Граф коммитов

286 Коммитов

Автор SHA1 Сообщение Дата
Cristian Rodríguez 3d919440c8 OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available, reduces memory use
See also :
http://www.openssl.org/docs/ssl/SSL_CTX_set_mode.html
http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

Signed-off-by: Cristian Rodríguez <crrodriguez@opensuse.org>
2011-08-07 22:58:31 +02:00
Yang Tse f1586cb477 stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h 2011-07-26 17:23:27 +02:00
Daniel Stenberg 4f170ee8f9 Curl_socket_ready: make timeout a 'long'
It was mostly typecasted to int all over the code so switching to long
instead all over should be a net gain.
2011-06-04 21:19:14 +02:00
Yang Tse 970117ef2d OpenSSL enabled: require OPENSSL_VERSION_NUMBER definition before usage. 2011-06-02 12:52:52 +02:00
Yang Tse 79cc6c244a compiler warning: fix
Fix compiler warning: enumerated type mixed with another type
2011-05-21 14:59:03 +02:00
Daniel Stenberg b903186fa0 source cleanup: unify look, style and indent levels
By the use of a the new lib/checksrc.pl script that checks that our
basic source style rules are followed.
2011-04-27 09:09:35 +02:00
Fabian Keil 1702a2c08d Fix a couple of spelling errors in lib/
Found with codespell.
2011-04-21 07:55:53 -07:00
Daniel Stenberg c828646f60 CURL_DOES_CONVERSIONS: cleanup
Massively reduce #ifdefs all over (23 #ifdef lines less so far)
Moved conversion-specific code to non-ascii.c
2011-04-20 00:50:07 +02:00
Andrei Benea fb80a0a082 Fix a buffer overflow in pubkey_show(). 2011-04-14 23:02:29 +02:00
Daniel Stenberg c66b0b32fb OpenSSL: no-sslv2 aware
Allow openSSL without SSL2 to be used. This fix is inspired by the fix
provided by Cristian Rodrguez.

Reported by: Cristian Rodrguez
2011-04-10 19:14:22 +02:00
Peter Sylvester 2531cd94a5 TSL-SRP: enabled with OpenSSL
If a new enough OpenSSL version is used, configure detects the TLS-SRP
support and enables it.
2011-03-25 23:09:28 +01:00
Dan Fandrich 61fc9044c7 Call ERR_peek_error instead of ERR_peek_last_error
The latter isn't available in older OpenSSL versions, and is
less useful since it returns the most recent error instead of
the first one encountered.
2011-02-10 12:29:34 -08:00
Bjoern Sikora 0e9626ba39 ssluse: improved error message on SSL_CTX_new failures
"SSL: couldn't create a context" really isn't that helpful, now it'll
also extract an explanation from OpenSSL and append to the right.
2011-02-02 18:25:57 +01:00
Darshan Mody 03be2c99ba Fixed compile using OpenSSL versions < 0.9.4a 2011-01-20 12:11:22 -08:00
Daniel Stenberg adb49ad8bb Curl_timeleft: s/conn/data in first argument
As the function doesn't really use the connectdata struct but only the
SessionHanadle struct I modified what argument it wants.
2011-01-04 23:13:10 +01:00
Daniel Stenberg c0c89cd44e get_cert_chain: support larger data sets
512 bytes turned out too short for some data, so now we allocate a
larger buffer instead

Bug: http://curl.haxx.se/mail/archive-2011-01/0002.html
2011-01-04 10:20:28 +01:00
Daniel Stenberg ae29142198 pubkey_show: allocate buffer to fit any-size result
The loop condition was wrong so keys larger than 340 bits would overflow
the local stack-based buffer.
2011-01-01 15:33:57 +01:00
Daniel Stenberg 2dded8fedb ossl_seed: no more RAND_screen
RAND_screen() is slow, not thread-safe and not needed anymore since OpenSSL
uses the thread-safe win32 CryptoAPI nowadays.
2010-12-23 14:36:07 +01:00
Heinrich Ko 315e5277dc ossl_connect_common: detect connection re-use
ossl_connect_common() now checks whether or not 'struct
connectdata->state' is equal 'ssl_connection_complete' and if so, will
return CURLE_OK with 'done' set to 'TRUE'. This check prevents
ossl_connect_common() from creating a new ssl connection on an existing
ssl session which causes openssl to fail when it tries to parse an
encrypted TLS packet since the cipher data was effectively thrown away
when the new ssl connection was created.

