| Age | Commit message (Collapse) | Author |
|---|
|
CVE-2020-8286
Reported by anonymous
Bug: https://curl.se/docs/CVE-2020-8286.html
|
|
Reported-by: Kovalkov Dmitrii and Per Nilsson
Fixes #6254
Fixes #6256
Closes #6260
|
|
To fix a memory-leak.
Closes #6267
|
|
Follow-up to 4c9768565ec3a9 (from Sep 2008)
Closes #6268
|
|
EVP_MD_CTX_create will allocate memory for the context and returns
NULL in case the allocation fails. Make sure to catch any allocation
failures and exit early if so.
In passing, also move to EVP_DigestInit rather than EVP_DigestInit_ex
as the latter is intended for ENGINE selection which we don't do.
Closes #6224
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Emil Engler <me@emilengler.com>
|
|
Closes #6172
|
|
Follow-up to 68a513247409
Use a new separate define that is the combination of both
HAVE_OPENSSL_SRP and USE_TLS_SRP: USE_OPENSSL_SRP
Bug: https://curl.haxx.se/mail/lib-2020-10/0037.html
Closes #6094
|
|
... and fix a few occurances
Closes #6088
|
|
clang 10, mingw-w64:
```
vtls/openssl.c:2917:33: warning: comparison of integers of different signs: 'DWORD' (aka 'unsigned long') and 'HRESULT' (aka 'long')
[-Wsign-compare]
if(GetLastError() != CRYPT_E_NOT_FOUND)
~~~~~~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~
```
Approved-by: Daniel Stenberg
Closes #6062
|
|
... in the code of gtls, nss, and openssl
Closes #5735
|
|
Closes #5629
|
|
If the error reason from the lib is
SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED, libcurl will return
CURLE_PEER_FAILED_VERIFICATION and not CURLE_SSL_CONNECT_ERROR.
This unifies the libcurl return code and makes libressl run test 313
(CRL testing) fine.
Closes #5934
|
|
The code section that is OpenSSL 3+ specific now uses the same logic as
is used in the version < 3 section. It caused a compiler error without
it.
Closes #5907
|
|
Closes #5892
|
|
USE_TLS_SRP will be true if *any* selected TLS backend can use SRP
HAVE_OPENSSL_SRP is defined when OpenSSL can use it
HAVE_GNUTLS_SRP is defined when GnuTLS can use it
Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is
set if at least one of the supported backends offers SRP.
Reported-by: Stefan Strogin
Fixes #5865
Closes #5870
|
|
OpenSSL undefines the conflicting symbols but BoringSSL does not so we
must do it ourselves.
Reported-by: Samuel Tranchet
Assisted-by: Javier Blazquez
Ref: https://bugs.chromium.org/p/boringssl/issues/detail?id=371
Ref: https://github.com/openssl/openssl/blob/OpenSSL_1_1_1g/include/openssl/ossl_typ.h#L66-L73
Fixes https://github.com/curl/curl/issues/5669
Closes https://github.com/curl/curl/pull/5857
|
|
... not newline separated from the previous line. This makes it output
asterisk prefixed properly like other verbose putput!
Reported-by: jmdavitt on github
Fixes #5826
Closes #5827
|
|
`SSL_CTX_add0_chain_cert` and `SSL_CTX_clear_chain_certs` were
introduced in LibreSSL 2.9.1 [0].
[0] https://github.com/libressl-portable/openbsd/commit/0db809ee178457c8170abfae3931d7bd13abf3ef
Closes https://github.com/curl/curl/pull/5757
|
|
Except where the results are only used for character output.
getenv is not touched because it's part of the public API, and having
it return UTF-8 instead of ANSI would be a breaking change.
