This function is currently located in the lib/http.c module and is
therefore disabled by the CURL_DISABLE_HTTP conditional token.
As it may be called by TLS backends, disabling HTTP results in an
undefined reference error at link time.
Move this function to vauth/vauth.c to always provide it and rename it
as Curl_auth_allowed_to_host() to respect the vauth module naming
convention.
Closes#9600
Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that
can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC
connections as well.
The *certchain function was moved to the top of the file for this reason.
Reported-by: Eloy Degen
Fixes#9584Closes#9597
Instances of ISSPACE() use that should rather use ISBLANK(). I think
somewhat carelessly used because it sounds as if it checks for space or
whitespace, but also includes %0a to %0d.
For parsing purposes, we should only accept what we must and not be
overly liberal. It leads to surprises and surprises lead to bad things.
Closes#9432
Next Protocol Negotiation is a TLS extension that was created and used
for agreeing to use the SPDY protocol (the precursor to HTTP/2) for
HTTPS. In the early days of HTTP/2, before the spec was finalized and
shipped, the protocol could be enabled using this extension with some
servers.
curl supports the NPN extension with some TLS backends since then, with
a command line option `--npn` and in libcurl with
`CURLOPT_SSL_ENABLE_NPN`.
HTTP/2 proper is made to use the ALPN (Application-Layer Protocol
Negotiation) extension and the NPN extension has no purposes
anymore. The HTTP/2 spec was published in May 2015.
Today, use of NPN in the wild should be extremely rare and most likely
totally extinct. Chrome removed NPN support in Chrome 51, shipped in
June 2016. Removed in Firefox 53, April 2017.
Closes#9307
from: "curl: (58) unable to set client certificate"
to: curl: (58) unable to set client certificate [error:0A00018F:SSL
routines::ee key too small]
Closes#9228
AmiSSL v5 is the latest version, featuring a port of OpenSSL 3.0.
Support for previous OpenSSL 1.1.x versions has been dropped, so
makes sense to enforce v5 as the minimum requirement. This also
allows all the AmiSSL stub workarounds to be removed as they are
now provided in a link library in the AmiSSL SDK.
Closes#9267
BoringSSL doesn't keep a version number, and doesn't self-identify itself
via any other revision number via its own headers. We can identify
BoringSSL revisions by their commit hash. This hash is typically known by
the builder. This patch adds a way to pass this hash to libcurl, so that
it can display in the curl version string:
For example:
`CFLAGS=-DCURL_BORINGSSL_VERSION="c239ffd0"`
```
curl 7.84.0 (x86_64-w64-mingw32) libcurl/7.84.0 BoringSSL/c239ffd0 (Schannel) zlib/1.2.12 [...]
Release-Date: 2022-06-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 [...]
Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos [...]
```
The setting is optional, and if not passed, BoringSSL will appear without
a version number, like before this patch.
Closes#9113
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.
This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.
Closes#8869
These two options were only ever used for the OpenSSL backend for
versions before 1.1.0. They were never used for other backends and they
are not used with recent OpenSSL versions. They were never used much by
applications.
The defines RANDOM_FILE and EGD_SOCKET can still be set at build-time
for ancient EOL OpenSSL versions.
Closes#8670
Also rephrase to make it sound less dangerous:
"ALPN: server did not agree on a protocol. Uses default."
Reported-by: Nick Coghlan
Fixes#8643Closes#8651
The CURLOPT_SSL_EC_CURVES option (used by the '--curves' flag) in
libcurl was ignored when compiling with BoringSSL because
HAVE_SSL_CTX_SET_EC_CURVES was explicitly disabled if BoringSSL was
detected. However, this feature is supported in BoringSSL since
5fd1807d. This commit enables it, and also reduces the required minimal
OpenSSL version to 1.0.2 as per OpenSSL's official documentation.
Fixes#8553Closes#8556
Ideally, Curl_ssl_getsessionid should not be called unless sessionid
caching is enabled. There is a debug assertion in the function to help
ensure that. Therefore, the pattern in all vtls is basically:
if(primary.sessionid) {lock(); Curl_ssl_getsessionid(...); unlock();}
There was one instance in openssl.c where sessionid was not checked
beforehand and this change fixes that.
Prior to this change an assertion would occur in openssl debug builds
during connection stage if session caching was disabled.
Reported-by: Jim Beveridge
Fixes https://github.com/curl/curl/issues/8472
Closes https://github.com/curl/curl/pull/8484
The TLS backends convert the host name to SNI name and need to use that.
This involves cutting off any trailing dot and lowercasing.
Co-authored-by: Jay Satiro
Closes#8320
Reverts 5de8d84098 (May 2014, shipped in 7.37.0) and the
follow-up changes done afterward.
Keep the dot in names for everything except the SNI to make curl behave
more similar to current browsers. This means 'name' and 'name.' send the
same SNI for different 'Host:' headers.
Updated test 1322 accordingly
Fixes#8290
Reported-by: Charles Cazabon
Closes#8320
The tools.ietf.org domain has been deprecated a while now, with the
links being redirected to datatracker.ietf.org.
Rather than make people eat that redirect time, this change switches the
URL to a more canonical source.
Closes#8317
Previously curl would just silently ignore it if the necessary defines
are not present at build-time.
Reported-by: Stefan Eissing
Fixes#8309Closes#8310
... and double-check in the OpenSSL shutdown that the socket is actually
still there before it is used.
Fixes#8193Closes#8195
Reported-by: Leszek Kubik
Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and
`CURLOPT_SSL_VERIFYHOST`.
The name check now uses a function from lib/vtls/openssl.c which will
need attention for when TLS is not done by OpenSSL or is disabled while
QUIC is enabled.
Possibly the servercert() function in openssl.c should be adjusted to be
able to use for both regular TLS and QUIC.
Ref: #8173Closes#8178
Prior to this change OpenSSL_version was only detected in configure
builds. For other builds the old version parsing code was used which
would result in incorrect versioning for OpenSSL 3:
Before:
curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.0a zlib/1.2.11
WinIDN libssh2/1.9.0
After:
curl 7.80.0 (i386-pc-win32) libcurl/7.80.0 OpenSSL/3.0.1 zlib/1.2.11
WinIDN libssh2/1.9.0
Reported-by: lllaffer@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/8154
Closes https://github.com/curl/curl/pull/8155
It was previously done mostly to show a match/non-match in the verbose
output even when verification was not asked for. This change skips the
loading of the CA certs unless verifypeer is set to save memory and CPU.
Closes#7892
One reason we know it can fail is if a provider is used that doesn't do
a proper job or is wrongly configured.
Reported-by: Michael Baentsch
Fixes#7840Closes#7856
On connection shutdown, a new TLS session ticket may arrive after the
SSL session cache has already been destructed. In this case, the new
SSL session cannot be added to the SSL session cache.
The callers of Curl_ssl_addsessionid() need to know whether the SSL
session has been added to the cache. If it has not been added, the
reference counter of the SSL session must not be incremented, or memory
used by the SSL session must be freed. This is now possible with the new
output parameter "added" of Curl_ssl_addsessionid().
Fixes#7683Closes#7752
This adds support for the previously unhandled supplemental data which
in -v output was printed like:
TLSv1.2 (IN), TLS header, Unknown (23):
These will now be printed with proper annotation:
TLSv1.2 (OUT), TLS header, Supplemental data (23):
Closes#7652
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Remove the previous handling that would call SSL_CTX_free(), and instead
add an assert that halts a debug build if there ever is a context
already set at this point.
Closes#7585
