diff options
| author | robot-contrib <robot-contrib@yandex-team.ru> | 2022-04-28 16:36:59 +0300 |
|---|---|---|
| committer | robot-contrib <robot-contrib@yandex-team.ru> | 2022-04-28 16:36:59 +0300 |
| commit | 1d80f65d6a77d0e4c1b3a18a6a970715934ecd75 (patch) | |
| tree | e0363932ca34036e90ac4cd461092c763acb3a4d /contrib/libs/curl/lib/vtls | |
| parent | 505c75794e448a38ffa0b066ccef3299aec10239 (diff) | |
| download | ydb-1d80f65d6a77d0e4c1b3a18a6a970715934ecd75.tar.gz | |
Update contrib/libs/curl to 7.83.0
ref:72dd794f7af62e3844c14f0a9bcee77e66f30a36
Diffstat (limited to 'contrib/libs/curl/lib/vtls')
| -rw-r--r-- | contrib/libs/curl/lib/vtls/bearssl.c | 242 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/gskit.c | 13 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/gtls.c | 44 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/mbedtls.c | 37 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/nss.c | 20 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/openssl.c | 55 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/openssl.h | 8 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/rustls.c | 10 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/schannel.c | 12 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/schannel_verify.c | 4 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/sectransp.c | 14 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/vtls.c | 21 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/vtls.h | 11 | ||||
| -rw-r--r-- | contrib/libs/curl/lib/vtls/wolfssl.c | 21 |
14 files changed, 394 insertions, 118 deletions
diff --git a/contrib/libs/curl/lib/vtls/bearssl.c b/contrib/libs/curl/lib/vtls/bearssl.c index 77e22cf3e0..91f4416e8f 100644 --- a/contrib/libs/curl/lib/vtls/bearssl.c +++ b/contrib/libs/curl/lib/vtls/bearssl.c @@ -35,6 +35,7 @@ #include "multiif.h" #include "curl_printf.h" #include "curl_memory.h" +#include "strcase.h" struct x509_context { const br_x509_class *vtable; @@ -353,6 +354,216 @@ static const br_x509_class x509_vtable = { x509_get_pkey }; +struct st_cipher { + const char *name; /* Cipher suite IANA name. It starts with "TLS_" prefix */ + const char *alias_name; /* Alias name is the same as OpenSSL cipher name */ + uint16_t num; /* BearSSL cipher suite */ +}; + +/* Macro to initialize st_cipher data structure */ +#define CIPHER_DEF(num, alias) { #num, alias, BR_##num } + +static const struct st_cipher ciphertable[] = { + /* RFC 2246 TLS 1.0 */ + CIPHER_DEF(TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x000A */ + "DES-CBC3-SHA"), + + /* RFC 3268 TLS 1.0 AES */ + CIPHER_DEF(TLS_RSA_WITH_AES_128_CBC_SHA, /* 0x002F */ + "AES128-SHA"), + CIPHER_DEF(TLS_RSA_WITH_AES_256_CBC_SHA, /* 0x0035 */ + "AES256-SHA"), + + /* RFC 5246 TLS 1.2 */ + CIPHER_DEF(TLS_RSA_WITH_AES_128_CBC_SHA256, /* 0x003C */ + "AES128-SHA256"), + CIPHER_DEF(TLS_RSA_WITH_AES_256_CBC_SHA256, /* 0x003D */ + "AES256-SHA256"), + + /* RFC 5288 TLS 1.2 AES GCM */ + CIPHER_DEF(TLS_RSA_WITH_AES_128_GCM_SHA256, /* 0x009C */ + "AES128-GCM-SHA256"), + CIPHER_DEF(TLS_RSA_WITH_AES_256_GCM_SHA384, /* 0x009D */ + "AES256-GCM-SHA384"), + + /* RFC 4492 TLS 1.0 ECC */ + CIPHER_DEF(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC003 */ + "ECDH-ECDSA-DES-CBC3-SHA"), + CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC004 */ + "ECDH-ECDSA-AES128-SHA"), + CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC005 */ + "ECDH-ECDSA-AES256-SHA"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC008 */ + "ECDHE-ECDSA-DES-CBC3-SHA"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC009 */ + "ECDHE-ECDSA-AES128-SHA"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC00A */ + "ECDHE-ECDSA-AES256-SHA"), + CIPHER_DEF(TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC00D */ + "ECDH-RSA-DES-CBC3-SHA"), + CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, /* 0xC00E */ + "ECDH-RSA-AES128-SHA"), + CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, /* 0xC00F */ + "ECDH-RSA-AES256-SHA"), + CIPHER_DEF(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC012 */ + "ECDHE-RSA-DES-CBC3-SHA"), + CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, /* 0xC013 */ + "ECDHE-RSA-AES128-SHA"), + CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, /* 0xC014 */ + "ECDHE-RSA-AES256-SHA"), + + /* RFC 5289 TLS 1.2 ECC HMAC SHA256/384 */ + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC023 */ + "ECDHE-ECDSA-AES128-SHA256"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC024 */ + "ECDHE-ECDSA-AES256-SHA384"), + CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC025 */ + "ECDH-ECDSA-AES128-SHA256"), + CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC026 */ + "ECDH-ECDSA-AES256-SHA384"), + CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, /* 0xC027 */ + "ECDHE-RSA-AES128-SHA256"), + CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, /* 0xC028 */ + "ECDHE-RSA-AES256-SHA384"), + CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, /* 0xC029 */ + "ECDH-RSA-AES128-SHA256"), + CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, /* 0xC02A */ + "ECDH-RSA-AES256-SHA384"), + + /* RFC 5289 TLS 1.2 GCM */ + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02B */ + "ECDHE-ECDSA-AES128-GCM-SHA256"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02C */ + "ECDHE-ECDSA-AES256-GCM-SHA384"), + CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02D */ + "ECDH-ECDSA-AES128-GCM-SHA256"), + CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02E */ + "ECDH-ECDSA-AES256-GCM-SHA384"), + CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, /* 0xC02F */ + "ECDHE-RSA-AES128-GCM-SHA256"), + CIPHER_DEF(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, /* 0xC030 */ + "ECDHE-RSA-AES256-GCM-SHA384"), + CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, /* 0xC031 */ + "ECDH-RSA-AES128-GCM-SHA256"), + CIPHER_DEF(TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, /* 0xC032 */ + "ECDH-RSA-AES256-GCM-SHA384"), +#ifdef BR_TLS_RSA_WITH_AES_128_CCM + + /* RFC 6655 TLS 1.2 CCM + Supported since BearSSL 0.6 */ + CIPHER_DEF(TLS_RSA_WITH_AES_128_CCM, /* 0xC09C */ + "AES128-CCM"), + CIPHER_DEF(TLS_RSA_WITH_AES_256_CCM, /* 0xC09D */ + "AES256-CCM"), + CIPHER_DEF(TLS_RSA_WITH_AES_128_CCM_8, /* 0xC0A0 */ + "AES128-CCM8"), + CIPHER_DEF(TLS_RSA_WITH_AES_256_CCM_8, /* 0xC0A1 */ + "AES256-CCM8"), + + /* RFC 7251 TLS 1.2 ECC CCM + Supported since BearSSL 0.6 */ + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CCM, /* 0xC0AC */ + "ECDHE-ECDSA-AES128-CCM"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CCM, /* 0xC0AD */ + "ECDHE-ECDSA-AES256-CCM"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, /* 0xC0AE */ + "ECDHE-ECDSA-AES128-CCM8"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, /* 0xC0AF */ + "ECDHE-ECDSA-AES256-CCM8"), +#endif + + /* RFC 7905 TLS 1.2 ChaCha20-Poly1305 + Supported since BearSSL 0.2 */ + CIPHER_DEF(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA8 */ + "ECDHE-RSA-CHACHA20-POLY1305"), + CIPHER_DEF(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA9 */ + "ECDHE-ECDSA-CHACHA20-POLY1305"), +}; + +#define NUM_OF_CIPHERS (sizeof(ciphertable) / sizeof(ciphertable[0])) +#define CIPHER_NAME_BUF_LEN 64 + +static bool is_separator(char c) +{ + /* Return whether character is a cipher list separator. */ + switch(c) { + case ' ': + case '\t': + case ':': + case ',': + case ';': + return true; + } + return false; +} + +static CURLcode bearssl_set_selected_ciphers(struct Curl_easy *data, + br_ssl_engine_context *ssl_eng, + const char *ciphers) +{ + uint16_t selected_ciphers[NUM_OF_CIPHERS]; + size_t selected_count = 0; + char cipher_name[CIPHER_NAME_BUF_LEN]; + const char *cipher_start = ciphers; + const char *cipher_end; + size_t i, j; + + if(!cipher_start) + return CURLE_SSL_CIPHER; + + while(true) { + /* Extract the next cipher name from the ciphers string */ + while(is_separator(*cipher_start)) + ++cipher_start; + if(*cipher_start == '\0') + break; + cipher_end = cipher_start; + while(*cipher_end != '\0' && !is_separator(*cipher_end)) + ++cipher_end; + j = cipher_end - cipher_start < CIPHER_NAME_BUF_LEN - 1 ? + cipher_end - cipher_start : CIPHER_NAME_BUF_LEN - 1; + strncpy(cipher_name, cipher_start, j); + cipher_name[j] = '\0'; + cipher_start = cipher_end; + + /* Lookup the cipher name in the table of available ciphers. If the cipher + name starts with "TLS_" we do the lookup by IANA name. Otherwise, we try + to match cipher name by an (OpenSSL) alias. */ + if(strncasecompare(cipher_name, "TLS_", 4)) { + for(i = 0; i < NUM_OF_CIPHERS && + !strcasecompare(cipher_name, ciphertable[i].name); ++i); + } + else { + for(i = 0; i < NUM_OF_CIPHERS && + !strcasecompare(cipher_name, ciphertable[i].alias_name); ++i); + } + if(i == NUM_OF_CIPHERS) { + infof(data, "BearSSL: unknown cipher in list: %s", cipher_name); + continue; + } + + /* No duplicates allowed */ + for(j = 0; j < selected_count && + selected_ciphers[j] != ciphertable[i].num; j++); + if(j < selected_count) { + infof(data, "BearSSL: duplicate cipher in list: %s", cipher_name); + continue; + } + + DEBUGASSERT(selected_count < NUM_OF_CIPHERS); + selected_ciphers[selected_count] = ciphertable[i].num; + ++selected_count; + } + + if(selected_count == 0) { + failf(data, "BearSSL: no supported cipher in list"); + return CURLE_SSL_CIPHER; + } + + br_ssl_engine_set_suites(ssl_eng, selected_ciphers, selected_count); + return CURLE_OK; +} + static CURLcode bearssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, int sockindex) { @@ -446,6 +657,15 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, br_ssl_engine_set_buffer(&backend->ctx.eng, backend->buf, sizeof(backend->buf), 1); + if(SSL_CONN_CONFIG(cipher_list)) { + /* Override the ciphers as specified. For the default cipher list see the + BearSSL source code of br_ssl_client_init_full() */ + ret = bearssl_set_selected_ciphers(data, &backend->ctx.eng, + SSL_CONN_CONFIG(cipher_list)); + if(ret) + return ret; + } + /* initialize X.509 context */ backend->x509.vtable = &x509_vtable; backend->x509.verifypeer = verifypeer; @@ -478,12 +698,12 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, #endif ) { backend->protocols[cur++] = ALPN_H2; - infof(data, "ALPN, offering %s", ALPN_H2); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); } #endif