1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-16 06:25:03 -05:00
Commit Graph

10789 Commits

Author SHA1 Message Date
Hubert Kario
319ae9075e nss: allow to specify TLS 1.3 ciphers if supported by NSS
Closes #3916
2019-05-27 09:04:09 +02:00
Jay Satiro
db8ec1fa38
Revert all SASL authzid (new feature) commits
- Revert all commits related to the SASL authzid feature since the next
  release will be a patch release, 7.65.1.

Prior to this change CURLOPT_SASL_AUTHZID  / --sasl-authzid was destined
for the next release, assuming it would be a feature release 7.66.0.
However instead the next release will be a patch release, 7.65.1 and
will not contain any new features.

After the patch release after the reverted commits can be restored by
using cherry-pick:

git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690

Details for all reverted commits:

Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()."

This reverts commit 0edf6907ae.

Revert "tests: Fix the line endings for the SASL alt-auth tests"

This reverts commit c2a8d52a13.

Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples"

This reverts commit 8c1cc369d0.

Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool"

This reverts commit a9499ff136.

Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID"

This reverts commit a14d72ca2f.
2019-05-25 23:36:11 +02:00
Daniel Stenberg
5c9b2e68a4
sectransp: handle errSSLPeerAuthCompleted from SSLRead()
Reported-by: smuellerDD on github
Fixes #3932
Closes #3933
2019-05-24 11:34:13 +02:00
Gisle Vanem
9d55e09cfe
Fix typo. 2019-05-24 09:05:28 +02:00
Daniel Stenberg
9ad313dcb8
md4: include the mbedtls config.h to get the MD4 info 2019-05-23 17:06:40 +02:00
Daniel Stenberg
0dc9a80199
md4: build correctly with openssl without MD4
Reported-by: elsamuko at github
Fixes #3921
Closes #3922
2019-05-23 17:06:29 +02:00
Zenju
170bd047f5
config-win32: add support for if_nametoindex and getsockname
Closes https://github.com/curl/curl/pull/3923
2019-05-23 11:10:28 +02:00
Daniel Stenberg
dc0a671213
url: fix bad #ifdef
Regression since e91e481612.

Reported-by: Tom Greenslade
Fixes #3924
Closes #3925
2019-05-23 09:06:48 +02:00
Daniel Stenberg
c6b5813723
Revert "progress: CURL_DISABLE_PROGRESS_METER"
This reverts commit 3b06e68b77.

Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT +
CURLOPT_LOW_SPEED_TIME

Reported-by: Dave Reisner

Fixes #3927
Closes #3928
2019-05-23 09:05:20 +02:00
Steve Holme
a14d72ca2f
sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixed #3653
Closes #3790
2019-05-22 22:55:05 +01:00
Daniel Stenberg
269f7df0ae
PolarSSL: deprecate support step 1. Removed from configure.
Also removed mentions from most docs.

Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html

Closes #3888
2019-05-22 10:00:56 +02:00
Daniel Stenberg
c9c4f7b547
configure/cmake: check for if_nametoindex()
- adds the check to cmake

- fixes the configure check to work for cross-compiled windows builds

Closes #3917
2019-05-22 09:49:19 +02:00
Daniel Stenberg
12e564ca20
parse_proxy: use the IPv6 zone id if given
If the proxy string is given as an IPv6 numerical address with a zone
id, make sure to use that for the connect to the proxy.

Reported-by: Edmond Yu

Fixes #3482
Closes #3918
2019-05-22 09:45:43 +02:00
Daniel Stenberg
8fba2d6a6b
url: convert the zone id from a IPv6 URL to correct scope id
Reported-by: GitYuanQu on github
Fixes #3902
Closes #3914
2019-05-21 18:58:45 +02:00
Daniel Gustafsson
528b284e4b udpateconninfo: mark variable unused
When compiling without getpeername() or getsockname(), the sockfd
paramter to Curl_udpateconninfo() became unused after commit e91e481612
added ifdef guards.

Closes #3910
Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196
Reviewed-by: Marcel Raad, Daniel Stenberg
2019-05-21 09:42:22 +02:00
Daniel Gustafsson
8986d3c6f4 ftp: move ftp_ccc in under featureflag
Commit e91e481612 moved ftp_ccc in under
the FTP featureflag in the UserDefined struct, but vtls callsites were
still using it unprotected.

Closes #3912
Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865
Reviewed-by: Daniel Stenberg, Marcel Raad
2019-05-21 09:38:11 +02:00
Guy Poizat
0da8441298
mbedtls: enable use of EC keys
Closes #3892
2019-05-20 19:00:59 +02:00
Omar Ramadan
c454d7f3f4
urlapi: increase supported scheme length to 40 bytes
The longest currently registered URI scheme at IANA is 36 bytes long.

Closes #3905
Closes #3900
2019-05-20 15:27:02 +02:00
Marcel Raad
10db3ef21e
lib: reduce variable scopes
Fixes Codacy/CppCheck warnings.

Closes https://github.com/curl/curl/pull/3872
2019-05-20 08:51:11 +02:00
Marcel Raad
320cec284d
ssh: move variable declaration to where it's used
This way, we need only one call to free.

Closes https://github.com/curl/curl/pull/3873
2019-05-20 08:06:22 +02:00
Marcel Raad
c92a4debd2
ssh-libssh: remove unused variable
sock was only used to be assigned to fd_read.

Closes https://github.com/curl/curl/pull/3873
2019-05-20 08:06:05 +02:00
Daniel Stenberg
2576003415
tftp: use the current blksize for recvfrom()
bug: https://curl.haxx.se/docs/CVE-2019-5436.html
Reported-by: l00p3r on hackerone
CVE-2019-5436
2019-05-20 07:57:49 +02:00
Daniel Gustafsson
9a87fe704e version: make ssl_version buffer match for multi_ssl
When running a multi TLS backend build the version string needs more
buffer space. Make the internal ssl_buffer stack buffer match the one
in Curl_multissl_version() to allow for the longer string. For single
TLS backend builds there is no use in extended to buffer. This is a
fallout from #3863 which fixes up the multi_ssl string generation to
avoid a buffer overflow when the buffer is too small.

Closes #3875
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-05-19 22:06:26 +02:00
Steve Holme
7ca7f82ba7
http_ntlm_wb: Handle auth for only a single request
Currently when the server responds with 401 on NTLM authenticated
connection (re-used) we consider it to have failed.  However this is
legitimate and may happen when for example IIS is set configured to
'authPersistSingleRequest' or when the request goes thru a proxy (with
'via' header).

Implemented by imploying an additional state once a connection is
re-used to indicate that if we receive 401 we need to restart
authentication.

Missed in fe6049f0.
2019-05-18 19:01:11 +01:00
Steve Holme
2697d63363
http_ntlm_wb: Cleanup handshake after clean NTLM failure
Missed in 50b87c4e.
2019-05-18 19:01:10 +01:00
Steve Holme
bd21fc9d2f
http_ntlm_wb: Return the correct error on receiving an empty auth message
Missed in fe20826b as it wasn't implemented in http.c in b4d6db83.

Closes #3894
2019-05-18 19:00:51 +01:00
Daniel Stenberg
e91e481612
libcurl: #ifdef away more code for disabled features/protocols 2019-05-17 23:24:34 +02:00
Daniel Stenberg
3b06e68b77
progress: CURL_DISABLE_PROGRESS_METER 2019-05-17 23:24:34 +02:00
Daniel Stenberg
3cfcdf08d8
hostip: CURL_DISABLE_SHUFFLE_DNS 2019-05-17 23:24:34 +02:00
Daniel Stenberg
1f8a584f6a
netrc: CURL_DISABLE_NETRC 2019-05-17 23:24:34 +02:00
Daniel Stenberg
8ece8177f1
cleanup: remove FIXME and TODO comments
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883
2019-05-16 09:16:56 +02:00
Steve Holme
fe20826b58
http_ntlm_wb: Move the type-2 message processing into a dedicated function
This brings the code inline with the other HTTP authentication mechanisms.

Closes #3890
2019-05-16 00:03:30 +01:00
Daniel Stenberg
ee68bbe29c
parse_proxy: use the URL parser API
As we treat a given proxy as a URL we should use the unified URL parser
to extract the parts out of it.

Closes #3878
2019-05-15 12:02:05 +02:00
Steve Holme
e832d1ef74
http_negotiate: Move the Negotiate state out of the negotiatedata structure
Given that this member variable is not used by the SASL based protocols
there is no need to have it here.

Closes #3882
2019-05-15 00:32:42 +01:00
Steve Holme
85bef18ca1
http_ntlm: Move the NTLM state out of the ntlmdata structure
Given that this member variable is not used by the SASL based protocols
there is no need to have it here.
2019-05-15 00:31:45 +01:00
Steve Holme
0c73adfad3
url: Move the negotiate state type into a dedicated enum 2019-05-15 00:31:35 +01:00
Steve Holme
be9fd703e0
url: Remove duplicate clean up of the winbind variables in conn_shutdown()
Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior
to calling conn_shutdown() and it in turn performs this, there is no
need to perform the same action in conn_shutdown().

Closes #3881
2019-05-14 14:35:11 +01:00
Daniel Stenberg
9f9ec7da57
urlapi: require a non-zero host name length when parsing URL
Updated test 1560 to verify.

Closes #3880
2019-05-14 13:39:10 +02:00
Daniel Gustafsson
bd91e7f340 imap: Fix typo in comment 2019-05-14 12:38:23 +02:00
Steve Holme
b5d1de8e21
url: Remove unnecessary initialisation from allocate_conn()
No need to set variables to zero as calloc() does this for us.

Closes #3879
2019-05-14 09:48:16 +01:00
Daniel Gustafsson
b4bb920405 vtls: fix potential ssl_buffer stack overflow
In Curl_multissl_version() it was possible to overflow the passed in
buffer if the generated version string exceeded the size of the buffer.
Fix by inverting the logic, and also make sure to not exceed the local
buffer during the string generation.

Closes #3863
Reported-by: nevv on HackerOne/curl
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
2019-05-13 20:27:50 +02:00
Daniel Stenberg
93c4de6974
pingpong: disable more when no pingpong enabled 2019-05-13 08:17:10 +02:00
Daniel Stenberg
6d32b72822
proxy: acknowledge DISABLE_PROXY more 2019-05-13 08:17:10 +02:00
Daniel Stenberg
b084616210
parsedate: CURL_DISABLE_PARSEDATE 2019-05-13 08:17:10 +02:00
Daniel Stenberg
e5b546b339
sasl: only enable if there's a protocol enabled using it 2019-05-13 08:17:10 +02:00
Daniel Stenberg
b95456f4e2
mime: acknowledge CURL_DISABLE_MIME 2019-05-13 08:17:09 +02:00
Daniel Stenberg
0e2208ada6
wildcard: disable from build when FTP isn't present 2019-05-13 08:17:09 +02:00
Daniel Stenberg
7c70a3b1ad
http: CURL_DISABLE_HTTP_AUTH 2019-05-13 08:17:09 +02:00
Daniel Stenberg
bf7303966e
base64: build conditionally if there are users 2019-05-13 08:17:09 +02:00
Daniel Stenberg
ae4adae954
doh: CURL_DISABLE_DOH 2019-05-13 08:17:09 +02:00
Steve Holme
52dfab65d6
auth: Rename the various authentication clean up functions
For consistency and to a avoid confusion.

Closes #3869
2019-05-12 18:37:00 +01:00
Marcel Raad
15fd9abfea
easy: fix another "clarify calculation precedence" warning
I missed this one in commit 6b3dde7fe6.
2019-05-12 13:36:45 +02:00
Marcel Raad
6b3dde7fe6
build: fix "clarify calculation precedence" warnings
Codacy/CppCheck warns about this. Consistently use parentheses as we
already do in some places to silence the warning.

Closes https://github.com/curl/curl/pull/3866
2019-05-12 09:31:09 +02:00
Steve Holme
407408f376
http_ntlm: Corrected the name of the include guard
Missed in f0bdd72c.

Closes #3867
2019-05-11 22:25:55 +01:00
Steve Holme
5c2aebe308
http_digest: Don't expose functions when HTTP and Crypto Auth are disabled
Closes #3861
2019-05-11 17:23:32 +01:00
Steve Holme
fb243b0475
http_negotiate: Don't expose functions when HTTP is disabled 2019-05-11 17:23:27 +01:00
Daniel Stenberg
12d655d456
doh: disable DOH for the cases it doesn't work
Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for
DOH resolves. This fix disables DOH for those.

Limitation added to KNOWN_BUGS.

Fixes #3850
Closes #3857
2019-05-11 11:38:58 +02:00
Steve Holme
0424605fc7 vauth: Fix incorrect function description for Curl_auth_user_contains_domain()
...and misalignment of these comments. From a78c61a4.

Closes #3860
2019-05-10 22:12:03 +01:00
Jay Satiro
d934059afd Revert "multi: support verbose conncache closure handle"
This reverts commit b0972bc.

- No longer show verbose output for the conncache closure handle.

The offending commit was added so that the conncache closure handle
would inherit verbose mode from the user's easy handle. (Note there is
no way for the user to set options for the closure handle which is why
that was necessary.) Other debug settings such as the debug function
were not also inherited since we determined that could lead to crashes
if the user's per-handle private data was used on an unexpected handle.

The reporter here says he has a debug function to capture the verbose
output, and does not expect or want any output to stderr; however
because the conncache closure handle does not inherit the debug function
the verbose output for that handle does go to stderr.

There are other plausible scenarios as well such as the user redirects
stderr on their handle, which is also not inherited since it could lead
to crashes when used on an unexpected handle.

Short of allowing the user to set options for the conncache closure
handle I don't think there's much we can safely do except no longer
inherit the verbose setting.

Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html
Reported-by: Kristoffer Gleditsch

Ref: https://github.com/curl/curl/pull/3598
Ref: https://github.com/curl/curl/pull/3618

Closes https://github.com/curl/curl/pull/3856
2019-05-10 15:01:57 -04:00
Steve Holme
e7a1bc8ee4 ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup()
From 6012fa5a.

Closes #3858
2019-05-10 00:07:44 +01:00
Kamil Dudka
f4603708af http_negotiate: do not treat failure of gss_init_sec_context() as fatal
Fixes #3726
Closes #3849
2019-05-09 09:41:33 +02:00
Kamil Dudka
f65845c1ec spnego_gssapi: fix return code on gss_init_sec_context() failure
Fixes #3726
Closes #3849
2019-05-09 09:41:14 +02:00
Jay Satiro
b5901cab57 http: Ignore HTTP/2 prior knowledge setting for HTTP proxies
- Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to
  the destination host.

