test_10_08, uploading larger files for a h2 proxy, sporadically fails
with a decrpytion error on received data in AWS-LC. The frequency can
be increased by simulated network receive blocks.
Not setting a 4 * TLS record sized buffer, leaving AWS-LC at its
default buffer size seems to mitigate this problem.
- drop `ALLOW_RENEG` undocumented (insecure) build-time option.
- drop unnecessary check for `OPENSSL_VERSION_NUMBER`.
It's present in all supported OpenSSL versions and forks.
Follow-up to 80c10c5d5d#18351
Follow-up to 59311bd3df#3293#3283Closes#18359
- assume:
- `BIO_CTRL_EOF`
- `SSL_CTRL_SET_MSG_CALLBACK`
- `SSL_CTRL_SET_MSG_CALLBACK`
- `SSL_CTRL_SET_TLSEXT_HOSTNAME`
- `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER`
- `SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS`
- `SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG`
- `SSL_OP_NO_COMPRESSION`
- `SSL_OP_NO_TICKET`
- `X509_V_FLAG_PARTIAL_CHAIN`
- `X509_V_FLAG_TRUSTED_FIRST`
They are present in all supported OpenSSL (and fork) versions.
- replace `SSL_ERROR_WANT_EARLY` with `SSL_ERROR_WANT_CLIENT_HELLO_CB`.
The former appeared in OpenSSL 1.1.1-dev, but renamed before
the stable release.
- document support for macros:
- `ENGINE_CTRL_GET_CMD_FROM_NAME`
- `SSL_ERROR_WANT_ASYNC_JOB`
- `SSL_ERROR_WANT_ASYNC`
- `SSL2_VERSION_MAJOR`
- `TLS1_3_VERSION`
- drop legacy fallback for `CONF_MFLAGS_DEFAULT_SECTION`.
It was there for OpenSSL 0.9.8 support.
- fix `SSL_CTRL_SET_MSG_CALLBACK` accidentally serving as a guard for
OpenSSL (and forks) as a whole.
Tested OK with OpenSSL 1.0.2 and 1.1.0 in CI.
Closes#18351
When an application install its own OpenSSL verify callback and that
callback invokes `SSL_set_retry_verify()`, the transfer is automatically
paused and does not progress the connect attempt any further until
unpaused via `curl_easy_pause().
Added test758 to verify.
Ref: #18284
Original PR by @Natris
Bug: https://curl.se/mail/lib-2025-08/0012.htmlCloses#18288
Without it, subsequent OpenSSL API calls may fail with an error caught
within the OpenSSL `d2i_X509()` (decode) call.
It was seen to happen when importing from the Windows certificate store
(e.g. with `--ca-native`), and any one of the certificates failed while
decoding, then skipped.
Behind the scene (and undocumented), the failed decode call is adding
an error to an internal OpenSSL error queue. This error is picked up
later, at the connect phase, by another OpenSSL API call, which happens
to check the error queue, without clearing it first. It made the connect
fail with the error collected earlier, while decoding the malformed and
discarded certificate.
Fix by explicitly clearing the error queue if the decode call fails.
Ref: https://docs.openssl.org/3.5/man3/d2i_X509/
`-vvvv` output before this patch:
```
[0-0] == Info: successfully imported Windows ROOT store
[0-0] == Info: successfully imported Windows CA store
[0-0] == Info: [SSL] SSL_connect() -> err=-1, detail=1
[0-0] == Info: TLS connect error: error:068000DD:asn1 encoding routines::illegal padding
[0-0] == Info: [SSL] cf_connect() -> 35, done=0
```
Mainline OpenSSL (as of 3.5.2) and quictls (as of 3.3.0) are affected.
LibreSSL is not affected. (I did not test BoringSSL and AWS-LC)
Assisted-by: Stefan Eissing
Reported-by: Michał Petryka
Fixes#18190Closes#18228
When an SSL_write() blocks we need to retry it with the
same length as before or stupid OpenSSL freaks out. Remember
it, limit any longer sends and fail shorter ones.
Fixes#18121
Reported-by: adamse on github
Closes#18132
- codespell: break logic out into its own runnable script. Allowing
to run it on local machines.
