1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-14 13:35:03 -05:00
Commit Graph

11088 Commits

Author SHA1 Message Date
Gisle Vanem
2c0362ee04
vtls: make BearSSL possible to set with CURL_SSL_BACKEND
Ref: 9b879160df (commitcomment-36355622)

Closes #4698
2019-12-10 15:35:23 +01:00
Daniel Stenberg
c7bc689fc3
conn: always set bits.close with connclose()
Closes #4690
2019-12-09 17:17:42 +01:00
Daniel Stenberg
ee263de7a3
conncache: fix multi-thread use of shared connection cache
It could accidentally let the connection get used by more than one
thread, leading to double-free and more.

Reported-by: Christopher Reid
Fixes #4544
Closes #4557
2019-12-09 15:30:09 +01:00
Jay Satiro
689443bf42 lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAIN
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS
and OS400 package spec.

Also I added the option to the NameValue list in the tool even though it
isn't exposed as a command-line option (...yet?). (NameValue stringizes
the option name for the curl cmd -> libcurl source generator)

Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN.

Ref: https://github.com/curl/curl/pull/4655
2019-12-05 19:17:31 -05:00
Jay Satiro
0edf75865a setopt: Fix ALPN / NPN user option when built without HTTP2
- Stop treating lack of HTTP2 as an unknown option error result for
  CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN.

Prior to this change it was impossible to disable ALPN / NPN if libcurl
was built without HTTP2. Setting either option would result in
CURLE_UNKNOWN_OPTION and the respective internal option would not be
set. That was incorrect since ALPN and NPN are used independent of
HTTP2.

Reported-by: Shailesh Kapse

Fixes https://github.com/curl/curl/issues/4668
Closes https://github.com/curl/curl/pull/4672
2019-12-05 18:38:40 -05:00
Marcel Raad
bf24e0f928
curl_setup: fix CURLRES_IPV6 condition
Move the definition of `CURLRES_IPV6` to before undefining
`HAVE_GETADDRINFO`. Regression from commit 67a08dca27 which caused
some tests to fail and others to be skipped with c-ares.

Fixes https://github.com/curl/curl/issues/4673
Closes https://github.com/curl/curl/pull/4677
2019-12-05 20:17:47 +01:00
Peter Wu
87b9337c8f CMake: add support for building with the NSS vtls backend
Options are cross-checked with configure.ac and acinclude.m4.
Tested on Arch Linux, untested on other platforms like Windows or macOS.

Closes #4663
Reviewed-by: Kamil Dudka
2019-12-04 21:34:02 +00:00
Daniel Stenberg
854343fc4e
hostip4.c: bump copyright year range 2019-12-03 23:13:25 +01:00
Marcel Raad
67a08dca27
curl_setup: disable IPv6 resolver without getaddrinfo
Also, use `CURLRES_IPV6` only for actual DNS resolution, not for IPv6
address support. This makes it possible to connect to IPv6 literals by
setting `ENABLE_IPV6` even without `getaddrinfo` support. It also fixes
the CMake build when using the synchronous resolver without
`getaddrinfo` support.

Closes https://github.com/curl/curl/pull/4662
2019-12-03 21:37:33 +01:00
Daniel Stenberg
564d88a8bd
openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains
Closes #4655
2019-12-03 16:28:50 +01:00
Daniel Stenberg
94f1f77158
openssl: set X509_V_FLAG_PARTIAL_CHAIN
Have intermediate certificates in the trust store be treated as
trust-anchors, in the same way as self-signed root CA certificates
are. This allows users to verify servers using the intermediate cert
only, instead of needing the whole chain.

Other TLS backends already accept partial chains.

Reported-by: Jeffrey Walton
Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
2019-12-03 16:28:50 +01:00
Daniel Stenberg
d9118e8d71
copyright: fix the year ranges for two files
Follow-up to 9c1806ae
2019-12-02 08:02:39 +01:00
Jay Satiro
9c1806ae46 build: Disable Visual Studio warning "conditional expression is constant"
- Disable warning C4127 "conditional expression is constant" globally
  in curl_setup.h for when building with Microsoft's compiler.

This mainly affects building with the Visual Studio project files found
in the projects dir.

Prior to this change the cmake and winbuild build systems already
disabled 4127 globally for when building with Microsoft's compiler.
Also, 4127 was already disabled for all build systems in the limited
circumstance of the WHILE_FALSE macro which disabled the warning
specifically for while(0). This commit removes the WHILE_FALSE macro and
all other cruft in favor of disabling globally in curl_setup.

Background:

We have various macros that cause 0 or 1 to be evaluated, which would
cause warning C4127 in Visual Studio. For example this causes it:

    #define Curl_resolver_asynch() 1

Full behavior is not clearly defined and inconsistent across versions.
However it is documented that since VS 2015 Update 3 Microsoft has
addressed this somewhat but not entirely, not warning on while(true) for
example.

Prior to this change some C4127 warnings occurred when I built with
Visual Studio using the generated projects in the projects dir.

Closes https://github.com/curl/curl/pull/4658
2019-12-01 19:01:02 -05:00
Jay Satiro
0436d4438a openssl: retrieve reported LibreSSL version at runtime
- Retrieve LibreSSL runtime version when supported (>= 2.7.1).

For earlier versions we continue to use the compile-time version.

Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3

Closes https://github.com/curl/curl/pull/2425
2019-12-01 18:56:24 -05:00
Jay Satiro
5b22e1a5a9 strerror: Add Curl_winapi_strerror for Win API specific errors
- In all code call Curl_winapi_strerror instead of Curl_strerror when
  the error code is known to be from Windows GetLastError.

Curl_strerror prefers CRT error codes (errno) over Windows API error
codes (GetLastError) when the two overlap. When we know the error code
is from GetLastError it is more accurate to prefer the Windows API error
messages.

Reported-by: Richard Alcock

Fixes https://github.com/curl/curl/issues/4550
Closes https://github.com/curl/curl/pull/4581
2019-12-01 18:12:36 -05:00
Daniel Stenberg
bc5d22c3de
global_init: undo the "intialized" bump in case of failure
... so that failures in the global init function don't count as a
working init and it can then be called again.

Reported-by: Paul Groke
Fixes #4636
Closes #4653
2019-12-02 00:04:56 +01:00
Daniel Stenberg
0044443a02
parsedate: offer a getdate_capped() alternative
... and use internally. This function will return TIME_T_MAX instead of
failure if the parsed data is found to be larger than what can be
represented. TIME_T_MAX being the largest value curl can represent.

Reviewed-by: Daniel Gustafsson
Reported-by: JanB on github
Fixes #4152
Closes #4651
2019-11-29 11:01:24 +01:00
Daniel Stenberg
cc4cf93e52
sha256: bump the copyright year range
Follow-up from 66e21520f
2019-11-28 22:28:06 +01:00
Daniel Gustafsson
66e21520f3 curl_setup_once: consistently use WHILE_FALSE in macros
The WHILE_FALSE construction is used to avoid compiler warnings in
macro constructions. This fixes a few instances where it was not
used in order to keep the code consistent.

Closes #4649
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-11-28 16:02:13 +01:00
Steve Holme
bb8cf05169
http_ntlm: Remove duplicate NSS initialisation
Given that this is performed by the NTLM code there is no need to
perform the initialisation in the HTTP layer. This also keeps the
initialisation the same as the SASL based protocols and also fixes a
possible compilation issue if both NSS and SSPI were to be used as
multiple SSL backends.

Reviewed-by: Kamil Dudka
Closes #3935
2019-11-28 14:41:55 +01:00
Daniel Gustafsson
ba82673dac checksrc: fix regexp for ASSIGNWITHINCONDITION
The regexp looking for assignments within conditions was too greedy
and matched a too long string in the case of multiple conditionals
on the same line. This is basically only a problem in single line
macros, and the code which exemplified this was essentially:

  do { if((x) != NULL) { x = NULL; } } while(0)

..where the final parenthesis of while(0) matched the regexp, and
the legal assignment in the block triggered the warning. Fix by
making the regexp less greedy by matching for the tell-tale signs
of the if statement ending.

Also remove the one occurrence where the warning was disabled due
to a construction like the above, where the warning didn't apply
when fixed.

Closes #4647
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-11-28 14:18:16 +01:00
Niall
8acfad38ca
doh: use dedicated probe slots
... to easier allow additional DNS transactions.

Closes #4629
2019-11-28 12:49:44 +01:00
David Benjamin
d94aa39410
ngtcp2: fix thread-safety bug in error-handling
ERR_error_string(NULL) should never be called. It places the error in a
global buffer, which is not thread-safe. Use ERR_error_string_n with a
local buffer instead.

Closes #4645
2019-11-28 00:48:19 +01:00
John Schroeder
7cf18b05e0
XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE
(also for PROGRESSFUNCTION)

By returning this value from the callback, the internal progress
function call is still called afterward.

Closes #4599
2019-11-26 09:16:01 +01:00
Michael Forney
9b879160df
TLS: add BearSSL vtls implementation
Closes #4597
2019-11-26 08:32:23 +01:00
Gergely Nagy
f3c35e371c
multi: add curl_multi_wakeup()
This commit adds curl_multi_wakeup() which was previously in the TODO
list under the curl_multi_unblock name.

On some platforms and with some configurations this feature might not be
available or can fail, in these cases a new error code
(CURLM_WAKEUP_FAILURE) is returned from curl_multi_wakeup().

Fixes #4418
Closes #4608
2019-11-25 15:45:56 +01:00
Xiaoyin Liu
0a65febccf schannel: fix --tls-max for when min is --tlsv1 or default
Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_
macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS
(CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.

Closes https://github.com/curl/curl/pull/4633
2019-11-24 03:16:26 -05:00
Jay Satiro
78cef06847 openssl: Revert to less sensitivity for SYSCALL errors
- Disable the extra sensitivity except in debug builds (--enable-debug).

- Improve SYSCALL error message logic in ossl_send and ossl_recv so that
  "No error" / "Success" socket error text isn't shown on SYSCALL error.

Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity
of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were
also considered errors. For example, a server that does not send a known
protocol termination point (eg HTTP content length or chunked encoding)
_and_ does not send a TLS termination point (close_notify alert) would
cause an error if it closed the connection.

To be clear that behavior made it into release build 7.67.0
unintentionally. Several users have reported it as an issue.

Ultimately the idea is a good one, since it can help prevent against a
truncation attack. Other SSL backends may already behave similarly (such
as Windows native OS SSL Schannel). However much more of our user base
is using OpenSSL and there is a mass of legacy users in that space, so I
think that behavior should be partially reverted and then rolled out
slowly.

This commit changes the behavior so that the increased sensitivity is
disabled in all curl builds except curl debug builds (DEBUGBUILD). If
after a period of time there are no major issues then it can be enabled
in dev and release builds with the newest OpenSSL (1.1.1+), since users
using the newest OpenSSL are the least likely to have legacy problems.

Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke

Fixes https://github.com/curl/curl/issues/4624
Closes https://github.com/curl/curl/pull/4623
2019-11-22 22:29:39 -05:00
Daniel Stenberg
1f4e7dc661 openssl: improve error message for SYSCALL during connect
Reported-by: Paulo Roberto Tomasi
Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html

Closes https://github.com/curl/curl/pull/4593
2019-11-22 22:29:37 -05:00
Daniel Stenberg
f70da9c17e
include: make CURLE_HTTP3 use a new error code
To avoid potential issues with error code reuse.

Reported-by: Christoph M. Becker
Assisted-by: Dan Fandrich
Fixes #4601
Closes #4627
2019-11-21 23:16:29 +01:00
Javier Blazquez
e0363a47de
ngtcp2: use overflow buffer for extra HTTP/3 data
Fixes #4525
Closes #4603
2019-11-18 16:40:08 +01:00
Daniel Stenberg
425c572a19
altsvc: bump to h3-24
... as both ngtcp2 and quiche now support that in their master branches

Closes #4604
2019-11-18 14:49:34 +01:00
Daniel Stenberg
82e4d029c5
ngtcp2: free used resources on disconnect
Fixes #4614
Closes #4615
2019-11-18 14:46:12 +01:00
Daniel Stenberg
a72b6b9606
ngtcp2: handle key updates as ngtcp2 master branch tells us
Reviewed-by: Tatsuhiro Tsujikawa

Fixes #4612
Closes #4613
2019-11-18 14:42:51 +01:00
Gergely Nagy
d1476aa11e multi: Fix curl_multi_poll wait when extra_fds && !extra_nfds
Prior to this change:

The check if an extra wait is necessary was based not on the
number of extra fds but on the pointer.

If a non-null pointer was given in extra_fds, but extra_nfds
was zero, then the wait was skipped even though poll was not
called.

Closes https://github.com/curl/curl/pull/4610
2019-11-17 23:35:48 -05:00
Jay Satiro
1f6a18685e lib: Move lib/ssh.h -> lib/vssh/ssh.h
Follow-up to 5b2d703 which moved ssh source files to vssh.

Closes https://github.com/curl/curl/pull/4609
2019-11-17 23:27:39 -05:00
Niall
b6a53fff6c
doh: improced both encoding and decoding
Improved estimation of expected_len and updated related comments;
increased strictness of QNAME-encoding, adding error detection for empty
labels and names longer than the overall limit; avoided treating DNAME
as unexpected;

updated unit test 1655 with more thorough set of proofs and tests

Closes #4598
2019-11-16 16:15:03 +01:00
Daniel Stenberg
7627a2dd9d
ngtcp2: increase QUIC window size when data is consumed
Assisted-by: Javier Blazquez
Ref #4525 (partial fix)
Closes #4600
2019-11-16 00:12:53 +01:00
Melissa Mears
c6b70de246
config-win32: cpu-machine-OS for Windows on ARM
Define the OS macro properly for Windows on ARM builds.  Also, we might
as well add the GCC-style IA-64 macro.

Closes #4590
2019-11-14 23:27:06 +01:00
Daniel Stenberg
4e1eee1500
multi_poll: avoid busy-loop when called without easy handles attached
Fixes #4594
Closes #4595
Reported-by: 3dyd on github
2019-11-14 23:22:22 +01:00
Daniel Stenberg
b3eb7d172a
quiche: reject headers in the wrong order
Pseudo header MUST come before regular headers or cause an error.

Reported-by: Cynthia Coan
Fixes #4571
Closes #4584
2019-11-12 09:44:24 +01:00
Daniel Stenberg
8686aab694
openssl: prevent recursive function calls from ctx callbacks
Follow the pattern of many other callbacks.

Ref: #4546
Closes #4585
2019-11-12 09:40:00 +01:00
Daniel Stenberg
13182b33f7
remove_handle: clear expire timers after multi_done()
Since 59041f0, a new timer might be set in multi_done() so the clearing
of the timers need to happen afterwards!

Reported-by: Max Kellermann
Fixes #4575
Closes #4583
2019-11-11 14:49:17 +01:00
Daniel Stenberg
32747aafa0
pause: avoid updating socket if done was already called
... avoids unnecesary recursive risk when the transfer is already done.

Reported-by: Richard Bowker
Fixes #4563
Closes #4574
2019-11-10 16:48:47 +01:00
Jay Satiro
07cf042ece strerror: Fix an error looking up some Windows error strings
- Use FORMAT_MESSAGE_IGNORE_INSERTS to ignore format specifiers in
  Windows error strings.

Since we are not in control of the error code we don't know what
information may be needed by the error string's format specifiers.

Prior to this change Windows API error strings which contain specifiers
(think specifiers like similar to printf specifiers) would not be shown.
The FormatMessage Windows API call which turns a Windows error code into
a string could fail and set error ERROR_INVALID_PARAMETER if that error
string contained a format specifier. FormatMessage expects a va_list for
the specifiers, unless inserts are ignored in which case no substitution
is attempted.

Ref: https://devblogs.microsoft.com/oldnewthing/20071128-00/?p=24353
2019-11-09 18:07:59 -05:00
Daniel Stenberg
1f73138ce1
checksrc: repair the copyrightyear check
- Consider a modified file to be committed this year.

- Make the travis CHECKSRC also do COPYRIGHTYEAR scan in examples and
  includes

- Ignore 0 parents when getting latest commit date of file.

since in the CI we're dealing with a truncated repo of last 50 commits,
the file's most recent commit may not be available. when this happens
git log and rev-list show the initial commit (ie first commit not to be
truncated) but that's incorrect so ignore it.

Ref: https://github.com/curl/curl/pull/4547

Closes https://github.com/curl/curl/pull/4549

Co-authored-by: Jay Satiro
2019-11-08 14:51:42 +01:00
Daniel Stenberg
0bc60d91de
copyrights: fix copyright year range
.. because checksrc's copyright year check stopped working.

Ref: https://github.com/curl/curl/pull/4547

Closes https://github.com/curl/curl/pull/4549
2019-11-08 14:51:42 +01:00
Christian Schmitz
93213b2421
ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set
Closes #3704
2019-11-07 23:14:02 +01:00
Wyatt O'Day
93738efe16 build: fix for CURL_DISABLE_DOH
Fixes https://github.com/curl/curl/issues/4565
Closes https://github.com/curl/curl/pull/4566
2019-11-06 23:48:10 -05:00
Vilhelm Prytz
d0319adb0c
copyrights: update all copyright notices to 2019 on files changed this year
Closes #4547
2019-11-02 23:15:56 +01:00
Bastien Bouclet
9910d6b9a4
mbedtls: add error message for cert validity starting in the future
Closes #4552
2019-11-02 22:59:13 +01:00
Jay Satiro
9c49824902 schannel_verify: Fix concurrent openings of CA file
- Open the CA file using FILE_SHARE_READ mode so that others can read
  from it as well.

Prior to this change our schannel code opened the CA file without
sharing which meant concurrent openings (eg an attempt from another
thread or process) would fail during the time it was open without
sharing, which in curl's case would cause error:
"schannel: failed to open CA file".

Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html
Reported-by: Richard Alcock
2019-11-01 18:02:59 -04:00
Daniel Stenberg
c2b01cce5c
gtls: make gnutls_bye() not wait for response on shutdown
... as it can make it wait there for a long time for no good purpose.

Patched-by: Jay Satiro
Reported-by: Bylon2 on github
Adviced-by: Nikos Mavrogiannopoulos

Fixes #4487
Closes #4541
2019-10-31 09:10:50 +01:00
Daniel Stenberg
dcd7e37c3a
url: make Curl_close() NULLify the pointer too
This is the common pattern used in the code and by a unified approach we
avoid mistakes.

Closes #4534
2019-10-30 09:36:21 +01:00
Daniel Stenberg
0cbd6f8df7
url: Curl_free_request_state() should also free doh handles
... or risk DoH memory leaks.

Reported-by: Paul Dreik
Fixes #4463
Closes #4527
2019-10-29 22:48:19 +01:00
Javier Blazquez
9f5b26d23f HTTP3: fix invalid use of sendto for connected UDP socket
On macOS/BSD, trying to call sendto on a connected UDP socket fails
with a EISCONN error. Because the singleipconnect has already called
connect on the socket when we're trying to use it for QUIC transfers
we need to use plain send instead.

Fixes #4529
Closes https://github.com/curl/curl/pull/4533
2019-10-28 15:00:33 -04:00
Javier Blazquez
e0ee3d9f9b
HTTP3: fix Windows build
The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv
in order to perform nonblocking operations. On Windows this flag does
not exist. Instead, the socket must be set to nonblocking mode via
ioctlsocket.

This change sets the nonblocking flag on UDP sockets used for QUIC on
all platforms so the use of MSG_DONTWAIT is not needed.

Fixes #4531
Closes #4532
2019-10-28 09:21:43 +01:00
Francois Rivard
8986df802d
schannel: reverse the order of certinfo insertions
Fixes #4518
Closes #4519
2019-10-24 16:30:40 +02:00
Daniel Stenberg
807c056c08
conn-reuse: requests wanting NTLM can reuse non-NTLM connections
Added test case 338 to verify.

Reported-by: Daniel Silverstone
Fixes #4499
Closes #4514
2019-10-23 10:15:39 +02:00
Daniel Stenberg
95a4cfd888
http2_recv: a closed stream trumps pause state
... and thus should return 0, not EAGAIN.

Reported-by: Tom van der Woerdt
Fixes #4496
Closes #4505
2019-10-18 23:23:48 +02:00
Daniel Stenberg
59041f052a
http2: expire a timeout at end of stream
To make sure that transfer is being dealt with. Streams without
Content-Length need a final read to notice the end-of-stream state.

Reported-by: Tom van der Woerdt
Fixes #4496
2019-10-18 23:23:43 +02:00
Daniel Stenberg
e062043433
url: normalize CURLINFO_EFFECTIVE_URL
The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as
input in most cases, which made it not get a scheme prefixed like before
if the URL was given without one, and it didn't remove dotdot sequences
etc.

Added test case 1907 to verify that this now works as intended and as
before 7.62.0.

Regression introduced in 7.62.0

Reported-by: Christophe Dervieux
Fixes #4491
Closes #4493
2019-10-16 14:10:55 +02:00
Marcel Raad
a626fa128c
security: silence conversion warning
With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer,
while `read` expects a 32 bit signed integer.
Use `sread` instead of `read` to use the correct parameter type.

Closes https://github.com/curl/curl/pull/4483
2019-10-13 22:10:12 +02:00
Marcel Raad
be16d8d994
connect: silence sign-compare warning
With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the
result of `sizeof` is unsigned.

Closes https://github.com/curl/curl/pull/4483
2019-10-13 22:09:59 +02:00
Harry Sintonen
0dc14b8381
socketpair: fix include and define for older TCP header systems
fixed build for systems that need netinet/in.h for IPPROTO_TCP and are
missing INADDR_LOOPBACK

Closes #4480
2019-10-10 23:20:15 +02:00
Daniel Stenberg
622cf7db6b
socketpair: fix double-close in error case
Follow-up to bc2dbef0af
2019-10-10 11:18:21 +02:00
Daniel Stenberg
1b843bb5ed
gskit: use the generic Curl_socketpair 2019-10-10 11:04:38 +02:00
Daniel Stenberg
9c76f694de
asyn-thread: make use of Curl_socketpair() where available 2019-10-10 11:04:38 +02:00
Daniel Stenberg
bc2dbef0af
socketpair: an implemention for Windows and more
Curl_socketpair() is designed to be used and work everywhere if there's
no native version or the native version isn't good enough.

