This function has been unused since the initial commit of the GSKit
backend in 0eba02fd4. The motivation for the code was getting the
whole certificate chain: the only place where the latter is available
is as a callback parameter. Unfortunately it is not possible to pass
a user pointer to this callback, which precludes the possibility to
associate the cert chain with a data/conn structure.
For further information, search for pgsk_cert_validation_callback on:
https://www.ibm.com/docs/api/v1/content/ssw_ibm_i_71/apis/gsk_attribute_set_callback.htm
As the upstream library never added a parameter like that to the API,
we give up the wait and remove the dead code.
Closes: #8782
Reviewed-by: Patrick Monnerat <patrick@monnerat.net>
Also move static function safecmp() as non-static Curl_safecmp() since
its purpose is needed at several places.
Bug: https://curl.se/docs/CVE-2022-22576.html
CVE-2022-22576
Closes#8746
Also move timediff_t definitions from timeval.h to timediff.h and
then make timeval.h include the new standalone-capable timediff.h.
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Supersedes #5888Closes#8595
Ensure that all infof calls with a warning message are capitalized
in the same way. At some point we should probably set up a style-
guide for infof but until then let's aim for a little consistenncy
where we can.
Closes: #8711
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Also rephrase to make it sound less dangerous:
"ALPN: server did not agree on a protocol. Uses default."
Reported-by: Nick Coghlan
Fixes#8643Closes#8651
Prior to this change if, at build time, the GnuTLS backend was found to
have TLS-SRP support (HAVE_GNUTLS_SRP) but TLS-SRP was disabled in curl
via --disable-tls-srp (!USE_TLS_SRP) then a build error would occur.
Bug: https://curl.se/mail/lib-2022-03/0046.html
Reported-by: Robert Brose
Closes https://github.com/curl/curl/pull/8604
The CURLOPT_SSL_EC_CURVES option (used by the '--curves' flag) in
libcurl was ignored when compiling with BoringSSL because
HAVE_SSL_CTX_SET_EC_CURVES was explicitly disabled if BoringSSL was
detected. However, this feature is supported in BoringSSL since
5fd1807d. This commit enables it, and also reduces the required minimal
OpenSSL version to 1.0.2 as per OpenSSL's official documentation.
Fixes#8553Closes#8556
Ideally, Curl_ssl_getsessionid should not be called unless sessionid
caching is enabled. There is a debug assertion in the function to help
ensure that. Therefore, the pattern in all vtls is basically:
if(primary.sessionid) {lock(); Curl_ssl_getsessionid(...); unlock();}
There was one instance in openssl.c where sessionid was not checked
beforehand and this change fixes that.
Prior to this change an assertion would occur in openssl debug builds
during connection stage if session caching was disabled.
Reported-by: Jim Beveridge
Fixes https://github.com/curl/curl/issues/8472
Closes https://github.com/curl/curl/pull/8484
- Change TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA strength to weak.
All other 3DES ciphers are already marked as weak.
Closes https://github.com/curl/curl/pull/8479
- Do not create trust anchor object for a CA certificate until after it
is processed.
Prior to this change the object was created at state BR_PEM_BEGIN_OBJ
(certificate processing begin state). An incomplete certificate (for
example missing a newline at the end) never reaches BR_PEM_END_OBJ
(certificate processing end state) and therefore the trust anchor data
was not set in those objects, which caused EXC_BAD_ACCESS.
Ref: https://github.com/curl/curl/pull/8106
Closes https://github.com/curl/curl/pull/8476
- When peer verification is disabled use the x509_decode engine instead
of the x509_minimal engine to parse and extract the public key from
the first cert of the chain.
Prior to this change in such a case no key was extracted and that caused
CURLE_SSL_CONNECT_ERROR. The x509_minimal engine will stop parsing if
any validity check fails but the x509_decode won't.
Ref: https://github.com/curl/curl/pull/8106
Closes https://github.com/curl/curl/pull/8475
This array is only used by the SCHANNEL_CRED struct in the
schannel_acquire_credential_handle function. It can therefore be kept as
a local variable. This is a minor update to
bbb71507b7.
This change also updates the NUM_CIPHERS value to accurately count the
number of ciphers options listed in schannel.c, which is 47 instead of
45. It is unlikely that anyone tries to set all 47 values, but if they
had tried, the last two would not have been set.
Closes#8469
As mentioned in 32766cb, gskit was the last user of Curl_select which is
now gone. Convert to using Curl_poll to allow build to work on IBM i.
Closes#8454
In c30bf22, Curl_ssl_getsock was factored out in to a member of
struct Curl_ssl but the gskit initialization was not updated to reflect
this new member.
Closes#8454
2f0bb864c1 replaced sterror with Curl_strerror, but the strerror buffer
shadows the set_buffer "buffer" parameter. To keep consistency with the
other functions that use Curl_strerror, rename the parameter.
In addition, strerror.h is needed for the definition of STRERROR_LEN.
Closes#8454
Returning zero indicates end of connection, so if there's no data read
but the connection is alive, it needs to return -1 with CURLE_AGAIN.
Closes#8431
The callback gets called because of the call to PR_Recv() done to
attempt to avoid RST on the TCP connection. The conn->bundle pointer is
already cleared at this point so avoid dereferencing it.
Reported-by: Eric Musser
Fixes#8341Closes#8342
mbedtls/certs.h file contains only certificates example (all definitions
is beginning by mbedtls_test_*). None of them is used so we can avoid
include the file.
Closes#8343
