Commit Graph

1280 Commits

Author SHA1 Message Date
Stefan Eissing
e8b00fcd6a
openssl: store the CA after first send (ClientHello)
move Curl_ssl_setup_x509_store() call after the first send (ClientHello)
this gives time to parse CA anchors while waiting on the server reply

Ref: #10389
Closes #10432
2023-02-08 10:41:11 +01:00
Anthony Hu
12e9186fc4
wolfssl: remove deprecated post-quantum algorithms
Closes #10440
2023-02-08 08:31:45 +01:00
John Bampton
0065b146eb
misc: fix spelling
Closes #10437
2023-02-08 08:30:05 +01:00
Daniel Stenberg
1c91ba3939
vtls: infof using %.*s needs to provide the length as int
Fixes a Coverity warning.

Closes #10436
2023-02-07 16:33:04 +01:00
Stefan Eissing
7dad86a03f
vrls: addressing issues reported by coverity
I believe the code was secure before this, but limiting the accepted
name length to what is used in the structures should help Coverity's
analysis.

Closes #10431
2023-02-07 14:05:21 +01:00
Daniel Stenberg
82123417ff
vtls: fix failf() format argument type for %.*s handling
Reported by Coverity

Closes #10422
2023-02-06 23:41:21 +01:00
Daniel Stenberg
b0b33fe71d
openssl: fix "Improper use of negative value"
By getting the socket first and returning error in case of bad socket.

Detected by Coverity.

Closes #10423
2023-02-06 23:40:20 +01:00
Stefan Eissing
671158242d
connections: introduce http/3 happy eyeballs
New cfilter HTTP-CONNECT for h3/h2/http1.1 eyeballing.
- filter is installed when `--http3` in the tool is used (or
  the equivalent CURLOPT_ done in the library)
- starts a QUIC/HTTP/3 connect right away. Should that not
  succeed after 100ms (subject to change), a parallel attempt
  is started for HTTP/2 and HTTP/1.1 via TCP
- both attempts are subject to IPv6/IPv4 eyeballing, same
  as happens for other connections
- tie timeout to the ip-version HAPPY_EYEBALLS_TIMEOUT
- use a `soft` timeout at half the value. When the soft timeout
  expires, the HTTPS-CONNECT filter checks if the QUIC filter
  has received any data from the server. If not, it will start
  the HTTP/2 attempt.

HTTP/3(ngtcp2) improvements.
- setting call_data in all cfilter calls similar to http/2 and vtls filters
  for use in callback where no stream data is available.
- returning CURLE_PARTIAL_FILE for prematurely terminated transfers
- enabling pytest test_05 for h3
- shifting functionality to "connect" UDP sockets from ngtcp2
  implementation into the udp socket cfilter. Because unconnected
  UDP sockets are weird. For example they error when adding to a
  pollset.

HTTP/3(quiche) improvements.
- fixed upload bug in quiche implementation, now passes 251 and pytest
- error codes on stream RESET
- improved debug logs
- handling of DRAIN during connect
- limiting pending event queue

HTTP/2 cfilter improvements.
- use LOG_CF macros for dynamic logging in debug build
- fix CURLcode on RST streams to be CURLE_PARTIAL_FILE
- enable pytest test_05 for h2
- fix upload pytests and improve parallel transfer performance.

GOAWAY handling for ngtcp2/quiche
- during connect, when the remote server refuses to accept new connections
  and closes immediately (so the local conn goes into DRAIN phase), the
  connection is torn down and a another attempt is made after a short grace
  period.
  This is the behaviour observed with nghttpx when we tell it to  shut
  down gracefully. Tested in pytest test_03_02.

TLS improvements
- ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, replaces
  copy of logic in all tls backends.
- standardized the infof logging of offered ALPNs
- ALPN negotiated: have common function for all backends that sets alpn proprty
  and connection related things based on the negotiated protocol (or lack thereof).

- new tests/tests-httpd/scorecard.py for testing h3/h2 protocol implementation.
  Invoke:
    python3 tests/tests-httpd/scorecard.py --help
  for usage.

