_BACKEND (Gisle Vanem, 2019-12-10, 1 file, -0/+3)
  Ref: https://github.com/curl/curl/commit/9b879160df01e7ddbb4770904391d3b74114302b#commitcomment-36355622
  Closes #4698

* openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains (Daniel Stenberg, 2019-12-03, 1 file, -6/+8)
  Closes #4655

* openssl: set X509_V_FLAG_PARTIAL_CHAIN (Daniel Stenberg, 2019-12-03, 1 file, -9/+17)
  Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain.
  Other TLS backends already accept partial chains.
  Reported-by: Jeffrey Walton
  Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html

* build: Disable Visual Studio warning "conditional expression is constant" (Jay Satiro, 2019-12-01, 2 files, -3/+3)
  - Disable warning C4127 "conditional expression is constant" globally in curl_setup.h for when building with Microsoft's compiler.
  This mainly affects building with the Visual Studio project files found in the projects dir.
  Prior to this change the cmake and winbuild build systems already disabled 4127 globally for when building with Microsoft's compiler. Also, 4127 was already disabled for all build systems in the limited circumstance of the WHILE_FALSE macro which disabled the warning specifically for while(0). This commit removes the WHILE_FALSE macro and all other cruft in favor of disabling globally in curl_setup.
  Background:
  We have various macros that cause 0 or 1 to be evaluated, which would cause warning C4127 in Visual Studio. For example this causes it:
  #define Curl_resolver_asynch() 1
  Full behavior is not clearly defined and inconsistent across versions. However it is documented that since VS 2015 Update 3 Microsoft has addressed this somewhat but not entirely, not warning on while(true) for example.
  Prior to this change some C4127 warnings occurred when I built with Visual Studio using the generated projects in the projects dir.
  Closes https://github.com/curl/curl/pull/4658

* openssl: retrieve reported LibreSSL version at runtime (Jay Satiro, 2019-12-01, 1 file, -6/+24)
  - Retrieve LibreSSL runtime version when supported (>= 2.7.1).
  For earlier versions we continue to use the compile-time version.
  Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3
  Closes https://github.com/curl/curl/pull/2425

* strerror: Add Curl_winapi_strerror for Win API specific errors (Jay Satiro, 2019-12-01, 1 file, -9/+14)
  - In all code call Curl_winapi_strerror instead of Curl_strerror when the error code is known to be from Windows GetLastError.
  Curl_strerror prefers CRT error codes (errno) over Windows API error codes (GetLastError) when the two overlap. When we know the error code is from GetLastError it is more accurate to prefer the Windows API error messages.
  Reported-by: Richard Alcock
  Fixes https://github.com/curl/curl/issues/4550
  Closes https://github.com/curl/curl/pull/4581

* TLS: add BearSSL vtls implementation (Michael Forney, 2019-11-26, 4 files, -1/+910)
  Closes #4597

* schannel: fix --tls-max for when min is --tlsv1 or default (Xiaoyin Liu, 2019-11-24, 1 file, -4/+0)
  Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_ macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS (CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.
  Closes https://github.com/curl/curl/pull/4633

* openssl: Revert to less sensitivity for SYSCALL errors (Jay Satiro, 2019-11-22, 1 file, -13/+59)
  - Disable the extra sensitivity except in debug builds (--enable-debug).
  - Improve SYSCALL error message logic in ossl_send and ossl_recv so that "No error" / "Success" socket error text isn't shown on SYSCALL error.
  Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were also considered errors. For example, a server that does not send a known protocol termination point (eg HTTP content length or chunked encoding) _and_ does not send a TLS termination point (close_notify alert) would cause an error if it closed the connection.
  To be clear that behavior made it into release build 7.67.0 unintentionally. Several users have reported it as an issue.
  Ultimately the idea is a good one, since it can help prevent against a truncation attack. Other SSL backends may already behave similarly (such as Windows native OS SSL Schannel). However much more of our user base is using OpenSSL and there is a mass of legacy users in that space, so I think that behavior should be partially reverted and then rolled out slowly.
  This commit changes the behavior so that the increased sensitivity is disabled in all curl builds except curl debug builds (DEBUGBUILD). If after a period of time there are no major issues then it can be enabled in dev and release builds with the newest OpenSSL (1.1.1+), since users using the newest OpenSSL are the least likely to have legacy problems.
  Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
  Reported-by: Bjoern Franke
  Fixes https://github.com/curl/curl/issues/4624
  Closes https://github.com/curl/curl/pull/4623

