author | Brad King <brad.king@kitware.com> | 2018-01-24 19:17:42 (GMT) |
---|---|---|
committer | Brad King <brad.king@kitware.com> | 2018-01-24 19:18:16 (GMT) |
commit | cd8e31a1bf7429514078c2923a1a9580113f9d4f (patch) | |
tree | 6a0b8a01e3e0e52bb4b3abb66ce9e992614af6a7 /Utilities/cmcurl/lib/vtls | |
parent | e9c8ea75575afdb4e87b262641ee4071ef42b4c6 (diff) | |
parent | af9e654045f11028e50dac4781e297834129a749 (diff) | |
Merge branch 'upstream-curl' into update-curl
* upstream-curl:
curl 2018-01-23 (d6c21c8e)
Diffstat (limited to 'Utilities/cmcurl/lib/vtls')
-rw-r--r-- | Utilities/cmcurl/lib/vtls/axtls.c | 2 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/cyassl.c | 4 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/darwinssl.c | 96 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/gskit.c | 6 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/gtls.c | 2 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/mbedtls.c | 2 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/nss.c | 2 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/openssl.c | 88 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/polarssl.c | 2 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/schannel.c | 2 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/vtls.c | 25 | ||||
-rw-r--r-- | Utilities/cmcurl/lib/vtls/vtls.h | 2 |
12 files changed, 160 insertions, 73 deletions
diff --git a/Utilities/cmcurl/lib/vtls/axtls.c b/Utilities/cmcurl/lib/vtls/axtls.c index 6b42708..9294f49 100644 --- a/Utilities/cmcurl/lib/vtls/axtls.c +++ b/Utilities/cmcurl/lib/vtls/axtls.c @@ -728,7 +728,7 @@ const struct Curl_ssl Curl_ssl_axtls = { Curl_axtls_connect, /* connect */ Curl_axtls_connect_nonblocking, /* connect_nonblocking */ Curl_axtls_get_internals, /* get_internals */ - Curl_axtls_close, /* close */ + Curl_axtls_close, /* close_one */ Curl_none_close_all, /* close_all */ Curl_axtls_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ diff --git a/Utilities/cmcurl/lib/vtls/cyassl.c b/Utilities/cmcurl/lib/vtls/cyassl.c index ba5ee15..46b71bf 100644 --- a/Utilities/cmcurl/lib/vtls/cyassl.c +++ b/Utilities/cmcurl/lib/vtls/cyassl.c @@ -76,9 +76,7 @@ and that's a problem since options.h hasn't been included yet. */ #endif #endif -#ifdef HAVE_LIMITS_H #include <limits.h> -#endif #include "urldata.h" #include "sendf.h" @@ -1003,7 +1001,7 @@ const struct Curl_ssl Curl_ssl_cyassl = { Curl_cyassl_connect, /* connect */ Curl_cyassl_connect_nonblocking, /* connect_nonblocking */ Curl_cyassl_get_internals, /* get_internals */ - Curl_cyassl_close, /* close */ + Curl_cyassl_close, /* close_one */ Curl_none_close_all, /* close_all */ Curl_cyassl_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ diff --git a/Utilities/cmcurl/lib/vtls/darwinssl.c b/Utilities/cmcurl/lib/vtls/darwinssl.c index a98f433..53a7ec3 100644 --- a/Utilities/cmcurl/lib/vtls/darwinssl.c +++ b/Utilities/cmcurl/lib/vtls/darwinssl.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2012 - 2014, Nick Zitzmann, <nickzman@gmail.com>. + * Copyright (C) 2012 - 2017, Nick Zitzmann, <nickzman@gmail.com>. * Copyright (C) 2012 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which 
@@ -22,7 +22,7 @@ ***************************************************************************/ /* - * Source file for all iOS and Mac OS X SecureTransport-specific code for the + * Source file for all iOS and macOS SecureTransport-specific code for the * TLS/SSL layer. No code but vtls.c should ever call or use these functions. */ @@ -39,9 +39,7 @@ #pragma clang diagnostic ignored "-Wtautological-pointer-compare" #endif /* __clang__ */ -#ifdef HAVE_LIMITS_H #include <limits.h> -#endif #include <Security/Security.h> /* For some reason, when building for iOS, the omnibus header above does @@ -50,12 +48,14 @@ #include <CoreFoundation/CoreFoundation.h> #include <CommonCrypto/CommonDigest.h> -/* The Security framework has changed greatly between iOS and different OS X +/* The Security framework has changed greatly between iOS and different macOS versions, and we will try to support as many of them as we can (back to Leopard and iOS 5) by using macros and weak-linking. - IMPORTANT: If TLS 1.1 and 1.2 support are important for you on OS X, then - you must build this project against the 10.8 SDK or later. */ + In general, you want to build this using the most recent OS SDK, since some + features require curl to be built against the latest SDK. TLS 1.1 and 1.2 + support, for instance, require the macOS 10.8 SDK or later. TLS 1.3 + requires the macOS 10.13 or iOS 11 SDK or later. */ #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) #if MAC_OS_X_VERSION_MAX_ALLOWED < 1050 @@ -64,6 +64,7 @@ #define CURL_BUILD_IOS 0 #define CURL_BUILD_IOS_7 0 +#define CURL_BUILD_IOS_11 0 #define CURL_BUILD_MAC 1 /* This is the maximum API level we are allowed to use when building: */ #define CURL_BUILD_MAC_10_5 MAC_OS_X_VERSION_MAX_ALLOWED >= 1050 
@@ -71,10 +72,11 @@ #define CURL_BUILD_MAC_10_7 MAC_OS_X_VERSION_MAX_ALLOWED >= 1070 #define CURL_BUILD_MAC_10_8 MAC_OS_X_VERSION_MAX_ALLOWED >= 1080 #define CURL_BUILD_MAC_10_9 MAC_OS_X_VERSION_MAX_ALLOWED >= 1090 +#define CURL_BUILD_MAC_10_13 MAC_OS_X_VERSION_MAX_ALLOWED >= 101300 /* These macros mean "the following code is present to allow runtime backward compatibility with at least this cat or earlier": - (You set this at build-time by setting the MACOSX_DEPLOYMENT_TARGET - environmental variable.) */ + (You set this at build-time using the compiler command line option + "-mmacos-version-min.") */ #define CURL_SUPPORT_MAC_10_5 MAC_OS_X_VERSION_MIN_REQUIRED <= 1050 #define CURL_SUPPORT_MAC_10_6 MAC_OS_X_VERSION_MIN_REQUIRED <= 1060 #define CURL_SUPPORT_MAC_10_7 MAC_OS_X_VERSION_MIN_REQUIRED <= 1070 @@ -84,11 +86,14 @@ #elif TARGET_OS_EMBEDDED || TARGET_OS_IPHONE #define CURL_BUILD_IOS 1 #define CURL_BUILD_IOS_7 __IPHONE_OS_VERSION_MAX_ALLOWED >= 70000 +#define CURL_BUILD_IOS_11 __IPHONE_OS_VERSION_MAX_ALLOWED >= 110000 #define CURL_BUILD_MAC 0 #define CURL_BUILD_MAC_10_5 0 #define CURL_BUILD_MAC_10_6 0 #define CURL_BUILD_MAC_10_7 0 #define CURL_BUILD_MAC_10_8 0 +#define CURL_BUILD_MAC_10_9 0 +#define CURL_BUILD_MAC_10_13 0 #define CURL_SUPPORT_MAC_10_5 0 #define CURL_SUPPORT_MAC_10_6 0 #define CURL_SUPPORT_MAC_10_7 0 
@@ -838,6 +843,30 @@ CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher) return "TLS_RSA_PSK_WITH_NULL_SHA384"; break; #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */ +#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 + /* New ChaCha20+Poly1305 cipher-suites used by TLS 1.3: */ + case TLS_AES_128_GCM_SHA256: + return "TLS_AES_128_GCM_SHA256"; + break; + case TLS_AES_256_GCM_SHA384: + return "TLS_AES_256_GCM_SHA384"; + break; + case TLS_CHACHA20_POLY1305_SHA256: + return "TLS_CHACHA20_POLY1305_SHA256"; + break; + case TLS_AES_128_CCM_SHA256: + return "TLS_AES_128_CCM_SHA256"; + break; + case TLS_AES_128_CCM_8_SHA256: + return "TLS_AES_128_CCM_8_SHA256"; + break; + case TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: + return "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"; + break; + case TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: + return "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"; + break; +#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */ } return "TLS_NULL_WITH_NULL_NULL"; } @@ -1171,6 +1200,15 @@ static CURLcode darwinssl_version_from_curl(SSLProtocol *darwinver, *darwinver = kTLSProtocol12; return CURLE_OK; case CURL_SSLVERSION_TLSv1_3: + /* TLS 1.3 support first appeared in iOS 11 and macOS 10.13 */ +#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 + /* We can assume __builtin_available() will always work in the + 10.13/11.0 SDK: */ + if(__builtin_available(macOS 10.13, iOS 11.0, *)) { + *darwinver = kTLSProtocol13; + return CURLE_OK; + } +#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */ break; } return CURLE_SSL_CONNECT_ERROR; 
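Review bot: The comment introducing the new cases in TLSCipherNameForNumber, `/* New ChaCha20+Poly1305 cipher-suites used by TLS 1.3: */`, does not describe the list under it: five of the seven entries are AES-GCM/AES-CCM suites, and the two `TLS_ECDHE_*_WITH_CHACHA20_POLY1305_SHA256` entries are TLS 1.2 suites rather than TLS 1.3 ones. A comment such as `/* TLS 1.3 cipher suites, plus the ECDHE ChaCha20-Poly1305 suites, all first defined in the macOS 10.13 / iOS 11 SDK: */` would match the block. The `break;` after each `return` is unreachable but follows the existing pattern of the function, so it is fine to keep for consistency.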
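Review bot: The `#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11` / `__builtin_available(macOS 10.13, iOS 11.0, *)` pairing added to darwinssl_version_from_curl is repeated verbatim in the set_ssl_version_min_max and darwinssl_connect_step1 hunks, each with its own `#else`/`else` fallback to the TLS 1.2 value. Holding the runtime check in one small helper would leave a single place to update when the OS thresholds change; the `kTLSProtocol13` uses themselves still have to stay inside the SDK guard, since that enumerator is absent from older headers. A one-line comment on the `break;` here would also help: when the SDK guard is compiled in but the runtime check fails, control falls to `break;` and the function reports `CURLE_SSL_CONNECT_ERROR`, which is the intended "OS too old" outcome rather than an internal error.
```c
/* Whether the OS we are running on offers TLS 1.3 (macOS 10.13 / iOS 11 and
   later). Code that names kTLSProtocol13 must still sit inside the
   CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 guard, as older SDKs lack it. */
static bool darwinssl_os_supports_tls13(void)
{
#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11
  if(__builtin_available(macOS 10.13, iOS 11.0, *))
    return TRUE;
#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */
  return FALSE;
}
/* … unchanged: darwinssl_version_from_curl, with the runtime check replaced by
   a call to darwinssl_os_supports_tls13() inside the existing SDK guard … */
```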
@@ -1184,12 +1222,27 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) struct ssl_connect_data *connssl = &conn->ssl[sockindex]; long ssl_version = SSL_CONN_CONFIG(version); long ssl_version_max = SSL_CONN_CONFIG(version_max); + long max_supported_version_by_os; + + /* macOS 10.5-10.7 supported TLS 1.0 only. + macOS 10.8 and later, and iOS 5 and later, added TLS 1.1 and 1.2. + macOS 10.13 and later, and iOS 11 and later, added TLS 1.3. */ +#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 + if(__builtin_available(macOS 10.13, iOS 11.0, *)) { + max_supported_version_by_os = CURL_SSLVERSION_MAX_TLSv1_3; + } + else { + max_supported_version_by_os = CURL_SSLVERSION_MAX_TLSv1_2; + } +#else + max_supported_version_by_os = CURL_SSLVERSION_MAX_TLSv1_2; +#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */ switch(ssl_version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: ssl_version = CURL_SSLVERSION_TLSv1_0; - ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2; + ssl_version_max = max_supported_version_by_os; break; } @@ -1198,7 +1251,7 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) ssl_version_max = ssl_version << 16; break; case CURL_SSLVERSION_MAX_DEFAULT: - ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2; + ssl_version_max = max_supported_version_by_os; break; } @@ -1247,7 +1300,7 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) true); break; case CURL_SSLVERSION_TLSv1_3: - failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); + failf(data, "Your version of the OS does not support TLSv1.3"); return CURLE_SSL_CONNECT_ERROR; } } 
@@ -1326,7 +1379,16 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: (void)SSLSetProtocolVersionMin(BACKEND->ssl_ctx, kTLSProtocol1); +#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 + if(__builtin_available(macOS 10.13, iOS 11.0, *)) { + (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kTLSProtocol13); + } + else { + (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kTLSProtocol12); + } +#else (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kTLSProtocol12); +#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */ break; case CURL_SSLVERSION_TLSv1_0: case CURL_SSLVERSION_TLSv1_1: @@ -2341,7 +2403,13 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) infof(data, "TLS 1.2 connection using %s\n", TLSCipherNameForNumber(cipher)); break; -#endif +#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */ +#if CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 + case kTLSProtocol13: + infof(data, "TLS 1.3 connection using %s\n", + TLSCipherNameForNumber(cipher)); + break; +#endif /* CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11 */ default: infof(data, "Unknown protocol connection\n"); break; @@ -2932,7 +3000,7 @@ const struct Curl_ssl Curl_ssl_darwinssl = { Curl_darwinssl_connect, /* connect */ Curl_darwinssl_connect_nonblocking, /* connect_nonblocking */ Curl_darwinssl_get_internals, /* get_internals */ - Curl_darwinssl_close, /* close */ + Curl_darwinssl_close, /* close_one */ Curl_none_close_all, /* close_all */ Curl_darwinssl_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ diff --git a/Utilities/cmcurl/lib/vtls/gskit.c b/Utilities/cmcurl/lib/vtls/gskit.c index ba5faef..8f0cc0b 100644 --- a/Utilities/cmcurl/lib/vtls/gskit.c +++ b/Utilities/cmcurl/lib/vtls/gskit.c @@ -61,9 +61,7 @@ #endif -#ifdef HAVE_LIMITS_H -# include <limits.h> -#endif +#include <limits.h> #include <curl/curl.h> #include "urldata.h" 
@@ -1375,7 +1373,7 @@ const struct Curl_ssl Curl_ssl_gskit = {
 Curl_gskit_connect, /* connect */
 Curl_gskit_connect_nonblocking, /* connect_nonblocking */
 Curl_gskit_get_internals, /* get_internals */
- Curl_gskit_close, /* close */
+ Curl_gskit_close, /* close_one */
 Curl_none_close_all, /* close_all */
 /* No session handling for GSKit */
 Curl_none_session_free, /* session_free */
diff --git a/Utilities/cmcurl/lib/vtls/gtls.c b/Utilities/cmcurl/lib/vtls/gtls.c
index a844915..30b255b 100644
--- a/Utilities/cmcurl/lib/vtls/gtls.c
+++ b/Utilities/cmcurl/lib/vtls/gtls.c
@@ -1827,7 +1827,7 @@ const struct Curl_ssl Curl_ssl_gnutls = {
 Curl_gtls_connect, /* connect */
 Curl_gtls_connect_nonblocking, /* connect_nonblocking */
 Curl_gtls_get_internals, /* get_internals */
- Curl_gtls_close, /* close */
+ Curl_gtls_close, /* close_one */
 Curl_none_close_all, /* close_all */
 Curl_gtls_session_free, /* session_free */
 Curl_none_set_engine, /* set_engine */
diff --git a/Utilities/cmcurl/lib/vtls/mbedtls.c b/Utilities/cmcurl/lib/vtls/mbedtls.c
index ce1f8eb..28251a3 100644
--- a/Utilities/cmcurl/lib/vtls/mbedtls.c
+++ b/Utilities/cmcurl/lib/vtls/mbedtls.c
@@ -1061,7 +1061,7 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
 Curl_mbedtls_connect, /* connect */
 Curl_mbedtls_connect_nonblocking, /* connect_nonblocking */
 Curl_mbedtls_get_internals, /* get_internals */
- Curl_mbedtls_close, /* close */
+ Curl_mbedtls_close, /* close_one */
 Curl_mbedtls_close_all, /* close_all */
 Curl_mbedtls_session_free, /* session_free */
 Curl_none_set_engine, /* set_engine */
diff --git a/Utilities/cmcurl/lib/vtls/nss.c b/Utilities/cmcurl/lib/vtls/nss.c
index c0b7e63..a3ef37a 100644
--- a/Utilities/cmcurl/lib/vtls/nss.c
+++ b/Utilities/cmcurl/lib/vtls/nss.c
@@ -2365,7 +2365,7 @@ const struct Curl_ssl Curl_ssl_nss = { Curl_nss_connect, /* connect */ Curl_nss_connect_nonblocking, /* connect_nonblocking */ Curl_nss_get_internals, /* get_internals */ - Curl_nss_close, /* close */ + Curl_nss_close, /* close_one */ Curl_none_close_all, /* close_all */ /* NSS has its own session ID cache */ Curl_none_session_free, /* session_free */ diff --git a/Utilities/cmcurl/lib/vtls/openssl.c b/Utilities/cmcurl/lib/vtls/openssl.c index 4253160..93faa6f 100644 --- a/Utilities/cmcurl/lib/vtls/openssl.c +++ b/Utilities/cmcurl/lib/vtls/openssl.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -34,9 +34,7 @@ #ifdef USE_OPENSSL -#ifdef HAVE_LIMITS_H #include <limits.h> -#endif #include "urldata.h" #include "sendf.h" @@ -68,10 +66,7 @@ #include <openssl/rsa.h> #include <openssl/bio.h> #include <openssl/buffer.h> - -#ifdef HAVE_OPENSSL_PKCS12_H #include <openssl/pkcs12.h> -#endif #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP) #include <openssl/ocsp.h> 
@@ -151,14 +146,13 @@ static unsigned long OpenSSL_version_num(void) /* * Whether SSL_CTX_set_keylog_callback is available. * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287 - * BoringSSL: supported since d28f59c27bac (committed 2015-11-19), the - * BORINGSSL_201512 macro from 2016-01-21 should be close enough. + * BoringSSL: supported since d28f59c27bac (committed 2015-11-19) * LibreSSL: unsupported in at least 2.5.1 (explicitly check for it since it * lies and pretends to be OpenSSL 2.0.0). */ #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \ !defined(LIBRESSL_VERSION_NUMBER)) || \ - defined(BORINGSSL_201512) + defined(OPENSSL_IS_BORINGSSL) #define HAVE_KEYLOG_CALLBACK #endif @@ -181,6 +175,8 @@ static unsigned long OpenSSL_version_num(void) "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" #endif +#define ENABLE_SSLKEYLOGFILE + #ifdef ENABLE_SSLKEYLOGFILE typedef struct ssl_tap_state { int master_key_length; @@ -263,11 +259,11 @@ static void tap_ssl_key(const SSL *ssl, ssl_tap_state_t *state) if(!session || !keylog_file_fp) return; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) /* ssl->s3 is not checked in openssl 1.1.0-pre6, but let's assume that * we have a valid SSL context if we have a non-NULL session. */ SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE); - master_key_length = + master_key_length = (int) SSL_SESSION_get_master_key(session, master_key, SSL_MAX_MASTER_KEY_LENGTH); #else if(ssl->s3 && session->master_key_length > 0) { 
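Review bot: `#define ENABLE_SSLKEYLOGFILE` is added unconditionally, directly above the `#ifdef ENABLE_SSLKEYLOGFILE` block it guards, so every OpenSSL build now compiles in the secret-logging code and the `#ifdef` tests that follow (here, in Curl_ossl_init and in ossl_connect_step1) are always true; the only remaining gate is the `SSLKEYLOGFILE` environment variable at runtime. Because this path writes the session master secret (tap_ssl_key below, ossl_keylog_callback), that policy change deserves a comment at the definition, e.g. `/* Always compiled in: secrets are written only at runtime, and only when SSLKEYLOGFILE is set in the environment. */`. If a build-time opt-out is wanted, wrapping the define in a `#ifndef` keyed on a build option would give one, but that is a project decision rather than a defect in this hunk.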
@@ -445,14 +441,14 @@ static CURLcode Curl_ossl_seed(struct Curl_easy *data) size_t len = sizeof(randb); size_t i, i_max; for(i = 0, i_max = len / sizeof(struct curltime); i < i_max; ++i) { - struct curltime tv = curlx_tvnow(); + struct curltime tv = Curl_now(); Curl_wait_ms(1); tv.tv_sec *= i + 1; tv.tv_usec *= (unsigned int)i + 2; - tv.tv_sec ^= ((curlx_tvnow().tv_sec + curlx_tvnow().tv_usec) * + tv.tv_sec ^= ((Curl_now().tv_sec + Curl_now().tv_usec) * (i + 3)) << 8; - tv.tv_usec ^= (unsigned int) ((curlx_tvnow().tv_sec + - curlx_tvnow().tv_usec) * + tv.tv_usec ^= (unsigned int) ((Curl_now().tv_sec + + Curl_now().tv_usec) * (i + 4)) << 16; memcpy(&randb[i * sizeof(struct curltime)], &tv, sizeof(struct curltime)); @@ -653,7 +649,6 @@ int cert_stuff(struct connectdata *conn, case SSL_FILETYPE_PKCS12: { -#ifdef HAVE_OPENSSL_PKCS12_H FILE *f; PKCS12 *p12; EVP_PKEY *pri; @@ -740,10 +735,6 @@ int cert_stuff(struct connectdata *conn, if(!cert_done) return 0; /* failure! */ break; -#else - failf(data, "file type P12 for certificate not supported"); - return 0; -#endif } default: failf(data, "not supported file type '%s' for certificate", cert_type); @@ -837,12 +828,18 @@ int cert_stuff(struct connectdata *conn, EVP_PKEY_free(pktmp); } -#ifndef OPENSSL_NO_RSA +#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_IS_BORINGSSL) { /* If RSA is used, don't check the private key if its flags indicate * it doesn't support it. */ EVP_PKEY *priv_key = SSL_get_privatekey(ssl); - if(EVP_PKEY_id(priv_key) == EVP_PKEY_RSA) { + int pktype; +#ifdef HAVE_OPAQUE_EVP_PKEY + pktype = EVP_PKEY_id(priv_key); +#else + pktype = priv_key->type; +#endif + if(pktype == EVP_PKEY_RSA) { RSA *rsa = EVP_PKEY_get1_RSA(priv_key); if(RSA_flags(rsa) & RSA_METHOD_FLAG_NO_CHECK) check_privkey = FALSE; 
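Review bot: In Curl_ossl_seed the renamed `Curl_now()` values feed `tv.tv_sec *= i + 1;` and `tv.tv_sec ^= (...) << 8;`, where `tv_sec` is a signed `time_t`; on targets where `time_t` is 32 bits the multiply and the shift can overflow a signed value, which is undefined behaviour rather than the wrap the mixing presumably relies on. This predates the rename and only affects the fallback seeding path, but since the lines were touched it would be cheap to do the arithmetic on an unsigned copy (e.g. `unsigned long s = (unsigned long)tv.tv_sec;`) or to add a comment stating the 64-bit `time_t` assumption. The enclosing function starts and ends outside the hunk.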
@@ -907,7 +904,7 @@ static int x509_name_oneline(X509_NAME *a, char *buf, size_t size) static int Curl_ossl_init(void) { #ifdef ENABLE_SSLKEYLOGFILE - const char *keylog_file_name; + char *keylog_file_name; #endif OPENSSL_load_builtin_modules(); @@ -947,14 +944,22 @@ static int Curl_ossl_init(void) #endif #ifdef ENABLE_SSLKEYLOGFILE - keylog_file_name = curl_getenv("SSLKEYLOGFILE"); - if(keylog_file_name && !keylog_file_fp) { - keylog_file_fp = fopen(keylog_file_name, FOPEN_APPENDTEXT); - if(keylog_file_fp) { - if(setvbuf(keylog_file_fp, NULL, _IOLBF, 4096)) { - fclose(keylog_file_fp); - keylog_file_fp = NULL; + if(!keylog_file_fp) { + keylog_file_name = curl_getenv("SSLKEYLOGFILE"); + if(keylog_file_name) { + keylog_file_fp = fopen(keylog_file_name, FOPEN_APPENDTEXT); + if(keylog_file_fp) { +#ifdef WIN32 + if(setvbuf(keylog_file_fp, NULL, _IONBF, 0)) +#else + if(setvbuf(keylog_file_fp, NULL, _IOLBF, 4096)) +#endif + { + fclose(keylog_file_fp); + keylog_file_fp = NULL; + } } + Curl_safefree(keylog_file_name); } } #endif @@ -2408,8 +2413,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) /* Enable logging of secrets to the file specified in env SSLKEYLOGFILE. */ #if defined(ENABLE_SSLKEYLOGFILE) && defined(HAVE_KEYLOG_CALLBACK) - if(keylog_file) { - SSL_CTX_set_keylog_callback(connssl->ctx, ossl_keylog_callback); + if(keylog_file_fp) { + SSL_CTX_set_keylog_callback(BACKEND->ctx, ossl_keylog_callback); } #endif @@ -3060,12 +3065,12 @@ static CURLcode servercert(struct connectdata *conn, ASN1_TIME_print(mem, X509_get0_notBefore(BACKEND->server_cert)); len = BIO_get_mem_data(mem, (char **) &ptr); infof(data, " start date: %.*s\n", len, ptr); - rc = BIO_reset(mem); + (void)BIO_reset(mem); ASN1_TIME_print(mem, X509_get0_notAfter(BACKEND->server_cert)); len = BIO_get_mem_data(mem, (char **) &ptr); infof(data, " expire date: %.*s\n", len, ptr); - rc = BIO_reset(mem); + (void)BIO_reset(mem); BIO_free(mem); 
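Review bot: The Windows branch in Curl_ossl_init sets the key-log stream to `_IONBF` while other platforms keep `_IOLBF`, and nothing says why; a comment such as `/* The Windows CRT treats _IOLBF as full buffering, so write unbuffered to keep each line visible as soon as it is logged. */` would stop a later reader from "fixing" it back. The block also stays silent when `fopen` or `setvbuf` fails (the pointer is just left NULL), which is a reasonable best-effort choice but worth stating in the same comment, as is the fact that the file receives TLS secrets yet is created with the process's default permissions. Curl_ossl_init continues outside the hunk.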
@@ -3386,12 +3391,13 @@ static bool Curl_ossl_data_pending(const struct connectdata *conn, { const struct ssl_connect_data *connssl = &conn->ssl[connindex]; const struct ssl_connect_data *proxyssl = &conn->proxy_ssl[connindex]; - if(BACKEND->handle) - /* SSL is in use */ - return (0 != SSL_pending(BACKEND->handle) || - (proxyssl->backend->handle && - 0 != SSL_pending(proxyssl->backend->handle))) ? - TRUE : FALSE; + + if(connssl->backend->handle && SSL_pending(connssl->backend->handle)) + return TRUE; + + if(proxyssl->backend->handle && SSL_pending(proxyssl->backend->handle)) + return TRUE; + return FALSE; } @@ -3636,7 +3642,7 @@ const struct Curl_ssl Curl_ssl_openssl = { Curl_ossl_connect, /* connect */ Curl_ossl_connect_nonblocking, /* connect_nonblocking */ Curl_ossl_get_internals, /* get_internals */ - Curl_ossl_close, /* close */ + Curl_ossl_close, /* close_one */ Curl_ossl_close_all, /* close_all */ Curl_ossl_session_free, /* session_free */ Curl_ossl_set_engine, /* set_engine */ diff --git a/Utilities/cmcurl/lib/vtls/polarssl.c b/Utilities/cmcurl/lib/vtls/polarssl.c index fc0644f..df29fa9 100644 --- a/Utilities/cmcurl/lib/vtls/polarssl.c +++ b/Utilities/cmcurl/lib/vtls/polarssl.c @@ -923,7 +923,7 @@ const struct Curl_ssl Curl_ssl_polarssl = { Curl_polarssl_connect, /* connect */ Curl_polarssl_connect_nonblocking, /* connect_nonblocking */ Curl_polarssl_get_internals, /* get_internals */ - Curl_polarssl_close, /* close */ + Curl_polarssl_close, /* close_one */ Curl_none_close_all, /* close_all */ Curl_polarssl_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ diff --git a/Utilities/cmcurl/lib/vtls/schannel.c b/Utilities/cmcurl/lib/vtls/schannel.c index 9ca1431..85c64cf 100644 --- a/Utilities/cmcurl/lib/vtls/schannel.c +++ b/Utilities/cmcurl/lib/vtls/schannel.c 
@@ -1838,7 +1838,7 @@ const struct Curl_ssl Curl_ssl_schannel = { Curl_schannel_connect, /* connect */ Curl_schannel_connect_nonblocking, /* connect_nonblocking */ Curl_schannel_get_internals, /* get_internals */ - Curl_schannel_close, /* close */ + Curl_schannel_close, /* close_one */ Curl_none_close_all, /* close_all */ Curl_schannel_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ diff --git a/Utilities/cmcurl/lib/vtls/vtls.c b/Utilities/cmcurl/lib/vtls/vtls.c index bb8fda4..def1d30 100644 --- a/Utilities/cmcurl/lib/vtls/vtls.c +++ b/Utilities/cmcurl/lib/vtls/vtls.c @@ -549,7 +549,7 @@ int Curl_ssl_getsock(struct connectdata *conn, void Curl_ssl_close(struct connectdata *conn, int sockindex) { DEBUGASSERT((sockindex <= 1) && (sockindex >= -1)); - Curl_ssl->close(conn, sockindex); + Curl_ssl->close_one(conn, sockindex); } CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) @@ -1059,6 +1059,7 @@ bool Curl_none_false_start(void) return FALSE; } +#ifndef CURL_DISABLE_CRYPTO_AUTH CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen, unsigned char *md5sum, size_t md5len UNUSED_PARAM) { @@ -1073,6 +1074,19 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen, Curl_MD5_final(MD5pw, md5sum); return CURLE_OK; } +#else +CURLcode Curl_none_md5sum(unsigned char *input UNUSED_PARAM, + size_t inputlen UNUSED_PARAM, + unsigned char *md5sum UNUSED_PARAM, + size_t md5len UNUSED_PARAM) +{ + (void)input; + (void)inputlen; + (void)md5sum; + (void)md5len; + return CURLE_NOT_BUILT_IN; +} +#endif static int Curl_multissl_init(void) { @@ -1108,7 +1122,7 @@ static void Curl_multissl_close(struct connectdata *conn, int sockindex) { if(multissl_init(NULL)) return; - Curl_ssl->close(conn, sockindex); + Curl_ssl->close_one(conn, sockindex); } static const struct Curl_ssl Curl_ssl_multi = { 
@@ -1133,7 +1147,7 @@ static const struct Curl_ssl Curl_ssl_multi = { Curl_multissl_connect, /* connect */ Curl_multissl_connect_nonblocking, /* connect_nonblocking */ Curl_multissl_get_internals, /* get_internals */ - Curl_multissl_close, /* close */ + Curl_multissl_close, /* close_one */ Curl_none_close_all, /* close_all */ Curl_none_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ @@ -1246,6 +1260,7 @@ static size_t Curl_multissl_version(char *buffer, size_t size) static int multissl_init(const struct Curl_ssl *backend) { const char *env; + char *env_tmp; int i; if(Curl_ssl != &Curl_ssl_multi) @@ -1259,7 +1274,7 @@ static int multissl_init(const struct Curl_ssl *backend) if(!available_backends[0]) return 1; - env = getenv("CURL_SSL_BACKEND"); + env = env_tmp = curl_getenv("CURL_SSL_BACKEND"); #ifdef CURL_DEFAULT_SSL_BACKEND if(!env) env = CURL_DEFAULT_SSL_BACKEND; @@ -1268,6 +1283,7 @@ static int multissl_init(const struct Curl_ssl *backend) for(i = 0; available_backends[i]; i++) { if(strcasecompare(env, available_backends[i]->info.name)) { Curl_ssl = available_backends[i]; + curl_free(env_tmp); return 0; } } @@ -1275,6 +1291,7 @@ static int multissl_init(const struct Curl_ssl *backend) /* Fall back to first available backend */ Curl_ssl = available_backends[0]; + curl_free(env_tmp); return 0; } diff --git a/Utilities/cmcurl/lib/vtls/vtls.h b/Utilities/cmcurl/lib/vtls/vtls.h index f1a11ea..c5f9d4a 100644 --- a/Utilities/cmcurl/lib/vtls/vtls.h +++ b/Utilities/cmcurl/lib/vtls/vtls.h @@ -60,7 +60,7 @@ struct Curl_ssl { CURLcode (*connect_nonblocking)(struct connectdata *conn, int sockindex, bool *done); void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info); - void (*close)(struct connectdata *conn, int sockindex); + void (*close_one)(struct connectdata *conn, int sockindex); void (*close_all)(struct Curl_easy *data); void (*session_free)(void *ptr); |
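Review bot: In multissl_init, `env` now aliases the heap string `env_tmp` returned by `curl_getenv`, and that string is released on two separate exit paths (`curl_free(env_tmp);` before each `return 0;`); a single exit at the end of the function would keep the free in one place and make it harder to miss on any early return added later after the `curl_getenv` call. When `CURL_DEFAULT_SSL_BACKEND` substitutes the literal, `env_tmp` stays NULL and `curl_free(NULL)` is presumably a no-op, which is worth a short comment since it is not obvious from the hunk. The earlier `return 1` for no available backend sits before the allocation, so it does not leak.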