We already do something similar for HTTPS proxies by not sending h2. [1]

Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would
incorrectly use HTTP/2 to talk to the proxy, which is not something we
support (yet?). Also it's debatable whether or not that setting should
apply to HTTP/2 proxies.

[1]: https://github.com/curl/curl/commit/17c5d05

Bug: https://github.com/curl/curl/issues/3570
Bug: https://github.com/curl/curl/issues/3832

Closes https://github.com/curl/curl/pull/3853
2019-05-08 22:50:41 -04:00
Ricky Leverence
3a03e59048
OpenSSL: Report -fips in version if OpenSSL is built with FIPS
Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS
define. It uses this define to determine whether to publish -fips at
the end of the version displayed. Applications that utilize the version
reported by OpenSSL will see a mismatch if they compare it to what curl
reports, as curl is not modifying the version in the same way. This
change simply adds a check to see if OPENSSL_FIPS is defined, and will
alter the reported version to match what OpenSSL itself provides. This
only appears to be applicable in versions of OpenSSL <1.1.1

Closes #3771
2019-05-08 09:30:15 +02:00
Frank Gevaerts
191ffd0708 nss: allow fifos and character devices for certificates.
Currently you can do things like --cert <(cat ./cert.crt) with (at least) the
openssl backend, but that doesn't work for nss because is_file rejects fifos.

I don't actually know if this is sufficient, nss might do things internally
(like seeking back) that make this not work, so actual testing is needed.

Closes #3807
2019-05-07 17:23:02 +02:00
Daniel Stenberg
d37b0936d1
ssh: define USE_SSH if SSH is enabled (any backend)
Closes #3846
2019-05-06 10:14:17 +02:00
Daniel Stenberg
2d0e9b40d3
urlapi: add CURLUPART_ZONEID to set and get
The zoneid can be used with IPv6 numerical addresses.

Updated test 1560 to verify.

Closes #3834
2019-05-05 15:52:46 +02:00
Taiyu Len
0eec832603
WRITEFUNCTION: add missing set_in_callback around callback
Closes #3837
2019-05-05 11:09:30 +02:00
Daniel Stenberg
bdb2dbc103
urlapi: strip off scope id from numerical IPv6 addresses
... to make the host name "usable". Store the scope id and put it back
when extracting a URL out of it.

Also makes curl_url_set() syntax check CURLUPART_HOST.

Fixes #3817
Closes #3822
2019-05-03 12:17:22 +02:00
Daniel Stenberg
5c9487a30e
multiif.h: remove unused protos
... for functions related to pipelining. Those functions were removed in
2f44e94efb.

Closes #3828
2019-05-02 09:56:19 +02:00
Yiming Jing
6ab569ce0b
travis: upgrade the MesaLink TLS backend to v1.0.0
Closes #3823
Closes #3776
2019-05-01 23:25:05 +02:00
Daniel Stenberg
41fcdf71a1
ConnectionExists: improve non-multiplexing use case
- better log output

- make sure multiplex is enabled for it to be used
2019-05-01 22:51:23 +02:00
Daniel Stenberg
be6e281cf2
multi: provide Curl_multiuse_state to update information
As soon as a TLS backend gets ALPN conformation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.
2019-05-01 22:51:23 +02:00
Daniel Stenberg
5c8783d77f
process_pending_handles: mark queued transfers as previously pending
With transfers being queued up, we only move one at a a time back to the
CONNECT state but now we mark moved transfers so that when a moved
transfer is confirmed "successful" (it connected) it will trigger the
move of another pending transfer. Previously, it would otherwise wait
until the transfer was done before doing this. This makes queued up
pending transfers get processed (much) faster.
2019-05-01 22:51:23 +02:00
Daniel Stenberg
c32248f17d
http: mark bundle as not for multiuse on < HTTP/2 response
Fixes #3813
Closes #3815
2019-05-01 22:51:23 +02:00
Daniel Gustafsson
b45fd8938e cookie: Guard against possible NULL ptr deref
In case the name pointer isn't set (due to memory pressure most likely)
we need to skip the prefix matching and reject with a badcookie to avoid
a possible NULL pointer dereference.

Closes #3820 #3821
Reported-by: Jonathan Moerman
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-05-01 13:14:15 +02:00
Kamil Dudka
9e8f28a8f1 nss: provide more specific error messages on failed init
Closes #3808
2019-04-29 10:29:53 +02:00
Daniel Stenberg
5fc28510a4
CURL_MAX_INPUT_LENGTH: largest acceptable string input size
This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().

The 8000000 number is arbitrary picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.

NOTE: This does not apply to `CURLOPT_POSTFIELDS`.

Test 1559 verifies.

Closes #3805
2019-04-29 08:02:44 +02:00
Simon Warta
dc5ac786d9
cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP
Closes https://github.com/curl/curl/pull/3769
2019-04-27 11:51:23 +02:00
Steve Holme
e7d3f65ab9 ntlm: Missed pre-processor || (or) during rebase for cd15acd0 2019-04-23 20:26:02 +01:00
Steve Holme
cd15acd0ec ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4
Just like we do for mbed TLS, use our local implementation of MD4 when
OpenSSL doesn't support it. This allows a type-3 message to include the
NT response.
2019-04-23 20:00:33 +01:00
Steve Holme
eb84ca3ea8 sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616
RFC 4616 specifies the authzid is optional in the client authentication
message and that the server will derive the authorisation identity
(authzid) from the authentication identity (authcid) when not specified
by the client.
2019-04-22 12:29:49 +01:00
Gisle Vanem
b21701c54b memdebug: fix variable name
Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile.

Ref: https://github.com/curl/curl/commit/76b6348#r33259088
2019-04-22 03:10:05 -04:00
Steve Holme
f0950acc07 vauth/cleartext: Don't send the authzid if it is empty
Follow up to 762a292f.
2019-04-21 23:34:21 +01:00
Daniel Stenberg
e649432e72
CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse
... and disconnect too old ones instead of trying to reuse.

Default max age is set to 118 seconds.

Ref: #3722
Closes #3782
2019-04-21 23:06:23 +02:00
Po-Chuan Hsieh
060f870b85 altsvc: Fix building with cookies disables
ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if
check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is
disabled. Fix by splitting out the function into a separate file which can
be included where needed.

Closes #3717
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2019-04-20 22:46:21 +02:00
Daniel Stenberg
e06b8bdae6
Curl_disconnect: treat all CONNECT_ONLY connections as "dead"
Since the connection has been used by the "outside" we don't know the
state of it anymore and curl should not use it anymore.

Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html

Closes #3795
2019-04-20 12:40:45 +02:00
Daniel Stenberg
31c3111284
multi: fix the statenames (follow-up fix from 2f44e94efb)
The list of names must be in sync with the defined states in the header
file!
2019-04-19 16:56:32 +02:00
Steve Holme
07ba221667 md5: Update the function signature following d84da52d 2019-04-16 00:08:42 +01:00
Steve Holme
0a9f3edeb3 md5: Forgot to update the code alignment in d84da52d 2019-04-15 22:40:43 +01:00
Steve Holme
d84da52d9f md5: Return CURLcode from the internally accessible functions
Following 28f826b3 to return CURLE_OK instead of numeric 0.
2019-04-15 22:38:20 +01:00
Steve Holme
5a1ba3ccb5 md(4|5): Fixed indentation oddities with the importation of replacement code
The indentation from 211d5329 and 57d6d253 was a little strange as
parts didn't align correctly, uses 4 spaces rather than 2. Checked
the indentation of the original source so it aligns, albeit, using
curl style.
2019-04-14 14:08:15 +01:00
Steve Holme
28f826b3bf md5: Code style to return CURLE_OK rather than numeric 0 2019-04-14 08:42:36 +01:00
Steve Holme
51b81e9b6e md5: Corrected code style for some pointer arguments 2019-04-14 08:36:56 +01:00
Daniel Stenberg
4f463da6b5
singleipconnect: show port in the verbose "Trying ..." message
To aid debugging better.
2019-04-13 11:21:25 +02:00
tmilburn
c3e38a4250
CURLOPT_ADDRESS_SCOPE: fix range check and more
Commit 9081014 fixed most of the confusing issues between scope id and
scope however 844896d added bad limits checking assuming that the scope
is being set and not the scope id.

I have fixed the documentation so it all refers to scope ids.

In addition Curl_if2ip refered to the scope id as remote_scope_id which
is incorrect, so I renamed it to local_scope_id.

Adjusted-by: Daniel Stenberg

Closes #3655
Closes #3765
Fixes #3713
2019-04-13 11:18:55 +02:00
Daniel Stenberg
d715d2ac89
urlapi: stricter CURLUPART_PORT parsing
Only allow well formed decimal numbers in the input.

Document that the number MUST be between 1 and 65535.

Add tests to test 1560 to verify the above.

Ref: https://github.com/curl/curl/issues/3753
Closes #3762
2019-04-13 11:17:30 +02:00
Daniel Stenberg
3f5da4e59a
openssl: mark connection for close on TLS close_notify
Without this, detecting and avoid reusing a closed TLS connection
(without a previous GOAWAY) when doing HTTP/2 is tricky.

Reported-by: Tom van der Woerdt
Fixes #3750
Closes #3763
2019-04-12 12:17:52 +02:00
Steve Holme
762a292f87 vauth/cleartext: Update the PLAIN login function signature to match RFC 4616
Functionally this doesn't change anything as we still use the username
for both the authorisation identity and the authentication identity.

Closes #3757
2019-04-11 22:43:30 +01:00
Daniel Stenberg
9a4ad1b056
url: always clone the CUROPT_CURLU handle
Since a few code paths actually update that data.

Fixes #3753
Closes #3761

Reported-by: Poul T Lomholt
2019-04-11 22:45:01 +02:00
Daniel Stenberg
f73de32d46
CURLOPT_DNS_USE_GLOBAL_CACHE: remove
Remove the code too. The functionality has been disabled in code since
7.62.0. Setting this option will from now on simply be ignored and have
no function.

Closes #3654
2019-04-11 22:22:39 +02:00
Marcel Raad
d1b5cf830b
build: fix Codacy/CppCheck warnings
- remove unused variables
- declare conditionally used variables conditionally
- suppress unused variable warnings in the CMake tests
- remove dead variable stores
- consistently use WIN32 macro to detect Windows

Closes https://github.com/curl/curl/pull/3739
2019-04-11 21:08:44 +02:00
Marcel Raad
bb0b10135c
polarssl_threadlock: remove conditionally unused code
Make functions no-ops if neither both USE_THREADS_POSIX and
HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are
defined. Previously, if only one of them was defined, there was either
code compiled that did nothing useful or the wrong header included for
the functions used.

Also, move POLARSSL_MUTEX_T define to implementation file as it's not
used externally.

Closes https://github.com/curl/curl/pull/3739
2019-04-11 21:08:42 +02:00
Steve Holme
166ace8be0 emailL Added reference to RFC8314 for implicit TLS 2019-04-11 01:19:15 +01:00
Daniel Stenberg
8ebc42be04
socks: fix error message 2019-04-08 23:30:53 +02:00
Daniel Stenberg
f4b6901230
socks5: user name and passwords must be shorter than 256
bytes... since the protocol needs to store the length in a single byte field.

Reported-by: XmiliaH on github
Fixes #3737
Closes #3740
2019-04-07 23:27:11 +02:00
Jakub Zakrzewski
0dd47c2a3d
urlapi: urlencode characters above 0x7f correctly
fixes #3741
Closes #3742
2019-04-07 22:57:42 +02:00
Even Rouault
64cbae3107
multi_runsingle(): fix use-after-free
Fixes #3745
Closes #3746

The following snippet
```

int main()
{
    CURL* hCurlHandle = curl_easy_init();
    curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com");
    curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1");
    curl_easy_perform(hCurlHandle);
    curl_easy_cleanup(hCurlHandle);
    return 0;
}
```
triggers the following Valgrind warning

```
==4125== Invalid read of size 8
==4125==    at 0x4E7D1EE: Curl_llist_remove (llist.c:97)
==4125==    by 0x4E7EF5C: detach_connnection (multi.c:798)
==4125==    by 0x4E80545: multi_runsingle (multi.c:1451)
==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
==4125==    by 0x4E76915: easy_perform (easy.c:719)
==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
==4125==    by 0x4008BE: main (in /home/even/curl/test)
==4125==  Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd
==4125==    at 0x4C2ECF0: free (vg_replace_malloc.c:530)
==4125==    by 0x4E62C36: conn_free (url.c:756)
==4125==    by 0x4E62D34: Curl_disconnect (url.c:818)
==4125==    by 0x4E48DF9: Curl_once_resolved (hostip.c:1097)
==4125==    by 0x4E8052D: multi_runsingle (multi.c:1446)
==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
==4125==    by 0x4E76915: easy_perform (easy.c:719)
==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
==4125==    by 0x4008BE: main (in /home/even/curl/test)
==4125==  Block was alloc'd at
==4125==    at 0x4C2F988: calloc (vg_replace_malloc.c:711)
==4125==    by 0x4E6438E: allocate_conn (url.c:1654)
==4125==    by 0x4E685B4: create_conn (url.c:3496)
==4125==    by 0x4E6968F: Curl_connect (url.c:4023)
==4125==    by 0x4E802E7: multi_runsingle (multi.c:1368)
==4125==    by 0x4E8197C: curl_multi_perform (multi.c:2072)
==4125==    by 0x4E766A0: easy_transfer (easy.c:625)
==4125==    by 0x4E76915: easy_perform (easy.c:719)
==4125==    by 0x4E7697C: curl_easy_perform (easy.c:738)
==4125==    by 0x4008BE: main (in /home/even/curl/test)
```

This has been bisected to commit 2f44e94

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109
Credit to OSS Fuzz
2019-04-07 22:55:38 +02:00
Daniel Stenberg
2f44e94efb
pipelining: removed
As previously planned and documented in DEPRECATE.md, all pipelining
code is removed.

Closes #3651
2019-04-06 22:49:50 +02:00
Marcel Raad
ab5a6cf603
ftplistparser: fix LGTM alert "Empty block without comment"
Removing the block is consistent with line 954/957.

Closes https://github.com/curl/curl/pull/3732
2019-04-05 12:56:18 +02:00
Marcel Raad
1369b74299
transfer: fix LGTM alert "Comparison is always true"
Just remove the redundant condition, which also makes it clear that
k->buf is always 0-terminated if this break is not hit.

Closes https://github.com/curl/curl/pull/3732
2019-04-05 12:56:10 +02:00
Rikard Falkeborn
f5a77473c5 smtp: fix compiler warning
- Fix clang string-plus-int warning.

Clang 8 warns about adding a string to an int does not append to the
string. Indeed it doesn't, but that was not the intention either. Use
array indexing as suggested to silence the warning. There should be no
functional changes.

