fbf5d507 | 18-Sep-2024 | Daniel Stenberg
lib/src: white space edits to comply better with code style

... as checksrc now finds and complains about these.

Closes #14921
344a177a | 09-Sep-2024 | Daniel Stenberg
lib: remove the final strncpy() calls

wolfssl: use strcpy() as the target buffer is > 40 bytes
gethostname: return failure if the buffer is too small instead

Closes #14830
ff94698d | 19-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
wolfssl: fix setting tls version

The value CURL_SSLVERSION_TLSv1_0 was unsupported.

Closes #14587
623b8775 | 12-Aug-2024 | Stefan Eissing
gnutls/wolfssl: improve error message when certificate fails

Give more detailed reasons for certificate failures where available in gnutls and wolfssl to allow user to understand the cause of the failure.

Closes #14501
71d3ab58 | 11-Aug-2024 | Viktor Szakats
vtls: fix static function name collisions between TLS backends

When using CMake Unity build.

- use unique name for `set_ssl_version_min_max()`
  Fixes collision between GnuTLS, mbedTLS and SecureTransport.
```
lib\vtls\mbedtls.c(317,1): error C2084: function 'CURLcode set_ssl_version_min_max(Curl_easy *,ssl_peer *,ssl_primary_config *,const char **,const char *)' already has a body
lib\vtls\mbedtls.c(837,49): warning C4133: 'function': incompatible types - from 'Curl_cfilter *' to 'Curl_easy *'
lib\vtls\mbedtls.c(837,53): warning C4133: 'function': incompatible types - from 'Curl_easy *' to 'ssl_peer *'
lib\vtls\mbedtls.c(837,25): error C2198: 'set_ssl_version_min_max': too few arguments for call
```
- use unique name for `do_file_type()`
  Fixes collision between GnuTLS, OpenSSL and wolfSSL.
```
lib\vtls\openssl.c(1053,12): error C2084: function 'gnutls_x509_crt_fmt_t do_file_type(const char *)' already has a body
```

Ref: https://github.com/curl/curl/actions/runs/10341162641/job/28622681573?pr=14484#step:10:31
Cherry-picked from #14495
Closes #14516
902d9a1d | 09-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
wolfssl: fix CURLOPT_SSLVERSION

Before, setting CURLOPT_SSLVERSION with wolfSSL restricted the tls proto to just the specified version. Now it properly supports a range. So it can set the min and max tls proto (max requires wolfSSL 4.2.0).

Bump the absolute minimum required version of wolfSSL to 3.4.6 (released 2015) because it is needed for the wolfSSL_CTX_SetMinVersion() function.

Closes #14480
0a5ea09a | 29-Feb-2024 | Max Faxälv
spnego_gssapi: implement TLS channel bindings for openssl

Channel Bindings are used to tie the session context to a specific TLS channel. This is to provide additional proof of valid identity, mitigating authentication relay attacks.

Major web servers have the ability to require (None/Accept/Require) GSSAPI channel binding, rendering Curl unable to connect to such websites unless support for channel bindings is implemented. IIS calls this feature Extended Protection (EPA), which is used in Enterprise environments using Kerberos for authentication.

This change requires krb5 >= 1.19, otherwise channel bindings won't be forwarded through SPNEGO.

Co-Authored-By: Steffen Kieß <947515+steffen-kiess@users.noreply.github.com>
Closes #13098
63e9e067 | 07-Aug-2024 | Alex Snast
wolfssl: avoid taking cached x509 store ref if sslctx already using it

Closes #14442
5c2ab55a | 05-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
vtls: add SSLSUPP_CIPHER_LIST

Added SSLSUPP_CIPHER_LIST to be able to differentiate SSL Backends that support CURLOPT_SSL_CIPHER_LIST.

Closes #14406
4c128924 | 04-Aug-2024 | Jan Venekamp <1422460+jan2000@users.noreply.github.com>
wolfssl: add CURLOPT_TLS13_CIPHERS support

Bring setting ciphers with WolfSSL in line with other SSL backends, to make the curl interface more consistent across the backends.

Now the tls1.3 ciphers are set with the --tls13-ciphers option; when not set the default tls1.3 ciphers are used. The tls1.2 (1.1, 1.0) ciphers are set with the --ciphers option; when not set the default tls1.2 ciphers are used. The ciphers available for the connection are now a union of the tls1.3 and tls1.2 ciphers.

