aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/openssl.c
AgeCommit message (Collapse)Author
2019-09-26openssl: use strerror on SSL_ERROR_SYSCALLDaniel Stenberg
Instead of showing the somewhat nonsensical errno number, use strerror() to provide a more relatable error message. Closes #4411
2019-09-23vtls: fix narrowing conversion warningsMarcel Raad
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on 32-bit systems since commit b1616dad8f0. Closes https://github.com/curl/curl/pull/4398
2019-09-22openssl: fix compiler warning with LibreSSLMarcel Raad
It was already fixed for BoringSSL in commit a0f8fccb1e0. LibreSSL has had the second argument to SSL_CTX_set_min_proto_version as uint16_t ever since the function was added in [0]. [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda Closes https://github.com/curl/curl/pull/4397
2019-09-16openssl: fix warning with boringssl and SSL_CTX_set_min_proto_versionDaniel Stenberg
Follow-up to ffe34b7b59 Closes #4359
2019-09-13openssl: close_notify on the FTP data connection doesn't mean closureDaniel Stenberg
For FTPS transfers, curl gets close_notify on the data connection without that being a signal to close the control connection! Regression since 3f5da4e59a556fc (7.65.0) Reported-by: Zenju on github Reviewed-by: Jay Satiro Fixes #4329 Closes #4340
2019-09-10openssl: use SSL_CTX_set_<min|max>_proto_version() when availableClément Notin
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use when available. Existing code is preserved for older versions of OpenSSL. Closes #4304
2019-09-10openssl: indent, re-organize and add commentsClément Notin
2019-08-20openssl: build warning free with boringsslDaniel Stenberg
Closes #4244
2019-07-19source: remove names from source commentsDaniel Stenberg
Several reasons: - we can't add everyone who's helping out so its unfair to just a few selected ones. - we already list all helpers in THANKS and in RELEASE-NOTES for each release - we don't want to give the impression that some parts of the code is "owned" or "controlled" by specific persons Assisted-by: Daniel Gustafsson Closes #4129
2019-07-14openssl: define HAVE_SSL_GET_SHUTDOWN based on version numberZenju
Closes #4100
2019-06-30docs: Fix links to OpenSSL docsJay Satiro
OpenSSL changed their manual locations and does not redirect to the new locations. Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html Reported-by: Daniel Stenberg
2019-06-26openssl: disable engine if OPENSSL_NO_UI_CONSOLE is definedDaniel Stenberg
... since that needs UI_OpenSSL() which isn't provided when OpenSSL is built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for UWP (with "VC-WIN32-UWP"). Reported-by: Vasily Lobaskin Fixes #4073 Closes #4077
2019-06-18openssl: fix pubkey/signature algorithm detection in certinfoGergely Nagy
Certinfo gives the same result for all OpenSSL versions. Also made printing RSA pubkeys consistent with older versions. Reported-by: Michael Wallner Fixes #3706 Closes #4030
2019-06-17openssl: remove outdated commentDaniel Gustafsson
OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), which is why we switched to CONF_modules_load_file() and introduced a comment stating why. This behavior was however changed in OpenSSL commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now outdated and incorrect comment. The mentioned commit also declares OPENSSL_config() deprecated so keep the current coding. Closes #4033 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-05-21ftp: move ftp_ccc in under featureflagDaniel Gustafsson
Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under the FTP featureflag in the UserDefined struct, but vtls callsites were still using it unprotected. Closes #3912 Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 Reviewed-by: Daniel Stenberg, Marcel Raad
2019-05-16cleanup: remove FIXME and TODO commentsDaniel Stenberg
They serve very little purpose and mostly just add noise. Most of them have been around for a very long time. I read them all before removing or rephrasing them. Ref: #3876 Closes #3883
2019-05-08OpenSSL: Report -fips in version if OpenSSL is built with FIPSRicky Leverence
Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS define. It uses this define to determine whether to publish -fips at the end of the version displayed. Applications that utilize the version reported by OpenSSL will see a mismatch if they compare it to what curl reports, as curl is not modifying the version in the same way. This change simply adds a check to see if OPENSSL_FIPS is defined, and will alter the reported version to match what OpenSSL itself provides. This only appears to be applicable in versions of OpenSSL <1.1.1 Closes #3771
2019-05-01multi: provide Curl_multiuse_state to update informationDaniel Stenberg
As soon as a TLS backend gets ALPN conformation about the specific HTTP version it can now set the multiplex situation for the "bundle" and trigger moving potentially queued up transfers to the CONNECT state.