Improvements on gathering connect statistics and socket access.
- new CF_CTRL_CONN_REPORT_STATS cfilter control for having cfilters
  report connection statistics. This is triggered when the connection
  has completely connected.
- new void Curl_pgrsTimeWas(..) method to report a timer update with
  a timestamp of when it happend. This allows for updating timers
  "later", e.g. a connect statistic after full connectivity has been
  reached.
- in case of HTTP eyeballing, the previous changes will update
  statistics only from the filter chain that "won" the eyeballing.
- new cfilter query CF_QUERY_SOCKET for retrieving the socket used
  by a filter chain.
  Added methods Curl_conn_cf_get_socket() and Curl_conn_get_socket()
  for convenient use of this query.
- Change VTLS backend to query their sub-filters for the socket when
  checks during the handshake are made.

HTTP/3 documentation on how https eyeballing works.

TLS improvements
- ALPN selection for SSL/SSL-PROXY filters in one vtls set of functions, replaces
  copy of logic in all tls backends.
- standardized the infof logging of offered ALPNs
- ALPN negotiated: have common function for all backends that sets alpn proprty
  and connection related things based on the negotiated protocol (or lack thereof).

Scorecard with Caddy.
- configure can be run with `--with-test-caddy=path` to specify which caddy to use for testing
- tests/tests-httpd/scorecard.py now measures download speeds with caddy

pytest improvements
- adding Makfile to clean gen dir
- adding nghttpx rundir creation on start
- checking httpd version 2.4.55 for test_05 cases where it is needed. Skipping with message if too old.
- catch exception when checking for caddy existance on system.

Closes #10349
2023-02-02 09:57:34 +01:00
Stefan Eissing
5651a36d1a
cf-socket: improvements in socket I/O handling
- Curl_write_plain/Curl_read_plain have been eliminated. Last code use
  now uses Curl_conn_send/recv so that requests use conn->send/revc
  callbacks which defaults to cfilters use.
- Curl_recv_plain/Curl_send_plain have been internalized in cf-socket.c.
- USE_RECV_BEFORE_SEND_WORKAROUND (active on Windows) has been moved
  into cf-socket.c. The pre_recv buffer is held at the socket filter
  context.  `postponed_data` structures have been removed from
  `connectdata`.
- the hanger in HTTP/2 request handling was a result of read buffering
  on all sends and the multi handling is not prepared for this. The
  following happens:

   - multi preforms on a HTTP/2 easy handle
   - h2 reads and processes data
   - this leads to a send of h2 data
   - which receives and buffers before the send
   - h2 returns
   - multi selects on the socket, but no data arrives (its in the buffer already)
   the workaround now receives data in a loop as long as there is something in
   the buffer. The real fix would be for multi to change, so that `data_pending`
   is evaluated before deciding to wait on the socket.

io_buffer, optional, in cf-socket.c, http/2 sets state.drain if lower
filter have pending data.

This io_buffer is only available/used when the
-DUSE_RECV_BEFORE_SEND_WORKAROUND is active, e.g. on Windows
configurations. It also maintains the original checks on protocol
handler being HTTP and conn->send/recv not being replaced.

The HTTP/2 (nghttp2) cfilter now sets data->state.drain when it finds
out that the "lower" filter chain has still pending data at the end of
its IO operation. This prevents the processing from becoming stalled.

Closes #10280
2023-01-31 11:23:59 +01:00
Daniel Stenberg
a3bcfab4b5
openssl: only use CA_BLOB if verifying peer
Reported-by: Paul Groke
Bug: https://curl.se/mail/lib-2023-01/0070.html
Fixes #10351
Closes #10359
2023-01-31 11:10:42 +01:00
Daniel Stenberg
fc10d86011
openssl: adapt to boringssl's error code type
BoringSSL uses uint32_t, OpenSSL uses 'unsigned 'long'

Closes #10360
2023-01-29 22:35:40 +01:00
Stefan Eissing
22d3e89e6f
vtls: do not null-check when we already assume cf-ctx exists
Fixes #10361
Closes #10362
2023-01-29 15:39:09 +01:00
Stefan Eissing
9e93bd47c2 vtls: Manage current easy handle in nested cfilter calls
The previous implementation cleared `data` so the outer invocation lost
its data, which could lead to a crash.

