If --with-ssl is used and configure still couldn't enable SSL this
creates an error instead of just silently ignoring the fact.
Suggested-by: Isaiah Norton
Fixes#3824Closes#3830
Fish defines a vendor completions directory for completions that are not
installed as part of the fish project itself, and the vendor completions
are preferred if they exist. This prevents trying to overwrite the
builtin curl.fish completion (or creating file conflicts in distro
packaging).
Prefer the pkg-config defined location exported by fish, if it can be
found, and fall back to the correct directory defined by most systems.
Closes#3723
Reviewed-by: Daniel Gustafsson
AmiSSL is an Amiga native library which provides a wrapper over OpenSSL.
It also requires all programs using it to use bsdsocket.library
directly, rather than accessing socket functions through clib, which
libcurl was not necessarily doing previously. Configure will now check
for the headers and ensure they are included if found.
Closes#3677
Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.
Closes#3504
When compiling a collection of SSL libraries to link against (SSL_LIBS),
ensure all libraries are included. The call `--libs-only-l` can produce
only a subset of found in a `--libs` call (e.x. pthread may be excluded).
Adding `--libs-only-other` ensures other libraries are also included in
the list. This corrects select build environments compiling against a
static version of OpenSSL. Before the change, the following could be
observed:
checking for openssl options with pkg-config... found
configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -lcrypto -lz -ldl "
configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
checking for HMAC_Update in -lcrypto... no
checking for HMAC_Init_ex in -lcrypto... no
checking OpenSSL linking with -ldl... no
checking OpenSSL linking with -ldl and -lpthread... no
configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.
...
SSL support: no (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} )
...
And include the other libraries when compiling SSL_LIBS succeeds with:
checking for openssl options with pkg-config... found
configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -pthread -lcrypto -lz -ldl -pthread "
configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
checking for HMAC_Update in -lcrypto... yes
checking for SSL_connect in -lssl... yes
...
SSL support: enabled (OpenSSL)
...
Signed-off-by: James Knight <james.d.knight@live.com>
Closes#3193
As has been outlined in the DEPRECATE.md document, the axTLS code has
been disabled for 6 months and is hereby removed.
Use a better supported TLS library!
Assisted-by: Daniel Gustafsson
Closes#3194
- also update two URLs outside of docs/examples
- fix spelling of filename persistant.c
- fix three long lines that started failing checksrc.pl
Closes https://github.com/curl/curl/pull/3036
When trying to detect pthreads use on HPUX the checks will succeed
without the correct -l option but then end up failing at run-time.
Reported-by: Eason-Yu on github
Fixes#2697Closes#3025
Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.
Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.
Fixes#2724Closes#2791
The linker is pretty dumb and processes things left to right, keeping a
tally of symbols it hasn't resolved yet. So, we need -ldl to appear
after -lcrypto otherwise the linker won't find the dl functions.
Closes#2684
Fix the -ldl and -ldl + -lpthread checks for OpenSSL, necessary for
building with static libs without pkg-config.
Reported-by: Marcel Raad
Fixes#2199Closes#2659
Previously it was checked for in configure/cmake, but that would then
leave other build systems built without engine support.
While engine support probably existed prior to 1.0.1, I decided to play
safe. If someone experience a problem with this, we can widen the
version check.
Fixes#2641Closes#2644
If configure detects fnmatch to be available, use that instead of our
custom one for FTP wildcard pattern matching. For standard compliance,
to reduce our footprint and to use already well tested and well
exercised code.
A POSIX fnmatch behaves slightly different than the internal function
for a few test patterns currently and the macOS one yet slightly
different. Test case 1307 is adjusted for these differences.
Closes#2626
On our x86 Android toolchain, getpwuid_r is implemented but the header
is missing:
netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration]
Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved
the prototype to curl_setup.h.
Signed-off-by: Bernhard Walle <bernhard@bwalle.de>
Closes#2609
The automake default ar flags are 'cru', but the 'u' flag in there
causes warnings on many modern Linux distros. Removing 'u' may have a
minor performance impact on older distros but should not cause harm.
