diff options
| author | dartraiden <wowemuh@gmail.com> | 2019-05-22 15:38:52 +0300 |
|---|---|---|
| committer | dartraiden <wowemuh@gmail.com> | 2019-05-22 15:38:52 +0300 |
| commit | 2dc913b65c76e8f51989cc20ce0ce8b1b087db37 (patch) | |
| tree | 6b44ea975bd3fac9562ac10213aa67c1b95da03a /libs/libcurl/src/vtls | |
| parent | 06eb563066b96fc1c4931f3a5dcf17c4f6fa32c5 (diff) | |
libcurl: update to 7.65
Diffstat (limited to 'libs/libcurl/src/vtls')
| -rw-r--r-- | libs/libcurl/src/vtls/cyassl.c | 5 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/gskit.c | 18 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/gtls.c | 49 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/mbedtls.c | 17 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/mesalink.c | 2 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/nss.c | 18 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/openssl.c | 20 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/polarssl.c | 9 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/polarssl_threadlock.c | 59 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/polarssl_threadlock.h | 9 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/schannel.c | 20 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/sectransp.c | 7 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/vtls.c | 31 |
13 files changed, 141 insertions, 123 deletions
diff --git a/libs/libcurl/src/vtls/cyassl.c b/libs/libcurl/src/vtls/cyassl.c index c7a3268efa..44a2bdda62 100644 --- a/libs/libcurl/src/vtls/cyassl.c +++ b/libs/libcurl/src/vtls/cyassl.c @@ -79,6 +79,7 @@ and that's a problem since options.h hasn't been included yet. */ #include "strcase.h" #include "x509asn1.h" #include "curl_printf.h" +#include "multiif.h" #include <cyassl/openssl/ssl.h> #include <cyassl/ssl.h> @@ -142,7 +143,6 @@ static CURLcode cyassl_connect_step1(struct connectdata *conn, int sockindex) { - char error_buffer[CYASSL_MAX_ERROR_SZ]; char *ciphers; struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; @@ -419,6 +419,7 @@ cyassl_connect_step1(struct connectdata *conn, if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { + char error_buffer[CYASSL_MAX_ERROR_SZ]; Curl_ssl_sessionid_unlock(conn); failf(data, "SSL: SSL_set_session failed: %s", ERR_error_string(SSL_get_error(BACKEND->handle, 0), @@ -599,6 +600,8 @@ cyassl_connect_step2(struct connectdata *conn, else infof(data, "ALPN, unrecognized protocol %.*s\n", protocol_len, protocol); + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else if(rc == SSL_ALPN_NOT_FOUND) infof(data, "ALPN, server did not agree to a protocol\n"); diff --git a/libs/libcurl/src/vtls/gskit.c b/libs/libcurl/src/vtls/gskit.c index c4afc89041..b93ff5d4f4 100644 --- a/libs/libcurl/src/vtls/gskit.c +++ b/libs/libcurl/src/vtls/gskit.c @@ -734,12 +734,11 @@ static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf, { struct ssl_connect_data *connssl = &conn->ssl[num]; struct Curl_easy *data = conn->data; - int buffsize; int nread; CURLcode cc = CURLE_RECV_ERROR; if(pipe_ssloverssl(conn, num, SOS_READ) >= 0) { - buffsize = buffersize > (size_t) INT_MAX? INT_MAX: (int) buffersize; + int buffsize = buffersize > (size_t) INT_MAX? INT_MAX: (int) buffersize; cc = gskit_status(data, gsk_secure_soc_read(BACKEND->handle, buf, buffsize, &nread), "gsk_secure_soc_read()", CURLE_RECV_ERROR); @@ -806,7 +805,6 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) conn->host.name; const char *sni; unsigned int protoflags = 0; - long timeout; Qso_OverlappedIO_t commarea; int sockpair[2]; static const int sobufsize = CURL_MAX_WRITE_SIZE; @@ -914,7 +912,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) if(!result) { /* Compute the handshake timeout. Since GSKit granularity is 1 second, we round up the required value. */ - timeout = Curl_timeleft(data, NULL, TRUE); + long timeout = Curl_timeleft(data, NULL, TRUE); if(timeout < 0) result = CURLE_OPERATION_TIMEDOUT; else @@ -1021,14 +1019,13 @@ static CURLcode gskit_connect_step2(struct connectdata *conn, int sockindex, struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; Qso_OverlappedIO_t cstat; - long timeout_ms; struct timeval stmv; CURLcode result; /* Poll or wait for end of SSL asynchronous handshake. */ for(;;) { - timeout_ms = nonblocking? 