aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/openssl.c
AgeCommit message (Collapse)Author
2016-03-20openssl: Fixed compilation warning when /Wall enabledSteve Holme
warning C4706: assignment within conditional expression
2016-03-17openssl: adapt to API breakage in ERR_remove_thread_state()Gisle Vanem
The OpenSSL API change that broke this is "Convert ERR_STATE to new multi-threading API": openssl commit 8509dcc. Closes #713
2016-03-17openssl: verbose: show matching SAN patternDaniel Stenberg
... to allow users to see which specfic wildcard that matched when such is used. Also minor logic cleanup to simplify the code, and I removed all tabs from verbose strings.
2016-03-08openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messagesGisle Vanem
2016-02-16openssl: use macro to guard the opaque EVP_PKEY branchViktor Szakats
2016-02-16openssl: avoid direct PKEY access with OpenSSL 1.1.0Viktor Szakats
by using API instead of accessing an internal structure. This is required starting OpenSSL 1.1.0-pre3. Closes #650
2016-02-09openssl: remove most BoringSSL #ifdefs.David Benjamin
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of BoringSSL #ifdefs in cURL should be unnecessary: - BoringSSL provides no-op stubs for compatibility which replaces most #ifdefs. - DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove the compatibility codepath. - With a small tweak to an extend_key_56_to_64 call, the NTLM code builds fine. - Switch OCSP-related #ifdefs to the more generally useful OPENSSL_NO_OCSP. The only #ifdefs which remain are Curl_ossl_version and the #undefs to work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves that to the consumer. The in-header workaround makes things sensitive to include order.) This change errs on the side of removing conditionals despite many of the restored codepaths being no-ops. (BoringSSL generally adds no-op compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are bad enough!) Closes #640
2016-02-08configure: --with-ca-fallback: use built-in TLS CA fallbackLudwig Nussel
When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built in default as fallback. Closes #569
2016-02-06openssl: Fix signed/unsigned mismatch warning in X509V3_extJay Satiro
sk_X509_EXTENSION_num may return an unsigned integer, however the value will fit in an int. Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896 Reported-by: Gisle Vanem
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2016-01-14openssl: improved error detection/reportingDaniel Stenberg
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another cerfificate fail so this required a fix and this is the better way to catch this error anyway.
2016-01-14openssl: for 1.1.0+ they now provide a SSLeay() macro of their ownDaniel Stenberg
2015-12-14libressl: the latest openssl x509 funcs are not in libresslDaniel Stenberg
2015-12-13http: add libcurl option to allow HTTP/2 for HTTPS onlyDaniel Stenberg
... and stick to 1.1 for HTTP. This is in line with what browsers do and should have very little risk.
2015-12-10openssl: adapt to openssl >= 1.1.0 X509 opaque structsDaniel Stenberg
Closes #491
2015-12-10openssl: avoid BIO_reset() warnings since it returns a valueDaniel Stenberg
2015-12-10openssl: adapt to 1.1.0+ name changesDaniel Stenberg
2015-12-07openssl: BoringSSL doesn't have CONF_modules_freeGisle Vanem
2015-11-24Revert "cleanup: general removal of TODO (and similar) comments"Daniel Stenberg
This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a. Feedback-by: Dan Fandrich URL: http://curl.haxx.se/mail/lib-2015-11/0062.html
2015-11-13openssl: Free modules on cleanupSebastian Pohlschmidt
Curl_ossl_init calls OPENSSL_load_builtin_modules() but Curl_ossl_cleanup doesn't make a call to free these modules. Bug: https://github.com/bagder/curl/issues/526
2015-11-13cleanup: general removal of TODO (and similar) commentsDaniel Stenberg
They tend to never get updated anyway so they're frequently inaccurate and we never go back to revisit them anyway. We document issues to work on properly in KNOWN_BUGS and TODO instead.
2015-11-13openssl: remove #if check for 0.9.7 for ENGINE_load_private_keyDaniel Stenberg
2015-11-13openssl: all supported versions have X509_STORE_set_flagsDaniel Stenberg
Simplify by removing #ifdefs and macros
2015-11-13openssl: remove 0.9.3 checkDaniel Stenberg
2015-11-13openssl: remove #ifdefs for < 0.9.5 supportDaniel Stenberg
We only support >= 0.9.7
2015-11-13lib/vtls/openssl: remove unused traces of yassl ifdefsDaniel Stenberg
2015-11-10BoringSSL: Work with stricter BIO_get_mem_data()Douglas Creager
BoringSSL implements `BIO_get_mem_data` as a function, instead of a macro, and expects the output pointer to be a `char **`. We have to add an explicit cast to grab the pointer as a `const char **`. Closes #524
2015-10-29Revert "openssl: engine: remove double-free"Daniel Stenberg
This reverts commit 370ee919b37cc9a46c36428b2bb1527eae5db2bd. Issue #509 has all the details but it was confirmed that the crash was not due to this, so the previous commit was wrong.