Closes #4466
2019-10-10 11:04:38 +02:00
Daniel Stenberg
490effc193
connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT
Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no
matter what errno said.

This makes for example --retry work on these transfer failures.

Reported-by: Nathaniel J. Smith
Fixes #4461
Clsoes #4462
2019-10-09 14:16:28 +02:00
Nicolas
8bb3a95ce1 ldap: fix OOM error on missing query string
- Allow missing queries, don't return NO_MEMORY error in such a case.

It is acceptable for there to be no specified query string, for example:

curl ldap://ldap.forumsys.com

A regression bug in 1b443a7 caused this issue.

This is a partial fix for #4261.

Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077
Reported-by: Jojojov@users.noreply.github.com
Analyzed-by: Samuel Surtees

Closes https://github.com/curl/curl/pull/4467
2019-10-05 19:47:31 -04:00
Paul B. Omta
df85b86a92 build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines
Closes https://github.com/curl/curl/pull/4460
2019-10-05 19:18:30 -04:00
Daniel Stenberg
b902b0632d
ngtcp2: adapt to API change
Closes #4457
2019-10-04 10:31:36 +02:00
Daniel Stenberg
249541f12f
cookies: change argument type for Curl_flush_cookies
The second argument is really a 'bool' so use that and pass in TRUE/FALSE
to make it clear.

Closes #4455
2019-10-03 22:56:28 +02:00
Daniel Stenberg
8a00560de2
http2: move state-init from creation to pre-transfer
To make sure that the HTTP/2 state is initialized correctly for
duplicated handles. It would otherwise easily generate "spurious"
PRIORITY frames to get sent over HTTP/2 connections when duplicated easy
handles were used.

Reported-by: Daniel Silverstone
Fixes #4303
Closes #4442
2019-10-03 22:55:42 +02:00
Daniel Stenberg
02c6b984cb
urlapi: fix use-after-free bug
Follow-up from 2c20109a9b

Added test 663 to verify.

Reported by OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/17954

Closes #4453
2019-10-03 22:54:26 +02:00
Paul Dreik
13ecc0725f
cookie: avoid harmless use after free
This fix removes a use after free which can be triggered by
the internal cookie fuzzer, but otherwise is probably
impossible to trigger from an ordinary application.

The following program reproduces it:

        curl_global_init(CURL_GLOBAL_DEFAULT);
        CURL*  handle=curl_easy_init();
        CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false);
        curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null");
        Curl_flush_cookies(handle, true);
        Curl_cookie_cleanup(info);
        curl_easy_cleanup(handle);
        curl_global_cleanup();

This was found through fuzzing.

Closes #4454
2019-10-03 15:43:50 +02:00
Niall
0f48055c40
ESNI: initial build/setup
Closes #4011
2019-10-02 12:33:08 +02:00
Daniel Stenberg
c6f250c4d6
redirect: when following redirects to an absolute URL, URL encode it
... to make it handle for example (RFC violating) embeded spaces.

Reported-by: momala454 on github
Fixes #4445
Closes #4447
2019-10-02 07:53:32 +02:00
Daniel Stenberg
2c20109a9b
urlapi: fix URL encoding when setting a full URL 2019-10-02 07:53:17 +02:00
Kunal Ekawde
c124e6b3c0
CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt
Closes #4410
2019-10-02 07:47:48 +02:00
Daniel Stenberg
f0f053fed0
chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error
Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the
response is chunked-encoded.

Reported-by: Ilya Kosarev
Fixes #4310
Closes #4449
2019-10-02 07:46:05 +02:00
Marcel Raad
ac830139da
checksrc: fix uninitialized variable warning
The loop doesn't need to be executed without a file argument.

Closes https://github.com/curl/curl/pull/4444
2019-10-01 10:47:45 +02:00
Marcel Raad
0f62c9af8b
urlapi: fix unused variable warning
`dest` is only used with `ENABLE_IPV6`.

Closes https://github.com/curl/curl/pull/4444
2019-10-01 10:47:41 +02:00
Marcel Raad
69d95b6d4c
lib: silence conversion warnings
Closes https://github.com/curl/curl/pull/4444
2019-10-01 10:47:37 +02:00
Daniel Stenberg
c24cf6c64c
altsvc: accept quoted ma and persist values
As mandated by the spec. Test 1654 is extended to verify.

Closes #4443
2019-09-30 16:35:12 +02:00
lucas
19338e9721 quiche: update HTTP/3 config creation to new API 2019-09-29 22:40:58 +01:00
Daniel Stenberg
d0a7ee3f61
cookies: using a share with cookies shouldn't enable the cookie engine
The 'share object' only sets the storage area for cookies. The "cookie
engine" still needs to be enabled or activated using the normal cookie
options.

This caused the curl command line tool to accidentally use cookies
without having been told to, since curl switched to using shared cookies
in 7.66.0.

Test 1166 verifies

Updated test 506

Fixes #4429
Closes #4434
2019-09-28 18:10:43 +02:00
Daniel Stenberg
ed73509157
setopt: handle ALTSVC set to NULL 2019-09-27 16:26:50 +02:00
Zenju
500fb0e4cb
FTP: url-decode path before evaluation
Closes #4428
2019-09-27 08:29:54 +02:00
julian
c7e6b71e5a vtls: Fix comment typo about macosx-version-min compiler flag
Closes https://github.com/curl/curl/pull/4425
2019-09-27 01:46:49 -04:00
Daniel Stenberg
b6532b809f
quiche: don't close connection at end of stream! 2019-09-26 16:06:11 +02:00
Daniel Stenberg
2377465901
quiche: set 'drain' when returning without having drained the queues 2019-09-26 15:45:58 +02:00
Daniel Stenberg
ea7744a07e
Revert "FTP: url-decode path before evaluation"
This reverts commit 2f036a72d5.
2019-09-26 14:53:19 +02:00
Zenju
2f036a72d5
FTP: url-decode path before evaluation
Closes #4423
2019-09-26 13:57:44 +02:00
Daniel Stenberg
0ab38f5fd6
openssl: use strerror on SSL_ERROR_SYSCALL
Instead of showing the somewhat nonsensical errno number, use strerror()
to provide a more relatable error message.

Closes #4411
2019-09-26 13:55:18 +02:00
Jay Satiro
cded993700 url: don't set appconnect time for non-ssl/non-ssh connections
Prior to this change non-ssl/non-ssh connections that were reused set
TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH
handshake took place.

[1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in
libcurl and %{time_appconnect} in the curl tool. It is documented as
"the time until the SSL/SSH handshake is completed".

Reported-by: Marcel Hernandez

Ref: https://github.com/curl/curl/issues/3760

Closes https://github.com/curl/curl/pull/3773
2019-09-26 03:04:26 -04:00
Daniel Stenberg
217812fa9e
ngtcp2: remove fprintf() calls
- convert some of them to H3BUF() calls to infof()
- remove some of them completely
- made DEBUG_HTTP3 defined only if CURLDEBUG is set for now

Closes #4421
2019-09-25 23:28:58 +02:00
Jay Satiro
af3ced3b9c
url: fix the NULL hostname compiler warning case
Closes #4403
2019-09-25 14:35:02 +02:00
Daniel Stenberg
218a62a6ce
altsvc: correct the #ifdef for the ngtcp2 backend 2019-09-25 12:13:43 +02:00
Daniel Stenberg
a4c6520991
altsvc: save h3 as h3-23
Follow-up to d176a2c7e5
2019-09-25 12:06:55 +02:00
Daniel Stenberg
6e7733f788
urlapi: question mark within fragment is still fragment
The parser would check for a query part before fragment, which caused it
to do wrong when the fragment contains a question mark.

Extended test 1560 to verify.

Reported-by: Alex Konev
Fixes #4412
Closes #4413
2019-09-24 23:30:43 +02:00
Patrick Monnerat
3e0a8e539c os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr,
As libcurl now uses these 2 system functions, wrappers are needed on os400
to convert returned AF_UNIX sockaddrs to ascii.

This is a follow-up to commit 7fb54ef.
See also #4037.
Closes #4214
2019-09-24 13:39:22 +02:00
Lucas Pardue
4a778f75c5 strcase: fix raw lowercasing the letter X
Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to
this change.

Follow-up to 0023fce which added the function several days ago.

Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546

Closes https://github.com/curl/curl/pull/4408
2019-09-24 01:31:37 -04:00
Daniel Stenberg
b259baabfe
http2: Expression 'stream->stream_id != - 1' is always true
PVS-Studio warning
Fixes #4402
2019-09-23 22:44:02 +02:00
Daniel Stenberg
f91b82e688
http2: A value is being subtracted from the unsigned variable
PVS-Studio warning
Fixes #4402
2019-09-23 22:44:02 +02:00
Daniel Stenberg
9aed993da0
libssh: part of conditional expression is always true: !result
PVS-Studio warning
Fixed #4402
2019-09-23 22:44:02 +02:00
Daniel Stenberg
b7e872ac17
libssh: part of conditional expression is always true
PVS-Studio warning
Fixes #4402
2019-09-23 22:44:01 +02:00
Daniel Stenberg
9221896768
libssh: The expression is excessive or contains a misprint
PVS-Studio warning
Fixes #4402
2019-09-23 22:44:01 +02:00
Daniel Stenberg
32fa043202
quiche: The expression must be surrounded by parentheses
PVS-Studio warning
Fixes #4402
2019-09-23 22:44:01 +02:00
Daniel Stenberg
89d972f24c
vauth: The parameter 'status' must be surrounded by parentheses
PVS-Studio warning
Fixes #4402
2019-09-23 22:44:01 +02:00
Paul Dreik
a5bf6a36c5
doh: allow only http and https in debug mode
Otherwise curl may be told to use for instance pop3 to
communicate with the doh server, which most likely
is not what you want.

Found through fuzzing.

Closes #4406
2019-09-23 22:38:23 +02:00
Paul Dreik
bb74201804
doh: return early if there is no time left
Closes #4406
2019-09-23 22:38:15 +02:00
Barry Pollard
0023fce38d
http: lowercase headernames for HTTP/2 and HTTP/3
Closes #4401
Fixes #4400
2019-09-23 22:33:31 +02:00
Marcel Raad
527461285f
vtls: fix narrowing conversion warnings
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on
32-bit systems since commit b1616dad8f.

Closes https://github.com/curl/curl/pull/4398
2019-09-23 09:44:35 +02:00
Marcel Raad
367e4b3c4d
openssl: fix compiler warning with LibreSSL
It was already fixed for BoringSSL in commit a0f8fccb1e.
LibreSSL has had the second argument to SSL_CTX_set_min_proto_version
as uint16_t ever since the function was added in [0].