backend->protocols[cur++] = ALPN_HTTP_1_1; - infof(data, "ALPN, offering %s", ALPN_HTTP_1_1); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); br_ssl_engine_set_protocol_names(&backend->ctx.eng, backend->protocols, cur); @@ -510,6 +730,18 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, hostname = snihost; } + /* give application a chance to interfere with SSL set up. */ + if(data->set.ssl.fsslctx) { + Curl_set_in_callback(data, true); + ret = (*data->set.ssl.fsslctx)(data, &backend->ctx, + data->set.ssl.fsslctxp); + Curl_set_in_callback(data, false); + if(ret) { + failf(data, "BearSSL: error signaled by ssl ctx callback"); + return ret; + } + } + if(!br_ssl_client_reset(&backend->ctx, hostname, 1)) return CURLE_FAILED_INIT; backend->active = TRUE; @@ -637,7 +869,7 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, protocol = br_ssl_engine_get_selected_protocol(&backend->ctx.eng); if(protocol) { - infof(data, "ALPN, server accepted to use %s", protocol); + infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, protocol); #ifdef USE_HTTP2 if(!strcmp(protocol, ALPN_H2)) @@ -652,7 +884,7 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else - infof(data, "ALPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); } if(SSL_SET_OPTION(primary.sessionid)) { @@ -950,7 +1182,7 @@ static CURLcode bearssl_sha256sum(const unsigned char *input, const struct Curl_ssl Curl_ssl_bearssl = { { CURLSSLBACKEND_BEARSSL, "bearssl" }, /* info */ - SSLSUPP_CAINFO_BLOB, + SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX, sizeof(struct ssl_backend_data), Curl_none_init, /* init */ diff --git a/contrib/libs/curl/lib/vtls/gskit.c b/contrib/libs/curl/lib/vtls/gskit.c index 56d48497db..9b5fbe4dd6 100644 --- a/contrib/libs/curl/lib/vtls/gskit.c +++ b/contrib/libs/curl/lib/vtls/gskit.c @@ -74,6 +74,7 @@ #include "connect.h" /* for the connect timeout */ #include "select.h" #include "strcase.h" +#include "timediff.h" #include "x509asn1.h" #include "curl_printf.h" @@ -449,8 +450,7 @@ static CURLcode set_ciphers(struct Curl_easy *data, static int gskit_init(void) { - /* No initialisation needed. */ - + /* No initialization needed. */ return 1; } @@ -976,11 +976,12 @@ static CURLcode gskit_connect_step2(struct Curl_easy *data, for(;;) { timediff_t timeout_ms = nonblocking? 0: Curl_timeleft(data, NULL, TRUE); + stmv.tv_sec = 0; + stmv.tv_usec = 0; if(timeout_ms < 0) timeout_ms = 0; - stmv.tv_sec = timeout_ms / 1000; - stmv.tv_usec = (timeout_ms - stmv.tv_sec * 1000) * 1000; - switch(QsoWaitForIOCompletion(BACKEND->iocport, &cstat, &stmv)) { + switch(QsoWaitForIOCompletion(BACKEND->iocport, &cstat, + curlx_mstotv(&stmv, timeout_ms))) { case 1: /* Operation complete. */ break; case -1: /* An error occurred: handshake still in progress. */ @@ -1095,7 +1096,7 @@ static CURLcode gskit_connect_step3(struct Curl_easy *data, p = &x509.subjectPublicKeyInfo; result = Curl_pin_peer_pubkey(data, ptr, p->header, p->end - p->header); if(result) { - failf(data, "SSL: public key does not match pinned public key!"); + failf(data, "SSL: public key does not match pinned public key"); return result; } } diff --git a/contrib/libs/curl/lib/vtls/gtls.c b/contrib/libs/curl/lib/vtls/gtls.c index 57493767e5..0535011911 100644 --- a/contrib/libs/curl/lib/vtls/gtls.c +++ b/contrib/libs/curl/lib/vtls/gtls.c @@ -55,6 +55,14 @@ /* The last #include file should be: */ #include "memdebug.h" +#ifdef HAVE_GNUTLS_SRP +/* the function exists */ +#ifdef USE_TLS_SRP +/* the functionality is not disabled */ +#define USE_GNUTLS_SRP +#endif +#endif + /* Enable GnuTLS debugging by defining GTLSDEBUG */ /*#define GTLSDEBUG */ @@ -75,7 +83,7 @@ static bool gtls_inited = FALSE; struct ssl_backend_data { gnutls_session_t session; gnutls_certificate_credentials_t cred; -#ifdef HAVE_GNUTLS_SRP +#ifdef USE_GNUTLS_SRP gnutls_srp_client_credentials_t srp_client_cred; #endif }; @@ -436,12 +444,12 @@ gtls_connect_step1(struct Curl_easy *data, return CURLE_SSL_CONNECT_ERROR; } -#ifdef HAVE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { +#ifdef USE_GNUTLS_SRP + if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); - rc = gnutls_srp_allocate_client_credentials( - &backend->srp_client_cred); + rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_allocate_client_cred() failed: %s", gnutls_strerror(rc)); @@ -587,7 +595,7 @@ gtls_connect_step1(struct Curl_easy *data, if(result) return result; -#ifdef HAVE_GNUTLS_SRP +#ifdef USE_GNUTLS_SRP /* Only add SRP to the cipher list if SRP is requested. Otherwise * GnuTLS will disable TLS 1.3 support. */ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { @@ -609,7 +617,7 @@ gtls_connect_step1(struct Curl_easy *data, #endif infof(data, "GnuTLS ciphers: %s", prioritylist); rc = gnutls_priority_set_direct(session, prioritylist, &err); -#ifdef HAVE_GNUTLS_SRP +#ifdef USE_GNUTLS_SRP } #endif @@ -632,14 +640,14 @@ gtls_connect_step1(struct Curl_easy *data, protocols[cur].data = (unsigned char *)ALPN_H2; protocols[cur].size = ALPN_H2_LENGTH; cur++; - infof(data, "ALPN, offering %.