Commit Graph

22543 Commits

Author SHA1 Message Date
Daniel Stenberg
f7512d7bec
curl_global_sslset.3: show the struct and enum too
... so that users can actually write code based on the man page alone,
not having to read the header file.
2017-08-31 10:13:49 +02:00
Jay Satiro
aa2ea66cda darwinssl: handle long strings in TLS certs (follow-up)
- Fix handling certificate subjects that are already UTF-8 encoded.

Follow-up to b3b75d1 from two days ago. Since then a copy would be
skipped if the subject was already UTF-8, possibly resulting in a NULL
deref later on.

Ref: https://github.com/curl/curl/issues/1823
Ref: https://github.com/curl/curl/pull/1831

Closes https://github.com/curl/curl/pull/1836
2017-08-31 02:37:35 -04:00
Daniel Stenberg
410bf6b7b1
cyassl: call it the "WolfSSL" backend
... instead of cyassl, as this is the current name for it.

Closes #1844
2017-08-31 00:55:36 +02:00
Daniel Stenberg
5734f73f0d
polarssl: fix multissl breakage
Reported-by: Dan Fandrich
Bug: https://curl.haxx.se/mail/lib-2017-08/0121.html
Closes #1843
2017-08-31 00:53:05 +02:00
Daniel Stenberg
5fbb494292
configure: remove the leading comma from the backends list
... when darwinssl is used.

Reported-by: Viktor Szakats
Bug: b0989cd3ab (commitcomment-23943493)

Closes #1845
2017-08-31 00:51:11 +02:00
Kamil Dudka
7ec797b13a examples/sslbackend.c: fix failure of 'make checksrc'
./sslbackend.c:58:3: warning: else after closing brace on same line (BRACEELSE)
   } else if(isdigit(*name)) {
   ^
./sslbackend.c:62:3: warning: else after closing brace on same line (BRACEELSE)
   } else
   ^
2017-08-30 14:16:35 +02:00
Viktor Szakats
c86e21b624 makefile.m32: add multissl support
Closes https://github.com/curl/curl/pull/1840
2017-08-30 10:44:50 +00:00
Daniel Stenberg
29c2bdee93
curl.h: CURLSSLBACKEND_WOLFSSL used wrong value
The CURLSSLBACKEND_WOLFSSL is supposed to be an alias for
CURLSSLBACKEND_CYASSL, but used an erronous value. To reduce the risk
for a similar mistake, define the backend aliases to use the enum values
instead.

Reported-by: Gisle Vanem
Bug: https://curl.haxx.se/mail/lib-2017-08/0120.html
2017-08-30 10:04:00 +02:00
Daniel Stenberg
860443bee4
curl_global_sslset.3: clarify
it is a one time *set*, not necessarily a one time use... it can be
called again if the first call failed or just listed the alternatives.

clarify that the available backends are the ones this build supports

plus add some formatting

Reported-by: Rich Gray
Bug: https://curl.haxx.se/mail/lib-2017-08/0119.html
2017-08-30 09:57:05 +02:00
Daniel Stenberg
73fa6aa00a
curl/multi.h: remove duplicated closing c++ brace
Regression since 1328f69d53

Fixes #1841
Reported-by: Andrei Karas
2017-08-29 17:14:36 +02:00
Daniel Stenberg
ff40c89b8d
RELEASE-NOTES: synced with 8c33c963a 2017-08-29 10:51:01 +02:00
Daniel Stenberg
8c33c963a0
HELP-US.md: spelling 2017-08-29 08:31:59 +02:00
Daniel Stenberg
f93bf2c79b
HELP-US.md: "How to get started helping out in the curl project"
Closes #1837
2017-08-29 08:29:36 +02:00
Dan Fandrich
df29455dbc asyn-thread: Fixed cleanup after OOM
destroy_async_data() assumes that if the flag "done" is not set yet, the
thread itself will clean up once the request is complete.  But if an
error (generally OOM) occurs before the thread even has a chance to
start, it will never get a chance to clean up and memory will be leaked.
By clearing "done" only just before starting the thread, the correct
cleanup sequence will happen in all cases.
2017-08-29 00:35:19 +02:00
Daniel Stenberg
edcb1ef60f
curl_global_init.3: mention curl_global_sslset(3) 2017-08-28 23:58:42 +02:00
Dan Fandrich
82604c5007 unit1606: Fixed shadowed variable warning 2017-08-28 23:55:55 +02:00
Dan Fandrich
d5d736726c asyn-thread: Improved cleanup after OOM situations 2017-08-28 23:55:55 +02:00
Dan Fandrich
11a8778e0b asyn-thread: Set errno to the proper value ENOMEM in OOM situation
This used to be set in some configurations to EAI_MEMORY which is not a
valid value for errno and caused Curl_strerror to fail an assertion.
2017-08-28 23:55:55 +02:00
Johannes Schindelin
a330bab353
configure: Handle "MultiSSL" specially When versioning symbols
There is a mode in which libcurl is compiled with versioned symbols,
depending on the active SSL backend.

