aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
AgeCommit message (Collapse)Author
2019-07-17nss: inspect returnvalue of token checkDaniel Gustafsson
PK11_IsPresent() checks for the token for the given slot is available, and sets needlogin flags for the PK11_Authenticate() call. Should it return false, we should however treat it as an error and bail out. Closes https://github.com/curl/curl/pull/4110
2019-07-14openssl: define HAVE_SSL_GET_SHUTDOWN based on version numberZenju
Closes #4100
2019-07-06nss: support using libnss on macOSDaniel Gustafsson
The file suffix for dynamically loadable objects on macOS is .dylib, which need to be added for the module definitions in order to get the NSS TLS backend to work properly on macOS. Closes https://github.com/curl/curl/pull/4046
2019-07-06nss: don't set unused parameterDaniel Gustafsson
The value of the maxPTDs parameter to PR_Init() has since at least NSPR 2.1, which was released sometime in 1998, been marked ignored as is accordingly not used in the initialization code. Setting it to a value when calling PR_Init() is thus benign, but indicates an intent which may be misleading. Reset the value to zero to improve clarity. Closes https://github.com/curl/curl/pull/4054
2019-07-06nss: only cache valid CRL entriesDaniel Gustafsson
Change the logic around such that we only keep CRLs that NSS actually ended up caching around for later deletion. If CERT_CacheCRL() fails then there is little point in delaying the freeing of the CRL as it is not used. Closes https://github.com/curl/curl/pull/4053
2019-06-30docs: Fix links to OpenSSL docsJay Satiro
OpenSSL changed their manual locations and does not redirect to the new locations. Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html Reported-by: Daniel Stenberg
2019-06-26openssl: disable engine if OPENSSL_NO_UI_CONSOLE is definedDaniel Stenberg
... since that needs UI_OpenSSL() which isn't provided when OpenSSL is built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for UWP (with "VC-WIN32-UWP"). Reported-by: Vasily Lobaskin Fixes #4073 Closes #4077
2019-06-18openssl: fix pubkey/signature algorithm detection in certinfoGergely Nagy
Certinfo gives the same result for all OpenSSL versions. Also made printing RSA pubkeys consistent with older versions. Reported-by: Michael Wallner Fixes #3706 Closes #4030
2019-06-17openssl: remove outdated commentDaniel Gustafsson
OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), which is why we switched to CONF_modules_load_file() and introduced a comment stating why. This behavior was however changed in OpenSSL commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now outdated and incorrect comment. The mentioned commit also declares OPENSSL_config() deprecated so keep the current coding. Closes #4033 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-11wolfssl: fix key pinning build errorDaniel Stenberg
follow-up from deb9462ff2de8
2019-06-10wolfssl: fixup for SNI useDaniel Stenberg
follow-up from deb9462ff2de8 Closes #4007
2019-06-10wolfssl: refer to it as wolfSSL onlyDaniel Stenberg
Remove support for, references to and use of "cyaSSL" from the source and docs. wolfSSL is the current name and there's no point in keeping references to ancient history. Assisted-by: Daniel Gustafsson Closes #3903
2019-06-05build: fix Codacy warningsMarcel Raad
Reduce variable scopes and remove redundant variable stores. Closes https://github.com/curl/curl/pull/3975
2019-05-27nss: allow to specify TLS 1.3 ciphers if supported by NSSHubert Kario
Closes #3916
2019-05-24sectransp: handle errSSLPeerAuthCompleted from SSLRead()Daniel Stenberg
Reported-by: smuellerDD on github Fixes #3932 Closes #3933
2019-05-21ftp: move ftp_ccc in under featureflagDaniel Gustafsson
Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under the FTP featureflag in the UserDefined struct, but vtls callsites were still using it unprotected. Closes #3912 Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 Reviewed-by: Daniel Stenberg, Marcel Raad
2019-05-20mbedtls: enable use of EC keysGuy Poizat
Closes #3892
2019-05-20lib: reduce variable scopesMarcel Raad
Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
2019-05-16cleanup: remove FIXME and TODO commentsDaniel Stenberg
They serve very little purpose and mostly just add noise. Most of them have been around for a very long time. I read them all before removing or rephrasing them. Ref: #3876 Closes #3883
2019-05-13vtls: fix potential ssl_buffer stack overflowDaniel Gustafsson
In Curl_multissl_version() it was possible to overflow the passed in buffer if the generated version string exceeded the size of the buffer. Fix by inverting the logic, and also make sure to not exceed the local buffer during the string generation. Closes #3863 Reported-by: nevv on HackerOne/curl Reviewed-by: Jay Satiro Reviewed-by: Daniel Stenberg
2019-05-08OpenSSL: Report -fips in version if OpenSSL is built with FIPSRicky Leverence
Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS define. It uses this define to determine whether to publish -fips at the end of the version displayed. Applications that utilize the version reported by OpenSSL will see a mismatch if they compare it to what curl reports, as curl is not modifying the version in the same way. This change simply adds a check to see if OPENSSL_FIPS is defined, and will alter the reported version to match what OpenSSL itself provides. This only appears to be applicable in versions of OpenSSL <1.1.1 Closes #3771
2019-05-07nss: allow fifos and character devices for certificates.Frank Gevaerts
Currently you can do things like --cert <(cat ./cert.crt) with (at least) the openssl backend, but that doesn't work for nss because is_file rejects fifos. I don't actually know if this is sufficient, nss might do things internally (like seeking back) that make this not work, so actual testing is needed. Closes #3807
2019-05-01travis: upgrade the MesaLink TLS backend to v1.0.0Yiming Jing
Closes #3823 Closes #3776
2019-05-01multi: provide Curl_multiuse_state to update informationDaniel Stenberg
As soon as a TLS backend gets ALPN conformation about the specific HTTP version it can now set the multiplex situation for the "bundle" and trigger moving potentially queued up transfers to the CONNECT state.
2019-04-29nss: provide more specific error messages on failed initKamil Dudka
Closes #3808
2019-04-12openssl: mark connection for close on TLS close_notifyDaniel Stenberg
Without this, detecting and avoid reusing a closed TLS connection (without a previous GOAWAY) when doing HTTP/2 is tricky. Reported-by: Tom van der Woerdt Fixes #3750 Closes #3763
2019-04-11build: fix Codacy/CppCheck warningsMarcel Raad
- remove unused variables - declare conditionally used variables conditionally - suppress unused variable warnings in the CMake tests - remove dead variable stores - consistently use WIN32 macro to detect Windows Closes https://github.com/curl/curl/pull/3739
2019-04-11polarssl_threadlock: remove conditionally unused codeMarcel Raad
Make functions no-ops if neither both USE_THREADS_POSIX and HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are defined. Previously, if only one of them was defined, there was either code compiled that did nothing useful or the wrong header included for the functions used. Also, move POLARSSL_MUTEX_T define to implementation file as it's not used externally. Closes https://github.com/curl/curl/pull/3739
2019-03-20openssl: if cert type is ENG and no key specified, key is ENG tooDavid Woodhouse
Fixes #3692 Closes #3692
2019-03-20sectransp: tvOS 11 is required for ALPN supportDaniel Stenberg
Reported-by: nianxuejie on github Assisted-by: Nick Zitzmann Assisted-by: Jay Satiro Fixes #3689 Closes #3690
2019-03-15configure: add --with-amisslChris Young
AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. It also requires all programs using it to use bsdsocket.library directly, rather than accessing socket functions through clib, which libcurl was not necessarily doing previously. Configure will now check for the headers and ensure they are included if found. Closes #3677
2019-03-15vtls: rename some of the SSL functionsChris Young
... in the SSL structure as AmiSSL is using macros for the socket API functions.
