1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-13 21:15:08 -05:00
Commit Graph

25917 Commits

Author SHA1 Message Date
Peter Wu
7be7c56be9 wolfssl: add SSLKEYLOGFILE support
Tested following the same curl and tshark commands as in commit
"vtls: Extract and simplify key log file handling from OpenSSL" using
WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with
`./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`.

Full support for this feature requires certain wolfSSL build options,
see "Availability note" in lib/vtls/wolfssl.c for details.

Closes #5327
2020-05-27 21:19:51 +02:00
Peter Wu
6011a986ca vtls: Extract and simplify key log file handling from OpenSSL
Create a set of routines for TLS key log file handling to enable reuse
with other TLS backends. Simplify the OpenSSL backend as follows:

 - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
 - Do not perform dynamic memory allocation when preparing a log entry.
   Unless the TLS specifications change we can suffice with a reasonable
   fixed-size buffer.
 - Simplify state tracking when SSL_CTX_set_keylog_callback is
   unavailable. My original sslkeylog.c code included this tracking in
   order to handle multiple calls to SSL_connect and detect new keys
   after renegotiation (via SSL_read/SSL_write). For curl however we can
   be sure that a single master secret eventually becomes available
   after SSL_connect, so a simple flag is sufficient. An alternative to
   the flag is examining SSL_state(), but this seems more complex and is
   not pursued. Capturing keys after server renegotiation was already
   unsupported in curl and remains unsupported.

Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
(`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
against an OpenSSL 1.1.1f server configured with:

    # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
    openssl s_server -www -tls1
    # Likewise, but fail the server handshake.
    openssl s_server -www -tls1 -Verify 2
    # TLS 1.3 test. No need to test the failing server handshake.
    openssl s_server -www -tls1_3

Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
written using Wireshark. For the first and third case, expect four
matches per connection (decrypted Server Finished, Client Finished, HTTP
Request, HTTP Response). For the second case where the handshake fails,
expect a decrypted Server Finished only.

    tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
        -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
        -dtls.port==4433,http -ohttp.desegment_body:FALSE \
        -Y 'tls.handshake.verify_data or http'

A single connection can easily be identified via the `tcp.stream` field.
2020-05-27 21:19:51 +02:00
Daniel Stenberg
d528d97563
FILEFORMAT: add more features that tests can depend on 2020-05-27 14:33:49 +02:00
Michael Kaufmann
3d44bfb08d
transfer: close connection after excess data has been read
For HTTP 1.x, it's a protocol error when the server sends more bytes
than announced. If this happens, don't reuse the connection, because the
start position of the next response is undefined.

Closes #5440
2020-05-27 08:16:35 +02:00
Estanislau Augé-Pujadas
18e63b1679
Revert "ssh: ignore timeouts during disconnect"
This reverts commit f31760e63b. Shipped in
curl 7.54.1.

Bug: https://curl.haxx.se/mail/lib-2020-05/0068.html
Closes #5465
2020-05-27 08:13:13 +02:00
Daniel Stenberg
7414fb25a2
urldata: connect related booleans live in struct ConnectBits
And remove a few unused booleans!

Closes #5461
2020-05-27 08:02:47 +02:00
Daniel Stenberg
67d2802dea
hostip: on macOS avoid DoH when given a numerical IP address
When USE_RESOLVE_ON_IPS is set (defined on macOS), it means that
numerical IP addresses still need to get "resolved" - but not with DoH.

Reported-by: Viktor Szakats
Fixes #5454
Closes #5459
2020-05-26 17:37:39 +02:00
Daniel Stenberg
96a822f6e2
ngtcp2: cleanup memory when failing to connect
Reported-by: Peter Wu
Fixes #5447 (the ngtcp2 side of it)
Closes #5451
2020-05-26 10:16:32 +02:00
Daniel Stenberg
3ff207f7e3
quiche: clean up memory properly when failing to connect
Addresses the quiche side of #5447
Reported-by: Peter Wu
Closes #5450
2020-05-26 10:15:18 +02:00
Daniel Stenberg
d23cc224e6
cleanup: use a single space after equals sign in assignments 2020-05-26 08:28:38 +02:00
Daniel Stenberg
ad829b21ae
url: accept "any length" credentials for proxy auth
They're only limited to the maximum string input restrictions, not to
256 bytes.

Added test 1178 to verify

Reported-by: Will Roberts
Fixes #5448
Closes #5449
2020-05-25 23:08:57 +02:00
Maksim Stsepanenka
96f52abf80
test1167: fixes in badsymbols.pl
Closes #5442
2020-05-25 23:07:46 +02:00
Daniel Stenberg
d844f2b9ff
altsvc: fix parser for lines ending with CRLF
Fixed the alt-svc parser to treat a newline as end of line.