Fixes https://github.com/curl/curl/issues/5658
Fixes https://github.com/curl/curl/issues/5712
Closes https://github.com/curl/curl/pull/5718
|
|
Updated terminology in docs, comments and phrases to refer to C strings
as "null-terminated". Done to unify with how most other C oriented docs
refer of them and what users in general seem to prefer (based on a
single highly unscientific poll on twitter).
Reported-by: coinhubs on github
Fixes #5598
Closes #5608
|
|
- Include wincrypt before OpenSSL includes so that the latter can
properly handle any conflicts between the two.
Closes https://github.com/curl/curl/pull/5606
|
|
This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
locations. Instead the CA store can now be used at the same time.
The change is due to the impending release. The issue is still being
discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
is now documented as experimental.
Ref: bc052cc (parent commit)
Ref: https://github.com/curl/curl/issues/5585
|
|
Prior to this change I assume a build error would occur when
CURL_CA_FALLBACK was used.
Closes https://github.com/curl/curl/pull/5587
|
|
On some systems, openssl 1.0.x is still the default, but it has been
patched to contain all the recent security fixes. As a result of this
patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be
defined, while the previous behavior of openssl to not look at trusted
chains first, remains.
Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to
probe for the behavior of openssl based on the existence ofmacros.
Closes #5530
|
|
Added build to travis to verify
Closes #5466
|
|
For millisecond timers we like timediff_t better. Also, time_t can be
unsigned so returning a negative value doesn't work then.
Closes #5479
|
|
Create a set of routines for TLS key log file handling to enable reuse
with other TLS backends. Simplify the OpenSSL backend as follows:
- Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
- Do not perform dynamic memory allocation when preparing a log entry.
Unless the TLS specifications change we can suffice with a reasonable
fixed-size buffer.
- Simplify state tracking when SSL_CTX_set_keylog_callback is
unavailable. My original sslkeylog.c code included this tracking in
order to handle multiple calls to SSL_connect and detect new keys
after renegotiation (via SSL_read/SSL_write). For curl however we can
be sure that a single master secret eventually becomes available
after SSL_connect, so a simple flag is sufficient. An alternative to
the flag is examining SSL_state(), but this seems more complex and is
not pursued. Capturing keys after server renegotiation was already
unsupported in curl and remains unsupported.
Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
(`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
against an OpenSSL 1.1.1f server configured with:
# Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
openssl s_server -www -tls1
# Likewise, but fail the server handshake.
openssl s_server -www -tls1 -Verify 2
# TLS 1.3 test. No need to test the failing server handshake.
openssl s_server -www -tls1_3
Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
written using Wireshark. For the first and third case, expect four
matches per connection (decrypted Server Finished, Client Finished, HTTP
Request, HTTP Response). For the second case where the handshake fails,
expect a decrypted Server Finished only.
tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
-eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
-dtls.port==4433,http -ohttp.desegment_body:FALSE \
-Y 'tls.handshake.verify_data or http'
A single connection can easily be identified via the `tcp.stream` field.
|
|
|
|
This change introduces a generic way to provide binary data in setopt
options, called BLOBs.
This change introduces these new setopts:
CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.
Reviewed-by: Daniel Stenberg
Closes #5357
|
|
- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public headers and examples
- Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
typedef different types/structs depending on build conditions.
Closes #5338
|
|
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.
Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376
|
|
Closes #4346
|
|
Our code style mandates we put the conditional block on a separate
line. These mistakes are now detected by the updated checksrc.
|
|
OpenSSL 3 deprecates SSL_CTX_load_verify_locations and the MD4, DES
functions we use.
Fix the MD4 and SSL_CTX_load_verify_locations warnings.
In configure, detect OpenSSL v3 and if so, inhibit the deprecation
warnings. OpenSSL v3 deprecates the DES functions we use for NTLM and
until we rewrite the code to use non-deprecated functions we better
ignore these warnings as they don't help us.
Closes #5139
|
|
Use a proper variable instead to make it easier to use a debugger and
read the code.
|
|
Fixes a scan-build failure on Bionic.
