# if (GNUTLS_VERSION_NUMBER >= 0x020c03)
# define GNUTLS_MAPS_WINSOCK_ERRORS 1
# endif
+
+# ifdef USE_NGHTTP2
+# undef HAS_ALPN
+# if (GNUTLS_VERSION_NUMBER >= 0x030200)
+# define HAS_ALPN
+# endif
+# endif
#endif
/*
infof(data, "%s\n", data->state.buffer);
}
-static gnutls_datum load_file (const char *file)
+static gnutls_datum_t load_file (const char *file)
{
FILE *f;
- gnutls_datum loaded_file = { NULL, 0 };
+ gnutls_datum_t loaded_file = { NULL, 0 };
long filelen;
void *ptr;
return loaded_file;
}
-static void unload_file(gnutls_datum data) {
+static void unload_file(gnutls_datum_t data) {
free(data.data);
}
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
- gnutls_session session = conn->ssl[sockindex].session;
+ gnutls_session_t session = conn->ssl[sockindex].session;
curl_socket_t sockfd = conn->sock[sockindex];
long timeout_ms;
int rc;
}
}
-static gnutls_x509_crt_fmt do_file_type(const char *type)
+static gnutls_x509_crt_fmt_t do_file_type(const char *type)
{
if(!type || !type[0])
return GNUTLS_X509_FMT_PEM;
int sockindex)
{
struct SessionHandle *data = conn->data;
- gnutls_session session;
+ gnutls_session_t session;
int rc;
void *ssl_sessionid;
size_t ssl_idsize;
struct in_addr addr;
#endif
#ifndef USE_GNUTLS_PRIORITY_SET_DIRECT
- static int cipher_priority[] = { GNUTLS_CIPHER_AES_128_GCM,
- GNUTLS_CIPHER_AES_256_GCM, GNUTLS_CIPHER_AES_128_CBC,
- GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_CAMELLIA_128_CBC,
- GNUTLS_CIPHER_CAMELLIA_256_CBC, GNUTLS_CIPHER_3DES_CBC,
+ static const int cipher_priority[] = {
+ /* These two ciphers were added to GnuTLS as late as ver. 3.0.1,
+ but this code path is only ever used for ver. < 2.12.0.
+ GNUTLS_CIPHER_AES_128_GCM,
+ GNUTLS_CIPHER_AES_256_GCM,
+ */
+ GNUTLS_CIPHER_AES_128_CBC,
+ GNUTLS_CIPHER_AES_256_CBC,
+ GNUTLS_CIPHER_CAMELLIA_128_CBC,
+ GNUTLS_CIPHER_CAMELLIA_256_CBC,
+ GNUTLS_CIPHER_3DES_CBC,
};
static const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 };
static int protocol_priority[] = { 0, 0, 0, 0 };
const char* prioritylist;
const char *err;
#endif
+#ifdef HAS_ALPN
+ int protocols_size = 2;
+ gnutls_datum_t protocols[2];
+#endif
if(conn->ssl[sockindex].state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the
break;
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
- prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0";
+ prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:+SRP";
break;
case CURL_SSLVERSION_TLSv1_0:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.0";
+ "+VERS-TLS1.0:+SRP";
break;
case CURL_SSLVERSION_TLSv1_1:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.1";
+ "+VERS-TLS1.1:+SRP";
break;
case CURL_SSLVERSION_TLSv1_2:
prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.2";
+ "+VERS-TLS1.2:+SRP";
break;
case CURL_SSLVERSION_SSLv2:
default:
rc = gnutls_priority_set_direct(session, prioritylist, &err);
#endif
+#ifdef HAS_ALPN
+ if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
+ if(data->set.ssl_enable_alpn) {
+ protocols[0].data = NGHTTP2_PROTO_VERSION_ID;
+ protocols[0].size = NGHTTP2_PROTO_VERSION_ID_LEN;
+ protocols[1].data = ALPN_HTTP_1_1;
+ protocols[1].size = ALPN_HTTP_1_1_LENGTH;
+ gnutls_alpn_set_protocols(session, protocols, protocols_size, 0);
+ infof(data, "ALPN, offering %s, %s\n", NGHTTP2_PROTO_VERSION_ID,
+ ALPN_HTTP_1_1);
+ }
+ else {
+ infof(data, "SSL, can't negotiate HTTP/2.0 without ALPN\n");
+ }
+ }
+#endif
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "Did you pass a valid GnuTLS cipher list?");
int sockindex)
{
unsigned int cert_list_size;
- const gnutls_datum *chainp;
+ const gnutls_datum_t *chainp;
unsigned int verify_status;
- gnutls_x509_crt x509_cert,x509_issuer;
- gnutls_datum issuerp;
- char certbuf[256]; /* big enough? */
+ gnutls_x509_crt_t x509_cert,x509_issuer;
+ gnutls_datum_t issuerp;
+ char certbuf[256] = ""; /* big enough? */
size_t size;
unsigned int algo;
unsigned int bits;
time_t certclock;
