1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 09:08:49 -05:00
Commit Graph

10816 Commits

Author SHA1 Message Date
Santino Keupp
272282a054 libssh2: add support for forcing a hostkey type
- Allow forcing the host's key type found in the known_hosts file.

Currently, curl (with libssh2) does not take keys from your known_hosts
file into account when talking to a server. With this patch the
known_hosts file will be searched for an entry matching the hostname
and, if found, libssh2 will be told to claim this key type from the
server.

Closes https://github.com/curl/curl/pull/4747
2020-01-11 19:17:33 -05:00
Faizur Rahman
29e40a6d8a schannel: Make CURLOPT_CAINFO work better on Windows 7
- Support hostname verification via alternative names (SAN) in the
  peer certificate when CURLOPT_CAINFO is used in Windows 7 and earlier.

CERT_NAME_SEARCH_ALL_NAMES_FLAG doesn't exist before Windows 8. As a
result CertGetNameString doesn't quite work on those versions of
Windows. This change provides an alternative solution for
CertGetNameString by iterating through CERT_ALT_NAME_INFO for earlier
versions of Windows.

Prior to this change many certificates failed the hostname validation
when CURLOPT_CAINFO was used in Windows 7 and earlier. Most certificates
now represent multiple hostnames and rely on the alternative names field
exclusively to represent their hostnames.

Reported-by: Jeroen Ooms

Fixes https://github.com/curl/curl/issues/3711
Closes https://github.com/curl/curl/pull/4761
2020-01-11 18:23:46 -05:00
Emil Engler
cbb5429001 ngtcp2: Add an error code for QUIC connection errors
- Add new error code CURLE_QUIC_CONNECT_ERROR for QUIC connection
  errors.

Prior to this change CURLE_FAILED_INIT was used, but that was not
correct.

Closes https://github.com/curl/curl/pull/4754
2020-01-11 18:19:32 -05:00
Jay Satiro
b700662b1c multi: Change curl_multi_wait/poll to error on negative timeout
- Add new error CURLM_BAD_FUNCTION_ARGUMENT and return that error when
  curl_multi_wait/poll is passed timeout param < 0.

Prior to this change passing a negative value to curl_multi_wait/poll
such as -1 could cause the function to wait forever.

Reported-by: hamstergene@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/4763

Closes https://github.com/curl/curl/pull/4765
2020-01-11 18:16:28 -05:00
Marc Aldorasi
ea6d6205d9 cmake: Enable SMB for Windows builds
- Define USE_WIN32_CRYPTO by default. This enables SMB.

- Show whether SMB is enabled in the "Enabled features" output.

- Fix mingw compiler warning for call to CryptHashData by casting away
  const param. mingw CryptHashData prototype is wrong.

Closes https://github.com/curl/curl/pull/4717
2020-01-11 18:10:47 -05:00
Jay Satiro
c9c551f1f9 vtls: Refactor Curl_multissl_version to make the code clearer
Reported-by: Johannes Schindelin

Ref: https://github.com/curl/curl/pull/3863#pullrequestreview-241395121

Closes https://github.com/curl/curl/pull/4803
2020-01-11 17:50:33 -05:00
Daniel Stenberg
8bd14c871f
fix: Copyright year out of date, should be 2020
Follow-up to 875314ed0b
2020-01-10 22:39:04 +01:00
Marcel Raad
875314ed0b
hostip: move code to resolve IP address literals to Curl_resolv
The code was duplicated in the various resolver backends.

Also, it was called after the call to `Curl_ipvalid`, which matters in
case of `CURLRES_IPV4` when called from `connect.c:bindlocal`. This
caused test 1048 to fail on classic MinGW.

The code ignores `conn->ip_version` as done previously in the
individual resolver backends.

Move the call to the `resolver_start` callback up to appease test 655,
which wants it to be called also for literal addresses.

Closes https://github.com/curl/curl/pull/4798
2020-01-10 17:57:16 +01:00
Daniel Stenberg
9275c2be8c
multi.h: move INITIAL_MAX_CONCURRENT_STREAMS from public header
... to the private multihhandle.h. It is not for public use and it
wasn't prefixed correctly anyway!

Closes #4790
2020-01-06 19:53:38 +01:00
Daniel Stenberg
50e35ccfbb
file: fix copyright year range
Follow-up to 1b71bc532b
2020-01-06 10:12:02 +01:00
Daniel Stenberg
1b71bc532b
file: on Windows, refuse paths that start with \\
... as that might cause an unexpected SMB connection to a given host
name.

