Commit Graph

124 Commits

Author SHA1 Message Date
Daniel Stenberg
d57d041d67 curlssl: make tls backend symbols use curlssl in the name 2014-09-13 15:31:12 +02:00
Daniel Stenberg
4c2e40a488 url: let the backend decide CURLOPT_SSL_CTX_ support
... to further remove specific TLS backend knowledge from url.c
2014-09-13 15:28:08 +02:00
Daniel Stenberg
7494f0f498 vtls: have the backend tell if it supports CERTINFO 2014-09-13 15:11:26 +02:00
Daniel Stenberg
8250f93d41 CURLOPT_CAPATH: return failure if set without backend support 2014-09-13 14:56:27 +02:00
Paul Howarth
785395b07e openssl: build fix for versions < 0.9.8e
Bug: http://curl.haxx.se/mail/lib-2014-09/0064.html
2014-09-10 13:09:42 +02:00
Daniel Stenberg
921a0c22a6 polarassl: avoid memset() when clearing the first byte is enough 2014-09-08 10:11:34 +02:00
Catalin Patulea
af45542cfe polarssl: support CURLOPT_CAPATH / --capath
Signed-off-by: Catalin Patulea <cat@vv.carleton.ca>
2014-09-08 10:09:54 +02:00
Vilmos Nebehaj
fd1ce3856a darwinssl: Use CopyCertSubject() to check CA cert.
SecCertificateCopyPublicKey() is not available on iPhone. Use
CopyCertSubject() instead to see if the certificate returned by
SecCertificateCreateWithData() is valid.

Reported-by: Toby Peterson
2014-09-04 19:00:02 -05:00
Andre Heinecke
e608324f9f polarssl: implement CURLOPT_SSLVERSION
Forwards the setting as minimum ssl version (if set) to polarssl.  If
the server does not support the requested version the SSL Handshake will
fail.

Bug: http://curl.haxx.se/bug/view.cgi?id=1419
2014-09-01 22:42:58 +02:00
Vilmos Nebehaj
0426670f0a Check CA certificate in curl_darwinssl.c.
SecCertificateCreateWithData() returns a non-NULL SecCertificateRef even
if the buffer holds an invalid or corrupt certificate. Call
SecCertificateCopyPublicKey() to make sure cacert is a valid
certificate.
2014-09-01 00:34:37 +02:00
Vilmos Nebehaj
4c134bcfce Fix CA certificate bundle handling in darwinssl.
If the --cacert option is used with a CA certificate bundle that
contains multiple CA certificates, iterate through it, adding each
certificate as a trusted root CA.
2014-08-30 20:10:07 +02:00
Steve Holme
98633c2a19 openssl.c: Fixed longer than 79 columns 2014-08-22 07:44:03 +01:00
Steve Holme
bdfc75e751 openssl.c: Fixed compilation warning
warning: declaration of 'minor' shadows a global declaration
2014-08-21 20:37:29 +01:00
Jose Alf
fc5a5a4f07 openssl: fix version report for the 0.9.8 branch
Fixed libcurl to correctly output the newer versions of OpenSSL 0.9.8,
starting from openssl-0.9.8za.
2014-08-13 08:49:19 +02:00
Steve Holme
cda4aaba4d schannel: Fixed compilation warning in vtls.c
vtls.c:688:43: warning: unused parameter 'data'
2014-08-08 21:34:05 +01:00
Daniel Stenberg
7d2f61f66a openssl: replace call to OPENSSL_config
OPENSSL_config() is "strongly recommended" to use but unfortunately that
function makes an exit() call on wrongly formatted config files which
makes it hard to use in some situations. OPENSSL_config() itself calls
CONF_modules_load_file() and we use that instead and we ignore its
return code!

Reported-by: Jan Ehrhardt
Bug: http://curl.haxx.se/bug/view.cgi?id=1401
2014-08-07 12:40:31 +02:00
Toby Peterson
0e452a02f1 darwinssl: don't use strtok()
The GetDarwinVersionNumber() function uses strtok, which is not
thread-safe.
2014-08-05 08:58:49 +02:00
Daniel Stenberg
ea6d371e7c Curl_ossl_version: adapted to detect BoringSSL
This seems to be the way it should work. Right now we can't build with
BoringSSL and try this out properly due to a minor API breakage.
2014-08-05 00:29:37 +02:00
Daniel Stenberg
7efff86639 Curl_ossl_version: detect and show libressl
LibreSSL is otherwise OpenSSL API compliant (so far)
2014-08-04 23:54:44 +02:00
Dan Fandrich
4d4dd7aea0 gtls: only define Curl_gtls_seed if Nettle is not being used 2014-08-03 11:18:08 +02:00
Dan Fandrich
cac1dd58a8 ssl: provide Curl_ssl_backend even if no SSL library is available 2014-08-03 10:43:31 +02:00
Daniel Stenberg
b9f6ca1d32 openssl: make ossl_send return CURLE_OK better
Previously it only returned a CURLcode for errors, which is when it
returns a different size than what was passed in to it.