Bug: https://github.com/curl/curl/issues/10336
Reported-by: Fujii Hironori

Closes https://github.com/curl/curl/pull/10340
2023-01-26 03:05:01 -05:00
Cherish98
bde24fac7c openssl: don't log raw record headers
- Skip content type SSL3_RT_HEADER in verbose TLS output.

This commit prevents bogus and misleading verbose TLS header messages as
discussed in #10299.

Assisted-by: Peter Wu

Closes https://github.com/curl/curl/pull/10299
2023-01-24 03:31:07 -05:00
Stefan Eissing
f8da4f2f2d vtls: fix hostname handling in filters
- Copy the hostname and dispname to ssl_connect_data.

Use a copy instead of referencing the `connectdata` instance since this
may get free'ed on connection reuse.

Reported-by: Stefan Talpalaru
Reported-by: sergio-nsk@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/10273
Fixes https://github.com/curl/curl/issues/10309

Closes https://github.com/curl/curl/pull/10310
2023-01-20 00:40:18 -05:00
Jay Satiro
c4cd0e2be9 openssl: Don't ignore CA paths when using Windows CA store (redux)
.. and remove 'experimental' designation from CURLSSLOPT_NATIVE_CA.

This commit restores the behavior of CURLSSLOPT_NATIVE_CA so that it
does not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded
default locations. Instead the native Windows CA store can be used at
the same time.

---

This behavior was originally added over two years ago in abbc5d60
(#5585) but then 83393b1a (#7892) broke it over a year ago, I assume
inadvertently.

The CURLSSLOPT_NATIVE_CA feature was marked experimental and likely
rarely used.

Ref: https://github.com/curl/curl/pull/5585
Ref: https://github.com/curl/curl/pull/7892
Ref: https://curl.se/mail/lib-2023-01/0019.html

Closes https://github.com/curl/curl/pull/10244
2023-01-17 03:32:58 -05:00
Stefan Eissing
12157aa924
openssl: make the BIO_METHOD a local variable in the connection filter
This avoids UAF issues when `curl_global_cleanup()` is called before all
transfers have been completely handled. Unfortunately this seems to be a
more common pattern than we like.

Closes #10285
2023-01-12 23:43:56 +01:00
Stefan Eissing
db91dbbf2c
curl_log: for failf/infof and debug logging implementations
- new functions and macros for cfilter debugging
 - set CURL_DEBUG with names of cfilters where debug logging should be
   enabled
 - use GNUC __attribute__ to enable printf format checks during compile

Closes #10271
2023-01-12 10:14:17 +01:00
Stefan Eissing
088c08a7e4
ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
Using common method for SSL_CTX initialization of verfiy peer and CA
settings. This also provides X509_STORE sharing to become available for
ngtcp2+openssl HTTP/3.

Reported-by: violetlige on github

Fixes #10222
Closes #10239
2023-01-10 13:41:21 +01:00
Patrick Monnerat
ee0f73919a
nss: implement data_pending method
NSS currently uses the default Curl_none_data_pending() method which
always returns false, causing TLS buffered input data to be missed.

The current commit implements the nss_data_pending() method that properly
monitors the presence of available TLS data.

Ref:#10077

Closes #10225
2023-01-07 14:19:31 +01:00
jonrumsey
1f693e0aca
x509asn1: fix compile errors and warnings
Various small issues when built for GSKit

Closes #10238
2023-01-05 23:51:27 +01:00
Stefan Eissing
16bb32e104
sectransp: fix for incomplete read/writes
SecureTransport expects result code errSSLWouldBlock when the requested
length could not be sent/recieved in full. The previous code returned
noErr, which let SecureTransport to believe that the IO had terminated
prematurely.