[0] 56f107201b

Closes https://github.com/curl/curl/pull/4397
2019-09-22 20:55:54 +02:00
Jay Satiro
5ee88eee68 socks: Fix destination host shown on SOCKS5 error
Prior to this change when a server returned a socks5 connect error then
curl would parse the destination address:port from that data and show it
to the user as the destination:

curld -v --socks5 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to IPv4 172.217.12.206 (locally resolved)
* Can't complete SOCKS5 connection to 253.127.0.0:26673. (1)
curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1)

That's incorrect because the address:port included in the connect error
is actually a bind address:port (typically unused) and not the
destination address:port. This fix changes curl to show the destination
information that curl sent to the server instead:

curld -v --socks5 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved)
* Can't complete SOCKS5 connection to 172.217.7.14:99. (1)
curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1)

curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to google.com:99 (remotely resolved)
* Can't complete SOCKS5 connection to google.com:99. (1)
curl: (7) Can't complete SOCKS5 connection to google.com:99. (1)

Ref: https://tools.ietf.org/html/rfc1928#section-6

Closes https://github.com/curl/curl/pull/4394
2019-09-21 23:45:02 -04:00
Daniel Stenberg
d176a2c7e5
altsvc: both backends run h3-23 now
Closes #4395
2019-09-21 23:11:29 +02:00
Daniel Stenberg
fe514ad9ae
http: fix warning on conversion from int to bit
Follow-up from 03ebe66d70
2019-09-21 23:09:59 +02:00
Daniel Stenberg
03ebe66d70
urldata: use 'bool' for the bit type on MSVC compilers
Closes #4387
Fixes #4379
2019-09-21 23:05:41 +02:00
Zenju
36ff5e37b9
FTP: FTPFILE_NOCWD: avoid redundant CWDs
Closes #4382
2019-09-21 16:23:03 +02:00
Daniel Stenberg
0801343e27
cookie: pass in the correct cookie amount to qsort()
As the loop discards cookies without domain set. This bug would lead to
qsort() trying to sort uninitialized pointers. We have however not found
it a security problem.

Reported-by: Paul Dreik
Closes #4386
2019-09-21 16:07:52 +02:00
Paul Dreik
47066036a0
urlapi: avoid index underflow for short ipv6 hostnames
If the input hostname is "[", hlen will underflow to max of size_t when
it is subtracted with 2.

hostname[hlen] will then cause a warning by ubsanitizer:

runtime error: addition of unsigned offset to 0x<snip> overflowed to
0x<snip>

I think that in practice, the generated code will work, and the output
of hostname[hlen] will be the first character "[".

This can be demonstrated by the following program (tested in both clang
and gcc, with -O3)

int main() {
  char* hostname=strdup("[");
  size_t hlen = strlen(hostname);

  hlen-=2;
  hostname++;
  printf("character is %d\n",+hostname[hlen]);
  free(hostname-1);
}

I found this through fuzzing, and even if it seems harmless, the proper
thing is to return early with an error.

Closes #4389
2019-09-21 15:57:17 +02:00
Tatsuhiro Tsujikawa
63a8d2b172
ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23
Closes #4392
2019-09-21 15:44:17 +02:00
Daniel Stenberg
7d5524500d
libssh2: part of conditional expression is always true: !result
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:52 +02:00
Daniel Stenberg
36fbb10071
urlapi: Expression 'storep' is always true
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:48 +02:00
Daniel Stenberg
a6451487d4
urlapi: 'scheme' is always true
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:46 +02:00
Daniel Stenberg
b10464399b
urlapi: part of conditional expression is always true: (relurl[0] == '/')
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:42 +02:00
Daniel Stenberg
8f593f6d3b
setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly
Fixes bug detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:35 +02:00
Daniel Stenberg
2ba62322a7
mime: make Curl_mime_duppart() assert if called without valid dst
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:31 +02:00
Daniel Stenberg
cc95dbd64f
http_proxy: part of conditional expression is always true: !error
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:28 +02:00
Daniel Stenberg
d0390a538a
imap: merged two case-branches performing the same action
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:25 +02:00
Daniel Stenberg
07c1af9226
multi: value '2L' is assigned to a boolean
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:21 +02:00
Daniel Stenberg
2e68e5a023
easy: part of conditional expression is always true: !result
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:20 +02:00
Daniel Stenberg
0b90ec9bbf
netrc: part of conditional expression is always true: !done
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:18 +02:00
Daniel Stenberg
317c97bd81
version: Expression 'left > 1' is always true
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:17 +02:00
Daniel Stenberg
389426e3d0
url: remove dead code
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:13 +02:00
Daniel Stenberg
3ab45650e2
url: part of expression is always true: (bundle->multiuse == 0)
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:11 +02:00
Daniel Stenberg
e3c41ebd7c
ftp: the conditional expression is always true
... both !result and (ftp->transfer != FTPTRANSFER_BODY)!

Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:06 +02:00
Daniel Stenberg
49f3117a23
ftp: Expression 'ftpc->wait_data_conn' is always false
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:03 +02:00
Daniel Stenberg
a50c3d7fa0
ftp: Expression 'ftpc->wait_data_conn' is always true
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:07:00 +02:00
Daniel Stenberg
97c17e9fcb
ftp: part of conditional expression is always true: !result
Fixes warning detected by PVS-Studio
Fixes #4374
2019-09-20 08:06:58 +02:00
Daniel Stenberg
69ea985d4c
http: fix Expression 'http->postdata' is always false
Fixes warning detected by PVS-Studio
Fixes #4374
Reported-by: Valerii Zapodovnikov
2019-09-20 08:06:47 +02:00
Niall O'Reilly
0d59addff6
doh: avoid truncating DNS QTYPE to lower octet
Closes #4381
2019-09-19 22:50:38 +02:00
Jens Finkhaeuser
0a4ecbdf1c
urlapi: CURLU_NO_AUTHORITY allows empty authority/host part
CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not
"file:///") to override cURL's default demand that an authority exists.

Closes #4349
2019-09-19 15:57:28 +02:00
Daniel Stenberg
3c5f9ba899
url: only reuse TLS connections with matching pinning
If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
connection should not be reused.

Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
Reported-by: Sebastian Haglund

Closes #4347
2019-09-19 14:58:24 +02:00
Michael Kaufmann
2a2404153b http: merge two "case" statements 2019-09-18 13:45:41 +02:00
Zenju
1c02a4e874
FTP: remove trailing slash from path for LIST/MLSD
Closes #4348
2019-09-18 09:27:21 +02:00
Daniel Stenberg
ac58c51b29
mime: when disabled, avoid C99 macro
Closes #4368
2019-09-18 08:08:41 +02:00
Daniel Stenberg
beb4350917
url: cleanup dangling DOH request headers too
Follow-up to 9bc44ff64d

Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/17269

Closes #4372
2019-09-18 07:48:49 +02:00
Christoph M. Becker
7c596f5dea
http2: relax verification of :authority in push promise requests
If the :authority pseudo header field doesn't contain an explicit port,
we assume it is valid for the default port, instead of rejecting the
request for all ports.

Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html

Closes #4365
2019-09-16 23:36:22 +02:00
Daniel Stenberg
9bc44ff64d
doh: clean up dangling DOH handles and memory on easy close
If you set the same URL for target as for DoH (and it isn't a DoH
server), like "https://example.com" in both, the easy handles used for
the DoH requests could be left "dangling" and end up not getting freed.

Reported-by: Paul Dreik
Closes #4366
2019-09-16 17:31:56 +02:00
Daniel Stenberg
6de1053692
smb: check for full size message before reading message details
To avoid reading of uninitialized data.

Assisted-by: Max Dymond
Bug: https://crbug.com/oss-fuzz/16907
Closes #4363
2019-09-16 14:16:06 +02:00
Daniel Stenberg
00da834156
quiche: persist connection details
... like we do for other protocols at connect time. This makes "curl -I"
and other things work.

Reported-by: George Liu
Fixes #4358
Closes #4360
2019-09-16 13:37:26 +02:00
Daniel Stenberg
a0f8fccb1e
openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version
Follow-up to ffe34b7b59
Closes #4359
2019-09-16 08:49:51 +02:00
Paul Dreik
dda418266c
doh: fix undefined behaviour and open up for gcc and clang optimization
The undefined behaviour is annoying when running fuzzing with
sanitizers. The codegen is the same, but the meaning is now not up for
dispute. See https://cppinsights.io/s/516a2ff4

By incrementing the pointer first, both gcc and clang recognize this as
a bswap and optimizes it to a single instruction.  See
https://godbolt.org/z/994Zpx

Closes #4350
2019-09-15 23:27:45 +02:00
Paul Dreik
b766602729
doh: fix (harmless) buffer overrun
Added unit test case 1655 to verify.
Close #4352

the code correctly finds the flaws in the old code,
if one temporarily restores doh.c to the old version.
2019-09-15 23:25:24 +02:00
Daniel Stenberg
65f5b958c9
FTP: allow "rubbish" prepended to the SIZE response
This is a protocol violation but apparently there are legacy proprietary
servers doing this.

Added test 336 and 337 to verify.

Reported-by: Philippe Marguinaud
Closes #4339
2019-09-13 14:21:00 +02:00
Zenju
acf1d2acd1
FTP: skip CWD to entry dir when target is absolute
Closes #4332
2019-09-13 14:05:34 +02:00
Daniel Stenberg
83b4cfacba
parsedate: still provide the name arrays when disabled
If FILE or FTP are enabled, since they also use them!

Reported-by: Roland Hieber
Fixes #4325
Closes #4343
2019-09-13 08:25:14 +02:00
Daniel Stenberg
a56a47ac33
openssl: close_notify on the FTP data connection doesn't mean closure
For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!

Regression since 3f5da4e59a (7.65.0)

Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340
2019-09-13 00:10:47 +02:00
Zenju
0aef91411e
setopt: make it easier to add new enum values
... by using the *_LAST define names better.

Closes #4321
2019-09-12 09:42:54 +02:00
Daniel Stenberg
e34ec7de59
asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
Reported-by: Dagobert Michelsen
Fixes #4328
Closes #4333
2019-09-12 09:37:11 +02:00
Jay Satiro
08f96982a9 ldap: Stop using wide char version of ldapp_err2string
Despite ldapp_err2string being documented by MS as returning a
PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and
returns PWCHAR (wchar_t *).

We have lots of code that expects ldap_err2string to return char *,
most of it failf used like this:

failf(data, "LDAP local: Some error: %s", ldap_err2string(rc));

Closes https://github.com/curl/curl/pull/4272
2019-09-11 02:44:47 -04:00
Daniel Stenberg
9637dbfffd
urlapi: one colon is enough for the strspn() input (typo) 2019-09-10 11:51:51 +02:00
Daniel Stenberg
eab3c580f9
urlapi: verify the IPv6 numerical address
It needs to parse correctly. Otherwise it could be tricked into letting
through a-f using host names that libcurl would then resolve. Like
'[ab.be]'.

Reported-by: Thomas Vegas
Closes #4315
2019-09-10 11:32:12 +02:00
Clément Notin
ffe34b7b59
openssl: use SSL_CTX_set_<min|max>_proto_version() when available
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available.  Existing code is preserved for older versions of
OpenSSL.