(In other words clang warns about "foo"+2 but not &"foo"[2] so use the
latter.)

smtp.c:1221:29: warning: adding 'int' to a string does not append to the
string [-Wstring-plus-int]
      eob = strdup(SMTP_EOB + 2);
            ~~~~~~~~~~~~~~~~^~~~

Closes https://github.com/curl/curl/pull/3729
2019-04-04 21:11:42 -04:00
Tim Rühsen
7b758e9835 documentation: Fix several typos
Closes #3724
Reviewed-by: Jakub Zakrzewski
Reviewed-by: Daniel Gustafsson
2019-04-03 22:06:06 +02:00
Mert Yazıcıoğlu
6227e2bd07 vauth/oauth2: Fix OAUTHBEARER token generation
OAUTHBEARER tokens were incorrectly generated in a format similar to
XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the
RFC7628.

Fixes: #2487
Reported-by: Paolo Mossino

Closes https://github.com/curl/curl/pull/3377
2019-04-02 15:52:12 -04:00
Brad Spencer
80208d68dc
resolve: apply Happy Eyeballs philosophy to parallel c-ares queries
Closes #3699
2019-03-27 23:31:59 +01:00
Daniel Stenberg
dbce1bd86f
multi: improved HTTP_1_1_REQUIRED handling
Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error
on first flight.

Reported-by: niner on github
Fixes #3696
Closes #3707
2019-03-27 23:28:14 +01:00
Daniel Stenberg
c07fc5e292
Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set"
This reverts commit 9130ead9fc.

Fixes #3708
2019-03-27 00:19:15 +01:00
Christian Schmitz
9130ead9fc
ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set
Closes #3704
2019-03-26 16:32:14 +01:00
Jay Satiro
a375ab3be4 os400: Disable Alt-Svc by default since it's experimental
Follow-up to 520f0b4 which added Alt-Svc support and enabled it by
default for OS400. Since the feature is experimental, it should be
disabled by default.

Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332
Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html

Closes https://github.com/curl/curl/pull/3688
2019-03-24 16:43:43 -04:00
Daniel Gustafsson
d0c1268f99 lib: Fix typos in comments 2019-03-22 11:39:03 +01:00
David Woodhouse
efd9fba681 openssl: if cert type is ENG and no key specified, key is ENG too
Fixes #3692
Closes #3692
2019-03-20 13:10:44 -07:00
Daniel Stenberg
7550f62d07
sectransp: tvOS 11 is required for ALPN support
Reported-by: nianxuejie on github
Assisted-by: Nick Zitzmann
Assisted-by: Jay Satiro
Fixes #3689
Closes #3690
2019-03-20 08:14:21 +01:00
Patrick Monnerat
520f0b47ad os400: alt-svc support.
Although experimental, enable it in the platform config file.
Upgrade ILE/RPG binding.
2019-03-17 18:54:36 +01:00
Daniel Stenberg
e3a53e3efb
conncache: use conn->data to know if a transfer owns it
- make sure an already "owned" connection isn't returned unless
  multiplexed.

- clear ->data when returning the connection to the cache again

Regression since 7.62.0 (probably in commit 1b76c38904)

Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html

Closes #3686
2019-03-17 18:07:20 +01:00
Chris Young
1e853653d2
configure: add --with-amissl
AmiSSL is an Amiga native library which provides a wrapper over OpenSSL.
It also requires all programs using it to use bsdsocket.library
directly, rather than accessing socket functions through clib, which
libcurl was not necessarily doing previously. Configure will now check
for the headers and ensure they are included if found.

Closes #3677
2019-03-15 10:22:42 +01:00
Chris Young
76a9d8df0e
vtls: rename some of the SSL functions
... in the SSL structure as AmiSSL is using macros for the socket API
functions.
2019-03-15 10:22:42 +01:00
Daniel Stenberg
5cf5d57ab9
makefile: make checksrc and hugefile commands "silent"
... to match the style already used for compiling, linking
etc. Acknowledges 'make V=1' to enable verbose.

Closes #3681
2019-03-14 20:11:24 +01:00
Dominik Hölzl
6c60355323
Negotiate: fix for HTTP POST with Negotiate
* Adjusted unit tests 2056, 2057
* do not generally close connections with CURLAUTH_NEGOTIATE after every request
* moved negotiatedata from UrlState to connectdata
* Added stream rewind logic for CURLAUTH_NEGOTIATE
* introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC
* Consider authproblem state for CURLAUTH_NEGOTIATE
* Consider reuse_forbid for CURLAUTH_NEGOTIATE
* moved and adjusted negotiate authentication state handling from
  output_auth_headers into Curl_output_negotiate
* Curl_output_negotiate: ensure auth done is always set
* Curl_output_negotiate: Set auth done also if result code is
  GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may
  also indicate the last challenge request (only works with disabled
  Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1)
* Consider "Persistent-Auth" header, detect if not present;
  Reset/Cleanup negotiate after authentication if no persistent
  authentication
* apply changes introduced with #2546 for negotiate rewind logic

Fixes #1261
Closes #1975
2019-03-14 09:26:03 +01:00
Marc Schlatter
dd8a19f8a0
http: send payload when (proxy) authentication is done
The check that prevents payload from sending in case of authentication
doesn't check properly if the authentication is done or not.

They're cases where the proxy respond "200 OK" before sending
authentication challenge. This change takes care of that.

Fixes #2431
Closes #3669
2019-03-13 10:58:52 +01:00
Daniel Stenberg
5add3514e6
file: fix "Checking if unsigned variable 'readcount' is less than zero."
Pointed out by codacy

Closes #3672
2019-03-12 21:46:11 +01:00
Daniel Stenberg
401cb92954
memdebug: log pointer before freeing its data
Coverity warned for two potentional "Use after free" cases. Both are false
positives because the memory wasn't used, it was only the actual pointer
value that was logged.

The fix still changes the order of execution to avoid the warnings.

Coverity CID 1443033 and 1443034

Closes #3671
2019-03-12 21:45:03 +01:00
Daniel Stenberg
0bb56392d4
multi: removed unused code for request retries
This code was once used for the non multi-interface using code path, but
ever since easy_perform was turned into a wrapper around the multi
interface, this code path never runs.

Closes #3666
2019-03-11 17:29:51 +01:00
Jay Satiro
9e6af114ea doh: inherit some SSL options from user's easy handle
- Inherit SSL options for the doh handle but not SSL client certs,
  SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert,
  SSL pinned public key, SSL ciphers, SSL id cache setting,
  SSL kerberos or SSL gss-api settings.

- Fix inheritance of verbose setting.

- Inherit NOSIGNAL.

There is no way for the user to set options for the doh (DNS-over-HTTPS)
handles and instead we inherit some options from the user's easy handle.

My thinking for the SSL options not inherited is they are most likely
not intended by the user for the DOH transfer. I did inherit insecure
because I think that should still be in control of the user.

Prior to this change doh did not work for me because CAINFO was not
inherited. Also verbose was set always which AFAICT was a bug (#3660).

Fixes https://github.com/curl/curl/issues/3660
Closes https://github.com/curl/curl/pull/3661
2019-03-11 01:50:12 -04:00
Daniel Stenberg
299d9660f8
Revert "cookies: extend domain checks to non psl builds"
This reverts commit 3773de378d.

Regression shipped in 7.64.0
Fixes #3649
2019-03-09 12:59:20 +01:00
Daniel Stenberg
76b6348949
memdebug: make debug-specific functions use curl_dbg_ prefix
To not "collide" or use up the regular curl_ name space. Also makes them
easier to detect in helper scripts.

Closes #3656
2019-03-08 23:21:21 +01:00
Daniel Stenberg
4ed62bc0dc
source: fix two 'nread' may be used uninitialized warnings
Both seem to be false positives but we don't like warnings.

Closes #3646
2019-03-05 13:03:43 +01:00
Daniel Stenberg
39c29626cb
gopher: remove check for path == NULL
Since it can't be NULL and it makes Coverity believe we lack proper NULL
checks. Verified by test 659, landed in commit 15401fa886.

Pointed out by Coverity CID 1442746.

Assisted-by: Dan Fandrich
Fixes #3617
Closes #3642
2019-03-05 08:01:50 +01:00
Daniel Stenberg
d6f73af730
ssh: loop the state machine if not done and not blocking
If the state machine isn't complete, didn't fail and it didn't return
due to blocking it can just as well loop again.

This addresses the problem with SFTP directory listings where we would
otherwise return back to the parent and as the multi state machine
doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the
doing phase isn't complete, it would return out when in reality there
was more data to deal with.

Fixes #3506
Closes #3644
2019-03-05 07:57:11 +01:00
Jay Satiro
b0972bc8e1 multi: support verbose conncache closure handle
- Change closure handle to receive verbose setting from the easy handle
  most recently added via curl_multi_add_handle.

The closure handle is a special easy handle used for closing cached
connections. It receives limited settings from the easy handle most
recently added to the multi handle. Prior to this change that did not
include verbose which was a problem because on connection shutdown
verbose mode was not acknowledged.

Ref: https://github.com/curl/curl/pull/3598

Co-authored-by: Daniel Stenberg

Closes https://github.com/curl/curl/pull/3618
2019-03-05 00:00:01 -05:00
Daniel Stenberg
15401fa886
CURLU: fix NULL dereference when used over proxy
Test 659 verifies

Also fixed the test 658 name

Closes #3641
2019-03-04 16:24:08 +01:00
Daniel Stenberg
2591a491aa
altsvc_out: check the return code from Curl_gmtime
Pointed out by Coverity, CID 1442956.

Closes #3640
2019-03-03 21:30:31 +01:00
Daniel Stenberg
5345b04a43
alt-svc: add test 355 and 356 to verify with command line curl 2019-03-03 11:17:52 +01:00
Daniel Stenberg
e1be825453
alt-svc: the libcurl bits 2019-03-03 11:17:52 +01:00
Daniel Stenberg
15cbf8dec6
gnutls: remove call to deprecated gnutls_compression_get_name
It has been deprecated by GnuTLS since a year ago and now causes build
warnings.

Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f
Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html

Closes #3636
2019-03-02 11:13:57 +01:00
Jay Satiro
db374c50db system_win32: move win32_init here from easy.c
.. since system_win32 is a more appropriate location for the functions
and to extern the globals.

Ref: https://github.com/curl/curl/commit/ca597ad#r32446578
Reported-by: Gisle Vanem

Closes https://github.com/curl/curl/pull/3625
2019-03-02 01:49:48 -05:00
Daniel Stenberg
65eb65fde6
urldata: simplify bytecounters
- no need to have them protocol specific

- no need to set pointers to them with the Curl_setup_transfer() call

- make Curl_setup_transfer() operate on a transfer pointer, not
  connection

- switch some counters from long to the more proper curl_off_t type

Closes #3627
2019-03-01 17:30:34 +01:00
Daniel Stenberg
754ae10398
threaded-resolver: shutdown the resolver thread without error message
When a transfer is done, the resolver thread will be brought down. That
could accidentally generate an error message in the error buffer even
though this is not an error situationand the transfer would still return
OK.  An application that still reads the error buffer could find a
"Could not resolve host: [host name]" message there and get confused.

Reported-by: Michael Schmid
Fixes #3629
Closes #3630
2019-03-01 09:31:34 +01:00
Daniel Stenberg
14c95f8101
ssh: fix Condition '!status' is always true
in the same sftp_done function in both SSH backends. Simplify them
somewhat.

Pointed out by Codacy.

Closes #3628
2019-03-01 09:24:45 +01:00
Daniel Stenberg
4ff055530d
Curl_easy: remove req.maxfd - never used!
Introduced in 8b6314ccfb, but not used anymore in current code. Unclear
since when.

Closes #3626
2019-02-28 15:27:32 +01:00
Daniel Stenberg
f1d915ea49
http: set state.infilesize when sending formposts
Without it set, we would unwillingly triger the "HTTP error before end
of send, stop sending" condition even if the entire POST body had been
sent (since it wouldn't know the expected size) which would
unnecessarily log that message and close the connection when it didn't
have to.

Reported-by: Matt McClure
Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html
Closes #3624
2019-02-28 15:24:03 +01:00
Daniel Stenberg
76a9c3c4be
Secure Transport: no more "darwinssl"
Everyone calls it Secure Transport, now we do too.

Reviewed-by: Nick Zitzmann

Closes #3619
2019-02-28 08:42:59 +01:00
Daniel Stenberg
eb43338941
cookies: only save the cookie file if the engine is enabled
Follow-up to 8eddb8f425.

If the cookieinfo pointer is NULL there really is nothing to save.

Without this fix, we got a problem when a handle was using shared object
with cookies and is told to "FLUSH" it to file (which worked) and then
the share object was removed and when the easy handle was closed just
afterwards it has no cookieinfo and no cookies so it decided to save an
empty jar (overwriting the file just flushed).

Test 1905 now verifies that this works.

Assisted-by: Michael Wallner
Assisted-by: Marcel Raad

Closes #3621
2019-02-27 21:59:40 +01:00
Daniel Stenberg
62a2534e4c
urldata: convert bools to bitfields and move to end
This allows the compiler to pack and align the structs better in
memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2
makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000.

Removed an unused struct field.

No functionality changes.

Closes #3610
2019-02-27 08:37:56 +01:00
Daniel Stenberg
880cd5dd20
strerror: make the strerror function use local buffers
Instead of using a fixed 256 byte buffer in the connectdata struct.

In my build, this reduces the size of the connectdata struct by 11.8%,
from 2160 to 1904 bytes with no functionality or performance loss.

This also fixes a bug in schannel's Curl_verify_certificate where it
called Curl_sspi_strerror when it should have called Curl_strerror for
string from GetLastError. the only effect would have been no text or the
wrong text being shown for the error.

Co-authored-by: Jay Satiro

Closes #3612
2019-02-26 10:20:21 +01:00
Michael Wallner
8eddb8f425
cookies: fix NULL dereference if flushing cookies with no CookieInfo set
Regression brought by a52e46f390 (shipped in 7.63.0)

Closes #3613
2019-02-26 10:07:58 +01:00
Bernd Mueller
90236edee4
OpenSSL: add support for TLS ASYNC state
Closes #3591
2019-02-25 13:53:47 +01:00
georgeok
531b7ad43a schannel: support CALG_ECDH_EPHEM algorithm
Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
algorithm option when selecting ciphers. This became available on the
Win10 SDK.

Closes https://github.com/curl/curl/pull/3608
2019-02-25 01:38:35 -05:00
Daniel Stenberg
aa7b813ad1
multi: call multi_done on connect timeouts
Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get
updated correctly and could end up getting reported to the application
completely wrong (way too small).