Fixes #10227
Closes #10235
2023-01-05 16:04:12 +01:00
Daniel Stenberg
1485e89213
misc: reduce struct and struct field sizes
- by using BIT() instead of bool
- imap: shrink struct
- ftp: make state 'unsigned char'
- ftp: sort ftp_conn struct entries on size
- urldata: use smaller fields for SSL version info storage
- pop3: reduce the pop3_conn struct size
- smtp: reduce the size of the smtp structs

Closes #10186
2023-01-04 15:36:36 +01:00
Daniel Stenberg
2bc1d775f5
copyright: update all copyright lines and remove year ranges
- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205
2023-01-03 09:19:21 +01:00
Daniel Stenberg
4fc7737742
Revert "x509asn1: avoid freeing unallocated pointers"
This reverts commit 6b19247e79.

Fixes #10163
Closes #10207
2023-01-03 09:02:15 +01:00
Daniel Stenberg
becfe2ec78
urldata: cease storing TLS auth type
The only TLS auth type libcurl ever supported is SRP and that is the
default type. Since nobody ever sets any other type, there is no point
in wasting space to store the set type and code to check the type.

If TLS auth is used, SRP is now implied.

Closes #10181
2022-12-31 16:56:21 +01:00
Daniel Stenberg
df856cb5c9
vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
Previously libcurl would use the HTTP/1.1 ALPN id even when the
application specified HTTP/1.0.

Reported-by: William Tang
Ref: #10183
2022-12-31 16:53:21 +01:00
Stefan Eissing
71b7e01610
lib: connect/h2/h3 refactor
Refactoring of connection setup and happy eyeballing. Move
nghttp2. ngtcp2, quiche and msh3 into connection filters.

 - eyeballing cfilter that uses sub-filters for performing parallel connects
 - socket cfilter for all transport types, including QUIC
 - QUIC implementations in cfilter, can now participate in eyeballing
 - connection setup is more dynamic in order to adapt to what filter did
   really connect.  Relevant to see if a SSL filter needs to be added or
   if SSL has already been provided
 - HTTP/3 test cases similar to HTTP/2
 - multiuse of parallel transfers for HTTP/3, tested for ngtcp2 and quiche

 - Fix for data attach/detach in VTLS filters that could lead to crashes
   during parallel transfers.
 - Eliminating setup() methods in cfilters, no longer needed.
 - Improving Curl_conn_is_alive() to replace Curl_connalive() and
   integrated ssl alive checks into cfilter.
 - Adding CF_CNTRL_CONN_INFO_UPDATE to tell filters to update
   connection into and persist it at the easy handle.

 - Several more cfilter related cleanups and moves:
   - stream_weigth and dependency info is now wrapped in struct
     Curl_data_priority
   - Curl_data_priority members depend is available in HTTP2|HTTP3
   - Curl_data_priority members depend on NGHTTP2 support
   - handling init/reset/cleanup of priority part of url.c
   - data->state.priority same struct, but shallow copy for compares only

 - PROTOPT_STREAM has been removed
   - Curl_conn_is_mulitplex() now available to check on capability

 - Adding query method to connection filters.
   - ngtcp2+quiche: implementing query for max concurrent transfers.

 - Adding is_alive and keep_alive cfilter methods. Adding DATA_SETUP event.
   - setting keepalive timestamp on connect
   - DATA_SETUP is called after the connection has been completely
     setup (but may not connected yet) to allow filters to initialize
     data members they use.

 - there is no socket to be had with msh3, it is unclear how select
   shall work

 - manual test via "curl --http3 https://curl.se" fail with "empty
   reply from server".

