History log of /curl/lib/vtls/rustls.c (Results 76 – 84 of 84)
Revision Date Author Comments
# 7f4a9a9b 05-May-2021 Harry Sintonen

openssl: associate/detach the transfer from connection

CVE-2021-22901

Bug: https://curl.se/docs/CVE-2021-22901.html


# 8228002c 25-Apr-2021 Jacob Hoffman-Andrews

rustls: use ALPN

Update required rustls to 0.5.0

Closes #6960


# 063d3f3b 19-Apr-2021 Daniel Stenberg

tidy-up: make conditional checks more consistent

... remove '== NULL' and '!= 0'

Closes #6912


# 40d2d39f 14-Apr-2021 Javier Blazquez

rustls: only return CURLE_AGAIN when TLS session is fully drained


The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could be leaving some
unread plaintext data in the rustls session from a previous call,
causing the transfer to hang if the socket never receives
further data.

We need to ensure that the session is fully drained of plaintext data
before returning CURLE_AGAIN to the caller.

Reviewed-by: Jacob Hoffman-Andrews
Closes #6894



Revision tags: curl-7_76_1, curl-7_76_0
# 7488ef29 18-Mar-2021 Jacob Hoffman-Andrews

rustls: Handle close_notify.


If we get a close_notify, treat that as EOF. If we get an EOF from the
TCP stream, treat that as an error (because we should have ended the
connection earlier, when we got a close_notify).

Closes #6763



# 3780717d 14-Mar-2021 Jacob Hoffman-Andrews

rustls: allocate a buffer for TLS data.


Previously, rustls was using an on-stack array for TLS data. However,
crustls has an (unusual) requirement that buffers it deals with are
initialized before writing to them. By using calloc, we can ensure the
buffer is initialized once and then reuse it across calls.

Closes #6742



# 43a56e34 27-Feb-2021 Jacob Hoffman-Andrews

rustls: support CURLOPT_SSL_VERIFYPEER


This requires the latest main branch of crustls, which provides
rustls_client_config_builder_dangerous_set_certificate_verifier and
rustls_client_config_builder_set_enable_sni.

This refactors the session setup into its own function, and adds a new
function cr_hostname_is_ip. Because crustls doesn't support verification
of IP addresses, special handling is needed: We disable SNI and set a
placeholder hostname (which never actually gets sent on the wire).

Closes #6719



# cfff12a0 15-Feb-2021 Daniel Stenberg

lib: remove 'conn->data' completely


The Curl_easy pointer struct entry in connectdata is now gone. Just
before commit 215db086e0 landed on January 8, 2021 there were 919
references to conn->data.

Closes #6608



Revision tags: curl-7_75_0
# 246399a8 13-Dec-2020 Jacob Hoffman-Andrews

vtls: initial implementation of rustls backend


This adds a new TLS backend, rustls. It uses the C-to-rustls bindings
from https://github.com/abetterinternet/crustls.

Rustls is at https://github.com/ctz/rustls/.

There is still a fair bit to be done, like sending CloseNotify on
connection shutdown, respecting CAPATH, and properly indicating features
like "supports TLS 1.3 ciphersuites." But it works well enough to make
requests and receive responses.

Blog post for context:
https://www.abetterinternet.org/post/memory-safe-curl/

Closes #6350