When multiple SSL backends are active, it does not make sense to favor
one over the others, so let's not: introduce a new prefix for the case
where multiple SSL backends are compiled into cURL.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 23:01:17 +02:00
Johannes Schindelin
c7170e20d0
configure: allow setting the default SSL backend
Previously, we used as default SSL backend whatever was first in the
`available_backends` array.

However, some users may want to override that default without patching
the source code.

Now they can: with the --with-default-ssl-backend=<backend> option of
the ./configure script.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 22:56:50 +02:00
Johannes Schindelin
3063254e32
vtls: use Curl_ssl_multi pseudo backend only when needed
When only one SSL backend is configured, it is totally unnecessary to
let multissl_init() configure the backend at runtime, we can select the
correct backend at build time already.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 22:56:49 +02:00
Johannes Schindelin
81d318fa95
version: if built with more than one SSL backend, report all of them
To discern the active one from the inactive ones, put the latter into
parentheses.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 22:56:49 +02:00
Johannes Schindelin
9d96a5f0b5
version: add the CURL_VERSION_MULTI_SSL feature flag
This new feature flag reports When cURL was built with multiple SSL
backends.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 22:56:49 +02:00
Johannes Schindelin
b180a273fa
metalink: allow compiling with multiple SSL backends
Previously, the code assumed that at most one of the SSL backends would
be compiled in, emulating OpenSSL's functions if the configured backend
was not OpenSSL itself.

However, now we allow building with multiple SSL backends and choosing
one at runtime. Therefore, metalink needs to be adjusted to handle this
scenario, too.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:59 +02:00
Johannes Schindelin
a34e141c09
docs/examples: demonstrate how to select SSL backends
The newly-introduced curl_global_sslset() function deserves to be
show-cased.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:59 +02:00
Johannes Schindelin
0fb4125554
Add a man page for curl_global_sslset()
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:59 +02:00
Johannes Schindelin
1328f69d53
vtls: introduce curl_global_sslset()
Let's add a compile time safe API to select an SSL backend. This
function needs to be called *before* curl_global_init(), and can be
called only once.

Side note: we do not explicitly test that it is called before
curl_global_init(), but we do verify that it is not called multiple times
(even implicitly).

If SSL is used before the function was called, it will use whatever the
CURL_SSL_BACKEND environment variable says (or default to the first
available SSL backend), and if a subsequent call to
curl_global_sslset() disagrees with the previous choice, it will fail
with CURLSSLSET_TOO_LATE.

The function also accepts an "avail" parameter to point to a (read-only)
NULL-terminated list of available backends. This comes in real handy if
an application wants to let the user choose between whatever SSL backends
the currently available libcurl has to offer: simply call

	curl_global_sslset(-1, NULL, &avail);

which will return CURLSSLSET_UNKNOWN_BACKEND and populate the avail
variable to point to the relevant information to present to the user.

Just like with the HTTP/2 push functions, we have to add the function
declaration of curl_global_sslset() function to the header file
*multi.h* because VMS and OS/400 require a stable order of functions
declared in include/curl/*.h (where the header files are sorted
alphabetically). This looks a bit funny, but it cannot be helped.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:59 +02:00
Johannes Schindelin
b59288f881
vtls: refactor out essential information about the SSL backends
There is information about the compiled-in SSL backends that is really
no concern of any code other than the SSL backend itself, such as which
function (if any) implements SHA-256 summing.

And there is information that is really interesting to the user, such as
the name, or the curl_sslbackend value.

Let's factor out the latter into a publicly visible struct. This
information will be used in the upcoming API to set the SSL backend
globally.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
b0989cd3ab
vtls: allow selecting which SSL backend to use at runtime
When building software for the masses, it is sometimes not possible to
decide for all users which SSL backend is appropriate.