 - Various socket/conn related cleanups:
   - Curl_socket is now Curl_socket_open and in cf-socket.c
   - Curl_closesocket is now Curl_socket_close and in cf-socket.c
   - Curl_ssl_use has been replaced with Cur_conn_is_ssl
   - Curl_conn_tcp_accepted_set has been split into
     Curl_conn_tcp_listen_set and Curl_conn_tcp_accepted_set
     with a clearer purpose

Closes #10141
2022-12-30 16:43:19 +01:00
Stefan Eissing
f39472ea9f
openssl: remove attached easy handles from SSL instances
- keeping the "current" easy handle registered at SSL* is no longer
   necessary, since the "calling" data object is already stored in the
   cfilter's context (and used by other SSL backends from there).
 - The "detach" of an easy handle that goes out of scope is then avoided.
 - using SSL_set0_wbio for clear reference counting where available.

Closes #10151
2022-12-28 13:30:05 +01:00
Daniel Stenberg
57d2d9b6be
lib: use size_t or int etc instead of longs
Since long is not using a consistent data size in curl builds, making it
often "waste" 32 bits.

Closes #10088
2022-12-14 12:31:01 +01:00
Daniel Gustafsson
6b19247e79 x509asn1: avoid freeing unallocated pointers
When utf8asn1str fails there is no allocation returned, so freeing
the return pointer in **to is at best a no-op and at worst a double-
free bug waiting to happen. The current coding isn't hiding any such
bugs but to future proof, avoid freeing the return value pointer iff
the function failed.

Closes: #10087
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-12-14 10:14:27 +01:00
Stefan Eissing
b42156b825
cfilter: improve SSL connection checks
- fixes `Curl_ssl_cf_get_ssl()` to detect also the first filter instance
  as ssl (refs #10053)

- replaces `Curl_ssl_use()` with the correct `Curl_conn_is_ssl()`

Closes #10054
Fixes #10053

Reported-by: Patrick Monnerat
2022-12-08 14:27:06 +01:00
Stefan Eissing
2d3e20a2fc
wolfssl: remove special BIO return code handling
- rely solely on the retry flag in BIO, similar to OpenSSL vtls
  implementation.

Ref: https://github.com/curl/curl/pull/10021#issuecomment-1336147053

Closes #10033
2022-12-06 11:08:12 +01:00
Daniel Stenberg
5ec759247a
openssl: return -1 on error in the BIO callbacks
BIO_read and BIO_write return negative numbers on error, including
retryable ones. A regression from 55807e6. Both branches should be
returning -1.

The APIs are patterned after POSIX read and write which, similarly,
return -1 on errors, not zero, with EAGAIN treated as an error.

Bug: https://github.com/curl/curl/issues/10013#issuecomment-1335308146
Reported-by: David Benjamin
Closes #10021
2022-12-06 09:50:29 +01:00
Stefan Eissing
5c27f6c452
openssl: fix for BoringSSL BIO result interpretation mixups
Reported-by: Robin Marx
Fixes #10013
Closes #10015
2022-12-01 18:27:27 +01:00
Stefan Eissing
27ec767ebd
gnutls: use common gnutls init and verify code for ngtcp2
Closes #10007
2022-12-01 10:57:36 +01:00
Daniel Stenberg
39bbd1cafb
openssl: prefix errors with '[lib]/[version]: '
To help users understand where this (cryptic) error message comes from.

Suggested-by: Philip Sanetra
Ref: #10002
Closes #10004
2022-11-30 14:05:57 +01:00
Daniel Stenberg
07203b0bb8
openssl/mbedtls: use %d for outputing port with failf (int)
Coverity CID 1517100

Also, remove some int typecasts in vtls.c for the port number

Closes #10001
2022-11-29 23:16:47 +01:00
Ikko Ashimine
ae99ac6ffb vtls: fix typo in vtls_int.h
paramter -> parameter

Closes: #9996
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2022-11-28 19:51:22 +01:00
Stefan Eissing
55807e6c05
tls: backends use connection filters for IO, enabling HTTPS-proxy
- OpenSSL (and compatible)
 - BearSSL
 - gnutls
 - mbedtls
 - rustls
 - schannel
 - secure-transport
 - wolfSSL (v5.0.0 and newer)

 This leaves only the following without HTTPS-proxy support:
 - gskit
 - nss
 - wolfSSL (versions earlier than v5.0.0)

