summaryrefslogtreecommitdiff
path: root/lib/x509asn1.c
Commit message (Collapse)AuthorAgeFilesLines
* curl.se: new homeDaniel Stenberg2020-11-041-1/+1
| | | | Closes #6172
* source cleanup: remove all custom typedef structsDaniel Stenberg2020-05-151-37/+36
| | | | | | | | | | | - Stick to a single unified way to use structs - Make checksrc complain on 'typedef struct {' - Allow them in tests, public headers and examples - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually typedef different types/structs depending on build conditions. Closes #5338
* checksrc: enhance the ASTERISKSPACE and update code accordinglyDaniel Stenberg2020-05-141-2/+2
| | | | | | | | Fine: "struct hello *world" Not fine: "struct hello* world" (and variations) Closes #5386
* wolfssl: refer to it as wolfSSL onlyDaniel Stenberg2019-06-101-2/+2
| | | | | | | | | | Remove support for, references to and use of "cyaSSL" from the source and docs. wolfSSL is the current name and there's no point in keeping references to ancient history. Assisted-by: Daniel Gustafsson Closes #3903
* lib: reduce variable scopesMarcel Raad2019-05-201-6/+9
| | | | | | Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
* cleanup: remove FIXME and TODO commentsDaniel Stenberg2019-05-161-2/+0
| | | | | | | | | They serve very little purpose and mostly just add noise. Most of them have been around for a very long time. I read them all before removing or rephrasing them. Ref: #3876 Closes #3883
* x509asn1: cleanup and unify code layoutDaniel Stenberg2019-02-191-117/+132
| | | | | | | | | | | | | - rename 'n' to buflen in functions, and use size_t for them. Don't pass in negative buffer lengths. - move most function comments to above the function starts like we use to - remove several unnecessary typecasts (especially of NULL) Reviewed-by: Patrick Monnerat Closes #3582
* x509asn1: replace single char with an arrayPatrick Monnerat2019-02-181-2/+2
| | | | | | | Although safe in this context, using a single char as an array may cause invalid accesses to adjacent memory locations. Detected by Coverity.
* x509asn1: "Dereference of null pointer"Patrick Monnerat2019-02-141-5/+6
| | | | Detected by scan-build (false positive).
* snprintf: renamed and we now only use msnprintf()Daniel Stenberg2018-11-231-1/+1
| | | | | | | | | | | The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
* x509asn1: always check return code from getASN1Element()Daniel Stenberg2018-10-271-32/+102
|
* x509asn1: suppress left shift on signed valuePatrick Monnerat2018-10-271-2/+2
| | | | | | | | Use an unsigned variable: as the signed operation behavior is undefined, this change silents clang-tidy about it. Ref: https://github.com/curl/curl/pull/3163 Reported-By: Daniel Stenberg
* x509asn1: Fix SAN IP address verificationMatthew Whitehead2018-10-161-2/+2
| | | | | | | | | | | | | | | For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. The issue only affects libcurl with GSKit SSL, not other SSL backends. The issue is not a security issue as IP verification would always fail. Fixes #3102 Closes #3141
* x509asn1: return CURLE_PEER_FAILED_VERIFICATION on failure to parse certHan Han2018-09-061-1/+1
| | | | | | | | CURLE_PEER_FAILED_VERIFICATION makes more sense because Curl_parseX509 does not allocate memory internally as its first argument is a pointer to the certificate structure. The same error code is also returned by Curl_verifyhost when its call to Curl_parseX509 fails so the change makes error handling more consistent.
* x509asn1: use FALLTHROUGHDaniel Stenberg2018-08-211-2/+2
| | | | ... as no other comments are accepted since 014ed7c22f51463
* x509asn1: make several functions staticDaniel Stenberg2018-08-211-63/+59
| | | | | | and remove the private SIZE_T_MAX define and use the generic one. Closes #2902
* checksrc: make sure sizeof() is used *with* parenthesesDaniel Stenberg2018-05-211-2/+2
| | | | | | ... and unify the source code to adhere. Closes #2563
* x509asn1: fix implicit-fallthrough warning with GCC 7Marcel Raad2017-06-031-0/+1
|
* checksrc: stricter no-space-before-paren enforcementDaniel Stenberg2016-12-131-7/+7
| | | | In order to make the code style more uniform everywhere
* x509asn1: Restore the parameter check in Curl_getASN1ElementJay Satiro2016-11-241-5/+5
| | | | | | - Restore the removed parts of the parameter check. Follow-up to 945f60e which altered the parameter check.
