1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 09:38:54 -05:00
Commit Graph

111 Commits

Author SHA1 Message Date
Daniel Stenberg
9a8b3b3e13
copyright: fix out-of-date copyright ranges and missing headers
Reported by the new script 'scripts/copyright.pl'. The script has a
regex whitelist for the files that don't need copyright headers.

Removed three (mostly usesless) README files from docs/

Closes #5141
2020-03-24 15:05:59 +01:00
Johannes Schindelin
5450428491 schannel: add "best effort" revocation check option
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and
  --ssl-revoke-best-effort to allow a "best effort" revocation check.

A best effort revocation check ignores errors that the revocation check
was unable to take place. The reasoning is described in detail below and
discussed further in the PR.

---

When running e.g. with Fiddler, the schannel backend fails with an
unhelpful error message:

	Unknown error (0x80092012) - The revocation function was unable
	to check revocation for the certificate.

Sadly, many enterprise users who are stuck behind MITM proxies suffer
the very same problem.

This has been discussed in plenty of issues:
https://github.com/curl/curl/issues/3727,
https://github.com/curl/curl/issues/264, for example.

In the latter, a Microsoft Edge developer even made the case that the
common behavior is to ignore issues when a certificate has no recorded
distribution point for revocation lists, or when the server is offline.
This is also known as "best effort" strategy and addresses the Fiddler
issue.

Unfortunately, this strategy was not chosen as the default for schannel
(and is therefore a backend-specific behavior: OpenSSL seems to happily
ignore the offline servers and missing distribution points).

To maintain backward-compatibility, we therefore add a new flag
(`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option
(`--ssl-revoke-best-effort`) to select the new behavior.

Due to the many related issues Git for Windows and GitHub Desktop, the
plan is to make this behavior the default in these software packages.

The test 2070 was added to verify this behavior, adapted from 310.

Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes https://github.com/curl/curl/pull/4981
2020-03-18 03:23:39 -04:00
Emil Engler
cbb5429001 ngtcp2: Add an error code for QUIC connection errors
- Add new error code CURLE_QUIC_CONNECT_ERROR for QUIC connection
  errors.

Prior to this change CURLE_FAILED_INIT was used, but that was not
correct.

Closes https://github.com/curl/curl/pull/4754
2020-01-11 18:19:32 -05:00
Jay Satiro
b700662b1c multi: Change curl_multi_wait/poll to error on negative timeout
- Add new error CURLM_BAD_FUNCTION_ARGUMENT and return that error when
  curl_multi_wait/poll is passed timeout param < 0.

Prior to this change passing a negative value to curl_multi_wait/poll
such as -1 could cause the function to wait forever.

Reported-by: hamstergene@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/4763

Closes https://github.com/curl/curl/pull/4765
2020-01-11 18:16:28 -05:00
Jay Satiro
779b415a2a os400: Add missing CURLE error constants
Bug: https://github.com/curl/curl/pull/4754#issuecomment-569126922
Reported-by: Emil Engler
2019-12-26 16:20:11 -05:00
Jay Satiro
689443bf42 lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAIN
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS
and OS400 package spec.

Also I added the option to the NameValue list in the tool even though it
isn't exposed as a command-line option (...yet?). (NameValue stringizes
the option name for the curl cmd -> libcurl source generator)

Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN.

Ref: https://github.com/curl/curl/pull/4655
2019-12-05 19:17:31 -05:00
Gergely Nagy
f3c35e371c
multi: add curl_multi_wakeup()
This commit adds curl_multi_wakeup() which was previously in the TODO
list under the curl_multi_unblock name.

On some platforms and with some configurations this feature might not be
available or can fail, in these cases a new error code
(CURLM_WAKEUP_FAILURE) is returned from curl_multi_wakeup().

Fixes #4418
Closes #4608
2019-11-25 15:45:56 +01:00
Kunal Ekawde
c124e6b3c0
CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt
Closes #4410
2019-10-02 07:47:48 +02:00
Daniel Stenberg
084404b8ab
CURLOPT_H3: removed
There's no use for this anymore and it was never in a release.

Closes #4206
2019-08-09 12:26:02 +02:00
Steve Holme
7c469fa537 sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixes #3653
Closes #3790

NOTE: This commit was cherry-picked and is part of a series of commits
that added the authzid feature for upcoming 7.66.0. The series was
temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
patch release.

