summaryrefslogtreecommitdiff
path: root/lib/vtls/gtls.h
Commit message (Collapse)AuthorAgeFilesLines
* copyright: update all copyright lines and remove year rangesDaniel Stenberg2023-01-031-1/+1
| | | | | | | | | | | | - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205
* gnutls: use common gnutls init and verify code for ngtcp2Stefan Eissing2022-12-011-5/+39
| | | | Closes #10007
* vtls: localization of state data in filtersStefan Eissing2022-11-221-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data this selects the propert subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (und session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain paramter. Closes #9919
* copyright: make repository REUSE compliantmax.mehl2022-06-131-1/+3
| | | | | | | | | | | Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
* gtls: add gnutls include for the session typeDaniel Stenberg2021-12-291-1/+1
| | | | Follow-up to 8fbd6feddfa5 to make it build more universally
* ngtcp2: verify the server certificate for the gnutls caseDaniel Stenberg2021-12-281-1/+5
| | | | Closes #8178
* copyright: fix year rangesDaniel Stenberg2020-11-051-1/+1
| | | | Follow-up from 4d2f8006777
* curl.se: new homeDaniel Stenberg2020-11-041-1/+1
| | | | Closes #6172
* vtls: fold the backend ID into the Curl_ssl structureJohannes Schindelin2017-08-281-3/+0
| | | | Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* vtls: remove obsolete declarations of SSL backend functionalityJohannes Schindelin2017-08-281-21/+0
| | | | | | | | | | | | | | | | | | | These functions are all available via the Curl_ssl struct now, no need to declare them separately anymore. As the global declarations are removed, the corresponding function definitions are marked as file-local. The only two exceptions here are Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the declarations were removed, there are no function definitions to mark file-local. Please note that Curl_nss_force_init() is *still* declared globally, as the only SSL backend-specific function, because it was introduced specifically for the use case where cURL was compiled with `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add support for NSS, 2010-06-27). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl structJohannes Schindelin2017-08-281-3/+0
| | | | | | That will allow us to choose the SSL backend at runtime. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* vtls: convert the have_curlssl_* constants to runtime flagsJohannes Schindelin2017-08-281-9/+0
| | | | | | | | | | The entire idea of introducing the Curl_ssl struct to describe SSL backends is to prepare for choosing the SSL backend at runtime. To that end, convert all the #ifdef have_curlssl_* style conditionals to use bit flags instead. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* vtls: move sha256sum into the Curl_ssl structJohannes Schindelin2017-08-281-6/+0
| | | | | | | | | | | | The SHA-256 checksumming is also an SSL backend-specific function. Let's include it in the struct declaring the functionality of SSL backends. In contrast to MD5, there is no fall-back code. To indicate this, the respective entries are NULL for those backends that offer no support for SHA-256 checksumming. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* vtls: move md5sum into the Curl_ssl structJohannes Schindelin2017-08-281-5/+0
| | | | | | | | | | The MD5 summing is also an SSL backend-specific function. So let's include it, offering the previous fall-back code as a separate function now: Curl_none_md5sum(). To allow for that, the signature had to be changed so that an error could be returned from the implementation (Curl_none_md5sum() can run out of memory). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* vtls: use the Curl_ssl struct to access all SSL backends' functionalityJohannes Schindelin2017-08-281-17/+0
| | | | | | | | This is the first step to unify the SSL backend handling. Now all the SSL backend-specific functionality is accessed via a global instance of the Curl_ssl struct. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* vtls: declare Curl_ssl structs for every SSL backendJohannes Schindelin2017-08-281-0/+2
| | | | | | | | The idea of introducing the Curl_ssl struct was to unify how the SSL backends are declared and called. To this end, we now provide an instance of the Curl_ssl struct for each and every SSL backend. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* vtls: make sure all _cleanup() functions return voidJohannes Schindelin2017-08-281-1/+1
| | | | | | | | This patch makes the signature of the _cleanup() functions consistent among the SSL backends, in preparation for unifying the way all SSL backends are accessed. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
* rand: make it work without TLS backingDaniel Stenberg2017-01-121-4/+4
| | | | | | | Regression introduced in commit f682156a4fc6c4 Reported-by: John Kohl Bug: https://curl.haxx.se/mail/lib-2017-01/0055.html
* curl_version_info: add CURL_VERSION_HTTPS_PROXYOkhin Vasilij2016-11-261-0/+3
| | | | Closes #1142
* proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov2016-11-241-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
* internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg2016-06-221-1/+1
|
* tls: make setting pinnedkey option fail if not supportedDaniel Stenberg2016-05-011-1/+4
| | | | | | | | to make it obvious to users trying to use the feature with TLS backends not supporting it. Discussed in #781 Reported-by: Travis Burtrum
* URLs: change all http:// URLs to https://Daniel Stenberg2016-02-031-1/+1
|
* SSL: Pinned public key hash supportmoparisthebest2015-07-011-0/+5
|
* gtls: implement CURLOPT_CERTINFOAlessandro Ghedini2015-03-201-0/+3
|
* gtls: add support for CURLOPT_CAPATHAlessandro Ghedini2015-03-101-0/+3
|
* vtls: Removed unimplemented overrides of curlssl_close_all()Steve Holme2015-01-171-5/+1
| | | | | | | | | | | | | Carrying on from commit 037cd0d991, removed the following unimplemented instances of curlssl_close_all(): Curl_axtls_close_all() Curl_darwinssl_close_all() Curl_cyassl_close_all() Curl_gskit_close_all() Curl_gtls_close_all() Curl_nss_close_all() Curl_polarssl_close_all()
* vtls: Separate the SSL backend definition from the API setupSteve Holme2015-01-171-1/+3
| | | | | Slight code cleanup as the SSL backend #define is mixed up with the API function setup.
* copyright years: after OCSP stapling changesDaniel Stenberg2015-01-161-1/+1
|
* gtls: add support for the Certificate Status Request TLS extensionAlessandro Ghedini2015-01-161-0/+3
| | | | | | | | Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. This requires GnuTLS 3.1.3 or higher to build, however it's recommended to use at least GnuTLS 3.3.11 since previous versions had a bug that caused the OCSP response verfication to fail even on valid responses.
* vtls: Use '(void) arg' for unused parametersSteve Holme2014-12-301-5/+5
| | | | | | | | Prefer void for unused parameters, rather than assigning an argument to itself as a) unintelligent compilers won't optimize it out, b) it can't be used for const parameters, c) it will cause compilation warnings for clang with -Wself-assign and d) is inconsistent with other areas of the curl source code.
* vtls/*: deprecate have_curlssl_md5sum and set-up default md5sum implementationPatrick Monnerat2014-10-131-3/+0
|
* ssl: generalize how the ssl backend identifier is setDaniel Stenberg2014-07-311-0/+1
| | | | | Each backend now defines CURL_SSL_BACKEND accordingly. Added the *AXTLS one which was missing previously.
* vtls: make the random function mandatory in the TLS backendDaniel Stenberg2014-07-301-7/+4
| | | | | | | | To force each backend implementation to really attempt to provide proper random. If a proper random function is missing, then we can explicitly make use of the default one we use when TLS support is missing. This commit makes sure it works for darwinssl, gnutls, nss and openssl.
* vtls: moved all TLS/SSL source and header files into subdirDaniel Stenberg2013-12-201-0/+81
View Lorry Controller Status