2015-10-27openssl: engine: remove double-freeDaniel Stenberg
After a successful call to SSL_CTX_use_PrivateKey(), we must not call EVP_PKEY_free() on the key. Reported-by: nased0 Closes #509
2015-10-11openssl: Fix set up of pkcs12 certificate verification chainErik Johansson
sk_X509_pop will decrease the size of the stack which means that the loop would end after having added only half of the certificates. Also make sure that the X509 certificate is freed in case SSL_CTX_add_extra_chain_cert fails.
2015-09-28openssl: Fix algorithm initMichael Kalinin
- Change algorithm init to happen after OpenSSL config load. Additional algorithms may be available due to the user's config so we initialize the algorithms after the user's config is loaded. Bug: https://github.com/bagder/curl/issues/447 Reported-by: Denis Feklushkin
2015-09-19ssl: add server cert's "sha256//" hash to verboseDaniel Hwang
Add a "pinnedpubkey" section to the "Server Certificate" verbose Bug: https://github.com/bagder/curl/issues/410 Reported-by: W. Mark Kubacki Closes #430 Closes #410
2015-09-19openssl: don't output certinfo dataAlessandro Ghedini
2015-09-19openssl: refactor certificate parsing to use OpenSSL memory BIOAlessandro Ghedini
Fixes #427
2015-09-17openssl: build with < 0.9.8Daniel Stenberg
... without sha256 support and no define saying so. Reported-by: Rajkumar Mandal
2015-08-21openssl: handle lack of server cert when strict checking disabledAlessandro Ghedini
If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server doesn't present a certificate at all. Closes #392
2015-07-24openssl: work around MSVC warningMarcel Raad
MSVC 12 complains: lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local variable 'verstr' used It's a false positive, but as it's normally not, I have enabled warning-as-error for that warning.
2015-07-14openssl: VMS support for SHA256John Malmberg
setup-vms.h: More symbols for SHA256, hacks for older VAX openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX. openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to allow building on VAX and 64 bit VMS.
2015-07-01SSL: Pinned public key hash supportmoparisthebest
2015-06-18openssl: fix use of uninitialized bufferDaniel Stenberg
Make sure that the error buffer is always initialized and simplify the use of it to make the logic easier. Bug: https://github.com/bagder/curl/issues/318 Reported-by: sneis
2015-06-18openssl: fix build with BoringSSLDaniel Stenberg
OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression from cae43a1
2015-06-17openssl: Fix build with openssl < ~ 0.9.8fPaul Howarth
The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks builds with older openssls (certainly with 0.9.8b, which is the latest older version I have to try with).
2015-06-08openssl: LibreSSL and BoringSSL do not use TLS_client_methodJay Satiro
Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of TLS_client_method LibreSSL and BoringSSL didn't and still use SSLv23_client_method. Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009 Reported-by: asavah@users.noreply.github.com
2015-06-07openssl: Fix verification of server-sent legacy intermediatesJay Satiro
- Try building a chain using issuers in the trusted store first to avoid problems with server-sent legacy intermediates. Prior to this change server-sent legacy intermediates with missing legacy issuers would cause verification to fail even if the client's CA bundle contained a valid replacement for the intermediate and an alternate chain could be constructed that would verify successfully. https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
2015-06-05openssl: removed error string #ifdefDaniel Stenberg
ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
2015-06-05openssl: removed USERDATA_IN_PWD_CALLBACK kludgeDaniel Stenberg
Code for OpenSSL 0.9.4 serves no purpose anymore!
2015-06-05openssl: remove SSL_get_session()-using codeDaniel Stenberg
It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or later.
2015-06-05openssl: remove dummy callback use from SSL_CTX_set_verify()Daniel Stenberg
The existing callback served no purpose.
2015-06-01curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXTJay Satiro
- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt" - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt" This change is to explicitly specify when we need to read/write text. Unfortunately 't' is not part of POSIX fopen so we can't specify it directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT. Prior to this change we had an issue on Windows if an application that uses libcurl overrides the default file mode to binary. The default file mode in Windows is normally text mode (translation mode) and that's what libcurl expects. Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055 Reported-by: Orgad Shaneh
2015-05-27openssl: typo in commentDaniel Melani