Closes #4304
2019-09-10 08:11:42 +02:00
Clément Notin
9136542d33
openssl: indent, re-organize and add comments 2019-09-10 08:08:44 +02:00
migueljcrum
67b30b3418
sspi: fix memory leaks
Closes #4299
2019-09-10 08:06:05 +02:00
Daniel Stenberg
c4c9e070f3
Curl_fillreadbuffer: avoid double-free trailer buf on error
Reviewed-by: Jay Satiro
Reported-by: Thomas Vegas

Closes #4307
2019-09-09 09:36:27 +02:00
Daniel Stenberg
9069838b30
security:read_data fix bad realloc()
... that could end up a double-free

CVE-2019-5481
Bug: https://curl.haxx.se/docs/CVE-2019-5481.html
2019-09-09 08:14:34 +02:00
Thomas Vegas
facb0e4662
tftp: Alloc maximum blksize, and use default unless OACK is received
Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.

Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482
2019-09-09 08:14:34 +02:00
Thomas Vegas
82f3ba3806
tftp: return error when packet is too small for options 2019-09-09 08:14:34 +02:00
Daniel Stenberg
158dcb9f86
netrc: free 'home' on error
Follow-up to f9c7ba9096

Coverity CID 1453474

Closes #4291
2019-09-03 23:00:51 +02:00
Daniel Stenberg
4ac2884003
urldata: avoid 'generic', use dedicated pointers
For the 'proto' union within the connectdata struct.

Closes #4290
2019-09-03 23:00:51 +02:00
Daniel Stenberg
5050edb124
cleanup: move functions out of url.c and make them static
Closes #4289
2019-09-03 13:11:12 +02:00
Daniel Stenberg
4d0306c698
smtp: check for and bail out on too short EHLO response
Otherwise, a three byte response would make the smtp_state_ehlo_resp()
function misbehave.

Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/16918

Assisted-by: Max Dymond

Closes #4287
2019-09-03 08:25:23 +02:00
Daniel Stenberg
198b73d12c
smb: init *msg to NULL in smb_send_and_recv()
... it might otherwise return OK from this function leaving that pointer
uninitialized.

Bug: https://crbug.com/oss-fuzz/16907

Closes #4286
2019-09-02 23:06:48 +02:00
Daniel Stenberg
84ced9389e
Curl_addr2string: take an addrlen argument too
This allows the function to figure out if a unix domain socket has a
file name or not associated with it! When a socket is created with
socketpair(), as done in the fuzzer testing, the path struct member is
uninitialized and must not be accessed.

Bug: https://crbug.com/oss-fuzz/16699

Closes #4283
2019-08-31 11:41:56 +02:00
Daniel Stenberg
c30aff4f88
quiche: expire when poll returned data
... to make sure we continue draining the queue until empty

Closes #4281
2019-08-30 17:41:16 +02:00
Daniel Stenberg
4d9e324771
quiche: decrease available buffer size, don't assign it!
Found-by: Jeremy Lainé
2019-08-30 17:41:11 +02:00
Daniel Stenberg
7bac3135df
ngtcp2: on h3 stream close, call expire
... to trigger a new read to detect the stream close!

Closes #4275
2019-08-29 19:23:52 +02:00
Tatsuhiro Tsujikawa
484b6f345f
ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl
Closes #4278
2019-08-29 19:22:16 +02:00
Daniel Stenberg
0690b3330c
ngtcp2: set flow control window to stream buffer size
Closes #4274
2019-08-28 14:37:19 +02:00
Tatsuhiro Tsujikawa
5b3be0729c
ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl
Closes #4270
2019-08-27 16:31:19 +02:00
Daniel Stenberg
c1b6a384f9
http2: when marked for closure and wanted to close == OK
It could otherwise return an error even when closed correctly if GOAWAY
had been received previously.

Reported-by: Tom van der Woerdt
Fixes #4267
Closes #4268
2019-08-26 22:44:59 +02:00
Kamil Dudka
7e513c1048 vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure
This is a follow-up to https://github.com/curl/curl/pull/3864 .

Closes #4224
2019-08-26 13:43:21 +02:00
Daniel Stenberg
48f589893d
quiche: send the HTTP body correctly on callback uploads
Closes #4265
2019-08-26 11:31:39 +02:00
Daniel Stenberg
aae22fdbd5
ngtcp2: add support for SSLKEYLOGFILE
Closes #4260
2019-08-25 23:29:46 +02:00
Daniel Stenberg
30a606e066
ngtcp2: improve h3 response receiving
Closes #4259
2019-08-25 23:29:43 +02:00
Daniel Stenberg
b959c2f775
ngtcp2: use nghttp3_version() 2019-08-25 23:18:17 +02:00
Daniel Stenberg
ff4ef390f6
ngtcp2: sync with upstream API changes
Assisted-by: Tatsuhiro Tsujikawa
2019-08-25 23:18:14 +02:00
Kyle Abramowitz
25f9621935
scp: fix directory name length used in memcpy
Fix read off end of array due to bad pointer math in getworkingpath for
SCP home directory case.

Closes #4258
2019-08-24 18:47:56 +02:00
Daniel Stenberg
65fda739ee
http: the 'closed' struct field is used by both ngh2 and ngh3
and remove 'header_recvbuf', not used for anything

Reported-by: Jeremy Lainé

Closes #4257
2019-08-24 17:21:41 +02:00
Daniel Stenberg
0a5d28fa2e
ngtcp2: accept upload via callback
Closes #4256
2019-08-23 22:33:29 +02:00
Daniel Stenberg
e59540139a
cleanup: remove DOT_CHAR completely
Follow-up to f9c7ba9096

The use of DOT_CHAR for ".ssh" was probably a mistake and is removed
now.

Pointed-out-by: Gisle Vanem
Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638

Closes #4247
2019-08-20 23:07:59 +02:00
Daniel Stenberg
23803aae7b
spnego_sspi: add typecast to fix build warning
Reported in build "Win32 target on Debian Stretch (64-bit) -
i686-w64-mingw32 - gcc-20170516"

Closes #4245
2019-08-20 23:06:19 +02:00
Daniel Stenberg
3e8a9bfd17
openssl: build warning free with boringssl
Closes #4244
2019-08-20 19:55:06 +02:00
Daniel Stenberg
2056175dc2
ngtcp2: make postfields-set posts work
Closes #4242
2019-08-20 16:53:40 +02:00
Daniel Stenberg
99775438d6
http: remove chunked-encoding and expect header use for HTTP/3 2019-08-20 16:53:40 +02:00
Daniel Stenberg
6a90c9e0c4
CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2
For a long time (since 7.28.1) we've returned error when setting the
value to 1 to make applications notice that we stopped supported the old
behavior for 1. Starting now, we treat 1 and 2 exactly the same.

Closes #4241
2019-08-20 14:57:59 +02:00
Daniel Stenberg
f9c7ba9096
netrc: make the code try ".netrc" on Windows as well
... but fall back and try "_netrc" too if the dot version didn't work.

Co-Authored-By: Steve Holme
2019-08-20 11:48:42 +02:00
Daniel Stenberg
1a0dc6f6a3
ngtcp2: use ngtcp2_version() to get the run-time version
... which of course doesn't have to be the same used at build-time.

Function just recently merged in ngtcp2.
2019-08-20 08:52:22 +02:00
Daniel Stenberg
349c3f5a08
ngtcp2: move the h3 initing to immediately after the rx key
To fix a segfault and to better deal with 0-RTT

Assisted-by: Tatsuhiro Tsujikawa
2019-08-20 08:51:23 +02:00
Alessandro Ghedini
e54affa82c
quiche: register debug callback once and earlier
The quiche debug callback is global and can only be initialized once, so
make sure we don't do it multiple times (e.g. if multiple requests are
executed).

In addition this initializes the callback before the connection is
created, so we get logs for the handshake as well.

Closes #4236
2019-08-17 17:00:49 +02:00
Daniel Stenberg
ea28a6cb2f
ssh: add a generic Curl_ssh_version function for SSH backends
Closes #4235
2019-08-17 16:57:58 +02:00
Daniel Stenberg
1a7634e484
base64: check for SSH, not specific SSH backends 2019-08-17 16:57:56 +02:00
Daniel Stenberg
d6dea75af7
vssh: move ssh init/cleanup functions into backend code 2019-08-17 16:57:55 +02:00
Daniel Stenberg
5b2d703fe5
vssh: create directory for SSH backend code 2019-08-17 16:57:55 +02:00
Daniel Stenberg
68fab35c73
http: fix use of credentials from URL when using HTTP proxy
When a username and password are provided in the URL, they were wrongly
removed from the stored URL so that subsequent uses of the same URL
wouldn't find the crendentials. This made doing HTTP auth with multiple
connections (like Digest) mishave.

Regression from 46e164069d (7.62.0)

Test case 335 added to verify.

Reported-by: Mike Crowe

Fixes #4228
Closes #4229
2019-08-16 10:11:22 +02:00
Daniel Stenberg
cec3ef8793
ngtcp2: provide the callbacks as a static struct
... instead of having them in quicsocket
2019-08-15 10:20:35 +02:00
Tatsuhiro Tsujikawa
408c758bb8
ngtcp2: add missing nghttp3_conn_add_write_offset call
Closes #4225
2019-08-15 08:02:52 +02:00
Tatsuhiro Tsujikawa
c47ef9115e
ngtcp2: deal with stream close 2019-08-15 08:02:23 +02:00
Tatsuhiro Tsujikawa
e42bd8a204
ngtcp2: Consume QUIC STREAM data properly 2019-08-15 08:02:20 +02:00
Tatsuhiro Tsujikawa
887ebc384c
ngtcp2: don't reinitialize SSL on Retry 2019-08-15 08:02:15 +02:00
Daniel Stenberg
437bf10cad
multi: getsock improvements for QUIC connecting 2019-08-14 23:14:12 +02:00
Daniel Stenberg
5848f27594
connect: connections are persistent by default for HTTP/3 2019-08-14 23:14:12 +02:00
Daniel Stenberg
baf7860b71
quiche: happy eyeballs
Closes #4220
2019-08-14 23:14:12 +02:00
Daniel Stenberg
f2cc26456b
ngtcp2: do QUIC connections happy-eyeballs friendly 2019-08-14 23:14:12 +02:00
Daniel Stenberg
1d85e09ccd
curl_version: bump string buffer size to 250
With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which
causes a truncated output).
2019-08-14 15:16:07 +02:00
Jay Satiro
dca6f73613 vauth: Use CURLE_AUTH_ERROR for auth function errors
- Add new error code CURLE_AUTH_ERROR.

Prior to this change auth function errors were signaled by
CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was
technically correct.

Ref: https://github.com/curl/curl/pull/3848

Co-authored-by: Dominik Hölzl

Closes https://github.com/curl/curl/pull/3864
2019-08-14 03:14:01 -04:00
Peter Wu
cc5fae5dac nss: use TLSv1.3 as default if supported
SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported
range in NSS 3.45. It looks like the intention is to raise the minimum
version rather than lowering the maximum, so adjust accordingly. Note
that the caller (nss_setup_connect) initializes the version range to
(TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again.

