- badwords.pl: add `-a` option to check all lines in source code files.
Before this patch indented lines were skipped (to avoid Markdown code
fences.)
- GHA/checksrc: use `-a` when verifying the source code.
- GHA/checksrc: disable `So` and `But` rules for source code.
- GHA/checksrc: add docs/examples to the verified sources.
- badwords.txt: delete 4 duplicates.
- badwords.txt: group and sort contractions.
- badwords.txt: allow ` url = `, `DIR`, `<file name`.
Closes#19536
Cleanup the vtls pinned key matching somewhat. Add a DEBUGF
for pinned key hashes that do not match, so we can see in
traces what was going on.
Ref #19489Closes#19529
Move out logic from a switch() expression and return error directly
instead of using goto. This also removes the odd-looking two subsequent
closing braces at the same indent level.
Closes#19509
Rename `Curl_timeleft()` to `Curl_timeleft_ms()` to make the units in
the returned `timediff_t` clear. (We used to always have ms there, but
with QUIC started to sometimes calc ns as well).
Rename some assigned vars without `_ms` suffix for clarity as well.
Closes#19486
Also:
- replace `manpage` with `man page`, add to `badwords.txt`.
- badwords.pl: import `-w` feature from curl-www, syncing the two
scripts fully.
- badwords.txt: import missing items from curl-www, syncing the two
files fully.
- pyspelling.words: drop `cURL` allowed word.
Closes#19468
Verify that wolfSSL_BIO_meth_new() actually works and handle situations
where it returns NULL.
Reported-by: Stanislav Fort (Aisle Research)
Closes#19459
A regression in curl 8.17.0 led to a customer CAPATH set by the
application (or the curl command) to be ignored unless licurl was built
with a default CAPATH.
Add test cases using `--capath` on the custom pytest CA, generated with
the help of the openssl command when available.
Fixes#19401
Reported-by: Brad King
Closes#19308
Resumed TLS sessions skip OCSP stapled-response verification. Force a
full handshake so verifystatus() runs.
Follow-up to 4bfd7a9615
Pointed out by ZeroPath
When Curl_conn_cf_recv() returns error, the variable might not be
assigned and the tracing output may (harmlessly) use it uninitialized.
Also add a comment about the typecast from size_t to int being fine.
Pointed out by ZeroPath
Closes#19393
With GnuTLS 3.8.0+ the build-time SRP feature detection always succeeds.
It's also disabled by default in these GnuTLS versions.
When using TLS-SRP without it being available in GnuTLS, report
the correct error code `CURLE_NOT_BUILT_IN`, replacing the out of memory
error reported before this patch.
Also add comments to autotools and cmake scripts about this feature
detection property.
Detecting it at build-time would need to run code which doesn't work
in cross-builds. Once curl requires 3.8.0 as minimum, the build-time
checks can be deleted.
```
# before:
curl: (27) gnutls_srp_allocate_client_cred() failed: An unimplemented or disabled feature has been requested.
# after:
curl: (4) GnuTLS: TLS-SRP support not built in: An unimplemented or disabled feature has been requested.
```
Ref: dab063fca2
Ref: a21e89edacCloses#19365
This commit does the following things:
1. Update the description of gtls_init()
2. In gtls_client_init(), check the invaild SSLVERSION at first. Note
that this part refactors the duplicate/incompatible checks and removes
the useless local variable `sni`.
3. Check the return value of gnutls_ocsp_resp_init(). Although the
original code is safe because gnutls_ocsp_resp_import() will check
the validity of `ocsp_resp`, it is better to catch the error in time
and record the proper message to output log.
Closes#19366
find_ssl_filter used while(cf && cf->next) and skipped the last node.
If the SSL filter was last, channel binding lookup failed and we returned
CURLE_BAD_FUNCTION_ARGUMENT. Switch to while(cf) so the tail is examined.
This bug was found with ZeroPath.
Closes#19229
The definition of these constants does not give a numeric ordering
and MAX_DEFAULT needs to be checked in addition of ciphers and QUIC
checks to apply correctly.
Fixes#19340
Reported-by: Peter Piekarski
Closes#19341
When openssl does not verify the certificate, but apple sectrust
does, we also pass it the ocsp stapled response when configured and
available.
When openssl does not verify the cert chain, it will also not be able
to verify the ocsp stapling. Do not call it if sectrust is the
verifier of the cert chain.
Fixes#19307
Reported-by: Harry Sintonen
Closes#19308
socks_gssapi: the malloc + memcpy was superflous and can be skipped
cleartext: avoid malloc + three memcpy with aprintf()
digest_sspi: use memdup0 instead of malloc + memcpy
vtls: use memdup0 instead of malloc + memcpy
Closes#19282
Replace the check if a ssl session cache is configured with
a function checking if it is configured *and* if an ssl session
cache is available.