Closes https://github.com/curl/curl/pull/4872
|
|
Avoid "reparsing" the content and instead deliver more exactly what is
provided in the certificate and avoid truncating the data after 512
bytes as done previously. This no longer removes embedded newlines.
Fixes #4837
Reported-by: bnfp on github
Closes #4841
|
|
Closes #4655
|
|
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.
Other TLS backends already accept partial chains.
Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
|
|
- Disable warning C4127 "conditional expression is constant" globally
in curl_setup.h for when building with Microsoft's compiler.
This mainly affects building with the Visual Studio project files found
in the projects dir.
Prior to this change the cmake and winbuild build systems already
disabled 4127 globally for when building with Microsoft's compiler.
Also, 4127 was already disabled for all build systems in the limited
circumstance of the WHILE_FALSE macro which disabled the warning
specifically for while(0). This commit removes the WHILE_FALSE macro and
all other cruft in favor of disabling globally in curl_setup.
Background:
We have various macros that cause 0 or 1 to be evaluated, which would
cause warning C4127 in Visual Studio. For example this causes it:
#define Curl_resolver_asynch() 1
Full behavior is not clearly defined and inconsistent across versions.
However it is documented that since VS 2015 Update 3 Microsoft has
addressed this somewhat but not entirely, not warning on while(true) for
example.
Prior to this change some C4127 warnings occurred when I built with
Visual Studio using the generated projects in the projects dir.
Closes https://github.com/curl/curl/pull/4658
|
|
- Retrieve LibreSSL runtime version when supported (>= 2.7.1).
For earlier versions we continue to use the compile-time version.
Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3
Closes https://github.com/curl/curl/pull/2425
|
|
- Disable the extra sensitivity except in debug builds (--enable-debug).
- Improve SYSCALL error message logic in ossl_send and ossl_recv so that
"No error" / "Success" socket error text isn't shown on SYSCALL error.
Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity
of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
also considered errors. For example, a server that does not send a known
protocol termination point (eg HTTP content length or chunked encoding)
_and_ does not send a TLS termination point (close_notify alert) would
cause an error if it closed the connection.
To be clear that behavior made it into release build 7.67.0
unintentionally. Several users have reported it as an issue.
Ultimately the idea is a good one, since it can help prevent against a
truncation attack. Other SSL backends may already behave similarly (such
as Windows native OS SSL Schannel). However much more of our user base
is using OpenSSL and there is a mass of legacy users in that space, so I
think that behavior should be partially reverted and then rolled out
slowly.
This commit changes the behavior so that the increased sensitivity is
disabled in all curl builds except curl debug builds (DEBUGBUILD). If
after a period of time there are no major issues then it can be enabled
in dev and release builds with the newest OpenSSL (1.1.1+), since users
using the newest OpenSSL are the least likely to have legacy problems.
Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke
Fixes https://github.com/curl/curl/issues/4624
Closes https://github.com/curl/curl/pull/4623
|
|
Reported-by: Paulo Roberto Tomasi
Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html
Closes https://github.com/curl/curl/pull/4593
|
|
Follow the pattern of many other callbacks.
Ref: #4546
Closes #4585
|
|
Instead of showing the somewhat nonsensical errno number, use strerror()
to provide a more relatable error message.
Closes #4411
|
|
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on
32-bit systems since commit b1616dad8f0.
Closes https://github.com/curl/curl/pull/4398
|
|
It was already fixed for BoringSSL in commit a0f8fccb1e0.
LibreSSL has had the second argument to SSL_CTX_set_min_proto_version
as uint16_t ever since the function was added in [0].
[0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda
Closes https://github.com/curl/curl/pull/4397
|
|
Follow-up to ffe34b7b59
Closes #4359
|
|
For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!
Regression since 3f5da4e59a556fc (7.65.0)
Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340
|
|
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available. Existing code is preserved for older versions of
OpenSSL.
Closes #4304
|
