summaryrefslogtreecommitdiff
path: root/libs/libcurl/src/vtls/gtls.c
diff options
context:
space:
mode:
authordartraiden <wowemuh@gmail.com>2021-07-29 03:58:47 +0300
committerdartraiden <wowemuh@gmail.com>2021-07-29 04:00:29 +0300
commitfe19d22eaddb5383337114ab7a611d781de24b59 (patch)
tree618312785cafc338b2f3369184ef17364c20e6ec /libs/libcurl/src/vtls/gtls.c
parentd60a8d0c45ea7903274c570f523b7775125f4e89 (diff)
libcurl: update to 7.78
Diffstat (limited to 'libs/libcurl/src/vtls/gtls.c')
-rw-r--r--libs/libcurl/src/vtls/gtls.c129
1 files changed, 64 insertions, 65 deletions
diff --git a/libs/libcurl/src/vtls/gtls.c b/libs/libcurl/src/vtls/gtls.c
index ecde5c44de..1b145d8ebb 100644
--- a/libs/libcurl/src/vtls/gtls.c
+++ b/libs/libcurl/src/vtls/gtls.c
@@ -147,7 +147,7 @@ static void showtime(struct Curl_easy *data,
msnprintf(str,
sizeof(str),
- "\t %s: %s, %02d %s %4d %02d:%02d:%02d GMT",
+ " %s: %s, %02d %s %4d %02d:%02d:%02d GMT",
text,
Curl_wkday[tm->tm_wday?tm->tm_wday-1:6],
tm->tm_mday,
@@ -156,7 +156,7 @@ static void showtime(struct Curl_easy *data,
tm->tm_hour,
tm->tm_min,
tm->tm_sec);
- infof(data, "%s\n", str);
+ infof(data, "%s", str);
}
#endif
@@ -266,7 +266,7 @@ static CURLcode handshake(struct Curl_easy *data,
if(!strerr)
strerr = gnutls_strerror(rc);
- infof(data, "gnutls_handshake() warning: %s\n", strerr);
+ infof(data, "gnutls_handshake() warning: %s", strerr);
continue;
}
else if(rc < 0) {
@@ -330,6 +330,9 @@ set_ssl_version_min_max(struct Curl_easy *data,
ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
}
}
+ else if(ssl_version_max == CURL_SSLVERSION_MAX_DEFAULT) {
+ ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_3;
+ }
switch(ssl_version | ssl_version_max) {
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
@@ -338,11 +341,11 @@ set_ssl_version_min_max(struct Curl_easy *data,
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_1:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.0:+VERS-TLS1.1";
+ "+VERS-TLS1.1:+VERS-TLS1.0";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2";
+ "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
@@ -350,7 +353,7 @@ set_ssl_version_min_max(struct Curl_easy *data,
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.1:+VERS-TLS1.2";
+ "+VERS-TLS1.2:+VERS-TLS1.1";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
@@ -360,25 +363,16 @@ set_ssl_version_min_max(struct Curl_easy *data,
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
"+VERS-TLS1.3";
return CURLE_OK;
- case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT:
- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"
- ":+VERS-TLS1.3";
- return CURLE_OK;
- case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT:
- *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.1:+VERS-TLS1.2"
- ":+VERS-TLS1.3";
+ case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_3:
+ *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0";
return CURLE_OK;
- case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT:
+ case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_3:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.2"
- ":+VERS-TLS1.3";
+ "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1";
return CURLE_OK;
- case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT:
+ case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_3:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.2"
- ":+VERS-TLS1.3";
+ "+VERS-TLS1.3:+VERS-TLS1.2";
return CURLE_OK;
}
@@ -438,7 +432,7 @@ gtls_connect_step1(struct Curl_easy *data,
#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
- infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
+ infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username));
rc = gnutls_srp_allocate_client_credentials(
&backend->srp_client_cred);
@@ -468,7 +462,7 @@ gtls_connect_step1(struct Curl_easy *data,
SSL_CONN_CONFIG(CAfile),
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
- infof(data, "error reading ca cert file %s (%s)\n",
+ infof(data, "error reading ca cert file %s (%s)",
SSL_CONN_CONFIG(CAfile), gnutls_strerror(rc));
if(SSL_CONN_CONFIG(verifypeer)) {
*certverifyresult = rc;
@@ -476,7 +470,7 @@ gtls_connect_step1(struct Curl_easy *data,
}
}
else
- infof(data, "found %d certificates in %s\n", rc,
+ infof(data, "found %d certificates in %s", rc,
SSL_CONN_CONFIG(CAfile));
}
@@ -486,7 +480,7 @@ gtls_connect_step1(struct Curl_easy *data,
SSL_CONN_CONFIG(CApath),
GNUTLS_X509_FMT_PEM);
if(rc < 0) {
- infof(data, "error reading ca cert file %s (%s)\n",
+ infof(data, "error reading ca cert file %s (%s)",
SSL_CONN_CONFIG(CApath), gnutls_strerror(rc));
if(SSL_CONN_CONFIG(verifypeer)) {
*certverifyresult = rc;
@@ -494,7 +488,7 @@ gtls_connect_step1(struct Curl_easy *data,
}
}
else
- infof(data, "found %d certificates in %s\n",
+ infof(data, "found %d certificates in %s",
rc, SSL_CONN_CONFIG(CApath));
}
@@ -517,7 +511,7 @@ gtls_connect_step1(struct Curl_easy *data,
return CURLE_SSL_CRL_BADFILE;
}
else
- infof(data, "found %d CRL in %s\n",
+ infof(data, "found %d CRL in %s",
rc, SSL_SET_OPTION(CRLfile));
}
@@ -550,7 +544,7 @@ gtls_connect_step1(struct Curl_easy *data,
(gnutls_server_name_set(session, GNUTLS_NAME_DNS, hostname,
strlen(hostname)) < 0))
infof(data, "WARNING: failed to configure server name indication (SNI) "
- "TLS extension\n");
+ "TLS extension");
/* Use default priorities */
rc = gnutls_set_default_priority(session);
@@ -603,11 +597,12 @@ gtls_connect_step1(struct Curl_easy *data,
free(prioritysrp);
if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
- infof(data, "This GnuTLS does not support SRP\n");
+ infof(data, "This GnuTLS does not support SRP");
}
}
else {
#endif
+ infof(data, "GnuTLS ciphers: %s", prioritylist);
rc = gnutls_priority_set_direct(session, prioritylist, &err);
#ifdef HAVE_GNUTLS_SRP
}
@@ -632,14 +627,14 @@ gtls_connect_step1(struct Curl_easy *data,
protocols[cur].data = (unsigned char *)ALPN_H2;
protocols[cur].size = ALPN_H2_LENGTH;
cur++;
- infof(data, "ALPN, offering %.*s\n", ALPN_H2_LENGTH, ALPN_H2);
+ infof(data, "ALPN, offering %.*s", ALPN_H2_LENGTH, ALPN_H2);
}
#endif
protocols[cur].data = (unsigned char *)ALPN_HTTP_1_1;
protocols[cur].size = ALPN_HTTP_1_1_LENGTH;
cur++;
- infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
+ infof(data, "ALPN, offering %s", ALPN_HTTP_1_1);
gnutls_alpn_set_protocols(session, protocols, cur, 0);
}
@@ -745,7 +740,7 @@ gtls_connect_step1(struct Curl_easy *data,
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
/* Informational message */
- infof(data, "SSL re-using session ID\n");
+ infof(data, "SSL re-using session ID");
}
Curl_ssl_sessionid_unlock(data);
}
@@ -848,7 +843,7 @@ gtls_connect_step3(struct Curl_easy *data,
gnutls_cipher_get(session),
gnutls_mac_get(session));
- infof(data, "SSL connection using %s / %s\n",
+ infof(data, "SSL connection using %s / %s",
gnutls_protocol_get_name(version), ptr);
/* This function will return the peer's raw certificate (chain) as sent by
@@ -861,7 +856,7 @@ gtls_connect_step3(struct Curl_easy *data,
if(!chainp) {
if(SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost) ||
- SSL_SET_OPTION(issuercert)) {
+ SSL_CONN_CONFIG(issuercert)) {
#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL
@@ -879,7 +874,7 @@ gtls_connect_step3(struct Curl_easy *data,
}
#endif
}