Reported-by: accountantM on github
Fixes #3602
Closes #3605
2019-02-24 22:56:46 +01:00
Daniel Stenberg
300def7d40
wolfssl: stop custom-adding curves
since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in
wolfSSL 3.10.2 and later) it sends these curves by default already.

Pointed-out-by: David Garske

Closes #3599
2019-02-23 11:47:24 +01:00
Daniel Stenberg
11974ac859
configure: remove the unused fdopen macro
and the two remaining #ifdefs for it

Closes #3600
2019-02-22 22:38:33 +01:00
Jay Satiro
7466d1a308 url: change conn shutdown order to unlink data as last step
- Split off connection shutdown procedure from Curl_disconnect into new
  function conn_shutdown.

- Change the shutdown procedure to close the sockets before
  disassociating the transfer.

Prior to this change the sockets were closed after disassociating the
transfer so SOCKETFUNCTION wasn't called since the transfer was already
disassociated. That likely came about from recent work started in
Jan 2019 (#3442) to separate transfers from connections.

Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html
Reported-by: Pavel Löbl

Closes https://github.com/curl/curl/issues/3597
Closes https://github.com/curl/curl/pull/3598
2019-02-22 15:19:42 -05:00
Marcel Raad
50f1bb2632 Fix strict-prototypes GCC warning
As seen in the MinGW autobuilds. Caused by commit
f26bc29cfe.
2019-02-22 19:12:30 +01:00
Daniel Stenberg
aa5a28bd69
http2: verify :athority in push promise requests
RFC 7540 says we should verify that the push is for an "authoritative"
server. We make sure of this by only allowing push with an :athority
header that matches the host that was asked for in the URL.

Fixes #3577
Reported-by: Nicolas Grekas
Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html
Closes #3581
2019-02-20 08:18:02 +01:00
Daniel Stenberg
afc00e047c
singlesocket: fix the 'sincebefore' placement
The variable wasn't properly reset within the loop and thus could remain
set for sockets that hadn't been set before and miss notifying the app.

This is a follow-up to 4c35574 (shipped in curl 7.64.0)

Reported-by: buzo-ffm on github
Detected-by: Jan Alexander Steffens
Fixes #3585
Closes #3589
2019-02-20 08:15:32 +01:00
Daniel Stenberg
b08898fb29
connection: never reuse CONNECT_ONLY conections
and make CONNECT_ONLY conections never reuse any existing ones either.

Reported-by: Pavel Löbl
Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html
Closes #3586
2019-02-19 22:50:02 +01:00
Daniel Stenberg
d8b0318ad6
x509asn1: cleanup and unify code layout
- rename 'n' to buflen in functions, and use size_t for them. Don't pass
  in negative buffer lengths.

- move most function comments to above the function starts like we use
  to

- remove several unnecessary typecasts (especially of NULL)

Reviewed-by: Patrick Monnerat
Closes #3582
2019-02-19 16:03:19 +01:00
Daniel Stenberg
942eb09e8a
http: make adding a blank header thread-safe
Previously the function would edit the provided header in-place when a
semicolon is used to signify an empty header. This made it impossible to
use the same set of custom headers in multiple threads simultaneously.

This approach now makes a local copy when it needs to edit the string.

Reported-by: d912e3 on github
Fixes #3578
Closes #3579
2019-02-19 10:18:47 +01:00
Frank Gevaerts
21b33b9a0b
rand: Fix a mismatch between comments in source and header.
Reported-by: Björn Stenberg <bjorn@haxx.se>
Closes #3584
2019-02-18 23:13:30 +01:00
Patrick Monnerat
fa86d32d59 x509asn1: replace single char with an array
Although safe in this context, using a single char as an array may
cause invalid accesses to adjacent memory locations.

Detected by Coverity.
2019-02-18 15:40:34 +01:00
Jay Satiro
f26bc29cfe easy: fix win32 init to work without CURL_GLOBAL_WIN32
- Change the behavior of win32_init so that the required initialization
  procedures are not affected by CURL_GLOBAL_WIN32 flag.

libcurl via curl_global_init supports initializing for win32 with an
optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop
Winsock initialization. It did so internally by skipping win32_init()
when that flag was set. Since then win32_init() has been expanded to
include required initialization routines that are separate from
Winsock and therefore must be called in all cases. This commit fixes
it so that CURL_GLOBAL_WIN32 only controls the optional win32
initialization (which is Winsock initialization, according to our doc).

The only users affected by this change are those that don't pass
CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the
risk of a potential crash.

Ref: https://github.com/curl/curl/pull/3573

Fixes https://github.com/curl/curl/issues/3313
Closes https://github.com/curl/curl/pull/3575
2019-02-18 02:12:12 -05:00
Daniel Gustafsson
e6522522f9 cookie: Add support for cookie prefixes
The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes
and how they should affect cookie initialization, which has been
adopted by the major browsers. This adds support for the two prefixes
defined, __Host- and __Secure, and updates the testcase with the
supplied examples from the draft.

Closes #3554
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-17 00:09:30 +01:00
Daniel Gustafsson
0299b262cd mbedtls: release sessionid resources on error
If mbedtls_ssl_get_session() fails, it may still have allocated
memory that needs to be freed to avoid leaking. Call the library
API function to release session resources on this errorpath as
well as on Curl_ssl_addsessionid() errors.

Closes: #3574
Reported-by: Michał Antoniak <M.Antoniak@posnet.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-16 22:30:31 +01:00
Patrick Monnerat
c52620c249 version.c: silent scan-build even when librtmp is not enabled 2019-02-16 01:04:22 +01:00
Daniel Stenberg
ca597ad34a
Curl_now: figure out windows version in win32_init
... and avoid use of static variables that aren't thread safe.

Fixes regression from e9ababd4f5 (present in the 7.64.0 release)

Reported-by: Paul Groke
Fixes #3572
Closes #3573
2019-02-15 23:23:14 +01:00
Daniel Stenberg
354aa32820
strip_trailing_dot: make sure NULL is never used for strlen
scan-build warning: Null pointer passed as an argument to a 'nonnull'
parameter
2019-02-14 23:30:43 +01:00
Jay Satiro
4015fae044
connection_check: restore original conn->data after the check
- Save the original conn->data before it's changed to the specified
  data transfer for the connection check and then restore it afterwards.

This is a follow-up to 38d8e1b 2019-02-11.

History:

It was discovered a month ago that before checking whether to extract a
dead connection that that connection should be associated with a "live"
transfer for the check (ie original conn->data ignored and set to the
passed in data). A fix was landed in 54b201b which did that and also
cleared conn->data after the check. The original conn->data was not
restored, so presumably it was thought that a valid conn->data was no
longer needed.

Several days later it was discovered that a valid conn->data was needed
after the check and follow-up fix was landed in bbae24c which partially
reverted the original fix and attempted to limit the scope of when
conn->data was changed to only when pruning dead connections. In that
case conn->data was not cleared and the original conn->data not
restored.

A month later it was discovered that the original fix was somewhat
correct; a "live" transfer is needed for the check in all cases
because original conn->data could be null which could cause a bad deref
at arbitrary points in the check. A fix was landed in 38d8e1b which
expanded the scope to all cases. conn->data was not cleared and the
original conn->data not restored.

A day later it was discovered that not restoring the original conn->data
may lead to busy loops in applications that use the event interface, and
given this observation it's a pretty safe assumption that there is some
code path that still needs the original conn->data. This commit is the
follow-up fix for that, it restores the original conn->data after the
connection check.

Assisted-by: tholin@users.noreply.github.com
Reported-by: tholin@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/3542
Closes #3559
2019-02-14 17:42:43 +01:00
Daniel Stenberg
49d73d40f6
memdebug: bring back curl_mark_sclose
Used by debug builds with NSS.

Reverted from 05b100aee2
2019-02-14 17:34:55 +01:00
Patrick Monnerat
539d17b0de transfer.c: do not compute length of undefined hex buffer.
On non-ascii platforms, the chunked hex header was measured for char code
conversion length, even for chunked trailers that do not have an hex header.
In addition, the efective length is already known: use it.
Since the hex length can be zero, only convert if needed.

Reported by valgrind.
2019-02-14 16:03:24 +01:00
Patrick Monnerat
489ef6b694 x509asn1: "Dereference of null pointer"
Detected by scan-build (false positive).
2019-02-14 14:54:01 +01:00
Daniel Stenberg
28177def43
gssapi: fix deprecated header warnings
Heimdal includes on FreeBSD spewed out lots of them. Less so now.

Closes #3566
2019-02-14 08:38:43 +01:00
Daniel Stenberg
bb2444b794
multi: Dereference of null pointer
Mostly a false positive, but this makes the code easier to read anyway.

Detected by scan-build.

Closes #3563
2019-02-13 08:06:35 +01:00
Jay Satiro
0648070423 schannel: restore some debug output but only for debug builds
Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy
debug output in DEBUGF but omitted a few lines.

Ref: https://github.com/curl/curl/commit/84c10dc#r32292900
2019-02-12 19:54:08 -05:00
Daniel Stenberg
179927c12a
mime: put the boundary buffer into the curl_mime struct
... instead of allocating it separately and point to it. It is
fixed-size and always used for each part.

Closes #3561
2019-02-12 22:55:32 +01:00
Daniel Stenberg
84c10dc1ba
schannel: be quiet
Convert numerous infof() calls into debug-build only messages since they
are annoyingly verbose for regular applications. Removed a few.

Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
Reported-by: Volker Schmid
Closes #3552
2019-02-12 22:53:10 +01:00
Romain Geissler
aa1f1d48f3
Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning
Closes #3562
2019-02-12 19:19:55 +01:00
Daniel Stenberg
61496154ce
http2: multi_connchanged() moved from multi.c, only used for h2
Closes #3557
2019-02-12 14:40:37 +01:00
Daniel Stenberg
a6d134e17a
pretransfer: don't strlen() POSTFIELDS set for GET requests
... since that data won't be used in the request anyway.

Fixes #3548
Reported-by: Renaud Allard
Close #3549
2019-02-12 14:36:54 +01:00
Daniel Stenberg
aabc7ae5ec
multi: remove verbose "Expire in" ... messages
Reported-by: James Brown
Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html
Closes #3558
2019-02-12 14:13:15 +01:00
Daniel Stenberg
aabe0a7312
mbedtls: make it build even if MBEDTLS_VERSION_C isn't set
Reported-by: MAntoniak on github
Fixes #3553
Closes #3556
2019-02-12 10:27:47 +01:00
Daniel Gustafsson
5c31aebf64 non-ascii.c: fix typos in comments
Fix two occurrences of s/convers/converts/ spotted while reading code.
2019-02-12 10:24:29 +01:00
Daniel Stenberg
fc7ab4835b
fnmatch: disable if FTP is disabled
Closes #3551
2019-02-12 07:50:39 +01:00
Daniel Stenberg
afda140ec5
curl_path: only enabled for SSH builds 2019-02-12 07:50:39 +01:00
Daniel Gustafsson
e5d574c54f dns: release sharelock as soon as possible
There is no benefit to holding the data sharelock when freeing the
addrinfo in case it fails, so ensure releaseing it as soon as we can
rather than holding on to it. This also aligns the code with other
consumers of sharelocks.

Closes #3516
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-02-11 13:34:11 +01:00
Daniel Stenberg
982c09b95b
multi: (void)-prefix when ignoring return values
... and added braces to two function calls which fixes warnings if they
are replace by empty macros at build-time.
2019-02-11 11:57:02 +01:00
Daniel Stenberg
38d8e1bd4e
connection_check: set ->data to the transfer doing the check
The http2 code for connection checking needs a transfer to use. Make
sure a working one is set before handler->connection_check() is called.

Reported-by: jnbr on github
Fixes #3541
Closes #3547
2019-02-11 10:34:34 +01:00
Daniel Stenberg
81a9fe4e92
hostip: make create_hostcache_id avoid alloc + free
Closes #3544
2019-02-11 08:57:54 +01:00
Daniel Stenberg
05b100aee2
cleanup: make local functions static
urlapi: turn three local-only functions into statics

conncache: make conncache_find_first_connection static

multi: make detach_connnection static

connect: make getaddressinfo static

curl_ntlm_core: make hmac_md5 static

http2: make two functions static

http: make http_setup_conn static

connect: make tcpnodelay static

tests: make UNITTEST a thing to mark functions with, so they can be static for
normal builds and non-static for unit test builds

... and mark Curl_shuffle_addr accordingly.

url: make up_free static

setopt: make vsetopt static

curl_endian: make write32_le static

rtsp: make rtsp_connisdead static

warnless: remove unused functions

memdebug: remove one unused function, made another static
2019-02-10 18:38:57 +01:00
Daniel Stenberg
9cb126792c
url/idnconvert: remove scan for <= 32 ascii values
The check was added back in fa939220df before the URL parser would catch
these problems and therefore these will never trigger now.

Closes #3539
2019-02-09 23:39:58 +01:00
Daniel Stenberg
f260b9e932
urlapi: reduce variable scope, remove unreachable 'break'
Both nits pointed out by codacy.com

Closes #3540
2019-02-09 23:33:36 +01:00
Chris Araman
927a5bd1b4 url: close TLS before removing conn from cache
- Fix potential crashes in schannel shutdown.

Ensure any TLS shutdown messages are sent before removing the
association between the connection and the easy handle. Reverts
@bagder's previous partial fix for #3412.

Fixes https://github.com/curl/curl/issues/3412
Fixes https://github.com/curl/curl/issues/3505
Closes https://github.com/curl/curl/pull/3531
2019-02-06 13:33:21 -05:00
Daniel Gustafsson
39df4073e5
smtp: avoid risk of buffer overflow in strtol
If the incoming len 5, but the buffer does not have a termination
after 5 bytes, the strtol() call may keep reading through the line
buffer until is exceeds its boundary. Fix by ensuring that we are
using a bounded read with a temporary buffer on the stack.

Bug: https://curl.haxx.se/docs/CVE-2019-3823.html
Reported-by: Brian Carpenter (Geeknik Labs)
CVE-2019-3823
2019-02-04 08:22:32 +01:00
Daniel Stenberg
50c9484278
ntlm: fix *_type3_message size check to avoid buffer overflow
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
Reported-by: Wenxiang Qian
CVE-2019-3822
2019-02-04 08:22:32 +01:00
Daniel Stenberg
b780b30d13
NTLM: fix size check condition for type2 received data
Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
Reported-by: Wenxiang Qian
CVE-2018-16890
2019-02-04 08:22:31 +01:00
georgeok
a730432e59
spnego_sspi: add support for channel binding
Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.

Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509
2019-02-01 09:56:27 +01:00
Daniel Stenberg
180501cb02
schannel: stop calling it "winssl"
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.