Closes https://github.com/curl/curl/pull/4186
2019-08-06 11:38:20 -04:00
Jay Satiro
9a24f97711 OS400: Add CURLOPT_H3 symbols
Follow-up to 3af0e76 which added experimental H3 support.

Closes https://github.com/curl/curl/pull/4185
2019-08-04 11:04:51 -04:00
Jay Satiro
db8ec1fa38
Revert all SASL authzid (new feature) commits
- Revert all commits related to the SASL authzid feature since the next
  release will be a patch release, 7.65.1.

Prior to this change CURLOPT_SASL_AUTHZID  / --sasl-authzid was destined
for the next release, assuming it would be a feature release 7.66.0.
However instead the next release will be a patch release, 7.65.1 and
will not contain any new features.

After the patch release after the reverted commits can be restored by
using cherry-pick:

git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690

Details for all reverted commits:

Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."

This reverts commit 0edf6907ae.

Revert "tests: Fix the line endings for the SASL alt-auth tests"

This reverts commit c2a8d52a13.

Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"

This reverts commit 8c1cc369d0.

Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"

This reverts commit a9499ff136.

Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"

This reverts commit a14d72ca2f.
2019-05-25 23:36:11 +02:00
Steve Holme
a14d72ca2f
sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixed #3653
Closes #3790
2019-05-22 22:55:05 +01:00
Patrick Monnerat
b898b4c06c os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings 2019-04-30 14:29:16 +02:00
Patrick Monnerat
520f0b47ad os400: alt-svc support.
Although experimental, enable it in the platform config file.
Upgrade ILE/RPG binding.
2019-03-17 18:54:36 +01:00
Patrick Monnerat
9be7ced65f os400: upgrade ILE/RPG binding.
- Trailer function support.
- http 0.9 option.
- curl_easy_upkeep.
2018-12-26 15:17:54 +01:00
Han Han
78ff4e0de3
ssl: replace all internal uses of CURLE_SSL_CACERT
Closes #3291
2018-11-20 14:57:00 +01:00
Patrick Monnerat
c19ed66a8d os400: add CURLOPT_CURLU to ILE/RPG binding. 2018-11-19 15:23:00 +01:00
Patrick Monnerat
ee90ca02e0 os400: Add curl_easy_conn_upkeep() to ILE/RPG binding. 2018-11-19 15:22:00 +01:00
Patrick Monnerat
50397e1fd8 os400: fix return type of curl_easy_pause() in ILE/RPG binding. 2018-11-19 15:19:36 +01:00
Patrick Monnerat
a77b640cc0 OS400: add URL API ccsid wrappers and sync ILE/RPG bindings 2018-11-05 15:37:23 +01:00
Daniel Gustafsson
1460e89e01 vtls: add MesaLink to curl_sslbackend enum
MesaLink support was added in commit 57348eb97d but the
backend was never added to the curl_sslbackend enum in curl/curl.h.
This adds the new backend to the enum and updates the relevant docs.

Closes #3195
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-30 16:56:51 +01:00
Patrick Monnerat
6d8c628912 os400: add new option in ILE/RPG binding
Follow-up to commit 946ce5b
2018-05-31 19:08:03 +02:00
Patrick Monnerat
e40ab75e9b os400: sync EBCDIC wrappers and ILE/RPG binding with latest options 2018-05-30 01:45:40 +02:00
Patrick Monnerat
c2dc7d9c6c os400: implement mime api EBCDIC wrappers
Also sync ILE/RPG binding to define the new functions.
2018-05-30 00:38:37 +02:00
Patrick Monnerat
8541d02c96 psl: use latest psl and refresh it periodically
The latest psl is cached in the multi or share handle. It is refreshed
before use after 72 hours.
New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing.
If the latest psl is not available, the builtin psl is used.

Reported-by: Yaakov Selkowitz
Fixes #2553
Closes #2601
2018-05-28 20:37:14 +02:00
Patrick Monnerat
f982e49f0c ILE/RPG binding: Add CURLOPT_HAPROXYPROTOCOL/Fix CURLOPT_DNS_SHUFFLE_ADDRESSES 2018-03-18 01:47:05 +01:00
Rick Deist
d95f3dc0b1
resolve: add CURLOPT_DNS_SHUFFLE_ADDRESSES
This patch adds CURLOPT_DNS_SHUFFLE_ADDRESSES to explicitly request
shuffling of IP addresses returned for a hostname when there is more
than one. This is useful when the application knows that a round robin
approach is appropriate and is willing to accept the consequences of
potentially discarding some preference order returned by the system's
implementation.