* openssl: improve error message for SYSCALL during connect (Daniel Stenberg, 2019-11-22, 1 file, -1/+6)
  Reported-by: Paulo Roberto Tomasi
  Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html
  Closes https://github.com/curl/curl/pull/4593

* openssl: prevent recursive function calls from ctx callbacks (Daniel Stenberg, 2019-11-12, 1 file, -0/+2)
  Follow the pattern of many other callbacks.
  Ref: #4546
  Closes #4585

* copyrights: fix copyright year range (Daniel Stenberg, 2019-11-08, 5 files, -5/+5)
  .. because checksrc's copyright year check stopped working.
  Ref: https://github.com/curl/curl/pull/4547
  Closes https://github.com/curl/curl/pull/4549

* mbedtls: add error message for cert validity starting in the future (Bastien Bouclet, 2019-11-02, 1 file, -0/+3)
  Closes #4552

* schannel_verify: Fix concurrent openings of CA file (Jay Satiro, 2019-11-01, 1 file, -1/+1)
  - Open the CA file using FILE_SHARE_READ mode so that others can read from it as well.
  Prior to this change our schannel code opened the CA file without sharing which meant concurrent openings (eg an attempt from another thread or process) would fail during the time it was open without sharing, which in curl's case would cause error: "schannel: failed to open CA file".
  Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html
  Reported-by: Richard Alcock

* gtls: make gnutls_bye() not wait for response on shutdown (Daniel Stenberg, 2019-10-31, 1 file, -1/+1)
  ... as it can make it wait there for a long time for no good purpose.
  Patched-by: Jay Satiro
  Reported-by: Bylon2 on github
  Adviced-by: Nikos Mavrogiannopoulos
  Fixes #4487
  Closes #4541

* schannel: reverse the order of certinfo insertions (Francois Rivard, 2019-10-24, 1 file, -1/+5)
  Fixes #4518
  Closes #4519

* gskit: use the generic Curl_socketpair (Daniel Stenberg, 2019-10-10, 1 file, -95/+3)

* vtls: Fix comment typo about macosx-version-min compiler flag (julian, 2019-09-27, 1 file, -1/+1)
  Closes https://github.com/curl/curl/pull/4425

* openssl: use strerror on SSL_ERROR_SYSCALL (Daniel Stenberg, 2019-09-26, 1 file, -2/+8)
  Instead of showing the somewhat nonsensical errno number, use strerror() to provide a more relatable error message.
  Closes #4411

* vtls: fix narrowing conversion warnings (Marcel Raad, 2019-09-23, 9 files, -19/+20)
  Curl_timeleft returns `timediff_t`, which is 64 bits wide also on 32-bit systems since commit b1616dad8f0.
  Closes https://github.com/curl/curl/pull/4398

* openssl: fix compiler warning with LibreSSL (Marcel Raad, 2019-09-22, 1 file, -1/+1)
  It was already fixed for BoringSSL in commit a0f8fccb1e0. LibreSSL has had the second argument to SSL_CTX_set_min_proto_version as uint16_t ever since the function was added in [0].
  [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda
  Closes https://github.com/curl/curl/pull/4397

* url: only reuse TLS connections with matching pinning (Daniel Stenberg, 2019-09-19, 1 file, -1/+4)
  If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the connection should not be reused.
  Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
  Reported-by: Sebastian Haglund
  Closes #4347

* openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version (Daniel Stenberg, 2019-09-16, 1 file, -4/+9)
  Follow-up to ffe34b7b59
  Closes #4359