Reported-by: Fernando Muñoz
CVE-2019-15601
Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
2020-01-06 10:05:37 +01:00
Marcel Raad
291ed52122
lib: fix compiler warnings with CURL_DISABLE_VERBOSE_STRINGS
Closes https://github.com/curl/curl/pull/4775
2020-01-03 17:02:30 +01:00
Michael Forney
9024b01387 bearssl: Improve I/O handling
Factor out common I/O loop as bearssl_run_until, which reads/writes TLS
records until the desired engine state is reached. This is now used for
the handshake, read, write, and close.

Match OpenSSL SSL_write behavior, and don't return the number of bytes
written until the corresponding records have been completely flushed
across the socket. This involves keeping track of the length of data
buffered into the TLS engine, and assumes that when CURLE_AGAIN is
returned, the write function will be called again with the same data
and length arguments. This is the same requirement of SSL_write.

Handle TLS close notify as EOF when reading by returning 0.

Closes https://github.com/curl/curl/pull/4748
2019-12-31 02:43:47 -05:00
Xiang Xiao
060fb84a5a lib: remove erroneous +x file permission on some c files
Modified by commit eb9a604 accidentally.

Closes https://github.com/curl/curl/pull/4756
2019-12-27 22:55:52 -05:00
Xiang Xiao
4b463992e5 lib: fix warnings found when porting to NuttX
- Undefine DEBUGASSERT in curl_setup_once.h in case it was already
  defined as a system macro.

- Don't compile write32_le in curl_endian unless
  CURL_SIZEOF_CURL_OFF_T > 4, since it's only used by Curl_write64_le.

- Include <arpa/inet.h> in socketpair.c.

Closes https://github.com/curl/curl/pull/4756
2019-12-27 22:52:31 -05:00
Jay Satiro
10121a417d ngtcp2: Support the latest update key callback type
- Remove our cb_update_key in favor of ngtcp2's new
  ngtcp2_crypto_update_key_cb which does the same thing.

Several days ago the ngtcp2_update_key callback function prototype was
changed in ngtcp2/ngtcp2@42ce09c. Though it would be possible to
fix up our cb_update_key for that change they also added
ngtcp2_crypto_update_key_cb which does the same thing so we'll use that
instead.

Ref: https://github.com/ngtcp2/ngtcp2/commit/42ce09c

Closes https://github.com/curl/curl/pull/4735
2019-12-20 00:34:58 -05:00
Daniel Stenberg
8c0807aa16
create_conn: prefer multiplexing to using new connections
... as it would previously prefer new connections rather than
multiplexing in most conditions! The (now removed) code was a leftover
from the Pipelining code that was translated wrongly into a
multiplex-only world.

Reported-by: Kunal Ekawde
Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html
Closes #4732
2019-12-19 09:00:56 +01:00
Gisle Vanem
ac7b1fb10c strerror: Fix compiler warning "empty expression"
- Remove the final semi-colon in the SEC2TXT() macro definition.

Before:  #define SEC2TXT(sec) case sec: txt = #sec; break;

After:   #define SEC2TXT(sec) case sec: txt = #sec; break

Prior to this change SEC2TXT(foo); would generate break;; which caused
the empty expression warning.

Ref: https://github.com/curl/curl/commit/5b22e1a#r36458547
2019-12-18 14:10:23 -05:00
Daniel Stenberg
0caf1423e5
define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore
It is covered by USE_OPENSSL_ENGINE now.

Reported-by: Gisle Vanem
Bug: 87b9337c8f (commitcomment-36447951)

Closes #4725
2019-12-17 07:58:46 +01:00
Daniel Stenberg
bdb5b6dd5b
lib: remove ASSIGNWITHINCONDITION exceptions, use our code style
... even for macros

Reviewed-by: Daniel Gustafsson
Reviewed-by: Jay Satiro
Reported-by: Jay Satiro
Fixes #4683
Closes #4722
2019-12-17 07:36:11 +01:00
Daniel Stenberg
31e637d224
Revert "checksrc: fix regexp for ASSIGNWITHINCONDITION"
This reverts commit ba82673dac.

Bug: #4683
2019-12-16 22:46:35 +01:00
Santino Keupp
1d2d3feb21
libssh2: add support for ECDSA and ed25519 knownhost keys
... if a new enough libssh2 version is present.

Source: https://curl.haxx.se/mail/archive-2019-12/0023.html
Co-Authored-by: Daniel Stenberg
Closes #4714
2019-12-15 23:03:39 +01:00
Daniel Stenberg
29ca9fc596
multi: free sockhash on OOM
This would otherwise leak memory in the error path.

Detected by torture test 1540.

Closes #4713
2019-12-13 22:46:46 +01:00
Marcel Raad
4457e08a7a
hostip: suppress compiler warning
With `--disable-doh --disable-threaded-resolver`, the `dns` parameter
is not used.