Closes #9962
2022-11-28 13:56:23 +01:00
Stefan Eissing
f18956d0ca
cfilter: re-add conn as parameter to cfilter setup methods
- `Curl_ssl_get_config()` now returns the first config if no SSL proxy
  filter is active

- socket filter starts connection only on first invocation of its
  connect method

Fixes #9982
Closes #9983
2022-11-26 16:56:46 +01:00
Daniel Stenberg
9ecebb5d00
vtls: repair build with disabled proxy
Closes #9974
2022-11-24 09:04:14 +01:00
Daniel Gustafsson
3ae63a121d openssl: silence compiler warning when not using IPv6
In non-IPv6 builds the conn parameter is unused, and compilers which
run with "-Werror=unused-parameter" (or similar) warnings turned on
fails to build. Below is an excerpt from a CI job:

  vtls/openssl.c: In function ‘Curl_ossl_verifyhost’:
  vtls/openssl.c:2016:75: error: unused parameter ‘conn’ [-Werror=unused-parameter]
   2016 | CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
        |                                                       ~~~~~~~~~~~~~~~~~~~~^~~~

Closes: #9970
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2022-11-23 12:10:30 +01:00
Stefan Eissing
af22c2a546
vtls: localization of state data in filters
- almost all backend calls pass the Curl_cfilter intance instead of
   connectdata+sockindex
 - ssl_connect_data is remove from struct connectdata and made internal
   to vtls
 - ssl_connect_data is allocated in the added filter, kept at cf->ctx

 - added function to let a ssl filter access its ssl_primary_config and
   ssl_config_data this selects the propert subfields in conn and data,
   for filters added as plain or proxy
 - adjusted all backends to use the changed api
 - adjusted all backends to access config data via the exposed
   functions, no longer using conn or data directly

cfilter renames for clear purpose:

 - methods `Curl_conn_*(data, conn, sockindex)` work on the complete
   filter chain at `sockindex` and connection `conn`.
 - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter
   instance.
 - methods `Curl_conn_cf()` work on/with filter instances at a
   connection.
 - rebased and resolved some naming conflicts
 - hostname validation (und session lookup) on SECONDARY use the same
   name as on FIRST (again).

new debug macros and removing connectdata from function signatures where not
needed.

adapting schannel for new Curl_read_plain paramter.

Closes #9919
2022-11-22 14:25:50 +01:00
Stefan Eissing
4a8b4a1b66
cfiler: filter types have flags indicating what they do
- Adding Curl_conn_is_ip_connected() to check if network connectivity
  has been reached

- having ftp wait for network connectivity before proceeding with
  transfers.

Fixes test failures 1631 and 1632 with hyper.

Closes #9952
2022-11-22 08:20:38 +01:00
Jay Satiro
4f42150d04 sendf: change Curl_read_plain to wrap Curl_recv_plain (take 2)
Prior to this change Curl_read_plain would attempt to read the
socket directly. On Windows that's a problem because recv data may be
cached by libcurl and that data is only drained using Curl_recv_plain.

Rather than rewrite Curl_read_plain to handle cached recv data, I
changed it to wrap Curl_recv_plain, in much the same way that
Curl_write_plain already wraps Curl_send_plain.

Curl_read_plain -> Curl_recv_plain
Curl_write_plain -> Curl_send_plain

This fixes a bug in the schannel backend where decryption of arbitrary
TLS records fails because cached recv data is never drained. We send
data (TLS records formed by Schannel) using Curl_write_plain, which
calls Curl_send_plain, and that may do a recv-before-send
("pre-receive") to cache received data. The code calls Curl_read_plain
to read data (TLS records from the server), which prior to this change
did not call Curl_recv_plain and therefore cached recv data wasn't
retrieved, resulting in malformed TLS records and decryption failure
(SEC_E_DECRYPT_FAILURE).

The bug has only been observed during Schannel TLS 1.3 handshakes. Refer
to the issue and PR for more information.

