6588a7f0 | 04-Sep-2024 | Daniel Stenberg
openssl: certinfo errors now fail correctly

If there is a (memory) error when creating the certinfo data, the code would previously continue which could lead to a partial/broken response. Now, the first error aborts and cleans up the entire thing.

A certinfo "collection" error is however still not considered an error big enough to stop the handshake.

Bonus 1: made two functions static (and removed the Curl_ prefix) that were not used outside of openssl.c
Bonus 2: removed the unused function Curl_ossl_set_client_cert

Closes #14780

02b14378 | 17-May-2024 | Jay Satiro
openssl: stop duplicate ssl key logging for legacy OpenSSL

- Don't call the keylog function if it has already logged the key.

For old OpenSSL versions and its forks that do not have support for OpenSSL's keylog callback, libcurl has its own legacy key logging function that logs the TLS 1.2 (and earlier) key (client random + master key) on a single line.

Prior to this change, since e7de80e8 (precedes 8.8.0), the legacy key logging function could write the same key line more than once (usually twice) due to some incorrect logic.

Closes https://github.com/curl/curl/pull/13683

fb22459d | 26-Apr-2024 | Stefan Eissing
vtls: TLS session storage overhaul

- add session with destructor callback
- remove vtls `session_free` method
- let `Curl_ssl_addsessionid()` take ownership of session object, freeing it also on failures
- change tls backend use
- test_17, add tests for SSL session resumption

Closes #13386

32101010 | 22-Mar-2024 | Stefan Eissing
tls: use shared init code for TCP+QUIC

Closes #13172

56791f3e | 01-Dec-2023 | David Benjamin
vtls: consistently use typedef names for OpenSSL structs

The foo_st names don't appear in OpenSSL public API documentation. The FOO typedefs are more common.

This header was already referencing SSL_CTX via <openssl/ssl.h>. There is a comment about avoiding <openssl/x509v3.h>, but OpenSSL actually declares all the typedefs in <openssl/ossl_typ.h>, which is already included by <openssl/ssl.h> (and every other OpenSSL header), so just use that. Though I've included it just to be explicit.

(I'm also fairly sure including <openssl/ssl.h> already triggers the Schannel conflicts anyway. The comment was probably just out of date.)

Closes #12439

00697785 | 22-Nov-2023 | Viktor Szakats
openssl: fix building with v3 `no-deprecated` + add CI test

- build quictls with `no-deprecated` in CI to have test coverage for this OpenSSL 3 configuration.

- don't call `OpenSSL_add_all_algorithms()`, `OpenSSL_add_all_digests()`. The caller code is meant for OpenSSL 3, while these two functions were only necessary before OpenSSL 1.1.0. They are missing from OpenSSL 3 if built with option `no-deprecated`, causing build errors:

```
vtls/openssl.c:4097:3: error: call to undeclared function 'OpenSSL_add_all_algorithms'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
vtls/openssl.c:4098:3: error: call to undeclared function 'OpenSSL_add_all_digests'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
```

Ref: https://ci.appveyor.com/project/curlorg/curl-for-win/builds/48587418?fullLog=true#L7667
Regression from b6e6d4ff8f253c8b8055bab9d4d6a10f9be109f3 #12030
Bug: https://github.com/curl/curl/issues/12380#issuecomment-1822944669
Reviewed-by: Alex Bozarth

- vquic/curl_ngtcp2: fix using `SSL_get_peer_certificate` with `no-deprecated` quictls 3 builds. Do it by moving an existing solution for this from `vtls/openssl.c` to `vtls/openssl.h` and adjusting caller code.

```
vquic/curl_ngtcp2.c:1950:19: error: implicit declaration of function 'SSL_get_peer_certificate'; did you mean 'SSL_get1_peer_certificate'? [-Wimplicit-function-declaration]
```

Ref: https://github.com/curl/curl/actions/runs/6960723097/job/18940818625#step:24:1178

- curl_ntlm_core: fix `-Wunused-parameter`, `-Wunused-variable` and `-Wunused-function` when trying to build curl with NTLM enabled but without the necessary TLS backend (with DES) support.

Closes #12384

fa714830 | 17-Nov-2023 | Stefan Eissing
vtls/vquic, keep peer name information together

- add `struct ssl_peer` to keep hostname, dispname and sni for a filter
- allocate `sni` for use in VTLS backend
- eliminate `Curl_ssl_snihost()` and its use of the download buffer
- use ssl_peer in SSL and QUIC filters

Closes #12349

088c08a7 | 05-Jan-2023 | Stefan Eissing
ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl

Using common method for SSL_CTX initialization of verify peer and CA settings. This also provides X509_STORE sharing to become available for ngtcp2+openssl HTTP/3.

Reported-by: violetlige on github
Fixes #10222
Closes #10239

2bc1d775 | 02-Jan-2023 | Daniel Stenberg
copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205

58acc69e | 26-Sep-2022 | Daniel Stenberg
openssl: make certinfo available for QUIC

Curl_ossl_certchain() is now an exported function in lib/vtls/openssl.c that can also be used from quiche.c and ngtcp2.c to get the cert chain for QUIC connections as well.

