| author | dartraiden <wowemuh@gmail.com> | 2019-02-10 02:02:38 +0300 |
|---|---|---|
| committer | dartraiden <wowemuh@gmail.com> | 2019-02-10 02:06:58 +0300 |
| commit | eee2c11f79a8958e65cc485af1e7afcbd394db1e (patch) | |
| tree | 9ab4418393997629ef9dc7ae78089cbece595d0c /libs/libcurl/src/vtls | |
| parent | 33d2c8e71902aa37d3fc978cb91e0a842a600960 (diff) | |
libcurl: update to 7.64
Diffstat (limited to 'libs/libcurl/src/vtls')
| -rw-r--r-- | libs/libcurl/src/vtls/cyassl.c | 8 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/darwinssl.c | 3 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/mbedtls.c | 16 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/openssl.c | 16 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/schannel.c | 62 | ||||
| -rw-r--r-- | libs/libcurl/src/vtls/schannel_verify.c | 6 |
6 files changed, 74 insertions, 37 deletions
diff --git a/libs/libcurl/src/vtls/cyassl.c b/libs/libcurl/src/vtls/cyassl.c
index 0d45afbf0c..ea96cf65e5 100644
--- a/libs/libcurl/src/vtls/cyassl.c
+++ b/libs/libcurl/src/vtls/cyassl.c
@@ -794,6 +794,12 @@ static int Curl_cyassl_init(void)
 }
+static void Curl_cyassl_cleanup(void)
+{
+ CyaSSL_Cleanup();
+}
+
+
 static bool Curl_cyassl_data_pending(const struct connectdata* conn,
 int connindex)
 {
@@ -1004,7 +1010,7 @@ const struct Curl_ssl Curl_ssl_cyassl = {
 sizeof(struct ssl_backend_data),
 Curl_cyassl_init, /* init */
- Curl_none_cleanup, /* cleanup */
+ Curl_cyassl_cleanup, /* cleanup */
 Curl_cyassl_version, /* version */
 Curl_none_check_cxn, /* check_cxn */
 Curl_cyassl_shutdown, /* shutdown */
diff --git a/libs/libcurl/src/vtls/darwinssl.c b/libs/libcurl/src/vtls/darwinssl.c
index 25b101282c..bb251cdb30 100644
--- a/libs/libcurl/src/vtls/darwinssl.c
+++ b/libs/libcurl/src/vtls/darwinssl.c
@@ -1298,7 +1298,6 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
 case CURL_SSLVERSION_DEFAULT:
 case CURL_SSLVERSION_TLSv1:
 ssl_version = CURL_SSLVERSION_TLSv1_0;
- ssl_version_max = max_supported_version_by_os;
 break;
 }
@@ -1430,7 +1429,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
 if(SSLSetProtocolVersionMax != NULL) {
 switch(conn->ssl_config.version) {
- case CURL_SSLVERSION_DEFAULT:
 case CURL_SSLVERSION_TLSv1:
 (void)SSLSetProtocolVersionMin(BACKEND->ssl_ctx, kTLSProtocol1);
 #if (CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) && HAVE_BUILTIN_AVAILABLE == 1
@@ -1445,6 +1443,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 #endif /* (CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) && HAVE_BUILTIN_AVAILABLE == 1 */
 break;
+ case CURL_SSLVERSION_DEFAULT:
 case CURL_SSLVERSION_TLSv1_0:
 case CURL_SSLVERSION_TLSv1_1:
 case CURL_SSLVERSION_TLSv1_2:
diff --git a/libs/libcurl/src/vtls/mbedtls.c b/libs/libcurl/src/vtls/mbedtls.c
index 6a20e276e3..bb6a757bf2 100644
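Review bot: The removed `ssl_version_max = max_supported_version_by_os;` in set_ssl_version_min_max leaves the DEFAULT/TLSv1 cases with whatever ssl_version_max held on entry, and nothing in the hunk records that this is deliberate. Presumably the intent is to honour a caller-supplied maximum instead of forcing the OS maximum, with the second darwinssl hunk routing CURL_SSLVERSION_DEFAULT into the same branch as the explicit TLSv1_x values; a comment at the case label would make that reviewable: `/* DEFAULT/TLSv1: keep the caller's max so an explicit --tls-max is honoured */`. Both set_ssl_version_min_max and darwinssl_connect_step1 begin before and continue past their hunks.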
--- a/libs/libcurl/src/vtls/mbedtls.c +++ b/libs/libcurl/src/vtls/mbedtls.c @@ -6,7 +6,7 @@ * \___|\___/|_| \_\_____| * * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com> - * Copyright (C) 2012 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2012 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -373,7 +373,7 @@ mbed_connect_step1(struct connectdata *conn, } } - infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port); + infof(data, "mbedTLS: Connecting to %s:%ld\n", hostname, port); mbedtls_ssl_config_init(&BACKEND->config); @@ -574,19 +574,21 @@ mbed_connect_step2(struct connectdata *conn, ret = mbedtls_ssl_get_verify_result(&BACKEND->ssl); + if(!SSL_CONN_CONFIG(verifyhost)) + /* Ignore hostname errors if verifyhost is disabled */ + ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH; + if(ret && SSL_CONN_CONFIG(verifypeer)) { if(ret & MBEDTLS_X509_BADCERT_EXPIRED) failf(data, "Cert verify failed: BADCERT_EXPIRED"); - if(ret & MBEDTLS_X509_BADCERT_REVOKED) { + else if(ret & MBEDTLS_X509_BADCERT_REVOKED) failf(data, "Cert verify failed: BADCERT_REVOKED"); - return CURLE_PEER_FAILED_VERIFICATION; - } - if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) + else if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) failf(data, "Cert verify failed: BADCERT_CN_MISMATCH"); - if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED) + else if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED) failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED"); return CURLE_PEER_FAILED_VERIFICATION; diff --git a/libs/libcurl/src/vtls/openssl.c b/libs/libcurl/src/vtls/openssl.c index 8bddb9a8c6..9d11b89e59 100644 --- a/libs/libcurl/src/vtls/openssl.c +++ b/libs/libcurl/src/vtls/openssl.c 
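Review bot: The new else-if chain in mbed_connect_step2 reports only the first matching flag, and a verify result made of mbedTLS flags the chain does not test still fails the connection with no failf() message at all, which is correct but hard to diagnose in the field. Add a catch-all after the last else-if: `else failf(data, "Cert verify failed: flags 0x%x", (unsigned int)ret);`. The added `ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH` when verifyhost is off masks exactly that one bit, so NOT_TRUSTED and the rest still fail when verifypeer is set; a comment saying so, e.g. `/* only the name check is relaxed; chain trust is still enforced under verifypeer */`, would prevent a later "simplification" that clears more. mbed_connect_step2 continues past the hunk.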
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -1692,6 +1692,7 @@ static CURLcode verifystatus(struct connectdata *conn, struct ssl_connect_data *connssl) { int i, ocsp_status; + unsigned char *status; const unsigned char *p; CURLcode result = CURLE_OK; struct Curl_easy *data = conn->data; @@ -1701,14 +1702,14 @@ static CURLcode verifystatus(struct connectdata *conn, X509_STORE *st = NULL; STACK_OF(X509) *ch = NULL; - long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p); + long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &status); - if(!p) { + if(!status) { failf(data, "No OCSP response received"); result = CURLE_SSL_INVALIDCERTSTATUS; goto end; } - + p = status; rsp = d2i_OCSP_RESPONSE(NULL, &p, len); if(!rsp) { failf(data, "Invalid OCSP response"); @@ -3774,7 +3775,12 @@ static size_t Curl_ossl_version(char *buffer, size_t size) { #ifdef OPENSSL_IS_BORINGSSL return msnprintf(buffer, size, OSSL_PACKAGE); -#else /* OPENSSL_IS_BORINGSSL */ +#elif defined(HAVE_OPENSSL_VERSION) && defined(OPENSSL_VERSION_STRING) + return msnprintf(buffer, size, "%s/%s", + OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING)); +#else + /* not BoringSSL and not using OpenSSL_version */ + char sub[3]; unsigned long ssleay_value; sub[2]='\0'; diff --git a/libs/libcurl/src/vtls/schannel.c b/libs/libcurl/src/vtls/schannel.c index 56fd93e1e5..c8574f56c1 100644 --- a/libs/libcurl/src/vtls/schannel.c +++ b/libs/libcurl/src/vtls/schannel.c 
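Review bot: In verifystatus the new `p = status;` line needs a why-comment, since a reader sees a const pointer copied from a fresh non-const one for no visible reason; presumably `status` exists because SSL_get_tlsext_status_ocsp_resp() wants an `unsigned char **` while d2i_OCSP_RESPONSE() advances its `const unsigned char **` argument, so suggest `/* d2i advances p; status keeps the base pointer and matches the non-const getter */`. Also `len` is handed to d2i_OCSP_RESPONSE unchecked: only a NULL `status` is rejected, so a guard such as `if(!status || len <= 0)` is cheap insurance against a zero or negative length being used as a buffer size. verifystatus continues past the hunk.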
@@ -7,7 +7,7 @@ * * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de> * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com> - * Copyright (C) 2012 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2012 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -356,6 +356,7 @@ get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path, TCHAR **thumbprint) { TCHAR *sep; + TCHAR *store_path_start; size_t store_name_len; sep = _tcschr(path, TEXT('\\')); @@ -386,13 +387,17 @@ get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path, else return CURLE_SSL_CERTPROBLEM; - *store_path = sep + 1; + store_path_start = sep + 1; - sep = _tcschr(*store_path, TEXT('\\')); + sep = _tcschr(store_path_start, TEXT('\\')); if(sep == NULL) return CURLE_SSL_CERTPROBLEM; - *sep = 0; + *sep = TEXT('\0'); + *store_path = _tcsdup(store_path_start); + *sep = TEXT('\\'); + if(*store_path == NULL) + return CURLE_OUT_OF_MEMORY; *thumbprint = sep + 1; if(_tcslen(*thumbprint) != CERT_THUMBPRINT_STR_LEN) @@ -435,7 +440,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) VERSION_LESS_THAN_EQUAL)) { /* Schannel in Windows XP (OS version 5.1) uses legacy handshakes and algorithms that may not be supported by all servers. */ - infof(data, "schannel: WinSSL version is old and may not be able to " + infof(data, "schannel: Windows version is old and may not be able to " "connect to some servers due to lack of SNI, algorithms, etc.\n"); } 
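Review bot: After `*store_path = _tcsdup(store_path_start);` in get_cert_location the thumbprint length check at the end of the hunk can still fail, and the caller then gets an error return with a freshly allocated `*store_path` it has no reason to free, which leaks (the return statement itself lies just past the hunk, so this is inferred from the visible control flow). Either duplicate only after all validation has passed, or release on that path: `free(*store_path); *store_path = NULL; return CURLE_SSL_CERTPROBLEM;`. A comment above the `_tcsdup` that `*store_path` is now heap memory owned by the caller would also help, since the previous code returned a pointer into `path`. get_cert_location continues past the hunk.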
@@ -608,9 +613,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) failf(data, "schannel: Failed to open cert store %x %s, " "last error is %x", cert_store_name, cert_store_path, GetLastError()); + free(cert_store_path); Curl_unicodefree(cert_path); return CURLE_SSL_CERTPROBLEM; } + free(cert_store_path); cert_thumbprint.pbData = cert_thumbprint_data; cert_thumbprint.cbData = CERT_THUMBPRINT_DATA_LEN; @@ -1414,6 +1421,16 @@ schannel_connect_common(struct connectdata *conn, int sockindex, connssl->state = ssl_connection_complete; conn->recv[sockindex] = schannel_recv; conn->send[sockindex] = schannel_send; + +#ifdef SECPKG_ATTR_ENDPOINT_BINDINGS + /* When SSPI is used in combination with Schannel + * we need the Schannel context to create the Schannel + * binding to pass the IIS extended protection checks. + * Available on Windows 7 or later. + */ + conn->sslContext = &BACKEND->ctxt->ctxt_handle; +#endif + *done = TRUE; } else @@ -2013,9 +2030,16 @@ static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) /* free SSPI Schannel API credential handle */ if(BACKEND->cred) { - Curl_ssl_sessionid_lock(conn); + /* + * When this function is called from Curl_schannel_close() the connection + * might not have an associated transfer so the check for conn->data is + * necessary. + */ + if(conn->data) + Curl_ssl_sessionid_lock(conn); Curl_schannel_session_free(BACKEND->cred); - Curl_ssl_sessionid_unlock(conn); + if(conn->data) + Curl_ssl_sessionid_unlock(conn); BACKEND->cred = NULL; } @@ -2049,7 +2073,7 @@ static void Curl_schannel_cleanup(void) static size_t Curl_schannel_version(char *buffer, size_t size) { - size = msnprintf(buffer, size, "WinSSL"); + size = msnprintf(buffer, size, "Schannel"); return size; } 
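Review bot: In Curl_schannel_shutdown the new `if(conn->data)` guards mean Curl_schannel_session_free(BACKEND->cred) now runs without the session-id lock whenever the connection has no transfer attached; if that credential can be reachable from a shared session cache, the free is unsynchronised against concurrent lookups. The added comment explains why the check is needed but not why skipping the lock is safe; either state that, e.g. `/* no transfer => no share to lock; cred is private to this conn here */` if it holds, or take the lock by another route. Separately, `conn->sslContext = &BACKEND->ctxt->ctxt_handle;` stores a pointer into the backend context, so it should be reset wherever ctxt is released (not visible here) to avoid the SSPI binding code reading a dangling pointer. Curl_schannel_shutdown and schannel_connect_common both begin before their hunks.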
@@ -2137,11 +2161,11 @@ static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, } static void Curl_schannel_checksum(const unsigned char *input, - size_t inputlen, - unsigned char *checksum, - size_t checksumlen, - DWORD provType, - const unsigned int algId) + size_t inputlen, + unsigned char *checksum, + size_t checksumlen, + DWORD provType, + const unsigned int algId) { HCRYPTPROV hProv = 0; HCRYPTHASH hHash = 0; @@ -2191,9 +2215,9 @@ static CURLcode Curl_schannel_md5sum(unsigned char *input, unsigned char *md5sum, size_t md5len) { - Curl_schannel_checksum(input, inputlen, md5sum, md5len, - PROV_RSA_FULL, CALG_MD5); - return CURLE_OK; + Curl_schannel_checksum(input, inputlen, md5sum, md5len, + PROV_RSA_FULL, CALG_MD5); + return CURLE_OK; } static CURLcode Curl_schannel_sha256sum(const unsigned char *input, @@ -2201,9 +2225,9 @@ static CURLcode Curl_schannel_sha256sum(const unsigned char *input, unsigned char *sha256sum, size_t sha256len) { - Curl_schannel_checksum(input, inputlen, sha256sum, sha256len, - PROV_RSA_AES, CALG_SHA_256); - return CURLE_OK; + Curl_schannel_checksum(input, inputlen, sha256sum, sha256len, + PROV_RSA_AES, CALG_SHA_256); + return CURLE_OK; } static void *Curl_schannel_get_internals(struct ssl_connect_data *connssl, diff --git a/libs/libcurl/src/vtls/schannel_verify.c b/libs/libcurl/src/vtls/schannel_verify.c index 8b21624ba4..680f6ec5d6 100644 --- a/libs/libcurl/src/vtls/schannel_verify.c +++ b/libs/libcurl/src/vtls/schannel_verify.c @@ -7,7 +7,7 @@ * * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de> * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com> - * Copyright (C) 2012 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2012 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms 
@@ -87,14 +87,14 @@ static CURLcode add_certs_to_store(HCERTSTORE trust_store, LARGE_INTEGER file_size; char *ca_file_buffer = NULL; char *current_ca_file_ptr = NULL; - const TCHAR *ca_file_tstr = NULL; + TCHAR *ca_file_tstr = NULL; size_t ca_file_bufsize = 0; DWORD total_bytes_read = 0; bool more_certs = 0; int num_certs = 0; size_t END_CERT_LEN; - ca_file_tstr = Curl_convert_UTF8_to_tchar(ca_file); + ca_file_tstr = Curl_convert_UTF8_to_tchar((char *)ca_file); if(!ca_file_tstr) { failf(data, "schannel: invalid path name for CA file '%s': %s", |
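Review bot: The `(char *)ca_file` cast in add_certs_to_store throws away the const qualifier only to satisfy Curl_convert_UTF8_to_tchar(), and the matching change of ca_file_tstr from `const TCHAR *` to `TCHAR *` suggests the converted string is later freed. If the conversion helper returns its argument unchanged in non-Unicode builds (not visible here), ca_file_tstr aliases the caller's string and any later free or write through it would be wrong; the cleaner fix is a const-correct conversion prototype, or at least a comment at the cast: `/* cast only for the helper's prototype; ca_file must not be modified */`. add_certs_to_store begins before and continues past the hunk.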
