Age | Commit message (Collapse) | Author |
|
This also fixes PolarSSL session resume.
Prior to this change the TLS session information wasn't properly
saved and restored for PolarSSL and mbedTLS.
Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
Reported-by: Thomas Glanzmann
Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
Reported-by: Moti Avrahami
|
|
OpenSSL 1.1.0-pre seems to return NULL(?) for a whole lot of those
numbers so make sure the function handles this.
Reported-by: Linus Nordberg
|
|
|
|
|
|
The RSA, DSA and DH structs are now opaque and require use of new APIs
Fixes #763
|
|
... that the new checksrc detected
|
|
|
|
Makes curl connect to the given host+port instead of the host+port found
in the URL.
|
|
|
|
... as otherwise we might get stuck thinking there's no more data to
handle.
Reported-by: Damien Vielpeau
Fixes #737
|
|
|
|
|
|
mbedtls_ is the prefix used by the mbedTLS library itself so we should
avoid using that for our private functions.
|
|
|
|
|
|
When compiling with OpenSSL 1.1.0 (so that the HAVE_X509_GET0_SIGNATURE
&& HAVE_X509_GET0_EXTENSIONS pre-processor block is active), Visual C++
14 complains:
warning C4701: potentially uninitialized local variable 'palg' used
warning C4701: potentially uninitialized local variable 'psig' used
|
|
https://github.com/wolfSSL/wolfssl/issues/366
|
|
|
|
warning C4244: '=': conversion from 'int' to 'unsigned short', possible
loss of data
|
|
Add ALPN support for schannel. This allows cURL to negotiate
HTTP/2.0 connections when built with schannel.
Closes #724
|
|
... so we don't need extra boringssl precautions for for
HAVE_ERR_REMOVE_THREAD_STATE_NOARG.
Pointed-out-by: David Benjamin
|
|
The removed arg is only done in OpenSSL
Bug: https://twitter.com/xtraemeat/status/712564874098917376
|
|
warning C4706: assignment within conditional expression
|
|
vtls/mbedtls.h:67:36: warning: implicit declaration of function
‘mbedtls_sha256’ [-Wimplicit-function-declaration]
|
|
The OpenSSL API change that broke this is "Convert ERR_STATE to new
multi-threading API": openssl commit 8509dcc.
Closes #713
|
|
... to allow users to see which specfic wildcard that matched when such
is used.
Also minor logic cleanup to simplify the code, and I removed all tabs
from verbose strings.
|
|
|
|
Prior to this change when a single protocol CURL_SSLVERSION_ was
specified by the user that version was set only as the minimum version
but not as the maximum version as well.
|
|
|
|
by using API instead of accessing an internal structure.
This is required starting OpenSSL 1.1.0-pre3.
Closes #650
|
|
Bug: https://github.com/curl/curl/pull/651
|
|
It is wasteful to search it backwards if we look for _any_ slash.
|
|
We only care if at least one cipher-suite is enabled, so it does
not make any sense to iterate till the end and count all enabled
cipher-suites.
|
|
|
|
Closes #626
|
|
Since we didn't keep the input argument around after having called
mbedtls, it could end up accessing the wrong memory when figuring out
the ALPN protocols.
Closes #642
|
|
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:
- BoringSSL provides no-op stubs for compatibility which replaces most
#ifdefs.
- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
the compatibility codepath.
- With a small tweak to an extend_key_56_to_64 call, the NTLM code
builds fine.
- Switch OCSP-related #ifdefs to the more generally useful
OPENSSL_NO_OCSP.
The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)
This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)
Closes #640
|
|
When trying to verify a peer without having any root CA certificates
set, this makes libcurl use the TLS library's built in default as
fallback.
Closes #569
|
|
sk_X509_EXTENSION_num may return an unsigned integer, however the value
will fit in an int.
Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
Reported-by: Gisle Vanem
|
|
|
|
|
|
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.
The callback method had three problems:
1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.
2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.
Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.
Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
|
|
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
1.1.0+ returned a new func number of another cerfificate fail so this
required a fix and this is the better way to catch this error anyway.
|
|
|
|
|
|
- Fix ALPN reply detection.
- Wrap nghttp2 code in ifdef USE_NGHTTP2.
Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
|
|
The function is only present in wolfssl/cyassl if it was built with
--enable-opensslextra. With these checks added, pinning support is disabled
unless the TLS lib has that function available.
Also fix the mistake in configure that checks for the wrong lib name.
Closes #566
|
|
|
|
|
|
|