--

This is take 2 of the original fix. It preserves the original behavior
of Curl_read_plain to write 0 to the bytes read parameter on error,
since apparently some callers expect that (SOCKS tests were hanging).
The original fix which landed in 12e1def5 and was later reverted in
18383fbf failed to work properly because it did not do that.

Also, it changes Curl_write_plain the same way to complement
Curl_read_plain, and it changes Curl_send_plain to return -1 instead of
0 on CURLE_AGAIN to complement Curl_recv_plain.

Behavior on error with these changes:

Curl_recv_plain returns -1 and *code receives error code.
Curl_send_plain returns -1 and *code receives error code.
Curl_read_plain returns error code and *n (bytes read) receives 0.
Curl_write_plain returns error code and *written receives 0.

--

Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361

Assisted-by: Joel Depooter
Reported-by: Egor Pugin

Fixes https://github.com/curl/curl/issues/9431
Closes https://github.com/curl/curl/pull/9949
2022-11-20 03:54:36 -05:00
Daniel Stenberg
18383fbf72
Revert "sendf: change Curl_read_plain to wrap Curl_recv_plain"
This reverts commit 12e1def51a.

It introduced SOCKS proxy fails, like test 700 never ending.

Reopens #9431
2022-11-18 11:00:29 +01:00
Jay Satiro
12e1def51a sendf: change Curl_read_plain to wrap Curl_recv_plain
Prior to this change Curl_read_plain would attempt to read the
socket directly. On Windows that's a problem because recv data may be
cached by libcurl and that data is only drained using Curl_recv_plain.

Rather than rewrite Curl_read_plain to handle cached recv data, I
changed it to wrap Curl_recv_plain, in much the same way that
Curl_write_plain already wraps Curl_send_plain.

Curl_read_plain -> Curl_recv_plain
Curl_write_plain -> Curl_send_plain

This fixes a bug in the schannel backend where decryption of arbitrary
TLS records fails because cached recv data is never drained. We send
data (TLS records formed by Schannel) using Curl_write_plain, which
calls Curl_send_plain, and that may do a recv-before-send
("pre-receive") to cache received data. The code calls Curl_read_plain
to read data (TLS records from the server), which prior to this change
did not call Curl_recv_plain and therefore cached recv data wasn't
retrieved, resulting in malformed TLS records and decryption failure
(SEC_E_DECRYPT_FAILURE).

The bug has only been observed during Schannel TLS 1.3 handshakes. Refer
to the issue and PR for more information.

Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361

Assisted-by: Joel Depooter
Reported-by: Egor Pugin

Fixes https://github.com/curl/curl/issues/9431
Closes https://github.com/curl/curl/pull/9904
2022-11-18 03:04:13 -05:00
Daniel Stenberg
aecc549699
vtls: fix build without proxy support
Follow-up to dafdb20a26

Closes #9895
2022-11-12 00:14:24 +01:00
Stefan Eissing
dafdb20a26
lib: connection filters (cfilter) addition to curl:
- general construct/destroy in connectdata
 - default implementations of callback functions
 - connect: cfilters for connect and accept
 - socks: cfilter for socks proxying
 - http_proxy: cfilter for http proxy tunneling
 - vtls: cfilters for primary and proxy ssl
 - change in general handling of data/conn
 - Curl_cfilter_setup() sets up filter chain based on data settings,
   if none are installed by the protocol handler setup
 - Curl_cfilter_connect() boot straps filters into `connected` status,
   used by handlers and multi to reach further stages
 - Curl_cfilter_is_connected() to check if a conn is connected,
   e.g. all filters have done their work
 - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE
   indicators for multi select to work
 - Curl_cfilter_data_pending() asks filters if the have incoming
   data pending for recv
 - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks
   installed in conn->recv/conn->send for io handling
 - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters
   and addition/removal of a `data` from their connection
 - adding vtl functions to prevent use of Curl_ssl globals directly
   in other parts of the code.

Reviewed-by: Daniel Stenberg
Closes #9855
2022-11-11 15:17:51 +01:00