Git for Windows, for example,  uses cURL to perform clones, fetches and
pushes via HTTPS, and some users strongly prefer OpenSSL, while other
users really need to use Secure Channel because it offers
enterprise-ready tools to manage credentials via Windows' Credential
Store.

The current Git for Windows versions use the ugly work-around of
building libcurl once with OpenSSL support and once with Secure Channel
support, and switching out the binaries in the installer depending on
the user's choice.

Needless to say, this is a super ugly workaround that actually only
works in some cases: Git for Windows also comes in a portable form, and
in a form intended for third-party applications requiring Git
functionality, in which cases this "swap out libcurl-4.dll" simply is
not an option.

Therefore, the Git for Windows project has a vested interest in teaching
cURL to make the SSL backend a *runtime* option.

This patch makes that possible.

By running ./configure with multiple --with-<backend> options, cURL will
be built with multiple backends.

For the moment, the backend can be configured using the environment
variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
"schannel").

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
a53bda35e9
vtls: fold the backend ID into the Curl_ssl structure
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
a243ce7ab2
curl_ntlm_core: don't complain but #include OpenSSL header if needed
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
70f1db321a
vtls: encapsulate SSL backend-specific data
So far, all of the SSL backends' private data has been declared as
part of the ssl_connect_data struct, in one big #if .. #elif .. #endif
block.

This can only work as long as the SSL backend is a compile-time option,
something we want to change in the next commits.

Therefore, let's encapsulate the exact data needed by each SSL backend
into a private struct, and let's avoid bleeding any SSL backend-specific
information into urldata.h. This is also necessary to allow multiple SSL
backends to be compiled in at the same time, as e.g. OpenSSL's and
CyaSSL's headers cannot be included in the same .c file.

To avoid too many malloc() calls, we simply append the private structs
to the connectdata struct in allocate_conn().

This requires us to take extra care of alignment issues: struct fields
often need to be aligned on certain boundaries e.g. 32-bit values need to
be stored at addresses that divide evenly by 4 (= 32 bit / 8
bit-per-byte).

We do that by assuming that no SSL backend's private data contains any
fields that need to be aligned on boundaries larger than `long long`
(typically 64-bit) would need. Under this assumption, we simply add a
dummy field of type `long long` to the `struct connectdata` struct. This
field will never be accessed but acts as a placeholder for the four
instances of ssl_backend_data instead. the size of each ssl_backend_data
struct is stored in the SSL backend-specific metadata, to allow
allocate_conn() to know how much extra space to allocate, and how to
initialize the ssl[sockindex]->backend and proxy_ssl[sockindex]->backend
pointers.

This would appear to be a little complicated at first, but is really
necessary to encapsulate the private data of each SSL backend correctly.
And we need to encapsulate thusly if we ever want to allow selecting
CyaSSL and OpenSSL at runtime, as their headers cannot be included within
the same .c file (there are just too many conflicting definitions and
declarations for that).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
d65e6cc4fc
vtls: prepare the SSL backends for encapsulated private data
At the moment, cURL's SSL backend needs to be configured at build time.
As such, it is totally okay for them to hard-code their backend-specific
data in the ssl_connect_data struct.

In preparation for making the SSL backend a runtime option, let's make
the access of said private data a bit more abstract so that it can be
adjusted later in an easy manner.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
20c6cf7e95
urldata.h: move SSPI-specific #include to correct location
In 86b889485 (sasl_gssapi: Added GSS-API based Kerberos V5 variables,
2014-12-03), an SSPI-specific field was added to the kerberos5data
struct without moving the #include "curl_sspi.h" later in the same file.

This broke the build when SSPI was enabled, unless Secure Channel was
used as SSL backend, because it just so happens that Secure Channel also
requires "curl_sspi.h" to be #included.

In f4739f639 (urldata: include curl_sspi.h when Windows SSPI is enabled,
2017-02-21), this bug was fixed incorrectly: Instead of moving the
appropriate conditional #include, the Secure Channel-conditional part
was now also SSPI-conditional.

Fix this problem by moving the correct #include instead.

