Commit Graph

21035 Commits

Author SHA1 Message Date
Daniel Stenberg 6834ebaaa3 RELEASE-NOTES: synced with 79607eec51 2016-09-19 23:58:55 +02:00
Daniel Gustafsson 79607eec51 darwinssl: Fix typo in comment
Closes https://github.com/curl/curl/pull/1028
2016-09-19 17:06:00 -04:00
Bernard Spil 01c8db47aa libressl: fix version output
LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` for all
versions returning `LibreSSL/2.0.0` for any LibreSSL version.

This change provides a local OpenSSL_version_num function replacement
returning LIBRESSL_VERSION_NUMBER instead.

Closes #1029
2016-09-19 22:47:35 +02:00
rugk 31dd3bf674 TODO: Add PINNEDPUBLICKEY - HPKP compatibility, HSTS & HPKP
Closes #1025
Closes #1026
Closes #1027
2016-09-19 16:58:33 +02:00
Daniel Stenberg a2b360f890 openssl: don't call ERR_remote_thread_state on >= 1.1.0
Follow-up fix to d9321562
2016-09-19 14:32:59 +02:00
Daniel Stenberg de71e68000 openssl: don’t call CRYTPO_cleanup_all_ex_data
The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
multiple times without crashing - and other libs might call it! We
basically cannot call it without risking a crash. The function is a
no-op since OpenSSL 1.1.0.

Not calling this function only risks a small memory leak with OpenSSL <
1.1.0.

Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
Reported-by: Todd Short
2016-09-19 11:33:14 +02:00
Daniel Stenberg fb0032a33e TODO: Support SSLKEYLOGFILE 2016-09-19 10:29:00 +02:00
Jay Satiro 6ee9ea5e70 CURLOPT_PINNEDPUBLICKEY.3: fix the AVAILABILITY formatting 2016-09-18 17:56:35 -04:00
Nick Zitzmann 227ee9d84d darwinssl: disable RC4 cipher-suite support
RC4 was a nice alternative to CBC back in the days of BEAST, but it's insecure and obsolete now.
2016-09-18 15:01:03 -05:00
Nick Zitzmann d086b2394c configure: change "iOS/Mac OS X native" to "Apple OS native"
Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
2016-09-18 14:50:17 -05:00
Jay Satiro 19445f35ba test2048: fix url 2016-09-18 15:33:15 -04:00
Jay Satiro 45c1c54c42 examples/imap-append: Set size of data to be uploaded
Prior to this commit this example failed with error
'Cannot APPEND with unknown input file size'.

Bug: https://github.com/curl/curl/issues/1008
Reported-by: lukaszgn@users.noreply.github.com

Closes https://github.com/curl/curl/pull/1011
2016-09-18 02:19:17 -04:00
Tony Kelman e01d0f1030 LICENSE-MIXING.md: update with mbedTLS dual licensing
Recent versions of mbedTLS are available under either Apache 2.0 or GPL
2.0, see https://tls.mbed.org/how-to-get

Closes #1019
2016-09-16 23:56:28 +02:00
Daniel Stenberg 710f0572c9 KNOWN_BUGS: chunked-encoded requests with HTTP/2 is fixed 2016-09-16 09:00:20 +02:00
Daniel Stenberg f423a00971 http2: debug ouput sent HTTP/2 request headers 2016-09-16 09:00:20 +02:00
Daniel Stenberg d4c5a91722 http: accept "Transfer-Encoding: chunked" for HTTP/2 as well
... but don't send the actual header over the wire as it isn't accepted.
Chunked uploading is still triggered using this method.

Fixes #1013
Fixes #662
2016-09-16 09:00:20 +02:00
Daniel Stenberg d93215621f openssl: fix per-thread memory leak usiong 1.0.1 or 1.0.2
OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
so we need to clean it when easy handles are freed, in case the thread
will be killed in which the easy handle was used. All OpenSSL code in
libcurl should extract the error in association with the error already
so clearing this queue here should be harmless at worst.

