1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-25 17:48:48 -05:00
Commit Graph

10284 Commits

Author SHA1 Message Date
Daniel Stenberg
6f61933adf
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
To make sure Curl_timeleft() also thinks the timeout has been reached
when one of the EXPIRE_*TIMEOUTs expires.

Bug: https://curl.haxx.se/mail/lib-2019-01/0073.html
Reported-by: Zhao Yisha
Closes #3501
2019-02-01 08:19:40 +01:00
Jeremie Rapin
a9d9a3abbe
sigpipe: if mbedTLS is used, ignore SIGPIPE
mbedTLS doesn't have a sigpipe management. If a write/read occurs when
the remote closes the socket, the signal is raised and kills the
application.  Use the curl mecanisms fix this behavior.

Signed-off-by: Jeremie Rapin <j.rapin@overkiz.com>

Closes #3502
2019-01-28 12:03:33 +01:00
Michael Kujawa
b0a43aade1 timeval: Disable MSVC Analyzer GetTickCount warning
Compiling with msvc /analyze and a recent Windows SDK warns against
using GetTickCount (Suggests to use GetTickCount64 instead.)

Since GetTickCount is only being used when GetTickCount64 isn't
available, I am disabling that warning.

Fixes https://github.com/curl/curl/issues/3437
Closes https://github.com/curl/curl/pull/3440
2019-01-28 01:16:00 -05:00
Daniel Stenberg
179311ec37
configure: rewrite --enable-code-coverage
The previously used ax_code_coverage.m4 is not license compatible and
must not be used.

Reported-by: William A. Rowe Jr
Fixes #3497
Closes #3499
2019-01-26 00:29:50 +01:00
Felix Hädicke
3cbf731d9e
setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for
libssh as well. So accepting these options only when compiling with
libssh2 is wrong here.

Fixes #3493
Closes #3494
2019-01-24 09:09:45 +01:00
Felix Hädicke
15c94b310b
libssh: do not let libssh create socket
By default, libssh creates a new socket, instead of using the socket
created by curl for SSH connections.

Pass the socket created by curl to libssh using ssh_options_set() with
SSH_OPTIONS_FD directly after ssh_new(). So libssh uses our socket
instead of creating a new one.

This approach is very similar to what is done in the libssh2 code, where
the socket created by curl is passed to libssh2 when
libssh2_session_startup() is called.

Fixes #3491
Closes #3495
2019-01-24 09:03:11 +01:00
Archangel_SDY
ce6f73b912
schannel: preserve original certificate path parameter
Fixes #3480
Closes #3487
2019-01-21 23:21:45 +01:00
Daniel Gustafsson
f0b2c13a9e memcmp: avoid doing single char memcmp
There is no real gain in performing memcmp() comparisons on single
characters, so change these to array subscript inspections which
saves a call and makes the code clearer.

Closes #3486
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
2019-01-20 21:59:04 +01:00
georgeok
0966233744 ntlm_sspi: add support for channel binding
Windows extended potection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.

Fixes #3280
Closes #3321
2019-01-19 13:00:53 +01:00
Daniel Stenberg
6ee6729709
schannel: on connection close there might not be a transfer
Reported-by: Marcel Raad
Fixes #3412
Closes #3483
2019-01-18 16:43:21 +01:00
JDepooter
b095a1ca63
ssh: log the libssh2 error message when ssh session startup fails
When a ssh session startup fails, it is useful to know why it has
failed. This commit changes the message from:
   "Failure establishing ssh session"
to something like this, for example:
   "Failure establishing ssh session: -5, Unable to exchange encryption keys"

Closes #3481
2019-01-17 15:03:16 +01:00
Daniel Stenberg
16a3307e81
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.

Reported-by: Pavel Pavlov
Fixes #3477
Closes #3478
2019-01-16 08:20:57 +01:00
Daniel Stenberg
bbae24c3ae
extract_if_dead: follow-up to 54b201b48c
extract_if_dead() dead is called from two functions, and only one of
them should get conn->data updated and now neither call path clears it.

scan-build found a case where conn->data would be NULL dereferenced in
ConnectionExists() otherwise.