This changes the behaviour for WolfSSL when --ciphers is set, but --tls13-ciphers is not set. Now the ciphers set with --ciphers are combined with the default tls1.3 ciphers, whereas before solely the ciphers of --ciphers were used. Thus before when no tls1.3 ciphers were specified in --ciphers, tls1.3 was completely disabled. This might not be what the user expected, especially as this does not happen with OpenSSL.

Closes #14385
344ba8c8 | 04-Aug-2024 | Stefan Eissing
wolfssl: improve shutdown handling

Improve handling of shutdown when sending gets blocked. Add workaround for <https://github.com/wolfSSL/wolfssl/issues/7784> where wolfSSL keeps on adding close notify messages to its outgoing buffer on every attempt.

Closes #14376
8d981180 | 25-Jun-2024 | Alex Snast
wolfssl: add support for ssl cert blob / ssl key blob options

wolfSSL supports setting certificates/private keys from memory blobs which allow us to implement both CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB options.

Closes #14018
911c3166 | 18-Jul-2024 | Stefan Eissing
lib: add eos flag to send methods

Adds a `bool eos` flag to send methods to indicate that the data is the last chunk the involved transfer wants to send to the server. This will help protocol filters like HTTP/2 and 3 to forward the stream's EOF flag and also allow to EAGAIN such calls when buffers are not yet fully flushed.

Closes #14220
5a9262a3 | 12-Jul-2024 | Stefan Eissing
url: dns_entry related improvements

Replace Curl_resolv_unlock() with Curl_resolv_unlink():
- replace inuse member with refcount in Curl_dns_entry
- pass Curl_dns_entry ** to unlink, so it gets always cleared
- solve potential (but unlikely) UAF in FTP's handling of looked up Curl_dns_entry. Esp. do not use addr information after unlinking an entry. In reality, the unlink will not free memory, as the dns entry is still referenced by the hostcache. But this is not safe and relying on no other code pruning the cache in the meantime.
- pass permanent flag when adding a dns entry instead of fixing timestamp afterwards.

url.c: fold several static *resolve_* functions into one.

Closes #14195
f87a958e | 30-Jul-2024 | Alex Snast
wolfssl: avoid calling get_cached_x509_store if store is uncachable

There's no need for get_cached_x509_store call if the return value won't be used for caching anyway.

Closes #14306
0f2876b2 | 26-Jul-2024 | Stefan Eissing
wolfssl: CA store share fix

When sharing the x509 store in wolfSSL, always use an explicitly constructed one, as the SSLCTX might have "only" an internal one which is not obeying reference count lifetimes.

Fixes #14278
Reported-by: Alex Snast
Closes #14279
11e248b7 | 24-Jul-2024 | Anthony Hu
wolfSSL: allow wolfSSL's implementation of kyber to be used

Closes #14268
25321de3 | 18-Jul-2024 | Daniel Stenberg
Revert "lib: send eos flag"

This reverts commit be93299f10ef0b2bf7fe5c82140120073831867a.
be93299f | 18-Jul-2024 | Stefan Eissing
lib: send eos flag

Adds a `bool eos` flag to send methods to indicate that the data is the last chunk the involved transfer wants to send to the server. This will help protocol filters like HTTP/2 and 3 to forward the stream's EOF flag and also allow to EAGAIN such calls when buffers are not yet fully flushed.

Closes #14220
dfbdcb93 | 15-Jul-2024 | Tal Regev
GHA/windows: add MSVC wolfSSL job with test

Fix the file of wolfssl.c because of this warning/error:
```
curl\lib\vtls\wolfssl.c(1017,42): error C2220: the following warning is treated as an error [curl\bld\lib\libcurl_object.vcxproj]
curl\lib\vtls\wolfssl.c(1017,42): warning C4267: 'function': conversion from 'size_t' to 'unsigned long', possible loss of data [curl\bld\lib\libcurl_object.vcxproj]
```
`size_t` in MSVC is different. Change it to `unsigned long` because `wolfSSL_ERR_error_string_n` last argument is defined as `unsigned long`.

Closes #14193
6343034d | 12-Jul-2024 | Viktor Szakats
tidy-up: adjust casing of project names

Mostly TLS/SSH project name.

