[GNUnet-SVN] [gnurl] 12/254: schannel: Don't treat encrypted partial rec

gnunet-svn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [gnurl] 12/254: schannel: Don't treat encrypted partial rec

From:	gnunet
Subject:	[GNUnet-SVN] [gnurl] 12/254: schannel: Don't treat encrypted partial record as pending data
Date:	Sat, 17 Jun 2017 16:50:44 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to annotated tag gnurl-7.54.1
in repository gnurl.

commit 6b39f9c87e48f17533b139b2ddb829aa21227c3d
Author: Jay Satiro <address@hidden>
AuthorDate: Thu Apr 6 03:27:28 2017 -0400

    schannel: Don't treat encrypted partial record as pending data
    
    - Track when the cached encrypted data contains only a partial record
      that can't be decrypted without more data (SEC_E_INCOMPLETE_MESSAGE).
    
    - Change Curl_schannel_data_pending to return false in such a case.
    
    Other SSL libraries have pending data functions that behave similarly.
    
    Ref: https://github.com/curl/curl/pull/1387
    
    Closes https://github.com/curl/curl/pull/1392
---
 lib/urldata.h       |  5 +++++
 lib/vtls/schannel.c | 12 ++++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/lib/urldata.h b/lib/urldata.h
index 34e18ecde..d4a4a2306 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -333,6 +333,11 @@ struct ssl_connect_data {
   size_t encdata_length, decdata_length;
   size_t encdata_offset, decdata_offset;
   unsigned char *encdata_buffer, *decdata_buffer;
+  /* encdata_is_incomplete: if encdata contains only a partial record that
+     can't be decrypted without another Curl_read_plain (that is, status is
+     SEC_E_INCOMPLETE_MESSAGE) then set this true. after Curl_read_plain writes
+     more bytes into encdata then set this back to false. */
+  bool encdata_is_incomplete;
   unsigned long req_flags, ret_flags;
   CURLcode recv_unrecoverable_err; /* schannel_recv had an unrecoverable err */
   bool recv_sspi_close_notify; /* true if connection closed by close_notify */
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index c9b513230..d20f30d89 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -432,6 +432,7 @@ schannel_connect_step1(struct connectdata *conn, int 
sockindex)
   connssl->recv_unrecoverable_err = CURLE_OK;
   connssl->recv_sspi_close_notify = false;
   connssl->recv_connection_closed = false;
+  connssl->encdata_is_incomplete = false;
 
   /* continue to second handshake step */
   connssl->connecting_state = ssl_connect_2;
@@ -480,6 +481,7 @@ schannel_connect_step2(struct connectdata *conn, int 
sockindex)
 
   /* buffer to store previously received and encrypted data */
   if(connssl->encdata_buffer == NULL) {
+    connssl->encdata_is_incomplete = false;
     connssl->encdata_offset = 0;
     connssl->encdata_length = CURL_SCHANNEL_BUFFER_INIT_SIZE;
     connssl->encdata_buffer = malloc(connssl->encdata_length);
@@ -532,6 +534,8 @@ schannel_connect_step2(struct connectdata *conn, int 
sockindex)
 
       /* increase encrypted data buffer offset */
       connssl->encdata_offset += nread;
+      connssl->encdata_is_incomplete = false;
+      infof(data, "schannel: encrypted data got %zd\n", nread);
     }
 
     infof(data, "schannel: encrypted data buffer: offset %zu length %zu\n",
@@ -576,6 +580,7 @@ schannel_connect_step2(struct connectdata *conn, int 
sockindex)
 
     /* check if the handshake was incomplete */
     if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
+      connssl->encdata_is_incomplete = true;
       connssl->connecting_state = ssl_connect_2_reading;
       infof(data, "schannel: received incomplete message, need more data\n");
       return CURLE_OK;
@@ -1177,6 +1182,7 @@ schannel_recv(struct connectdata *conn, int sockindex,
     }
     else if(nread > 0) {
       connssl->encdata_offset += (size_t)nread;
+      connssl->encdata_is_incomplete = false;
       infof(data, "schannel: encrypted data got %zd\n", nread);
     }
   }
@@ -1313,6 +1319,7 @@ schannel_recv(struct connectdata *conn, int sockindex,
       }
     }
     else if(sspi_status == SEC_E_INCOMPLETE_MESSAGE) {
+      connssl->encdata_is_incomplete = true;
       if(!*err)
         *err = CURLE_AGAIN;
       infof(data, "schannel: failed to decrypt data, need more data\n");
@@ -1414,8 +1421,8 @@ bool Curl_schannel_data_pending(const struct connectdata 
*conn, int sockindex)
   const struct ssl_connect_data *connssl = &conn->ssl[sockindex];
 
   if(connssl->use) /* SSL/TLS is in use */
-    return (connssl->encdata_offset > 0 ||
-            connssl->decdata_offset > 0) ? TRUE : FALSE;
+    return (connssl->decdata_offset > 0 ||
+            (connssl->encdata_offset > 0 && !connssl->encdata_is_incomplete));
   else
     return FALSE;
 }
@@ -1518,6 +1525,7 @@ int Curl_schannel_shutdown(struct connectdata *conn, int 
sockindex)
     Curl_safefree(connssl->encdata_buffer);
     connssl->encdata_length = 0;
     connssl->encdata_offset = 0;
+    connssl->encdata_is_incomplete = false;
   }
 
   /* free internal buffer for received decrypted data */

-- 
To stop receiving notification emails like this one, please contact
address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

[GNUnet-SVN] [gnurl] 08/254: llist: no longer uses malloc, (continued)
- [GNUnet-SVN] [gnurl] 08/254: llist: no longer uses malloc, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 66/254: krb5: use private buffer for temp string, not receive buffer, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 22/254: curl: set a 100K buffer size by default, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 34/254: http-proxy: removed unused argument in CURL_DISABLE_PROXY case, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 06/254: mbedtls: enable NTLM (& SMB) even if MD4 support is unavailable, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 20/254: configure: stop prepending to LDFLAGS, CPPFLAGS, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 10/254: lib: fix maybe-uninitialized warnings, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 14/254: configure: fix the -ldl check for openssl, add -lpthread check, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 17/254: nss: adapt to the new Curl_llist API, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 35/254: test1443: test --remote-time, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 12/254: schannel: Don't treat encrypted partial record as pending data, gnunet <=
- [GNUnet-SVN] [gnurl] 58/254: http: don't clobber the receive buffer for timecond, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 15/254: RELEASE-NOTES: synced with c68fed875, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 16/254: curl-compilers.m4: accept -Og and -Ofast GCC flags, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 19/254: if2ip: fix -Wcast-align warning, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 53/254: http: use private user:password output buffer, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 07/254: typecheck-gcc: handle function pointers properly, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 23/254: typecheck-gcc: fix _curl_is_slist_info, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 24/254: nss: do not leak PKCS #11 slot while loading a key, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 09/254: gnutls: removed some code when --disable-verbose is configured, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 69/254: openssl: use local stack for temp storage, gnunet, 2017/06/17

Prev by Date: [GNUnet-SVN] [gnurl] 35/254: test1443: test --remote-time
Next by Date: [GNUnet-SVN] [gnurl] 58/254: http: don't clobber the receive buffer for timecond
Previous by thread: [GNUnet-SVN] [gnurl] 35/254: test1443: test --remote-time
Next by thread: [GNUnet-SVN] [gnurl] 58/254: http: don't clobber the receive buffer for timecond
Index(es):
- Date
- Thread