The http2 code only checked the curlcode and thus failed.
2014-08-01 00:01:02 +02:00
Marcel Raad
f8f2188888 schannel: use CryptGenRandom for random numbers
This function is available for every Windows version since Windows 95/NT.

reference:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa379942.aspx
2014-07-31 13:10:54 +02:00
Daniel Stenberg
a439e438f3 ssl: generalize how the ssl backend identifier is set
Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS
one which was missing previously.
2014-07-31 12:19:51 +02:00
Dan Fandrich
028a408d57 axtls: define curlssl_random using axTLS's PRNG 2014-07-31 01:12:38 +02:00
Dan Fandrich
3d5be801b9 cyassl: fix the test for ASN_NO_SIGNER_E
It's an enum so a macro test won't work. The CyaSSL changelog doesn't
say exactly when this error code was introduced, but it's likely
to be 2.7.0.
2014-07-31 00:31:36 +02:00
Dan Fandrich
1aa6418af9 cyassl: use RNG_GenerateBlock to generate a good random number 2014-07-31 00:09:13 +02:00
Daniel Stenberg
01a0168806 vtls: repair build without TLS support
... by defining Curl_ssl_random() properly
2014-07-30 23:17:41 +02:00
Daniel Stenberg
0e811d8c59 polarssl: provide a (weak) random function
This now provides a weak random function since PolarSSL doesn't have a
quick and easy way to provide a good one. It does however provide the
framework to make one so it _can_ and _should_ be done...
2014-07-30 20:59:16 +02:00
Daniel Stenberg
f0369223cd cyassl: use the default (weeker) random
I couldn't find any dedicated function in its API to get a "good" random
with.
2014-07-30 10:08:27 +02:00
Daniel Stenberg
16cb818a74 cyassl: made it compile with version 2.0.6 again
ASN_NO_SIGNER_E didn't exist back then!
2014-07-30 10:07:42 +02:00
Daniel Stenberg
8dfd22089c vtls: make the random function mandatory in the TLS backend
To force each backend implementation to really attempt to provide proper
random. If a proper random function is missing, then we can explicitly
make use of the default one we use when TLS support is missing.

This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-07-30 00:05:47 +02:00
Kamil Dudka
30b093f6fc nss: do not check the version of NSS at run time
The minimal required version of NSS is 3.14.x so it does not make sense
to check for NSS 3.12.0+ at run time.
2014-07-28 16:27:04 +02:00
Dan Fandrich
713f96ee0c cyassl.c: return the correct error code on no CA cert
CyaSSL 3.0.0 returns a unique error code if no CA cert is available,
so translate that into CURLE_SSL_CACERT_BADFILE when peer verification
is requested.
2014-07-23 00:52:56 +02:00
Daniel Stenberg
f069b40f9d gnutls: fix compiler warning
conversion to 'int' from 'long int' may alter its value
2014-07-15 21:28:10 +02:00
Dan Fandrich
9087b7e8f5 gnutls: detect lack of SRP support in GnuTLS at run-time and try without
Reported-by: David Woodhouse
2014-07-14 22:31:11 +02:00
David Woodhouse
98866008a9 gnutls: handle IP address in cert name check
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
2014-07-14 20:14:15 +02:00
Dan Fandrich
425459b8ae gnutls: improved error message if setting cipher list fails
Reported-by: David Woodhouse
2014-07-13 01:32:11 +02:00
Dan Fandrich
efc71583e7 gnutls: fixed a couple of uninitialized variable references 2014-07-12 01:31:12 +02:00
Dan Fandrich
3d2e1724cb gnutls: fixed compilation against versions < 2.12.0
The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
the code path in which they're referenced here is only ever used for
somewhat older GnuTLS versions. This caused undeclared identifier errors
when compiling against those.
2014-07-12 00:33:16 +02:00
Dan Fandrich
447c31ce9d gnutls: explicitly added SRP to the priority string
This seems to have become necessary for SRP support to work starting
with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
before the function that takes this priority string, there should be no
issue with backward compatibility.
2014-07-12 00:11:44 +02:00
Dan Fandrich
baf8b57b1d gnutls: ignore invalid certificate dates with VERIFYPEER disabled
This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.
2014-07-11 23:21:31 +02:00
Kamil Dudka
ca2aa61b66 nss: make the list of CRL items global
Otherwise NSS could use an already freed item for another connection.
2014-07-04 13:15:03 +02:00
Kamil Dudka
52cd5ac21c nss: fix a memory leak when CURLOPT_CRLFILE is used 2014-07-04 08:25:05 +02:00
Kamil Dudka
caa4db8a51 nss: make crl_der allocated on heap
... and spell it as crl_der instead of crlDER
2014-07-04 00:37:40 +02:00
Kamil Dudka
2968f957aa nss: let nss_{cache,load}_crl return CURLcode 2014-07-04 00:20:59 +02:00
Kamil Dudka
7581dee10a nss: make the fallback to SSLv3 work again
This feature was unintentionally disabled by commit ff92fcfb.
2014-07-02 18:11:05 +02:00
Kamil Dudka
7c21558503 nss: do not abort on connection failure
... due to calling SSL_VersionRangeGet() with NULL file descriptor

reported-by: upstream tests 305 and 404
2014-07-02 17:59:03 +02:00
Daniel Stenberg
e95ca7cec9 NTLM: set a fake entropy for debug builds with CURL_ENTROPY set
Curl_rand() will return a dummy and repatable random value for this
case. Makes it possible to write test cases that verify output.

Also, fake timestamp with CURL_FORCETIME set.

Only when built debug enabled of course.

Curl_ssl_random() was not used anymore so it has been
removed. Curl_rand() is enough.

create_digest_md5_message: generate base64 instead of hex string

curl_sasl: also fix memory leaks in some OOM situations
2014-06-11 23:15:48 +02:00
Steve Holme
51bb067a42 Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set 2014-06-11 21:13:40 +01:00