- de-complex Curl_gtls_verifyserver() by splitting of static
functions for parts of it.
- follow the `goto out` style with common deallocation code
Closes#17941
- rename Curl_oss_check_peer_cert() to Curl_ossl_check_peer_cert()
- leave altname match loop after the first success when the match
was an ip address
- remove static subj_alt_hostcheck() since it did not really do much
- use length based infof() output of altname, even though it does
seem always to be nul terminated
Closes#17940
The `transport` to use for a transfer, e.g. TCP/QUIC/UNIX/UDP, is
initially selected by options and protocol used. This is set at the
`struct connectdata` as `transport` member.
During connection establishment, this transport may change due to
Alt-Svc or Happy-Eyeballing. Most common is the switch from TCP to QUIC.
Rename the connection member to `transport_wanted` and add a way to
query the connection for the transport in use via a new connection
filter query.
The filter query can also be used in the happy eyeballing attempts when
code needs to know which transport is used by the "filter below". This
happens in wolfssl initialization, as one example.
Closes#17923
In gtls.c there was a typo'd comment that I think was missing the word
"no" to indicate there's "no GnuTLS way to signal no EarlyData".
This commit fixes that typo, and also updates a copy-pasted instance
that made it into wolfssl.c where it should refer to the WolfSSL API
missing the capability, not GnuTLS.
Closes#17907
This callback was permanently mapped to libcurl's internal
`Curl_wcsdup()`, which always uses the customizable malloc for
allocation, thus making a custom mapping redundant anyway.
To simplify, drop the callback and map `_tcsdup()` in Unicode mode
directly to `Curl_wcsdup()`.
Also fixes:
- `curl_global_init()` which, before this patch, (re)initialized its
mapping to `_wcsdup()`, returning buffers potentially incompatible
with a custom allocator.
Bug: https://github.com/curl/curl/pull/17840#issuecomment-3044361245
Bug: https://github.com/curl/curl/pull/7540#issuecomment-2380995349
Co-reported-by: Luca Kellermann
Follow-up to 76e047fc27#7540
Assisted-by: Jay Satiro
Closes#17843
Replace the old Curl_ssl_get_internals() with a new connection filter
query to retrieve the information. Implement that filter query for TCP
and QUIC TLS filter types.
Add tests in client tls_session_reuse to use the info option and check
that pointers are returned.
Reported-by: Larry Campbell
Fixes#17801Closes#17809
Fixing:
- a raw `free()` in ECH code that's malloced in lib code, causing
an invalid free, also reported by valgrind (in non-unity builds).
And in unity builds adjusted to behave like non-unity via #17827:
Ref: https://github.com/curl/curl/actions/runs/16093372427/job/45421778472?pr=17827#step:39:3321
- a local pair of `malloc()`/`free()` to use curl's memory allocators,
and participate in memory tracking when enabled.
Cherry-picked from #17827Closes#17830
Commit f2ce6c46 among other things added the use of own library context
instead of the default context. Default context has access to OpenSSL
configuration file, own context doesn't have it.
Therefore if a pkcs11 provider is loaded via config file, the function
OSSL_PROVIDER_available() incorrectly detects the provider as
unavailable.
Fix this by loading the OpenSSL config to the library context according
to OpenSSL documentation:
"OSSL_LIB_CTX_load_config() loads a configuration file using the given
ctx. This can be used to associate a library context with providers that
are loaded from a configuration."
Moreover use the provider_loaded flag instead of provider pointer to
determine if a provider is available, as the latter is not set when the
provider is loaded from a configuration.
Closes#17804
Drop `strcasecompare` and `strncasecompare` in favor of libcurl API
calls `curl_strequal` and `curl_strnequal` respectively.
Also drop unnecessary `strcase.h` includes. Include `curl/curl.h`
instead where it wasn't included before.
Closes#17772
- tests/libtest: move exception to `stub_gssapi.h`.
- tests/libtest: move remaining exception to `testtrace.c`.
- tests/server: drop obsolete exception.
- docs/examples: move `BANNEDFUNC` exceptions to local files (3 lines).
- docs/examples: move `ERRNOVAR` exception to `ephiperfifo.c`.
- docs/examples: drop `typedef struct` (8 files).
- lib/curlx: add `.checksrc` with banned funcs copied from lib.
- checksrc: ban `strncpy`, `strtok_r`, `strtoul` by default.
Drop local bans. Add exception for `strtoul` to `tests/server'.
- lib, src: sync banned funcs.
Also:
- REUSE: drop `stunnel.pem`, it no longer exists.
- docs/examples: formatting.
- docs/examples: simplify some `sizeof()`s.
Closes#17764
Change the signature of `bufq` functions from
* `ssize_t Curl_bufq_*(..., CURLcode *err)` to
* `CURLcode Curl_bufq_*(..., size_t *pn)`
This allows us to write slightly less code and avoids the ssize_t/size_t
conversions in many cases. Also, it gets the function in line with all
the other send/recv signatures.
Added helper functions in `cfilters.h` for sending from/receving into
a bufq.
Fuzzer now fails to build due to these changes and its testing of
the bufq API.
Closes#17396
For consistency. RFC 3986 section 2.1 says:
"URI producers and normalizers should use uppercase hexadecimal digits
for all percent-encodings."