The *certchain function was moved to the top of the file for this reason.

Reported-by: Eloy Degen
Fixes #9584
Closes #9597

ad9bc597 | 17-May-2022 | max.mehl
copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes.

Closes #8869

c82b281e | 28-Feb-2022 | Tatsuhiro Tsujikawa
ngtcp2: add client certificate authentication for OpenSSL

Closes #8522

1bb406c7 | 08-Jan-2022 | Daniel Stenberg
openssl.h: avoid including OpenSSL headers here

... by instead using the struct version of the typedef'ed pointer. To fix build errors when both Schannel and OpenSSL are enabled.

Fixes #8240
Reported-by: Jan Ehrhardt
Closes #8246

c148f0f5 | 23-Dec-2021 | Daniel Stenberg
ngtcp2: verify the server cert on connect (quictls)

Make ngtcp2+quictls correctly acknowledge `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST`.

The name check now uses a function from lib/vtls/openssl.c which will need attention for when TLS is not done by OpenSSL or is disabled while QUIC is enabled.

Possibly the servercert() function in openssl.c should be adjusted to be able to use for both regular TLS and QUIC.

Ref: #8173
Closes #8178

Revision tags: curl-7_76_1, curl-7_76_0, curl-7_75_0, curl-7_74_0

ac0a88fd | 05-Nov-2020 | Daniel Stenberg
copyright: fix year ranges

Follow-up from 4d2f8006777

4d2f8006 | 04-Nov-2020 | Daniel Stenberg
curl.se: new home

Closes #6172

Revision tags: curl-7_73_0, tiny-curl-7_72_0, curl-7_72_0, curl-7_71_1, curl-7_71_0, curl-7_70_0, curl-7_69_1, curl-7_69_0, curl-7_68_0, curl-7_67_0, curl-7_66_0, curl-7_65_3, curl-7_65_2, curl-7_65_1, curl-7_65_0, curl-7_64_1, curl-7_64_0, curl-7_63_0, curl-7_62_0, curl-7_61_1, curl-7_61_0, curl-7_60_0, curl-7_59_0, curl-7_58_0, curl-7_57_0, curl-7_56_1, curl-7_56_0, curl-7_55_1, curl-7_55_0

a53bda35 | 23-Jun-2017 | Johannes Schindelin
vtls: fold the backend ID into the Curl_ssl structure

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

118b074f | 26-Jun-2017 | Johannes Schindelin
vtls: move SSL backends' private constants out of their header files

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

6f1eec14 | 23-Jun-2017 | Johannes Schindelin
vtls: remove obsolete declarations of SSL backend functionality

These functions are all available via the Curl_ssl struct now, no need to declare them separately anymore.

As the global declarations are removed, the corresponding function definitions are marked as file-local. The only two exceptions here are Curl_mbedtls_shutdown() and Curl_polarssl_shutdown(): only the declarations were removed, there are no function definitions to mark file-local.

Please note that Curl_nss_force_init() is *still* declared globally, as the only SSL backend-specific function, because it was introduced specifically for the use case where cURL was compiled with `--without-ssl --with-nss`. For details, see f3b77e561 (http_ntlm: add support for NSS, 2010-06-27).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

f0b4db1a | 26-Jun-2017 | Johannes Schindelin
vtls: move the SUPPORT_HTTPS_PROXY flag into the Curl_ssl struct

That will allow us to choose the SSL backend at runtime.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

937899a3 | 20-Jun-2017 | Johannes Schindelin
vtls: convert the have_curlssl_* constants to runtime flags

The entire idea of introducing the Curl_ssl struct to describe SSL backends is to prepare for choosing the SSL backend at runtime. To that end, convert all the #ifdef have_curlssl_* style conditionals to use bit flags instead.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

0a083a66 | 22-Jun-2017 | Johannes Schindelin
vtls: move sha256sum into the Curl_ssl struct

The SHA-256 checksumming is also an SSL backend-specific function. Let's include it in the struct declaring the functionality of SSL backends.

In contrast to MD5, there is no fall-back code. To indicate this, the respective entries are NULL for those backends that offer no support for SHA-256 checksumming.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

e35205a0 | 22-Jun-2017 | Johannes Schindelin
vtls: move md5sum into the Curl_ssl struct

The MD5 summing is also an SSL backend-specific function. So let's include it, offering the previous fall-back code as a separate function now: Curl_none_md5sum().

To allow for that, the signature had to be changed so that an error could be returned from the implementation (Curl_none_md5sum() can run out of memory).

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

52e8237b | 22-Jun-2017 | Johannes Schindelin
vtls: use the Curl_ssl struct to access all SSL backends' functionality

This is the first step to unify the SSL backend handling. Now all the SSL backend-specific functionality is accessed via a global instance of the Curl_ssl struct.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

e09bb63e | 22-Jun-2017 | Johannes Schindelin
vtls: declare Curl_ssl structs for every SSL backend

The idea of introducing the Curl_ssl struct was to unify how the SSL backends are declared and called. To this end, we now provide an instance of the Curl_ssl struct for each and every SSL backend.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>