const char *ptr;
struct SessionHandle *data = conn->data;
- gnutls_session session = conn->ssl[sockindex].session;
+ gnutls_session_t session = conn->ssl[sockindex].session;
int rc;
int incache;
void *ssl_sessionid;
+#ifdef HAS_ALPN
+ gnutls_datum_t proto;
+#endif
CURLcode result = CURLE_OK;
/* This function will return the peer's raw certificate (chain) as sent by
/* initialize an X.509 certificate structure. */
gnutls_x509_crt_init(&x509_cert);
- /* convert the given DER or PEM encoded Certificate to the native
- gnutls_x509_crt_t format */
- gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
+ if(chainp)
+ /* convert the given DER or PEM encoded Certificate to the native
+ gnutls_x509_crt_t format */
+ gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
if(data->set.ssl.issuercert) {
gnutls_x509_crt_init(&x509_issuer);
certclock = gnutls_x509_crt_get_expiration_time(x509_cert);
if(certclock == (time_t)-1) {
- failf(data, "server cert expiration date verify failed");
- return CURLE_SSL_CONNECT_ERROR;
- }
-
- if(certclock < time(NULL)) {
if(data->set.ssl.verifypeer) {
- failf(data, "server certificate expiration date has passed.");
- return CURLE_PEER_FAILED_VERIFICATION;
+ failf(data, "server cert expiration date verify failed");
+ return CURLE_SSL_CONNECT_ERROR;
}
else
- infof(data, "\t server certificate expiration date FAILED\n");
+ infof(data, "\t server certificate expiration date verify FAILED\n");
+ }
+ else {
+ if(certclock < time(NULL)) {
+ if(data->set.ssl.verifypeer) {
+ failf(data, "server certificate expiration date has passed.");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "\t server certificate expiration date FAILED\n");
+ }
+ else
+ infof(data, "\t server certificate expiration date OK\n");
}
- else
- infof(data, "\t server certificate expiration date OK\n");
certclock = gnutls_x509_crt_get_activation_time(x509_cert);
if(certclock == (time_t)-1) {
- failf(data, "server cert activation date verify failed");
- return CURLE_SSL_CONNECT_ERROR;
- }
-
- if(certclock > time(NULL)) {
if(data->set.ssl.verifypeer) {
- failf(data, "server certificate not activated yet.");
- return CURLE_PEER_FAILED_VERIFICATION;
+ failf(data, "server cert activation date verify failed");
+ return CURLE_SSL_CONNECT_ERROR;
}
else
- infof(data, "\t server certificate activation date FAILED\n");
+ infof(data, "\t server certificate activation date verify FAILED\n");
+ }
+ else {
+ if(certclock > time(NULL)) {
+ if(data->set.ssl.verifypeer) {
+ failf(data, "server certificate not activated yet.");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ else
+ infof(data, "\t server certificate activation date FAILED\n");
+ }
+ else
+ infof(data, "\t server certificate activation date OK\n");
}
- else
- infof(data, "\t server certificate activation date OK\n");
/* Show:
ptr = gnutls_mac_get_name(gnutls_mac_get(session));
infof(data, "\t MAC: %s\n", ptr);
+#ifdef HAS_ALPN
+ if(data->set.ssl_enable_alpn) {
+ rc = gnutls_alpn_get_selected_protocol(session, &proto);
+ if(rc == 0) {
+ infof(data, "ALPN, server accepted to use %.*s\n", proto.size,
+ proto.data);
+
+ if(proto.size == NGHTTP2_PROTO_VERSION_ID_LEN &&
+ memcmp(NGHTTP2_PROTO_VERSION_ID, proto.data,
+ NGHTTP2_PROTO_VERSION_ID_LEN) == 0) {
+ conn->negnpn = NPN_HTTP2;
+ }
+ else if(proto.size == ALPN_HTTP_1_1_LENGTH && memcmp(ALPN_HTTP_1_1,
+ proto.data, ALPN_HTTP_1_1_LENGTH) == 0) {
+ conn->negnpn = NPN_HTTP1_1;
+ }
+ }
+ else {
+ infof(data, "ALPN, server did not agree to a protocol\n");
+ }
+ }
+#endif
+
conn->ssl[sockindex].state = ssl_connection_complete;
conn->recv[sockindex] = gtls_recv;
conn->send[sockindex] = gtls_send;
might've been rejected and then a new one is in use now and we need to
detect that. */
void *connect_sessionid;
- size_t connect_idsize;
+ size_t connect_idsize = 0;
/* get the session ID data size */
gnutls_session_get_data(session, NULL, &connect_idsize);
projects / platform / upstream / curl.git / blobdiff