* checksrc: code style: use 'char *name' styleDaniel Stenberg2016-11-241-63/+63
|
* proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov2016-11-241-8/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
* Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.Patrick Monnerat2016-11-241-12/+21
| | | | See CRL-01-006.
* strcase: s/strequal/strcasecompareDaniel Stenberg2016-10-311-1/+1
| | | | some more follow-ups to 811a693b80
* strcasecompare: is the new name for strequal()Daniel Stenberg2016-10-311-5/+5
| | | | | | | ... to make it less likely that we forget that the function actually does case insentive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
* internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg2016-06-221-4/+4
|
* schannel: add CURLOPT_CERTINFO supportAndrew Kurushin2016-06-011-2/+2
| | | | Closes #822
* lib: include curl_printf.h as one of the last headersDaniel Stenberg2016-04-291-2/+3
| | | | | | | | | | | | | | | | | | | | curl_printf.h defines printf to curl_mprintf, etc. This can cause problems with external headers which may use __attribute__((format(printf, ...))) markers etc. To avoid that they cause problems with system includes, we include curl_printf.h after any system headers. That makes the three last headers to always be, and we keep them in this order: curl_printf.h curl_memory.h memdebug.h None of them include system headers, they all do funny #defines. Reported-by: David Benjamin Fixes #743
* URLs: change all http:// URLs to https://Daniel Stenberg2016-02-031-1/+1
|
* x509asn1: Fix host altname verificationJay Satiro2015-12-151-8/+4
| | | | | | | | | | - In Curl_verifyhost check all altnames in the certificate. Prior to this change only the first altname was checked. Only the GSKit SSL backend was affected by this bug. Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html Reported-by: John Kohl
* Revert "cleanup: general removal of TODO (and similar) comments"Daniel Stenberg2015-11-241-0/+5
| | | | | | | This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
* cleanup: general removal of TODO (and similar) commentsDaniel Stenberg2015-11-131-5/+0
| | | | | | They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
* cyassl: Implement public key pinningJay Satiro2015-04-221-2/+3
| | | | Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
* x509asn1: Silence x64 loss-of-data warning on RSA key length assignmentJay Satiro2015-04-061-1/+1
| | | | | | The key length in bits will always fit in an unsigned long so the loss-of-data warning assigning the result of x64 pointer arithmetic to an unsigned long is unnecessary.
* x509asn1: add /* fallthrough */ in switch() caseDaniel Stenberg2015-03-211-0/+2
|
* x509asn1: minor edit to unconfuse CoverityDaniel Stenberg2015-03-211-3/+1
| | | | | | CID 1202732 warns on the previous use, although I cannot fine any problems with it. I'm doing this change only to make the code use a more familiar approach to accomplish the same thing.
* gtls: implement CURLOPT_CERTINFOAlessandro Ghedini2015-03-201-3/+2
|
* Bug #149: Deletion of unnecessary checks before calls of the function "free"Markus Elfring2015-03-161-2/+1
| | | | | | | | | | | The function "free" is documented in the way that no action shall occur for a passed null pointer. It is therefore not needed that a function caller repeats a corresponding check. http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
* mprintf.h: remove #ifdef CURLDEBUGDaniel Stenberg2015-03-031-5/+2
| | | | | ... and as a consequence, introduce curl_printf.h with that re-define magic instead and make all libcurl code use that instead.
* code cleanup: we prefer 'CURLcode result'Daniel Stenberg2014-10-241-6/+6
| | | | | | | | | | | | | | ... for the local variable name in functions holding the return code. Using the same name universally makes code easier to read and follow. Also, unify code for checking for CURLcode errors with: if(result) or if(!result) instead of if(result == CURLE_OK), if(CURLE_OK == result) or if(result != CURLE_OK)
* Implement pinned public key in GSKit backendPatrick Monnerat2014-10-141-3/+12
|
* vtls: remove QsoSSLPatrick Monnerat2014-10-131-4/+4
|
* x509asn: moved out Curl_verifyhost from NSS buildsDaniel Stenberg2014-03-031-27/+29
| | | | ... as it isn't used then!
* vtls: Fixed up include of vtls.hSteve Holme2013-12-261-1/+1
|
* x509asn1.c: Fixed compilation warningsSteve Holme2013-11-031-6/+6
| | | | warning: declaration of 'chsize' shadows a global declaration
* NSS: support for CERTINFO featurePatrick Monnerat2013-10-301-35/+65
|
* OS400: new SSL backend GSKitPatrick Monnerat2013-07-151-2/+2
|
* x509asn1.c,x509asn1.h: new module to support ASN.1/X509 parsing & info extractPatrick Monnerat2013-07-151-0/+1151
Use from qssl backend