[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[gnurl] 171/264: gnutls: ensure TLS 1.3 when SRP isn't requested
From: |
gnunet |
Subject: |
[gnurl] 171/264: gnutls: ensure TLS 1.3 when SRP isn't requested |
Date: |
Thu, 30 Apr 2020 16:07:54 +0200 |
This is an automated email from the git hooks/post-receive script.
nikita pushed a commit to branch master
in repository gnurl.
commit d59090831892210c2b0d38e92b492d6b36a3c70c
Author: Dirkjan Bussink <address@hidden>
AuthorDate: Sun Apr 12 11:29:09 2020 +0000
gnutls: ensure TLS 1.3 when SRP isn't requested
When SRP is requested in the priority string, GnuTLS will disable
support for TLS 1.3. Before this change, curl would always add +SRP to
the priority list, effectively always disabling TLS 1.3 support.
With this change, +SRP is only added to the priority list when SRP
authentication is also requested. This also allows updating the error
handling here to not have to retry without SRP. This is because SRP is
only added when requested and in that case a retry is not needed.
Closes #5223
---
lib/vtls/gtls.c | 81 ++++++++++++++++++++++++++++++++-------------------------
1 file changed, 45 insertions(+), 36 deletions(-)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index ec4904ee2..7192dd2e7 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -446,32 +446,32 @@ set_ssl_version_min_max(const char **prioritylist, struct
connectdata *conn)
switch(ssl_version | ssl_version_max) {
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_0:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.0:" GNUTLS_SRP;
+ "+VERS-TLS1.0";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_1:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.0:+VERS-TLS1.1:" GNUTLS_SRP;
+ "+VERS-TLS1.0:+VERS-TLS1.1";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_TLSv1_2:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:" GNUTLS_SRP;
+ "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.1:" GNUTLS_SRP;
+ "+VERS-TLS1.1";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_2:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.1:+VERS-TLS1.2:" GNUTLS_SRP;
+ "+VERS-TLS1.1:+VERS-TLS1.2";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_TLSv1_2:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.2:" GNUTLS_SRP;
+ "+VERS-TLS1.2";
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_TLSv1_3:
#ifdef HAS_TLS13
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.3:" GNUTLS_SRP;
+ "+VERS-TLS1.3";
return CURLE_OK;
#else
failf(data, "GnuTLS: TLS 1.3 is not yet supported");
@@ -479,35 +479,35 @@ set_ssl_version_min_max(const char **prioritylist, struct
connectdata *conn)
#endif
case CURL_SSLVERSION_TLSv1_0 | CURL_SSLVERSION_MAX_DEFAULT:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2:"
+ "+VERS-TLS1.0:+VERS-TLS1.1:+VERS-TLS1.2"
#ifdef HAS_TLS13
- "+VERS-TLS1.3:"
+ ":+VERS-TLS1.3"
#endif
- GNUTLS_SRP;
+ ;
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_DEFAULT:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.1:+VERS-TLS1.2:"
+ "+VERS-TLS1.1:+VERS-TLS1.2"
#ifdef HAS_TLS13
- "+VERS-TLS1.3:"
+ ":+VERS-TLS1.3"
#endif
- GNUTLS_SRP;
+ ;
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_2 | CURL_SSLVERSION_MAX_DEFAULT:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.2:"
+ "+VERS-TLS1.2"
#ifdef HAS_TLS13
- "+VERS-TLS1.3:"
+ ":+VERS-TLS1.3"
#endif
- GNUTLS_SRP;
+ ;
return CURLE_OK;
case CURL_SSLVERSION_TLSv1_3 | CURL_SSLVERSION_MAX_DEFAULT:
*prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:"
- "+VERS-TLS1.2:"
+ "+VERS-TLS1.2"
#ifdef HAS_TLS13
- "+VERS-TLS1.3:"
+ ":+VERS-TLS1.3"
#endif
- GNUTLS_SRP;
+ ;
return CURLE_OK;
}
@@ -764,11 +764,11 @@ gtls_connect_step1(struct connectdata *conn,
break;
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
- prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:"
+ prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0"
#ifdef HAS_TLS13
- "+VERS-TLS1.3:"
+ ":+VERS-TLS1.3"
#endif
- GNUTLS_SRP;
+ ;
break;
case CURL_SSLVERSION_TLSv1_0:
case CURL_SSLVERSION_TLSv1_1:
@@ -787,24 +787,33 @@ gtls_connect_step1(struct connectdata *conn,
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
return CURLE_SSL_CONNECT_ERROR;
}
- rc = gnutls_priority_set_direct(session, prioritylist, &err);
- if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
- if(!strcmp(err, GNUTLS_SRP)) {
- /* This GnuTLS was probably compiled without support for SRP.
