summaryrefslogtreecommitdiff
path: root/lib/vtls
Commit message (Collapse)AuthorAgeFilesLines
* url: only reuse TLS connections with matching pinningDaniel Stenberg2019-09-191-1/+4
| | | | | | | | | | If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the connection should not be reused. Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html Reported-by: Sebastian Haglund Closes #4347
* openssl: fix warning with boringssl and SSL_CTX_set_min_proto_versionDaniel Stenberg2019-09-161-4/+9
| | | | | Follow-up to ffe34b7b59 Closes #4359
* openssl: close_notify on the FTP data connection doesn't mean closureDaniel Stenberg2019-09-131-1/+4
| | | | | | | | | | | | For FTPS transfers, curl gets close_notify on the data connection without that being a signal to close the control connection! Regression since 3f5da4e59a556fc (7.65.0) Reported-by: Zenju on github Reviewed-by: Jay Satiro Fixes #4329 Closes #4340
* openssl: use SSL_CTX_set_<min|max>_proto_version() when availableClément Notin2019-09-101-11/+105
| | | | | | | | OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use when available. Existing code is preserved for older versions of OpenSSL. Closes #4304
* openssl: indent, re-organize and add commentsClément Notin2019-09-101-32/+38
|
* openssl: build warning free with boringsslDaniel Stenberg2019-08-201-5/+27
| | | | Closes #4244
* nss: use TLSv1.3 as default if supportedPeter Wu2019-08-131-10/+6
| | | | | | | | | | | | SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported range in NSS 3.45. It looks like the intention is to raise the minimum version rather than lowering the maximum, so adjust accordingly. Note that the caller (nss_setup_connect) initializes the version range to (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. Closes #4187 Reviewed-by: Daniel Stenberg Reviewed-by: Kamil Dudka
* mesalink: implement client authenticationYiming Jing2019-08-061-13/+49
| | | | Closes #4184
* cleanup: remove the 'numsocks' argument used in many placesDaniel Stenberg2019-07-302-10/+3
| | | | | | | | | It was used (intended) to pass in the size of the 'socks' array that is also passed to these functions, but was rarely actually checked/used and the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries that should be used instead. Closes #4169
* source: remove names from source commentsDaniel Stenberg2019-07-191-16/+9
| | | | | | | | | | | | | | Several reasons: - we can't add everyone who's helping out so its unfair to just a few selected ones. - we already list all helpers in THANKS and in RELEASE-NOTES for each release - we don't want to give the impression that some parts of the code is "owned" or "controlled" by specific persons Assisted-by: Daniel Gustafsson Closes #4129
* nss: inspect returnvalue of token checkDaniel Gustafsson2019-07-171-1/+4
| | | | | | | | PK11_IsPresent() checks for the token for the given slot is available, and sets needlogin flags for the PK11_Authenticate() call. Should it return false, we should however treat it as an error and bail out. Closes https://github.com/curl/curl/pull/4110
* openssl: define HAVE_SSL_GET_SHUTDOWN based on version numberZenju2019-07-141-0/+4
| | | | Closes #4100
* nss: support using libnss on macOSDaniel Gustafsson2019-07-061-1/+4
| | | | | | | | The file suffix for dynamically loadable objects on macOS is .dylib, which need to be added for the module definitions in order to get the NSS TLS backend to work properly on macOS. Closes https://github.com/curl/curl/pull/4046
* nss: don't set unused parameterDaniel Gustafsson2019-07-061-1/+1
| | | | | | | | | | | The value of the maxPTDs parameter to PR_Init() has since at least NSPR 2.1, which was released sometime in 1998, been marked ignored as is accordingly not used in the initialization code. Setting it to a value when calling PR_Init() is thus benign, but indicates an intent which may be misleading. Reset the value to zero to improve clarity. Closes https://github.com/curl/curl/pull/4054
* nss: only cache valid CRL entriesDaniel Gustafsson2019-07-061-6/+8
| | | | | | | | | Change the logic around such that we only keep CRLs that NSS actually ended up caching around for later deletion. If CERT_CacheCRL() fails then there is little point in delaying the freeing of the CRL as it is not used. Closes https://github.com/curl/curl/pull/4053
* docs: Fix links to OpenSSL docsJay Satiro2019-06-301-2/+0
| | | | | | | | OpenSSL changed their manual locations and does not redirect to the new locations. Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html Reported-by: Daniel Stenberg
* openssl: disable engine if OPENSSL_NO_UI_CONSOLE is definedDaniel Stenberg2019-06-261-1/+1
| | | | | | | | | | ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for UWP (with "VC-WIN32-UWP"). Reported-by: Vasily Lobaskin Fixes #4073 Closes #4077
* openssl: fix pubkey/signature algorithm detection in certinfoGergely Nagy2019-06-181-10/+17
| | | | | | | | | Certinfo gives the same result for all OpenSSL versions. Also made printing RSA pubkeys consistent with older versions. Reported-by: Michael Wallner Fixes #3706 Closes #4030
* openssl: remove outdated commentDaniel Gustafsson2019-06-171-8/+2
| | | | | | | | | | | | OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), which is why we switched to CONF_modules_load_file() and introduced a comment stating why. This behavior was however changed in OpenSSL commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now outdated and incorrect comment. The mentioned commit also declares OPENSSL_config() deprecated so keep the current coding. Closes #4033 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* wolfssl: fix key pinning build errorDaniel Stenberg2019-06-111-1/+1
| | | | follow-up from deb9462ff2de8
* wolfssl: fixup for SNI useDaniel Stenberg2019-06-101-1/+1
| | | | | | follow-up from deb9462ff2de8 Closes #4007
* wolfssl: refer to it as wolfSSL onlyDaniel Stenberg2019-06-104-133/+107
| | | | | | | | | | Remove support for, references to and use of "cyaSSL" from the source and docs. wolfSSL is the current name and there's no point in keeping references to ancient history. Assisted-by: Daniel Gustafsson Closes #3903
* build: fix Codacy warningsMarcel Raad2019-06-052-4/+3
| | | | | | Reduce variable scopes and remove redundant variable stores. Closes https://github.com/curl/curl/pull/3975
* nss: allow to specify TLS 1.3 ciphers if supported by NSSHubert Kario2019-05-271-0/+5
| | | | Closes #3916
* sectransp: handle errSSLPeerAuthCompleted from SSLRead()Daniel Stenberg2019-05-241-7/+20
| | | | | | Reported-by: smuellerDD on github Fixes #3932 Closes #3933
* ftp: move ftp_ccc in under featureflagDaniel Gustafsson2019-05-214-0/+8
| | | | | | | | | | Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under the FTP featureflag in the UserDefined struct, but vtls callsites were still using it unprotected. Closes #3912 Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 Reviewed-by: Daniel Stenberg, Marcel Raad
* mbedtls: enable use of EC keysGuy Poizat2019-05-201-1/+2
| | | | Closes #3892
* lib: reduce variable scopesMarcel Raad2019-05-207-72/+63
| | | | | | Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
* cleanup: remove FIXME and TODO commentsDaniel Stenberg2019-05-166-17/+1
| | | | | | | | | They serve very little purpose and mostly just add noise. Most of them have been around for a very long time. I read them all before removing or rephrasing them. Ref: #3876 Closes #3883
* vtls: fix potential ssl_buffer stack overflowDaniel Gustafsson2019-05-131-4/+5
| | | | | | | | | | | | In Curl_multissl_version() it was possible to overflow the passed in buffer if the generated version string exceeded the size of the buffer. Fix by inverting the logic, and also make sure to not exceed the local buffer during the string generation. Closes #3863 Reported-by: nevv on HackerOne/curl Reviewed-by: Jay Satiro Reviewed-by: Daniel Stenberg
* OpenSSL: Report -fips in version if OpenSSL is built with FIPSRicky Leverence2019-05-081-1/+5
| | | | | | | | | | | | | Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS define. It uses this define to determine whether to publish -fips at the end of the version displayed. Applications that utilize the version reported by OpenSSL will see a mismatch if they compare it to what curl reports, as curl is not modifying the version in the same way. This change simply adds a check to see if OPENSSL_FIPS is defined, and will alter the reported version to match what OpenSSL itself provides. This only appears to be applicable in versions of OpenSSL <1.1.1 Closes #3771
* nss: allow fifos and character devices for certificates.Frank Gevaerts2019-05-071-1/+1
| | | | | | | | | | Currently you can do things like --cert <(cat ./cert.crt) with (at least) the openssl backend, but that doesn't work for nss because is_file rejects fifos. I don't actually know if this is sufficient, nss might do things internally (like seeking back) that make this not work, so actual testing is needed. Closes #3807
* travis: upgrade the MesaLink TLS backend to v1.0.0Yiming Jing2019-05-011-1/+1
| | | | | Closes #3823 Closes #3776
* multi: provide Curl_multiuse_state to update informationDaniel Stenberg2019-05-018-2/+29
| | | | | | As soon as a TLS backend gets ALPN conformation about the specific HTTP version it can now set the multiplex situation for the "bundle" and trigger moving potentially queued up transfers to the CONNECT state.