Explained on the automake mailing list already back in April 2015:
https://www.mail-archive.com/automake-patches@gnu.org/msg07705.html
Reported-by: elephoenix on github
Fixes#2617Closes#2619
The ssh2 pkg-config file could contain the following lines when build
with a static version of mbedtls:
Libs: -L${libdir} -lssh2 /xxx/libmbedcrypto.a
Libs.private: /xxx/libmbedcrypto.a
This static mbedtls library must be used to correctly detect ssh2
support and this library must be copied in libcurl.pc otherwise
compilation of any application (such as upmpdcli) with libcurl will fail
when trying to found mbedtls functions included in libssh2. So, replace
pkg-config --libs-only-l by pkg-config --libs.
Fixes:
- http://autobuild.buildroot.net/results/43e24b22a77f616d6198c10435dcc23cc3b9088a
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Closes#2613
When given a prefix, the $PREFIX_OPENSSL/lib/openssl.pc or
$PREFIX_OPENSSL/include/openssl/ssl.h files must be present or cause an
error. Helps users detect when giving configure the wrong path.
Reported-by: Oleg Pudeyev
Assisted-by: Per Malmberg
Fixes#2580
... only set it when we actually have to run tests to reduce its impact
on for example build commands etc.
Fixes#2490Closes#2492
Reported-by: Dmitry Mikhirev
Assign the time_t variable negative value and then check if it is
greater than zero, which will evaluate true for unsigned time_t but
false for signed time_t.
Make curl_getdate() handle dates before 1970 as well (returning negative
values).
Make test 517 test dates for 64 bit time_t.
This fixes bug (3) mentioned in #2238Closes#2250
Link order should list libraries after the libraries that use them,
so when we're guessing that we might also need to add -ldl in order
to use -lssl, we should add -ldl after -lssl.
Closes https://github.com/curl/curl/pull/2234
The SFTP back-end supports asynchronous reading only, limited
to 32-bit file length. Writing is synchronous with no other
limitations.
This also brings keyboard-interactive authentication.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
libssh is an alternative library to libssh2.
https://www.libssh.org/
That patch set also introduces support for ECDSA
ed25519 keys, as well as gssapi authentication.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
The new API added in Linux 4.11 only requires setting a socket option
before connecting, without the whole sento() machinery.
Notably, this makes it possible to use TFO with SSL connections on Linux
as well, without the need to mess around with OpenSSL (or whatever other
SSL library) internals.
Closes#2056
This uses the brotli external library (https://github.com/google/brotli).
Brotli becomes a feature: additional curl_version_info() bit and
structure fields are provided for it and CURLVERSION_NOW bumped.
Tests 314 and 315 check Brotli content unencoding with correct and
erroneous data.
Some tests are updated to accomodate with the now configuration dependent
parameters of the Accept-Encoding header.
The stub implementation is pre-loaded using LD_PRELOAD
and emulates common gssapi uses (only builds if curl is
initially built with gssapi support).
The initial tests are currently disabled for debug builds
as LD_PRELOAD is not used then.
Ref: https://github.com/curl/curl/pull/1687
- Prepend srcdir include path instead of append.
Prior to this change it was possible that during the check for the size
of curl_off_t the include path of a user's already installed curl could
come before the include path of the to-be-built curl, resulting in the
system.h of the former being incorrectly included for that check.
Closes https://github.com/curl/curl/pull/1870
Back in 2008, (and commit 3f3d6ebe66) we changed the logic in how we
determine the native type for `curl_off_t`. To really make sure we
didn't break ABI without bumping SONAME, we introduced logic that
attempted to detect that it would use a different size and thus not be
compatible. We also provided a manual switch that allowed users to tell
configure to bump SONAME by force.
Today, we know of no one who ever got a SONAME bump auto-detected and we
don't know of anyone who's using the manual bump feature. The auto-
detection is also no longer working since we introduced defining
curl_off_t in system.h (7.55.0).
Finally, this bumping logic is not present in the cmake build.
Closes#1861
Automake gets confused if you want to use C++ static libraries with C
code - basically we need to involve the clang++ linker. The easiest way
of achieving this is to rename the C code as C++ code. This gets us a
bit further along the path and ought to be compatible with Google's
version of clang.
- Start with the basic code from the ossfuzz project.
- Rewrite fuzz corpora to be binary files full of Type-Length-Value
data, and write a glue layer in the fuzzing function to convert
corpora into CURL options.
