1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 15:05:02 -05:00
Commit Graph

23548 Commits

Author SHA1 Message Date
Stephan Mühlstrasser
b0a50227c0
openssl: fix subjectAltName check on non-ASCII platforms
Curl_cert_hostcheck operates with the host character set, therefore the
ASCII subjectAltName string retrieved with OpenSSL must be converted to
the host encoding before comparison.

Closes #2493
2018-04-20 16:55:31 +02:00
Jay Satiro
a3f385393a openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages
- Support handling verbose-mode trace messages of type
  SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS,
  SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO,
  SSL3_MT_MESSAGE_HASH

Reported-by: iz8mbw@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/2403
2018-04-20 01:28:32 -04:00
Daniel Stenberg
8fb78f9ddc
ftplistparser: keep state between invokes
Regression from f786d1f14

Reported-by: wncboy on github
Fixes #2445
Closes #2508
2018-04-19 20:10:52 +02:00
Daniel Stenberg
5c8521851f
detect_proxy: only show proxy use if it had contents 2018-04-19 14:59:06 +02:00
Daniel Stenberg
6d3c9c8ab4
http2: handle on_begin_headers() called more than once
This triggered an assert if called more than once in debug mode (and a
memory leak if not debug build). With the right sequence of HTTP/2
headers incoming it can happen.

Detected by OSS-Fuzz

Closes #2507
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
2018-04-19 08:06:40 +02:00
Dan McNulty
8996300211 schannel: add support for CURLOPT_CAINFO
- Move verify_certificate functionality in schannel.c into a new
  file called schannel_verify.c. Additionally, some structure defintions
  from schannel.c have been moved to schannel.h to allow them to be
  used in schannel_verify.c.

- Make verify_certificate functionality for Schannel available on
  all versions of Windows instead of just Windows CE. verify_certificate
  will be invoked on Windows CE or when the user specifies
  CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.

- In verify_certificate, create a custom certificate chain engine that
  exclusively trusts the certificate store backed by the CURLOPT_CAINFO
  file.

- doc updates of --cacert/CAINFO support for schannel

- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
  when available. This implements a TODO in schannel.c to improve
  handling of multiple SANs in a certificate. In particular, all SANs
  will now be searched instead of just the first name.

- Update tool_operate.c to not search for the curl-ca-bundle.crt file
  when using Schannel to maintain backward compatibility. Previously,
  any curl-ca-bundle.crt file found in that search would have been
  ignored by Schannel. But, with CAINFO support, the file found by
  that search would have been used as the certificate store and
  could cause issues for any users that have curl-ca-bundle.crt in
  the search path.

- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
  SSL backend is Schannel. We allow setting CA location for schannel
  only when explicitly specified by the user via CURLOPT_CAINFO /
  --cacert.

- Add new test cases 3000 and 3001. These test cases check that the first
  and last SAN, respectively, matches the connection hostname. New test
  certificates have been added for these cases. For 3000, the certificate
  prefix is Server-localhost-firstSAN and for 3001, the certificate
  prefix is Server-localhost-secondSAN.

- Remove TODO 15.2 (Add support for custom server certificate
  validation), this commit addresses it.

Closes https://github.com/curl/curl/pull/1325
2018-04-18 03:59:47 -04:00
Jay Satiro
4d660fdcb0 schannel: fix warning
- Fix warning 'integer from pointer without a cast' on 3rd arg in
  CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
  type of the same size.

Follow-up to e35b025.

Caught by Marc's CI builds.
2018-04-17 15:43:30 -04:00
Jakub Wilk
24e8355877 docs: fix typos
Closes https://github.com/curl/curl/pull/2503
2018-04-17 15:32:51 -04:00
Daniel Stenberg
ba48863e52
RELEASE-NOTES: synced 2018-04-17 13:46:06 +02:00
kdekker
7921659450 winbuild: Support custom devel paths for each dependency
- Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
  OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
  NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.

- Use lib.exe for making the static library instead of link.exe /lib.
  The latter is undocumented and could cause problems as noted in the
  comments.

- Remove a dangling URL that no longer worked. (I was not able to find
  the IDN download at MSDN/microsoft.com, so it seems to be removed.)

- Remove custom override for release-ssh2-ssl-dll-zlib configuration.
  Nobody knows why it was there and as far as we can see is unnecessary.

Closes https://github.com/curl/curl/pull/2474
2018-04-17 03:13:50 -04:00
Jess
3872d8310d
README.md: add backers and sponsors
Closes #2484
2018-04-17 00:27:31 +02:00
Archangel_SDY
e35b0256eb
schannel: add client certificate authentication
Users can now specify a client certificate in system certificates store
explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`

Closes #2376
2018-04-17 00:23:01 +02:00
toughengineer
bc4b8c9717
ntlm_sspi: fix authentication using Credential Manager
If you pass empty user/pass asking curl to use Windows Credential
Storage (as stated in the docs) and it has valid credentials for the
domain, e.g.
curl -v -u : --ntlm example.com
currently authentication fails.
This change fixes it by providing proper SPN string to the SSPI API
calls.