*s", ALPN_H2_LENGTH, ALPN_H2); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); } #endif protocols[cur].data = (unsigned char *)ALPN_HTTP_1_1; protocols[cur].size = ALPN_HTTP_1_1_LENGTH; cur++; - infof(data, "ALPN, offering %s", ALPN_HTTP_1_1); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); if(gnutls_alpn_set_protocols(session, protocols, cur, 0)) { failf(data, "failed setting ALPN"); @@ -683,7 +691,7 @@ gtls_connect_step1(struct Curl_easy *data, } } -#ifdef HAVE_GNUTLS_SRP +#ifdef USE_GNUTLS_SRP /* put the credentials to the current session */ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, @@ -866,7 +874,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, if(SSL_CONN_CONFIG(verifypeer) || SSL_CONN_CONFIG(verifyhost) || SSL_CONN_CONFIG(issuercert)) { -#ifdef HAVE_GNUTLS_SRP +#ifdef USE_GNUTLS_SRP if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP && SSL_SET_OPTION(username) != NULL && !SSL_CONN_CONFIG(verifypeer) @@ -879,7 +887,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, failf(data, "failed to get server cert"); *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND; return CURLE_PEER_FAILED_VERIFICATION; -#ifdef HAVE_GNUTLS_SRP +#ifdef USE_GNUTLS_SRP } #endif } @@ -1198,7 +1206,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, if(ptr) { result = pkp_pin_peer_pubkey(data, x509_cert, ptr); if(result != CURLE_OK) { - failf(data, "SSL: public key does not match pinned public key!"); + failf(data, "SSL: public key does not match pinned public key"); gnutls_x509_crt_deinit(x509_cert); return result; } @@ -1255,8 +1263,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, if(conn->bits.tls_enable_alpn) { rc = gnutls_alpn_get_selected_protocol(session, &proto); if(rc == 0) { - infof(data, "ALPN, server accepted to use %.*s", proto.size, - proto.data); + infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, proto.size, + proto.data); #ifdef USE_HTTP2 if(proto.size == ALPN_H2_LENGTH && @@ -1272,7 +1280,7 @@ Curl_gtls_verifyserver(struct Curl_easy *data, } } else - infof(data, "ALPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); @@ -1469,7 +1477,7 @@ static void close_one(struct ssl_connect_data *connssl) gnutls_certificate_free_credentials(backend->cred); backend->cred = NULL; } -#ifdef HAVE_GNUTLS_SRP +#ifdef USE_GNUTLS_SRP if(backend->srp_client_cred) { gnutls_srp_free_client_credentials(backend->srp_client_cred); backend->srp_client_cred = NULL; @@ -1555,7 +1563,7 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, } gnutls_certificate_free_credentials(backend->cred); -#ifdef HAVE_GNUTLS_SRP +#ifdef USE_GNUTLS_SRP if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP && SSL_SET_OPTION(username) != NULL) gnutls_srp_free_client_credentials(backend->srp_client_cred); diff --git a/contrib/libs/curl/lib/vtls/mbedtls.c b/contrib/libs/curl/lib/vtls/mbedtls.c index d59ad92581..a1ab6b42c9 100644 --- a/contrib/libs/curl/lib/vtls/mbedtls.c +++ b/contrib/libs/curl/lib/vtls/mbedtls.c @@ -70,11 +70,18 @@ #include "curl_memory.h" #include "memdebug.h" +/* ALPN for http2 */ +#ifdef USE_HTTP2 +# undef HAS_ALPN +# ifdef MBEDTLS_SSL_ALPN +# define HAS_ALPN +# endif +#endif + struct ssl_backend_data { mbedtls_ctr_drbg_context ctr_drbg; mbedtls_entropy_context entropy; mbedtls_ssl_context ssl; - int server_fd; mbedtls_x509_crt cacert; mbedtls_x509_crt clicert; #ifdef MBEDTLS_X509_CRL_PARSE_C @@ -82,7 +89,9 @@ struct ssl_backend_data { #endif mbedtls_pk_context pk; mbedtls_ssl_config config; +#ifdef HAS_ALPN const char *protocols[3]; +#endif }; /* apply threading? */ @@ -144,15 +153,6 @@ static void mbed_debug(void *context, int level, const char *f_name, #else #endif -/* ALPN for http2? */ -#ifdef USE_NGHTTP2 -# undef HAS_ALPN -# ifdef MBEDTLS_SSL_ALPN -# define HAS_ALPN -# endif -#endif - - /* * profile */ @@ -614,9 +614,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, #ifdef HAS_ALPN if(conn->bits.tls_enable_alpn) { const char **p = &backend->protocols[0]; -#ifdef USE_NGHTTP2 +#ifdef USE_HTTP2 if(data->state.httpwant >= CURL_HTTP_VERSION_2) - *p++ = NGHTTP2_PROTO_VERSION_ID; + *p++ = ALPN_H2; #endif *p++ = ALPN_HTTP_1_1; *p = NULL; @@ -628,7 +628,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, return CURLE_SSL_CONNECT_ERROR; } for(p = &backend->protocols[0]; *p; ++p) - infof(data, "ALPN, offering %s", *p); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, *p); } #endif @@ -813,11 +813,10 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, const char *next_protocol = mbedtls_ssl_get_alpn_protocol(&backend->ssl); if(next_protocol) { - infof(data, "ALPN, server accepted to use %s", next_protocol); -#ifdef USE_NGHTTP2 - if(!strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID, - NGHTTP2_PROTO_VERSION_ID_LEN) && - !next_protocol[NGHTTP2_PROTO_VERSION_ID_LEN]) { + infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, next_protocol); +#ifdef USE_HTTP2 + if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LEN) && + !next_protocol[ALPN_H2_LEN]) { conn->negnpn = CURL_HTTP_VERSION_2; } else @@ -828,7 +827,7 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, } } else { - infof(data, "ALPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); } Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); diff --git a/contrib/libs/curl/lib/vtls/nss.c b/contrib/libs/curl/lib/vtls/nss.c index 558e3bed39..5b7de9f818 100644 --- a/contrib/libs/curl/lib/vtls/nss.c +++ b/contrib/libs/curl/lib/vtls/nss.c @@ -434,7 +434,7 @@ static char *dup_nickname(struct Curl_easy *data, const char *str) /* search the first slash; we require at least one slash in a file name */ n = strchr(str, '/'); if(!n) { - infof(data, "warning: certificate file name \"%s\" handled as nickname; " + infof(data, "WARNING: certificate file name \"%s\" handled as nickname; " "please use \"./%s\" to force file name", str, str); return strdup(str); } @@ -862,11 +862,11 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) #endif case SSL_NEXT_PROTO_NO_SUPPORT: case SSL_NEXT_PROTO_NO_OVERLAP: - infof(data, "ALPN/NPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); return; #ifdef SSL_ENABLE_ALPN case SSL_NEXT_PROTO_SELECTED: - infof(data, "ALPN, server accepted to use %.*s", buflen, buf); + infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, buflen, buf); break; #endif case SSL_NEXT_PROTO_NEGOTIATED: @@ -874,7 +874,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) break; } -#ifdef USE_NGHTTP2 +#ifdef USE_HTTP2 if(buflen == ALPN_H2_LENGTH && !memcmp(ALPN_H2, buf, ALPN_H2_LENGTH)) { conn->negnpn = CURL_HTTP_VERSION_2; @@ -1146,7 +1146,7 @@ static CURLcode cmp_peer_pubkey(struct ssl_connect_data *connssl, /* report the resulting status */ switch(result) { case CURLE_OK: - infof(data, "pinned public key verified successfully!"); + infof(data, "pinned public key verified successfully"); break; case CURLE_SSL_PINNEDPUBKEYNOTMATCH: failf(data, "failed to verify pinned public key"); @@ -1748,7 +1748,7 @@ static CURLcode nss_load_ca_certificates(struct Curl_easy *data, PR_CloseDir(dir); } else - infof(data, "warning: CURLOPT_CAPATH not a directory (%s)", capath); + infof(data, "WARNING: CURLOPT_CAPATH not a directory (%s)", capath); } return CURLE_OK; @@ -1985,11 +1985,11 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, /* unless the user explicitly asks to allow the protocol vulnerability, we use the work-around */ if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess) - infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d", + infof(data, "WARNING: failed to set SSL_CBC_RANDOM_IV = %d", ssl_cbc_random_iv); #else if(ssl_cbc_random_iv) - infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in"); + infof(data, "WARNING: support for SSL_CBC_RANDOM_IV not compiled in"); #endif if(SSL_CONN_CONFIG(cipher_list)) { @@ -2000,7 +2000,7 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, } if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost)) - infof(data, "warning: ignoring value of ssl.verifyhost"); + infof(data, "WARNING: ignoring value of ssl.verifyhost"); /* bypass the default SSL_AuthCertificate() hook in case we do not want to * verify peer */ @@ -2020,7 +2020,7 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, const CURLcode rv = nss_load_ca_certificates(data, conn, sockindex); if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer)) /* not a fatal error because we are not going to verify the peer */ - infof(data, "warning: CA certificates failed to load"); + infof(data, "WARNING: CA certificates failed to load"); else if(rv) { result = rv; goto error; diff --git a/contrib/libs/curl/lib/vtls/openssl.c b/contrib/libs/curl/lib/vtls/openssl.c index d3ed3e7ba0..f15ac28a76 100644 --- a/contrib/libs/curl/lib/vtls/openssl.c +++ b/contrib/libs/curl/lib/vtls/openssl.c @@ -208,9 +208,18 @@ !defined(OPENSSL_IS_BORINGSSL)) #define HAVE_SSL_CTX_SET_CIPHERSUITES #define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH -/* SET_EC_CURVES is available under the same preconditions: see - * https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html +#endif + +/* + * Whether SSL_CTX_set1_curves_list is available. + * OpenSSL: supported since 1.0.2, see + * https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html + * BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30) + * LibreSSL: not tested. */ +#if ((OPENSSL_VERSION_NUMBER >= 0x10002000L) && \ + !defined(LIBRESSL_VERSION_NUMBER)) || \ + defined(OPENSSL_IS_BORINGSSL) #define HAVE_SSL_CTX_SET_EC_CURVES #endif @@ -548,7 +557,7 @@ static CURLcode ossl_seed(struct Curl_easy *data) } } - infof(data, "libcurl is now using a weak random seed!"); + infof(data, "libcurl is now using a weak random seed"); return (rand_enough() ? CURLE_OK : CURLE_SSL_CONNECT_ERROR /* confusing error code */); #endif @@ -1158,6 +1167,22 @@ int cert_stuff(struct Curl_easy *data, return 1; } +CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data, SSL_CTX *ctx, + char *cert_file, + const struct curl_blob *cert_blob, + const char *cert_type, char *key_file, + const struct curl_blob *key_blob, + const char *key_type, char *key_passwd) +{ + int rv = cert_stuff(data, ctx, cert_file, cert_blob, cert_type, key_file, + key_blob, key_type, key_passwd); + if(rv != 1) { + return CURLE_SSL_CERTPROBLEM; + } + + return CURLE_OK; +} + /* returns non-zero on failure */ static int x509_name_oneline(X509_NAME *a, char *buf, size_t size) { @@ -1902,6 +1927,11 @@ static CURLcode verifystatus(struct Curl_easy *data, } ch = SSL_get_peer_cert_chain(backend->handle); + if(!ch) { + failf(data, "Could not get peer certificate chain"); + result = CURLE_SSL_INVALIDCERTSTATUS; + goto end; + } st = SSL_CTX_get_cert_store(backend->ctx); #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \ @@ -2821,14 +2851,14 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, memcpy(&protocols[cur], ALPN_H2, ALPN_H2_LENGTH); cur += ALPN_H2_LENGTH; - infof(data, "ALPN, offering %s", ALPN_H2); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); } #endif protocols[cur++] = ALPN_HTTP_1_1_LENGTH; memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH); cur += ALPN_HTTP_1_1_LENGTH; - infof(data, "ALPN, offering %s", ALPN_HTTP_1_1); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); /* expects length prefixed preference ordered list of protocols in wire * format @@ -2894,7 +2924,8 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #endif #ifdef USE_OPENSSL_SRP - if(ssl_authtype == CURL_TLSAUTH_SRP) { + if((ssl_authtype == CURL_TLSAUTH_SRP) && + Curl_allow_auth_to_host(data)) { char * const ssl_username = SSL_SET_OPTION(username); infof(data, "Using TLS-SRP username: %s", ssl_username); @@ -3201,7 +3232,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, SSL_free(backend->handle); backend->handle = SSL_new(backend->ctx); if(!backend->handle) { - failf(data, "SSL: couldn't create a context (handle)!"); + failf(data, "SSL: couldn't create a context (handle)"); return CURLE_OUT_OF_MEMORY; } @@ -3427,7 +3458,7 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, unsigned int len; SSL_get0_alpn_selected(backend->handle, &neg_protocol, &len); if(len) { - infof(data, "ALPN, server accepted to use %.*s", len, neg_protocol); + infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, len, neg_protocol); #ifdef USE_HTTP2 if(len == ALPN_H2_LENGTH && @@ -3442,7 +3473,7 @@ static CURLcode ossl_connect_step2(struct Curl_easy *data, } } else - infof(data, "ALPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); @@ -3892,7 +3923,7 @@ static CURLcode servercert(struct Curl_easy *data, if(!strict) return CURLE_OK; - failf(data, "SSL: couldn't get peer certificate!"); + failf(data, "SSL: couldn't get peer certificate"); return CURLE_PEER_FAILED_VERIFICATION; } @@ -3932,7 +3963,7 @@ static CURLcode servercert(struct Curl_easy *data, buffer, sizeof(buffer)); if(rc) { if(strict) - failf(data, "SSL: couldn't get X509-issuer name!"); + failf(data, "SSL: couldn't get X509-issuer name"); result = CURLE_PEER_FAILED_VERIFICATION; } else { @@ -4050,7 +4081,7 @@ static CURLcode servercert(struct Curl_easy *data, if(!result && ptr) { result = pkp_pin_peer_pubkey(data, backend->server_cert, ptr); if(result) - failf(data, "SSL: public key does not match pinned public key!"); + failf(data, "SSL: public key does not match pinned public key"); } X509_free(backend->server_cert); diff --git a/contrib/libs/curl/lib/vtls/openssl.h b/contrib/libs/curl/lib/vtls/openssl.h index 7df642bc9a..0a7536ea3e 100644 --- a/contrib/libs/curl/lib/vtls/openssl.h +++ b/contrib/libs/curl/lib/vtls/openssl.h @@ -43,5 +43,13 @@ CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, struct x509_st *server_cert); extern const struct Curl_ssl Curl_ssl_openssl; +struct ssl_ctx_st; +CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data, + struct ssl_ctx_st *ctx, char *cert_file, + const struct curl_blob *cert_blob, + const char *cert_type, char *key_file, + const struct curl_blob *key_blob, + const char *key_type, char *key_passwd); + #endif /* USE_OPENSSL */ #endif /* HEADER_CURL_SSLUSE_H */ diff --git a/contrib/libs/curl/lib/vtls/rustls.c b/contrib/libs/curl/lib/vtls/rustls.c index 0e651aed9d..16970b7c36 100644 --- a/contrib/libs/curl/lib/vtls/rustls.c +++ b/contrib/libs/curl/lib/vtls/rustls.c @@ -325,12 +325,12 @@ cr_init_backend(struct Curl_easy *data, struct connectdata *conn, config_builder = rustls_client_config_builder_new(); #ifdef USE_HTTP2 - infof(data, "offering ALPN for HTTP/1.1 and HTTP/2"); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); rustls_client_config_builder_set_alpn_protocols(config_builder, alpn, 2); #else - infof(data, "offering ALPN for HTTP/1.1 only"); rustls_client_config_builder_set_alpn_protocols(config_builder, alpn, 1); #endif + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); if(!verifypeer) { rustls_client_config_builder_dangerous_set_certificate_verifier( config_builder, cr_verify_none); @@ -406,20 +406,20 @@ cr_set_negotiated_alpn(struct Curl_easy *data, struct connectdata *conn, rustls_connection_get_alpn_protocol(rconn, &protocol, &len); if(!protocol) { - infof(data, "ALPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); return; } #ifdef USE_HTTP2 if(len == ALPN_H2_LENGTH && 0 == memcmp(ALPN_H2, protocol, len)) { - infof(data, "ALPN, negotiated h2"); + infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, ALPN_H2); conn->negnpn = CURL_HTTP_VERSION_2; } else #endif if(len == ALPN_HTTP_1_1_LENGTH && 0 == memcmp(ALPN_HTTP_1_1, protocol, len)) { - infof(data, "ALPN, negotiated