The unit tests in test 1654 were done without CRLF and thus didn't quite
match the real world. Now they use CRLF as well.

Reported-by: Peter Wu
Assisted-by: Peter Wu
Assisted-by: Jay Satiro
Fixes #5445
Closes #5446
2020-05-25 23:05:27 +02:00
Viktor Szakats
308c243db5
all: fix codespell errors
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
2020-05-25 19:44:04 +00:00
Peter Wu
54d122287c ngtcp2: fix build with current ngtcp2 master implementing draft 28
Based on client.cc changes from ngtcp2. Tested with current git master,
ngtcp2 commit c77d5731ce92, nghttp3 commit 65ff479d4380.

Fixes #5444
Closes #5443
2020-05-25 17:34:00 +02:00
Daniel Stenberg
82a33efb33
RELEASE-NOTES: synced
moved the new setopts up to a "change"
2020-05-25 09:40:25 +02:00
Daniel Stenberg
b955250b78
RELEASE-NOTES: synced 2020-05-25 09:38:28 +02:00
Daniel Stenberg
d75e6ce85a
copyright: updated year ranges out of sync
... and whitelisted a few more files in the the copyright.pl script.
2020-05-24 00:02:33 +02:00
Gilles Vollant
7f40633422
setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
Closes #5431
2020-05-23 23:19:13 +02:00
Daniel Stenberg
006d2991bd
curl: remove -J "informational" written on stdout
curl would previously show "curl: Saved to filename 'name from header'"
if -J was used and a name was picked from the Content-Disposition
header. That output could interfer with other stdout output, such as -w.

This commit removes that output line.
Bug: https://curl.haxx.se/mail/archive-2020-05/0044.html
Reported-by: Коваленко Анатолий Викторович
Closes #5435
2020-05-23 23:12:53 +02:00
Peter Wu
421171a8d4 travis: simplify quiche build instructions wrt boringssl
quiche builds boringssl as static library, reuse that instead of
building another shared library.

Closes #5438
2020-05-22 21:10:07 +02:00
Peter Wu
06e266e0a5 configure: fix pthread check with static boringssl
A shared boringssl/OpenSSL library requires -lcrypto only for linking.
A static build additionally requires `-ldl -lpthread`. In the latter
case `-lpthread` is added to LIBS which prevented `-pthread` from being
added to CFLAGS. Clear LIBS to fix linking failures for libtest tests.
2020-05-22 21:10:07 +02:00
Daniel Stenberg
f6c6a159f5
Revert "sendf: make failf() use the mvsnprintf() return code"
This reverts commit 74623551f3.

Instead mark the function call with (void). Getting the return code and
using it instead triggered Coverity warning CID 1463596 because
snprintf() can return a negative value...

Closes #5441
2020-05-22 12:34:51 +02:00
Daniel Stenberg
5d965b4898
typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
Reported-by: Billyzou0741326 on github
Fixes #5432
Closes #5436
2020-05-21 00:05:42 +02:00
Daniel Stenberg
bb79320af7
tests/server/util.h: add extern to silence compiler warning
Follow-up from a3b0699d5c
2020-05-20 15:37:09 +02:00
Daniel Stenberg
c9fddf64c6
typecheck-gcc.h: fix the OFF_T check
The option number also needs to be less than CURLOPTTYPE_BLOB.

Follow-up to cac5374298
Reported-by: Jeroen Ooms
Bug: https://github.com/curl/curl/pull/5365#issuecomment-631084114
2020-05-20 10:08:54 +02:00
Daniel Stenberg
6c889a0dd1
TODO: --dry-run
Closes #5426
2020-05-19 09:46:50 +02:00
Daniel Stenberg
39177b8ef9
TODO: Ratelimit or wait between serial requests
Closes #5406
2020-05-19 09:42:11 +02:00
Daniel Stenberg
33d60d09f3
tool_paramhlp: fixup C89 mistake
Follow-up to c5f0a9db22.
2020-05-19 08:58:33 +02:00
Siva Sivaraman
c5f0a9db22
tool_paramhlp: fixed potentially uninitialized strtol() variable
Seems highly unlikely to actually be possible, but better safe than
sorry.

Closes #5417
2020-05-19 08:55:27 +02:00
Siva Sivaraman
c4df1f75ad
tool_operate: fixed potentially uninitialized variables
... in curl_easy_getinfo() calls. They're harmless but clearing the
variables makes the code safer and comforts the reader.

Closes #5416
2020-05-19 08:53:41 +02:00
Daniel Stenberg
557dde201c
sha256: move assign to the declaration line
Follow-up to fae30656. Should've been squashed with that commit...
2020-05-19 08:52:38 +02:00
Siva Sivaraman
fae3065676
sha256: fixed potentially uninitialized variable
Closes #5414
2020-05-19 08:47:12 +02:00
Daniel Stenberg
74623551f3
sendf: make failf() use the mvsnprintf() return code
... and avoid a strlen() call. Fixes a MonocleAI warning.