Reported-by: Jeroen Ooms
Fixes#17685Closes#17739
Caught by gcc (Ubuntu 12.3.0-1ubuntu1~22.04) 12.3.0:
```
vtls/rustls.c: In function ‘cr_connect’:
vtls/rustls.c:857:61: warning: ‘%s’ directive argument is null [-Wformat-overflow=]
857 | failf(data, "rustls: must provide certificate with key '%s'",
| ^~
```
Closes#17704
Connection filters had a method `get_host()` which had not really been
documented. Since then, the cf had the `query()` method added. Replace
the separate get_host with query.
Add `CF_QUERY_HOST_PORT` as query to connection filters to retrieve
which remote hostname and port the filter (or its sub-filter) is talking
to. The query is implemented by HTTP and SOCKS filters, all others pass
it through.
Add `Curl_conn_get_current_host()` to retrieve the remote host and port
for a connection. During connect, this will return the host the
connection is talking to right now. Before/After connect, this will
return `conn->host.name`.
This is used by SASL authentication.
Closes#17419
- Return CURLE_OK if the engine successfully loaded.
Prior to this change:
When loading an openssl engine, the result code is initialized to
CURLE_SSL_ENGINE_NOTFOUND, but is never set to CURLE_OK when the engine
was successfully loaded. This causes curl to error out, falsely stating
engine not found when it actually was.
Broken since f2ce6c46 (precedes 8.14.0) which added support for using
engines and providers at the same time.
Fixes https://github.com/curl/curl/issues/17617
Closes https://github.com/curl/curl/pull/17618
- Align --cacert behaviour with OpenSSL and LibreSSL.
This changes the default behavior of Schannel manual certificate
verification, which is used when the user provides their own CA
certificates for verification, to accept partial chains. In other words,
the user may provide an intermediate certificate without having to
provide the root CA.
Win8/Server2012 widened the PKIX chain traversal API to allow
certificate traversal to terminate at an intermediate.
This behaviour (terminate at the fist matching intermediate) is the
default for LibreSSL and OpenSSL (with OpenSSL allowing control via
CURLSSLOPT_NO_PARTIALCHAIN).
This change uses the new API if it is available, and also allows the
behaviour to revert legacy if CURLSSLOPT_NO_PARTIALCHAIN is present.
Closes https://github.com/curl/curl/pull/17418
`SSL_pending()` only checks if the *current* TLS packet has more data.
There might be more data in SSL's buffers.
`SSL_has_pending()` only checks if there is data in buffers, but does
*not* check if there is a complete TLS packet that can be decoded.
If we only check the first, we will poll on socket events without having
processed all data and may stall. If we only check the second, we would
busy loop without SSL_read() ever giving something.
Add the flag `connssl->input_pending` that is set on incoming data in
the BIO receive. Clear the flag when encountering a CURLE_AGAIN on
the filters receive (via SSL_read()) or see an EOF.
Ref: #17596Closes#17601
The secure transport vTLS backend was the only Curl_ssl struct instance
that populated the false_start field. Since its removed, we can now
remove that field entirely. This was a protocol feature specific to TLS
1.2 that has been replaced by the more widely adopted TLS 1.3 early data
mechanisms.
--false-start is now deprecated
Closes#17595
cfilter/conn: change send/recv function signatures. Unify the
calling/return conventions in our send/receive handling.
Curl_conn_recv(), adjust pnread type
Parameter `pnread` was a `ssize_t *`, but `size_t *` is better since the
function returns any error in its `CURLcode` return value.
Closes#17546
Convert the debug-only handling of SSL_ERROR_SYSCALL so that it is
enabled in all builds with openssl. This should not make a difference in
supported OpenSSL versions, but if whatever version or fork we link
against *does* return SSL_ERROR_SYSCALL, handle this as a fatal error.
Fixes#17471
Reported-by: Michael Kaufmann
Closes#17531
These libraries do not support TLS 1.3 and have been marked for removal
for over a year. We want to help users select a TLS dependency that is
future-proof and reliable, and not supporting TLS 1.3 in 2025 does not
infer confidence. Users who build libcurl are likely to be served better
and get something more future-proof with a TLS library that supports
1.3.
Closes#16677
With a dash, using two Ls. Also for different forms of the word.
Use NULL in all uppercase if it means a zero pointer.
Follow-up to 307b7543eaCloses#17489
Early data was reported as being sent, but was not. While everything was
aligned with the Gods and early data was reported as accepted, the
actual sending required another call to wolfSSL.
Fixes#17481
Reported-by: Ethan Everett
Closes#17488
Reduce Curl_ossl_ctx_init() complexity by splitting it up into
sub functions.
While splitting if ECH, add pytest fixed for AWS-LC and enable
it in CI.
Closes#17404
Move curlx_ functions into its own subdir.
The idea is to use the curlx_ prefix proper on these functions, and use
these same function names both in tool, lib and test suite source code.
Stop the previous special #define setup for curlx_ names.
The printf defines are now done for the library alone. Tests no longer
use the printf defines. The tool code sets its own defines. The printf
functions are not curlx, they are publicly available.
The strcase defines are not curlx_ functions and should not be used by
tool or server code.
dynbuf, warnless, base64, strparse, timeval, timediff are now proper
curlx functions.
When libcurl is built statically, the functions from the library can be
used as-is. The key is then that the functions must work as-is, without
having to be recompiled for use in tool/tests. This avoids symbol
collisions - when libcurl is built statically, we use those functions
directly when building the tool/tests. When libcurl is shared, we
build/link them separately for the tool/tests.
Assisted-by: Jay Satiro
Closes#17253