Closes #3504
2019-02-01 08:20:38 +01:00
Daniel Stenberg
6f61933adf
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
To make sure Curl_timeleft() also thinks the timeout has been reached
when one of the EXPIRE_*TIMEOUTs expires.

Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html
Reported-by: Zhao Yisha
Closes #3501
2019-02-01 08:19:40 +01:00
Jeremie Rapin
a9d9a3abbe
sigpipe: if mbedTLS is used, ignore SIGPIPE
mbedTLS doesn't have a sigpipe management. If a write/read occurs when
the remote closes the socket, the signal is raised and kills the
application.  Use the curl mecanisms fix this behavior.

Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com>

Closes #3502
2019-01-28 12:03:33 +01:00
Michael Kujawa
b0a43aade1 timeval: Disable MSVC Analyzer GetTickCount warning
Compiling with msvc /analyze and a recent Windows SDK warns against
using GetTickCount (Suggests to use GetTickCount64 instead.)

Since GetTickCount is only being used when GetTickCount64 isn't
available, I am disabling that warning.

Fixes https://github.com/curl/curl/issues/3437
Closes https://github.com/curl/curl/pull/3440
2019-01-28 01:16:00 -05:00
Daniel Stenberg
179311ec37
configure: rewrite --enable-code-coverage
The previously used ax_code_coverage.m4 is not license compatible and
must not be used.

Reported-by: William A. Rowe Jr
Fixes #3497
Closes #3499
2019-01-26 00:29:50 +01:00
Felix Hädicke
3cbf731d9e
setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
libssh as well. So accepting these options only when compiling with
libssh2 is wrong here.

Fixes #3493
Closes #3494
2019-01-24 09:09:45 +01:00
Felix Hädicke
15c94b310b
libssh: do not let libssh create socket
By default, libssh creates a new socket, instead of using the socket
created by curl for SSH connections.

Pass the socket created by curl to libssh using ssh_options_set() with
SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket
instead of creating a new one.

This approach is very similar to what is done in the libssh2 code, where
the socket created by curl is passed to libssh2 when
libssh2_session_startup() is called.

Fixes #3491
Closes #3495
2019-01-24 09:03:11 +01:00
Archangel_SDY
ce6f73b912
schannel: preserve original certificate path parameter
Fixes #3480
Closes #3487
2019-01-21 23:21:45 +01:00
Daniel Gustafsson
f0b2c13a9e memcmp: avoid doing single char memcmp
There is no real gain in performing memcmp() comparisons on single
characters, so change these to array subscript inspections which
saves a call and makes the code clearer.

Closes #3486
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
2019-01-20 21:59:04 +01:00
georgeok
0966233744 ntlm_sspi: add support for channel binding
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.

Fixes #3280
Closes #3321
2019-01-19 13:00:53 +01:00
Daniel Stenberg
6ee6729709
schannel: on connection close there might not be a transfer
Reported-by: Marcel Raad
Fixes #3412
Closes #3483
2019-01-18 16:43:21 +01:00
JDepooter
b095a1ca63
ssh: log the libssh2 error message when ssh session startup fails
When a ssh session startup fails, it is useful to know why it has
failed. This commit changes the message from:
   "Failure establishing ssh session"
to something like this, for example:
   "Failure establishing ssh session: -5, Unable to exchange encryption keys"

Closes #3481
2019-01-17 15:03:16 +01:00
Daniel Stenberg
16a3307e81
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.

Reported-by: Pavel Pavlov
Fixes #3477
Closes #3478
2019-01-16 08:20:57 +01:00
Daniel Stenberg
bbae24c3ae
extract_if_dead: follow-up to 54b201b48c
extract_if_dead() dead is called from two functions, and only one of
them should get conn->data updated and now neither call path clears it.

scan-build found a case where conn->data would be NULL dereferenced in
ConnectionExists() otherwise.

Closes #3473
2019-01-15 08:49:16 +01:00
Daniel Stenberg
fe71b2d928
multi: remove "Dead assignment"
Found by scan-build. Follow-up to 4c35574bb7.

Closes #3471
2019-01-15 08:10:17 +01:00
Daniel Stenberg
ea77fec16f
tests: move objnames-* from lib into tests
Since they're used purely for testing purposes, I think they should
rather be stored there.

Closes #3470
2019-01-15 08:09:34 +01:00
Frank Gevaerts
c54ee668df
cookie: fix comment typo (url_path_len -> uri_path_len)
Closes #3469
2019-01-14 23:02:34 +01:00
Daniel Stenberg
54b201b48c
extract_if_dead: use a known working transfer when checking connections
Make sure that this function sets a proper "live" transfer for the
connection before calling the protocol-specific connection check
function, and then clear it again afterward as a non-used connection has
no current transfer.

Reported-by: Jeroen Ooms
Reviewed-by: Marcel Raad
Reviewed-by: Daniel Gustafsson
Fixes #3463
Closes #3464
2019-01-13 17:09:14 +01:00
Daniel Stenberg
cf8c70594f
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
OpenSSL_version() replaces OpenSSL_version_num()

Closes #3462
2019-01-13 17:06:59 +01:00
Daniel Stenberg
ba243235ec
urldata: rename easy_conn to just conn
We use "conn" everywhere to be a pointer to the connection.

Introduces two functions that "attaches" and "detaches" the connection
to and from the transfer.

Going forward, we should favour using "data->conn" (since a transfer
always only has a single connection or none at all) to "conn->data"
(since a connection can have none, one or many transfers associated with
it and updating conn->data to be correct is error prone and a frequent
reason for internal issues).

Closes #3442
2019-01-11 15:35:13 +01:00
Daniel Stenberg
afeb8d9902
cookies: allow secure override when done over HTTPS
Added test 1562 to verify.

Reported-by: Jeroen Ooms
Fixes #3445
Closes #3450
2019-01-10 10:31:06 +01:00
Daniel Stenberg
4c35574bb7
multi: multiplexing improvements
Fixes #3436
Closes #3448

 Problem 1

After LOTS of scratching my head, I eventually realized that even when doing
10 uploads in parallel, sometimes the socket callback to the application that
tells it what to wait for on the socket, looked like it would reflect the
status of just the single transfer that just changed state.

Digging into the code revealed that this was indeed the truth. When multiple
transfers are using the same connection, the application did not correctly get
the *combined* flags for all transfers which then could make it switch to READ
(only) when in fact most transfers wanted to get told when the socket was
WRITEABLE.

 Problem 1b

A separate but related regression had also been introduced by me when I
cleared connection/transfer association better a while ago, as now the logic
couldn't find the connection and see if that was marked as used by more
transfers and then it would also prematurely remove the socket from the socket
hash table even in times other transfers were still using it!

 Fix 1

Make sure that each socket stored in the socket hash has a "combined" action
field of what to ask the application to wait for, that is potentially the ORed
action of multiple parallel transfers. And remove that socket hash entry only
if there are no transfers left using it.

 Problem 2

The socket hash entry stored an association to a single transfer using that
socket - and when curl_multi_socket_action() was called to tell libcurl about
activities on that specific socket only that transfer was "handled".

This was WRONG, as a single socket/connection can be used by numerous parallel
transfers and not necessarily a single one.

 Fix 2

We now store a list of handles in the socket hashtable entry and when libcurl
is told there's traffic for a particular socket, it now iterates over all
known transfers using that single socket.
2019-01-10 09:49:09 +01:00
Katsuhiko YOSHIDA
1f30dc886d
cookies: skip custom cookies when redirecting cross-site
Closes #3417
2019-01-09 15:18:08 +01:00
Daniel Stenberg
1a93153783
timediff: fix math for unsigned time_t
Bug: https://curl.haxx.se/mail/lib-2018-12/0088.html

Closes #3449
2019-01-09 10:15:36 +01:00
Brad Spencer
84a30d0a41
curl_multi_remove_handle() don't block terminating c-ares requests
Added Curl_resolver_kill() for all three resolver modes, which only
blocks when necessary, along with test 1592 to confirm
curl_multi_remove_handle() doesn't block unless it must.

Closes #3428
Fixes #3371
2019-01-07 10:05:20 +01:00
Daniel Stenberg
ebe658c1e5
Revert "http_negotiate: do not close connection until negotiation is completed"
This reverts commit 07ebaf8378.

This also reopens PR #3275 which brought the change now reverted.

Fixes #3384
Closes #3439
2019-01-07 09:36:36 +01:00
Marcel Raad
e939afeb5c
schannel: fix compiler warning
When building with Unicode on MSVC, the compiler warns about freeing a
pointer to const in Curl_unicodefree. Fix this by declaring it as
non-const and casting the argument to Curl_convert_UTF8_to_tchar to
non-const too, like we do in all other places.

Closes https://github.com/curl/curl/pull/3435
2019-01-06 23:09:19 +01:00
Rikard Falkeborn
1e4ec09a26
printf: introduce CURL_FORMAT_TIMEDIFF_T 2019-01-04 23:51:13 +01:00
Rikard Falkeborn
fa2d6ba84d
printf: fix format specifiers
Closes #3426
2019-01-04 23:50:48 +01:00
Markus Moeller
7bcca93459 ntlm: update selection of type 3 response
NTLM2 did not work i.e. no NTLMv2 response was created. Changing the
check seems to work.

Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf

Fixes https://github.com/curl/curl/issues/3286
Closes https://github.com/curl/curl/pull/3287
Closes https://github.com/curl/curl/pull/3415
2019-01-01 11:47:17 +01:00
Daniel Gustafsson
a4482b21bd urlapi: fix parsing ipv6 with zone index
The previous fix for parsing IPv6 URLs with a zone index was a paddle
short for URLs without an explicit port. This patch fixes that case
and adds a unit test case.

This bug was highlighted by issue #3408, and while it's not the full
fix for the problem there it is an isolated bug that should be fixed
regardless.

Closes #3411
Reported-by: GitYuanQu on github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-30 20:11:57 +01:00
Claes Jakobsson
d8cae791f4 hostip: support wildcard hosts
This adds support for wildcard hosts in CURLOPT_RESOLVE. These are
try-last so any non-wildcard entry is resolved first. If specified,
any host not matched by another CURLOPT_RESOLVE config will use this
as fallback.

Example send a.com to 10.0.0.1 and everything else to 10.0.0.2:
  curl --resolve *:443:10.0.0.2 --resolve a.com:443:10.0.0.1 \
       https://a.com https://b.com

This is probably quite similar to using:
  --connect-to a.com:443:10.0.0.1:443 --connect-to :443:10.0.0.2:443

Closes #3406
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-27 14:23:53 +01:00
Daniel Gustafsson
ba266b3ed7 url: fix incorrect indentation 2018-12-27 00:05:12 +01:00
Daniel Stenberg
7608f9a2d5
Revert "libssh: no data pointer == nothing to do"
This reverts commit c98ee5f67f since commit f3ce38739f fixed the
problem in a more generic way.
2018-12-23 23:13:15 +01:00
Daniel Stenberg
f3ce38739f
disconnect: set conn->data for protocol disconnect
Follow-up to fb445a1e18: Set conn->data explicitly to point out the
current transfer when invoking the protocol-specific disconnect function
so that it can work correctly.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12173
2018-12-23 23:12:40 +01:00
Pavel P
e9ababd4f5 timeval: Use high resolution timestamps on Windows
- Use QueryPerformanceCounter on Windows Vista+

There is confusing info floating around that QueryPerformanceCounter
can leap etc, which might have been true long time ago, but no longer
the case nowadays (perhaps starting from WinXP?). Also, boost and
std::chrono::steady_clock use QueryPerformanceCounter in a similar way.

Prior to this change GetTickCount or GetTickCount64 was used, which has
lower resolution. That is still the case for <= XP.

Fixes https://github.com/curl/curl/issues/3309
Closes https://github.com/curl/curl/pull/3318
2018-12-23 02:30:37 -05:00
Daniel Stenberg
c98ee5f67f
libssh: no data pointer == nothing to do 2018-12-22 18:14:57 +01:00
Daniel Stenberg
85f9aa08d9
conncache_unlock: avoid indirection by changing input argument type 2018-12-22 18:14:56 +01:00
Daniel Stenberg
fb445a1e18
disconnect: separate connections and easy handles better
Do not assume/store assocation between a given easy handle and the
connection if it can be avoided.

Long-term, the 'conn->data' pointer should probably be removed as it is a
little too error-prone. Still used very widely though.

Reported-by: masbug on github
Fixes #3391
Closes #3400
2018-12-22 18:14:50 +01:00
Daniel Stenberg
d18a5afaf0
libssh: free sftp_canonicalize_path() data correctly
Assisted-by: Harry Sintonen

Fixes #3402
Closes #3403
2018-12-22 18:10:39 +01:00
Daniel Stenberg
006ff62d8c
http: added options for allowing HTTP/0.9 responses
Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose.

For now, both the tool and library allow HTTP/0.9 by default.
docs/DEPRECATE.md lays out the plan for when to reverse that default: 6
months after the 7.64.0 release. The options are added already now so
that applications/scripts can start using them already now.

Fixes #2873
Closes #3383
2018-12-21 10:49:30 +01:00
Daniel Stenberg
db9776ea00
if2ip: remove unused function Curl_if_is_interface_name
Closes #3401
2018-12-21 10:46:05 +01:00
Daniel Stenberg
6dc1780ea5
http2: clear pause stream id if it gets closed
Reported-by: Florian Pritz

Fixes #3392
Closes #3399
2018-12-20 17:10:12 +01:00
David Garske
982a897b4b wolfssl: Perform cleanup
This adds a cleanup callback for cyassl. Resolves possible memory leak
when using ECC fixed point cache.

Closes #3395
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2018-12-20 11:32:55 +01:00
Daniel Stenberg
0b9fadf81f
mbedtls: follow-up VERIFYHOST fix from f097669248
Fix-by: Eric Rosenquist

Fixes #3376
Closes #3390
2018-12-20 11:00:34 +01:00
Daniel Gustafsson
3773de378d cookies: extend domain checks to non psl builds
Ensure to perform the checks we have to enforce a sane domain in
the cookie request. The check for non-PSL enabled builds is quite
basic but it's better than nothing.

Closes #2964
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-19 20:59:09 +01:00
Matus Uzak
462037ad48
smb: fix incorrect path in request if connection reused
Follow-up to 09e401e01b.  If connection gets reused, then data member
will be copied, but not the proto member.  As a result, in smb_do(),
path has been set from the original proto.share data.

Closes #3388
2018-12-19 09:52:36 +01:00
Daniel Stenberg
f097669248
mbedtls: use VERIFYHOST
Previously, VERIFYPEER would enable/disable all checks.

