[GNUnet-SVN] [gnurl] 12/254: schannel: Don't treat encrypted partial rec
From: |
gnunet |
Subject: |
[GNUnet-SVN] [gnurl] 12/254: schannel: Don't treat encrypted partial record as pending data |
Date: |
Sat, 17 Jun 2017 16:50:44 +0200 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to annotated tag gnurl-7.54.1
in repository gnurl.
commit 6b39f9c87e48f17533b139b2ddb829aa21227c3d
Author: Jay Satiro <address@hidden>
AuthorDate: Thu Apr 6 03:27:28 2017 -0400
schannel: Don't treat encrypted partial record as pending data
- Track when the cached encrypted data contains only a partial record
that can't be decrypted without more data (SEC_E_INCOMPLETE_MESSAGE).
- Change Curl_schannel_data_pending to return false in such a case.
Other SSL libraries have pending data functions that behave similarly.
Ref: https://github.com/curl/curl/pull/1387
Closes https://github.com/curl/curl/pull/1392
---
lib/urldata.h | 5 +++++
lib/vtls/schannel.c | 12 ++++++++++--
2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/lib/urldata.h b/lib/urldata.h
index 34e18ecde..d4a4a2306 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -333,6 +333,11 @@ struct ssl_connect_data {
size_t encdata_length, decdata_length;
size_t encdata_offset, decdata_offset;
unsigned char *encdata_buffer, *decdata_buffer;
+ /* encdata_is_incomplete: if encdata contains only a partial record that
+ can't be decrypted without another Curl_read_plain (that is, status is
+ SEC_E_INCOMPLETE_MESSAGE) then set this true. after Curl_read_plain writes
+ more bytes into encdata then set this back to false. */
+ bool encdata_is_incomplete;
unsigned long req_flags, ret_flags;
CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
bool recv_sspi_close_notify; /* true if connection closed by close_notify */
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index c9b513230..d20f30d89 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -432,6 +432,7 @@ schannel_connect_step1(struct connectdata *conn, int
sockindex)
connssl->recv_unrecoverable_err = CURLE_OK;
connssl->recv_sspi_close_notify = false;
connssl->recv_connection_closed = false;
+ connssl->encdata_is_incomplete = false;
/* continue to second handshake step */
connssl->connecting_state = ssl_connect_2;
@@ -480,6 +481,7 @@ schannel_connect_step2(struct connectdata *conn, int
sockindex)
/* buffer to store previously received and encrypted data */
if(connssl->encdata_buffer == NULL) {
+ connssl->encdata_is_incomplete = false;
connssl->encdata_offset = 0;
connssl->encdata_length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
connssl->encdata_buffer = malloc(connssl->encdata_length);
@@ -532,6 +534,8 @@ schannel_connect_step2(struct connectdata *conn, int
sockindex)
/* increase encrypted data buffer offset */
connssl->encdata_offset += nread;
+ connssl->encdata_is_incomplete = false;
+ infof(data, "schannel: encrypted data got %zd\n", nread);
}
infof(data, "schannel: encrypted data buffer: offset %zu length %zu\n",
@@ -576,6 +580,7 @@ schannel_connect_step2(struct connectdata *conn, int
sockindex)
/* check if the handshake was incomplete */
if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
+ connssl->encdata_is_incomplete = true;
connssl->connecting_state = ssl_connect_2_reading;
infof(data, "schannel: received incomplete message, need more data\n");
return CURLE_OK;
@@ -1177,6 +1182,7 @@ schannel_recv(struct connectdata *conn, int sockindex,
}
else if(nread > 0) {
connssl->encdata_offset += (size_t)nread;
+ connssl->encdata_is_incomplete = false;
infof(data, "schannel: encrypted data got %zd\n", nread);
}
}
@@ -1313,6 +1319,7 @@ schannel_recv(struct connectdata *conn, int sockindex,
}
}
else if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
+ connssl->encdata_is_incomplete = true;
if(!*err)
*err = CURLE_AGAIN;
infof(data, "schannel: failed to decrypt data, need more data\n");
@@ -1414,8 +1421,8 @@ bool Curl_schannel_data_pending(const struct connectdata
*conn, int sockindex)
const struct ssl_connect_data *connssl = &conn->ssl[sockindex];
if(connssl->use) /* SSL/TLS is in use */
- return (connssl->encdata_offset > 0 ||
- connssl->decdata_offset > 0) ? TRUE : FALSE;
+ return (connssl->decdata_offset > 0 ||
+ (connssl->encdata_offset > 0 && !connssl->encdata_is_incomplete));
else
return FALSE;
}
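Review bot: Curl_schannel_data_pending now answers "nothing pending" while encdata_offset > 0 and encdata_is_incomplete is set, and that inversion deserves a comment on the new return, since a reader sees buffered encrypted bytes being deliberately ignored. Suggested: `/* a buffered partial record is not pending: it cannot yield plaintext until Curl_read_plain delivers the rest of it */`. The else branch keeps the `FALSE` macro while the new return is a bare bool expression; either works, but `return (...) ? TRUE : FALSE;` would keep both branches in one style. Note also that the flag is cleared on every successful Curl_read_plain (the schannel_recv hunk above) before the next decrypt attempt, so data_pending can briefly report true for a still-incomplete record until SEC_E_INCOMPLETE_MESSAGE sets it again; that looks intended, but a sentence on the field's comment in urldata.h would make the window explicit.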
@@ -1518,6 +1525,7 @@ int Curl_schannel_shutdown(struct connectdata *conn, int
sockindex)
Curl_safefree(connssl->encdata_buffer);
connssl->encdata_length = 0;
connssl->encdata_offset = 0;
+ connssl->encdata_is_incomplete = false;
}
/* free internal buffer for received decrypted data */