- Have supporting functions to generate corpora from existing tests
- Integrate with Makefile.am
There is a mode in which libcurl is compiled with versioned symbols,
depending on the active SSL backend.
When multiple SSL backends are active, it does not make sense to favor
one over the others, so let's not: introduce a new prefix for the case
where multiple SSL backends are compiled into cURL.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Previously, we used as default SSL backend whatever was first in the
`available_backends` array.
However, some users may want to override that default without patching
the source code.
Now they can: with the --with-default-ssl-backend=<backend> option of
the ./configure script.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
When building software for the masses, it is sometimes not possible to
decide for all users which SSL backend is appropriate.
Git for Windows, for example, uses cURL to perform clones, fetches and
pushes via HTTPS, and some users strongly prefer OpenSSL, while other
users really need to use Secure Channel because it offers
enterprise-ready tools to manage credentials via Windows' Credential
Store.
The current Git for Windows versions use the ugly work-around of
building libcurl once with OpenSSL support and once with Secure Channel
support, and switching out the binaries in the installer depending on
the user's choice.
Needless to say, this is a super ugly workaround that actually only
works in some cases: Git for Windows also comes in a portable form, and
in a form intended for third-party applications requiring Git
functionality, in which cases this "swap out libcurl-4.dll" simply is
not an option.
Therefore, the Git for Windows project has a vested interest in teaching
cURL to make the SSL backend a *runtime* option.
This patch makes that possible.
By running ./configure with multiple --with-<backend> options, cURL will
be built with multiple backends.
For the moment, the backend can be configured using the environment
variable CURL_SSL_BACKEND (valid values are e.g. "openssl" and
"schannel").
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
This change does two things:
1. It un-breaks the build in Xcode 9.0. (Xcode 9.0 is currently
failing trying to compile connectx() in lib/connect.c.)
2. It finally weak-links the connectx() function, and falls back on
connect() when run on older operating systems.
- Change prepends to appends because user's LDFLAGS and CPPFLAGS should
always come first so they're searched before ours.
Bug: https://github.com/curl/curl/issues/1420
Reported-by: Helmut K. C. Tessarek
The check for if -ldl is needed to build with (a statically built)
openssl was broken. This repairs the check, and adds a check for
-lpthread as well since OpenSSL 1.1.0+ does in fact require -lpthread so
only adding -ldl for a static openssl build is no longer enough.
Reported-by: Jay Satiro
Ref: #1426Closes#1427
Prior to this change if you attempted to configure curl using
--wtih-zlib and specified a path the path would be ignored if you also
had pkg-config installed on your system. This situation can easily
arise when you are cross compiling. This change moves the test for
detecting zlib settings via pkg-config only if OPT_ZLIB is not set.
Closes https://github.com/curl/curl/pull/1292
When the threaded resolver option is specified for configure the default
thread library is pthreads. This change makes it possible to
--disable-pthreads and then configure can fall back on Win32 threads for
native Windows builds.
Closes https://github.com/curl/curl/pull/1260
Check for presence of gnutls_alpn_* and gnutls_ocsp_* functions during
configure instead of relying on the version number. GnuTLS has options
to turn these features off and we ca just work with with such builds
like we work with older versions.
Signed-off-by: Marcus Hoffmann <m.hoffmann@cartelsol.com>
Closes#1204
The OpenSSL function CRYTPO_cleanup_all_ex_data() cannot be called
multiple times without crashing - and other libs might call it! We
basically cannot call it without risking a crash. The function is a
no-op since OpenSSL 1.1.0.
Not calling this function only risks a small memory leak with OpenSSL <
1.1.0.
Bug: https://curl.haxx.se/mail/lib-2016-09/0045.html
Reported-by: Todd Short
Since I first wrote that text, Apple introduced tvOS and watchOS, and renamed "Mac OS X" to "macOS." Let's make the text a little more inclusive, since curl can be built for all four operating systems.
With commit c2f9b78 we added a new dependency on pkg-config for
developers which may be unwanted. This change make the configure script
still work as before if pkg-config isn't installed, it'll just use the
old zlib detection logic without pkg-config.