Closes #3473
2019-01-15 08:49:16 +01:00
Daniel Stenberg
fe71b2d928
multi: remove "Dead assignment"
Found by scan-build. Follow-up to 4c35574bb7.

Closes #3471
2019-01-15 08:10:17 +01:00
Daniel Stenberg
ea77fec16f
tests: move objnames-* from lib into tests
Since they're used purely for testing purposes, I think they should
rather be stored there.

Closes #3470
2019-01-15 08:09:34 +01:00
Frank Gevaerts
c54ee668df
cookie: fix comment typo (url_path_len -> uri_path_len)
Closes #3469
2019-01-14 23:02:34 +01:00
Daniel Stenberg
54b201b48c
extract_if_dead: use a known working transfer when checking connections
Make sure that this function sets a proper "live" transfer for the
connection before calling the protocol-specific connection check
function, and then clear it again afterward as a non-used connection has
no current transfer.

Reported-by: Jeroen Ooms
Reviewed-by: Marcel Raad
Reviewed-by: Daniel Gustafsson
Fixes #3463
Closes #3464
2019-01-13 17:09:14 +01:00
Daniel Stenberg
cf8c70594f
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
OpenSSL_version() replaces OpenSSL_version_num()

Closes #3462
2019-01-13 17:06:59 +01:00
Daniel Stenberg
ba243235ec
urldata: rename easy_conn to just conn
We use "conn" everywhere to be a pointer to the connection.

Introduces two functions that "attaches" and "detaches" the connection
to and from the transfer.

Going forward, we should favour using "data->conn" (since a transfer
always only has a single connection or none at all) to "conn->data"
(since a connection can have none, one or many transfers associated with
it and updating conn->data to be correct is error prone and a frequent
reason for internal issues).

Closes #3442
2019-01-11 15:35:13 +01:00
Daniel Stenberg
afeb8d9902
cookies: allow secure override when done over HTTPS
Added test 1562 to verify.

Reported-by: Jeroen Ooms
Fixes #3445
Closes #3450
2019-01-10 10:31:06 +01:00
Daniel Stenberg
4c35574bb7
multi: multiplexing improvements
Fixes #3436
Closes #3448

 Problem 1

After LOTS of scratching my head, I eventually realized that even when doing
10 uploads in parallel, sometimes the socket callback to the application that
tells it what to wait for on the socket, looked like it would reflect the
status of just the single transfer that just changed state.

Digging into the code revealed that this was indeed the truth. When multiple
transfers are using the same connection, the application did not correctly get
the *combined* flags for all transfers which then could make it switch to READ
(only) when in fact most transfers wanted to get told when the socket was
WRITEABLE.

 Problem 1b

A separate but related regression had also been introduced by me when I
cleared connection/transfer association better a while ago, as now the logic
couldn't find the connection and see if that was marked as used by more
transfers and then it would also prematurely remove the socket from the socket
hash table even in times other transfers were still using it!

 Fix 1

Make sure that each socket stored in the socket hash has a "combined" action
field of what to ask the application to wait for, that is potentially the ORed
action of multiple parallel transfers. And remove that socket hash entry only
if there are no transfers left using it.

 Problem 2

The socket hash entry stored an association to a single transfer using that
socket - and when curl_multi_socket_action() was called to tell libcurl about
activities on that specific socket only that transfer was "handled".

This was WRONG, as a single socket/connection can be used by numerous parallel
transfers and not necessarily a single one.

