f36e32b5 | 06-Dec-2021 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
bearssl: fix EXC_BAD_ACCESS on incomplete CA cert

- Do not create trust anchor object for a CA certificate until after it is processed. Prior to this change the object was created at state BR_PEM_BEGIN_OBJ (certificate processing begin state). An incomplete certificate (for example missing a newline at the end) never reaches BR_PEM_END_OBJ (certificate processing end state) and therefore the trust anchor data was not set in those objects, which caused EXC_BAD_ACCESS.

Ref: https://github.com/curl/curl/pull/8106
Closes https://github.com/curl/curl/pull/8476

8af1cef2 | 06-Dec-2021 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
bearssl: fix connect error on expired cert and no verify

- When peer verification is disabled use the x509_decode engine instead of the x509_minimal engine to parse and extract the public key from the first cert of the chain. Prior to this change in such a case no key was extracted and that caused CURLE_SSL_CONNECT_ERROR. The x509_minimal engine will stop parsing if any validity check fails but the x509_decode won't.

Ref: https://github.com/curl/curl/pull/8106
Closes https://github.com/curl/curl/pull/8475

b8443719 | 06-Dec-2021 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
bearssl: fix session resumption (session id)

Prior to this change br_ssl_client_reset was mistakenly called with resume_session param set to 0, which disabled session resumption.

Ref: https://github.com/curl/curl/pull/8106
Closes https://github.com/curl/curl/pull/8474

2218c3a5 | 22-Jan-2022 | Daniel Stenberg
vtls: pass on the right SNI name

The TLS backends convert the host name to SNI name and need to use that. This involves cutting off any trailing dot and lowercasing.

Co-authored-by: Jay Satiro
Closes #8320

60738f39 | 22-Sep-2021 | Michael Kaufmann
vtls: Fix a memory leak if an SSL session cannot be added to the cache

On connection shutdown, a new TLS session ticket may arrive after the SSL session cache has already been destructed. In this case, the new SSL session cannot be added to the SSL session cache.

The callers of Curl_ssl_addsessionid() need to know whether the SSL session has been added to the cache. If it has not been added, the reference counter of the SSL session must not be incremented, or memory used by the SSL session must be freed. This is now possible with the new output parameter "added" of Curl_ssl_addsessionid().

Fixes #7683
Closes #7752

beb1b1cb | 21-Jul-2021 | Aleksandr Krotov
bearssl: support CURLOPT_CAINFO_BLOB

Closes #7468

e7416cfd | 06-Jul-2021 | Daniel Stenberg
infof: remove newline from format strings, always append it

- the data needs to be "line-based" anyway since it's also passed to the debug callback/application
- it makes infof() work like failf() and consistency is good
- there's an assert that triggers on newlines in the format string
- Also removes a few instances of "..."
- Removes the code that would append "..." to the end of the data *iff* it was truncated in infof()

Closes #7357

7f9c5af8 | 26-May-2021 | Michael Forney
bearssl: explicitly initialize all fields of Curl_ssl

Also, add comments like the other vtls backends.

Closes #7133

a03ea622 | 26-May-2021 | Michael Forney
bearssl: remove incorrect const on variable that is modified

hostname may be set to NULL later on in this function if it is an IP address.

Closes #7133

a3268eca | 25-Apr-2021 | Jacob Hoffman-Andrews
tls: add USE_HTTP2 define

This abstracts across the two HTTP/2 backends: nghttp2 and Hyper. Add our own define for the "h2" ALPN protocol, so TLS backends can use it without depending on a specific HTTP backend.

Closes #6959

Revision tags: curl-7_76_1, curl-7_76_0

e4ba9996 | 25-Feb-2021 | Michał Antoniak
vtls: deduplicate some DISABLE_PROXY ifdefs

continue from #5735

- using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other tls backend
- create SSL_HOST_PORT

Closes #6660

f573998c | 01-Apr-2021 | Daniel Stenberg
TLS: fix HTTP/2 selection for GnuTLS, BearSSL, mbedTLS, NSS, Schannel, Secure Transport and wolfSSL...

Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)

Reported-by: Kenneth Davidson
Reported-by: romamik on github
Fixes #6825
Closes #6827

b09c8ee1 | 19-Mar-2021 | Daniel Stenberg
vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()

To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html
CVE-2021-22890

88dd1a8a | 11-Feb-2021 | Daniel Stenberg
urldata: don't touch data->set.httpversion at run-time

Rename it to 'httpwant' and make a cloned field in the state struct as well for run-time updates. Also: refuse non-supported HTTP versions.

Verified with test 129.

Closes #6585

Revision tags: curl-7_75_0

c30bf22f | 03-Feb-2021 | Jacob Hoffman-Andrews
vtls: factor out Curl_ssl_getsock to field of Curl_ssl

Closes #6558

2c4b338f | 01-Feb-2021 | Daniel Stenberg
vtls: remove md5sum

As it is not used anymore.

Reported-by: Jacob Hoffman-Andrews
Bug: https://curl.se/mail/lib-2021-02/0000.html
Closes #6557

bbe3aa9f | 13-Jan-2021 | Patrick Monnerat
vtls: reduce conn->data use

Closes #6474

215db086 | 08-Jan-2021 | Daniel Stenberg
lib: pass in 'struct Curl_easy *' to most functions

... in most cases instead of 'struct connectdata *' but in some cases in addition to.

- We mostly operate on transfers and not connections.
- We need the transfer handle to log, store data and more. Everything in libcurl is driven by a transfer (the CURL * in the public API).
- This work clarifies and separates the transfers from the connections better.
- We should avoid "conn->data". Since individual connections can be used by many transfers when multiplexing, making sure that conn->data points to the current and correct transfer at all times is difficult and has been notoriously error-prone over the years. The goal is to ultimately remove the conn->data pointer for this reason.

Closes #6425

7e72b9b5 | 13-Jan-2021 | Daniel Stenberg
bearssl: remove Curl_ prefix from static functions

aba01da6 | 23-Dec-2020 | Daniel Stenberg
failf: remove newline from formatting strings

... as failf adds one itself.

Also: add an assert() to failf() that triggers on a newline in the format string!

Closes #6365

Revision tags: curl-7_74_0

4d2f8006 | 04-Nov-2020 | Daniel Stenberg
curl.se: new home

Closes #6172

Revision tags: curl-7_73_0, tiny-curl-7_72_0, curl-7_72_0

81bf2713 | 09-Jul-2020 | Baruch Siach
bearssl: fix build with disabled proxy support

Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is defined.

Reviewed-by: Nicolas Sterchele
Closes #5666

Revision tags: curl-7_71_1, curl-7_71_0

842f73de | 28-May-2020 | Daniel Stenberg
timeouts: change millisecond timeouts to timediff_t from time_t

For millisecond timers we like timediff_t better. Also, time_t can be unsigned so returning a negative value doesn't work then.

Closes #5479

Revision tags: curl-7_70_0

52182e4b | 18-Mar-2020 | Daniel Stenberg
bearssl: remove the BACKEND define kludge

Revision tags: curl-7_69_1, curl-7_69_0, curl-7_68_0

9024b013 | 21-Dec-2019 | Michael Forney
bearssl: Improve I/O handling

Factor out common I/O loop as bearssl_run_until, which reads/writes TLS records until the desired engine state is reached. This is now used for the handshake, read, write, and close.

Match OpenSSL SSL_write behavior, and don't return the number of bytes written until the corresponding records have been completely flushed across the socket. This involves keeping track of the length of data buffered into the TLS engine, and assumes that when CURLE_AGAIN is returned, the write function will be called again with the same data and length arguments. This is the same requirement of SSL_write.

Handle TLS close notify as EOF when reading by returning 0.

Closes https://github.com/curl/curl/pull/4748