Bug: http://curl.haxx.se/mail/lib-2010-11/0169.html
2010-12-06 14:41:18 +01:00
Yang Tse dc3e7df1c9 fix compiler warning 2010-11-08 04:03:11 +01:00
Daniel Stenberg 87374a47c9 Revert: use Host: name for SNI and cert name checks
This reverts commit b0fd03f5b8,
4b2fbe1e97, afecd1aa13, 68cde058f6
2010-11-05 10:25:58 +01:00
Daniel Stenberg b0fd03f5b8 certcheck: use the custom Host: name for checks
If you use a custom Host: name in a request to a SSL server, libcurl
will now use that given name when it verifies the server certificate to
be correct rather than using the host name used in the actual URL.
2010-11-04 15:18:35 +01:00
Daniel Stenberg 4b2fbe1e97 SNI: simplify the custom host name use
The redirect check is already done at the position where the customhost
field is assigned so there's no point in doing that a second time.
2010-11-04 15:16:27 +01:00
Daniel Stenberg afecd1aa13 host: get the custom Host: name more genericly
When given a custom host name in a Host: header, we can use it for
several different purposes other than just cookies, so we rename it and
use it for SSL SNI etc.
2010-11-04 14:58:15 +01:00
Hongli Lai (Phusion) 68cde058f6 SNI: set name to custom Host header
OpenSSL SNI host name should be set to the custom Host header, if the
user provided one.
2010-11-04 14:10:56 +01:00
Daniel Stenberg aca67e2775 ssluse: removed redundant check that is always true 2010-09-12 16:29:04 +02:00
Daniel Stenberg 811fcccfc9 multi: fix FTPS connecting the data connection with OpenSSL
Commit 496002ea1c (released in 7.20.1) broke FTPS when using the
multi interface and OpenSSL was used. The condition for the non-blocking
connect was incorrect.

Reported by: Georg Lippitsch
Bug: http://curl.haxx.se/mail/lib-2010-07/0270.html
2010-08-01 23:50:46 +02:00
Constantine Sapuntzakis a0dd9df9ab OpenSSL: fix spurious SSL connection aborts
Was seeing spurious SSL connection aborts using libcurl and
OpenSSL. I tracked it down to uncleared error state on the
OpenSSL error stack - patch attached deals with that.

Rough idea of problem:

Code that uses libcurl calls some library that uses OpenSSL but
don't clear the OpenSSL error stack after an error.

ssluse.c calls SSL_read which eventually gets an EWOULDBLOCK from
the OS. Returns -1 to indicate an error

ssluse.c calls SSL_get_error. First thing, SSL_get_error calls
ERR_get_error to check the OpenSSL error stack, finds an old
error and returns SSL_ERROR_SSL instead of SSL_ERROR_WANT_READ or
SSL_ERROR_WANT_WRITE.

ssluse.c returns an error and aborts the connection

Solution:

Clear the openssl error stack before calling SSL_* operation if
we're going to call SSL_get_error afterwards.

Notes:

This is much more likely to happen with multi because it's easier
to intersperse other calls to the OpenSSL library in the same
thread.
2010-06-05 23:41:58 +02:00
Daniel Stenberg 77cfeadfa6 OpenSSL: multi interface handshake could hang
John-Mark Bell filed bug #3000052 that identified a problem (with
an associated patch) with the OpenSSL handshake state machine
when the multi interface is used:

Performing an https request using a curl multi handle and using
select or epoll to wait for events results in a hang. It appears
that the cause is the fix for bug #2958179, which makes
ossl_connect_common unconditionally return from the step 2 loop
when fetching from a multi handle.

When ossl_connect_step2 has completed, it updates
connssl->connecting_state to ssl_connect_3. ossl_connect_common
will then return to the caller, as a multi handle is in
use. Eventually, the client code will call curl_multi_fdset to
obtain an updated fdset to select or epoll on. For https
requests, curl_multi_fdset will cause https_getsock to be called.
https_getsock will only return a socket handle if the
connecting_state is ssl_connect_2_reading or
ssl_connect_2_writing.  Therefore, the client will never obtain a
valid fdset, and thus not drive the multi handle, resulting in a
hang.

(http://curl.haxx.se/bug/view.cgi?id=3000052)
2010-05-14 22:35:08 +02:00
Howard Chu bc8fc9803f sendrecv: make them two pairs of send/recv to properly deal with FTPS
FTP(S) use two connections that can be set to different recv and
send functions independently, so by introducing recv+send pairs
in the same manner we already have sockets/connections we can
work with FTPS fine.

This commit fixes the FTPS regression introduced in change d64bd82.
2010-05-11 22:48:38 +02:00
Howard Chu d64bd82bdc sendrecv: split the I/O handling into private handler
Howard Chu brought the bulk work of this patch that properly
moves out the sending and recving of data to the parts of the
code that are properly responsible for the various ways of doing
so.