Reported-by: MonocleAI
Fixes #5413
Closes #5420
2020-05-19 08:13:31 +02:00
Daniel Stenberg
67521b5ecf
hostip: make Curl_printable_address not return anything
It was not used much anyway and instead we let it store a blank buffer
in case of failure.

Reported-by: MonocleAI
Fixes #5411
Closes #5418
2020-05-19 08:11:46 +02:00
Daniel Stenberg
dbc5c17738
ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)
They're done on purpose, make that visible in the code.
Reported-by: MonocleAI
Fixes #5412
Closes #549
2020-05-19 08:06:41 +02:00
Daniel Stenberg
5646e563ae
TODO: forbid TLS post-handshake auth and do TLS record padding
Closes #5396
Closes #5398
2020-05-18 17:59:18 +02:00
Daniel Stenberg
17b1405b20
RELEASE-NOTES: synced 2020-05-18 11:38:02 +02:00
Daniel Stenberg
3df42ca949
dynbuf: return NULL when there's no buffer length
... as returning a "" is not a good idea as the string is supposed to be
allocated and returning a const string will cause issues.

Reported-by: Brian Carpenter
Follow-up to ed35d6590e
Closes #5405
2020-05-17 23:20:56 +02:00
Peter Wu
2c598cc778 travis: upgrade to bionic, clang-9, improve readability
Changes, partially to reduce build failures from external dependencies:
 - Upgrade Ubuntu and drop unnecessary third-party repos.
 - Properly clone apt config to ensure retries.
 - Upgrade to clang-9 from the standard repos.
 - Use Ubuntu 20.04 focal for the libssh build, use of ssh_get_publickey
   fails on -Werror=deprecated-declarations in Ubuntu 18.04. Do not use
   focal everywhere yet since Travis CI has not documented this option.
   In focal, python-impacket (Py2.7) has been removed, leaving only
   python3-impacket. Since it is only needed for SMB tests and not SSH,
   skip it for the libssh job since it might need more work.
 - apt: Remove gcc-8 and libstdc++-8-dev, already installed via g++-8.

Non-functional cleanups:
 - Simplify test matrix, drop redundant os and compiler keys.
 - Deprecation fixes: remove sudo, rename matrix -> jobs.
 - Every job has an 'env' key, put this key first in a list item.

Closes #5370
2020-05-16 13:41:17 +02:00
Peter Wu
1753e4140b travis: whitespace-only changes for consistency
Automatically apply a consistent indentation with:

    python3 -c 'from ruamel.yaml import YAML;y=YAML();d=y.load(open(".travis.yml"));y.width=500;y.dump(d,open(".travis.yml.new","w"))'

followed by manually re-indenting three comments.

Closes #5370
2020-05-16 13:40:48 +02:00
Peter Wu
a158a09166 CMake: add libssh build support
Closes #5372
2020-05-15 21:58:12 +02:00
Daniel Stenberg
a384e870bc
KNOWN_BUGS: wolfssh: publickey auth doesn't work
Closes #4820
2020-05-15 17:01:32 +02:00
Daniel Stenberg
938228dda2
KNOWN_BUGS: OS400 port requires deprecated IBM library
Closes #5176
2020-05-15 16:58:45 +02:00
Vyron Tsingaras
34a5400de1
http2: keep trying to send pending frames after req.upload_done
Fixes #1410
Closes #5401
2020-05-15 15:49:18 +02:00
Gilles Vollant
cac5374298
setopt: support certificate options in memory with struct curl_blob
This change introduces a generic way to provide binary data in setopt
options, called BLOBs.

This change introduces these new setopts:

CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.

Reviewed-by: Daniel Stenberg
Closes #5357
2020-05-15 13:03:59 +02:00
Daniel Stenberg
8df455479f
source cleanup: remove all custom typedef structs
- Stick to a single unified way to use structs
 - Make checksrc complain on 'typedef struct {'
 - Allow them in tests, public headers and examples

 - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
   typedef different types/structs depending on build conditions.

Closes #5338
2020-05-15 08:54:42 +02:00
Daniel Stenberg
5d54b5e697
travis: remove the .checksrc fiddling 2020-05-15 08:54:26 +02:00
Daniel Stenberg
449e54b483
ftp: make domore_getsock() return the secondary socket properly
Previously, after PASV and immediately after the data connection has
connected, the function would only return the control socket to wait for
which then made the data connection simply timeout and not get polled
correctly. This become obvious when running test 1631 and 1632 event-
based.
2020-05-15 08:28:56 +02:00
Daniel Stenberg
9e95ca10b5
test1632: verify FTP through HTTPS-proxy with connection re-use 2020-05-15 08:28:56 +02:00