Reported-by: Eric Rosenquist
Fixes #3376
Closes #3380
2018-12-17 23:36:42 +01:00
Daniel Stenberg
d8a9de6203
pingpong: change default response timeout to 120 seconds
Previously it was 30 minutes
2018-12-17 12:33:18 +01:00
Daniel Stenberg
154a17b6ee
pingpong: ignore regular timeout in disconnect phase
The timeout set with CURLOPT_TIMEOUT is no longer used when
disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP,
POP3).

Reported-by: jasal82 on github

Fixes #3264
Closes #3374
2018-12-17 12:33:00 +01:00
Ayoub Boudhar
f464535bfd
http: Implement trailing headers for chunked transfers
This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION
options that allow a callback based approach to sending trailing headers
with chunked transfers.

The test server (sws) was updated to take into account the detection of the
end of transfer in the case of trailing headers presence.

Test 1591 checks that trailing headers can be sent using libcurl.

Closes #3350
2018-12-14 10:10:48 +01:00
Daniel Stenberg
4531b299cc
darwinssl: accept setting max-tls with default min-tls
Reported-by: Andrei Neculau
Fixes #3367
Closes #3373
2018-12-14 09:54:31 +01:00
Daniel Stenberg
4b4062aaeb
gopher: fix memory leak from 9026083ddb 2018-12-13 15:06:17 +01:00
Leonardo Taccari
9026083ddb
gopher: always include the entire gopher-path in request
After the migration to URL API all octets in the selector after the
first `?' were interpreted as query and accidentally discarded and not
passed to the server.

Add a gopherpath to always concatenate possible path and query URL
pieces.

Fixes #3369
Closes #3370
2018-12-13 10:22:25 +01:00
Leonardo Taccari
305d25ed8a
urlapi: distinguish possibly empty query
If just a `?' to indicate the query is passed always store a zero length
query instead of having a NULL query.

This permits to distinguish URL with trailing `?'.

Fixes #3369
Closes #3370
2018-12-13 10:21:33 +01:00
Daniel Gustafsson
7a09b52c98 cookies: leave secure cookies alone
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-13 09:57:58 +01:00
Daniel Gustafsson
d8607da1a6 urlapi: Fix port parsing of eol colon
A URL with a single colon without a portnumber should use the default
port, discarding the colon. Fix, add a testcase and also do little bit
of comment wordsmithing.

Closes #3365
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-12 11:48:04 +01:00
Daniel Stenberg
435402cfe3
Curl_follow: extract the Location: header field unvalidated
... when not actually following the redirect. Otherwise we return error
for this and an application can't extract the value.

Test 1518 added to verify.

Reported-by: Pavel Pavlov
Fixes #3340
Closes #3364
2018-12-12 07:58:47 +01:00
Daniel Stenberg
ecb2e194d4
multi: convert two timeout variables to timediff_t
The time_t type is unsigned on some systems and these variables are used
to hold return values from functions that return timediff_t
already. timediff_t is always a signed type.

Closes #3363
2018-12-11 15:43:20 +01:00
Daniel Gustafsson
e1be2ecba4 tests: add urlapi unittest
This adds a new unittest intended to cover the internal functions in
the urlapi code, starting with parse_port(). In order to avoid name
collisions in debug builds, parse_port() is renamed Curl_parse_port()
since it will be exported.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 15:02:24 +01:00
Daniel Gustafsson
63533cbde2 urlapi: fix portnumber parsing for ipv6 zone index
An IPv6 URL which contains a zone index includes a '%%25<zode id>'
string before the ending ']' bracket. The parsing logic wasn't set
up to cope with the zone index however, resulting in a malformed url
error being returned. Fix by breaking the parsing into two stages
to correctly handle the zone index.

Closes #3355
Closes #3319
Reported-by: tonystz on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 15:02:19 +01:00
Jay Satiro
552f0205e6
http: fix HTTP auth to include query in URI
- Include query in the path passed to generate HTTP auth.

Recent changes to use the URL API internally (46e1640, 7.62.0)
inadvertently broke authentication URIs by omitting the query.

Fixes https://github.com/curl/curl/issues/3353
Closes #3356
2018-12-11 13:28:20 +01:00
Michael Kaufmann
c8bf8cc1e4
http: don't set CURLINFO_CONDITION_UNMET for http status code 204
The http status code 204 (No Content) should not change the "condition
unmet" flag. Only the http status code 304 (Not Modified) should do
this.

Closes #359
2018-12-11 13:22:42 +01:00
Samuel Surtees
1b443a7c00
ldap: fix LDAP URL parsing regressions
- Match URL scheme with LDAP and LDAPS
- Retrieve attributes, scope and filter from URL query instead

Regression brought in 46e164069d (7.62.0)

Closes #3362
2018-12-11 13:20:12 +01:00
Stefan Kanthak
e1360a1c91
(lib)curl.rc: fixup for minor bugs
All resources defined in lib/libcurl.rc and curl.rc are language
neutral.

winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the
ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong.

Replace the hard-coded constants in both *.rc files with #define'd
values.

Thumbs-uped-by: Rod Widdowson, Johannes Schindelin
URL: https://curl.haxx.se/mail/lib-2018-11/0000.html
Closes #3348
2018-12-10 00:10:04 +01:00
Daniel Stenberg
1e9abfedfa
cookies: expire "Max-Age=0" immediately
Reported-by: Jeroen Ooms
Fixes #3351
Closes #3352
2018-12-09 18:34:55 +01:00
Johannes Schindelin
d997aa0e96
Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
This is a companion patch to cbea2fd2c (NTLM: force the connection to
HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
preemptively. However, with other (Negotiate) authentication it is not
clear to this developer whether there is a way to make it work with
HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
error HTTP_1_1_REQUIRED.

Note: we will still keep the NTLM workaround, as it avoids an extra
round trip.

Daniel Stenberg helped a lot with this patch, in particular by
suggesting to introduce the Curl_h2_http_1_1_error() function.

Closes #3349

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-08 10:59:23 +01:00
Ben Greear
07e61abdac
openssl: fix unused variable compiler warning with old openssl
URL: https://curl.haxx.se/mail/lib-2018-11/0055.html

Closes #3347
2018-12-07 17:03:17 +01:00
Johannes Schindelin
cbea2fd2c7
NTLM: force the connection to HTTP/1.1
Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
the capability. However, NTLM authentication only works with HTTP/1.1,
and will likely remain in that boat (for details, see
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).

When we just found out that we want to use NTLM, and when the current
connection runs in HTTP/2 mode, let's force the connection to be closed
and to be re-opened using HTTP/1.1.

Fixes https://github.com/curl/curl/issues/3341.
Closes #3345

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-07 13:03:21 +01:00
Johannes Schindelin
2456152069
curl_global_sslset(): id == -1 is not necessarily an error
It is allowed to call that function with id set to -1, specifying the
backend by the name instead. We should imitate what is done further down
in that function to allow for that.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes #3346
2018-12-07 11:38:22 +01:00
Daniel Stenberg
d506df860f
doh: fix memory leak in OOM situation
Reviewed-by: Daniel Gustafsson
Closes #3342
2018-12-06 09:52:38 +01:00
Daniel Stenberg
027d66e5f1
doh: make it work for h2-disabled builds too
Reported-by: dtmsecurity at github
Fixes #3325
Closes #3336
2018-12-05 23:44:26 +01:00
Gergely Nagy
08efa19e6a
openssl: do not use file BIOs if not requested
Moves the file handling BIO calls to the branch of the code where they
are actually used.

Closes #3339
2018-12-05 15:26:18 +01:00
Paul Howarth
8ad9e5915a
nss: Fix compatibility with nss versions 3.14 to 3.15 2018-12-05 15:24:32 +01:00
Paul Howarth
71a1442eb2
nss: Improve info message when falling back SSL protocol
Use descriptive text strings rather than decimal numbers.
2018-12-05 15:24:32 +01:00
Paul Howarth
6848ea585b
nss: Fall back to latest supported SSL version
NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.

This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.

Fixes #3261
2018-12-05 15:24:32 +01:00
Daniel Gustafsson
6381708970 checksrc: add COPYRIGHTYEAR check
Forgetting to bump the year in the copyright clause when hacking has
been quite common among curl developers, but a traditional checksrc
check isn't a good fit as it would penalize anyone hacking on January
1st (among other things). This adds a more selective COPYRIGHTYEAR
check which intends to only cover the currently hacked on changeset.

The check for updated copyright year is currently not enforced on all
files but only on files edited and/or committed locally. This is due to
the amount of files which aren't updated with their correct copyright
year at the time of their respective commit.

To further avoid running this expensive check for every developer, it
adds a new local override mode for checksrc where a .checksrc file can
be used to turn on extended warnings locally.

Closes #3303
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-03 23:13:40 +01:00
Sevan Janiyan
b466560124 connect: fix building for recent versions of Minix
EBADIOCTL doesn't exist on more recent Minix.
There have also been substantial changes to the network stack.
Fixes build on Minix 3.4rc

Closes https://github.com/curl/curl/pull/3323
2018-11-29 02:05:23 -05:00
Daniel Gustafsson
fd1049554f doh: fix typo in infof call
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-26 11:40:26 +01:00
Daniel Stenberg
34fe0e1622
curl_easy_perform: fix timeout handling
curl_multi_wait() was erroneously used from within
curl_easy_perform(). It could lead to it believing there was no socket
to wait for and then instead sleep for a while instead of monitoring the
socket and then miss acting on that activity as swiftly as it should
(causing an up to 1000 ms delay).

Reported-by: Antoni Villalonga
Fixes #3305
Closes #3306
Closes #3308
2018-11-25 11:25:43 +01:00
Daniel Stenberg
a52e46f390
cookies: create the cookiejar even if no cookies to save
Important for when the file is going to be read again and thus must not
contain old contents!

Adds test 327 to verify.

Reported-by: daboul on github
Fixes #3299
Closes #3300
2018-11-23 14:50:51 +01:00
Daniel Stenberg
2e49610853
checksrc: ban snprintf use, add command line flag to override warns 2018-11-23 08:26:51 +01:00
Daniel Stenberg
dcd6f81025
snprintf: renamed and we now only use msnprintf()
The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
2018-11-23 08:26:51 +01:00
Tobias Hintze
5b4cce2e36
host names: allow trailing dot in name resolve, then strip it
Delays stripping of trailing dots to after resolving the hostname.

Fixes #3022
Closes #3222
2018-11-22 13:40:51 +01:00
Michael Kaufmann
549310e907 openssl: support session resume with TLS 1.3
Session resumption information is not available immediately after a TLS 1.3
handshake. The client must wait until the server has sent a session ticket.

Use OpenSSL's "new session" callback to get the session information and put it
into curl's session cache. For TLS 1.3 sessions, this callback will be invoked
after the server has sent a session ticket.

The "new session" callback is invoked only if OpenSSL's session cache is
enabled, so enable it and use the "external storage" mode which lets curl manage
the contents of the session cache.

A pointer to the connection data and the sockindex are now saved as "SSL extra
data" to make them available to the callback.

This approach also works for old SSL/TLS versions and old OpenSSL versions.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Fixes #3202
Closes #3271
2018-11-21 11:18:25 +01:00
Michael Kaufmann
30a65381f9 ssl: fix compilation with OpenSSL 0.9.7
- ENGINE_cleanup() was used without including "openssl/engine.h"
- enable engine support for OpenSSL 0.9.7

Closes #3266
2018-11-21 11:14:26 +01:00
Daniel Stenberg
59311bd3df
openssl: disable TLS renegotiation with BoringSSL
Since we're close to feature freeze, this change disables this feature
with an #ifdef. Define ALLOW_RENEG at build-time to enable.

This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
applications opt-in this.

Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293
2018-11-21 08:30:18 +01:00
Romain Fliedel
6765e6d9e6
ares: remove fd from multi fd set when ares is about to close the fd
When using c-ares for asyn dns, the dns socket fd was silently closed
by c-ares without curl being aware. curl would then 'realize' the fd
has been removed at next call of Curl_resolver_getsock, and only then
notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with
CURL_POLL_REMOVE. At this point the fd is already closed.

By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this
patch allows curl to be notified that the fd is not longer needed
for neither for write nor read. At this point by calling
Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE
before the fd is actually closed by ares.

In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore
since it does not allow passing a different sock_state_cb_data

Closes #3238
2018-11-20 19:58:45 +01:00
pkubaj
7c96f6a14b ntlm: Remove redundant ifdef USE_OPENSSL
lib/curl_ntlm.c had code that read as follows:

  #ifdef USE_OPENSSL
  # ifdef USE_OPENSSL
  # else
  # ..
  # endif
  #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to
reach it anyway). The removed construction is a leftover from when the
SSLeay support was removed.

Closes #3269
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-20 14:59:12 +01:00
Han Han
78ff4e0de3
ssl: replace all internal uses of CURLE_SSL_CACERT
Closes #3291
2018-11-20 14:57:00 +01:00
Daniel Gustafsson
1cccf2f945 openssl: Remove SSLEAY leftovers
Commit 709cf76f6b deprecated USE_SSLEAY, as curl since long isn't
compatible with the SSLeay library. This removes the few leftovers that
were omitted in the less frequently used platform targets.

Closes #3270
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-17 21:36:10 +01:00
Elia Tufarolo
07ebaf8378
http_negotiate: do not close connection until negotiation is completed
Fix HTTP POST using CURLAUTH_NEGOTIATE.

Closes #3275
2018-11-16 23:38:47 +01:00
Daniel Stenberg
6d0e487f9f
pop3: only do APOP with a valid timestamp
Brought-by: bobmitchell1956 on github
Fixes #3278
Closes #3279
2018-11-16 23:36:53 +01:00
Peter Wu
27e4ac24cd openssl: do not log excess "TLS app data" lines for TLS 1.3
The SSL_CTX_set_msg_callback callback is not just called for the
Handshake or Alert protocols, but also for the raw record header
(SSL3_RT_HEADER) and the decrypted inner record type
(SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid
excess debug spam when using `curl -v` against a TLSv1.3-enabled server:

    * TLSv1.3 (IN), TLS app data, [no content] (0):

(Following this message, another callback for the decrypted
handshake/alert messages will be be present anyway.)

Closes https://github.com/curl/curl/pull/3281
2018-11-16 16:03:31 -05:00
Kamil Dudka
3d988c5563
nss: remove version selecting dead code
Closes #3262
2018-11-13 23:55:22 +01:00
Daniel Stenberg
0c448093dd
nss: set default max-tls to 1.3/1.2
Fixes #3261
2018-11-13 23:54:13 +01:00
Daniel Stenberg
42fd235040
nss: fix fallthrough comment to fix picky compiler warning 2018-11-12 15:23:17 +01:00
Tim Rühsen
c05d77ee7d
ftp: avoid two unsigned int overflows in FTP listing parser
Curl_ftp_parselist: avoid unsigned integer overflows

The overflow has no real world impact, just avoid it for "best
practice".