Closes #1694
2018-03-17 20:44:14 +01:00
Patrick Monnerat
a91a235d4c os400: add curl_resolver_start_callback type to ILE/RPG binding 2018-02-22 12:59:02 +01:00
Francisco Sedano
23713645d4 url: Add option CURLOPT_RESOLVER_START_FUNCTION
- Add new option CURLOPT_RESOLVER_START_FUNCTION to set a callback that
  will be called every time before a new resolve request is started
  (ie before a host is resolved) with a pointer to backend-specific
  resolver data. Currently this is only useful for ares.

- Add new option CURLOPT_RESOLVER_START_DATA to set a user pointer to
  pass to the resolver start callback.

Closes https://github.com/curl/curl/pull/2311
2018-02-21 21:29:10 -05:00
Jay Satiro
dd027c80fe lib: CURLOPT_HAPPY_EYEBALLS_TIMEOUT => CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS
- In keeping with the naming of our other connect timeout options rename
  CURLOPT_HAPPY_EYEBALLS_TIMEOUT to CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.

This change adds the _MS suffix since the option expects milliseconds.
This is more intuitive for our users since other connect timeout options
that expect milliseconds use _MS such as CURLOPT_TIMEOUT_MS,
CURLOPT_CONNECTTIMEOUT_MS, CURLOPT_ACCEPTTIMEOUT_MS.

The tool option already uses an -ms suffix, --happy-eyeballs-timeout-ms.

Follow-up to 2427d94 which added the lib and tool option yesterday.

Ref: https://github.com/curl/curl/pull/2260
2018-02-21 15:16:50 -05:00
Anders Bakken
2427d94c6d url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT
- Add new option CURLOPT_HAPPY_EYEBALLS_TIMEOUT to set libcurl's happy
  eyeball timeout value.

- Add new optval macro CURL_HET_DEFAULT to represent the default happy
  eyeballs timeout value (currently 200 ms).

- Add new tool option --happy-eyeballs-timeout-ms to expose
  CURLOPT_HAPPY_EYEBALLS_TIMEOUT. The -ms suffix is used because the
  other -timeout options in the tool expect seconds not milliseconds.

Closes https://github.com/curl/curl/pull/2260
2018-02-20 17:51:43 -05:00
Patrick Monnerat
3b548ffde9 setopt: reintroduce non-static Curl_vsetopt() for OS400 support
This also upgrades ILE/RPG bindings with latest setopt options.

Reported-By: jonrumsey on github
Fixes #2230
Closes #2233
2018-01-13 01:28:19 +01:00
Johannes Schindelin
9d96a5f0b5
version: add the CURL_VERSION_MULTI_SSL feature flag
This new feature flag reports When cURL was built with multiple SSL
backends.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2017-08-28 22:56:49 +02:00
Viktor Szakats
b7b4dc0d49 ssh: add the ability to enable compression (for SCP/SFTP)
The required low-level logic was already available as part of
`libssh2` (via `LIBSSH2_FLAG_COMPRESS` `libssh2_session_flag()`[1]
option.)

This patch adds the new `libcurl` option `CURLOPT_SSH_COMPRESSION`
(boolean) and the new `curl` command-line option `--compressed-ssh`
to request this `libssh2` feature. To have compression enabled, it
is required that the SSH server supports a (zlib) compatible
compression method and that `libssh2` was built with `zlib` support
enabled.

[1] https://www.libssh2.org/libssh2_session_flag.html

Ref: https://github.com/curl/curl/issues/1732
Closes https://github.com/curl/curl/pull/1735
2017-08-17 03:32:00 -04:00
Desmond O. Chang
d2bcf1e3e2 url: add option CURLOPT_SUPPRESS_CONNECT_HEADERS
- Add new option CURLOPT_SUPPRESS_CONNECT_HEADERS to allow suppressing
  proxy CONNECT response headers from the user callback functions
  CURLOPT_HEADERFUNCTION and CURLOPT_WRITEFUNCTION.

- Add new tool option --suppress-connect-headers to expose
  CURLOPT_SUPPRESS_CONNECT_HEADERS and allow suppressing proxy CONNECT
  response headers from --dump-header and --include.

Assisted-by: Jay Satiro
Assisted-by: CarloCannas@users.noreply.github.com
Closes https://github.com/curl/curl/pull/783
2017-03-12 01:32:33 -05:00
Jozef Kralik
6448f98c18 vtls: add options to specify range of enabled TLS versions
This commit introduces the CURL_SSLVERSION_MAX_* constants as well as
the --tls-max option of the curl tool.