- infof(data, "\t common name: WARNING couldn't obtain\n");
+ infof(data, " common name: WARNING couldn't obtain");
}
if(data->set.ssl.certinfo && chainp) {
@@ -926,13 +921,13 @@ gtls_connect_step3(struct Curl_easy *data,
return CURLE_PEER_FAILED_VERIFICATION;
}
else
- infof(data, "\t server certificate verification FAILED\n");
+ infof(data, " server certificate verification FAILED");
}
else
- infof(data, "\t server certificate verification OK\n");
+ infof(data, " server certificate verification OK");
}
else
- infof(data, "\t server certificate verification SKIPPED\n");
+ infof(data, " server certificate verification SKIPPED");
if(SSL_CONN_CONFIG(verifystatus)) {
if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
@@ -944,7 +939,7 @@ gtls_connect_step3(struct Curl_easy *data,
rc = gnutls_ocsp_status_request_get(session, &status_request);
- infof(data, "\t server certificate status verification FAILED\n");
+ infof(data, " server certificate status verification FAILED");
if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
failf(data, "No OCSP response received");
@@ -1032,10 +1027,10 @@ gtls_connect_step3(struct Curl_easy *data,
return CURLE_SSL_INVALIDCERTSTATUS;
}
else
- infof(data, "\t server certificate status verification OK\n");
+ infof(data, " server certificate status verification OK");
}
else
- infof(data, "\t server certificate status verification SKIPPED\n");
+ infof(data, " server certificate status verification SKIPPED");
/* initialize an X.509 certificate structure. */
gnutls_x509_crt_init(&x509_cert);
@@ -1045,21 +1040,21 @@ gtls_connect_step3(struct Curl_easy *data,
gnutls_x509_crt_t format */
gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
- if(SSL_SET_OPTION(issuercert)) {
+ if(SSL_CONN_CONFIG(issuercert)) {
gnutls_x509_crt_init(&x509_issuer);
- issuerp = load_file(SSL_SET_OPTION(issuercert));
+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
gnutls_x509_crt_deinit(x509_issuer);
unload_file(issuerp);
if(rc <= 0) {
failf(data, "server certificate issuer check failed (IssuerCert: %s)",
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
gnutls_x509_crt_deinit(x509_cert);
return CURLE_SSL_ISSUER_ERROR;
}
- infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
+ infof(data, " server certificate issuer check OK (Issuer Cert: %s)",
+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
}
size = sizeof(certname);
@@ -1069,7 +1064,7 @@ gtls_connect_step3(struct Curl_easy *data,
certname,
&size);
if(rc) {
- infof(data, "error fetching CN from cert:%s\n",
+ infof(data, "error fetching CN from cert:%s",
gnutls_strerror(rc));
}
@@ -1129,11 +1124,11 @@ gtls_connect_step3(struct Curl_easy *data,
return CURLE_PEER_FAILED_VERIFICATION;
}
else
- infof(data, "\t common name: %s (does not match '%s')\n",
+ infof(data, " common name: %s (does not match '%s')",
certname, SSL_HOST_DISPNAME());
}
else
- infof(data, "\t common name: %s (matched)\n", certname);
+ infof(data, " common name: %s (matched)", certname);
/* Check for time-based validity */
certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
@@ -1146,7 +1141,7 @@ gtls_connect_step3(struct Curl_easy *data,
return CURLE_SSL_CONNECT_ERROR;
}
else
- infof(data, "\t server certificate expiration date verify FAILED\n");
+ infof(data, " server certificate expiration date verify FAILED");
}
else {
if(certclock < time(NULL)) {
@@ -1157,10 +1152,10 @@ gtls_connect_step3(struct Curl_easy *data,
return CURLE_PEER_FAILED_VERIFICATION;
}
else
- infof(data, "\t server certificate expiration date FAILED\n");
+ infof(data, " server certificate expiration date FAILED");
}
else
- infof(data, "\t server certificate expiration date OK\n");