0: Curl_timeleft(data, NULL, TRUE); + long timeout_ms = nonblocking? 0: Curl_timeleft(data, NULL, TRUE); if(timeout_ms < 0) timeout_ms = 0; stmv.tv_sec = timeout_ms / 1000; @@ -1077,7 +1074,6 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) const char *cert = (const char *) NULL; const char *certend; const char *ptr; - int i; CURLcode result; /* SSL handshake done: gather certificate info and verify host. */ @@ -1087,6 +1083,8 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) &cdev, &cdec), "gsk_attribute_get_cert_info()", CURLE_SSL_CONNECT_ERROR) == CURLE_OK) { + int i; + infof(data, "Server certificate:\n"); p = cdev; for(i = 0; i++ < cdec; p++) @@ -1160,7 +1158,6 @@ static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex, struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; long timeout_ms; - Qso_OverlappedIO_t cstat; CURLcode result = CURLE_OK; *done = connssl->state == ssl_connection_complete; @@ -1262,7 +1259,6 @@ static int Curl_gskit_shutdown(struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct Curl_easy *data = conn->data; - ssize_t nread; int what; int rc; char buf[120]; @@ -1270,8 +1266,10 @@ static int Curl_gskit_shutdown(struct connectdata *conn, int sockindex) if(!BACKEND->handle) return 0; +#ifndef CURL_DISABLE_FTP if(data->set.ftp_ccc != CURLFTPSSL_CCC_ACTIVE) return 0; +#endif close_one(connssl, conn, sockindex); rc = 0; @@ -1279,6 +1277,8 @@ static int Curl_gskit_shutdown(struct connectdata *conn, int sockindex) SSL_SHUTDOWN_TIMEOUT); for(;;) { + ssize_t nread; + if(what < 0) { /* anything that gets here is fatally bad */ failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO); diff --git a/libs/libcurl/src/vtls/gtls.c b/libs/libcurl/src/vtls/gtls.c index e224861c45..8693cdce3f 100644 --- a/libs/libcurl/src/vtls/gtls.c +++ b/libs/libcurl/src/vtls/gtls.c @@ -55,6 +55,7 @@ #include "strcase.h" #include "warnless.h" #include "x509asn1.h" +#include "multiif.h" #include "curl_printf.h" #include "curl_memory.h" /* The last #include file should be: */ @@ -285,11 +286,11 @@ static CURLcode handshake(struct connectdata *conn, struct ssl_connect_data *connssl = &conn->ssl[sockindex]; gnutls_session_t session = BACKEND->session; curl_socket_t sockfd = conn->sock[sockindex]; - time_t timeout_ms; - int rc; - int what; for(;;) { + time_t timeout_ms; + int rc; + /* check allowed time left */ timeout_ms = Curl_timeleft(data, NULL, duringconnect); @@ -302,7 +303,7 @@ static CURLcode handshake(struct connectdata *conn, /* if ssl is expecting something, check if it's available. */ if(connssl->connecting_state == ssl_connect_2_reading || connssl->connecting_state == ssl_connect_2_writing) { - + int what; curl_socket_t writefd = ssl_connect_2_writing == connssl->connecting_state?sockfd:CURL_SOCKET_BAD; curl_socket_t readfd = ssl_connect_2_reading == @@ -956,7 +957,6 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, gnutls_pubkey_t key = NULL; /* Result is returned to caller */ - int ret = 0; CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH; /* if a path wasn't specified, don't pin */ @@ -967,6 +967,8 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, return result; do { + int ret; + /* Begin Gyrations to get the public key */ gnutls_pubkey_init(&key); @@ -1278,10 +1280,7 @@ gtls_connect_step3(struct connectdata *conn, #define use_addr in_addr #endif unsigned char