Reported-by: Marc Hörsken
Fixes#972
These configure vars are modified in a curl-specific way and modified by
the configure process, but are never loaded from cache, even though they
are designated as _cv_. We should implement proper AC_CACHE_CHECKs for
them eventually.
'strncasecmp' was once provided by libresolv (no trailing e) for SunOS,
but this check is broken and most likely adds nothing useful. Removing
now.
Reported-by: Irfan Adilovic
Discussed in #770
- Warn if --with-ca-bundle file does not exist.
- Warn if --with-ca-path directory does not contain certificates.
- Improve help messages for both.
Example configure output:
ca cert bundle: /some/file (warning: certs not found)
ca cert path: /some/dir (warning: certs not found)
Bug: https://github.com/curl/curl/issues/404
Reported-by: Jeffrey Walton
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:
- BoringSSL provides no-op stubs for compatibility which replaces most
#ifdefs.
- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
the compatibility codepath.
- With a small tweak to an extend_key_56_to_64 call, the NTLM code
builds fine.
- Switch OCSP-related #ifdefs to the more generally useful
OPENSSL_NO_OCSP.
The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)
This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)
Closes#640
When trying to verify a peer without having any root CA certificates
set, this makes libcurl use the TLS library's built in default as
fallback.
Closes#569
The configure test uses AC_TRY_RUN to figure out if an ipv6 socket
works, and testing like that doesn't work for cross-compiles. These days
IPv6 support is widespread so a blind guess is probably more likely to
be 'yes' than 'no' now.
Further: anyone who cross-compiles can use configure's --disable-ipv6 to
explicitly disable IPv6 and that also works for cross-compiles.
Made happen after discussions in issue #594
The function is only present in wolfssl/cyassl if it was built with
--enable-opensslextra. With these checks added, pinning support is disabled
unless the TLS lib has that function available.
Also fix the mistake in configure that checks for the wrong lib name.
Closes#566
- If mingw ssl make sure -lgdi32 comes after ssl libs
- Allow PKG_CONFIG to set pkg-config location and options
Bug: https://github.com/bagder/curl/pull/501
Reported-by: Kang Lin
The gnutls vtls back-end was previously ignoring any password set via
CURLOPT_KEYPASSWD. Presumably this was because
gnutls_certificate_set_x509_key_file did not support encrypted keys.
gnutls now has a gnutls_certificate_set_x509_key_file2 function that
does support encrypted keys. Let's determine at compile time whether the
available gnutls supports this new function. If it does then use it to
pass the password. If it does not then emit a helpful diagnostic if a
password is set. This is preferable to the previous behaviour of just
failing to read the certificate without giving a reason in that case.
Signed-off-by: Mike Crowe <mac@mcrowe.com>
Since boringssl brought back DES_set_odd_parity again, it cannot be used
to differentiate from boringssl. Using the OPENSSL_IS_BORINGSSL define
seems better anyway.
URL: f551028d5c%5E!/
Original-patch-by: Bertrand Simonnet
Closes#393
This option disables any attempts in configure to create dependency on
stuff requiring linking to librt.so and libpthread.so, in this case this
means clock_gettime(CLOCK_MONOTONIC, &mt).
We were in need to build curl which doesn't link libpthread.so to avoid
the following bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=16628.
This commit requires nghttp2 v1.0.0 to compile, and migrate to v1.0.0,
and utilize recent version of nghttp2 to simplify the code,
First we use nghttp2_option_set_no_recv_client_magic function to
detect nghttp2 v1.0.0. That function only exists since v1.0.0.
Since nghttp2 v0.7.5, nghttp2 ensures header field ordering, and
validates received header field. If it found error, RST_STREAM with
PROTOCOL_ERROR is issued. Since we require v1.0.0, we can utilize
this feature to simplify libcurl code. This commit does this.
Migration from 0.7 series are done based on nghttp2 migration
document. For libcurl, we removed the code sending first 24 bytes
client magic. It is now done by nghttp2 library.
on_invalid_frame_recv callback signature changed, and is updated
accordingly.
This fixes a build failure where openssl and libmetalink are used
together and the system linker does not do implicit linking (e.g.
Fedora 13 and later releases). The MD5 functions required for
metalink support must be pulled in from the openssl crypto library.
This is similar to commit c6e7cbb94e,
which fixes the same sort of problem for NSS builds.
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.