+ infof(data, " server certificate expiration date OK");
}
certclock = gnutls_x509_crt_get_activation_time(x509_cert);
@@ -1173,7 +1168,7 @@ gtls_connect_step3(struct Curl_easy *data,
return CURLE_SSL_CONNECT_ERROR;
}
else
- infof(data, "\t server certificate activation date verify FAILED\n");
+ infof(data, " server certificate activation date verify FAILED");
}
else {
if(certclock > time(NULL)) {
@@ -1184,10 +1179,10 @@ gtls_connect_step3(struct Curl_easy *data,
return CURLE_PEER_FAILED_VERIFICATION;
}
else
- infof(data, "\t server certificate activation date FAILED\n");
+ infof(data, " server certificate activation date FAILED");
}
else
- infof(data, "\t server certificate activation date OK\n");
+ infof(data, " server certificate activation date OK");
}
ptr = SSL_PINNED_PUB_KEY();
@@ -1213,19 +1208,19 @@ gtls_connect_step3(struct Curl_easy *data,
#ifndef CURL_DISABLE_VERBOSE_STRINGS
/* public key algorithm's parameters */
algo = gnutls_x509_crt_get_pk_algorithm(x509_cert, &bits);
- infof(data, "\t certificate public key: %s\n",
+ infof(data, " certificate public key: %s",
gnutls_pk_algorithm_get_name(algo));
/* version of the X.509 certificate. */
- infof(data, "\t certificate version: #%d\n",
+ infof(data, " certificate version: #%d",
gnutls_x509_crt_get_version(x509_cert));
rc = gnutls_x509_crt_get_dn2(x509_cert, &certfields);
if(rc)
- infof(data, "Failed to get certificate name\n");
+ infof(data, "Failed to get certificate name");
else {
- infof(data, "\t subject: %s\n", certfields.data);
+ infof(data, " subject: %s", certfields.data);
certclock = gnutls_x509_crt_get_activation_time(x509_cert);
showtime(data, "start date", certclock);
@@ -1238,9 +1233,9 @@ gtls_connect_step3(struct Curl_easy *data,
rc = gnutls_x509_crt_get_issuer_dn2(x509_cert, &certfields);
if(rc)
- infof(data, "Failed to get certificate issuer\n");
+ infof(data, "Failed to get certificate issuer");
else {
- infof(data, "\t issuer: %s\n", certfields.data);
+ infof(data, " issuer: %s", certfields.data);
gnutls_free(certfields.data);
}
@@ -1251,7 +1246,7 @@ gtls_connect_step3(struct Curl_easy *data,
if(conn->bits.tls_enable_alpn) {
rc = gnutls_alpn_get_selected_protocol(session, &proto);
if(rc == 0) {
- infof(data, "ALPN, server accepted to use %.*s\n", proto.size,
+ infof(data, "ALPN, server accepted to use %.*s", proto.size,
proto.data);
#ifdef USE_HTTP2
@@ -1268,7 +1263,7 @@ gtls_connect_step3(struct Curl_easy *data,
}
}
else
- infof(data, "ALPN, server did not agree to a protocol\n");
+ infof(data, "ALPN, server did not agree to a protocol");
Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
@@ -1438,6 +1433,10 @@ static void close_one(struct ssl_connect_data *connssl)
{
struct ssl_backend_data *backend = connssl->backend;
if(backend->session) {
+ char buf[32];
+ /* Maybe the server has already sent a close notify alert.
+ Read it to avoid an RST on the TCP connection. */
+ (void)gnutls_record_recv(backend->session, buf, sizeof(buf));
gnutls_bye(backend->session, GNUTLS_SHUT_WR);
gnutls_deinit(backend->session);
backend->session = NULL;
@@ -1506,7 +1505,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
break;
case GNUTLS_E_AGAIN:
case GNUTLS_E_INTERRUPTED:
- infof(data, "GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED\n");
+ infof(data, "GNUTLS_E_AGAIN || GNUTLS_E_INTERRUPTED");
break;
default:
retval = -1;
@@ -1620,7 +1619,7 @@ static bool gtls_cert_status_request(void)
}
static void *gtls_get_internals(struct ssl_connect_data *connssl,
- CURLINFO info UNUSED_PARAM)
+ CURLINFO info UNUSED_PARAM)
{
struct ssl_backend_data *backend = connssl->backend;
(void)info;
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-13 01:25:44 +0000