- * Note that fact and try again without it. */
- int validprioritylen = curlx_uztosi(err - prioritylist);
- char *prioritycopy = strdup(prioritylist);
- if(!prioritycopy)
- return CURLE_OUT_OF_MEMORY;
+#ifdef USE_TLS_SRP
+ /* Only add SRP to the cipher list if SRP is requested. Otherwise
+ * GnuTLS will disable TLS 1.3 support. */
+ if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
+ size_t len = strlen(prioritylist);
+
+ char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
+ if(!prioritysrp)
+ return CURLE_OUT_OF_MEMORY;
+ strcpy(prioritysrp, prioritylist);
+ strcpy(prioritysrp + len, ":" GNUTLS_SRP);
+
+ rc = gnutls_priority_set_direct(session, prioritysrp, &err);
+ free(prioritysrp);
+
+ if((rc == GNUTLS_E_INVALID_REQUEST) && err) {
infof(data, "This GnuTLS does not support SRP\n");
- if(validprioritylen)
- /* Remove the :+SRP */
- prioritycopy[validprioritylen - 1] = 0;
- rc = gnutls_priority_set_direct(session, prioritycopy, &err);
- free(prioritycopy);
}
}
+ else {
+#endif
+ rc = gnutls_priority_set_direct(session, prioritylist, &err);
+#ifdef USE_TLS_SRP
+ }
+#endif
+
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "Error %d setting GnuTLS cipher list starting with %s",
rc, err);
--
To stop receiving notification emails like this one, please contact
address@hidden.
- [gnurl] 251/264: lib: clean up whitespace, (continued)
- [gnurl] 251/264: lib: clean up whitespace, gnunet, 2020/04/30
- [gnurl] 257/264: travis: bump the wolfssl CI build to use 4.4.0, gnunet, 2020/04/30
- [gnurl] 217/264: runtests: use a unix domain socket path with the pid in the name, gnunet, 2020/04/30
- [gnurl] 220/264: ensure all references to ports are replaced by vars, gnunet, 2020/04/30
- [gnurl] 221/264: release-notes.pl: fix parsing typo, gnunet, 2020/04/30
- [gnurl] 222/264: RELEASE-NOTES: synced, gnunet, 2020/04/30
- [gnurl] 225/264: tests: run the TFTP test server on a dynamic port number, gnunet, 2020/04/30
- [gnurl] 172/264: gopher: check remaining time left during write busy loop, gnunet, 2020/04/30
- [gnurl] 187/264: azure: add mqtt support to one of the Windows builds, gnunet, 2020/04/30
- [gnurl] 168/264: tests/server: move all signal handling routines to util.[ch], gnunet, 2020/04/30
- [gnurl] 171/264: gnutls: ensure TLS 1.3 when SRP isn't requested,
gnunet <=
- [gnurl] 206/264: tests: introduce preprocessed test cases, gnunet, 2020/04/30
- [gnurl] 207/264: test1448: work with dynamic HTTP server port, gnunet, 2020/04/30
- [gnurl] 208/264: test1056: work with dynamic HTTP ipv6 port, gnunet, 2020/04/30