 Fix 2

We now store a list of handles in the socket hashtable entry and when libcurl
is told there's traffic for a particular socket, it now iterates over all
known transfers using that single socket.
2019-01-10 09:49:09 +01:00
Katsuhiko YOSHIDA
1f30dc886d
cookies: skip custom cookies when redirecting cross-site
Closes #3417
2019-01-09 15:18:08 +01:00
Daniel Stenberg
1a93153783
timediff: fix math for unsigned time_t
Bug: https://curl.haxx.se/mail/lib-2018-12/0088.html

Closes #3449
2019-01-09 10:15:36 +01:00
Brad Spencer
84a30d0a41
curl_multi_remove_handle() don't block terminating c-ares requests
Added Curl_resolver_kill() for all three resolver modes, which only
blocks when necessary, along with test 1592 to confirm
curl_multi_remove_handle() doesn't block unless it must.

Closes #3428
Fixes #3371
2019-01-07 10:05:20 +01:00
Daniel Stenberg
ebe658c1e5
Revert "http_negotiate: do not close connection until negotiation is completed"
This reverts commit 07ebaf8378.

This also reopens PR #3275 which brought the change now reverted.

Fixes #3384
Closes #3439
2019-01-07 09:36:36 +01:00
Marcel Raad
e939afeb5c
schannel: fix compiler warning
When building with Unicode on MSVC, the compiler warns about freeing a
pointer to const in Curl_unicodefree. Fix this by declaring it as
non-const and casting the argument to Curl_convert_UTF8_to_tchar to
non-const too, like we do in all other places.

Closes https://github.com/curl/curl/pull/3435
2019-01-06 23:09:19 +01:00
Rikard Falkeborn
1e4ec09a26
printf: introduce CURL_FORMAT_TIMEDIFF_T 2019-01-04 23:51:13 +01:00
Rikard Falkeborn
fa2d6ba84d
printf: fix format specifiers
Closes #3426
2019-01-04 23:50:48 +01:00
Markus Moeller
7bcca93459 ntlm: update selection of type 3 response
NTLM2 did not work i.e. no NTLMv2 response was created. Changing the
check seems to work.

Ref: https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-NLMP/[MS-NLMP].pdf

Fixes https://github.com/curl/curl/issues/3286
Closes https://github.com/curl/curl/pull/3287
Closes https://github.com/curl/curl/pull/3415
2019-01-01 11:47:17 +01:00
Daniel Gustafsson
a4482b21bd urlapi: fix parsing ipv6 with zone index
The previous fix for parsing IPv6 URLs with a zone index was a paddle
short for URLs without an explicit port. This patch fixes that case
and adds a unit test case.

This bug was highlighted by issue #3408, and while it's not the full
fix for the problem there it is an isolated bug that should be fixed
regardless.

Closes #3411
Reported-by: GitYuanQu on github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-30 20:11:57 +01:00
Claes Jakobsson
d8cae791f4 hostip: support wildcard hosts
This adds support for wildcard hosts in CURLOPT_RESOLVE. These are
try-last so any non-wildcard entry is resolved first. If specified,
any host not matched by another CURLOPT_RESOLVE config will use this
as fallback.

Example send a.com to 10.0.0.1 and everything else to 10.0.0.2:
  curl --resolve *:443:10.0.0.2 --resolve a.com:443:10.0.0.1 \
       https://a.com https://b.com

This is probably quite similar to using:
  --connect-to a.com:443:10.0.0.1:443 --connect-to :443:10.0.0.2:443

Closes #3406
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-27 14:23:53 +01:00
Daniel Gustafsson
ba266b3ed7 url: fix incorrect indentation 2018-12-27 00:05:12 +01:00
Daniel Stenberg
7608f9a2d5
Revert "libssh: no data pointer == nothing to do"
This reverts commit c98ee5f67f since commit f3ce38739f fixed the
problem in a more generic way.
2018-12-23 23:13:15 +01:00
Daniel Stenberg
f3ce38739f
disconnect: set conn->data for protocol disconnect
Follow-up to fb445a1e18: Set conn->data explicitly to point out the
current transfer when invoking the protocol-specific disconnect function
so that it can work correctly.

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12173
2018-12-23 23:12:40 +01:00
Pavel P
e9ababd4f5 timeval: Use high resolution timestamps on Windows
- Use QueryPerformanceCounter on Windows Vista+

There is confusing info floating around that QueryPerformanceCounter
can leap etc, which might have been true long time ago, but no longer
the case nowadays (perhaps starting from WinXP?). Also, boost and
std::chrono::steady_clock use QueryPerformanceCounter in a similar way.