Closes #4187
Reviewed-by: Daniel Stenberg
Reviewed-by: Kamil Dudka
2019-08-13 21:59:30 +01:00
Daniel Stenberg
362d59edab
quic.h: remove unused proto 2019-08-13 15:09:07 +02:00
Daniel Stenberg
d6cb1bdf6c
lib/quic.c: unused - removed 2019-08-13 12:41:04 +02:00
Daniel Stenberg
49e6b3857f
altsvc: make it use h3-22 with ngtcp2 as well 2019-08-12 22:30:58 +02:00
Daniel Stenberg
368d444cc6
ngtcp2: initial h3 request work
Closes #4217
2019-08-12 22:30:52 +02:00
Daniel Stenberg
1a2df1518a
curl_version_info: offer quic (and h3) library info
Closes #4216
2019-08-12 13:37:08 +02:00
Tatsuhiro Tsujikawa
fb6d46a709
ngtcp2: send HTTP/3 request with nghttp3
This commit makes sending HTTP/3 request with nghttp3 work.  It
minimally receives HTTP response and calls nghttp3 callbacks, but no
processing is made at the moment.

Closes #4215
2019-08-12 09:20:36 +02:00
Daniel Stenberg
102ebe0459
nghttp3: initial h3 template code added 2019-08-12 00:18:59 +02:00
Daniel Stenberg
d85a1cf11d
nghttp3: required when ngtcp2 is used for QUIC
- checked for by configure
- updated docs/HTTP3.md
- shown in the version string

Closes #4210
2019-08-12 00:18:53 +02:00
Eric Wong
17d1e27d30
asyn-thread: issue CURL_POLL_REMOVE before closing socket
This avoids EBADF errors from EPOLL_CTL_DEL operations in the
ephiperfifo.c example.  EBADF is dangerous in multi-threaded
applications where I rely on epoll_ctl to operate on the same
epoll description from different threads.

Follow-up to eb9a604f8d

Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html
Closes #4211
2019-08-11 22:58:01 +02:00
Tatsuhiro Tsujikawa
86ae740482
ngtcp2: Send ALPN h3-22
Closes #4212
2019-08-11 16:47:29 +02:00
Tatsuhiro Tsujikawa
f49abd1090
ngtcp2: use ngtcp2_settings_default and specify initial_ts 2019-08-11 16:47:21 +02:00
Tatsuhiro Tsujikawa
afce0620a2
ngtcp2: make the QUIC handshake work
Closes #4209
2019-08-10 16:07:33 +02:00
Daniel Stenberg
084404b8ab
CURLOPT_H3: removed
There's no use for this anymore and it was never in a release.

Closes #4206
2019-08-09 12:26:02 +02:00
Daniel Stenberg
db061571ef
http3: make connection reuse work
Closes #4204
2019-08-09 12:26:02 +02:00
Daniel Stenberg
4570c22c57
quiche: add SSLKEYLOGFILE support 2019-08-09 12:23:18 +02:00
Daniel Stenberg
69b3ff5118
alt-svc: add protocol version selection masking
So that users can mask in/out specific HTTP versions when Alt-Svc is
used.

 - Removed "h2c" and updated test case accordingly
 - Changed how the altsvc struct is laid out
 - Added ifdefs to make the unittest run even in a quiche-tree

Closes #4201
2019-08-08 09:10:29 +02:00
Daniel Stenberg
a93b43cde8
http3: fix the HTTP/3 in the request, make alt-svc set right versions
Closes #4200
2019-08-08 08:28:43 +02:00
Daniel Stenberg
98c3f14871
alt-svc: send Alt-Used: in redirected requests
RFC 7838 section 5:

   When using an alternative service, clients SHOULD include an Alt-Used
   header field in all requests.

Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus
this is deemed ok).

You can disable sending this header just like you disable any other HTTP
header in libcurl.

Closes #4199
2019-08-08 08:24:37 +02:00
Daniel Stenberg
026840e35c
CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly
Even though it cannot fall-back to a lower HTTP version automatically. The
safer way to upgrade remains via CURLOPT_ALTSVC.

CURLOPT_H3 no longer has any bits that do anything and might be removed
before we remove the experimental label.

Updated the curl tool accordingly to use "--http3".

Closes #4197
2019-08-08 08:17:24 +02:00
Daniel Stenberg
f933449d3b
CURLINFO_RETRY_AFTER: parse the Retry-After header value
This is only the libcurl part that provides the information. There's no
user of the parsed value. This change includes three new tests for the
parser.

Ref: #3794
2019-08-07 14:45:39 +02:00
Daniel Stenberg
fd00e14adb
curl.h: add CURL_HTTP_VERSION_3 to the version enum
It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with
CURLINFO_HTTP_VERSION.
2019-08-07 12:51:52 +02:00
Daniel Stenberg
1f145b02d9
quiche: make use of the connection timeout API properly 2019-08-07 12:51:52 +02:00
Daniel Stenberg
7a83e1d1d4
quiche: make POSTFIELDS posts work 2019-08-07 11:05:05 +02:00
Daniel Stenberg
07828b1c9d
quiche: improved error handling and memory cleanups 2019-08-07 08:39:39 +02:00
Daniel Stenberg
470551b7fc
quiche: flush egress in h3_stream_recv() too 2019-08-07 07:48:37 +02:00
Steve Holme
7c469fa537 sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID
Added the ability for the calling program to specify the authorisation
identity (authzid), the identity to act as, in addition to the
authentication identity (authcid) and password when using SASL PLAIN
authentication.

Fixes #3653
Closes #3790

NOTE: This commit was cherry-picked and is part of a series of commits
that added the authzid feature for upcoming 7.66.0. The series was
temporarily reverted in db8ec1f so that it would not ship in a 7.65.x
patch release.

Closes https://github.com/curl/curl/pull/4186
2019-08-06 11:38:20 -04:00
Yiming Jing
9b5f2ad329
mesalink: implement client authentication
Closes #4184
2019-08-06 10:19:17 +02:00
Daniel Stenberg
02346abc32
curl_multi_poll: a sister to curl_multi_wait() that waits more
Repeatedly we see problems where using curl_multi_wait() is difficult or
just awkward because if it has no file descriptor to wait for
internally, it returns immediately and leaves it to the caller to wait
for a small amount of time in order to avoid occasional busy-looping.

This is often missed or misunderstood, leading to underperforming
applications.

This change introduces curl_multi_poll() as a replacement drop-in
function that accepts the exact same set of arguments. This function
works identically to curl_multi_wait() - EXCEPT - for the case when
there's nothing to wait for internally, as then this function will by
itself wait for a "suitable" short time before it returns. This
effectiely avoids all risks of busy-looping and should also make it less
likely that apps "over-wait".

This also changes the curl tool to use this funtion internally when
doing parallel transfers and changes curl_easy_perform() to use it
internally.

Closes #4163
2019-08-06 09:33:29 +02:00
Daniel Stenberg
cee7639b79
quiche:h3_stream_recv return 0 at end of stream
... and remove some verbose messages we don't need. Made transfers from
facebook.com work better.
2019-08-06 08:06:58 +02:00
Daniel Stenberg
92dc514c5b
altsvc: make quiche use h3-22 now 2019-08-06 07:39:27 +02:00
Daniel Stenberg
e9bbc81299
quiche: show the actual version number 2019-08-06 07:39:27 +02:00
Daniel Stenberg
dc35631ef7
quiche: first working HTTP/3 request
- enable debug log
 - fix use of quiche API
 - use download buffer
 - separate header/body

Closes #4193
2019-08-06 07:39:21 +02:00
Daniel Stenberg
a42b0957ab
http09: disable HTTP/0.9 by default in both tool and library
As the plan has been laid out in DEPRECATED. Update docs accordingly and
verify in test 1174. Now requires the option to be set to allow HTTP/0.9
responses.

Closes #4191
2019-08-06 00:08:14 +02:00
Daniel Stenberg
4173868f66
quiche: initial h3 request send/receive 2019-08-05 14:20:56 +02:00
Daniel Stenberg
47645f45da
lib/Makefile.am: make checksrc run in vquic too 2019-08-05 14:20:51 +02:00
Daniel Stenberg
182c272133
altsvc: fix removal of expired cache entry
Closes #4192
2019-08-05 14:18:46 +02:00
Steve Holme
850a295b41
md4: Use our own MD4 implementation when no crypto libraries are available
Closes #3780
2019-08-04 18:01:29 +01:00
Steve Holme
72e5fd83b2
md4: No need to include Curl_md4.h for each TLS library 2019-08-04 18:01:29 +01:00
Steve Holme
3d9685ee55
md4: No need for the NTLM code to call Curl_md4it() for each TLS library
As the NTLM code no longer calls any of TLS libraries' specific MD4
functions, there is no need to call this function for each #ifdef.
2019-08-04 18:01:28 +01:00
Steve Holme
2ff216f1b0
md4: Move the mbed TLS MD4 implementation out of the NTLM code 2019-08-04 18:01:28 +01:00
Steve Holme
c5eb2fd618
md4: Move the WinCrypt implementation out of the NTLM code 2019-08-04 18:01:27 +01:00
Steve Holme
11c50f7655
md4: Move the SecureTransport implementation out of the NTLM code 2019-08-04 18:01:27 +01:00
Steve Holme
24c298fb4d
md4: Use the Curl_md4it() function for OpenSSL based NTLM 2019-08-04 18:01:26 +01:00
Steve Holme
c89365929b
md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code 2019-08-04 18:01:26 +01:00
Steve Holme
78e263676b
md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code 2019-08-04 18:01:25 +01:00
Jay Satiro
9a24f97711 OS400: Add CURLOPT_H3 symbols
Follow-up to 3af0e76 which added experimental H3 support.

Closes https://github.com/curl/curl/pull/4185
2019-08-04 11:04:51 -04:00
Daniel Stenberg
cc28a502bc
url: make use of new HTTP version if alt-svc has one 2019-08-03 21:55:51 +02:00
Daniel Stenberg
a9a2b26830
url: set conn->transport to default TCP at init time 2019-08-03 21:55:51 +02:00
Daniel Stenberg
0711153b46
altsvc: with quiche, use the quiche h3 alpn string
Closes #4183
2019-08-03 21:55:41 +02:00
Daniel Stenberg
1132f43012
alt-svc: more liberal ALPN name parsing
Allow pretty much anything to be part of the ALPN identifier. In
particular minus, which is used for "h3-20" (in-progress HTTP/3
versions) etc.

Updated test 356.
Closes #4182
2019-08-03 21:54:00 +02:00
Daniel Stenberg
decefd5778
quiche: use the proper HTTP/3 ALPN 2019-08-02 13:52:14 +02:00
Daniel Stenberg
fc5b61baf0
quiche: add failf() calls for two error cases
To aid debugging

Closes #4181
2019-08-02 13:52:07 +02:00
Kamil Dudka
4c187043c5 http_negotiate: improve handling of gss_init_sec_context() failures
If HTTPAUTH_GSSNEGOTIATE was used for a POST request and
gss_init_sec_context() failed, the POST request was sent
with empty body.  This commit also restores the original
behavior of `curl --fail --negotiate`, which was changed
by commit 6c60355323.