- codespell: install via `pip`, bump to latest version.
- codespell: show version number in CI log.
- codespell: drop no longer needed word exception: `msdos`.
- codespell: include all curl source tree, except `packages` and
`winbuild`. Drop an obsolete file exclusion.
- add new spellchecker job using the `typos` tool. It includes
the codespell dictionary and a couple more. Use linuxbrew to install
it. This takes 10 seconds, while installing via `cargo` from source
would take over a minute.
- codespell: introduce an inline ignore filter compatible with `cspell`
Make `typos` recognize it, too. Move single exceptions inline.
Fix new typos found. Also rename variables and words to keep
spellchecking exceptions at minumum. This involves touching some tests.
Also switch base64 strings to `%b64[]` to avoid false positives.
Ref: https://github.com/crate-ci/typos/blob/master/docs/reference.md
Ref: https://github.com/codespell-project/codespell?tab=readme-ov-file#inline-ignore
Ref: https://github.com/codespell-project/codespell/issues/1212#issuecomment-1721152455
Ref: https://cspell.org/docs/Configuration/document-settingsCloses#17905
- rename Curl_oss_check_peer_cert() to Curl_ossl_check_peer_cert()
- leave altname match loop after the first success when the match
was an ip address
- remove static subj_alt_hostcheck() since it did not really do much
- use length based infof() output of altname, even though it does
seem always to be nul terminated
Closes#17940
Commit f2ce6c46 among other things added the use of own library context
instead of the default context. Default context has access to OpenSSL
configuration file, own context doesn't have it.
Therefore if a pkcs11 provider is loaded via config file, the function
OSSL_PROVIDER_available() incorrectly detects the provider as
unavailable.
Fix this by loading the OpenSSL config to the library context according
to OpenSSL documentation:
"OSSL_LIB_CTX_load_config() loads a configuration file using the given
ctx. This can be used to associate a library context with providers that
are loaded from a configuration."
Moreover use the provider_loaded flag instead of provider pointer to
determine if a provider is available, as the latter is not set when the
provider is loaded from a configuration.
Closes#17804
Drop `strcasecompare` and `strncasecompare` in favor of libcurl API
calls `curl_strequal` and `curl_strnequal` respectively.
Also drop unnecessary `strcase.h` includes. Include `curl/curl.h`
instead where it wasn't included before.
Closes#17772
- Return CURLE_OK if the engine successfully loaded.
Prior to this change:
When loading an openssl engine, the result code is initialized to
CURLE_SSL_ENGINE_NOTFOUND, but is never set to CURLE_OK when the engine
was successfully loaded. This causes curl to error out, falsely stating
engine not found when it actually was.
Broken since f2ce6c46 (precedes 8.14.0) which added support for using
engines and providers at the same time.
Fixes https://github.com/curl/curl/issues/17617
Closes https://github.com/curl/curl/pull/17618
`SSL_pending()` only checks if the *current* TLS packet has more data.
There might be more data in SSL's buffers.
`SSL_has_pending()` only checks if there is data in buffers, but does
*not* check if there is a complete TLS packet that can be decoded.
If we only check the first, we will poll on socket events without having
processed all data and may stall. If we only check the second, we would
busy loop without SSL_read() ever giving something.
Add the flag `connssl->input_pending` that is set on incoming data in
the BIO receive. Clear the flag when encountering a CURLE_AGAIN on
the filters receive (via SSL_read()) or see an EOF.
Ref: #17596Closes#17601
The secure transport vTLS backend was the only Curl_ssl struct instance
that populated the false_start field. Since its removed, we can now
remove that field entirely. This was a protocol feature specific to TLS
1.2 that has been replaced by the more widely adopted TLS 1.3 early data
mechanisms.
--false-start is now deprecated
Closes#17595
cfilter/conn: change send/recv function signatures. Unify the
calling/return conventions in our send/receive handling.
Curl_conn_recv(), adjust pnread type
Parameter `pnread` was a `ssize_t *`, but `size_t *` is better since the
function returns any error in its `CURLcode` return value.
Closes#17546
Convert the debug-only handling of SSL_ERROR_SYSCALL so that it is
enabled in all builds with openssl. This should not make a difference in
supported OpenSSL versions, but if whatever version or fork we link
against *does* return SSL_ERROR_SYSCALL, handle this as a fatal error.