Closes #3225
2018-11-09 23:08:46 +01:00
Jérémy Rocher
27cb384679
openssl: support BoringSSL TLS renegotiation
As per BoringSSL porting documentation [1], BoringSSL rejects peer
renegotiations by default.

curl fails when trying to authenticate to server through client
certificate if it is requested by server after the initial TLS
handshake.

Enable renegotiation by default with BoringSSL to get same behavior as
with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2]
which was introduced in commit 1d5ef3bb1eb9 [3].

1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86

Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com>
Fixes #3258
Closes #3259
2018-11-09 22:32:47 +01:00
Jim Fuller
5c4fe0d826
setopt: add CURLOPT_CURLU
Allows an application to pass in a pre-parsed URL via a URL handle.

Closes #3227
2018-11-09 15:47:28 +01:00
Daniel Gustafsson
8a49b291cb winssl: be consistent in Schannel capitalization
The productname from Microsoft is "Schannel", but in infof/failf
reporting we use "schannel". This removes different versions.

Closes #3243
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-07 10:11:13 +01:00
Daniel Stenberg
9aa8ff2895
urlapi: only skip encoding the first '=' with APPENDQUERY set
APPENDQUERY + URLENCODE would skip all equals signs but now it only skip
encoding the first to better allow "name=content" for any content.

Reported-by: Alexey Melnichuk
Fixes #3231
Closes #3231
2018-11-07 08:28:48 +01:00
Daniel Stenberg
9df8dc101b
url: a short host name + port is not a scheme
The function identifying a leading "scheme" part of the URL considered a
few letters ending with a colon to be a scheme, making something like
"short:80" to become an unknown scheme instead of a short host name and
a port number.

Extended test 1560 to verify.

Also fixed test203 to use file_pwd to make it get the correct path on
windows. Removed test 2070 since it was a duplicate of 203.

Assisted-by: Marcel Raad
Reported-by: Hagai Auro
Fixes #3220
Fixes #3233
Closes #3223
Closes #3235
2018-11-06 19:11:58 +01:00
Sangamkar
74f4782319
libcurl: stop reading from paused transfers
In the transfer loop it would previously not acknwledge the pause bit
and continue until drained or loop ended.

Closes #3240
2018-11-06 19:07:17 +01:00
Jay Satiro
28429fb175 curl_multibyte: fix a malloc overcalculation
Prior to this change twice as many bytes as necessary were malloc'd when
converting wchar to UTF8. To allay confusion in the future I also
changed the variable name for the amount of bytes from len to bytes.

Closes https://github.com/curl/curl/pull/3209
2018-11-06 03:11:05 -05:00
Michael Kaufmann
53db15ba55 netrc: don't ignore the login name specified with "--user"
- for "--netrc", don't ignore the login/password specified with "--user",
  only ignore the login/password in the URL.
  This restores the netrc behaviour of curl 7.61.1 and earlier.
- fix the documentation of CURL_NETRC_REQUIRED
- improve the detection of login/password changes when reading .netrc
- don't read .netrc if both login and password are already set

Fixes #3213
Closes #3224
2018-11-05 20:34:01 +01:00
Daniel Stenberg
d9abebc7ee
Revert "url: a short host name + port is not a scheme"
This reverts commit 226cfa8264.

This commit caused test failures on appveyor/windows. Work on fixing them is
in #3235.
2018-11-05 09:24:59 +01:00
Daniel Gustafsson
c37b66aaae infof: clearly indicate truncation
The internal buffer in infof() is limited to 2048 bytes of payload plus
an additional byte for NULL termination. Servers with very long error
messages can however cause truncation of the string, which currently
isn't very clear, and leads to badly formatted output.

This appends a "...\n" (or just "..." in case the format didn't with a
newline char) marker to the end of the string to clearly show
that it has been truncated.

Also include a unittest covering infof() to try and catch any bugs
introduced in this quite important function.

Closes #3216
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-11-03 20:54:18 +01:00
Daniel Stenberg
226cfa8264
url: a short host name + port is not a scheme
The function identifying a leading "scheme" part of the URL considered a few
letters ending with a colon to be a scheme, making something like "short:80"
to become an unknown scheme instead of a short host name and a port number.

Extended test 1560 to verify.

Reported-by: Hagai Auro
Fixes #3220
Closes #3223
2018-11-03 15:01:27 +01:00
Daniel Stenberg
b28094833a
URL: fix IPv6 numeral address parser
Regression from 46e164069d. Extended test 1560 to verify.

Reported-by: tpaukrt on github
Fixes #3218
Closes #3219
2018-11-03 00:14:04 +01:00
Tim Rühsen
e4f2a5bc1b
mprintf: avoid unsigned integer overflow warning
The overflow has no real world impact.
Just avoid it for "best practice".

Code change suggested by "The Infinnovation Team" and Daniel Stenberg.
Closes #3184
2018-11-02 11:07:04 +01:00
Daniel Stenberg
2c5ec339ea
Curl_follow: accept non-supported schemes for "fake" redirects
When not actually following the redirect and the target URL is only
stored for later retrieval, curl always accepted "non-supported"
schemes. This was a regression from 46e164069d.

Reported-by: Brad King
Fixes #3210
Closes #3215
2018-11-02 09:50:44 +01:00
Daniel Stenberg
302d125b42
axtls: removed
As has been outlined in the DEPRECATE.md document, the axTLS code has
been disabled for 6 months and is hereby removed.

Use a better supported TLS library!

Assisted-by: Daniel Gustafsson
Closes #3194
2018-11-01 10:29:53 +01:00
marcosdiazr
7f4c358541
schannel: make CURLOPT_CERTINFO support using Issuer chain
Closes #3197
2018-11-01 10:21:51 +01:00
Daniel Stenberg
832661b3a7
schannel: use Curl_ prefix for global private symbols
Curl_verify_certificate() must use the Curl_ prefix since it is globally
available in the lib and otherwise steps outside of our namespace!

Closes #3201
2018-11-01 09:39:45 +01:00
Daniel Gustafsson
1460e89e01 vtls: add MesaLink to curl_sslbackend enum
MesaLink support was added in commit 57348eb97d but the
backend was never added to the curl_sslbackend enum in curl/curl.h.
This adds the new backend to the enum and updates the relevant docs.

Closes #3195
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-30 16:56:51 +01:00
Daniel Stenberg
f3a24d7916
Curl_auth_create_plain_message: fix too-large-input-check
CVE-2018-16839
Reported-by: Harry Sintonen
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
2018-10-29 08:05:23 +01:00
Daniel Stenberg
81d135d671
Curl_close: clear data->multi_easy on free to avoid use-after-free
Regression from b46cfbc068 (7.59.0)
CVE-2018-16840
Reported-by: Brian Carpenter (Geeknik Labs)

Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
2018-10-29 08:05:23 +01:00
Daniel Stenberg
75b94d77e8
rand: add comment to skip a clang-tidy false positive 2018-10-27 15:59:44 +02:00
Daniel Stenberg
feea1259e4
x509asn1: always check return code from getASN1Element() 2018-10-27 15:59:43 +02:00
Daniel Stenberg
be20814191
Makefile: add 'tidy' target that runs clang-tidy
Available in the root, src and lib dirs.

Closes #3163
2018-10-27 15:59:38 +02:00
Patrick Monnerat
c335b7f1f7 x509asn1: suppress left shift on signed value
Use an unsigned variable: as the signed operation behavior is undefined,
this change silents clang-tidy about it.

Ref: https://github.com/curl/curl/pull/3163
Reported-By: Daniel Stenberg
2018-10-27 15:04:50 +02:00
Michael Kaufmann
3793761a37 multi: Fix error handling in the SENDPROTOCONNECT state
If Curl_protocol_connect() returns an error code,
handle the error instead of switching to the next state.

Closes #3170
2018-10-27 13:03:50 +02:00
Daniel Stenberg
44a9e9f80f
openssl: output the correct cipher list on TLS 1.3 error
When failing to set the 1.3 cipher suite, the wrong string pointer would
be used in the error message. Most often saying "(nil)".

Reported-by: Ricky-Tigg on github
Fixes #3178
Closes #3180
2018-10-27 10:46:38 +02:00
Daniel Gustafsson
5c8c310edb ssh: free the session on init failures
Ensure to clear the session object in case the libssh2 initialization
fails.

It could be argued that the libssh2 error function should be called to
get a proper error message in this case. But since the only error path
in libssh2_knownhost_init() is memory a allocation failure it's safest
to avoid since the libssh2 error handling allocates memory.

Closes #3179
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-26 15:39:15 +02:00
Daniel Gustafsson
68348461dc
openssl: make 'done' a proper boolean
Closes #3176
2018-10-26 13:51:25 +02:00
Daniel Stenberg
ebfe02f73c
gtls: Values stored to but never read
Detected by clang-tidy

Closes #3176
2018-10-26 13:51:07 +02:00
Gisle Vanem
639d052e44
rtmp: fix for compiling with lwIP
Compiling on _WIN32 and with USE_LWIPSOCK, causes this error:
  curl_rtmp.c(223,3):  error: use of undeclared identifier 'setsockopt'
    setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO,
    ^
  curl_rtmp.c(41,32):  note: expanded from macro 'setsockopt'
  #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e)
                                 ^
Closes #3155
2018-10-26 00:04:02 +02:00
Michael Kaufmann
daabc91581 urldata: Fix comment in header
The "connecting" function is used by multiple protocols, not only FTP
2018-10-25 13:04:03 +02:00
Michael Kaufmann
d48e6b7f95 netrc: free temporary strings if memory allocation fails
- Change the inout parameters after all needed memory has been
  allocated. Do not change them if something goes wrong.
- Free the allocated temporary strings if strdup() fails.

Closes #3122
2018-10-25 12:54:55 +02:00
Ruslan Baratov
4f2541f975
config: Remove unused SIZEOF_VOIDP
Closes #3162
2018-10-24 11:20:57 +02:00
Gisle Vanem
eda0998894
Fix for compiling with lwIP (3)
lwIP on Windows does not have a WSAIoctl() function. 
But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
2018-10-23 12:55:07 +02:00
Daniel Stenberg
6535b9303d
Curl_follow: return better errors on URL problems
... by making the converter function global and accessible.

Closes #3153
2018-10-23 11:43:41 +02:00
Daniel Stenberg
ca10fae6fc
Curl_follow: remove remaining free(newurl)
Follow-up to 05564e750e. This function no longer frees the passed-in
URL.

Reported-by: Michael Kaufmann
Bug: 05564e750e (commitcomm)
ent-30985666
2018-10-23 11:43:41 +02:00
Daniel Gustafsson
06d8f16b87 headers: end all headers with guard comment
Most headerfiles end with a /* <headerguard> */ comment, but it was
missing from some. The comment isn't the most important part of our
code documentation but consistency has an intrinsic value in itself.
This adds header guard comments to the files that were lacking it.

Closes #3158
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-23 10:02:24 +02:00
Daniel Stenberg
05564e750e
multi: avoid double-free
Curl_follow() no longer frees the string. Make sure it happens in the
caller function, like we normally handle allocations.

This bug was introduced with the use of the URL API internally, it has
never been in a release version

Reported-by: Dario Weißer
Closes #3149
2018-10-19 15:29:31 +02:00
Daniel Stenberg
8a49f91d32
multi: make the closure handle "inherit" CURLOPT_NOSIGNAL
Otherwise, closing that handle can still cause surprises!

Reported-by: Martin Ankerl
Fixes #3138
Closes #3147
2018-10-19 11:03:17 +02:00
Marcel Raad
abebb2b893
config_win32: enable LDAPS
As done in the autotools and CMake builds by default.

Closes https://github.com/curl/curl/pull/3137
2018-10-19 09:23:14 +02:00
Daniel Stenberg
ad547fcf7b
travis: add build for "configure --disable-verbose"
Closes #3144
2018-10-18 14:51:49 +02:00
Matthew Whitehead
df54b14fb7 x509asn1: Fix SAN IP address verification
For IP addresses in the subject alternative name field, the length
of the IP address (and hence the number of bytes to perform a
memcmp on) is incorrectly calculated to be zero. The code previously
subtracted q from name.end. where in a successful case q = name.end
and therefore addrlen equalled 0. The change modifies the code to
subtract name.beg from name.end to calculate the length correctly.

The issue only affects libcurl with GSKit SSL, not other SSL backends.
The issue is not a security issue as IP verification would always fail.

Fixes #3102
Closes #3141
2018-10-16 03:52:47 -04:00
Marcel Raad
6c413648ec
nonblock: fix unused parameter warning
If USE_BLOCKING_SOCKETS is defined, curlx_nonblock's arguments are not
used.
2018-10-14 21:07:45 +02:00
Michael Kaufmann
6afe70a00b Curl_follow: Always free the passed new URL
Closes #3124
2018-10-13 13:18:51 +02:00
Daniel Gustafsson
12d833fa1e transfer: fix typo in comment 2018-10-10 23:50:13 +02:00
Viktor Szakats
e13f023777 ldap: show precise LDAP call in error message on Windows
Also add a unique but common text ('bind via') to make it
easy to grep this specific failure regardless of platform.

Ref: https://github.com/curl/curl/pull/878/files#diff-7a636f08047c4edb53a240f540b4ecf6R468
Closes https://github.com/curl/curl/pull/3118
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-09 15:05:35 +00:00
Marcel Raad
673795f814
curl_setup: define NOGDI on Windows
This avoids an ERROR macro clash between <wingdi.h> and <arpa/tftp.h>
on MinGW.

Closes https://github.com/curl/curl/pull/3113
2018-10-09 08:33:53 +02:00
Marcel Raad
940e1c1e74
Windows: fixes for MinGW targeting Windows Vista
Classic MinGW has neither InitializeCriticalSectionEx nor
GetTickCount64, independent of the target Windows version.

Closes https://github.com/curl/curl/pull/3113
2018-10-09 08:33:45 +02:00
Viktor Szakats
ff9d7f4447 spelling fixes [ci skip]
as detected by codespell 1.14.0

Closes https://github.com/curl/curl/pull/3114
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-08 19:37:40 +00:00
Daniel Stenberg
2ece5e3001
curl_ntlm_wb: check aprintf() return codes
... when they return NULL we're out of memory and MUST return failure.

closes #3111
2018-10-08 12:06:33 +02:00
Rick Deist
3349a633b8
hostip: fix check on Curl_shuffle_addr return value
Closes #3110
2018-10-08 08:39:24 +02:00
Daniel Stenberg
e50a2002bd
FILE: fix CURLOPT_NOBODY and CURLOPT_HEADER output
Now FILE transfers send headers to the header callback like HTTP and
other protocols. Also made curl_easy_getinfo(...CURLINFO_PROTOCOL...)
work for FILE in the callbacks.