2019-04-12openssl: mark connection for close on TLS close_notifyDaniel Stenberg
Without this, detecting and avoid reusing a closed TLS connection (without a previous GOAWAY) when doing HTTP/2 is tricky. Reported-by: Tom van der Woerdt Fixes #3750 Closes #3763
2019-03-20openssl: if cert type is ENG and no key specified, key is ENG tooDavid Woodhouse
Fixes #3692 Closes #3692
2019-03-15configure: add --with-amisslChris Young
AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. It also requires all programs using it to use bsdsocket.library directly, rather than accessing socket functions through clib, which libcurl was not necessarily doing previously. Configure will now check for the headers and ensure they are included if found. Closes #3677
2019-02-25OpenSSL: add support for TLS ASYNC stateBernd Mueller
Closes #3591
2019-01-16openssl: fix the SSL_get_tlsext_status_ocsp_resp callDaniel Stenberg
.... to not pass in a const in the second argument as that's not how it is supposed to be used and might cause compiler warnings. Reported-by: Pavel Pavlov Fixes #3477 Closes #3478
2019-01-13openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecatedDaniel Stenberg
OpenSSL_version() replaces OpenSSL_version_num() Closes #3462
2018-12-07openssl: fix unused variable compiler warning with old opensslBen Greear
URL: https://curl.haxx.se/mail/lib-2018-11/0055.html Closes #3347
2018-12-05openssl: do not use file BIOs if not requestedGergely Nagy
Moves the file handling BIO calls to the branch of the code where they are actually used. Closes #3339
2018-11-23snprintf: renamed and we now only use msnprintf()Daniel Stenberg
The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
2018-11-21openssl: support session resume with TLS 1.3Michael Kaufmann
Session resumption information is not available immediately after a TLS 1.3 handshake. The client must wait until the server has sent a session ticket. Use OpenSSL's "new session" callback to get the session information and put it into curl's session cache. For TLS 1.3 sessions, this callback will be invoked after the server has sent a session ticket. The "new session" callback is invoked only if OpenSSL's session cache is enabled, so enable it and use the "external storage" mode which lets curl manage the contents of the session cache. A pointer to the connection data and the sockindex are now saved as "SSL extra data" to make them available to the callback. This approach also works for old SSL/TLS versions and old OpenSSL versions. Reviewed-by: Daniel Stenberg <daniel@haxx.se> Fixes #3202 Closes #3271
2018-11-21ssl: fix compilation with OpenSSL 0.9.7Michael Kaufmann
- ENGINE_cleanup() was used without including "openssl/engine.h" - enable engine support for OpenSSL 0.9.7 Closes #3266
2018-11-21openssl: disable TLS renegotiation with BoringSSLDaniel Stenberg
Since we're close to feature freeze, this change disables this feature with an #ifdef. Define ALLOW_RENEG at build-time to enable. This could be converted to a bit for CURLOPT_SSL_OPTIONS to let applications opt-in this. Concern-raised-by: David Benjamin Fixes #3283 Closes #3293
2018-11-20ssl: replace all internal uses of CURLE_SSL_CACERTHan Han
Closes #3291
2018-11-16openssl: do not log excess "TLS app data" lines for TLS 1.3Peter Wu
The SSL_CTX_set_msg_callback callback is not just called for the Handshake or Alert protocols, but also for the raw record header (SSL3_RT_HEADER) and the decrypted inner record type (SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid excess debug spam when using `curl -v` against a TLSv1.3-enabled server: * TLSv1.3 (IN), TLS app data, [no content] (0): (Following this message, another callback for the decrypted handshake/alert messages will be be present anyway.) Closes https://github.com/curl/curl/pull/3281
2018-11-09openssl: support BoringSSL TLS renegotiationJérémy Rocher
As per BoringSSL porting documentation [1], BoringSSL rejects peer renegotiations by default. curl fails when trying to authenticate to server through client certificate if it is requested by server after the initial TLS handshake. Enable renegotiation by default with BoringSSL to get same behavior as with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2] which was introduced in commit 1d5ef3bb1eb9 [3]. 1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation 2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482 3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86 Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com> Fixes #3258 Closes #3259
2018-10-27openssl: output the correct cipher list on TLS 1.3 errorDaniel Stenberg