http/1.1"); + infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, ALPN_HTTP_1_1); conn->negnpn = CURL_HTTP_VERSION_1_1; } else { diff --git a/contrib/libs/curl/lib/vtls/schannel.c b/contrib/libs/curl/lib/vtls/schannel.c index 04c8f3b6cf..dfec66d51f 100644 --- a/contrib/libs/curl/lib/vtls/schannel.c +++ b/contrib/libs/curl/lib/vtls/schannel.c @@ -908,14 +908,14 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, alpn_buffer[cur++] = ALPN_H2_LENGTH; memcpy(&alpn_buffer[cur], ALPN_H2, ALPN_H2_LENGTH); cur += ALPN_H2_LENGTH; - infof(data, "schannel: ALPN, offering %s", ALPN_H2); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); } #endif alpn_buffer[cur++] = ALPN_HTTP_1_1_LENGTH; memcpy(&alpn_buffer[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH); cur += ALPN_HTTP_1_1_LENGTH; - infof(data, "schannel: ALPN, offering %s", ALPN_HTTP_1_1); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); *list_len = curlx_uitous(cur - list_start_index); *extension_len = *list_len + sizeof(unsigned int) + sizeof(unsigned short); @@ -1286,7 +1286,7 @@ schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, if(pubkey_ptr) { result = pkp_pin_peer_pubkey(data, conn, sockindex, pubkey_ptr); if(result) { - failf(data, "SSL: public key does not match pinned public key!"); + failf(data, "SSL: public key does not match pinned public key"); return result; } } @@ -1416,7 +1416,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, if(alpn_result.ProtoNegoStatus == SecApplicationProtocolNegotiationStatus_Success) { - infof(data, "schannel: ALPN, server accepted to use %.*s", + infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, alpn_result.ProtocolIdSize, alpn_result.ProtocolId); #ifdef USE_HTTP2 @@ -1433,7 +1433,7 @@ schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, } } else - infof(data, "ALPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } @@ -2371,7 +2371,7 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, (const unsigned char *)pubkey->header, (size_t)(pubkey->end - pubkey->header)); if(result) { - failf(data, "SSL: public key does not match pinned public key!"); + failf(data, "SSL: public key does not match pinned public key"); } } while(0); diff --git a/contrib/libs/curl/lib/vtls/schannel_verify.c b/contrib/libs/curl/lib/vtls/schannel_verify.c index 202a814cd9..4dc2d14e56 100644 --- a/contrib/libs/curl/lib/vtls/schannel_verify.c +++ b/contrib/libs/curl/lib/vtls/schannel_verify.c @@ -286,7 +286,6 @@ static CURLcode add_certs_file_to_store(HCERTSTORE trust_store, goto cleanup; } - result = CURLE_OK; while(total_bytes_read < ca_file_bufsize) { DWORD bytes_to_read = (DWORD)(ca_file_bufsize - total_bytes_read); DWORD bytes_read = 0; @@ -313,9 +312,6 @@ static CURLcode add_certs_file_to_store(HCERTSTORE trust_store, /* Null terminate the buffer */ ca_file_buffer[ca_file_bufsize] = '\0'; - if(result != CURLE_OK) { - goto cleanup; - } result = add_certs_data_to_store(trust_store, ca_file_buffer, ca_file_bufsize, ca_file, diff --git a/contrib/libs/curl/lib/vtls/sectransp.c b/contrib/libs/curl/lib/vtls/sectransp.c index b2e1727278..8ee8fe997f 100644 --- a/contrib/libs/curl/lib/vtls/sectransp.c +++ b/contrib/libs/curl/lib/vtls/sectransp.c @@ -938,9 +938,9 @@ static OSStatus SocketWrite(SSLConnectionRef connection, #ifndef CURL_DISABLE_VERBOSE_STRINGS CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher) { - /* The first ciphers in the ciphertable are continuos. Here we do small + /* The first ciphers in the ciphertable are continuous. Here we do small optimization and instead of loop directly get SSL name by cipher number. - */ + */ if(cipher <= SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA) { return ciphertable[cipher].name; } @@ -1701,7 +1701,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, CFRelease(backend->ssl_ctx); backend->ssl_ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType); if(!backend->ssl_ctx) { - failf(data, "SSL: couldn't create a context!"); + failf(data, "SSL: couldn't create a context"); return CURLE_OUT_OF_MEMORY; } } @@ -1851,12 +1851,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, #endif ) { CFArrayAppendValue(alpnArr, CFSTR(ALPN_H2)); - infof(data, "ALPN, offering %s", ALPN_H2); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); } #endif CFArrayAppendValue(alpnArr, CFSTR(ALPN_HTTP_1_1)); - infof(data, "ALPN, offering %s", ALPN_HTTP_1_1); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); /* expects length prefixed preference ordered list of protocols in wire * format @@ -2788,7 +2788,7 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, pkp_pin_peer_pubkey(data, backend->ssl_ctx, data->set.str[STRING_SSL_PINNEDPUBLICKEY]); if(result) { - failf(data, "SSL: public key does not match pinned public key!"); + failf(data, "SSL: public key does not match pinned public key"); return result; } } @@ -2853,7 +2853,7 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, conn->negnpn = CURL_HTTP_VERSION_1_1; } else - infof(data, "ALPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); diff --git a/contrib/libs/curl/lib/vtls/vtls.c b/contrib/libs/curl/lib/vtls/vtls.c index 03b85ba065..a40ac06f68 100644 --- a/contrib/libs/curl/lib/vtls/vtls.c +++ b/contrib/libs/curl/lib/vtls/vtls.c @@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) return !memcmp(first->data, second->data, first->len); /* same data */ } -static bool safecmp(char *a, char *b) -{ - if(a && b) - return !strcmp(a, b); - else if(!a && !b) - return TRUE; /* match */ - return FALSE; /* no match */ -} - bool Curl_ssl_config_matches(struct ssl_primary_config *data, @@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, blobcmp(data->cert_blob, needle->cert_blob) && blobcmp(data->ca_info_blob, needle->ca_info_blob) && blobcmp(data->issuercert_blob, needle->issuercert_blob) && - safecmp(data->CApath, needle->CApath) && - safecmp(data->CAfile, needle->CAfile) && - safecmp(data->issuercert, needle->issuercert) && - safecmp(data->clientcert, needle->clientcert) && - safecmp(data->random_file, needle->random_file) && - safecmp(data->egdsocket, needle->egdsocket) && + Curl_safecmp(data->CApath, needle->CApath) && + Curl_safecmp(data->CAfile, needle->CAfile) && + Curl_safecmp(data->issuercert, needle->issuercert) && + Curl_safecmp(data->clientcert, needle->clientcert) && + Curl_safecmp(data->random_file, needle->random_file) && + Curl_safecmp(data->egdsocket, needle->egdsocket) && Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && Curl_safe_strcasecompare(data->curves, needle->curves) && diff --git a/contrib/libs/curl/lib/vtls/vtls.h b/contrib/libs/curl/lib/vtls/vtls.h index af3b8d3c94..6bd1e0dcd3 100644 --- a/contrib/libs/curl/lib/vtls/vtls.h +++ b/contrib/libs/curl/lib/vtls/vtls.h @@ -34,6 +34,17 @@ struct ssl_connect_data; #define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */ #define SSLSUPP_CAINFO_BLOB (1<<6) +#define ALPN_ACCEPTED "ALPN: server accepted " + +#define VTLS_INFOF_NO_ALPN \ + "ALPN: server did not agree on a protocol. Uses default." +#define VTLS_INFOF_ALPN_OFFER_1STR \ + "ALPN: offers %s" +#define VTLS_INFOF_ALPN_ACCEPTED_1STR \ + ALPN_ACCEPTED "%s" +#define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR \ + ALPN_ACCEPTED "%.*s" + struct Curl_ssl { /* * This *must* be the first entry to allow returning the list of available diff --git a/contrib/libs/curl/lib/vtls/wolfssl.c b/contrib/libs/curl/lib/vtls/wolfssl.c index f1f786ffb6..72692b6075 100644 --- a/contrib/libs/curl/lib/vtls/wolfssl.c +++ b/contrib/libs/curl/lib/vtls/wolfssl.c @@ -324,7 +324,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, } if(!req_method) { - failf(data, "SSL: couldn't create a method!"); + failf(data, "SSL: couldn't create a method"); return CURLE_OUT_OF_MEMORY; } @@ -333,7 +333,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, backend->ctx = SSL_CTX_new(req_method); if(!backend->ctx) { - failf(data, "SSL: couldn't create a context!"); + failf(data, "SSL: couldn't create a context"); return CURLE_OUT_OF_MEMORY; } @@ -462,9 +462,9 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, const char * const hostname = SSL_HOST_NAME(); size_t hostname_len = strlen(hostname); if((hostname_len < USHRT_MAX) && - (0 == Curl_inet_pton(AF_INET, hostname, &addr4)) && + !Curl_inet_pton(AF_INET, hostname, &addr4) #ifdef ENABLE_IPV6 - (0 == Curl_inet_pton(AF_INET6, hostname, &addr6)) + && !Curl_inet_pton(AF_INET6, hostname, &addr6) #endif ) { size_t snilen; @@ -503,7 +503,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, SSL_free(backend->handle); backend->handle = SSL_new(backend->ctx); if(!backend->handle) { - failf(data, "SSL: couldn't create a context (handle)!"); + failf(data, "SSL: couldn't create a context"); return CURLE_OUT_OF_MEMORY; } @@ -526,12 +526,12 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, #ifdef USE_HTTP2 if(data->state.httpwant >= CURL_HTTP_VERSION_2) { strcpy(protocols + strlen(protocols), ALPN_H2 ","); - infof(data, "ALPN, offering %s", ALPN_H2); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2); } #endif strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1); - infof(data, "ALPN, offering %s", ALPN_HTTP_1_1); + infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1); if(wolfSSL_UseALPN(backend->handle, protocols, (unsigned)strlen(protocols), @@ -739,7 +739,7 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, (const unsigned char *)pubkey->header, (size_t)(pubkey->end - pubkey->header)); if(result) { - failf(data, "SSL: public key does not match pinned public key!"); + failf(data, "SSL: public key does not match pinned public key"); return result; } #else @@ -757,8 +757,7 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, rc = wolfSSL_ALPN_GetProtocol(backend->handle, &protocol, &protocol_len); if(rc == SSL_SUCCESS) { - infof(data, "ALPN, server accepted to use %.*s", protocol_len, - protocol); + infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, protocol_len, protocol); if(protocol_len == ALPN_HTTP_1_1_LENGTH && !memcmp(protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) @@ -776,7 +775,7 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else if(rc == SSL_ALPN_NOT_FOUND) - infof(data, "ALPN, server did not agree to a protocol"); + infof(data, VTLS_INFOF_NO_ALPN); else { failf(data, "ALPN, failure getting protocol, error %d", rc); return CURLE_SSL_CONNECT_ERROR; |