Prior to this change GetTickCount or GetTickCount64 was used, which has
lower resolution. That is still the case for <= XP.

Fixes https://github.com/curl/curl/issues/3309
Closes https://github.com/curl/curl/pull/3318
2018-12-23 02:30:37 -05:00
Daniel Stenberg
c98ee5f67f
libssh: no data pointer == nothing to do 2018-12-22 18:14:57 +01:00
Daniel Stenberg
85f9aa08d9
conncache_unlock: avoid indirection by changing input argument type 2018-12-22 18:14:56 +01:00
Daniel Stenberg
fb445a1e18
disconnect: separate connections and easy handles better
Do not assume/store assocation between a given easy handle and the
connection if it can be avoided.

Long-term, the 'conn->data' pointer should probably be removed as it is a
little too error-prone. Still used very widely though.

Reported-by: masbug on github
Fixes #3391
Closes #3400
2018-12-22 18:14:50 +01:00
Daniel Stenberg
d18a5afaf0
libssh: free sftp_canonicalize_path() data correctly
Assisted-by: Harry Sintonen

Fixes #3402
Closes #3403
2018-12-22 18:10:39 +01:00
Daniel Stenberg
006ff62d8c
http: added options for allowing HTTP/0.9 responses
Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose.

For now, both the tool and library allow HTTP/0.9 by default.
docs/DEPRECATE.md lays out the plan for when to reverse that default: 6
months after the 7.64.0 release. The options are added already now so
that applications/scripts can start using them already now.

Fixes #2873
Closes #3383
2018-12-21 10:49:30 +01:00
Daniel Stenberg
db9776ea00
if2ip: remove unused function Curl_if_is_interface_name
Closes #3401
2018-12-21 10:46:05 +01:00
Daniel Stenberg
6dc1780ea5
http2: clear pause stream id if it gets closed
Reported-by: Florian Pritz

Fixes #3392
Closes #3399
2018-12-20 17:10:12 +01:00
David Garske
982a897b4b wolfssl: Perform cleanup
This adds a cleanup callback for cyassl. Resolves possible memory leak
when using ECC fixed point cache.

Closes #3395
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
2018-12-20 11:32:55 +01:00
Daniel Stenberg
0b9fadf81f
mbedtls: follow-up VERIFYHOST fix from f097669248
Fix-by: Eric Rosenquist

Fixes #3376
Closes #3390
2018-12-20 11:00:34 +01:00
Daniel Gustafsson
3773de378d cookies: extend domain checks to non psl builds
Ensure to perform the checks we have to enforce a sane domain in
the cookie request. The check for non-PSL enabled builds is quite
basic but it's better than nothing.

Closes #2964
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-19 20:59:09 +01:00
Matus Uzak
462037ad48
smb: fix incorrect path in request if connection reused
Follow-up to 09e401e01b.  If connection gets reused, then data member
will be copied, but not the proto member.  As a result, in smb_do(),
path has been set from the original proto.share data.

Closes #3388
2018-12-19 09:52:36 +01:00
Daniel Stenberg
f097669248
mbedtls: use VERIFYHOST
Previously, VERIFYPEER would enable/disable all checks.

Reported-by: Eric Rosenquist
Fixes #3376
Closes #3380
2018-12-17 23:36:42 +01:00
Daniel Stenberg
d8a9de6203
pingpong: change default response timeout to 120 seconds
Previously it was 30 minutes
2018-12-17 12:33:18 +01:00
Daniel Stenberg
154a17b6ee
pingpong: ignore regular timeout in disconnect phase
The timeout set with CURLOPT_TIMEOUT is no longer used when
disconnecting from one of the pingpong protocols (FTP, IMAP, SMTP,
POP3).

