From 33c91791f989c5882186fd50b086aa46a78feccc Mon Sep 17 00:00:00 2001 From: "Kyle J. McKay" Date: Wed, 22 Feb 2017 04:37:03 -0800 Subject: [PATCH] patches: update curl 7.51.0 -> 7.53.0 Signed-off-by: Kyle J. McKay --- patches/curl/curl_darwinssl_macosx.c | 234 ++++++++++------------- patches/curl/q/series | 1 - patches/curl/q/t_docs_manpage.diff | 154 +++++++-------- patches/curl/q/t_ntlm_no-one-shot.diff | 2 +- patches/curl/q/t_pinning_darwin.diff | 4 +- patches/curl/q/t_securetransport_extra-data.diff | 4 +- patches/curl/q/t_vtls_reuse-client-session.diff | 33 ---- 7 files changed, 181 insertions(+), 251 deletions(-) delete mode 100644 patches/curl/q/t_vtls_reuse-client-session.diff diff --git a/patches/curl/curl_darwinssl_macosx.c b/patches/curl/curl_darwinssl_macosx.c index 541415a..8e8f780 100644 --- a/patches/curl/curl_darwinssl_macosx.c +++ b/patches/curl/curl_darwinssl_macosx.c @@ -6,15 +6,14 @@ * \___|\___/|_| \_\_____| * * Copyright (C) 2012 - 2014, Nick Zitzmann, . - * Copyright (C) 2012 - 2015, Daniel Stenberg, , et al. - * Copyright (C) 2012 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 2012 - 2017, Daniel Stenberg, , et al. * - * MacOSX modifications copyright (C) 2014, 2015, 2016 Kyle J. McKay. + * MacOSX modifications copyright (C) 2014, 2015, 2016, 2017 Kyle J. McKay. * All rights reserved. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms - * are also available at http://curl.haxx.se/docs/copyright.html. + * are also available at https://curl.haxx.se/docs/copyright.html. * * You may opt to use, copy, modify, merge, publish, distribute and/or sell * copies of the Software, and permit persons to whom the Software is 
@@ -76,10 +75,9 @@ static __inline void realfree(void *p) /* stupid curl */ #include "urldata.h" /* for the Curl_easy definition */ -#if LIBCURL_VERSION_NUM < 0x073300 /* 7.51.0 */ -#define SOCKET_READABLE(x,z) \ - Curl_socket_check(x, CURL_SOCKET_BAD, CURL_SOCKET_BAD, z) -#endif /* version < 7.51.0 */ +#if LIBCURL_VERSION_NUM < 0x073400 /* 7.52.0 */ +#error cURL 7.52.0 or later required (see tags for older compat) +#endif #ifdef USE_DARWINSSL 
@@ -133,46 +131,13 @@ static __inline void realfree(void *p) /* stupid curl */ #include "connect.h" #include "select.h" #include "vtls.h" -#if LIBCURL_VERSION_NUM >= 0x072900 #include "darwinssl.h" -#else -#include "curl_darwinssl.h" -#endif - -#define _MPRINTF_REPLACE /* use our functions only */ -#include +#include "curl_printf.h" #include "curl_memory.h" /* The last #include file should be: */ #include "memdebug.h" -/* With cURL version 7.52.0 getsessionid and addsessionid started taking a new - * fourth int parameter, so we implement the "new" version for older builds by - * just discarding the fourth parameter. */ -#if LIBCURL_VERSION_NUM < 0x073400 /* 7.52.0 */ -static __inline bool Curl_ssl_getsessionid_old( - struct connectdata *conn, - void **ssl_sessionid, - size_t *idsize) {return Curl_ssl_getsessionid(conn, ssl_sessionid, idsize);} -static __inline CURLcode Curl_ssl_addsessionid_old( - struct connectdata *conn, - void *ssl_sessionid, - size_t idsize) {return Curl_ssl_addsessionid(conn, ssl_sessionid, idsize);} -#define Curl_ssl_getsessionid(a,b,c,d) Curl_ssl_getsessionid_old(a,b,c) -#define Curl_ssl_addsessionid(a,b,c,d) Curl_ssl_addsessionid_old(a,b,c) -#endif /* version < 7.52.0 */ - -/* With cURL version 7.50.0 struct SessionHandle was renamed to struct Curl_easy - * so we use the new name (Curl_easy) but #define it to the old one for older - * versions of cURL. In addition, two new functions Curl_ssl_sessionid_lock and - * Curl_ssl_sessionid_unlock must be used so those are defined away to nothing - * for older cURL versions as well. */ -#if LIBCURL_VERSION_NUM < 0x073200 -#define Curl_easy SessionHandle -#define Curl_ssl_sessionid_lock(c) (void)0 -#define Curl_ssl_sessionid_unlock(c) (void)0 -#endif - /* The following two functions were ripped from Apple sample code, * with some modifications: */ static OSStatus SocketRead(SSLConnectionRef connection, 
@@ -257,7 +222,7 @@ static OSStatus SocketWrite(SSLConnectionRef connection, do { length = write(sock, - (char*)dataPtr + bytesSent, + (char *)dataPtr + bytesSent, dataLen - bytesSent); } while((length > 0) && ( (bytesSent += length) < dataLen) ); @@ -279,7 +244,8 @@ static OSStatus SocketWrite(SSLConnectionRef connection, return ortn; } -CF_INLINE const char *SSLCipherNameForNumber(SSLCipherSuite cipher) { +CF_INLINE const char *SSLCipherNameForNumber(SSLCipherSuite cipher) +{ switch (cipher) { #define CIPHER(x) case x: return #x /* SSL version 3.0 */ @@ -336,7 +302,8 @@ CF_INLINE const char *SSLCipherNameForNumber(SSLCipherSuite cipher) { return "SSL_NULL_WITH_NULL_NULL"; } -CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher) { +CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher) +{ switch(cipher) { #define CIPHER(x) case x: return #x CIPHER(TLS_RSA_WITH_NULL_MD5); @@ -597,6 +564,19 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, struct Curl_easy *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + const char *ssl_cafile = SSL_CONN_CONFIG(CAfile); + bool ssl_verifypeer = SSL_CONN_CONFIG(verifypeer); + bool ssl_verifyhost = SSL_CONN_CONFIG(verifyhost); + char *ssl_cert = SSL_SET_OPTION(cert); + char *ssl_cert_type = SSL_SET_OPTION(cert_type); + char *ssl_key = SSL_SET_OPTION(key); + char *ssl_key_passwd = SSL_SET_OPTION(key_passwd); + const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + long port = SSL_IS_PROXY() ? conn->port : conn->remote_port; + const char *ssl_pinpubkey = SSL_IS_PROXY() ? + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; size_t all_ciphers_count = 0UL, allowed_ciphers_count = 0UL, i; SSLCipherSuite *all_ciphers = NULL, *allowed_ciphers = NULL; OSStatus err = noErr; 
@@ -612,7 +592,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, connssl->ssl_write_buffered_length = 0UL; /* reset buffered write length */ /* check to see if we've been told to use an explicit SSL/TLS version */ - switch(data->set.ssl.version) { + switch(conn->ssl_config.version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: (void)cSSLSetProtocolVersionMinMax(connssl->ssl_ctx, kTLSProtocol1, @@ -638,7 +618,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, return CURLE_SSL_CONNECT_ERROR; } break; - case CURL_SSLVERSION_TLSv1_2 + 1 /* CURL_SSLVERSION_TLSv1_3 */: + case CURL_SSLVERSION_TLSv1_3: failf(data, "DarwinSSL: TLS 1.3 is not yet supported"); return CURLE_SSL_CONNECT_ERROR; break; @@ -663,9 +643,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, return CURLE_SSL_CONNECT_ERROR; } - if(data->set.str[STRING_CERT]) { + if(ssl_cert) { CFArrayRef certs = NULL; - bool is_cert_file = is_file(data->set.str[STRING_CERT]); + bool is_cert_file = is_file(ssl_cert); /* User wants to authenticate with a client cert. Look for it: If we detect that this is a file on disk, then let's load it. 
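Review bot: The protocol-version switch in the `@@ -612` hunk reads `conn->ssl_config.version` directly, while every other per-connection setting this commit introduces in darwinssl_connect_step1 goes through `SSL_CONN_CONFIG(...)` or `SSL_IS_PROXY()`. If `SSL_CONN_CONFIG` selects the proxy configuration during an HTTPS-proxy handshake (its definition is not visible here), a TLS version floor configured for the proxy would be ignored and the origin's setting applied to the proxy connection instead. Consider `switch(SSL_CONN_CONFIG(version)) {` so the version selection follows the same endpoint as verifypeer and verifyhost. The function body starts and ends outside this hunk.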
@@ -680,44 +660,39 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, CFMutableStringRef hint = NULL; e.f = (errinfo_func_t)failf; e.u = data; - if(data->set.str[STRING_CERT_TYPE]) { - if(strcmp(data->set.str[STRING_CERT_TYPE], "DER") && - strcmp(data->set.str[STRING_CERT_TYPE], "PEM")) { - failf(data, "not supported file type '%s' for certificate", - data->set.str[STRING_CERT_TYPE]); + if(ssl_cert_type) { + if(strcmp(ssl_cert_type, "DER") && + strcmp(ssl_cert_type, "PEM")) { + failf(data, "unsupported file type '%s' for certificate", + ssl_cert_type); return CURLE_SSL_CERTPROBLEM; } } - certdata = CFDataCreateWithContentsOfFile(NULL, - data->set.str[STRING_CERT]); + certdata = CFDataCreateWithContentsOfFile(NULL, ssl_cert); if(!certdata) { - failf(data, "unable to read certificate data file '%s'", - data->set.str[STRING_CERT]); + failf(data, "unable to read certificate data file '%s'", ssl_cert); return CURLE_SSL_CERTPROBLEM; } - hintstr = data->set.str[STRING_CERT]; + hintstr = ssl_cert; certs = CreateCertsArrayWithData(certdata, &e); if(!certs) { CFRelease(certdata); - failf(data, "unable to load certificate data file '%s'", - data->set.str[STRING_CERT]); + failf(data, "unable to load certificate data file '%s'", ssl_cert); return CURLE_SSL_CERTPROBLEM; } - if(data->set.str[STRING_KEY]) { + if(ssl_key) { CFRelease(certdata); - certdata = CFDataCreateWithContentsOfFile(NULL, - data->set.str[STRING_KEY]); + certdata = CFDataCreateWithContentsOfFile(NULL, ssl_key); if(!certdata) { CFRelease(certs); - failf(data, "unable to read certificate key file '%s'", - data->set.str[STRING_KEY]); + failf(data, "unable to read certificate key file '%s'", ssl_key); return CURLE_SSL_CERTPROBLEM; } - hintstr = data->set.str[STRING_KEY]; + hintstr = ssl_key; } - if(data->set.str[STRING_KEY_PASSWD]) { - keypw = CFDataCreate(NULL, (UInt8 *)data->set.str[STRING_KEY_PASSWD], - strlen(data->set.str[STRING_KEY_PASSWD])); + if(ssl_key_passwd) { + keypw = 
CFDataCreate(NULL, (UInt8 *)ssl_key_passwd, + strlen(ssl_key_passwd)); } if(hintstr) { const char *base = strrchr(hintstr, '/'); @@ -754,38 +729,37 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, else { SecIdentityRef cert_and_key = NULL; CFTypeRef certs_c[1]; - if(data->set.str[STRING_KEY]) { + if(ssl_key) { infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure Trans" "port when CURLOPT_SSLCERT is a Keychain item label.\n"); } - if(data->set.str[STRING_KEY_PASSWD]) { + if(ssl_key_passwd) { infof(data, "WARNING: SSL: CURLOPT_SSLKEYPASSWD is ignored by Secure T" "ransport when CURLOPT_SSLCERT is a Keychain item label.\n" ); } - err = CopyIdentityWithLabel(data->set.str[STRING_CERT], &cert_and_key); + err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); if(err) { switch(err) { case errSecAuthFailed: case -25264: /* errSecPkcs12VerifyFailure */ failf(data, "SSL: Incorrect password for the certificate \"%s\" " - "and its private key.", data->set.str[STRING_CERT]); + "and its private key.", ssl_cert); break; case -26275: /* errSecDecode */ case -25257:/* errSecUnknownFormat */ failf(data, "SSL: Couldn't make sense of the data in the " - "certificate \"%s\" and its private key.", - data->set.str[STRING_CERT]); + "certificate \"%s\" and its private key.", ssl_cert); break; case -25260: /* errSecPassphraseRequired */ failf(data, "SSL The certificate \"%s\" requires a password.", - data->set.str[STRING_CERT]); + ssl_cert); break; case errSecItemNotFound: failf(data, "SSL: Can't find the certificate \"%s\" and its privat" - "e key in the Keychain.", data->set.str[STRING_CERT]); + "e key in the Keychain.", ssl_cert); break; default: failf(data, "SSL: Can't load the certificate \"%s\" and its privat" - "e key: OSStatus %d", data->set.str[STRING_CERT], err); + "e key: OSStatus %d", ssl_cert, err); break; } return CURLE_SSL_CERTPROBLEM; 
@@ -815,23 +789,22 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR; } - if(data->set.ssl.verifypeer) { + if(ssl_verifypeer) { /* The default anchors will be used unless SSLSetTrustedRoots is called * with an array containing at least 1 element */ - if(data->set.str[STRING_SSL_CAPATH]) { + if(SSL_CONN_CONFIG(CApath)) { failf(data, "SSL: CURLOPT_CAPATH is not supported by Secure Transport"); /* same error cURL would give without -Dhave_curlssl_ca_path */ return CURLE_NOT_BUILT_IN; } - if(data->set.str[STRING_SSL_CAFILE]) { + if(ssl_cafile) { errinfo_t e; CFArrayRef cacerts; CFDataRef cadata = CFDataCreateWithContentsOfFile(kCFAllocatorDefault, - data->set.str[STRING_SSL_CAFILE]); + ssl_cafile); if(!cadata) { - failf(data, "SSL: can't read CA certificate file %s", - data->set.str[STRING_SSL_CAFILE]); + failf(data, "SSL: can't read CA certificate file %s", ssl_cafile); return CURLE_SSL_CACERT_BADFILE; } e.f = (errinfo_func_t)failf; @@ -843,8 +816,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, cacerts = CreateCertsArrayWithData(cadata, &e); CFRelease(cadata); if(!cacerts) { - failf(data, "SSL: can't load CA certificate file %s", - data->set.str[STRING_SSL_CAFILE]); + failf(data, "SSL: can't load CA certificate file %s", ssl_cafile); return CURLE_SSL_CACERT_BADFILE; } connssl->ra = (void *)cacerts; 
@@ -857,45 +829,43 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } } else { - if(data->set.str[STRING_SSL_CAFILE] || data->set.str[STRING_SSL_CAPATH]) { + if(ssl_cafile || SSL_CONN_CONFIG(CApath)) { infof(data, "WARNING: SSL: CA certificate(s) configured, but certificate" " verification is disabled\n"); } } connssl->cf = 0; -#if LIBCURL_VERSION_NUM >= 0x072700 /* Collect public key pinning key(s). */ - if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) { + if(ssl_pinpubkey) { errinfo_t e; CFArrayRef pubkeys; CFDataRef pindata; e.f = (errinfo_func_t)failf; e.u = data; - if(IsSha256HashList(data->set.str[STRING_SSL_PINNEDPUBLICKEY])) { - pubkeys = CreatePubKeySha256Array( - data->set.str[STRING_SSL_PINNEDPUBLICKEY], &e); + if(IsSha256HashList(ssl_pinpubkey)) { + pubkeys = CreatePubKeySha256Array(ssl_pinpubkey, &e); if(!pubkeys) { failf(data, "SSL: can't parse pinned public key hashes %s", - data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + ssl_pinpubkey); return CURLE_READ_ERROR; } connssl->cf |= 0x08; } else { pindata = CFDataCreateWithContentsOfFile(kCFAllocatorDefault, - data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + ssl_pinpubkey); if(!pindata) { failf(data, "SSL: can't read pinned public key file %s", - data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + ssl_pinpubkey); return CURLE_READ_ERROR; } pubkeys = CreatePubKeyArrayWithData(pindata, &e); CFRelease(pindata); if(!pubkeys) { failf(data, "SSL: can't load pinned public key file %s", - data->set.str[STRING_SSL_PINNEDPUBLICKEY]); + ssl_pinpubkey); return CURLE_SSL_CACERT_BADFILE; /* no really good choice here */ } } 
@@ -905,21 +875,20 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } connssl->pa = (void *)pubkeys; } -#endif /* Configure hostname for SNI. * SNI requires SSLSetPeerDomainName(). * RFC 6066 section 3 forbids IPv4 and IPv6 literal addresses in SNI. */ - connssl->vh = data->set.ssl.verifyhost ? true : false; - if(conn->host.name && conn->host.name[0] && !strchr(conn->host.name, ':')) { - size_t hnl = strlen(conn->host.name); + connssl->vh = ssl_verifyhost ? true : false; + if(hostname && hostname[0] && !strchr(hostname, ':')) { + size_t hnl = strlen(hostname); - if(!IsIPv4Name(conn->host.name, hnl)) { - if(data->set.ssl.verifypeer) + if(!IsIPv4Name(hostname, hnl)) { + if(ssl_verifypeer) connssl->vh = true; - err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name, - strlen(conn->host.name)); + err = SSLSetPeerDomainName(connssl->ssl_ctx, hostname, + strlen(hostname)); if(err != noErr) { infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d" @@ -1041,15 +1010,13 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, /* We want to enable 1/n-1 when using a CBC cipher unless the user specifically doesn't want us doing that: */ cSSLSetSessionOption(connssl->ssl_ctx, kSSLSessionOptionSendOneByteRecord, - !data->set.ssl_enable_beast); -#if LIBCURL_VERSION_NUM >= 0x072a00 + !data->set.ssl.enable_beast); cSSLSetSessionOption(connssl->ssl_ctx, kSSLSessionOptionFalseStart, data->set.ssl.falsestart); /* false start support */ -#endif } /* Check if there's a cached ID we can/should use here! */ - if(conn->ssl_config.sessionid) { + if(data->set.general_ssl.sessionid) { char *ssl_sessionid; size_t ssl_sessionid_len; 
@@ -1070,25 +1037,20 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, to starting the handshake. */ else { CURLcode result; -#if LIBCURL_VERSION_NUM >= 0x072700 -#define PKSTR data->set.str[STRING_SSL_PINNEDPUBLICKEY] -#else -#define PKSTR NULL -#endif #define NSTR(s) ((s)?(s):"") ssl_sessionid = NULL; asprintf(&ssl_sessionid, "%s:%s:%s:%d:%d:%s:%hu", - NSTR(data->set.str[STRING_SSL_CAFILE]), - NSTR(PKSTR), NSTR(data->set.str[STRING_CERT]), - data->set.ssl.verifypeer, data->set.ssl.verifyhost, - NSTR(conn->host.name), (unsigned short)conn->remote_port); + NSTR(ssl_cafile), + NSTR(ssl_pinpubkey), + NSTR(ssl_cert), + ssl_verifypeer, ssl_verifyhost, + NSTR(hostname), (unsigned short)conn->remote_port); if(ssl_sessionid == NULL) { failf(data, "SSL: asprintf failed: out of memory"); return CURLE_SSL_CONNECT_ERROR; } ssl_sessionid_len = strlen(ssl_sessionid); #undef NSTR -#undef PKSTR err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len); if(err != noErr) { @@ -1145,6 +1107,10 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) SSLCipherSuite cipher; SSLProtocol protocol = 0; unsigned vflags = 0; + bool ssl_verifypeer = SSL_CONN_CONFIG(verifypeer); + bool ssl_verifyhost = SSL_CONN_CONFIG(verifyhost); + const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; DEBUGASSERT(ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state 
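Review bot: The peer ID built by `asprintf` in the `@@ -1070` hunk pairs `NSTR(hostname)`, which is the proxy host when `SSL_IS_PROXY()` is true, with `(unsigned short)conn->remote_port`, which is the origin's port. The proxy-aware `port` local added at the top of darwinssl_connect_step1 (hunk `@@ -597`) is not used in any visible hunk. Because darwinssl_connect_step2 skips `VerifyTrustChain` when a session is reported as resumed, this string is what keeps cached sessions for different endpoints apart, and a proxy and an origin that share a host name can end up with the same ID. Use the selected port instead, `NSTR(hostname), (unsigned short)port);`, and consider adding a proxy/origin marker to the format string so the two roles can never share an entry.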
@@ -1154,14 +1120,13 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) err = SSLHandshake(connssl->ssl_ctx); /* set up the verify flags now */ - if(data->set.ssl.verifyhost && !data->set.ssl.verifypeer && conn->host.name - && conn->host.name[0]) + if(ssl_verifyhost && !ssl_verifypeer && hostname && hostname[0]) vflags |= 0x04; - if(connssl->pa && !data->set.ssl.verifypeer && !vflags) + if(connssl->pa && !ssl_verifypeer && !vflags) vflags |= 0x02; if(err == errSSLServerAuthCompleted) { - if(data->set.ssl.verifypeer || vflags) { + if(ssl_verifypeer || vflags) { SecTrustRef trust = NULL; err = cSSLCopyPeerTrust(connssl->ssl_ctx, &trust); if(err) { @@ -1169,7 +1134,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) return CURLE_SSL_CONNECT_ERROR; } err = VerifyTrustChain(trust, connssl->ra, connssl->cf|vflags, 0, - connssl->vh ? conn->host.name : NULL, (CFArrayRef)connssl->pa); + connssl->vh ? hostname : NULL, (CFArrayRef)connssl->pa); CFRelease(trust); } else { @@ -1202,18 +1167,18 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) err2 = cSSLCopyPeerTrust(connssl->ssl_ctx, &trust); resumed = !err2 && !trust && is_ssl_ctx_connected(connssl->ssl_ctx); if(resumed) infof(data, "SSL successfully resumed session\n"); - if(!err && !resumed && (data->set.ssl.verifypeer || vflags)) { + if(!err && !resumed && (ssl_verifypeer || vflags)) { if(err2) { failf(data, "SSL failed to retrieve SecTrust (%i)", (int)err); return CURLE_SSL_CONNECT_ERROR; } err = VerifyTrustChain(trust, connssl->ra, connssl->cf|vflags, 0, - connssl->vh ? conn->host.name : NULL, (CFArrayRef)connssl->pa); + connssl->vh ? hostname : NULL, (CFArrayRef)connssl->pa); } /* Try to show the peer certificates unless we've connected successfully * and have verified the peer */ - if(err || !data->set.ssl.verifypeer) { + if(err || !ssl_verifypeer) { CFArrayRef srv_certs; OSStatus err3 = cSSLCopyPeerCertificates(connssl->ssl_ctx, &srv_certs); 
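Review bot: In the `@@ -1202` hunk the `if(err2)` branch logs `(int)err`, but that branch is only reached when `!err` holds, so "SSL failed to retrieve SecTrust (%i)" always prints 0 and the real status from `cSSLCopyPeerTrust` is lost. Since this path decides whether the trust chain gets evaluated at all, the log should carry the value that actually failed: `failf(data, "SSL failed to retrieve SecTrust (%i)", (int)err2);`. The line is unchanged context next to the edited condition, and the enclosing block continues outside the hunk.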
@@ -1240,7 +1205,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) switch (err) { case errSSLServerAuthCompleted: failf(data, "SSL unexpected errSSLServerAuthCompleted error in " - "connection to %s", conn->host.name); + "connection to %s", hostname); return CURLE_SSL_CONNECT_ERROR; /* These are all certificate problems with the server: */ @@ -1297,14 +1262,12 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) "certificate did not match \"%s\"", conn->host.dispname); return CURLE_PEER_FAILED_VERIFICATION; -#if LIBCURL_VERSION_NUM >= 0x072700 /* This error is raised if public key pinning is enabled and the server certificate's public key does not match: */ case errSecPinnedKeyMismatch: failf(data, "SSL certificate public key does not match pinned public " "key(s)"); return CURLE_SSL_PINNEDPUBKEYNOTMATCH; -#endif /* Generic handshake errors: */ case errSSLConnectionRefused: @@ -1327,7 +1290,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) return CURLE_SSL_CONNECT_ERROR; default: failf(data, "Unknown SSL protocol error in connection to %s: %d", - conn->host.name, err); + hostname, err); return CURLE_SSL_CONNECT_ERROR; } } @@ -1663,8 +1626,8 @@ bool Curl_darwinssl_data_pending(const struct connectdata *conn, return false; } -int Curl_darwinssl_random(unsigned char *entropy, - size_t length) +CURLcode Curl_darwinssl_random(unsigned char *entropy, + size_t length) { /* arc4random_buf() isn't available on cats older than Lion, so let's do this manually for the benefit of the older cats. */ @@ -1678,7 +1641,7 @@ int Curl_darwinssl_random(unsigned char *entropy, random_number >>= 8; } i = random_number = 0; - return 0; + return CURLE_OK; } void Curl_darwinssl_md5sum(unsigned char *tmp, /* input */ 
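Review bot: The "certificate did not match" message kept as context in the `@@ -1297` hunk still prints `conn->host.dispname`, while the other `failf` calls in darwinssl_connect_step2 were switched to the proxy-aware `hostname`. When the rejected certificate belongs to the HTTPS proxy, the log would name the origin server rather than the host that failed verification, which misdirects whoever triages the failure. Consider choosing the display name the same way, e.g. `SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname`, assuming `http_proxy.host` carries the same `dispname` field as `conn->host`. The enclosing switch starts and ends outside the hunk.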
@@ -1698,7 +1661,8 @@ void Curl_darwinssl_md5sum(unsigned char *tmp, /* input */ } bool Curl_darwinssl_false_start(void); -bool Curl_darwinssl_false_start(void) { +bool Curl_darwinssl_false_start(void) +{ return kCFCoreFoundationVersionNumber >= kCFCoreFoundationVersionNumber10_9; } diff --git a/patches/curl/q/series b/patches/curl/q/series index ca3ec4e..821970d 100644 --- a/patches/curl/q/series +++ b/patches/curl/q/series @@ -3,5 +3,4 @@ t_ntlm_no-one-shot.diff -p1 t_pinning_dummy-key.diff -p1 t_pinning_darwin.diff -p1 t_securetransport_extra-data.diff -p1 -t_vtls_reuse-client-session.diff -p1 t_docs_manpage.diff -p1 diff --git a/patches/curl/q/t_docs_manpage.diff b/patches/curl/q/t_docs_manpage.diff index 25ecd16..9b2adef 100644 --- a/patches/curl/q/t_docs_manpage.diff +++ b/patches/curl/q/t_docs_manpage.diff @@ -9,48 +9,85 @@ Update it to provide accurate information. Signed-off-by: Kyle J. McKay --- - docs/curl.1 | 82 +++++++++++++++++++++++++------------------------------------ - 1 file changed, 33 insertions(+), 49 deletions(-) + docs/curl.1 | 85 +++++++++++++++++++++++++------------------------------------ + 1 file changed, 34 insertions(+), 51 deletions(-) diff --git a/docs/curl.1 b/docs/curl.1 -index f5375ed7..be997c9e 100644 +index 600853eb..bb5e1368 100644 --- a/docs/curl.1 +++ b/docs/curl.1 
@@ -18,6 +18,9 @@ .\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY .\" * KIND, either express or implied. .\" * -+.\" * Updates for improved DarwinSSL vtls Copyright (C) 2016 Kyle J. McKay. ++.\" * Updates for improved DarwinSSL vtls Copyright (C) 2016,2017 Kyle J. McKay. +.\" * All rights reserved. +.\" * .\" ************************************************************************** .\" - .TH curl 1 "30 Nov 2014" "Curl 7.40.0" "Curl Manual" -@@ -330,6 +333,9 @@ List that may specify peer certificates that are to be considered revoked. + .\" DO NOT EDIT. Generated by the curl project gen.pl man page generator. +@@ -179,22 +182,9 @@ may contain multiple CA certificates. The certificate(s) must be in PEM + format. Normally curl is built to use a default file for this, so this option + is typically used to alter that default file. + +-curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is +-set, and uses the given path as a path to a CA cert bundle. This option +-overrides that variable. +- +-The windows version of curl will automatically look for a CA certs file named +-\'curl-ca-bundle.crt\', either in the same directory as curl.exe, or in the +-Current Working Directory, or in any folder along your PATH. +- +-If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module +-(libnsspem.so) needs to be available for this option to work properly. +- +-(iOS and macOS only) If curl is built against Secure Transport, then this +-option is supported for backward compatibility with other SSL engines, but it +-should not be set. If the option is not set, then curl will use the +-certificates in the system and user Keychain to verify the peer, which is the +-preferred method of verifying the peer's certificate chain. ++If this option is not set, then curl will use the certificates in the system ++and user Keychains to verify the peer, which is the preferred method of ++verifying the peer's certificate chain. 
If this option is used several times, the last one will be used. + .IP "--capath " +@@ -208,6 +198,8 @@ OpenSSL-powered curl to make SSL-connections much more efficiently than using -+This option is NOT supported in this build. Certificates may be added to the -+System keychain and marked as "Never Trust" as an alternative. + If this option is set, the default capath value will be ignored, and if it is + used several times, the last one will be used. + - (Added in 7.19.7) - .IP "-d, --data " - (HTTP) Sends the specified data in a POST request to the HTTP server, in the -@@ -503,28 +509,18 @@ automatically set the previous URL when it follows a Location: header. The ++This option is NOT supported with this SecureTransport-based build of curl. + .IP "--cert-status" + (TLS) Tells curl to verify the status of the server certificate by using the + Certificate Status Request (aka. OCSP stapling) TLS extension. +@@ -216,40 +208,32 @@ If this option is enabled and the server sends an invalid (e.g. expired) + response, if the response suggests that the server certificate has been revoked, + or no response at all is received, the verification fails. + +-This is currently only implemented in the OpenSSL, GnuTLS and NSS backends. ++This is currently only implemented in the OpenSSL, GnuTLS and NSS backends which ++means it is NOT supported in this build. + + Added in 7.41.0. + .IP "--cert-type " + (TLS) Tells curl what certificate type the provided certificate is in. PEM, DER and +-ENG are recognized types. If not specified, PEM is assumed. ++ENG are recognized types. If not specified, PEM is assumed. Use of DER format ++is not recommended as only a single client leaf certificate is supported in that case. + If this option is used several times, the last one will be used. + + See also \fI-E, --cert\fP and \fI--key\fP and \fI--key-type\fP. 
.IP "-E, --cert " - (SSL) Tells curl to use the specified client certificate file when getting a --file with HTTPS, FTPS or another SSL-based protocol. The certificate must be --in PKCS#12 format if using Secure Transport, or PEM format if using any other + (TLS) Tells curl to use the specified client certificate file when getting a file +-with HTTPS, FTPS or another SSL-based protocol. The certificate must be in +-PKCS#12 format if using Secure Transport, or PEM format if using any other -engine. If the optional password isn't specified, it will be queried for on -the terminal. Note that this option assumes a \&"certificate" file that is the --private key and the client certificate concatenated! See \fI--cert\fP and -+file with HTTPS, FTPS or another SSL-based protocol. The client certificate(s) -+must be in PEM format. If the optional password isn't specified, it will be -+queried for. Note that this option assumes a \&"certificate" file that is the -+private key and the client certificate(s) concatenated! See \fI--cert\fP and - \fI--key\fP to specify them independently. - +-private key and the client certificate concatenated! See \fI-E, --cert\fP and \fI--key\fP to +-specify them independently. +- -If curl is built against the NSS SSL library then this option can tell -curl the nickname of the certificate to use within the NSS database defined -by the environment variable SSL_DIR (or by default /etc/pki/nssdb). If the 
@@ -66,62 +103,35 @@ index f5375ed7..be997c9e 100644 -system or user keychain, or the path to a PKCS#12-encoded certificate and -private key. If you want to use a file from the current directory, please -precede it with "./" prefix, in order to avoid confusion with a nickname. ++with HTTPS, FTPS or another SSL-based protocol. The certificate(s) must be in ++PEM format. If the optional password isn't specified, it will be prompted for ++interactively. Note that this option assumes a \&"certificate" file that is the ++private key and the client certificate(s) concatenated! Use both the ++\fI-E, --cert\fP and \fI--key\fP options to specify them independently. ++ +The certificate string can either be the name of a certificate/private key in +the system or user keychain, or the path to a PEM format certificate(s) and +(optioanlly) private key file. If you want to use a file from the current -+directory, please precede it with "./" prefix, in order to avoid confusion with ++directory, please precede it with a "./" prefix, in order to avoid confusion with +a nickname. Note that if the client certificate is located in the user/system +keychain then the password must also be in the keychain. If this option is used several times, the last one will be used. - .IP "--engine " -@@ -549,7 +545,9 @@ curl stops waiting, it will continue as if the response has been received. - (Added in 7.47.0) - .IP "--cert-type " - (SSL) Tells curl what certificate type the provided certificate is in. PEM, --DER and ENG are recognized types. If not specified, PEM is assumed. -+DER and ENG are recognized types. If not specified, PEM is assumed. Use of -+DER format is not recommended as only a single client leaf certificate is -+supported in that case. - If this option is used several times, the last one will be used. - .IP "--cacert " -@@ -558,22 +556,9 @@ file may contain multiple CA certificates. The certificate(s) must be in PEM - format. 
Normally curl is built to use a default file for this, so this option - is typically used to alter that default file. - --curl recognizes the environment variable named 'CURL_CA_BUNDLE' if it is --set, and uses the given path as a path to a CA cert bundle. This option --overrides that variable. -- --The windows version of curl will automatically look for a CA certs file named --\'curl-ca-bundle.crt\', either in the same directory as curl.exe, or in the --Current Working Directory, or in any folder along your PATH. -- --If curl is built against the NSS SSL library, the NSS PEM PKCS#11 module --(libnsspem.so) needs to be available for this option to work properly. -- --(iOS and macOS only) If curl is built against Secure Transport, then this --option is supported for backward compatibility with other SSL engines, but it --should not be set. If the option is not set, then curl will use the --certificates in the system and user Keychain to verify the peer, which is the --preferred method of verifying the peer's certificate chain. -+If this option is not set, then curl will use the certificates in the system -+and user Keychains to verify the peer, which is the preferred method of -+verifying the peer's certificate chain. +@@ -424,6 +408,9 @@ specify peer certificates that are to be considered revoked. If this option is used several times, the last one will be used. - .IP "--capath " -@@ -587,27 +572,25 @@ OpenSSL-powered curl to make SSL-connections much more efficiently than using - If this option is set, the default capath value will be ignored, and if it is - used several times, the last one will be used. ++This option is NOT supported in this build. Certificates may be added to the ++System keychain and marked as "Never Trust" as an alternative. + -+This option is NOT supported with this SecureTransport-based build of curl. - .IP "--pinnedpubkey " - (SSL) Tells curl to use the specified public key file (or hashes) to verify the - peer. 
This can be a path to a file which contains a single public key in PEM or - DER format, or any number of base64 encoded sha256 hashes preceded by + Added in 7.19.7. + .IP "--data-ascii " + (HTTP) This is just an alias for \fI-d, --data\fP. +@@ -1323,23 +1310,19 @@ Added in 7.42.0. + (TLS) Tells curl to use the specified public key file (or hashes) to verify the + peer. This can be a path to a file which contains a single public key in PEM + or DER format, or any number of base64 encoded sha256 hashes preceded by -\'sha256//\' and separated by \';\' +\'sha256//\' and separated by \';\'. + @@ -148,15 +158,5 @@ index f5375ed7..be997c9e 100644 +PEM/DER format files AND sha256 hashes. If this option is used several times, the last one will be used. - .IP "--cert-status" -@@ -618,7 +601,8 @@ If this option is enabled and the server sends an invalid (e.g. expired) - response, if the response suggests that the server certificate has been revoked, - or no response at all is received, the verification fails. - --This is currently only implemented in the OpenSSL, GnuTLS and NSS backends. -+This is currently only implemented in the OpenSSL, GnuTLS and NSS backends which -+means it is NOT supported in this build. - (Added in 7.41.0) - .IP "--false-start" - + .IP "--post301" --- diff --git a/patches/curl/q/t_ntlm_no-one-shot.diff b/patches/curl/q/t_ntlm_no-one-shot.diff index 167612f..3b92fe0 100644 --- a/patches/curl/q/t_ntlm_no-one-shot.diff +++ b/patches/curl/q/t_ntlm_no-one-shot.diff @@ -11,7 +11,7 @@ Signed-off-by: Kyle J. McKay 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c -index 812a0731..891bc11d 100644 +index e02983ce..5d32304a 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -573,7 +573,10 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, diff --git a/patches/curl/q/t_pinning_darwin.diff b/patches/curl/q/t_pinning_darwin.diff index 8b9069d..dda1cf9 100644 
--- a/patches/curl/q/t_pinning_darwin.diff +++ b/patches/curl/q/t_pinning_darwin.diff @@ -10,7 +10,7 @@ Signed-off-by: Kyle J. McKay 2 files changed, 4 insertions(+) diff --git a/lib/vtls/darwinssl.h b/lib/vtls/darwinssl.h -index 8b185b67..6cafab7d 100644 +index 4bd41ca4..fa369e53 100644 --- a/lib/vtls/darwinssl.h +++ b/lib/vtls/darwinssl.h @@ -53,6 +53,9 @@ bool Curl_darwinssl_false_start(void); @@ -24,7 +24,7 @@ index 8b185b67..6cafab7d 100644 #define curlssl_init() (1) #define curlssl_cleanup() Curl_nop_stmt diff --git a/tests/runtests.pl b/tests/runtests.pl -index b8497f9c..f0dbc1b2 100755 +index 583ba3b7..89e8381b 100755 --- a/tests/runtests.pl +++ b/tests/runtests.pl @@ -2411,6 +2411,7 @@ sub checksystem { diff --git a/patches/curl/q/t_securetransport_extra-data.diff b/patches/curl/q/t_securetransport_extra-data.diff index 5c266b1..6cc1bf9 100644 --- a/patches/curl/q/t_securetransport_extra-data.diff +++ b/patches/curl/q/t_securetransport_extra-data.diff @@ -7,10 +7,10 @@ Signed-off-by: Kyle J. McKay 1 file changed, 5 insertions(+) diff --git a/lib/urldata.h b/lib/urldata.h -index 7c7bf1ba..172319da 100644 +index 648b3e81..cd3e1c43 100644 --- a/lib/urldata.h +++ b/lib/urldata.h -@@ -336,6 +336,11 @@ struct ssl_connect_data { +@@ -341,6 +341,11 @@ struct ssl_connect_data { curl_socket_t ssl_sockfd; bool ssl_direction; /* true if writing, false if reading */ size_t ssl_write_buffered_length; diff --git a/patches/curl/q/t_vtls_reuse-client-session.diff b/patches/curl/q/t_vtls_reuse-client-session.diff deleted file mode 100644 index d327d7d..0000000 --- a/patches/curl/q/t_vtls_reuse-client-session.diff +++ /dev/null 
@@ -1,33 +0,0 @@ -Subject: [PATCH] allow session resume with same client certificate - -cURL 7.50.1 introduced a fix for CVE-2016-5419 that prevents resuming a TLS session -whenever a client certificate is in use. Stock cURL could have resumed a TLS session -that was actually authenticated using a different client certificate without this fix. - -However, the darwin vtls used by the Git OS X Installer always includes the client -certificate file name in the computed session id so it is incapable of resuming a TLS -session with a mismatched client certificate. - -Re-enable the ability to resume TLS sessions that use client certificates to avoid the -unnecessary performance penalty since the Git OS X Installer darwin vtls is not in any -way vulnerable to the CVE-2016-5419 problem. - -Signed-off-by: Kyle J. McKay - ---- - lib/vtls/vtls.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c -index 56a88234..794ffa9f 100644 ---- a/lib/vtls/vtls.c -+++ b/lib/vtls/vtls.c -@@ -159,7 +159,6 @@ Curl_clone_ssl_config(struct ssl_config_data *source, - dest->clientcert = strdup(source->clientcert); - if(!dest->clientcert) - return FALSE; -- dest->sessionid = FALSE; - } - else - dest->clientcert = NULL; ---- -- 2.11.4.GIT