The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
mode for middle box but it is enabled by default, which is unnecessary
for QUIC.
Fixes#6896Closes#7202
Removing expired cookies needs to be a fast operation since we want to
be able to perform it often and speculatively. By tracking the timestamp
of the next known expiration we can exit early in case the timestamp is
in the future.
Closes: #7172
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Trying dual-stack on some embedded platform, I noticed that quite
frequently (20%) libCurl starts from IPv4 regardless the Happy Eyeballs
timeout value. After debugging this issue, I noticed that this happens
if c-ares resolver response for IPv6 family comes before IPv4 (which was
randomly happening in my tests).
In such cases, because libCurl puts the last resolver response on top of
the address list, when IPv4 resolver response comes after IPv6 one - the
IPv4 family starts the connection phase instead of IPv6 family.
The solution for this issue is to always put IPv6 addresses on top of
the address list, regardless the order of resolver responses.
Bug: https://curl.se/mail/lib-2021-06/0003.htmlCloses#7188
Commit 1c1d9f1aff removed the last use
for the inet_pton.h headerfile, this removes the inclusion of the
header.
Closes: #7182
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Fixes potential hang in accept by using select + non-blocking accept.
Fixes potential hang in peer check by replacing the send/recv check with
a getsockname/getpeername check.
Adds length check for returned sockaddr data.
Closes#7144
For options that pass in lists or strings that are subsequently parsed
and must be correct. This broadens the scope for the option previously
known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still
provided as a #define for existing applications.
Closes#7175
Follow-up to 1a0ebf6632
- Check the return code to Curl_inet_pton() in two instances, even
though we know the input is valid so the functions won't fail.
- Clear the 'struct sockaddr_in' struct before use so that the
'sin_zero' field isn't left uninitialized.
Detected by Coverity.
Assisted-by: Harry Sintonen
Closes#7163
As host names are case insensitive, the use of case sensitive hashing
caused unnecesary cache misses and therefore lost performance. This
lowercases the hash key.
Reported-by: Harry Sintonen
Fixes#7159Closes#7161
This avoids a TCP reset (RST) if the server initiates a connection
shutdown by sending an SSL close notify alert and then closes the TCP
connection.
For SSL connections, usually the server announces that it will close the
connection with an SSL close notify alert. curl should read this alert.
If curl does not read this alert and just closes the connection, some
operating systems close the TCP connection with an RST flag.
See RFC 1122, section 4.2.2.13
If curl reads the close notify alert, the TCP connection is closed
normally with a FIN flag.
The new code is similar to existing code in the "SSL shutdown" function:
try to read an alert (non-blocking), and ignore any read errors.
Closes#7095
This function might get called for an easy handle for which the session
cache hasn't been setup. It now just returns a "miss" in that case.
Reported-by: Christoph M. Becker
Fixes#7148Closes#7153
Resolving the case insensitive host name 'localhost' now returns the
addresses 127.0.0.1 and (if IPv6 is enabled) ::1 without using any
resolver.
This removes the risk that users accidentally resolves 'localhost' to
something else. By making sure 'localhost' is always local, we can
assume a "secure context" for such transfers (for cookies etc).
Closes#7039
Also, use a single function library-wide for detecting if a given hostname is
a numerical IP address.
Reported-by: Harry Sintonen
Fixes#7146Closes#7149
To prevent previous ones to get reused on subsequent requests. Matches
how the built-in HTTP code works. Makes test 90 to 93 work.
Add test 90 to 93 in travis.
Closes#7139
In a3268eca79 this code was changed to use the ALPN_H2 constant
instead of the NGHTTP2_PROTO_ALPN constant. However, these constants are
not the same. The nghttp2 constant included the length of the string,
like this: "\x2h2". The ALPN_H2 constant is just "h2". Therefore we need
to re-add the length of the string to the ALPN buffer.
Closes#7138
When the SecCertificateCopyCommonName function fails, it leaves
common_name in a invalid state so CFStringCompare uses the invalid
result, causing EXC_BAD_ACCESS.
The fix is to check the return value of the function before using the
name.
Closes#7126
Latest version of quiche requires the application to pass the peer
address of received packets, and it provides the address for outgoing
packets back.
Closes#7120