addrbuf[sizeof(struct use_addr)]; - unsigned char certaddr[sizeof(struct use_addr)]; - size_t addrlen = 0, certaddrlen; - int i; - int ret = 0; + size_t addrlen = 0; if(Curl_inet_pton(AF_INET, hostname, addrbuf) > 0) addrlen = 4; @@ -1291,10 +1290,13 @@ gtls_connect_step3(struct connectdata *conn, #endif if(addrlen) { + unsigned char certaddr[sizeof(struct use_addr)]; + int i; + for(i = 0; ; i++) { - certaddrlen = sizeof(certaddr); - ret = gnutls_x509_crt_get_subject_alt_name(x509_cert, i, certaddr, - &certaddrlen, NULL); + size_t certaddrlen = sizeof(certaddr); + int ret = gnutls_x509_crt_get_subject_alt_name(x509_cert, i, certaddr, + &certaddrlen, NULL); /* If this happens, it wasn't an IP address. */ if(ret == GNUTLS_E_SHORT_MEMORY_BUFFER) continue; @@ -1449,6 +1451,9 @@ gtls_connect_step3(struct connectdata *conn, } else infof(data, "ALPN, server did not agree to a protocol\n"); + + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -1461,8 +1466,6 @@ gtls_connect_step3(struct connectdata *conn, already got it from the cache and asked to use it in the connection, it might've been rejected and then a new one is in use now and we need to detect that. */ - bool incache; - void *ssl_sessionid; void *connect_sessionid; size_t connect_idsize = 0; @@ -1471,6 +1474,9 @@ gtls_connect_step3(struct connectdata *conn, connect_sessionid = malloc(connect_idsize); /* get a buffer for it */ if(connect_sessionid) { + bool incache; + void *ssl_sessionid; + /* extract session ID to the allocated buffer */ gnutls_session_get_data(session, connect_sessionid, &connect_idsize); @@ -1631,12 +1637,10 @@ static void Curl_gtls_close(struct connectdata *conn, int sockindex) static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - ssize_t result; int retval = 0; struct Curl_easy *data = conn->data; - bool done = FALSE; - char buf[120]; +#ifndef CURL_DISABLE_FTP /* This has only been tested on the proftpd server, and the mod_tls code sends a close notify alert without waiting for a close notify alert in response. Thus we wait for a close notify alert from the server, but @@ -1644,8 +1648,13 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE) gnutls_bye(BACKEND->session, GNUTLS_SHUT_WR); +#endif if(BACKEND->session) { + ssize_t result; + bool done = FALSE; + char buf[120]; + while(!done) { int what = SOCKET_READABLE(conn->sock[sockindex], SSL_SHUTDOWN_TIMEOUT); @@ -1758,12 +1767,6 @@ static int Curl_gtls_seed(struct Curl_easy *data) if(!ssl_seeded || data->set.str[STRING_SSL_RANDOM_FILE] || data->set.str[STRING_SSL_EGDSOCKET]) { - - /* TODO: to a good job seeding the RNG - This may involve the gcry_control function and these options: - GCRYCTL_SET_RANDOM_SEED_FILE - GCRYCTL_SET_RNDEGD_SOCKET - */ ssl_seeded = TRUE; } return 0; diff --git a/libs/libcurl/src/vtls/mbedtls.c b/libs/libcurl/src/vtls/mbedtls.c index 27a9402cbc..63d1f4c81b 100644 --- a/libs/libcurl/src/vtls/mbedtls.c +++ b/libs/libcurl/src/vtls/mbedtls.c @@ -54,6 +54,7 @@ #include "parsedate.h" #include "connect.h" /* for the connect timeout */ #include "select.h" +#include "multiif.h" #include "polarssl_threadlock.h" /* The last 3 #include files should be in this order */ @@ -342,7 +343,8 @@ mbed_connect_step1(struct connectdata *conn, if(SSL_SET_OPTION(key)) { ret = mbedtls_pk_parse_keyfile(&BACKEND->pk, SSL_SET_OPTION(key), SSL_SET_OPTION(key_passwd)); - if(ret == 0 && !mbedtls_pk_can_do(&BACKEND->pk, MBEDTLS_PK_RSA)) + if(ret == 0 && !