Reported-by: jasal82 on github

Fixes #3264
Closes #3374
2018-12-17 12:33:00 +01:00
Ayoub Boudhar
f464535bfd
http: Implement trailing headers for chunked transfers
This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION
options that allow a callback based approach to sending trailing headers
with chunked transfers.

The test server (sws) was updated to take into account the detection of the
end of transfer in the case of trailing headers presence.

Test 1591 checks that trailing headers can be sent using libcurl.

Closes #3350
2018-12-14 10:10:48 +01:00
Daniel Stenberg
4531b299cc
darwinssl: accept setting max-tls with default min-tls
Reported-by: Andrei Neculau
Fixes #3367
Closes #3373
2018-12-14 09:54:31 +01:00
Daniel Stenberg
4b4062aaeb
gopher: fix memory leak from 9026083ddb 2018-12-13 15:06:17 +01:00
Leonardo Taccari
9026083ddb
gopher: always include the entire gopher-path in request
After the migration to URL API all octets in the selector after the
first `?' were interpreted as query and accidentally discarded and not
passed to the server.

Add a gopherpath to always concatenate possible path and query URL
pieces.

Fixes #3369
Closes #3370
2018-12-13 10:22:25 +01:00
Leonardo Taccari
305d25ed8a
urlapi: distinguish possibly empty query
If just a `?' to indicate the query is passed always store a zero length
query instead of having a NULL query.

This permits to distinguish URL with trailing `?'.

Fixes #3369
Closes #3370
2018-12-13 10:21:33 +01:00
Daniel Gustafsson
7a09b52c98 cookies: leave secure cookies alone
Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
to influence the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-13 09:57:58 +01:00
Daniel Gustafsson
d8607da1a6 urlapi: Fix port parsing of eol colon
A URL with a single colon without a portnumber should use the default
port, discarding the colon. Fix, add a testcase and also do little bit
of comment wordsmithing.

Closes #3365
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-12 11:48:04 +01:00
Daniel Stenberg
435402cfe3
Curl_follow: extract the Location: header field unvalidated
... when not actually following the redirect. Otherwise we return error
for this and an application can't extract the value.

Test 1518 added to verify.

Reported-by: Pavel Pavlov
Fixes #3340
Closes #3364
2018-12-12 07:58:47 +01:00
Daniel Stenberg
ecb2e194d4
multi: convert two timeout variables to timediff_t
The time_t type is unsigned on some systems and these variables are used
to hold return values from functions that return timediff_t
already. timediff_t is always a signed type.

Closes #3363
2018-12-11 15:43:20 +01:00
Daniel Gustafsson
e1be2ecba4 tests: add urlapi unittest
This adds a new unittest intended to cover the internal functions in
the urlapi code, starting with parse_port(). In order to avoid name
collisions in debug builds, parse_port() is renamed Curl_parse_port()
since it will be exported.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 15:02:24 +01:00
Daniel Gustafsson
63533cbde2 urlapi: fix portnumber parsing for ipv6 zone index
An IPv6 URL which contains a zone index includes a '%%25<zode id>'
string before the ending ']' bracket. The parsing logic wasn't set
up to cope with the zone index however, resulting in a malformed url
error being returned. Fix by breaking the parsing into two stages
to correctly handle the zone index.

Closes #3355
Closes #3319
Reported-by: tonystz on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-12-11 15:02:19 +01:00
Jay Satiro
552f0205e6
http: fix HTTP auth to include query in URI
- Include query in the path passed to generate HTTP auth.

Recent changes to use the URL API internally (46e1640, 7.62.0)
inadvertently broke authentication URIs by omitting the query.

Fixes https://github.com/curl/curl/issues/3353
Closes #3356
2018-12-11 13:28:20 +01:00
Michael Kaufmann
c8bf8cc1e4
http: don't set CURLINFO_CONDITION_UNMET for http status code 204
The http status code 204 (No Content) should not change the "condition
unmet" flag. Only the http status code 304 (Not Modified) should do
this.

