History log of /curl/lib/vtls/bearssl.c (Results 51 – 75 of 76)
Revision Date Author Comments
# f36e32b5 06-Dec-2021 Jan Venekamp <1422460+jan2000@users.noreply.github.com>

bearssl: fix EXC_BAD_ACCESS on incomplete CA cert

- Do not create trust anchor object for a CA certificate until after it
is processed.

Prior to this change the object was created at state BR_PEM_BEGIN_OBJ
(certificate processing begin state). An incomplete certificate (for
example missing a newline at the end) never reaches BR_PEM_END_OBJ
(certificate processing end state) and therefore the trust anchor data
was not set in those objects, which caused EXC_BAD_ACCESS.

Ref: https://github.com/curl/curl/pull/8106

Closes https://github.com/curl/curl/pull/8476


# 8af1cef2 06-Dec-2021 Jan Venekamp <1422460+jan2000@users.noreply.github.com>

bearssl: fix connect error on expired cert and no verify

- When peer verification is disabled use the x509_decode engine instead
of the x509_minimal engine to parse and extract the public key from
the first cert of the chain.

Prior to this change in such a case no key was extracted and that caused
CURLE_SSL_CONNECT_ERROR. The x509_minimal engine will stop parsing if
any validity check fails but the x509_decode won't.

Ref: https://github.com/curl/curl/pull/8106

Closes https://github.com/curl/curl/pull/8475


# b8443719 06-Dec-2021 Jan Venekamp <1422460+jan2000@users.noreply.github.com>

bearssl: fix session resumption (session id)

Prior to this change br_ssl_client_reset was mistakenly called with
resume_session param set to 0, which disabled session resumption.

Ref: https://github.com/curl/curl/pull/8106

Closes https://github.com/curl/curl/pull/8474


# 2218c3a5 22-Jan-2022 Daniel Stenberg

vtls: pass on the right SNI name

The TLS backends convert the host name to SNI name and need to use that.
This involves cutting off any trailing dot and lowercasing.

Co-authored-by: Jay Satiro
Closes #8320


# 60738f39 22-Sep-2021 Michael Kaufmann

vtls: Fix a memory leak if an SSL session cannot be added to the cache

On connection shutdown, a new TLS session ticket may arrive after the
SSL session cache has already been destructed. In this case, the new
SSL session cannot be added to the SSL session cache.

The callers of Curl_ssl_addsessionid() need to know whether the SSL
session has been added to the cache. If it has not been added, the
reference counter of the SSL session must not be incremented, or memory
used by the SSL session must be freed. This is now possible with the new
output parameter "added" of Curl_ssl_addsessionid().

Fixes #7683
Closes #7752


# beb1b1cb 21-Jul-2021 Aleksandr Krotov

bearssl: support CURLOPT_CAINFO_BLOB

Closes #7468


# e7416cfd 06-Jul-2021 Daniel Stenberg

infof: remove newline from format strings, always append it

- the data needs to be "line-based" anyway since it's also passed to the
debug callback/application

- it makes infof() work like failf() and consistency is good

- there's an assert that triggers on newlines in the format string

- Also removes a few instances of "..."

- Removes the code that would append "..." to the end of the data *iff*
it was truncated in infof()

Closes #7357


# 7f9c5af8 26-May-2021 Michael Forney

bearssl: explicitly initialize all fields of Curl_ssl

Also, add comments like the other vtls backends.

Closes #7133


# a03ea622 26-May-2021 Michael Forney

bearssl: remove incorrect const on variable that is modified

hostname may be set to NULL later on in this function if it is an
IP address.

Closes #7133


# a3268eca 25-Apr-2021 Jacob Hoffman-Andrews

tls: add USE_HTTP2 define

This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.

Add our own define for the "h2" ALPN protocol, so TLS backends can use
it without depending on a specific HTTP backend.

Closes #6959


Revision tags: curl-7_76_1, curl-7_76_0
# e4ba9996 25-Feb-2021 Michał Antoniak

vtls: deduplicate some DISABLE_PROXY ifdefs

continue from #5735

- using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other
tls backend

- create SSL_HOST_PORT

Closes #6660


# f573998c 01-Apr-2021 Daniel Stenberg

TLS: fix HTTP/2 selection

for GnuTLS, BearSSL, mbedTLS, NSS, SChannel, Secure Transport and
wolfSSL...

Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0)
Reported-by: Kenneth Davidson
Reported-by: romamik on github
Fixes #6825
Closes #6827


# b09c8ee1 19-Mar-2021 Daniel Stenberg

vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()

To make sure we set and extract the correct session.

Reported-by: Mingtao Yang
Bug: https://curl.se/docs/CVE-2021-22890.html

CVE-2021-22890


# 88dd1a8a 11-Feb-2021 Daniel Stenberg

urldata: don't touch data->set.httpversion at run-time

Rename it to 'httpwant' and make a cloned field in the state struct as
well for run-time updates.

Also: refuse non-supported HTTP versions. Verified with test 129.

Closes #6585


Revision tags: curl-7_75_0
# c30bf22f 03-Feb-2021 Jacob Hoffman-Andrews

vtls: factor out Curl_ssl_getsock to field of Curl_ssl

Closes #6558


# 2c4b338f 01-Feb-2021 Daniel Stenberg

vtls: remove md5sum

As it is not used anymore.

Reported-by: Jacob Hoffman-Andrews
Bug: https://curl.se/mail/lib-2021-02/0000.html

Closes #6557


# bbe3aa9f 13-Jan-2021 Patrick Monnerat

vtls: reduce conn->data use

Closes #6474


# 215db086 08-Jan-2021 Daniel Stenberg

lib: pass in 'struct Curl_easy *' to most functions

... in most cases instead of 'struct connectdata *' but in some cases in
addition to.

- We mostly operate on transfers and not connections.

- We need the transfer handle to log, store data and more. Everything in
libcurl is driven by a transfer (the CURL * in the public API).

- This work clarifies and separates the transfers from the connections
better.

- We should avoid "conn->data". Since individual connections can be used
by many transfers when multiplexing, making sure that conn->data
points to the current and correct transfer at all times is difficult
and has been notoriously error-prone over the years. The goal is to
ultimately remove the conn->data pointer for this reason.

Closes #6425


# 7e72b9b5 13-Jan-2021 Daniel Stenberg

bearssl: remove Curl_ prefix from static functions


# aba01da6 23-Dec-2020 Daniel Stenberg

failf: remove newline from formatting strings

... as failf adds one itself.

Also: add an assert() to failf() that triggers on a newline in the
format string!

Closes #6365


Revision tags: curl-7_74_0
# 4d2f8006 04-Nov-2020 Daniel Stenberg

curl.se: new home

Closes #6172


Revision tags: curl-7_73_0, tiny-curl-7_72_0, curl-7_72_0
# 81bf2713 09-Jul-2020 Baruch Siach

bearssl: fix build with disabled proxy support

Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
defined.

Reviewed-by: Nicolas Sterchele
Closes #5666


Revision tags: curl-7_71_1, curl-7_71_0
# 842f73de 28-May-2020 Daniel Stenberg

timeouts: change millisecond timeouts to timediff_t from time_t

For millisecond timers we like timediff_t better. Also, time_t can be
unsigned so returning a negative value doesn't work then.

Closes #5479


Revision tags: curl-7_70_0
# 52182e4b 18-Mar-2020 Daniel Stenberg

bearssl: remove the BACKEND define kludge


Revision tags: curl-7_69_1, curl-7_69_0, curl-7_68_0
# 9024b013 21-Dec-2019 Michael Forney

bearssl: Improve I/O handling

Factor out common I/O loop as bearssl_run_until, which reads/writes TLS
records until the desired engine state is reached. This is now used for
the handshake, read, write, and close.

Match OpenSSL SSL_write behavior, and don't return the number of bytes
written until the corresponding records have been completely flushed
across the socket. This involves keeping track of the length of data
buffered into the TLS engine, and assumes that when CURLE_AGAIN is
returned, the write function will be called again with the same data
and length arguments. This is the same requirement of SSL_write.

Handle TLS close notify as EOF when reading by returning 0.

Closes https://github.com/curl/curl/pull/4748