(mbedtls_pk_can_do(&BACKEND->pk, MBEDTLS_PK_RSA) || + mbedtls_pk_can_do(&BACKEND->pk, MBEDTLS_PK_ECKEY))) ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; if(ret) { @@ -539,13 +541,6 @@ mbed_connect_step2(struct connectdata *conn, data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; -#ifdef HAS_ALPN - const char *next_protocol; -#endif - - char errorbuf[128]; - errorbuf[0] = 0; - conn->recv[sockindex] = mbed_recv; conn->send[sockindex] = mbed_send; @@ -560,6 +555,8 @@ mbed_connect_step2(struct connectdata *conn, return CURLE_OK; } else if(ret) { + char errorbuf[128]; + errorbuf[0] = 0; #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ @@ -664,7 +661,7 @@ mbed_connect_step2(struct connectdata *conn, #ifdef HAS_ALPN if(conn->bits.tls_enable_alpn) { - next_protocol = mbedtls_ssl_get_alpn_protocol(&BACKEND->ssl); + const char *next_protocol = mbedtls_ssl_get_alpn_protocol(&BACKEND->ssl); if(next_protocol) { infof(data, "ALPN, server accepted to use %s\n", next_protocol); @@ -684,6 +681,8 @@ mbed_connect_step2(struct connectdata *conn, else { infof(data, "ALPN, server did not agree to a protocol\n"); } + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif diff --git a/libs/libcurl/src/vtls/mesalink.c b/libs/libcurl/src/vtls/mesalink.c index db14115593..718c282ee5 100644 --- a/libs/libcurl/src/vtls/mesalink.c +++ b/libs/libcurl/src/vtls/mesalink.c @@ -268,7 +268,7 @@ mesalink_connect_step2(struct connectdata *conn, int sockindex) char error_buffer[MESALINK_MAX_ERROR_SZ]; int detail = SSL_get_error(BACKEND->handle, ret); - if(SSL_ERROR_WANT_CONNECT == detail) { + if(SSL_ERROR_WANT_CONNECT == detail || SSL_ERROR_WANT_READ == detail) { connssl->connecting_state = ssl_connect_2_reading; return CURLE_OK; } diff --git a/libs/libcurl/src/vtls/nss.c b/libs/libcurl/src/vtls/nss.c index 08ee1aaaf2..491def106d 100644 --- a/libs/libcurl/src/vtls/nss.c +++ b/libs/libcurl/src/vtls/nss.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -38,6 +38,7 @@ #include "select.h" #include "vtls.h" #include "llist.h" +#include "multiif.h" #include "curl_printf.h" #include "nssg.h" #include <nspr.h> @@ -377,7 +378,7 @@ static int is_file(const char *filename) return 0; if(stat(filename, &st) == 0) - if(S_ISREG(st.st_mode)) + if(S_ISREG(st.st_mode) || S_ISFIFO(st.st_mode) || S_ISCHR(st.st_mode)) return 1; return 0; @@ -843,6 +844,8 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) { conn->negnpn = CURL_HTTP_VERSION_1_1; } + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } } @@ -1305,6 +1308,8 @@ static void nss_unload_module(SECMODModule **pmod) static CURLcode nss_init_core(struct Curl_easy *data, const char *cert_dir) { NSSInitParameters initparams; + PRErrorCode err; + const char *err_name; if(nss_context != NULL) return CURLE_OK; @@ -1325,7 +1330,9 @@ static CURLcode nss_init_core(struct Curl_easy *data, const char *cert_dir) if(nss_context != NULL) return CURLE_OK; - infof(data, "Unable to initialize NSS database\n"); + err = PR_GetError(); + err_name = nss_error_to_name(err); + infof(data, "Unable to initialize NSS database: %d (%s)\n", err, err_name); } infof(data, "Initializing NSS with certpath: none\n"); @@ -1335,7 +1342,9 @@ static CURLcode nss_init_core(struct Curl_easy *data, const char *cert_dir) if(nss_context != NULL) return CURLE_OK; - infof(data, "Unable to initialize NSS\n"); + err = PR_GetError(); + err_name = nss_error_to_name(err); + failf(data, "Unable to initialize NSS: %d (%s)", err, err_name); return CURLE_SSL_CACERT_BADFILE; } @@ -1822,7 +1831,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) /* list of all NSS objects we need to destroy in Curl_nss_close() */ Curl_llist_init(&BACKEND->obj_list, nss_destroy_object); - /* FIXME. NSS doesn't support multiple databases open at the same time. */ PR_Lock(nss_initlock); result = nss_init(conn->data); if(result) { diff --git a/libs/libcurl/src/vtls/openssl.c b/libs/libcurl/src/vtls/openssl.c index eff5c2106c..85e9be6161 100644 --- a/libs/libcurl/src/vtls/openssl.c +++ b/libs/libcurl/src/vtls/openssl.c @@ -48,6 +48,7 @@ #include "vtls.h" #include "strcase.h" #include "hostcheck.h" +#include "multiif.h" #include "curl_printf.h" #include <openssl/ssl.h> #include <openssl/rand.h> @@ -1307,6 +1308,7 @@ static int Curl_ossl_shutdown(struct connectdata *conn, int sockindex) int err; bool done = FALSE; +#ifndef CURL_DISABLE_FTP /* This has only been tested on the proftpd server, and the mod_tls code sends a close notify alert without waiting for a close notify alert in response. Thus we wait for a close notify alert from the server, but @@ -1314,6 +1316,7 @@ static int Curl_ossl_shutdown(struct connectdata *conn, int sockindex) if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE) (void)SSL_shutdown(BACKEND->handle); +#endif if(BACKEND->handle) { buffsize = (int)sizeof(buf); @@ -2917,6 +2920,9 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) } else infof(data, "ALPN, server did not agree to a protocol\n"); + + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -3223,11 +3229,6 @@ static CURLcode get_cert_chain(struct connectdata *conn, #endif break; } -#if 0 - case EVP_PKEY_EC: /* symbol not present in OpenSSL 0.9.6 */ - /* left TODO */ - break; -#endif } EVP_PKEY_free(pubkey); } @@ -3756,7 +3757,10 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ switch(err) { case SSL_ERROR_NONE: /* this is not an error */ + break; case SSL_ERROR_ZERO_RETURN: /* no more data */ + /* close_notify alert */ + connclose(conn, "TLS close_notify"); break; case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: @@ -3819,7 +3823,11 @@ static size_t Curl_ossl_version(char *buffer, size_t size) sub[0]='\0'; } - return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s", + return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s" +#ifdef OPENSSL_FIPS + "-fips" +#endif + , OSSL_PACKAGE, (ssleay_value>>28)&0xf, (ssleay_value>>20)&0xff, diff --git a/libs/libcurl/src/vtls/polarssl.c b/libs/libcurl/src/vtls/polarssl.c index 6ecabe94b5..7ea26b4425 100644 --- a/libs/libcurl/src/vtls/polarssl.c +++ b/libs/libcurl/src/vtls/polarssl.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2012 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2012 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com> * * This software is licensed as described in the file COPYING, which @@ -55,6 +55,7 @@ #include "select.h" #include "strcase.h" #include "polarssl_threadlock.h" +#include "multiif.h" #include "curl_printf.h" #include "curl_memory.h" /* The last #include file should be: */ @@ -593,6 +594,8 @@ polarssl_connect_step2(struct connectdata *conn, } else infof(data, "ALPN, server did not agree to a protocol\n"); + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -908,9 +911,7 @@ const struct Curl_ssl Curl_ssl_polarssl = { Curl_none_check_cxn, /* check_cxn */ Curl_none_shutdown, /* shutdown */ Curl_polarssl_data_pending, /* data_pending */ - /* This might cause libcurl to use a weeker random! - * TODO: use Polarssl's CTR-DRBG or HMAC-DRBG - */ + /* This might cause libcurl to use a weeker random! */ Curl_none_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ Curl_polarssl_connect, /* connect */ diff --git a/libs/libcurl/src/vtls/polarssl_threadlock.c b/libs/libcurl/src/vtls/polarssl_threadlock.c index dd5fbd7ec2..27c94b11e2 100644 --- a/libs/libcurl/src/vtls/polarssl_threadlock.c +++ b/libs/libcurl/src/vtls/polarssl_threadlock.c @@ -23,16 +23,15 @@ #include "curl_setup.h" #if (defined(USE_POLARSSL) || defined(USE_MBEDTLS)) && \ - (defined(USE_THREADS_POSIX) || defined(USE_THREADS_WIN32)) - -#if defined(USE_THREADS_POSIX) -# ifdef HAVE_PTHREAD_H -# include <pthread.h> -# endif -#elif defined(USE_THREADS_WIN32) -# ifdef HAVE_PROCESS_H -# include <process.h> -# endif + ((defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)) || \ + (defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H))) + +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) +# include <pthread.h> +# define POLARSSL_MUTEX_T pthread_mutex_t +#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) +# include <process.h> +# define POLARSSL_MUTEX_T HANDLE #endif #include "polarssl_threadlock.h" @@ -50,25 +49,23 @@ static POLARSSL_MUTEX_T *mutex_buf = NULL; int Curl_polarsslthreadlock_thread_setup(void) { int i; - int ret; mutex_buf = calloc(NUMT * sizeof(POLARSSL_MUTEX_T), 1); if(!mutex_buf) return 0; /* error, no number of threads defined */ -#ifdef HAVE_PTHREAD_H for(i = 0; i < NUMT; i++) { + int ret; +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) ret = pthread_mutex_init(&mutex_buf[i], NULL); if(ret) return 0; /* pthread_mutex_init failed */ - } -#elif defined(HAVE_PROCESS_H) - for(i = 0; i < NUMT; i++) { +#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) mutex_buf[i] = CreateMutex(0, FALSE, 0); if(mutex_buf[i] == 0) return 0; /* CreateMutex failed */ +#endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */ } -#endif /* HAVE_PTHREAD_H */ return 1; /* OK */ } @@ -76,24 +73,22 @@ int Curl_polarsslthreadlock_thread_setup(void) int Curl_polarsslthreadlock_thread_cleanup(void) { int i; - int ret; if(!mutex_buf) return 0; /* error, no threads locks defined */ -#ifdef HAVE_PTHREAD_H for(i = 0; i < NUMT; i++) { + int ret; +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) ret = pthread_mutex_destroy(&mutex_buf[i]); if(ret) return 0; /* pthread_mutex_destroy failed */ - } -#elif defined(HAVE_PROCESS_H) - for(i = 0; i < NUMT; i++) { +#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) ret = CloseHandle(mutex_buf[i]); if(!ret) return 0; /* CloseHandle failed */ +#endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */ } -#endif /* HAVE_PTHREAD_H */ free(mutex_buf); mutex_buf = NULL; @@ -102,51 +97,47 @@ int Curl_polarsslthreadlock_thread_cleanup(void) int Curl_polarsslthreadlock_lock_function(int n) { - int ret; -#ifdef HAVE_PTHREAD_H if(n < NUMT) { + int ret; +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) ret = pthread_mutex_lock(&mutex_buf[n]); if(ret) { DEBUGF(fprintf(stderr, "Error: polarsslthreadlock_lock_function failed\n")); return 0; /* pthread_mutex_lock failed */ } - } -#elif defined(HAVE_PROCESS_H) - if(n < NUMT) { +#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) ret = (WaitForSingleObject(mutex_buf[n], INFINITE) == WAIT_FAILED?1:0); if(ret) { DEBUGF(fprintf(stderr, "Error: polarsslthreadlock_lock_function failed\n")); return 0; /* pthread_mutex_lock failed */ } +#endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */ } -#endif /* HAVE_PTHREAD_H */ return 1; /* OK */ } int Curl_polarsslthreadlock_unlock_function(int n) { - int ret; -#ifdef HAVE_PTHREAD_H if(n < NUMT) { + int ret; +#if defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H) ret = pthread_mutex_unlock(&mutex_buf[n]); if(ret) { DEBUGF(fprintf(stderr, "Error: polarsslthreadlock_unlock_function failed\n")); return 0; /* pthread_mutex_unlock failed */ } - } -#elif defined(HAVE_PROCESS_H) - if(n < NUMT) { +#elif defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H) ret = ReleaseMutex(mutex_buf[n]); if(!ret) { DEBUGF(fprintf(stderr, "Error: polarsslthreadlock_unlock_function failed\n")); return 0; /* pthread_mutex_lock failed */ } +#endif /* USE_THREADS_POSIX && HAVE_PTHREAD_H */ } -#endif /* HAVE_PTHREAD_H */ return 1; /* OK */ } diff --git a/libs/libcurl/src/vtls/polarssl_threadlock.h b/libs/libcurl/src/vtls/polarssl_threadlock.h index dda5359b81..122647528d 100644 --- a/libs/libcurl/src/vtls/polarssl_threadlock.h +++ b/libs/libcurl/src/vtls/polarssl_threadlock.h @@ -26,13 +26,8 @@ #if (defined USE_POLARSSL) || (defined USE_MBEDTLS) -#if defined(USE_THREADS_POSIX) -# define POLARSSL_MUTEX_T pthread_mutex_t -#elif defined(USE_THREADS_WIN32) -# define POLARSSL_MUTEX_T HANDLE -#endif - -#if defined(USE_THREADS_POSIX) || defined(USE_THREADS_WIN32) +#if (defined(USE_THREADS_POSIX) && defined(HAVE_PTHREAD_H)) || \ + (defined(USE_THREADS_WIN32) && defined(HAVE_PROCESS_H)) int Curl_polarsslthreadlock_thread_setup(void); int Curl_polarsslthreadlock_thread_cleanup(void); diff --git a/libs/libcurl/src/vtls/schannel.c b/libs/libcurl/src/vtls/schannel.c index 39ac080e80..0f6f734fdc 100644 --- a/libs/libcurl/src/vtls/schannel.c +++ b/libs/libcurl/src/vtls/schannel.c @@ -58,6 +58,7 @@ #include "warnless.h" #include "x509asn1.h" #include "curl_printf.h" +#include "multiif.h" #include "system_win32.h" /* The last #include file should be: */ @@ -522,7 +523,6 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) #endif schannel_cred.dwFlags = SCH_CRED_AUTO_CRED_VALIDATION; - /* TODO s/data->set.ssl.no_revoke/SSL_SET_OPTION(no_revoke)/g */ if(data->set.ssl.no_revoke) { schannel_cred.dwFlags |= SCH_CRED_IGNORE_NO_REVOCATION_CHECK | SCH_CRED_IGNORE_REVOCATION_OFFLINE; @@ -868,13 +868,11 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; unsigned char *reallocated_buffer; - size_t reallocated_length; SecBuffer outbuf[3]; SecBufferDesc outbuf_desc; SecBuffer inbuf[2]; SecBufferDesc inbuf_desc; SECURITY_STATUS sspi_status = SEC_E_OK; - TCHAR *host_name; CURLcode result; bool doread; char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : @@ -917,7 +915,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) if(BACKEND->encdata_length - BACKEND->encdata_offset < CURL_SCHANNEL_BUFFER_FREE_SIZE) { /* increase internal encrypted data buffer */ - reallocated_length = BACKEND->encdata_offset + + size_t reallocated_length = BACKEND->encdata_offset + CURL_SCHANNEL_BUFFER_FREE_SIZE; reallocated_buffer = realloc(BACKEND->encdata_buffer, reallocated_length); @@ -933,6 +931,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) } for(;;) { + TCHAR *host_name; if(doread) { /* read encrypted handshake data from socket */ result = Curl_read_plain(conn->sock[sockindex], @@ -1269,6 +1268,8 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) } else infof(data, "ALPN, server did not agree to a protocol\n"); + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -2129,14 +2130,9 @@ static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM, static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, const char *pinnedpubkey) { - SECURITY_STATUS sspi_status; struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CERT_CONTEXT *pCertContextServer = NULL; - const char *x509_der; - DWORD x509_der_len; - curl_X509certificate x509_parsed; - curl_asn1Element *pubkey; /* Result is returned to caller */ CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH; @@ -2146,6 +2142,12 @@ static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, return CURLE_OK; do { + SECURITY_STATUS sspi_status; + const char *x509_der; + DWORD x509_der_len; + curl_X509certificate x509_parsed; + curl_asn1Element *pubkey; + sspi_status = s_pSecFn->QueryContextAttributes(&BACKEND->ctxt->ctxt_handle, SECPKG_ATTR_REMOTE_CERT_CONTEXT, diff --git a/libs/libcurl/src/vtls/sectransp.c b/libs/libcurl/src/vtls/sectransp.c index 971dd78e6a..2fdf662a1d 100644 --- a/libs/libcurl/src/vtls/sectransp.c +++ b/libs/libcurl/src/vtls/sectransp.c @@ -31,6 +31,7 @@ #include "urldata.h" /* for the Curl_easy definition */ #include "curl_base64.h" #include "strtok.h" +#include "multiif.h" #ifdef USE_SECTRANSP @@ -1902,7 +1903,6 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, /* We want to enable 1/n-1 when using a CBC cipher unless the user specifically doesn't want us doing that: */ if(SSLSetSessionOption != NULL) { - /* TODO s/data->set.ssl.enable_beast/SSL_SET_OPTION(enable_beast)/g */ SSLSetSessionOption(BACKEND->ssl_ctx, kSSLSessionOptionSendOneByteRecord, !data->set.ssl.enable_beast); SSLSetSessionOption(BACKEND->ssl_ctx, kSSLSessionOptionFalseStart, @@ -2651,6 +2651,9 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex) else