1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 06:25:03 -05:00
Commit Graph

9065 Commits

Author SHA1 Message Date
Michael Kaufmann
f9484d9fb1 openssl: simplify expression in Curl_ossl_version 2016-12-18 13:09:51 +01:00
Isaac Boukris
82245eaa56 Curl_getconnectinfo: avoid checking if the connection is closed
It doesn't benefit us much as the connection could get closed at
any time, and also by checking we lose the ability to determine
if the socket was closed by reading zero bytes.

Reported-by: Michael Kaufmann

Closes https://github.com/curl/curl/pull/1134
2016-12-18 12:47:10 +01:00
Daniel Stenberg
845522cadb preproxy: renamed what was added as SOCKS_PROXY
CURLOPT_SOCKS_PROXY -> CURLOPT_PRE_PROXY

Added the corresponding --preroxy command line option. Sets a SOCKS
proxy to connect to _before_ connecting to a HTTP(S) proxy.
2016-12-16 16:04:23 +01:00
Daniel Stenberg
7907a2bec9 CURLOPT_SOCKS_PROXYTYPE: removed
This was added as part of the SOCKS+HTTPS proxy merge but there's no
need to support this as we prefer to have the protocol specified as a
prefix instead.
2016-12-16 15:10:19 +01:00
Daniel Stenberg
1c3e8bbfed checksrc: warn for assignments within if() expressions
... they're already frowned upon in our source code style guide, this
now enforces the rule harder.
2016-12-14 01:29:44 +01:00
Daniel Stenberg
b228d2952b checksrc: stricter no-space-before-paren enforcement
In order to make the code style more uniform everywhere
2016-12-13 23:39:11 +01:00
Adam Langley
71a55534fa openssl: don't use OpenSSL's ERR_PACK.
ERR_PACK is an internal detail of OpenSSL. Also, when using it, a
function name must be specified which is overly specific: the test will
break whenever OpenSSL internally change things so that a different
function creates the error.

Closes #1157
2016-12-07 23:53:03 +01:00
Daniel Stenberg
74595b223d http_proxy: simplify CONNECT response reading
Since it now reads responses one byte a time, a loop could be removed
and it is no longer limited to get the whole response within 16K, it is
now instead only limited to 16K maximum header line lengths.
2016-12-01 16:18:52 +01:00
Daniel Stenberg
3ea3518429 CONNECT: read responses one byte at a time
... so that it doesn't read data that is actually coming from the
remote. 2xx responses have no body from the proxy, that data is from the
peer.

Fixes #1132
2016-12-01 16:18:36 +01:00
Daniel Stenberg
c50b878c15 CONNECT: reject TE or CL in 2xx responses
A server MUST NOT send any Transfer-Encoding or Content-Length header
fields in a 2xx (Successful) response to CONNECT. (RFC 7231 section
4.3.6)

Also fixes the three test cases that did this.
2016-12-01 16:18:36 +01:00
Daniel Stenberg
aab33215af URL parser: reject non-numerical port numbers
Test 1281 added to verify
2016-12-01 10:36:37 +01:00
Dan Fandrich
18b02f1964 cyassl: fixed typo introduced in 4f8b1774 2016-11-30 21:57:55 +01:00
Michael Kaufmann
b34ea05d9d CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries properly
If a port number in a "connect-to" entry does not match, skip this
entry instead of connecting to port 0.

If a port number in a "connect-to" entry matches, use this entry
and look no further.

Reported-by: Jay Satiro
Assisted-by: Jay Satiro, Daniel Stenberg

Closes #1148
2016-11-30 12:02:44 +01:00
Jay Satiro
19613fb355 http2: check nghttp2_session_set_local_window_size exists
The function only exists since nghttp2 1.12.0.

