diff options
| author | robot-contrib <robot-contrib@yandex-team.ru> | 2022-05-15 13:30:59 +0300 |
|---|---|---|
| committer | robot-contrib <robot-contrib@yandex-team.ru> | 2022-05-15 13:30:59 +0300 |
| commit | 00e5165677c67bdda88ef5b51216688eac357a3a (patch) | |
| tree | 230fc76cb76d47655f8481f9ae231c3590f55bfa /contrib/libs/curl/lib/vtls | |
| parent | 7a146619b8d5b192fddae23c34605f0494256956 (diff) | |
| download | ydb-00e5165677c67bdda88ef5b51216688eac357a3a.tar.gz | |
Update contrib/libs/curl to 7.83.1
ref:e0fbfbe6faf65e15f45ef0f846e92356916e91cf
Diffstat (limited to 'contrib/libs/curl/lib/vtls')
| -rw-r--r-- | contrib/libs/curl/lib/vtls/gskit.c | 29 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/gtls.c | 32 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/mbedtls.c | 16 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/nss.c | 14 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/openssl.c | 17 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/sectransp.c | 3 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/vtls.c | 21 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/x509asn1.c | 30 |
8 files changed, 94 insertions, 68 deletions
diff --git a/contrib/libs/curl/lib/vtls/gskit.c b/contrib/libs/curl/lib/vtls/gskit.c index 9b5fbe4dd6..7a65f92f20 100644 --- a/contrib/libs/curl/lib/vtls/gskit.c +++ b/contrib/libs/curl/lib/vtls/gskit.c @@ -293,27 +293,6 @@ static CURLcode set_numeric(struct Curl_easy *data, } -static CURLcode set_callback(struct Curl_easy *data, - gsk_handle h, GSK_CALLBACK_ID id, void *info) -{ - char buffer[STRERROR_LEN]; - int rc = gsk_attribute_set_callback(h, id, info); - - switch(rc) { - case GSK_OK: - return CURLE_OK; - case GSK_ERROR_IO: - failf(data, "gsk_attribute_set_callback() I/O error: %s", - Curl_strerror(errno, buffer, sizeof(buffer))); - break; - default: - failf(data, "gsk_attribute_set_callback(): %s", gsk_strerror(rc)); - break; - } - return CURLE_SSL_CONNECT_ERROR; -} - - static CURLcode set_ciphers(struct Curl_easy *data, gsk_handle h, unsigned int *protoflags) { @@ -796,13 +775,13 @@ static CURLcode gskit_connect_step1(struct Curl_easy *data, BACKEND->localfd = sockpair[0]; BACKEND->remotefd = sockpair[1]; setsockopt(BACKEND->localfd, SOL_SOCKET, SO_RCVBUF, - (void *) sobufsize, sizeof(sobufsize)); + (void *) &sobufsize, sizeof(sobufsize)); setsockopt(BACKEND->remotefd, SOL_SOCKET, SO_RCVBUF, - (void *) sobufsize, sizeof(sobufsize)); + (void *) &sobufsize, sizeof(sobufsize)); setsockopt(BACKEND->localfd, SOL_SOCKET, SO_SNDBUF, - (void *) sobufsize, sizeof(sobufsize)); + (void *) &sobufsize, sizeof(sobufsize)); setsockopt(BACKEND->remotefd, SOL_SOCKET, SO_SNDBUF, - (void *) sobufsize, sizeof(sobufsize)); + (void *) &sobufsize, sizeof(sobufsize)); curlx_nonblock(BACKEND->localfd, TRUE); curlx_nonblock(BACKEND->remotefd, TRUE); } diff --git a/contrib/libs/curl/lib/vtls/gtls.c b/contrib/libs/curl/lib/vtls/gtls.c index 0535011911..dd82755852 100644 --- a/contrib/libs/curl/lib/vtls/gtls.c +++ b/contrib/libs/curl/lib/vtls/gtls.c @@ -445,9 +445,10 @@ gtls_connect_step1(struct Curl_easy *data, } #ifdef USE_GNUTLS_SRP - if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && + if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && Curl_allow_auth_to_host(data)) { - infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); + infof(data, "Using TLS-SRP username: %s", + SSL_SET_OPTION(primary.username)); rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { @@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data, } rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, - SSL_SET_OPTION(username), - SSL_SET_OPTION(password)); + SSL_SET_OPTION(primary.username), + SSL_SET_OPTION(primary.password)); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_set_client_cred() failed: %s", gnutls_strerror(rc)); @@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data, } #endif - if(SSL_SET_OPTION(CRLfile)) { + if(SSL_SET_OPTION(primary.CRLfile)) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(backend->cred, - SSL_SET_OPTION(CRLfile), + SSL_SET_OPTION(primary.CRLfile), GNUTLS_X509_FMT_PEM); if(rc < 0) { failf(data, "error reading crl file %s (%s)", - SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); + SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); return CURLE_SSL_CRL_BADFILE; } else infof(data, "found %d CRL in %s", - rc, SSL_SET_OPTION(CRLfile)); + rc, SSL_SET_OPTION(primary.CRLfile)); } /* Initialize TLS session as a client */ @@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data, #ifdef USE_GNUTLS_SRP /* Only add SRP to the cipher list if SRP is requested. Otherwise * GnuTLS will disable TLS 1.3 support. */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { size_t len = strlen(prioritylist); char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); @@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data, #ifdef USE_GNUTLS_SRP /* put the credentials to the current session */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, backend->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { @@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, SSL_CONN_CONFIG(verifyhost) || SSL_CONN_CONFIG(issuercert)) { #ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(primary.username) && !SSL_CONN_CONFIG(verifypeer) && gnutls_cipher_get(session)) { /* no peer cert, but auth is ok if we have SRP user and cipher and no @@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, failf(data, "server certificate verification failed. CAfile: %s " "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): "none", - SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); + SSL_SET_OPTION(primary.CRLfile) ? + SSL_SET_OPTION(primary.CRLfile) : "none"); return CURLE_PEER_FAILED_VERIFICATION; } else @@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, gnutls_certificate_free_credentials(backend->cred); #ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL) + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(primary.username) != NULL) gnutls_srp_free_client_credentials(backend->srp_client_cred); #endif diff --git a/contrib/libs/curl/lib/vtls/mbedtls.c b/contrib/libs/curl/lib/vtls/mbedtls.c index a1ab6b42c9..70b51b8bdd 100644 --- a/contrib/libs/curl/lib/vtls/mbedtls.c +++ b/contrib/libs/curl/lib/vtls/mbedtls.c @@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, const char * const ssl_capath = SSL_CONN_CONFIG(CApath); char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); const char * const hostname = SSL_HOST_NAME(); #ifndef CURL_DISABLE_VERBOSE_STRINGS const long int port = SSL_HOST_PORT(); @@ -303,8 +303,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, &ts_entropy, NULL, 0); if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s", + failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s", -ret, errorbuf); + return CURLE_FAILED_INIT; } #else mbedtls_entropy_init(&backend->entropy); @@ -314,8 +315,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, &backend->entropy, NULL, 0); if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s", + failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s", -ret, errorbuf); + return CURLE_FAILED_INIT; } #endif /* THREADING_SUPPORT */ @@ -815,8 +817,8 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, if(next_protocol) { infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, next_protocol); #ifdef USE_HTTP2 - if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LEN) && - !next_protocol[ALPN_H2_LEN]) { + if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) && + !next_protocol[ALPN_H2_LENGTH]) { conn->negnpn = CURL_HTTP_VERSION_2; } else @@ -1015,7 +1017,7 @@ static CURLcode mbedtls_random(struct Curl_easy *data, if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "Failed - mbedTLS: ctr_drbg_seed returned (-0x%04X) %s", + failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s", -ret, errorbuf); } else { @@ -1023,7 +1025,7 @@ static CURLcode mbedtls_random(struct Curl_easy *data, if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "mbedTLS: ctr_drbg_init returned (-0x%04X) %s", + failf(data, "mbedtls_ctr_drbg_random returned (-0x%04X) %s", -ret, errorbuf); } } diff --git a/contrib/libs/curl/lib/vtls/nss.c b/contrib/libs/curl/lib/vtls/nss.c index 5b7de9f818..cb0509ff5b 100644 --- a/contrib/libs/curl/lib/vtls/nss.c +++ b/contrib/libs/curl/lib/vtls/nss.c @@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, PR_Free(common_name); } +/* A number of certs that will never occur in a real server handshake */ +#define TOO_MANY_CERTS 300 + static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) { CURLcode result = CURLE_OK; @@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); while(cert2) { i++; + if(i >= TOO_MANY_CERTS) { + CERT_DestroyCertificate(cert2); + failf(data, "certificate loop"); + return CURLE_SSL_CERTPROBLEM; + } if(cert2->isRoot) { CERT_DestroyCertificate(cert2); break; @@ -2027,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, } } - if(SSL_SET_OPTION(CRLfile)) { - const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); + if(SSL_SET_OPTION(primary.CRLfile)) { + const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); if(rv) { result = rv; goto error; } - infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); + infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); } if(SSL_SET_OPTION(primary.clientcert)) { diff --git a/contrib/libs/curl/lib/vtls/openssl.c b/contrib/libs/curl/lib/vtls/openssl.c index f15ac28a76..0db21b728d 100644 --- a/contrib/libs/curl/lib/vtls/openssl.c +++ b/contrib/libs/curl/lib/vtls/openssl.c @@ -215,11 +215,10 @@ * OpenSSL: supported since 1.0.2, see * https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html * BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30) - * LibreSSL: not tested. + * LibreSSL: since 2.5.3 (April 12, 2017) */ -#if ((OPENSSL_VERSION_NUMBER >= 0x10002000L) && \ - !defined(LIBRESSL_VERSION_NUMBER)) || \ - defined(OPENSSL_IS_BORINGSSL) +#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) || \ + defined(OPENSSL_IS_BORINGSSL) #define HAVE_SSL_CTX_SET_EC_CURVES #endif @@ -2663,7 +2662,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #endif const long int ssl_version = SSL_CONN_CONFIG(version); #ifdef USE_OPENSSL_SRP - const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); + const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); #endif char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); @@ -2674,7 +2673,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); const char * const ssl_capath = SSL_CONN_CONFIG(CApath); const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); char error_buffer[256]; struct ssl_backend_data *backend = connssl->backend; bool imported_native_ca = false; @@ -2926,15 +2925,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #ifdef USE_OPENSSL_SRP if((ssl_authtype == CURL_TLSAUTH_SRP) && Curl_allow_auth_to_host(data)) { - char * const ssl_username = SSL_SET_OPTION(username); - + char * const ssl_username = SSL_SET_OPTION(primary.username); + char * const ssl_password = SSL_SET_OPTION(primary.password); infof(data, "Using TLS-SRP username: %s", ssl_username); if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { failf(data, "Unable to set SRP user name"); return CURLE_BAD_FUNCTION_ARGUMENT; } - if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { + if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { failf(data, "failed setting SRP password"); return CURLE_BAD_FUNCTION_ARGUMENT; } diff --git a/contrib/libs/curl/lib/vtls/sectransp.c b/contrib/libs/curl/lib/vtls/sectransp.c index 8ee8fe997f..2e57d83785 100644 --- a/contrib/libs/curl/lib/vtls/sectransp.c +++ b/contrib/libs/curl/lib/vtls/sectransp.c @@ -2045,8 +2045,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, err = SSLSetPeerDomainName(backend->ssl_ctx, snihost, snilen); if(err != noErr) { - infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d", + failf(data, "SSL: SSLSetPeerDomainName() failed: OSStatus %d", err); + return CURLE_SSL_CONNECT_ERROR; } if((Curl_inet_pton(AF_INET, hostname, &addr)) diff --git a/contrib/libs/curl/lib/vtls/vtls.c b/contrib/libs/curl/lib/vtls/vtls.c index a40ac06f68..e2d34388cc 100644 --- a/contrib/libs/curl/lib/vtls/vtls.c +++ b/contrib/libs/curl/lib/vtls/vtls.c @@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, { if((data->version == needle->version) && (data->version_max == needle->version_max) && + (data->ssl_options == needle->ssl_options) && (data->verifypeer == needle->verifypeer) && (data->verifyhost == needle->verifyhost) && (data->verifystatus == needle->verifystatus) && @@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, Curl_safecmp(data->clientcert, needle->clientcert) && Curl_safecmp(data->random_file, needle->random_file) && Curl_safecmp(data->egdsocket, needle->egdsocket) && +#ifdef USE_TLS_SRP + Curl_safecmp(data->username, needle->username) && + Curl_safecmp(data->password, needle->password) && + (data->authtype == needle->authtype) && +#endif Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && Curl_safe_strcasecompare(data->curves, needle->curves) && + Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) return TRUE; @@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, dest->verifyhost = source->verifyhost; dest->verifystatus = source->verifystatus; dest->sessionid = source->sessionid; + dest->ssl_options = source->ssl_options; +#ifdef USE_TLS_SRP + dest->authtype = source->authtype; +#endif CLONE_BLOB(cert_blob); CLONE_BLOB(ca_info_blob); @@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, CLONE_STRING(cipher_list13); CLONE_STRING(pinned_key); CLONE_STRING(curves); + CLONE_STRING(CRLfile); +#ifdef USE_TLS_SRP + CLONE_STRING(username); + CLONE_STRING(password); +#endif return TRUE; } @@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) Curl_safefree(sslc->ca_info_blob); Curl_safefree(sslc->issuercert_blob); Curl_safefree(sslc->curves); + Curl_safefree(sslc->CRLfile); +#ifdef USE_TLS_SRP + Curl_safefree(sslc->username); + Curl_safefree(sslc->password); +#endif } #ifdef USE_SSL diff --git a/contrib/libs/curl/lib/vtls/x509asn1.c b/contrib/libs/curl/lib/vtls/x509asn1.c index f64acb83c9..dfb938621c 100644 --- a/contrib/libs/curl/lib/vtls/x509asn1.c +++ b/contrib/libs/curl/lib/vtls/x509asn1.c @@ -945,6 +945,24 @@ static int do_pubkey(struct Curl_easy *data, int certnum, /* Generate all information records for the public key. */ + if(strcasecompare(algo, "ecPublicKey")) { + /* + * ECC public key is all the data, a value of type BIT STRING mapped to + * OCTET STRING and should not be parsed as an ASN.1 value. + */ + const unsigned long len = + (unsigned long)((pubkey->end - pubkey->beg - 2) * 4); + if(!certnum) + infof(data, " ECC Public Key (%lu bits)", len); + if(data->set.ssl.certinfo) { + char q[sizeof(len) * 8 / 3 + 1]; + msnprintf(q, sizeof(q), "%lu", len); + if(Curl_ssl_push_certinfo(data, certnum, "ECC Public Key", q)) + return 1; + } + return do_pubkey_field(data, certnum, "ecPublicKey", pubkey); + } + /* Get the public key (single element). */ if(!getASN1Element(&pk, pubkey->beg + 1, pubkey->end)) return 1; @@ -971,14 +989,10 @@ static int do_pubkey(struct Curl_easy *data, int certnum, if(!certnum) infof(data, " RSA Public Key (%lu bits)", len); if(data->set.ssl.certinfo) { - q = curl_maprintf("%lu", len); - if(q) { - CURLcode result = - Curl_ssl_push_certinfo(data, certnum, "RSA Public Key", q); - free((char *) q); - if(result) - return 1; - } + char r[sizeof(len) * 8 / 3 + 1]; + msnprintf(r, sizeof(r), "%lu", len); + if(Curl_ssl_push_certinfo(data, certnum, "RSA Public Key", r)) + return 1; } /* Generate coefficients. */ if(do_pubkey_field(data, certnum, "rsa(n)", &elem)) |