2019-03-02gnutls: remove call to deprecated gnutls_compression_get_nameDaniel Stenberg
It has been deprecated by GnuTLS since a year ago and now causes build warnings. Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html Closes #3636
2019-02-28Secure Transport: no more "darwinssl"Daniel Stenberg
Everyone calls it Secure Transport, now we do too. Reviewed-by: Nick Zitzmann Closes #3619
2019-02-26strerror: make the strerror function use local buffersDaniel Stenberg
Instead of using a fixed 256 byte buffer in the connectdata struct. In my build, this reduces the size of the connectdata struct by 11.8%, from 2160 to 1904 bytes with no functionality or performance loss. This also fixes a bug in schannel's Curl_verify_certificate where it called Curl_sspi_strerror when it should have called Curl_strerror for string from GetLastError. the only effect would have been no text or the wrong text being shown for the error. Co-authored-by: Jay Satiro Closes #3612
2019-02-25OpenSSL: add support for TLS ASYNC stateBernd Mueller
Closes #3591
2019-02-25schannel: support CALG_ECDH_EPHEM algorithmgeorgeok
Add support for Ephemeral elliptic curve Diffie-Hellman key exchange algorithm option when selecting ciphers. This became available on the Win10 SDK. Closes https://github.com/curl/curl/pull/3608
2019-02-23wolfssl: stop custom-adding curvesDaniel Stenberg
since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in wolfSSL 3.10.2 and later) it sends these curves by default already. Pointed-out-by: David Garske Closes #3599
2019-02-16mbedtls: release sessionid resources on errorDaniel Gustafsson
If mbedtls_ssl_get_session() fails, it may still have allocated memory that needs to be freed to avoid leaking. Call the library API function to release session resources on this errorpath as well as on Curl_ssl_addsessionid() errors. Closes: #3574 Reported-by: MichaƂ Antoniak <M.Antoniak@posnet.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-12schannel: restore some debug output but only for debug buildsJay Satiro
Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy debug output in DEBUGF but omitted a few lines. Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
2019-02-12schannel: be quietDaniel Stenberg
Convert numerous infof() calls into debug-build only messages since they are annoyingly verbose for regular applications. Removed a few. Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html Reported-by: Volker Schmid Closes #3552
2019-02-12mbedtls: make it build even if MBEDTLS_VERSION_C isn't setDaniel Stenberg
Reported-by: MAntoniak on github Fixes #3553 Closes #3556
2019-02-06url: close TLS before removing conn from cacheChris Araman
- Fix potential crashes in schannel shutdown. Ensure any TLS shutdown messages are sent before removing the association between the connection and the easy handle. Reverts @bagder's previous partial fix for #3412. Fixes https://github.com/curl/curl/issues/3412 Fixes https://github.com/curl/curl/issues/3505 Closes https://github.com/curl/curl/pull/3531
2019-02-01spnego_sspi: add support for channel bindinggeorgeok
Attempt to add support for Secure Channel binding when negotiate authentication is used. The problem to solve is that by default IIS accepts channel binding and curl doesn't utilise them. The result was a 401 response. Scope affects only the Schannel(winssl)-SSPI combination. Fixes https://github.com/curl/curl/issues/3503 Closes https://github.com/curl/curl/pull/3509
2019-02-01schannel: stop calling it "winssl"Daniel Stenberg
Stick to "Schannel" everywhere. The configure option --with-winssl is kept to allow existing builds to work but --with-schannel is added as an alias. Closes #3504
2019-01-21schannel: preserve original certificate path parameterArchangel_SDY
Fixes #3480 Closes #3487
2019-01-19ntlm_sspi: add support for channel bindinggeorgeok
Windows extended potection (aka ssl channel binding) is required to login to ntlm IIS endpoint, otherwise the server returns 401 responses. Fixes #3280 Closes #3321
2019-01-18schannel: on connection close there might not be a transferDaniel Stenberg
Reported-by: Marcel Raad Fixes #3412 Closes #3483
2019-01-16openssl: fix the SSL_get_tlsext_status_ocsp_resp callDaniel Stenberg
.... to not pass in a const in the second argument as that's not how it is supposed to be used and might cause compiler warnings. Reported-by: Pavel Pavlov Fixes #3477 Closes #3478
2019-01-13openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecatedDaniel Stenberg
OpenSSL_version() replaces OpenSSL_version_num() Closes #3462