When failing to set the 1.3 cipher suite, the wrong string pointer would be used in the error message. Most often saying "(nil)". Reported-by: Ricky-Tigg on github Fixes #3178 Closes #3180
2018-10-26openssl: make 'done' a proper booleanDaniel Gustafsson
Closes #3176
2018-10-18travis: add build for "configure --disable-verbose"Daniel Stenberg
Closes #3144
2018-10-08spelling fixes [ci skip]Viktor Szakats
as detected by codespell 1.14.0 Closes https://github.com/curl/curl/pull/3114 Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-09-24openssl: load built-in engines tooDaniel Stenberg
Regression since 38203f1 Reported-by: Jean Fabrice Fixes #3023 Closes #3040
2018-09-24OpenSSL: enable TLS 1.3 post-handshake authChristian Heimes
OpenSSL 1.1.1 requires clients to opt-in for post-handshake authentication. Fixes: https://github.com/curl/curl/issues/3026 Signed-off-by: Christian Heimes <christian@python.org> Closes https://github.com/curl/curl/pull/3027
2018-09-20vtls: fix ssl version "or later" behavior change for many backendsJay Satiro
- Treat CURL_SSLVERSION_MAX_NONE the same as CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use the minimum version also as the maximum. This is a follow-up to 6015cef which changed the behavior of setting the SSL version so that the requested version would only be the minimum and not the maximum. It appears it was (mostly) implemented in OpenSSL but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to mean use just TLS v1.0 and now it means use TLS v1.0 *or later*. - Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL. Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was erroneously treated as always TLS 1.3, and would cause an error if OpenSSL was built without TLS 1.3 support. Co-authored-by: Daniel Gustafsson Fixes https://github.com/curl/curl/issues/2969 Closes https://github.com/curl/curl/pull/3012
2018-09-14openssl: show "proper" version number for libressl buildsDaniel Stenberg
Closes #2989
2018-09-14openssl: assume engine support in 0.9.8 or laterRainer Jung
Fixes #2983 Closes #2988
2018-09-12openssl: fix gcc8 warningJay Satiro
- Use memcpy instead of strncpy to copy a string without termination, since gcc8 warns about using strncpy to copy as many bytes from a string as its length. Suggested-by: Viktor Szakats Closes https://github.com/curl/curl/issues/2980
2018-09-07configure: add option to disable automatic OpenSSL config loadingPhilipp Waehnert
Sometimes it may be considered a security risk to load an external OpenSSL configuration automatically inside curl_global_init(). The configuration option --disable-ssl-auto-load-config disables this automatism. The Windows build scripts winbuild/Makefile.vs provide a corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean value. Setting neither of these options corresponds to the previous behavior loading the external OpenSSL configuration automatically. Fixes #2724 Closes #2791
2018-09-06openssl: return CURLE_PEER_FAILED_VERIFICATION on failure to parse issuerHan Han
Failure to extract the issuer name from the server certificate should return a more specific error code like on other TLS backends.
2018-09-03openssl: Fix setting TLS 1.3 cipher suitesJay Satiro
The flag indicating TLS 1.3 cipher support in the OpenSSL backend was missing. Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187 Reported-by: Kamil Dudka Closes #2926
2018-08-10openssl: fix potential NULL pointer deref in is_pkcs11_uriDaniel Stenberg
Follow-up to 298d2565e Coverity CID 1438387
2018-08-09openssl: fix debug messagesDaniel Jelinski
Fixes #2806 Closes #2843
2018-08-08ssl: set engine implicitly when a PKCS#11 URI is providedAnderson Toshiyuki Sasaki
This allows the use of PKCS#11 URI for certificates and keys without setting the corresponding type as "ENG" and the engine as "pkcs11" explicitly. If a PKCS#11 URI is provided for certificate, key, proxy_certificate or proxy_key, the corresponding type is set as "ENG" if not provided and the engine is set to "pkcs11" if not provided. Acked-by: Nikos Mavrogiannopoulos Closes #2333
2018-07-11openssl: assume engine support in 1.0.0 or laterPaul Howarth
Commit 38203f1585da changed engine detection to be version-based, with a baseline of openssl 1.0.1. This does in fact break builds with openssl 1.0.0, which has engine support - the configure script detects that ENGINE_cleanup() is available - but <openssl/engine.h> doesn't get included to declare it. According to upstream documentation, engine support was added to mainstream openssl builds as of version 0.9.7: https://github.com/openssl/openssl/blob/master/README.ENGINE This commit drops the version test down to 1.0.0 as version 1.0.0d is the oldest version I have to test with. Closes #2732