Fixes #964
2016-09-14 14:35:44 +02:00
Daniel Stenberg 4ba1569ad1 RELEASE-NOTES: reset and go toward 7.51.0 (again) 2016-09-14 09:00:00 +02:00
Daniel Stenberg 8986c86e1e THANKS: updated with curl 7.50.3 contributors 2016-09-14 07:56:18 +02:00
Daniel Stenberg 0b4a85352b RELEASE-NOTES: curl 7.50.3 2016-09-14 07:56:11 +02:00
Daniel Stenberg 8dcc074f36 test1605: verify negative input lengths to (un)escape functions 2016-09-14 07:49:43 +02:00
Daniel Stenberg 01cf1308ee curl_easy_unescape: deny negative string lengths as input
CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html
2016-09-14 07:49:43 +02:00
Daniel Stenberg 826a9ced2b curl_easy_escape: deny negative string lengths as input
CVE-2016-7167

Bug: https://curl.haxx.se/docs/adv_20160914.html
2016-09-14 07:49:43 +02:00
Daniel Stenberg ffa0709a88 curl: make --create-dirs on windows grok both forward and backward slashes
Reported-by: Ryan Scott

Fixes #1007
2016-09-14 07:48:43 +02:00
Daniel Stenberg 4a35bbbe8e RELEASE-NOTES: synced with 665694979b 2016-09-13 15:09:29 +02:00
Tony Kelman 665694979b mbedtls: switch off NTLM in build if md4 isn't available
NTLM support with mbedTLS was added in 497e7c9 but requires that mbedTLS
is built with the MD4 functions available, which it isn't in default
builds. This now adapts if the funtion isn't there and builds libcurl
without NTLM support if so.

Fixes #1004
2016-09-12 23:08:10 +02:00
Jay Satiro 511838f1d8 CODE_STYLE: fix long-line guideline
- Change maximum allowed line length from 80 to 79.
2016-09-12 01:51:37 -04:00
Jay Satiro 27c2131b02 CODE_STYLE: add column alignment section
Note that since the added examples are for column alignment I had to
encapsulate with ~~~c markdown to preserve their alignment.
2016-09-11 19:12:14 -04:00
Peter Wu 2f3feda273 cmake: fix curl-config --static-libs
The `curl-config --static-libs` command should not output paths like
-l/usr/lib/libssl.so, instead print the absolute path without `-l`.

This also removes the confusing message "Static linking is broken" which
was printed because curl-config --static-libs was disfunctional even
though the static libcurl.a library works properly.

Fixes https://github.com/curl/curl/issues/841
2016-09-11 13:13:19 +02:00
Daniel Stenberg a8e751a51a http: refuse to pass on response body with NO_NODY was set
... like when a HTTP/0.9 response comes back without any headers at all
and just a body this now prevents that body from being sent to the
callback etc.

Adapted test 1144 to verify.

Fixes #973

Assisted-by: Ray Satiro
2016-09-11 12:02:07 +02:00
Daniel Stenberg d58682f28b RELEASE-NOTES: synced with 257bf3ac67 2016-09-11 00:06:17 +02:00
Jakub Zakrzewski 257bf3ac67 CMake: Don't build unit tests if private symbols are hidden
This only excludes building unit tests from default build ( 'all' Make
target or "Build Solution" in VisualStudio). The projects and Make
targets will still be generated and shown in supporting IDEs.

Fixes https://github.com/curl/curl/issues/981
Reported-by: Randy Armstrong

Closes https://github.com/curl/curl/pull/990
2016-09-10 00:35:38 +02:00
Jakub Zakrzewski 6140dfcf3e CMake: Try to (un-)hide private library symbols
Detect support for compiler symbol visibility flags and apply those
according to CURL_HIDDEN_SYMBOLS option.
It should work true to the autotools build except it tries to unhide
symbols on Windows when requested and prints warning if it fails.

Ref: https://github.com/curl/curl/issues/981#issuecomment-242665951
Reported-by: Daniel Stenberg
2016-09-10 00:35:38 +02:00
Daniel Stenberg 83ef21e5e9 openssl: fix bad memory free (regression)
... by partially reverting f975f06033. The allocation could be made by
OpenSSL so the free must be made with OPENSSL_free() to avoid problems.