Fixes#17471
Reported-by: Michael Kaufmann
Closes#17531
Reduce Curl_ossl_ctx_init() complexity by splitting it up into
sub functions.
While splitting if ECH, add pytest fixed for AWS-LC and enable
it in CI.
Closes#17404
Move curlx_ functions into its own subdir.
The idea is to use the curlx_ prefix proper on these functions, and use
these same function names both in tool, lib and test suite source code.
Stop the previous special #define setup for curlx_ names.
The printf defines are now done for the library alone. Tests no longer
use the printf defines. The tool code sets its own defines. The printf
functions are not curlx, they are publicly available.
The strcase defines are not curlx_ functions and should not be used by
tool or server code.
dynbuf, warnless, base64, strparse, timeval, timediff are now proper
curlx functions.
When libcurl is built statically, the functions from the library can be
used as-is. The key is then that the functions must work as-is, without
having to be recompiled for use in tool/tests. This avoids symbol
collisions - when libcurl is built statically, we use those functions
directly when building the tool/tests. When libcurl is shared, we
build/link them separately for the tool/tests.
Assisted-by: Jay Satiro
Closes#17253
OpenSSL3 can in fact have both enabled at once. Load the provider and
key/cert appropriately. When loading a provider, the user can now also
set an associated "property string".
Work on this was sponsored by Valantic.
Closes#17165
With the new addition of OpenSSL QUIC API support and the support in
ngtcp2 main branch, make the necessary adjustments in curl to support
this combination.
- add support in configure.ac to detect the feature OPENSSL_QUIC_API2 in
openssl
- initialise ngtcp2 properly in this combination
- add a Curl_vquic_init() for global initialisation that ngtcp2 likes
for performance reasons
- add documentation on how to build in docs/HTTP3.md
- add CI testing in http3-linux.yml
Assisted-by: Viktor Szakats
Closes#17027
"asyn" is the internal name under which both c-ares and threaded
resolver operate. Make the naming more consistent. Implement the c-ares
resolver in `asyn-ares.*` and the threaded resolver in `asyn-thrdd.*`.
The common functions are in `asyn-base.c`.
When `CURLRES_ASYNCH` is defined, either of the two is used and
`data->state.async` exists. Members of that struct vary for the selected
implementation, but have the fields `hostname`, `port` and `ip_version`
always present. This are populated when the async resolving starts and
eliminate the need to pass them again when checking on the status and
processing the results of the resolving.
Add a `Curl_resolv_blocking()` to `hostip.h` that relieves FTP and SOCKS
from having to repeat the same code.
`Curl_resolv_check()` remains the function to check for status of
ongoing resolving. Now it also performs internally the check if the
needed DNS entry exists in the dnscache and if so, aborts the asnyc
operation. (libcurl right now does not check for duplicate resolve
attempts. an area for future improvements).
The number of functions in `asyn.h` has been reduced. There were subtle
difference in "cancel()" and "kill()" calls, both replaced by
`Curl_async_shutdown()` now. This changes behaviour for threaded
resolver insofar as the resolving thread is now always joined unless
`data->set.quick_exit` is set. Before this was only done on some code
paths. A future improvement would be a thread pool that keeps a limit
and also could handle joins more gracefully.
DoH, not previously tagged under "asny", has its struct `doh_probes` now
also in `data->state.async`, moved there from `data->req` because it
makes more sense. Further integration of DoH underneath the "asyn"
umbrella seems like a good idea.
Closes#16963
by including headers using "../[header]" when done from C files in
subdirectories, we do not need to specify the lib source dir as an
include path and we reduce the risk of header name collisions with
headers in the SDK using the same file names.
Idea-by: Kai Pastor
Ref: #16949Closes#16991
- Return 0 for password length if OpenSSL is expecting a certificate
password but the user did not provide one.
Prior to this change libcurl would crash if OpenSSL called the certificate
password callback in libcurl but no password was provided (NULL).
Reported-by: Roman Zharkov
Fixes https://github.com/curl/curl/issues/16806
Closes https://github.com/curl/curl/pull/16807