Closes https://github.com/curl/curl/pull/1166
2017-03-08 15:54:07 +01:00
Jay Satiro
a49d2d0e25 OS400: Fix symbols
- s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
  Follow-up to 7907a2b and 845522c.

- Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.

- Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.

Bug: https://github.com/curl/curl/issues/1237
Reported-by: jonrumsey@users.noreply.github.com
2017-02-01 18:28:29 -05:00
Patrick Monnerat
d2c5503e0c os400: support CURLOPT_PROXY_PINNEDPUBLICKEY
Also define it in ILE/RPG binding.
2016-11-26 18:52:30 +01:00
Patrick Monnerat
93c04cb14a os400: sync ILE/RPG binding 2016-11-25 03:25:21 +01:00
Alex Rousskov
cb4e2be7c6 proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE        CA certificate to verify peer against
  --proxy-capath DIR         CA directory to verify peer against
  --proxy-cert CERT[:PASSWD] Client certificate file and password
  --proxy-cert-type TYPE     Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST       SSL ciphers to use
  --proxy-crlfile FILE       Get a CRL list in PEM format from the file
  --proxy-insecure           Allow connections to proxies with bad certs
  --proxy-key KEY            Private key file name
  --proxy-key-type TYPE      Private key file type (DER/PEM/ENG)
  --proxy-pass PASS          Pass phrase for the private key
  --proxy-ssl-allow-beast    Allow security flaw to improve interop
  --proxy-sslv2              Use SSLv2
  --proxy-sslv3              Use SSLv3
  --proxy-tlsv1              Use TLSv1
  --proxy-tlsuser USER       TLS username
  --proxy-tlspassword STRING TLS password
  --proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.
2016-11-24 23:41:44 +01:00
Kamil Dudka
6ad3add606 vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
Fully implemented with the NSS backend only for now.

Reviewed-by: Ray Satiro
2016-11-07 11:52:07 +01:00
Michael Kaufmann
e9e5366193 New libcurl option to keep sending on error
Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether
sending the request body shall be completed when the server responds
early with an error status code.

This is suitable for manual NTLM authentication.

Reviewed-by: Jay Satiro

Closes https://github.com/curl/curl/pull/904
2016-09-22 22:22:31 +02:00
Jay Satiro
af2d679e14 errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
more of a generic "failed to parse" introduce an alias without FTP in
the name.

Closes https://github.com/curl/curl/pull/975
2016-09-07 21:24:27 -04:00
Patrick Monnerat
13d633d274 os400: add new definitions to ILE/RPG binding. 2016-06-16 19:05:42 +02:00
Patrick Monnerat
7639a9cfc9 os400: upgrade ILE/RPG binding 2016-04-22 18:07:11 +02:00
Tatsuhiro Tsujikawa
92c2a4c053 http2: Add handling stream level error
Previously, when a stream was closed with other than NGHTTP2_NO_ERROR
by RST_STREAM, underlying TCP connection was dropped.  This is
undesirable since there may be other streams multiplexed and they are
very much fine.  This change introduce new error code
CURLE_HTTP2_STREAM, which indicates stream error that only affects the
relevant stream, and connection should be kept open.  The existing
CURLE_HTTP2 means connection error in general.

Ref: https://github.com/curl/curl/issues/659
Ref: https://github.com/curl/curl/pull/663
2016-04-11 21:43:24 -04:00
Patrick Monnerat
cac8c3206f os400: Fix ILE/RPG definition of CURLOPT_TFTP_NO_OPTIONS 2016-02-24 13:19:10 +01:00
Jay Satiro
332414a30e getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
The two options are almost the same, except in the case of OpenSSL:

CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.

CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.

For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
return an SSL pointer for OpenSSL.

Also, add support for the 'internals' member to point to SSL object for
the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
wolfSSL.

Bug: https://github.com/curl/curl/issues/234
Reported-by: dkjjr89@users.noreply.github.com

Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
Reported-by: Michael König
2016-02-23 19:03:03 -05:00
Michael Koenig
9dc3eaee29 TFTP: add option to suppress TFTP option requests (Part 1)
Some TFTP server implementations ignore the "TFTP Option extension"
(RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
problems with libcurl. Another switch for curl_easy_setopt
"CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
sending TFTP option requests to a server, avoiding many problems caused
by faulty implementations.

Bug: https://github.com/curl/curl/issues/481
2016-02-23 03:00:58 -05:00