This is also required for an upcoming patch that moves all the Secure
Channel-specific stuff out of urldata.h and encapsulates it properly in
vtls/schannel.c instead.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:58 +02:00
Johannes Schindelin
583cb03f91
urldata.h: remove support for obsolete PolarSSL version
Since 5017d5ada (polarssl: now require 1.3.0+, 2014-03-17), we require
a newer PolarSSL version. No need to keep code trying to support any
older version.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
69039fd1fa
getinfo: access SSL internals via Curl_ssl
In the ongoing endeavor to abstract out all SSL backend-specific
functionality, this is the next step: Instead of hard-coding how the
different SSL backends access their internal data in getinfo.c, let's
implement backend-specific functions to do that task.

This will also allow for switching SSL backends as a runtime option.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
118b074fba
vtls: move SSL backends' private constants out of their header files
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
5d9fcd2165
axtls: use Curl_none_* versions of init() and cleanup()
There are convenient no-op versions of the init/cleanup functions now,
no need to define private ones for axTLS.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
6f1eec14e0
vtls: remove obsolete declarations of SSL backend functionality
These functions are all available via the Curl_ssl struct now, no need
to declare them separately anymore.

As the global declarations are removed, the corresponding function
definitions are marked as file-local. The only two exceptions here are
Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the
declarations were removed, there are no function definitions to mark
file-local.

Please note that Curl_nss_force_init() is *still* declared globally, as
the only SSL backend-specific function, because it was introduced
specifically for the use case where cURL was compiled with
`--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add
support for NSS, 2010-06-27).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
742ddc9d8f
schannel: reorder functions topologically
The _shutdown() function calls the _session_free() function; While this
is not a problem now (because schannel.h declares both functions), a
patch looming in the immediate future with make all of these functions
file-local.

So let's just move the _session_free() function's definition before it
is called.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
3ea5461d4e
axtls: reorder functions topologically
The connect_finish() function (like many other functions after it) calls
the Curl_axtls_close() function; While this is not a problem now
(because axtls.h declares the latter function), a patch looming in the
immediate future with make all of these functions file-local.

So let's just move the Curl_axtls_close() function's definition before
it is called.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:57 +02:00
Johannes Schindelin
f0b4db1ab0
vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct
That will allow us to choose the SSL backend at runtime.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
937899a3b8
vtls: convert the have_curlssl_* constants to runtime flags
The entire idea of introducing the Curl_ssl struct to describe SSL
backends is to prepare for choosing the SSL backend at runtime.

To that end, convert all the #ifdef have_curlssl_* style conditionals
to use bit flags instead.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
0a083a66bc
vtls: move sha256sum into the Curl_ssl struct
The SHA-256 checksumming is also an SSL backend-specific function.
Let's include it in the struct declaring the functionality of SSL
backends.

In contrast to MD5, there is no fall-back code. To indicate this, the
respective entries are NULL for those backends that offer no support for
SHA-256 checksumming.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
e35205a0c4
vtls: move md5sum into the Curl_ssl struct
The MD5 summing is also an SSL backend-specific function. So let's
include it, offering the previous fall-back code as a separate function
now: Curl_none_md5sum(). To allow for that, the signature had to be
changed so that an error could be returned from the implementation
(Curl_none_md5sum() can run out of memory).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
52e8237bfc
vtls: use the Curl_ssl struct to access all SSL backends' functionality
This is the first step to unify the SSL backend handling. Now all the
SSL backend-specific functionality is accessed via a global instance of
the Curl_ssl struct.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
e09bb63ed8
vtls: declare Curl_ssl structs for every SSL backend
The idea of introducing the Curl_ssl struct was to unify how the SSL
backends are declared and called. To this end, we now provide an
instance of the Curl_ssl struct for each and every SSL backend.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
e7e03e47d4
vtls: introduce a new struct for SSL backends
This new struct is similar in nature to Curl_handler: it will define the
functions and capabilities of all the SSL backends (where Curl_handler
defines the functions and capabilities of protocol handlers).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:56 +02:00
Johannes Schindelin
c9d526cdbf
vtls: make sure every _sha256sum()'s first arg is const
This patch makes the signature of the _sha256sum() functions consistent
among the SSL backends, in preparation for unifying the way all SSL
backends are accessed.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:55 +02:00
Johannes Schindelin
2568cfed2d
vtls: make sure all _data_pending() functions return bool
This patch makes the signature of the _data_pending() functions
consistent among the SSL backends, in preparation for unifying the way
all SSL backends are accessed.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 14:56:55 +02:00