Closes https://github.com/curl/curl/pull/4692
2019-12-13 20:55:51 +01:00
Daniel Stenberg
68ffe6c17d
ntlm_wb: fix double-free in OOM
Detected by torture testing test 1310

Closes #4710
2019-12-13 13:01:01 +01:00
Daniel Stenberg
5dc56eb95d
altsvc: make the save function ignore NULL filenames
It might happen in OOM situations. Detected bv torture tests.

Closes #4707
2019-12-12 14:10:09 +01:00
Daniel Stenberg
4940bb8568
doh: make it behave when built without proxy support
Reported-by: Marcel Raad
Bug: https://github.com/curl/curl/pull/4692#issuecomment-564115734

Closes #4704
2019-12-12 09:26:08 +01:00
Daniel Stenberg
1d5c427d7f
conncache: CONNECT_ONLY connections assumed always in-use
This makes them never to be considered "the oldest" to be discarded when
reaching the connection cache limit. The reasoning here is that
CONNECT_ONLY is primarily used in combination with using the
connection's socket post connect and since that is used outside of
curl's knowledge we must assume that it is in use until explicitly
closed.

Reported-by: Pavel Pavlov
Reported-by: Pavel Löbl
Fixes #4426
Fixes #4369
Closes #4696
2019-12-11 09:25:56 +01:00
Gisle Vanem
2c0362ee04
vtls: make BearSSL possible to set with CURL_SSL_BACKEND
Ref: 9b879160df (commitcomment-36355622)

Closes #4698
2019-12-10 15:35:23 +01:00
Daniel Stenberg
c7bc689fc3
conn: always set bits.close with connclose()
Closes #4690
2019-12-09 17:17:42 +01:00
Daniel Stenberg
ee263de7a3
conncache: fix multi-thread use of shared connection cache
It could accidentally let the connection get used by more than one
thread, leading to double-free and more.

Reported-by: Christopher Reid
Fixes #4544
Closes #4557
2019-12-09 15:30:09 +01:00
Jay Satiro
689443bf42 lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAIN
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS
and OS400 package spec.

Also I added the option to the NameValue list in the tool even though it
isn't exposed as a command-line option (...yet?). (NameValue stringizes
the option name for the curl cmd -> libcurl source generator)

Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN.

Ref: https://github.com/curl/curl/pull/4655
2019-12-05 19:17:31 -05:00
Jay Satiro
0edf75865a setopt: Fix ALPN / NPN user option when built without HTTP2
- Stop treating lack of HTTP2 as an unknown option error result for
  CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN.

Prior to this change it was impossible to disable ALPN / NPN if libcurl
was built without HTTP2. Setting either option would result in
CURLE_UNKNOWN_OPTION and the respective internal option would not be
set. That was incorrect since ALPN and NPN are used independent of
HTTP2.

Reported-by: Shailesh Kapse

Fixes https://github.com/curl/curl/issues/4668
Closes https://github.com/curl/curl/pull/4672
2019-12-05 18:38:40 -05:00
Marcel Raad
bf24e0f928
curl_setup: fix CURLRES_IPV6 condition
Move the definition of `CURLRES_IPV6` to before undefining
`HAVE_GETADDRINFO`. Regression from commit 67a08dca27 which caused
some tests to fail and others to be skipped with c-ares.

Fixes https://github.com/curl/curl/issues/4673
Closes https://github.com/curl/curl/pull/4677
2019-12-05 20:17:47 +01:00
Peter Wu
87b9337c8f CMake: add support for building with the NSS vtls backend
Options are cross-checked with configure.ac and acinclude.m4.
Tested on Arch Linux, untested on other platforms like Windows or macOS.

Closes #4663
Reviewed-by: Kamil Dudka
2019-12-04 21:34:02 +00:00
Daniel Stenberg
854343fc4e
hostip4.c: bump copyright year range 2019-12-03 23:13:25 +01:00
Marcel Raad
67a08dca27
curl_setup: disable IPv6 resolver without getaddrinfo
Also, use `CURLRES_IPV6` only for actual DNS resolution, not for IPv6
address support. This makes it possible to connect to IPv6 literals by
setting `ENABLE_IPV6` even without `getaddrinfo` support. It also fixes
the CMake build when using the synchronous resolver without
`getaddrinfo` support.

Closes https://github.com/curl/curl/pull/4662
2019-12-03 21:37:33 +01:00
Daniel Stenberg
564d88a8bd
openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
Closes #4655
2019-12-03 16:28:50 +01:00
Daniel Stenberg
94f1f77158
openssl: set X509_V_FLAG_PARTIAL_CHAIN
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.

Other TLS backends already accept partial chains.

Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
2019-12-03 16:28:50 +01:00
Daniel Stenberg
d9118e8d71
copyright: fix the year ranges for two files
Follow-up to 9c1806ae
2019-12-02 08:02:39 +01:00
Jay Satiro
9c1806ae46 build: Disable Visual Studio warning "conditional expression is constant"
- Disable warning C4127 "conditional expression is constant" globally
  in curl_setup.h for when building with Microsoft's compiler.

This mainly affects building with the Visual Studio project files found
in the projects dir.

Prior to this change the cmake and winbuild build systems already
disabled 4127 globally for when building with Microsoft's compiler.
Also, 4127 was already disabled for all build systems in the limited
circumstance of the WHILE_FALSE macro which disabled the warning
specifically for while(0). This commit removes the WHILE_FALSE macro and
all other cruft in favor of disabling globally in curl_setup.

Background:

We have various macros that cause 0 or 1 to be evaluated, which would
cause warning C4127 in Visual Studio. For example this causes it:

    #define Curl_resolver_asynch() 1

Full behavior is not clearly defined and inconsistent across versions.
However it is documented that since VS 2015 Update 3 Microsoft has
addressed this somewhat but not entirely, not warning on while(true) for
example.

Prior to this change some C4127 warnings occurred when I built with
Visual Studio using the generated projects in the projects dir.

Closes https://github.com/curl/curl/pull/4658
2019-12-01 19:01:02 -05:00
Jay Satiro
0436d4438a openssl: retrieve reported LibreSSL version at runtime
- Retrieve LibreSSL runtime version when supported (>= 2.7.1).

For earlier versions we continue to use the compile-time version.

Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3

Closes https://github.com/curl/curl/pull/2425
2019-12-01 18:56:24 -05:00
Jay Satiro
5b22e1a5a9 strerror: Add Curl_winapi_strerror for Win API specific errors
- In all code call Curl_winapi_strerror instead of Curl_strerror when
  the error code is known to be from Windows GetLastError.

Curl_strerror prefers CRT error codes (errno) over Windows API error
codes (GetLastError) when the two overlap. When we know the error code
is from GetLastError it is more accurate to prefer the Windows API error
messages.

Reported-by: Richard Alcock

Fixes https://github.com/curl/curl/issues/4550
Closes https://github.com/curl/curl/pull/4581
2019-12-01 18:12:36 -05:00
Daniel Stenberg
bc5d22c3de
global_init: undo the "intialized" bump in case of failure
... so that failures in the global init function don't count as a
working init and it can then be called again.

Reported-by: Paul Groke
Fixes #4636
Closes #4653
2019-12-02 00:04:56 +01:00
Daniel Stenberg
0044443a02
parsedate: offer a getdate_capped() alternative
... and use internally. This function will return TIME_T_MAX instead of
failure if the parsed data is found to be larger than what can be
represented. TIME_T_MAX being the largest value curl can represent.

Reviewed-by: Daniel Gustafsson
Reported-by: JanB on github
Fixes #4152
Closes #4651
2019-11-29 11:01:24 +01:00
Daniel Stenberg
cc4cf93e52
sha256: bump the copyright year range
Follow-up from 66e21520f
2019-11-28 22:28:06 +01:00
Daniel Gustafsson
66e21520f3 curl_setup_once: consistently use WHILE_FALSE in macros
The WHILE_FALSE construction is used to avoid compiler warnings in
macro constructions. This fixes a few instances where it was not
used in order to keep the code consistent.

Closes #4649
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-11-28 16:02:13 +01:00
Steve Holme
bb8cf05169
http_ntlm: Remove duplicate NSS initialisation
Given that this is performed by the NTLM code there is no need to
perform the initialisation in the HTTP layer. This also keeps the
initialisation the same as the SASL based protocols and also fixes a
possible compilation issue if both NSS and SSPI were to be used as
multiple SSL backends.

Reviewed-by: Kamil Dudka
Closes #3935
2019-11-28 14:41:55 +01:00
Daniel Gustafsson
ba82673dac checksrc: fix regexp for ASSIGNWITHINCONDITION
The regexp looking for assignments within conditions was too greedy
and matched a too long string in the case of multiple conditionals
on the same line. This is basically only a problem in single line
macros, and the code which exemplified this was essentially:

  do { if((x) != NULL) { x = NULL; } } while(0)

..where the final parenthesis of while(0) matched the regexp, and
the legal assignment in the block triggered the warning. Fix by
making the regexp less greedy by matching for the tell-tale signs
of the if statement ending.

Also remove the one occurrence where the warning was disabled due
to a construction like the above, where the warning didn't apply
when fixed.

Closes #4647
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-11-28 14:18:16 +01:00
Niall
8acfad38ca
doh: use dedicated probe slots
... to easier allow additional DNS transactions.

Closes #4629
2019-11-28 12:49:44 +01:00