Closes #359
2018-12-11 13:22:42 +01:00
Samuel Surtees
1b443a7c00
ldap: fix LDAP URL parsing regressions
- Match URL scheme with LDAP and LDAPS
- Retrieve attributes, scope and filter from URL query instead

Regression brought in 46e164069d (7.62.0)

Closes #3362
2018-12-11 13:20:12 +01:00
Stefan Kanthak
e1360a1c91
(lib)curl.rc: fixup for minor bugs
All resources defined in lib/libcurl.rc and curl.rc are language
neutral.

winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the
ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong.

Replace the hard-coded constants in both *.rc files with #define'd
values.

Thumbs-uped-by: Rod Widdowson, Johannes Schindelin
URL: https://curl.haxx.se/mail/lib-2018-11/0000.html
Closes #3348
2018-12-10 00:10:04 +01:00
Daniel Stenberg
1e9abfedfa
cookies: expire "Max-Age=0" immediately
Reported-by: Jeroen Ooms
Fixes #3351
Closes #3352
2018-12-09 18:34:55 +01:00
Johannes Schindelin
d997aa0e96
Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
This is a companion patch to cbea2fd2c (NTLM: force the connection to
HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
preemptively. However, with other (Negotiate) authentication it is not
clear to this developer whether there is a way to make it work with
HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
error HTTP_1_1_REQUIRED.

Note: we will still keep the NTLM workaround, as it avoids an extra
round trip.

Daniel Stenberg helped a lot with this patch, in particular by
suggesting to introduce the Curl_h2_http_1_1_error() function.

Closes #3349

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-08 10:59:23 +01:00
Ben Greear
07e61abdac
openssl: fix unused variable compiler warning with old openssl
URL: https://curl.haxx.se/mail/lib-2018-11/0055.html

Closes #3347
2018-12-07 17:03:17 +01:00
Johannes Schindelin
cbea2fd2c7
NTLM: force the connection to HTTP/1.1
Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
the capability. However, NTLM authentication only works with HTTP/1.1,
and will likely remain in that boat (for details, see
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).

When we just found out that we want to use NTLM, and when the current
connection runs in HTTP/2 mode, let's force the connection to be closed
and to be re-opened using HTTP/1.1.

Fixes https://github.com/curl/curl/issues/3341.
Closes #3345

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
2018-12-07 13:03:21 +01:00
Johannes Schindelin
2456152069
curl_global_sslset(): id == -1 is not necessarily an error
It is allowed to call that function with id set to -1, specifying the
backend by the name instead. We should imitate what is done further down
in that function to allow for that.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Closes #3346
2018-12-07 11:38:22 +01:00
Daniel Stenberg
d506df860f
doh: fix memory leak in OOM situation
Reviewed-by: Daniel Gustafsson
Closes #3342
2018-12-06 09:52:38 +01:00
Daniel Stenberg
027d66e5f1
doh: make it work for h2-disabled builds too
Reported-by: dtmsecurity at github
Fixes #3325
Closes #3336
2018-12-05 23:44:26 +01:00
Gergely Nagy
08efa19e6a
openssl: do not use file BIOs if not requested
Moves the file handling BIO calls to the branch of the code where they
are actually used.

Closes #3339
2018-12-05 15:26:18 +01:00
Paul Howarth
8ad9e5915a
nss: Fix compatibility with nss versions 3.14 to 3.15 2018-12-05 15:24:32 +01:00
Paul Howarth
71a1442eb2
nss: Improve info message when falling back SSL protocol
Use descriptive text strings rather than decimal numbers.
2018-12-05 15:24:32 +01:00
Paul Howarth
6848ea585b
nss: Fall back to latest supported SSL version
NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.

This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.

Fixes #3261
2018-12-05 15:24:32 +01:00
Daniel Gustafsson
6381708970 checksrc: add COPYRIGHTYEAR check
Forgetting to bump the year in the copyright clause when hacking has
been quite common among curl developers, but a traditional checksrc
check isn't a good fit as it would penalize anyone hacking on January
1st (among other things). This adds a more selective COPYRIGHTYEAR
check which intends to only cover the currently hacked on changeset.