During normal operations, a session cache is always there, however
for "connect-only" transfers this might not be the case. When such
transfers receive new sessions/tickets, they need to silently
discard those and not fail.
Reported-by: Marc Aldorasi
Fixes https://github.com/curl/curl/issues/18983
Closes https://github.com/curl/curl/pull/19251
Change the test certificate to carry a altname 'dns:127.0.0.1' which
should *not* match in test_17_05_bad_ip_addr.
wolfSSL: since `wolfSSL_check_domain_name()` does not differentiate
between DNS and IP names, use if only for DNS names. For IP addresses,
get the peer certificate after the handshake and check that using
wolfSSL_X509_check_ip_asc().
Unfortunately, this succeeds where it should not, as wolfSSL internally
used the same check code for both cases. So, skip the test case until
wolfSSL fixes that.
Reported-by: Joshua Rogers
Closes#19252
During TLS renegotiation, the schannel_recv_renegotiate() function is
allowed to block for a short while. Reduce the maximum allowed time to
block from 10 minutes down to 7 seconds.
Closes#19205
Fixing:
```
lib/vtls/mbedtls.c:1505:10: error: call to undeclared function 'Curl_sha256it'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
1505 | return Curl_sha256it(sha256sum, input, inputlen);
| ^
1 error generated.
```
with mbedTLS configuration:
```
tf-psa-crypto/scripts/config.py unset PSA_WANT_ALG_SHA_256
tf-psa-crypto/scripts/config.py unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
tf-psa-crypto/scripts/config.py unset MBEDTLS_LMS_C
```
Follow-up to 3a305831d1#19077Closes#19223
Make autotools and cmake detect DES support in OpenSSL and mbedTLS.
Forward feature macros to C and omit NTLM from the feature preview list.
Use the feature macros in source. This ensure that `-V` output matches
the preview.
OpenSSL doesn't support DES when built with `no-des` or `no-deprecated`.
mbedTLS 4.x no longer supports it, and it's possible to disable it in
<4 with `scripts/config.py unset MBEDTLS_DES_C`.
Before this patch this worked for
mbedTLS 4 only, and with a regression for pending PR #16973.
Also:
- drop NTLM feature check from `curl_setup.h` in favour of autotools/
cmake feature macros. This makes `curl_setup.h` no longer need
to include an mbedTLS header, which in turn makes tests/server build
without depending on mbedTLS.
Fixing, in #16973:
```
In file included from tests/server/first.h:40,
from bld/tests/server/servers.c:3:
lib/curl_setup.h:741:10: fatal error: mbedtls/version.h: No such file or directory
741 | #include <mbedtls/version.h>
| ^~~~~~~~~~~~~~~~~~~
```
Ref: https://github.com/curl/curl/actions/runs/18689537893/job/53291322012?pr=16973
Ref: #19181 (initial fix idea)
Follow-up to 3a305831d1#19077
- move back mbedTLS header include and version check from
`curl_setup.h` to each source which consumes mbedTLS.
- GHA/http3-linux: drop workaround that disabled NTLM for
`no-deprecated` OpenSSL builds.
Follow-up to 006977859d#12384
- curl_ntlm_core: drop pointless macro `CURL_NTLM_NOT_SUPPORTED`.
Follow-up to 006977859d#12384Closes#19206
```
lib/vtls/mbedtls.c:786:3: error: call to undeclared function 'mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
786 | mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(&backend->config,
| ^
lib/vtls/mbedtls.c:787:5: error: use of undeclared identifier 'MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED'; did you mean 'MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH'?
787 | MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH
dep/mbedtls-3.4.0/_pkg/include/mbedtls/ssl.h:700:5: note: 'MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH' declared here
700 | MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH,
| ^
2 errors generated.
```
Regression from d63e40f8e6#18271 (8.16.0)
Closes#19208
Curl is one of the last callers of PKCS12_PBE_add(). It has been a noop
since OpenSSL 0.9.8k (2006) stubbed it out when moving the built-in PBE
algorithms to a static table:
b8f702a0afCloses#19201
With GnuTLS, a GNUTLS_E_REHANDSHAKE can be a renegotiate in TLSv1.2 or a
key update in TLSv1.3. This had been made non-blocking in
a1850ad7de but the comment warning about a
blocking call was not updated.
Closes#19187
In init_config_builder_verifier() the call to
rustls_root_cert_store_builder_build() set result on failure but did not
return.
Pointed out by ZeroPath
Closes#19125
- Do not leak memory on failed setting algorithm cipher list.
Discovered by ZeroPath.
- Do not free backend->cred after failed AcquireCredentialsHandle.
backend->cred is always freed later, during cleanup.
Closes https://github.com/curl/curl/pull/19118
In providercheck(), when failing to open the "store", the exit path
would not previously free the created UI_METHOD and instead leak this
resource.
Pointed out by ZeroPath
Closes#19114