infof(data, "ALPN, server did not agree to a protocol\n"); + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); + /* chosenProtocol is a reference to the string within alpnArr and doesn't need to be freed separately */ if(alpnArr) @@ -2960,8 +2963,10 @@ static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex) if(!BACKEND->ssl_ctx) return 0; +#ifndef CURL_DISABLE_FTP if(data->set.ftp_ccc != CURLFTPSSL_CCC_ACTIVE) return 0; +#endif Curl_sectransp_close(conn, sockindex); diff --git a/libs/libcurl/src/vtls/vtls.c b/libs/libcurl/src/vtls/vtls.c index 8a405c05cd..a7452dcd53 100644 --- a/libs/libcurl/src/vtls/vtls.c +++ b/libs/libcurl/src/vtls/vtls.c @@ -498,9 +498,9 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, void Curl_ssl_close_all(struct Curl_easy *data) { - size_t i; /* kill the session ID cache if not shared */ if(data->state.session && !SSLSESSION_SHARED(data)) { + size_t i; for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) /* the single-killer function handles empty table slots */ Curl_ssl_kill_session(&data->state.session[i]); @@ -644,11 +644,11 @@ bool Curl_ssl_data_pending(const struct connectdata *conn, void Curl_ssl_free_certinfo(struct Curl_easy *data) { - int i; struct curl_certinfo *ci = &data->info.certs; if(ci->num_of_certs) { /* free all individual lists used */ + int i; for(i = 0; i<ci->num_of_certs; i++) { curl_slist_free_all(ci->certinfo[i]); ci->certinfo[i] = NULL; @@ -808,14 +808,7 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, { FILE *fp; unsigned char *buf = NULL, *pem_ptr = NULL; - long filesize; - size_t size, pem_len; - CURLcode pem_read; CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH; - CURLcode encode; - size_t encodedlen, pinkeylen; - char *encoded, *pinkeycopy, *begin_pos, *end_pos; - unsigned char *sha256sumdigest = NULL; /* if a path wasn't specified, don't pin */ if(!pinnedpubkey) @@ -825,6 +818,11 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, /* only do this if pinnedpubkey starts with "sha256//", length 8 */ if(strncmp(pinnedpubkey, "sha256//", 8) == 0) { + CURLcode encode; + size_t encodedlen, pinkeylen; + char *encoded, *pinkeycopy, *begin_pos, *end_pos; + unsigned char *sha256sumdigest; + if(!Curl_ssl->sha256sum) { /* without sha256 support, this cannot match */ return result; @@ -895,6 +893,10 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, return result; do { + long filesize; + size_t size, pem_len; + CURLcode pem_read; + /* Determine the file's size */ if(fseek(fp, 0, SEEK_END)) break; @@ -1239,16 +1241,17 @@ static size_t Curl_multissl_version(char *buffer, size_t size) if(current != selected) { char *p = backends; + char *end = backends + sizeof(backends); int i; selected = current; - for(i = 0; available_backends[i]; i++) { + for(i = 0; available_backends[i] && p < (end - 4); i++) { if(i) *(p++) = ' '; if(selected != available_backends[i]) *(p++) = '('; - p += available_backends[i]->version(p, backends + sizeof(backends) - p); + p += available_backends[i]->version(p, end - p - 2); if(selected != available_backends[i]) *(p++) = ')'; } @@ -1256,21 +1259,20 @@ static size_t Curl_multissl_version(char *buffer, size_t size) total = p - backends; } - if(size < total) + if(size > total) memcpy(buffer, backends, total + 1); else { memcpy(buffer, backends, size - 1); buffer[size - 1] = '\0'; } - return total; + return CURLMIN(size - 1, total); } static int multissl_init(const struct Curl_ssl *backend) { const char *env; char *env_tmp; - int i; if(Curl_ssl != &Curl_ssl_multi) return 1; @@ -1289,6 +1291,7 @@ static int multissl_init(const struct Curl_ssl *backend) env = CURL_DEFAULT_SSL_BACKEND; #endif if(env) { + int i; for(i = 0; available_backends[i]; i++) { if(strcasecompare(env, available_backends[i]->info.name)) { Curl_ssl = available_backends[i]; |