Fixes https://github.com/curl/curl/issues/1622
Closes https://github.com/curl/curl/pull/1660
2018-04-16 20:43:21 +02:00
Daniel Stenberg
2d4c2152c9
configure: keep LD_LIBRARY_PATH changes local
... only set it when we actually have to run tests to reduce its impact
on for example build commands etc.

Fixes #2490
Closes #2492

Reported-by: Dmitry Mikhirev
2018-04-16 20:32:17 +02:00
Marcel Raad
627bd7da76
urldata: make service names unconditional
The ifdefs have become quite long. Also, the condition for the
definition of CURLOPT_SERVICE_NAME and for setting it from
CURLOPT_SERVICE_NAME have diverged. We will soon also need the two
options for NTLM, at least when using SSPI, for
https://github.com/curl/curl/pull/1660.
Just make the definitions unconditional to make that easier.

Closes https://github.com/curl/curl/pull/2479
2018-04-16 20:11:41 +02:00
Daniel Stenberg
6cbe96975b
test1148: tolerate progress updates better
Fixes #2446
Closes #2488
2018-04-16 16:53:46 +02:00
Christian Schmitz
78611c745c
ssh: show libSSH2 error code when closing fails
Closes #2500
2018-04-16 16:46:08 +02:00
Daniel Gustafsson
36f0f47887 vauth: Fix typo
Address various spellings of "credentials".

Closes https://github.com/curl/curl/pull/2496
2018-04-15 03:25:48 -04:00
Dagobert Michelsen
631f64cf46 system.h: Add sparcv8plus to oracle/sunpro 32-bit detection
With specific compiler options selecting the arch like -xarch=sparc on
newer compilers like Oracle Studio 12.4 there is no definition of
__sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the
32ÎíÎñbit subset defined by the V8plus ISA specification, without the
Visual Instruction Set (VIS), and without other implementation-specific
ISA extensions. So it should be the same as __sparcv8.

Closes https://github.com/curl/curl/pull/2491
2018-04-15 03:15:31 -04:00
Daniel Gustafsson
9b96e0bb44 checksrc: Fix typo
Fix typo in "semicolon" spelling and remove stray tab character.

Closes https://github.com/curl/curl/pull/2498
2018-04-15 03:05:45 -04:00
Daniel Gustafsson
94400f32e9 all: Refactor malloc+memset to use calloc
When a zeroed out allocation is required, use calloc() rather than
malloc() followed by an explicit memset(). The result will be the
same, but using calloc() everywhere increases consistency in the
codebase and avoids the risk of subtle bugs when code is injected
between malloc and memset by accident.

Closes https://github.com/curl/curl/pull/2497
2018-04-15 03:00:37 -04:00
Daniel Stenberg
2b126cd708
duphandle: make sure CURLOPT_RESOLVE is duplicated fine too
Verified in test 1502 now

Fixes #2485
Closes #2486
Reported-by: Ernst Sjöstrand
2018-04-12 16:21:24 +02:00
Daniel Stenberg
462d8378ea
mailmap: add a monnerat fixup [ci skip] 2018-04-12 08:02:40 +02:00
Daniel Stenberg
85eea2fb38
proxy: show getenv proxy use in verbose output
... to aid debugging etc as it sometimes isn't immediately obvious why
curl uses or doesn't use a proxy.

Inspired by #2477

Closes #2480
2018-04-11 10:56:03 +02:00
Daniel Stenberg
249a7c9dac
travis: build libpsl and make builds use it
closes #2471
2018-04-11 00:46:03 +02:00
Daniel Stenberg
ac6c86732b
travis: bump to clang 6 and gcc 7
Extra-eye-on-this-by: Marcel Raad

Closes #2478
2018-04-10 13:33:10 +02:00
Marcel Raad
0b87c96325
travis: use trusty for coverage build
This works now and precise is in the process of being decommissioned.

Closes https://github.com/curl/curl/pull/2476
2018-04-10 07:52:45 +02:00
Marcel Raad
0f31647cf7
lib: silence null-dereference warnings
In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings
when dereferencing pointers after DEBUGASSERT-ing that they are not
NULL.
Fix this by removing the DEBUGASSERTs.

Suggested-by: Daniel Stenberg
Ref: https://github.com/curl/curl/pull/2463
2018-04-09 15:54:52 +02:00
kdekker
75f517f968
winbuild: fix URL
Follow up on https://github.com/curl/curl/pull/2472.
Now using en-us instead of nl-nl as language code in the URL.

Closes https://github.com/curl/curl/pull/2475
2018-04-09 15:19:00 +02:00
kdekker
73070e8242
winbuild: updated the documentation
The setenv command no longer exists and visual studio build prompts got
changed. Used Visual Studio 2015/2017 as reference.

Closes #2472
2018-04-09 10:42:14 +02:00
Daniel Stenberg
778235ce21
test1136: fix cookie order after commit c990eadd12 2018-04-09 00:10:20 +02:00
Daniel Stenberg
dc1b6c5a00
build: cleanup to fix clang warnings/errors
unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a
cast from integer to pointer is a GNU extension

Reported-by: Rikard Falkeborn

Fixes #2466
Closes #2468
2018-04-08 13:59:30 +02:00
Jay Satiro
817d1c0106 examples/sftpuploadresmue: Fix Windows large file seek
- Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows.

- Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print
  curl_off_t.

Caught by Marc's CI builds.
2018-04-07 16:03:55 -04:00
Daniel Stenberg
8020a0c62f
curl_setup: provide a CURL_SA_FAMILY_T type if none exists
... and use this type instead of 'sa_family_t' in the code since several
platforms don't have it.

Closes #2463
2018-04-07 11:19:46 +02:00
Eric Gallager
a19fefb070
build: add picky compiler warning flags for gcc 6 and 7 2018-04-07 11:18:58 +02:00
Daniel Stenberg
4e884615d1
configure: detect sa_family_t 2018-04-07 11:18:57 +02:00
Stefan Agner
464a019cbe tool_operate: Fix retry on FTP 4xx to ignore other protocols
Only treat response code as FTP response codes in case the
protocol type is FTP.

This fixes an issue where an HTTP download was treated as FTP
in case libcurl returned with 33. This happens when the
download has already finished and the server responses 416:
  HTTP/1.1 416 Requested Range Not Satisfiable

This should not be treated as an FTP error.

Fixes #2464
Closes #2465
2018-04-07 02:57:57 -04:00
Daniel Stenberg
dd03e8c281
hash: calculate sizes with size_t instead of longs
... since they return size_t anyway!

closes #2462
2018-04-06 23:42:25 +02:00
Daniel Stenberg
67bd4ab19e
RELEASE-NOTES: synced 2018-04-06 15:52:19 +02:00
Jay Satiro
222de37f95
build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15
.. and do the same for build-wolfssl.bat.

Because MS calls it VC14.1.

Closes https://github.com/curl/curl/pull/2189
2018-04-06 15:16:35 +02:00
kdekker
8585026524
winbuild: make the clean target work without build-type
Due to the check in Makefile.vc and MakefileBuild.vc, no make call can
be invoked unless a build-type was specified. However, a clean target
only existed when a build type was specified. As a result, the clean
target was unreachable. Made clean target unconditional.

Closes #2455
2018-04-06 14:43:33 +02:00
patelvivekv1993
a65a75e9b3
build-openssl.bat: allow custom paths for VS and perl
Fixes #2430
Closes #2457
2018-04-06 14:39:53 +02:00
Laurie Clark-Michalek
5f3938bc4a
FTP: allow PASV on IPv6 connections when a proxy is being used
In the situation of a client connecting to an FTP server using an IPv6
tunnel proxy, the connection info will indicate that the connection is
IPv6. However, because the server behing the proxy is IPv4, it is
permissable to attempt PSV mode. In the case of the FTP server being
IPv4 only, EPSV will always fail, and with the current logic curl will
be unable to connect to the server, as the IPv6 fwdproxy causes curl to
think that EPSV is impossible.

Closes #2432
2018-04-06 14:30:59 +02:00
Jon DeVree
695e96b3d5
file: restore old behavior for file:////foo/bar URLs
curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC
8089 but then returns an error saying this is unimplemented. This is
actually a regression in behavior on both Windows and Unix.

Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and
then passed to the relevant OS API. This means that the behavior of this
case is actually OS dependent.

The Unix path resolution rules say that the OS must handle swallowing
the extra "/" and so this path is the same as "/foo/bar"

The Windows path resolution rules say that this is a UNC path and
automatically handles the SMB access for the program. So curl on Windows
was already doing Appendix E.3.2 without any special code in curl.

Regression

Closes #2438
2018-04-06 14:28:42 +02:00
Gaurav Malhotra
2536e2450b
Revert "openssl: Don't add verify locations when verifypeer==0"
This reverts commit dc85437736.

libcurl (with the OpenSSL backend) performs server certificate verification
even if verifypeer == 0 and the verification result is available using
CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
CURLINFO_SSL_VERIFYRESULT to not have useful information for the
verifypeer == 0 use case (it would always have
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).

Closes #2451
2018-04-06 14:25:00 +02:00
Wyatt O'Day
336b6a32c0
tls: fix mbedTLS 2.7.0 build + handle sha256 failures
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED)

Closes #2453
2018-04-06 14:21:50 +02:00
Lauri Kasanen
746479adcb
cookie: case-insensitive hashing for the domains
closes #2458
2018-04-06 14:13:08 +02:00
Patrick Monnerat
82dfdac5f7 cookie: fix and optimize 2nd top level domain name extraction
This fixes a segfault occurring when a name of the (invalid) form "domain..tld"
is processed.

test46 updated to cover this case.

Follow-up to commit c990ead.

Ref: https://github.com/curl/curl/pull/2440
2018-04-04 15:28:28 +02:00
Daniel Stenberg
256b80fe81
openssl: provide defines for argument typecasts to build warning-free
... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
2018-04-04 13:24:36 +02:00
Bernard Spil
7c90c93c0b
openssl: fix build with LibreSSL 2.7
- LibreSSL 2.7 implements (most of) OpenSSL 1.1 API

Fixes #2319
Closes #2447
Closes #2448

Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2018-04-04 11:24:51 +02:00