Add regression tests 2077 and 2078 to cover this.

Fixes #3992
Closes #4171
2019-08-01 16:21:41 +02:00
Daniel Stenberg
b1616dad8f
timediff: make it 64 bit (if possible) even with 32 bit time_t
... to make it hold microseconds too.

Fixes #4165
Closes #4168
2019-08-01 07:43:24 +02:00
Daniel Stenberg
b7d1264647
getenv: support up to 4K environment variable contents on windows
Reported-by: Michal Čaplygin
Fixes #4174
Closes #4175
2019-07-31 08:20:59 +02:00
lufia
84aba180e2
plan9: add support for running on Plan 9
Closes #3701
2019-07-31 00:23:25 +02:00
lufia
6cd5c35509
ntlm: explicit type casting 2019-07-31 00:22:16 +02:00
Daniel Stenberg
a55faf33d4
cleanup: remove the 'numsocks' argument used in many places
It was used (intended) to pass in the size of the 'socks' array that is
also passed to these functions, but was rarely actually checked/used and
the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries
that should be used instead.

Closes #4169
2019-07-30 23:16:44 +02:00
Daniel Stenberg
cb542ac4d0
readwrite_data: repair setting the TIMER_STARTTRANSFER stamp
Regression, broken in commit 65eb65fde6 (curl 7.64.1)

Reported-by: Jonathan Cardoso Machado
Assisted-by: Jay Satiro

Fixes #4136
Closes #4162
2019-07-30 23:07:56 +02:00
Daniel Stenberg
041690aadb
asyn-thread: removed unused variable
Follow-up to eb9a604f. Mistake caused by me when I edited the commit
before push...
2019-07-30 10:29:54 +02:00
amkatyal
eb9a604f8d
asyn-thread: create a socketpair to wait on
Closes #4157
2019-07-30 08:27:30 +02:00
Daniel Stenberg
d23e87d551
progress: reset download/uploaded counter
... to make CURLOPT_MAX_RECV_SPEED_LARGE and
CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that
reuse the same handle.

Fixed-by: Ironbars13 on github
Fixes #4084
Closes #4161
2019-07-29 22:31:30 +02:00
Daniel Stenberg
fc6045f5d1
http2_recv: trigger another read when the last data is returned
... so that end-of-stream is detected properly.

Reported-by: Tom van der Woerdt
Fixes #4043
Closes #4160
2019-07-29 22:16:27 +02:00
Balazs Kovacsics
802aa5ae27
HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown
If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set,
automatically add a Transfer-Encoding: chunked header, same as it is
already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME.  Update
test 1514 according to the new behaviour.

Closes #4138
2019-07-29 13:18:53 +02:00
Jay Satiro
78ed3abe11 easy: resize receive buffer on easy handle reset
- In curl_easy_reset attempt to resize the receive buffer to its default
  size. If realloc fails then continue using the previous size.

Prior to this change curl_easy_reset did not properly handle resetting
the receive buffer (data->state.buffer). It reset the variable holding
its size (data->set.buffer_size) to the default size (READBUFFER_SIZE)
but then did not actually resize the buffer. If a user resized the
buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the
default, later called curl_easy_reset and attempted to reuse the handle
then a heap overflow would very likely occur during that handle's next
transfer.

Reported-by: Felix Hädicke

Fixes https://github.com/curl/curl/issues/4143
Closes https://github.com/curl/curl/pull/4145
2019-07-25 22:24:06 -04:00
Felix Hädicke
6261749510
ssh-libssh: do not specify O_APPEND when not in append mode
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
make much sense. And this combination of flags is not accepted by all
SFTP servers (at least not Apache SSHD).

Fixes #4147
Closes #4148
2019-07-25 23:29:21 +02:00
Gergely Nagy
a55edcea65
multi: call detach_connection before Curl_disconnect
Curl_disconnect bails out if conn->easyq is not empty, detach_connection
needs to be called first to remove the current easy from the queue.

Fixes #4144
Closes #4151
2019-07-25 18:06:42 +02:00
Daniel Stenberg
3af0e76d1e
HTTP3: initial (experimental) support
USe configure --with-ngtcp2 or --with-quiche

Using either option will enable a HTTP3 build.
Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me>

Closes #3500
2019-07-21 23:49:03 +02:00
Daniel Stenberg
828392ae10
curl_version_info: provide nghttp2 details
Introducing CURLVERSION_SIXTH with nghttp2 info.

Closes #4121
2019-07-20 00:06:42 +02:00
Daniel Stenberg
ec3f6f1c36
source: remove names from source comments
Several reasons:

- we can't add everyone who's helping out so its unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code is
"owned" or "controlled" by specific persons

Assisted-by: Daniel Gustafsson
Closes #4129
2019-07-19 23:50:22 +02:00
Daniel Stenberg
27e14efe5f
progress: make the progress meter appear again
Fix regression caused by 21080e1

Reported-by: Chih-Hsuan Yen
Fixes #4122
Closes #4124
2019-07-19 11:29:27 +02:00
Daniel Gustafsson
e5b371dc51 nss: inspect returnvalue of token check
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call.  Should it
return false, we should however treat it as an error and bail out.

Closes https://github.com/curl/curl/pull/4110
2019-07-17 00:52:24 -04:00
Jay Satiro
e8442e4ffc libcurl: Restrict redirect schemes (follow-up)
- Allow FTPS on redirect.

- Update default allowed redirect protocols in documentation.

Follow-up to 6080ea0.

Ref: https://github.com/curl/curl/pull/4094

Closes https://github.com/curl/curl/pull/4115
2019-07-17 00:48:40 -04:00
Linos Giannopoulos
6080ea098d
libcurl: Restrict redirect schemes
All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS
counterpart were allowed for redirect. This vastly broadens the
exploitation surface in case of a vulnerability such as SSRF [1], where
libcurl-based clients are forced to make requests to arbitrary hosts.

For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based
protocol by URL-encoding a payload in the URI. Gopher will open a TCP
connection and send the payload.

Only HTTP/HTTPS and FTP are allowed. All other protocols have to be
explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS.

[1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/

Signed-off-by: Linos Giannopoulos <lgian@skroutz.gr>

Closes #4094
2019-07-14 16:29:55 +02:00
Zenju
7e8f1916d6
openssl: define HAVE_SSL_GET_SHUTDOWN based on version number
Closes #4100
2019-07-14 16:24:46 +02:00
Peter Simonyi
855887af79
http: allow overriding timecond with custom header
With CURLOPT_TIMECONDITION set, a header is automatically added (e.g.
If-Modified-Since).  Allow this to be replaced or suppressed with
CURLOPT_HTTPHEADER.

Fixes #4103
Closes #4109
2019-07-14 16:17:15 +02:00
Juergen Hoetzel
ac3d19a26d smb: Use the correct error code for access denied on file open
- Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open.

Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead.

Closes https://github.com/curl/curl/pull/4095
2019-07-11 02:57:40 -04:00
Gisle Vanem
26da21c84a system_win32: fix clang warning
- Declare variable in header as extern.

Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597
2019-07-11 02:27:04 -04:00
Daniel Gustafsson
11d7fe118d headers: Remove no longer exported functions
There were a leftover few prototypes of Curl_ functions that we used to
export but no longer do, this removes those prototypes and cleans up any
comments still referring to them.

Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free()
Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn()
were made static in 05b100aee2.
Curl_http_perhapsrewind() made static in 574aecee20.

For the remainder, I didn't trawl the Git logs hard enough to capture
their exact time of deletion, but they were all gone: Curl_splayprint(),
Curl_http2_send_request(), Curl_global_host_cache_dtor(),
Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(),
Curl_http_auth_stage() and Curl_close_connections().

Closes #4096
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-07-10 19:26:40 +02:00
Daniel Gustafsson
efc55b8986 cleanup: fix typo in comment 2019-07-08 13:19:35 +02:00
Daniel Gustafsson
24e92a71d5 nss: support using libnss on macOS
The file suffix for dynamically loadable objects on macOS is .dylib,
which need to be added for the module definitions in order to get the
NSS TLS backend to work properly on macOS.

Closes https://github.com/curl/curl/pull/4046
2019-07-06 23:40:21 -04:00
Daniel Gustafsson
6717102503 nss: don't set unused parameter
The value of the maxPTDs parameter to PR_Init() has since at least
NSPR 2.1, which was released sometime in 1998, been marked ignored
as is accordingly not used in the initialization code.  Setting it
to a value when calling PR_Init() is thus benign, but indicates an
intent which may be misleading. Reset the value to zero to improve
clarity.

Closes https://github.com/curl/curl/pull/4054
2019-07-06 23:37:51 -04:00
Daniel Gustafsson
2028a1a977 nss: only cache valid CRL entries
Change the logic around such that we only keep CRLs that NSS actually
ended up caching around for later deletion.  If CERT_CacheCRL() fails
then there is little point in delaying the freeing of the CRL as it
is not used.

Closes https://github.com/curl/curl/pull/4053
2019-07-06 23:32:39 -04:00
Gergely Nagy
cf4255c847 lib: Use UTF-8 encoding in comments
Some editors and IDEs assume that source files use UTF-8 file encodings.
It also fixes the build with MSVC when /utf-8 command line option is
used (this option is mandatory for some other open-source projects, this
is useful when using the same options is desired for building all
libraries of a project).

Closes https://github.com/curl/curl/pull/4087
2019-07-06 23:25:20 -04:00
Jay Satiro
3609ab3147 docs: Fix links to OpenSSL docs
OpenSSL changed their manual locations and does not redirect to the new
locations.

Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html
Reported-by: Daniel Stenberg
2019-06-30 17:16:28 -04:00
Daniel Stenberg
c40eb3220c
openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined
... since that needs UI_OpenSSL() which isn't provided when OpenSSL is
built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for
UWP (with "VC-WIN32-UWP").

Reported-by: Vasily Lobaskin
Fixes #4073
Closes #4077
2019-06-26 07:59:46 +02:00
Daniel Stenberg
e4b5dd2987
win32: make DLL loading a no-op for UWP
Reported-by: Michael Brehm
Fixes #4060
Closes #4072
2019-06-25 20:33:07 +02:00
Daniel Gustafsson
b96282010e http: clarify header buffer size calculation
The header buffer size calculation can from static analysis seem to
overlow as it performs an addition between two size_t variables and
stores the result in a size_t variable. Overflow is however guarded
against elsewhere since the input to the addition is regulated by
the maximum read buffer size. Clarify this with a comment since the
question was asked.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-24 23:35:06 +02:00
Daniel Stenberg
265f7f42f6
http2: call done_sending on end of upload
To make sure a HTTP/2 stream registers the end of stream.

Bug #4043 made me find this problem but this fix doesn't correct the
reported issue.

Closes #4068
2019-06-24 23:11:37 +02:00
James Brown
d331227cf0
c-ares: honor port numbers in CURLOPT_DNS_SERVERS
By using ares_set_servers_ports_csv on new enough c-ares.