The check for updated copyright year is currently not enforced on all
files but only on files edited and/or committed locally. This is due to
the amount of files which aren't updated with their correct copyright
year at the time of their respective commit.

To further avoid running this expensive check for every developer, it
adds a new local override mode for checksrc where a .checksrc file can
be used to turn on extended warnings locally.

Closes #3303
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-12-03 23:13:40 +01:00
Sevan Janiyan
b466560124 connect: fix building for recent versions of Minix
EBADIOCTL doesn't exist on more recent Minix.
There have also been substantial changes to the network stack.
Fixes build on Minix 3.4rc

Closes https://github.com/curl/curl/pull/3323
2018-11-29 02:05:23 -05:00
Daniel Gustafsson
fd1049554f doh: fix typo in infof call
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-26 11:40:26 +01:00
Daniel Stenberg
34fe0e1622
curl_easy_perform: fix timeout handling
curl_multi_wait() was erroneously used from within
curl_easy_perform(). It could lead to it believing there was no socket
to wait for and then instead sleep for a while instead of monitoring the
socket and then miss acting on that activity as swiftly as it should
(causing an up to 1000 ms delay).

Reported-by: Antoni Villalonga
Fixes #3305
Closes #3306
Closes #3308
2018-11-25 11:25:43 +01:00
Daniel Stenberg
a52e46f390
cookies: create the cookiejar even if no cookies to save
Important for when the file is going to be read again and thus must not
contain old contents!

Adds test 327 to verify.

Reported-by: daboul on github
Fixes #3299
Closes #3300
2018-11-23 14:50:51 +01:00
Daniel Stenberg
2e49610853
checksrc: ban snprintf use, add command line flag to override warns 2018-11-23 08:26:51 +01:00
Daniel Stenberg
dcd6f81025
snprintf: renamed and we now only use msnprintf()
The function does not return the same value as snprintf() normally does,
so readers may be mislead into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
2018-11-23 08:26:51 +01:00
Tobias Hintze
5b4cce2e36
host names: allow trailing dot in name resolve, then strip it
Delays stripping of trailing dots to after resolving the hostname.

Fixes #3022
Closes #3222
2018-11-22 13:40:51 +01:00
Michael Kaufmann
549310e907 openssl: support session resume with TLS 1.3
Session resumption information is not available immediately after a TLS 1.3
handshake. The client must wait until the server has sent a session ticket.

Use OpenSSL's "new session" callback to get the session information and put it
into curl's session cache. For TLS 1.3 sessions, this callback will be invoked
after the server has sent a session ticket.

The "new session" callback is invoked only if OpenSSL's session cache is
enabled, so enable it and use the "external storage" mode which lets curl manage
the contents of the session cache.

A pointer to the connection data and the sockindex are now saved as "SSL extra
data" to make them available to the callback.

This approach also works for old SSL/TLS versions and old OpenSSL versions.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Fixes #3202
Closes #3271
2018-11-21 11:18:25 +01:00
Michael Kaufmann
30a65381f9 ssl: fix compilation with OpenSSL 0.9.7
- ENGINE_cleanup() was used without including "openssl/engine.h"
- enable engine support for OpenSSL 0.9.7

Closes #3266
2018-11-21 11:14:26 +01:00
Daniel Stenberg
59311bd3df
openssl: disable TLS renegotiation with BoringSSL
Since we're close to feature freeze, this change disables this feature
with an #ifdef. Define ALLOW_RENEG at build-time to enable.

This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
applications opt-in this.

Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293
2018-11-21 08:30:18 +01:00
Romain Fliedel
6765e6d9e6
ares: remove fd from multi fd set when ares is about to close the fd
When using c-ares for asyn dns, the dns socket fd was silently closed
by c-ares without curl being aware. curl would then 'realize' the fd
has been removed at next call of Curl_resolver_getsock, and only then
notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with
CURL_POLL_REMOVE. At this point the fd is already closed.

