1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00
Commit Graph

659 Commits

Author SHA1 Message Date
Daniel Stenberg
3533def3d5 http2: make sure stream errors don't needlessly close the connection
With HTTP/2 each transfer is made in an indivial logical stream over the
connection, making most previous errors that caused the connection to get
forced-closed now instead just kill the stream and not the connection.

Fixes #941
2016-08-28 16:44:49 +02:00
Jay Satiro
895168bfd3 schannel: Disable ALPN for Wine since it is causing problems
- Disable ALPN on Wine.

- Don't pass input secbuffer when ALPN is disabled.

When ALPN support was added a change was made to pass an input secbuffer
to initialize the context. When ALPN is enabled the buffer contains the
ALPN information, and when it's disabled the buffer is empty. In either
case this input buffer caused problems with Wine and connections would
not complete.

Bug: https://github.com/curl/curl/issues/983
Reported-by: Christian Fillion
2016-08-26 15:35:16 -04:00
Steve Holme
670802bd0b urldata.h: Corrected comment for httpcode which is also populated by SMTP
As of 7.25.0 and commit 5430007222.
2016-08-20 20:20:32 +01:00
Daniel Stenberg
247d890da8 TLS: switch off SSL session id when client cert is used
CVE-2016-5419
Bug: https://curl.haxx.se/docs/adv_20160803A.html
Reported-by: Bru Rom
Contributions-by: Eric Rescorla and Ray Satiro
2016-08-03 00:34:27 +02:00
Daniel Stenberg
434f8d0389 internals: rename the SessionHandle struct to Curl_easy 2016-06-22 10:28:41 +02:00
Michael Kaufmann
0bdec5e01d cleanup: fix method names in code comments
Closes #887
2016-06-21 13:11:40 +02:00
Ivan Avdeev
31c521b047 vtls: fix ssl session cache race condition
Sessionid cache management is inseparable from managing individual
session lifetimes. E.g. for reference-counted sessions (like those in
SChannel and OpenSSL engines) every session addition and removal
should be accompanied with refcount increment and decrement
respectively. Failing to do so synchronously leads to a race condition
that causes symptoms like use-after-free and memory corruption.
This commit:
 - makes existing session cache locking explicit, thus allowing
   individual engines to manage lock's scope.
 - fixes OpenSSL and SChannel engines by putting refcount management
   inside this lock's scope in relevant places.
 - adds these explicit locking calls to other engines that use
   sessionid cache to accommodate for this change. Note, however,
   that it is unknown whether any of these engines could also have
   this race.

Bug: https://github.com/curl/curl/issues/815
Fixes #815
Closes #847
2016-06-01 09:40:55 +02:00
Daniel Stenberg
f6767f5435 TLS: move the ALPN/NPN enable bits to the connection
Only protocols that actually have a protocol registered for ALPN and NPN
should try to get that negotiated in the TLS handshake. That is only
HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN
would wrongly be used in all handshakes if libcurl was built with it
enabled.

Reported-by: Jay Satiro

Fixes #789
2016-05-09 15:30:25 -04:00
Jay Satiro
9f498de9a2 mbedtls: Fix session resume
This also fixes PolarSSL session resume.

Prior to this change the TLS session information wasn't properly
saved and restored for PolarSSL and mbedTLS.

Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html
Reported-by: Thomas Glanzmann

Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html
Reported-by: Moti Avrahami
2016-04-28 02:57:38 -04:00
Karlson2k
72d5e144fb sendf.c: added ability to call recv() before send() as workaround
WinSock destroys recv() buffer if send() is failed. As result - server
response may be lost if server sent it while curl is still sending
request. This behavior noticeable on HTTP server short replies if
libcurl use several send() for request (usually for POST request).
To workaround this problem, libcurl use recv() before every send() and
keeps received data in intermediate buffer for further processing.