Fixes #4066
Closes #4067
2019-06-24 15:34:16 +02:00
Daniel Stenberg
e73b478246
multi: enable multiplexing by default (again)
It was originally made default in d7c4213bd0 (7.62.0) but mistakenly
reverted in commit 2f44e94efb (7.65.0). Now enabled again.

Closes #4051
2019-06-23 23:02:23 +02:00
Daniel Stenberg
c0c40ab075
http2: don't call stream-close on already closed streams
Closes #4055
2019-06-21 00:07:13 +02:00
Gisle Vanem
8f332e589b
system_win32: fix typo 2019-06-20 09:39:10 +02:00
Daniel Stenberg
21080e1828
configure: --disable-progress-meter
Builds libcurl without support for the built-in progress meter.

Closes #4023
2019-06-18 22:33:26 +02:00
Steve Holme
6c2f9bea70
netrc: Return the correct error code when out of memory
Introduced in 763c5178.

Closes #4036
2019-06-18 21:00:43 +01:00
Daniel Stenberg
7fb54ef89b
config-os400: add getpeername and getsockname defines
Reported-by: jonrumsey on github
Fixes #4037
Closes #4039
2019-06-18 16:42:51 +02:00
Gergely Nagy
6c2b7d44e3
openssl: fix pubkey/signature algorithm detection in certinfo
Certinfo gives the same result for all OpenSSL versions.
Also made printing RSA pubkeys consistent with older versions.

Reported-by: Michael Wallner
Fixes #3706
Closes #4030
2019-06-18 07:57:31 +02:00
Daniel Stenberg
755083d00d
conn_maxage: move the check to prune_dead_connections()
... and avoid the locking issue.

Reported-by: Kunal Ekawde
Fixes #4029
Closes #4032
2019-06-17 23:51:26 +02:00
Daniel Gustafsson
03a22a26c6 openssl: remove outdated comment
OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(),
which is why we switched to CONF_modules_load_file() and introduced
a comment stating why. This behavior was however changed in OpenSSL
commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now
outdated and incorrect comment. The mentioned commit also declares
OPENSSL_config() deprecated so keep the current coding.

Closes #4033
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-06-17 13:11:02 +02:00
Patrick Monnerat
ef8d98bbba os400: make vsetopt() non-static as Curl_vsetopt() for os400 support.
Use it in curl_easy_setopt_ccsid().

Reported-by: jonrumsey on github
Fixes #3833
Closes #4028
2019-06-16 01:05:53 +02:00
Daniel Stenberg
6cc18c59a7
multi: fix the transfer hash function
Follow-up from 8b987cc7eb

Reported-by: Tom van der Woerdt
Fixes #4018
Closes #4024
2019-06-14 00:49:35 +02:00
Marcel Raad
74f911d463
krb5: fix compiler warning
Even though the variable was used in a DEBUGASSERT, GCC 8 warned in
debug mode:
krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable]

Just suppress the warning and declare the variable unconditionally
instead of only for DEBUGBUILD (which also missed the check for
HAVE_ASSERT_H).

Closes https://github.com/curl/curl/pull/4020
2019-06-13 11:08:53 +02:00
Daniel Stenberg
8b987cc7eb
multi: fix the transfer hashes in the socket hash entries
- The transfer hashes weren't using the correct keys so removing entries
  failed.

- Simplified the iteration logic over transfers sharing the same socket and
  they now simply are set to expire and thus get handled in the "regular"
  timer loop instead.

Reported-by: Tom van der Woerdt
Fixes #4012
Closes #4014
2019-06-12 12:31:23 +02:00
Cliff Crosland
f67009dd98 url: Fix CURLOPT_MAXAGE_CONN time comparison
Old connections are meant to expire from the connection cache after
CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x
that value. This occurs because a time value measured in milliseconds is
accidentally divided by 1M instead of by 1,000.

Closes https://github.com/curl/curl/pull/4013
2019-06-12 01:10:22 -04:00
Daniel Stenberg
ee6945c088
http2: remove CURL_DISABLE_TYPECHECK define
... in http2-less builds as it served no use.
2019-06-11 07:49:24 +02:00
Daniel Stenberg
342a0c7ddf
wolfssl: fix key pinning build error
follow-up from deb9462ff2
2019-06-11 07:46:04 +02:00
Daniel Stenberg
4da5794d81
wolfssl: fixup for SNI use
follow-up from deb9462ff2

Closes #4007
2019-06-10 13:04:53 +02:00
Daniel Stenberg
deb9462ff2
wolfssl: refer to it as wolfSSL only
Remove support for, references to and use of "cyaSSL" from the source
and docs. wolfSSL is the current name and there's no point in keeping
references to ancient history.

Assisted-by: Daniel Gustafsson

Closes #3903
2019-06-10 09:18:16 +02:00
Daniel Stenberg
1667d5599d
bindlocal: detect and avoid IP version mismatches in bind()
Reported-by: Alex Grebenschikov
Fixes #3993
Closes #4002
2019-06-10 08:01:50 +02:00
Daniel Stenberg
094b5f3540
multi: make sure 'data' can present in several sockhash entries
Since more than one socket can be used by each transfer at a given time,
each sockhash entry how has its own hash table with transfers using that
socket.

In addition, the sockhash entry can now be marked 'blocked = TRUE'"
which then makes the delete function just set 'removed = TRUE' instead
of removing it "for real", as a way to not rip out the carpet under the
feet of a parent function that iterates over the transfers of that same
sockhash entry.

Reported-by: Tom van der Woerdt
Fixes #3961
Fixes #3986
Fixes #3995
Fixes #4004
Closes #3997
2019-06-10 00:47:48 +02:00
Daniel Stenberg
680f141332
unpause: trigger a timeout for event-based transfers
... so that timeouts or other state machine actions get going again
after a changing pause state. For example, if the last delivery was
paused there's no pending socket activity.

Reported-by: sstruchtrup on github
Fixes #3994
Closes #4001
2019-06-09 18:33:59 +02:00
Marcel Raad
e23c52b329
build: fix Codacy warnings
Reduce variable scopes and remove redundant variable stores.

Closes https://github.com/curl/curl/pull/3975
2019-06-05 20:38:06 +02:00
Frank Gevaerts
660603141c
ssl: Update outdated "openssl-only" comments for supported backends
These are for features that used to be openssl-only but were expanded
over time to support other SSL backends.

Closes #3985
2019-06-04 20:25:12 +01:00
Sergey Ogryzkov
f9b60fb6f8
NTLM: reset proxy "multipass" state when CONNECT request is done
Closes #3972
2019-06-02 23:11:33 +02:00
Michael Kaufmann
2e5ceb3934
http: don't parse body-related headers bodyless responses
Responses with status codes 1xx, 204 or 304 don't have a response body. For
these, don't parse these headers:

- Content-Encoding
- Content-Length
- Content-Range
- Last-Modified
- Transfer-Encoding

This change ensures that HTTP/2 upgrades work even if a
"Content-Length: 0" or a "Transfer-Encoding: chunked" header is present.

Co-authored-by: Daniel Stenberg
Closes #3702
Fixes #3968
Closes #3977
2019-06-02 22:58:04 +02:00
Daniel Stenberg
c36f42839d
singlesocket: use separate variable for inner loop
An inner loop within the singlesocket() function wrongly re-used the
variable for the outer loop which then could cause an infinite
loop. Change to using a separate variable!

Reported-by: Eric Wu
Fixes #3970
Closes #3973
2019-06-01 10:41:15 +02:00
Josie Huddleston
1c0e9527ba
http2: Stop drain from being permanently set on
Various functions called within Curl_http2_done() can have the
side-effect of setting the Easy connection into drain mode (by calling
drain_this()).  However, the last time we unset this for a transfer (by
calling drained_transfer()) is at the beginning of Curl_http2_done().
If the Curl_easy is reused for another transfer, it is then stuck in
drain mode permanently, which in practice makes it unable to write any
data in the new transfer.

This fix moves the last call to drained_transfer() to later in
Curl_http2_done(), after the functions that could potentially call for a
drain.

Fixes #3966
Closes #3967
Reported-by: Josie-H
2019-05-30 00:26:20 +02:00
Steve Holme
bdf6d8af3e
conncache: Remove the DEBUGASSERT on length check
We trust the calling code as this is an internal function.

Closes #3962
2019-05-29 22:07:43 +01:00
Gisle Vanem
48b9ea4379 system_win32: fix function prototype
- Change if_nametoindex parameter type from char * to const char *.

Follow-up to 09eef8af from this morning.

Bug: https://github.com/curl/curl/commit/09eef8af#r33716067
2019-05-29 14:37:39 -04:00
Steve Holme
09eef8af18
url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows
This fixes the static dependency on iphlpapi.lib and allows curl to
build for targets prior to Windows Vista.

This partially reverts 170bd047.

Fixes #3960
Closes #3958
2019-05-29 07:19:20 +01:00
Daniel Stenberg
5908009e31
http: fix "error: equality comparison with extraneous parentheses" 2019-05-29 08:17:08 +02:00
Daniel Stenberg
6961322f70
parse_proxy: make sure portptr is initialized
Reported-by: Benbuck Nason

fixes #3959
2019-05-28 23:50:49 +02:00
Daniel Stenberg
a6183ab23a
url: default conn->port to the same as conn->remote_port
... so that it has a sensible value when ConnectionExists() is called which
needs it set to differentiate host "bundles" correctly on port number!

Also, make conncache:hashkey() use correct port for bundles that are proxy vs
host connections.

Probably a regression from 7.62.0

Reported-by: Tom van der Woerdt
Fixes #3956
Closes #3957
2019-05-28 23:00:42 +02:00
Daniel Stenberg
2f11fbf208
conncache: make "bundles" per host name when doing proxy tunnels
Only HTTP proxy use where multiple host names can be used over the same
connection should use the proxy host name for bundles.

Reported-by: Tom van der Woerdt
Fixes #3951
Closes #3955
2019-05-28 16:23:59 +02:00
Daniel Stenberg
8581e1928e
multi: track users of a socket better
They need to be removed from the socket hash linked list with more care.

When sh_delentry() is called to remove a sockethash entry, remove all
individual transfers from the list first. To enable this, each Curl_easy struct
now stores a pointer to the sockethash entry to know how to remove itself.

Reported-by: Tom van der Woerdt and Kunal Ekawde

Fixes #3952
Fixes #3904
Closes #3953
2019-05-28 12:17:02 +02:00
Steve Holme
28526e9c80
curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version
Microsoft added support for Unix Domain Sockets in Windows 10 1803
(RS4). Rather than expect the user to enable Unix Domain Sockets by
uncommenting the #define that was added in 0fd6221f we use the RS4
pre-processor variable that is present in newer versions of the
Windows SDK.

Closes #3939
2019-05-28 07:36:06 +01:00
Jonas Vautherin
5aa2347f22
cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables
Closes #3945
2019-05-28 08:34:15 +02:00
Hubert Kario
319ae9075e nss: allow to specify TLS 1.3 ciphers if supported by NSS
Closes #3916
2019-05-27 09:04:09 +02:00