Makes "curl -i file://.." and "curl -I file://.." work like before
again. Applied the bold header logic to them too.

Regression from c1c2762 (7.61.0)

Reported-by: Shaun Jackman
Fixes #3083
Closes #3101
2018-10-08 08:35:40 +02:00
Daniel Gustafsson
b55e85d4ec gskit: make sure to terminate version string
In case a very small buffer was passed to the version function, it could
result in the buffer not being NULL-terminated since strncpy() doesn't
guarantee a terminator on an overflowed buffer. Rather than adding code
to terminate (and handle zero-sized buffers), move to using snprintf()
instead like all the other vtls backends.

Closes #3105
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Viktor Szakats <commit@vszakats.net>
2018-10-07 22:36:25 +02:00
dmitrykos
0b19ef13b4
timeval: fix use of weak symbol clock_gettime() on Apple platforms
Closes #3048
2018-10-05 22:29:21 +02:00
Daniel Stenberg
7f00146d00
doh: keep the IPv4 address in (original) network byte order
Ideally this will fix the reversed order shown in SPARC tests:

  resp 8: Expected 127.0.0.1 got 1.0.0.127

Closes #3091
2018-10-05 22:15:34 +02:00
Daniel Gustafsson
4301d14b90 checksrc: handle zero scoped ignore commands
If a !checksrc! disable command specified to ignore zero errors, it was
still added to the ignore block even though nothing was ignored. While
there were no blocks ignored that shouldn't be ignored, the processing
ended with with a warning:

<filename>:<line>:<col>: warning: Unused ignore: LONGLINE (UNUSEDIGNORE)
 /* !checksrc! disable LONGLINE 0 */
                    ^
Fix by instead treating a zero ignore as a a badcommand and throw a
warning for that one.

Closes #3096
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-05 13:33:21 +02:00
Daniel Gustafsson
b5d182d037 checksrc: enable strict mode and warnings
Enable strict and warnings mode for checksrc to ensure we aren't missing
anything due to bugs in the checking code. This uncovered a few things
which are all fixed in this commit:

* several variables were used uninitialized
* several variables were not defined in the correct scope
* the whitelist filehandle was read even if the file didn't exist
* the enable_warn() call when a disable counter had expired was passing
  incorrect variables, but since the checkwarn() call is unlikely to hit
  (the counter is only decremented to zero on actual ignores) it didn't
  manifest a problem.

Closes #3090
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-10-05 13:29:37 +02:00
dmitrykos
667b5721c7 cmake: test and set missed defines during configuration
Added configuration checks for HAVE_BUILTIN_AVAILABLE and HAVE_CLOCK_GETTIME_MONOTONIC.

Closes #3097
2018-10-05 13:10:41 +03:00
Daniel Stenberg
8f2bb0e377
doh: make sure TTL isn't re-inited by second (discarded?) response
Closes #3092
2018-10-04 23:22:28 +02:00
Daniel Gustafsson
2873971d62 memory: ensure to check allocation results
The result of a memory allocation should always be checked, as we may
run under memory pressure where even a small allocation can fail. This
adds checking and error handling to a few cases where the allocation
wasn't checked for success. In the ftp case, the freeing of the path
variable is moved ahead of the allocation since there is little point
in keeping it around across the strdup, and the separation makes for
more readable code. In nwlib, the lock is aslo freed in the error path.

Also bumps the copyright years on affected files.

Closes #3084
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03 23:45:38 +02:00
Daniel Gustafsson
e182fc1613 comment: Fix multiple typos in function parameters
Ensure that the parameters in the comment match the actual names in the
prototype.

Closes #3079
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-03 10:27:27 +02:00
Jay Satiro
dd6b62acc3 nss: fix nssckbi module loading on Windows
- Use .DLL extension instead of .so to load modules on Windows.

Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html
Reported-by: Maxime Legros

Ref: https://github.com/curl/curl/pull/3016/#issuecomment-423069442

Closes https://github.com/curl/curl/pull/3086
2018-10-03 02:28:09 -04:00
Daniel Stenberg
d9a2dc9aad
urlapi: starting with a drive letter on win32 is not an abs url
... and libcurl doesn't support any single-letter URL schemes (if there
even exist any) so it should be fairly risk-free.

Reported-by: Marcel Raad

Fixes #3070
Closes #3071
2018-10-02 11:48:01 +02:00
Marcel Raad
c1c092c0b4
doh: fix curl_easy_setopt argument type
CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit
MinGW.
2018-10-02 11:15:29 +02:00
Ruslan Baratov
69328490fc CMake: Improve config installation
Use 'GNUInstallDirs' standard module to set destinations of installed
files.

Use uppercase "CURL" names instead of lowercase "curl" to match standard
'FindCURL.cmake' CMake module:
* https://cmake.org/cmake/help/latest/module/FindCURL.html

Meaning:
* Install 'CURLConfig.cmake' instead of 'curl-config.cmake'
* User should call 'find_package(CURL)' instead of 'find_package(curl)'

Use 'configure_package_config_file' function to generate
'CURLConfig.cmake' file. This will make 'curl-config.cmake.in' template
file smaller and handle components better.  E.g.  current configuration
report no error if user specified unknown components (note: new
configuration expects no components, report error if user will try to
specify any).

Closes https://github.com/curl/curl/pull/2849
2018-10-01 16:16:29 -04:00
Daniel Stenberg
570008c99d
doh: only build if h2 enabled
The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version
of HTTP for use with DoH".

Reported-by: Marcel Raad
Closes #3066
2018-09-30 11:31:58 +02:00
Daniel Stenberg
2dfc0dd6b5
multi: fix memory leak in content encoding related error path
... a missing multi_done() call.

Credit to OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10728
Closes #3063
2018-09-29 15:03:57 +02:00
Daniel Stenberg
454fa3fd7b
multi: fix location URL memleak in error path
Follow-up to #3044 - fix a leak OSS-Fuzz detected
Closes #3057
2018-09-28 17:10:14 +02:00
Sergei Nikulov
f8215f80ab cmake: fixed path used in generation of docs/tests during curl build through add_subdicectory(...) 2018-09-28 16:54:20 +03:00
Marcel Raad
7ae78feea3
curl_threads: fix classic MinGW compile break
Classic MinGW still has _beginthreadex's return type as unsigned long
instead of uintptr_t [0]. uintptr_t is not even defined because of [1].

[0] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l167
[1] https://sourceforge.net/p/mingw/mingw-org-wsl/ci/wsl-5.1-release/tree/mingwrt/include/process.h#l90

Bug: https://github.com/curl/curl/issues/2924#issuecomment-424334807
Closes https://github.com/curl/curl/pull/3051
2018-09-27 09:13:20 +02:00
Daniel Stenberg
304bb2f7c1
Curl_http2_done: fix memleak in error path
Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for
early failures.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669
Closes #3046
2018-09-25 17:03:45 +02:00
Daniel Stenberg
4058cf2a7f
http: fix memleak in rewind error path
If the rewind would fail, a strdup() would not get freed.

Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10665
Closes #3044
2018-09-25 10:30:08 +02:00
Daniel Stenberg
ef695fc301
Curl_retry_request: fix memory leak
Detected by OSS-Fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10648
Closes #3042
2018-09-24 16:38:11 +02:00
Daniel Stenberg
e2dd435d47
openssl: load built-in engines too
Regression since 38203f1

Reported-by: Jean Fabrice
Fixes #3023
Closes #3040
2018-09-24 16:36:31 +02:00
Christian Heimes
b939bc47b2
OpenSSL: enable TLS 1.3 post-handshake auth
OpenSSL 1.1.1 requires clients to opt-in for post-handshake
authentication.

Fixes: https://github.com/curl/curl/issues/3026
Signed-off-by: Christian Heimes <christian@python.org>

Closes https://github.com/curl/curl/pull/3027
2018-09-24 08:01:18 +02:00
Even Rouault
55b51b8c49
Curl_dedotdotify(): always nul terminate returned string.
This fixes potential out-of-buffer access on "file:./" URL

$ valgrind curl "file:./"
==24516== Memcheck, a memory error detector
==24516== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24516== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24516== Command: /home/even/install-curl-git/bin/curl file:./
==24516==
==24516== Conditional jump or move depends on uninitialised value(s)
==24516==    at 0x4C31F9C: strcmp (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24516==    by 0x4EBB315: seturl (urlapi.c:801)
==24516==    by 0x4EBB568: parseurl (urlapi.c:861)
==24516==    by 0x4EBC509: curl_url_set (urlapi.c:1199)
==24516==    by 0x4E644C6: parseurlandfillconn (url.c:2044)
==24516==    by 0x4E67AEF: create_conn (url.c:3613)
==24516==    by 0x4E68A4F: Curl_connect (url.c:4119)
==24516==    by 0x4E7F0A4: multi_runsingle (multi.c:1440)
==24516==    by 0x4E808E5: curl_multi_perform (multi.c:2173)
==24516==    by 0x4E7558C: easy_transfer (easy.c:686)
==24516==    by 0x4E75801: easy_perform (easy.c:779)
==24516==    by 0x4E75868: curl_easy_perform (easy.c:798)

Was originally spotted by
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10637
Credit to OSS-Fuzz

Closes #3039
2018-09-24 07:48:41 +02:00
Viktor Szakats
b801b453af whitespace fixes
- replace tabs with spaces where possible
- remove line ending spaces
- remove double/triple newlines at EOF
- fix a non-UTF-8 character
- cleanup a few indentations/line continuations
  in manual examples

Closes https://github.com/curl/curl/pull/3037
2018-09-23 22:24:02 +00:00
Daniel Stenberg
e407e79c29
http: add missing return code check
Detected by Coverity. CID 1439610.

Follow-up from 46e164069d

Closes #3034
2018-09-23 23:08:39 +02:00
Daniel Stenberg
30b2d07b03
ftp: don't access pointer before NULL check
Detected by Coverity. CID 1439611.

Follow-up from 46e164069d
2018-09-23 23:08:36 +02:00
Daniel Stenberg
46e164069d
url: use the URL API internally as well
... to make it a truly unified URL parser.

Closes #3017
2018-09-22 11:58:10 +02:00
Viktor Szakats
f078361c0e URL and mailmap updates, remove an obsolete directory [ci skip]
Closes https://github.com/curl/curl/pull/3031
2018-09-22 07:58:32 +00:00
Erik Minekus
39c9140cce
Curl_saferealloc: Fixed typo in docblock
Closes #3029
2018-09-21 14:24:55 +02:00
Daniel Stenberg
2097cd5152
urlapi: fix support for address scope in IPv6 numerical addresses
Closes #3024
2018-09-21 11:19:14 +02:00
Loganaden Velvindron
9bdadbbdee
GnutTLS: TLS 1.3 support
Closes #2971
2018-09-21 09:13:33 +02:00
Jay Satiro
2e5651a5ce vtls: fix ssl version "or later" behavior change for many backends
- Treat CURL_SSLVERSION_MAX_NONE the same as
  CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
  the minimum version also as the maximum.

This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.

- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.

Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.

Co-authored-by: Daniel Gustafsson

Fixes https://github.com/curl/curl/issues/2969
Closes https://github.com/curl/curl/pull/3012
2018-09-20 14:12:25 -04:00
Daniel Stenberg
9307c219ad
urlapi: add CURLU_GUESS_SCHEME and fix hostname acceptance
In order for this API to fully work for libcurl itself, it now offers a
CURLU_GUESS_SCHEME flag that makes it "guess" scheme based on the host
name prefix just like libcurl always did. If there's no known prefix, it
will guess "http://".

Separately, it relaxes the check of the host name so that IDN host names
can be passed in as well.

Both these changes are necessary for libcurl itself to use this API.

Assisted-by: Daniel Gustafsson
Closes #3018
2018-09-19 23:21:52 +02:00
Kamil Dudka
eb0b3acbc1 nss: try to connect even if libnssckbi.so fails to load
One can still use CA certificates stored in NSS database.

Reported-by: Maxime Legros
Bug: https://curl.haxx.se/mail/lib-2018-09/0077.html

Closes #3016
2018-09-19 16:58:33 +02:00
Daniel Gustafsson
522e647cc5 urlapi: don't set value which is never read
In the CURLUPART_URL case, there is no codepath which invokes url
decoding so remove the assignment of the urldecode variable. This
fixes the deadstore bug-report from clang static analysis.

Closes #3015
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-19 13:44:10 +02:00
Daniel Stenberg
ec5d0991cc
curl_multi_wait: call getsock before figuring out timeout
.... since getsock may update the expiry timer.

Fixes #2996
Closes #3000
2018-09-18 15:39:28 +02:00
Daniel Gustafsson
ed7830061e darwinssl: Fix realloc memleak
The reallocation was using the input pointer for the return value, which
leads to a memory leak on reallication failure. Fix by instead use the
safe internal API call Curl_saferealloc().

Closes #3005
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Nick Zitzmann <nickzman@gmail.com>
2018-09-18 09:08:06 +02:00
Daniel Gustafsson
927cb3708e memory: add missing curl_printf header
ftp_send_command() was using vsnprintf() without including the libcurl
*rintf() replacement header. Fix by including curl_printf.h and also
add curl_memory.h while at it since memdebug.h depends on it.

Closes #2999
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-17 09:28:10 +02:00
Daniel Stenberg
55dbcb061d
http: made Curl_add_buffer functions take a pointer-pointer
... so that they can clear the original pointer on failure, which makes
the error-paths and their cleanups easier.

Closes #2992
2018-09-16 23:22:37 +02:00
Daniel Stenberg
130c53b632
http2: fix memory leaks on error-path 2018-09-16 23:22:15 +02:00
Viktor Szakats
420087bb30 secure Openwall URLs 2018-09-14 18:48:35 +00:00
Daniel Stenberg
4ff5f9405a
openssl: show "proper" version number for libressl builds
Closes #2989
2018-09-14 11:57:20 +02:00
Rainer Jung
1599dfcba6
openssl: assume engine support in 0.9.8 or later
Fixes #2983
Closes #2988
2018-09-14 11:56:28 +02:00
Daniel Gustafsson
daa12c6eb3 sendf: use failf() rather than Curl_failf()
The failf() macro is the name used for invoking Curl_failf(). While
there isn't a way to turn off failf like there is for infof, but it's
still a good idea to use the macro.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:48:21 +02:00
Daniel Gustafsson
e7ee2f2923 sendf: Fix whitespace in infof/failf concatenation
Strings broken on multiple rows in the .c file need to have appropriate
whitespace padding on either side of the concatenation point to render
a correct amalgamated string. Fix by adding a space at the occurrences
found.

Closes #2986
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-09-13 10:47:45 +02:00