Bug: https://github.com/curl/curl/commit/a4d8888#commitcomment-19985676
Reported-by: Michael Kaufmann
2016-11-28 14:08:35 -05:00
Anders Bakken
421f740164 http2: Fix crashes when parent stream gets aborted
Closes #1125
2016-11-28 15:06:17 +01:00
Okhin Vasilij
a4b2f7aafd curl_version_info: add CURL_VERSION_HTTPS_PROXY
Closes #1142
2016-11-26 17:28:53 +01:00
Frank Gevaerts
267b26b24a curl_easy_reset: clear info for CULRINFO_PROTOCOL and CURLINFO_SCHEME 2016-11-26 16:53:51 +01:00
Thomas Glanzmann
4f8b17743d HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEY 2016-11-25 10:49:38 +01:00
Thomas Glanzmann
1232dbb8bd url: proxy: Use 443 as default port for https proxies 2016-11-25 10:01:58 +01:00
Jay Satiro
2127457018 x509asn1: Restore the parameter check in Curl_getASN1Element
- Restore the removed parts of the parameter check.

Follow-up to 945f60e which altered the parameter check.
2016-11-24 19:43:20 -05:00
Frank Gevaerts
ba410f6c64 add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}
Adds access to the effectively used protocol/scheme to both libcurl and
curl, both in string and numeric (CURLPROTO_*) form.

Note that the string form will be uppercase, as it is just the internal
string.

As these strings are declared internally as const, and all other strings
returned by curl_easy_getinfo() are de-facto const as well, string
handling in getinfo.c got const-ified.

Closes #1137
2016-11-25 00:45:18 +01:00
Daniel Stenberg
6832c1d4b2 checksrc: move open braces to comply with function declaration style 2016-11-24 23:58:22 +01:00
Daniel Stenberg
80e7cfeb87 checksrc: detect wrongly placed open braces in func declarations 2016-11-24 23:58:22 +01:00
Daniel Stenberg
8657c268e1 checksrc: white space edits to comply to stricter checksrc 2016-11-24 23:58:22 +01:00
Daniel Stenberg
ec0a5c96ac checksrc: verify ASTERISKNOSPACE
Detects (char*) and 'char*foo' uses.
2016-11-24 23:58:22 +01:00
Daniel Stenberg
dbadaebfc4 checksrc: code style: use 'char *name' style 2016-11-24 23:58:22 +01:00
Daniel Stenberg
bc7e08471c checksrc: add ASTERISKSPACE
Verifies a 'char *name' style, with no space after the asterisk.
2016-11-24 23:48:45 +01:00
Daniel Stenberg
74ffa040a4 openssl: remove dead code
Coverity CID 1394666
2016-11-24 23:41:45 +01:00
Okhin Vasilij
c6da05a5ec HTTPS-proxy: fixed mbedtls and polishing 2016-11-24 23:41:45 +01:00
Daniel Stenberg
49765cd75c darwinssl: adopted to the HTTPS proxy changes
It builds and runs all test cases. No adaptations for actual HTTPS proxy
support has been made.
2016-11-24 23:41:45 +01:00
Daniel Stenberg
8b4352658a gtls: fix indent to silence compiler warning
vtls/gtls.c: In function ‘Curl_gtls_data_pending’:
vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
   if(conn->proxy_ssl[connindex].session &&
      ^~
      vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’
           return res;
2016-11-24 23:41:45 +01:00
Thomas Glanzmann
8cb872df10 mbedtls: Fix compile errors 2016-11-24 23:41:45 +01:00
Alex Rousskov
cb4e2be7c6 proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE        CA certificate to verify peer against
  --proxy-capath DIR         CA directory to verify peer against
  --proxy-cert CERT[:PASSWD] Client certificate file and password
  --proxy-cert-type TYPE     Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST       SSL ciphers to use
  --proxy-crlfile FILE       Get a CRL list in PEM format from the file
  --proxy-insecure           Allow connections to proxies with bad certs
  --proxy-key KEY            Private key file name
  --proxy-key-type TYPE      Private key file type (DER/PEM/ENG)
  --proxy-pass PASS          Pass phrase for the private key
  --proxy-ssl-allow-beast    Allow security flaw to improve interop
  --proxy-sslv2              Use SSLv2
  --proxy-sslv3              Use SSLv3
  --proxy-tlsv1              Use TLSv1
  --proxy-tlsuser USER       TLS username
  --proxy-tlspassword STRING TLS password
  --proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.
2016-11-24 23:41:44 +01:00
Patrick Monnerat
8034d8fc62 Declare endian read functions argument as a const pointer.
This is done for all functions of the form Curl_read[136][624]_[lb]e.
2016-11-24 16:14:21 +01:00
Patrick Monnerat
945f60e8a7 Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
See CRL-01-006.
2016-11-24 14:28:39 +01:00
Jay Satiro
3e9c0230f4 url: Fix conn reuse for local ports and interfaces
- Fix connection reuse for when the proposed new conn 'needle' has a
specified local port but does not have a specified device interface.