By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this
patch allows curl to be notified that the fd is not longer needed
for neither for write nor read. At this point by calling
Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE
before the fd is actually closed by ares.

In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore
since it does not allow passing a different sock_state_cb_data

Closes #3238
2018-11-20 19:58:45 +01:00
pkubaj
7c96f6a14b ntlm: Remove redundant ifdef USE_OPENSSL
lib/curl_ntlm.c had code that read as follows:

  #ifdef USE_OPENSSL
  # ifdef USE_OPENSSL
  # else
  # ..
  # endif
  #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to
reach it anyway). The removed construction is a leftover from when the
SSLeay support was removed.

Closes #3269
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-20 14:59:12 +01:00
Han Han
78ff4e0de3
ssl: replace all internal uses of CURLE_SSL_CACERT
Closes #3291
2018-11-20 14:57:00 +01:00
Daniel Gustafsson
1cccf2f945 openssl: Remove SSLEAY leftovers
Commit 709cf76f6b deprecated USE_SSLEAY, as curl since long isn't
compatible with the SSLeay library. This removes the few leftovers that
were omitted in the less frequently used platform targets.

Closes #3270
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-17 21:36:10 +01:00
Elia Tufarolo
07ebaf8378
http_negotiate: do not close connection until negotiation is completed
Fix HTTP POST using CURLAUTH_NEGOTIATE.

Closes #3275
2018-11-16 23:38:47 +01:00
Daniel Stenberg
6d0e487f9f
pop3: only do APOP with a valid timestamp
Brought-by: bobmitchell1956 on github
Fixes #3278
Closes #3279
2018-11-16 23:36:53 +01:00
Peter Wu
27e4ac24cd openssl: do not log excess "TLS app data" lines for TLS 1.3
The SSL_CTX_set_msg_callback callback is not just called for the
Handshake or Alert protocols, but also for the raw record header
(SSL3_RT_HEADER) and the decrypted inner record type
(SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid
excess debug spam when using `curl -v` against a TLSv1.3-enabled server:

    * TLSv1.3 (IN), TLS app data, [no content] (0):

(Following this message, another callback for the decrypted
handshake/alert messages will be be present anyway.)

Closes https://github.com/curl/curl/pull/3281
2018-11-16 16:03:31 -05:00
Kamil Dudka
3d988c5563
nss: remove version selecting dead code
Closes #3262
2018-11-13 23:55:22 +01:00
Daniel Stenberg
0c448093dd
nss: set default max-tls to 1.3/1.2
Fixes #3261
2018-11-13 23:54:13 +01:00
Daniel Stenberg
42fd235040
nss: fix fallthrough comment to fix picky compiler warning 2018-11-12 15:23:17 +01:00
Tim Rühsen
c05d77ee7d
ftp: avoid two unsigned int overflows in FTP listing parser
Curl_ftp_parselist: avoid unsigned integer overflows

The overflow has no real world impact, just avoid it for "best
practice".

Closes #3225
2018-11-09 23:08:46 +01:00
Jérémy Rocher
27cb384679
openssl: support BoringSSL TLS renegotiation
As per BoringSSL porting documentation [1], BoringSSL rejects peer
renegotiations by default.

curl fails when trying to authenticate to server through client
certificate if it is requested by server after the initial TLS
handshake.

Enable renegotiation by default with BoringSSL to get same behavior as
with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2]
which was introduced in commit 1d5ef3bb1eb9 [3].

1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86

Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com>
Fixes #3258
Closes #3259
2018-11-09 22:32:47 +01:00
Jim Fuller
5c4fe0d826
setopt: add CURLOPT_CURLU
Allows an application to pass in a pre-parsed URL via a URL handle.

Closes #3227
2018-11-09 15:47:28 +01:00
Daniel Gustafsson
8a49b291cb winssl: be consistent in Schannel capitalization
The productname from Microsoft is "Schannel", but in infof/failf
reporting we use "schannel". This removes different versions.

Closes #3243
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-07 10:11:13 +01:00