* openssl: close_notify on the FTP data connection doesn't mean closure (Daniel Stenberg, 2019-09-13, 1 file, -1/+4)
  For FTPS transfers, curl gets close_notify on the data connection without that being a signal to close the control connection!
  Regression since 3f5da4e59a556fc (7.65.0)
  Reported-by: Zenju on github
  Reviewed-by: Jay Satiro
  Fixes #4329
  Closes #4340

* openssl: use SSL_CTX_set_<min|max>_proto_version() when available (Clément Notin, 2019-09-10, 1 file, -11/+105)
  OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use when available. Existing code is preserved for older versions of OpenSSL.
  Closes #4304

* openssl: indent, re-organize and add comments (Clément Notin, 2019-09-10, 1 file, -32/+38)

* openssl: build warning free with boringssl (Daniel Stenberg, 2019-08-20, 1 file, -5/+27)
  Closes #4244

* nss: use TLSv1.3 as default if supported (Peter Wu, 2019-08-13, 1 file, -10/+6)
  SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported range in NSS 3.45. It looks like the intention is to raise the minimum version rather than lowering the maximum, so adjust accordingly.
  Note that the caller (nss_setup_connect) initializes the version range to (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again.
  Closes #4187
  Reviewed-by: Daniel Stenberg
  Reviewed-by: Kamil Dudka

* mesalink: implement client authentication (Yiming Jing, 2019-08-06, 1 file, -13/+49)
  Closes #4184

* cleanup: remove the 'numsocks' argument used in many places (Daniel Stenberg, 2019-07-30, 2 files, -10/+3)
  It was used (intended) to pass in the size of the 'socks' array that is also passed to these functions, but was rarely actually checked/used and the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries that should be used instead.
  Closes #4169
* source: remove names from source comments (Daniel Stenberg, 2019-07-19, 1 file, -16/+9)
  Several reasons:
  - we can't add everyone who's helping out so it's unfair to just a few selected ones.
  - we already list all helpers in THANKS and in RELEASE-NOTES for each release
  - we don't want to give the impression that some parts of the code are "owned" or "controlled" by specific persons
  Assisted-by: Daniel Gustafsson
  Closes #4129
* nss: inspect return value of token check (Daniel Gustafsson, 2019-07-17, 1 file, -1/+4)
  PK11_IsPresent() checks whether the token for the given slot is available, and sets needlogin flags for the PK11_Authenticate() call. Should it return false, we should however treat it as an error and bail out.
  Closes https://github.com/curl/curl/pull/4110
* openssl: define HAVE_SSL_GET_SHUTDOWN based on version number (Zenju, 2019-07-14, 1 file, -0/+4)
  Closes #4100
* nss: support using libnss on macOS (Daniel Gustafsson, 2019-07-06, 1 file, -1/+4)
  The file suffix for dynamically loadable objects on macOS is .dylib, which needs to be added for the module definitions in order to get the NSS TLS backend to work properly on macOS.
  Closes https://github.com/curl/curl/pull/4046

* nss: don't set unused parameter (Daniel Gustafsson, 2019-07-06, 1 file, -1/+1)
  The value of the maxPTDs parameter to PR_Init() has since at least NSPR 2.1, which was released sometime in 1998, been marked ignored and is accordingly not used in the initialization code. Setting it to a value when calling PR_Init() is thus benign, but indicates an intent which may be misleading. Reset the value to zero to improve clarity.
  Closes https://github.com/curl/curl/pull/4054
* nss: only cache valid CRL entries (Daniel Gustafsson, 2019-07-06, 1 file, -6/+8)
  Change the logic around such that we only keep CRLs that NSS actually ended up caching around for later deletion. If CERT_CacheCRL() fails then there is little point in delaying the freeing of the CRL as it is not used.
  Closes https://github.com/curl/curl/pull/4053

* docs: Fix links to OpenSSL docs (Jay Satiro, 2019-06-30, 1 file, -2/+0)
  OpenSSL changed their manual locations and does not redirect to the new locations.
  Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html
  Reported-by: Daniel Stenberg

* openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined (Daniel Stenberg, 2019-06-26, 1 file, -1/+1)
  ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for UWP (with "VC-WIN32-UWP").
  Reported-by: Vasily Lobaskin
  Fixes #4073
  Closes #4077