* nss: provide more specific error messages on failed initKamil Dudka2019-04-291-2/+8
| | | | Closes #3808
* openssl: mark connection for close on TLS close_notifyDaniel Stenberg2019-04-121-0/+3
| | | | | | | | | Without this, detecting and avoid reusing a closed TLS connection (without a previous GOAWAY) when doing HTTP/2 is tricky. Reported-by: Tom van der Woerdt Fixes #3750 Closes #3763
* build: fix Codacy/CppCheck warningsMarcel Raad2019-04-111-1/+0
| | | | | | | | | | - remove unused variables - declare conditionally used variables conditionally - suppress unused variable warnings in the CMake tests - remove dead variable stores - consistently use WIN32 macro to detect Windows Closes https://github.com/curl/curl/pull/3739
* polarssl_threadlock: remove conditionally unused codeMarcel Raad2019-04-112-29/+23
| | | | | | | | | | | | | Make functions no-ops if neither both USE_THREADS_POSIX and HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are defined. Previously, if only one of them was defined, there was either code compiled that did nothing useful or the wrong header included for the functions used. Also, move POLARSSL_MUTEX_T define to implementation file as it's not used externally. Closes https://github.com/curl/curl/pull/3739
* openssl: if cert type is ENG and no key specified, key is ENG tooDavid Woodhouse2019-03-201-4/+4
| | | | | Fixes #3692 Closes #3692
* sectransp: tvOS 11 is required for ALPN supportDaniel Stenberg2019-03-201-2/+2
| | | | | | | | Reported-by: nianxuejie on github Assisted-by: Nick Zitzmann Assisted-by: Jay Satiro Fixes #3689 Closes #3690
* configure: add --with-amisslChris Young2019-03-151-1/+8
| | | | | | | | | | AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. It also requires all programs using it to use bsdsocket.library directly, rather than accessing socket functions through clib, which libcurl was not necessarily doing previously. Configure will now check for the headers and ensure they are included if found. Closes #3677
* vtls: rename some of the SSL functionsChris Young2019-03-152-5/+5
| | | | | ... in the SSL structure as AmiSSL is using macros for the socket API functions.
* gnutls: remove call to deprecated gnutls_compression_get_nameDaniel Stenberg2019-03-021-6/+1
| | | | | | | | | | It has been deprecated by GnuTLS since a year ago and now causes build warnings. Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html Closes #3636
* Secure Transport: no more "darwinssl"Daniel Stenberg2019-02-284-93/+93
| | | | | | | | Everyone calls it Secure Transport, now we do too. Reviewed-by: Nick Zitzmann Closes #3619
* strerror: make the strerror function use local buffersDaniel Stenberg2019-02-262-33/+52
| | | | | | | | | | | | | | | | Instead of using a fixed 256 byte buffer in the connectdata struct. In my build, this reduces the size of the connectdata struct by 11.8%, from 2160 to 1904 bytes with no functionality or performance loss. This also fixes a bug in schannel's Curl_verify_certificate where it called Curl_sspi_strerror when it should have called Curl_strerror for string from GetLastError. the only effect would have been no text or the wrong text being shown for the error. Co-authored-by: Jay Satiro Closes #3612
* OpenSSL: add support for TLS ASYNC stateBernd Mueller2019-02-251-0/+6
| | | | Closes #3591
* schannel: support CALG_ECDH_EPHEM algorithmgeorgeok2019-02-251-0/+3
| | | | | | | | Add support for Ephemeral elliptic curve Diffie-Hellman key exchange algorithm option when selecting ciphers. This became available on the Win10 SDK. Closes https://github.com/curl/curl/pull/3608
* wolfssl: stop custom-adding curvesDaniel Stenberg2019-02-231-20/+1
| | | | | | | | | since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in wolfSSL 3.10.2 and later) it sends these curves by default already. Pointed-out-by: David Garske Closes #3599
* mbedtls: release sessionid resources on errorDaniel Gustafsson2019-02-161-0/+3
| | | | | | | | | | | If mbedtls_ssl_get_session() fails, it may still have allocated memory that needs to be freed to avoid leaking. Call the library API function to release session resources on this errorpath as well as on Curl_ssl_addsessionid() errors. Closes: #3574 Reported-by: Michał Antoniak <M.Antoniak@posnet.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* schannel: restore some debug output but only for debug buildsJay Satiro2019-02-121-1/+6
| | | | | | | Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy debug output in DEBUGF but omitted a few lines. Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
View Lorry Controller Status