Daniel Stenberg assisted with polishing a few bits and fixed some
minor flaws in the original patch.

Another upside of this patch is that we now abuse CURLcodes less
with the "magic" -1 return codes and instead use CURLE_AGAIN more
consistently.
2010-05-07 15:05:34 +02:00
Kamil Dudka ff8711135e refactorize interface of Curl_ssl_recv/Curl_ssl_send 2010-04-04 23:37:18 +02:00
Daniel Stenberg 2309b4e330 remove the CVSish $Id$ lines 2010-03-24 11:02:54 +01:00
Daniel Stenberg 6bf071df7e - Andrei Benea filed bug report #2956698 and pointed out that the
CURLOPT_CERTINFO feature leaked memory due to a missing OpenSSL function
  call. He provided the patch to fix it too.

  http://curl.haxx.se/bug/view.cgi?id=2956698
2010-03-02 13:41:18 +00:00
Daniel Stenberg 496002ea1c - Wesley Miaw reported bug #2958179 which identified a case of looping during
OpenSSL based SSL handshaking even though the multi interface was used and
  there was no good reason for it.

  http://curl.haxx.se/bug/view.cgi?id=2958179
2010-03-01 21:59:07 +00:00
Yang Tse 12d01bc5f7 - avoid OpenSSL 0.9.8 ENGINE_by_id memory leak
- cleanup parenthesis usage in return statements
2010-02-05 09:33:36 +00:00
Yang Tse d65cf7889b fix printf-style format strings 2010-01-28 15:34:18 +00:00
Daniel Stenberg 552c3de357 - Johan van Selst found and fixed a OpenSSL session ref count leak:
ossl_connect_step3() increments an SSL session handle reference counter on
  each call. When sessions are re-used this reference counter may be
  incremented many times, but it will be decremented only once when done (by
  Curl_ossl_session_free()); and the internal OpenSSL data will not be freed
  if this reference count remains positive. When a session is re-used the
  reference counter should be corrected by explicitly calling
  SSL_SESSION_free() after each consecutive SSL_get1_session() to avoid
  introducing a memory leak.

  (http://curl.haxx.se/bug/view.cgi?id=2926284)
2010-01-08 23:45:23 +00:00
Daniel Stenberg 10a11e3abe - David Byron fixed Curl_ossl_cleanup to actually call ENGINE_cleanup when
available.
2009-12-17 13:29:41 +00:00
Daniel Stenberg 3b1de97eaa minor indent change 2009-12-10 20:19:56 +00:00
Yang Tse 59939313f8 Make usage of calloc()'s arguments consistent with rest of code base 2009-11-18 10:33:54 +00:00
Yang Tse 3b8d7fddf7 Client certificate ENG file type requires OpenSSL 0.9.7 or newer 2009-11-15 12:58:50 +00:00
Yang Tse a8ddd6ce31 OpenSSL 0.9.7 or newer required for ENGINE_CTRL_GET_CMD_FROM_NAME definition 2009-11-14 11:33:49 +00:00
Daniel Stenberg 9c49e51f7e - Camille Moncelier added support for the file type SSL_FILETYPE_ENGINE for
the client certificate. It also disable the key name test as some engines
  can select a private key/cert automatically (When there is only one key
  and/or certificate on the hardware device used by the engine)
2009-11-14 07:53:34 +00:00
Gunter Knauf 6daede08cb we only need to call ASN1_STRING_length() if ASN1_STRING_type() detects UTF-8,
else ASN1_STRING_to_UTF8() returns the string length.
2009-10-14 02:32:27 +00:00
Daniel Stenberg e3d623f190 - Chris Mumford filed bug report #2861587
(http://curl.haxx.se/bug/view.cgi?id=2861587) identifying that libcurl used
  the OpenSSL function X509_load_crl_file() wrongly and failed if it would
  load a CRL file with more than one certificate within. This is now fixed.
2009-09-25 18:09:38 +00:00
Yang Tse c7c84e7420 fix compiler warning: end-of-loop code not reached 2009-09-25 13:05:36 +00:00
Yang Tse 37489a855f fix compiler warning: variable "sni" was set but never used 2009-09-24 13:24:08 +00:00
Daniel Stenberg 250ba99498 - Sven Anders reported that we introduced a cert verfication flaw for OpenSSL-
powered libcurl in 7.19.6. If there was a X509v3 Subject Alternative Name
  field in the certficate it had to match and so even if non-DNS and non-IP
  entry was present it caused the verification to fail.
2009-09-16 20:44:18 +00:00
Gunter Knauf 68f7d5b8d3 add cast to silent compiler warning with 64bit systems. 2009-08-29 04:34:44 +00:00