Reported-by: Harold Stuart
Fixes #1005
2016-09-09 23:35:10 +02:00
Daniel Stenberg 85033bcfcc http2: support > 64bit sized uploads
... by making sure we don't count down the "upload left" counter when the
uploaded size is unknown and then it can be allowed to continue forever.

Fixes #996
2016-09-09 15:41:39 +02:00
Jay Satiro af2d679e14 errors: new alias CURLE_WEIRD_SERVER_REPLY (8)
Since we're using CURLE_FTP_WEIRD_SERVER_REPLY in imap, pop3 and smtp as
more of a generic "failed to parse" introduce an alias without FTP in
the name.

Closes https://github.com/curl/curl/pull/975
2016-09-07 21:24:27 -04:00
Daniel Stenberg add8ee7d57 bump: toward 7.51.0 2016-09-07 15:45:24 +02:00
Daniel Stenberg ebd620d691 HISTORY: remove ascii logo to render nicer on web 2016-09-07 14:29:19 +02:00
Daniel Stenberg b965090963 curl: whitelist use of strtok() in non-threaded context 2016-09-07 10:43:40 +02:00
Daniel Stenberg 5871dfcc16 checksrc: detect strtok() use
... as that function slipped through once before.
2016-09-07 10:41:57 +02:00
Viktor Szakats 8fa20da8e1 mk-ca-bundle.pl: use SHA256 instead of SHA1
This hash is used to verify the original downloaded certificate bundle
and also included in the generated bundle's comment header. Also
rename related internal symbols to algorithm-agnostic names.
2016-09-07 10:41:11 +02:00
Daniel Stenberg 9ce6d0d528 RELEASE-NOTES: curl 7.50.2 release 2016-09-07 07:45:43 +02:00
Daniel Stenberg e79de9e326 THANKS: updated for 7.50.2 2016-09-07 07:45:40 +02:00
Gaurav Malhotra 8e176a7c79 openssl: fix CURLINFO_SSL_VERIFYRESULT
CURLINFO_SSL_VERIFYRESULT does not get the certificate verification
result when SSL_connect fails because of a certificate verification
error.

This fix saves the result of SSL_get_verify_result so that it is
returned by CURLINFO_SSL_VERIFYRESULT.

Closes https://github.com/curl/curl/pull/995
2016-09-06 16:17:37 -04:00
Daniel Gustafsson 022dbdb8ac darwinssl: test for errSecSuccess in PKCS12 import rather than noErr (#993)
While noErr and errSecSuccess are defined as the same value, the API
documentation states that SecPKCS12Import() returns errSecSuccess if
there were no errors in importing. Ensure that a future change of the
defined value doesn't break (however unlikely) and be consistent with
the API docs.
2016-09-06 10:37:31 +02:00
Daniel Gustafsson 8331b08d22 docs: Fix link to CONTRIBUTE in Github contribution guidelines (#994) 2016-09-06 10:35:00 +02:00
Marcel Raad 4af389353a openssl: Fix compilation with OPENSSL_API_COMPAT=0x10100000L
With OPENSSL_API_COMPAT=0x10100000L (OpenSSL 1.1 API), the cleanup
functions are unavailable (they're no-ops anyway in OpenSSL 1.1). The
replacements for SSL_load_error_strings, SSLeay_add_ssl_algorithms, and
OpenSSL_add_all_algorithms are called automatically [1][2]. SSLeay() is
now called OpenSSL_version_num().

[1]: https://www.openssl.org/docs/man1.1.0/ssl/OPENSSL_init_ssl.html
[2]: https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_init_crypto.html

Closes #992
2016-09-05 22:51:12 +02:00
Daniel Stenberg 72abf4f59e RELEASE-NOTES: synced with 3d4c0c8b9b 2016-09-05 14:55:01 +02:00
Daniel Stenberg 3d4c0c8b9b http2: return EOF when done uploading without known size
Fixes #982
2016-09-05 14:32:32 +02:00
Daniel Stenberg 03bb481598 http2: skip the content-length parsing, detect unknown size 2016-09-05 13:55:24 +02:00