Closes #14160
5ab2eda8 | 07-Jul-2024 | Alex Snast
wolfssl: use larger error buffer when formatting errors

Currently we're using WOLFSSL_MAX_ERROR_SZ to define the error buffer size. This value is user defined, which means it can be overwritten with -DWOLFSSL_MAX_ERROR_SZ=512 when building wolfssl, and this overwrite is not exported to the users of wolfssl. Instead of relying on WOLFSSL_MAX_ERROR_SZ we'll just use a 256 bytes error buffer and use wolfSSL_ERR_error_string_n to fill it, thus dropping the dependency on WOLFSSL_MAX_ERROR_SZ altogether.

Closes #14114
46a26f12 | 08-Jul-2024 | Stefan Eissing
vtls: replace addsessionid with set_sessionid

- deduplicate the code in many tls backends that check for an existing id and delete it before adding the new one
- rename ssl_primary_config's `sessionid` bool to `cache_session`

Closes #14121
c074ba64 | 01-Jul-2024 | Daniel Stenberg
code: language cleanup in comments

Based on the standards and guidelines we use for our documentation.

- expand contractions (they're => they are etc)
- host name => hostname
- file name => filename
- user name => username
- man page => manpage
- run-time => runtime
- set-up => setup
- back-end => backend
- a HTTP => an HTTP
- Two spaces after a period => one space after period

Closes #14073
c9b95c0b | 19-Jun-2024 | Stefan Eissing
lib: graceful connection shutdown

When libcurl discards a connection there are two phases this may go through: "shutdown" and "closing". If a connection is aborted, the shutdown phase is skipped and it is closed right away.

The connection filters attached to the connection implement the phases in their `do_shutdown()` and `do_close()` callbacks. Filters now carry a `shutdown` flag next to `connected` to keep track of the shutdown operation. Filters are shut down from top to bottom. If a filter is not connected, its shutdown is skipped.

Notable filters that *do* something during shutdown are HTTP/2 and TLS. HTTP/2 sends the GOAWAY frame. TLS sends its close notify and expects to receive a close notify from the server.

As sends and receives may EAGAIN on the network, a shutdown is often not successful right away and needs to poll the connection's socket(s). To facilitate this, such connections are placed on a new shutdown list inside the connection cache. Since managing this list requires the cooperation of a multi handle, only the connection cache belonging to a multi handle is used. If a connection was in another cache when being discarded, it is removed there and added to the multi's cache. If no multi handle is available at that time, the connection is shutdown and closed in a one-time, best-effort attempt.

When a multi handle is destroyed, all connections still on the shutdown list are discarded with a final shutdown attempt and close. In curl debug builds, the environment variable `CURL_GRACEFUL_SHUTDOWN` can be set to make this graceful with a timeout in milliseconds given by the variable.

The shutdown list is limited to the max number of connections configured for a multi cache. Set via CURLMOPT_MAX_TOTAL_CONNECTIONS. When the limit is reached, the oldest connection on the shutdown list is discarded.

- In multi_wait() and multi_waitfds(), collect all connection caches involved (each transfer might carry its own) into a temporary list. Let each connection cache on the list contribute sockets and POLLIN/OUT events its connections are waiting for.
- in multi_perform() collect the connection caches the same way and let them perform their maintenance. This will make another non-blocking attempt to shutdown all connections on its shutdown list.
- for event based multis (multi->socket_cb set), add the sockets and their poll events via the callback. When `multi_socket()` is invoked for a socket not known by an active transfer, forward this to the multi's cache for processing. On closing a connection, remove its socket(s) via the callback.

TLS connection filters MUST NOT send close notify messages in their `do_close()` implementation. The reason is that a TLS close notify signals a success. When a connection is aborted and skips its shutdown phase, the server needs to see a missing close notify to detect something has gone wrong.

A graceful shutdown of FTP's data connection is performed implicitly before regarding the upload/download as complete and continuing on the control connection. For FTP without TLS, there is just the socket close happening. But with TLS, the sent/received close notify signals that the transfer is complete and healthy. Servers like `vsftpd` verify that and reject uploads without a TLS close notify.

- added test_19_* for shutdown related tests
- test_19_01 and test_19_02 test for TCP RST packets which happen without a graceful shutdown and should no longer appear otherwise.
- add test_19_03 for handling shutdowns by the server
- add test_19_04 for handling shutdowns by curl
- add test_19_05 for event based shutdown by server
- add test_30_06/07 and test_31_06/07 for shutdown checks on FTP up- and downloads.

Closes #13976