Bug: https://curl.haxx.se/mail/lib-2016-11/0137.html
Reported-by: bjt3[at]hotmail.com
2016-11-22 16:10:06 -05:00
Daniel Stenberg
f18f7bf934 rand: pass in number of randoms as an unsigned argument 2016-11-21 07:51:42 +01:00
Jay Satiro
8626632f3e rand: Fix potentially uninitialized result warning 2016-11-20 23:57:47 -05:00
Marcel Raad
c0ae2dbb86
vtls: fix build warnings
Fix warnings about conversions from long to time_t in openssl.c and
schannel.c.

Follow-up to de4de4e3c7
2016-11-19 14:09:03 +01:00
Marcel Raad
21aa32d30d lib: fix compiler warnings after de4de4e3c7
Visual C++ now complains about implicitly casting time_t (64-bit) to
long (32-bit). Fix this by changing some variables from long to time_t,
or explicitly casting to long where the public interface would be
affected.

Closes #1131
2016-11-18 10:11:55 +01:00
Isaac Boukris
0b8d682f81 Don't mix unix domain sockets with regular ones
When reusing a connection, make sure the unix domain
socket option matches.
2016-11-17 17:34:02 +01:00
Jay Satiro
a4d888857e http2: Use huge HTTP/2 windows
- Improve performance by using a huge HTTP/2 window size.

Bug: https://github.com/curl/curl/issues/1102
Reported-by: afrind@users.noreply.github.com
Assisted-by: Tatsuhiro Tsujikawa
2016-11-16 17:35:11 -05:00
Jay Satiro
b65f79d9e8 http2: Fix address sanitizer memcpy warning
- In Curl_http2_switched don't call memcpy when src is NULL.

Curl_http2_switched can be called like:

Curl_http2_switched(conn, NULL, 0);

.. and prior to this change memcpy was then called like:

memcpy(dest, NULL, 0)

.. causing address sanitizer to warn:

http2.c:2057:3: runtime error: null pointer passed as argument 2, which
is declared to never be null
2016-11-16 02:16:10 -05:00
David Schweikert
7c9b9add6f darwinssl: fix SSL client certificate not found on MacOS Sierra
Reviewed-by: Nick Zitzmann

Closes #1105
2016-11-15 08:41:32 +01:00
Daniel Stenberg
f682156a4f Curl_rand: fixed and moved to rand.c
Now Curl_rand() is made to fail if it cannot get the necessary random
level.

Changed the proto of Curl_rand() slightly to provide a number of ints at
once.

Moved out from vtls, since it isn't a TLS function and vtls provides
Curl_ssl_random() for this to use.

Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
2016-11-14 08:23:52 +01:00
Daniel Stenberg
ebf985c159 time_t fix: follow-up to de4de4e3c7
Blah, I accidentally wrote size_t instead of time_t for two variables.

Reported-by: Dave Reisner
2016-11-13 23:09:45 +01:00
Daniel Stenberg
de4de4e3c7 timeval: prefer time_t to hold seconds instead of long
... as long is still 32bit on modern 64bit windows machines, while
time_t is generally 64bit.
2016-11-12 13:32:21 +01:00
Daniel Stenberg
346340808c URL-parser: for file://[host]/ URLs, the [host] must be localhost
Previously, the [host] part was just ignored which made libcurl accept
strange URLs misleading users. like "file://etc/passwd" which might've
looked like it refers to "/etc/passwd" but is just "/passwd" since the
"etc" is an ignored host name.

Reported-by: Mike Crowe
Assisted-by: Kamil Dudka
2016-11-11 17:14:45 +01:00
Daniel Stenberg
ddefc056b6 openssl: make sure to fail in the unlikely event that PRNG seeding fails 2016-11-11 14:16:31 +01:00
Daniel Stenberg
942c952db6 openssl: avoid unnecessary seeding if already done
1.1.0+ does more of this by itself so we can avoid extra processing this
way.
2016-11-11 13:54:16 +01:00