Fixes: #657
Closes: #668
2016-04-20 09:22:48 +02:00
Alessandro Ghedini
dc68f2dab9 url: add CURLOPT_TCP_FASTOPEN option 2016-04-18 23:17:19 +02:00
Michael Kaufmann
cd8d236245 news: CURLOPT_CONNECT_TO and --connect-to
Makes curl connect to the given host+port instead of the host+port found
in the URL.
2016-04-17 23:50:59 +02:00
Jay Satiro
3f57880ad1 http2: Use size_t type for data drain count
Ref: https://github.com/curl/curl/issues/659
Ref: https://github.com/curl/curl/pull/663
2016-04-12 00:37:44 -04:00
Steve Holme
ccf7a82605 CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAME
As these two options provide identical functionality, the former for
SOCK5 proxies and the latter for HTTP proxies, merged the two options
together.

As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of
7.49.0.
2016-04-09 20:47:05 +01:00
Steve Holme
830a4e55a2 urldata: Use bool for socks5_gssapi_nec as it is a flag
This value is set to TRUE or FALSE so should be a bool and not a long.
2016-04-09 17:19:21 +01:00
Steve Holme
f044cbe6fc sasl: Fixed compilation errors from commit 9d89a0387
...when GSS-API or Windows SSPI are not used.
2016-04-09 05:57:10 +01:00
Steve Holme
2aaa63b555 spnego: Renamed the context's SPN variable
To be consistent with the Kerberos 5 context and other authentication
code.
2016-04-02 06:41:29 +01:00
Steve Holme
a5aec58726 imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
Regression since commit 710f14edba.

Bug: https://github.com/curl/curl/issues/422
Reported-by: Justin Ehlert
2016-03-08 19:36:46 +00:00
Michael Koenig
9dc3eaee29 TFTP: add option to suppress TFTP option requests (Part 1)
Some TFTP server implementations ignore the "TFTP Option extension"
(RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
problems with libcurl. Another switch for curl_easy_setopt
"CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
sending TFTP option requests to a server, avoiding many problems caused
by faulty implementations.

Bug: https://github.com/curl/curl/issues/481
2016-02-23 03:00:58 -05:00
Daniel Stenberg
716302c2cd mbedtls: fix ALPN usage segfault
Since we didn't keep the input argument around after having called
mbedtls, it could end up accessing the wrong memory when figuring out
the ALPN protocols.

Closes #642
2016-02-09 23:37:14 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Gisle Vanem
bdb465274f urldata: Error on missing SSL backend-specific connect info 2016-01-29 00:11:43 -05:00
Sergei Nikulov
91460b2b8a urldata: moved common variable out of ifdef
Closes https://github.com/bagder/curl/pull/618
2016-01-28 03:01:51 -05:00
Steve Holme
eaa98cef8d oauth2: Don't use XOAUTH2 in OAuth 2.0 variables 2015-11-09 22:25:08 +00:00
Steve Holme
4e3d396900 oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
When referring to OAuth 2.0 we should use the official name rather the
SASL mechanism name.
2015-11-09 22:25:08 +00:00
Daniel Stenberg
d31ed6ac71 http2: s/priority/weight 2015-10-23 08:22:38 +02:00
Daniel Stenberg
3042cb5043 http2: added three stream prio/deps options
CURLOPT_STREAM_DEPENDS

CURLOPT_STREAM_DEPENDS_E

CURLOPT_STREAM_PRIORITY
2015-10-23 08:22:38 +02:00
Jonas Minnberg
fe7590f729 vtls: added support for mbedTLS
closes #496
2015-10-20 07:57:24 +02:00
Daniel Stenberg
c6aedf680f fread_func: move callback pointer from set to state struct
... and assign it from the set.fread_func_set pointer in the
Curl_init_CONNECT function. This A) avoids that we have code that
assigns fields in the 'set' struct (which we always knew was bad) and
more importantly B) it makes it impossibly to accidentally leave the
wrong value for when the handle is re-used etc.

Introducing a state-init functionality in multi.c, so that we can set a
specific function to get called when we enter a state. The
Curl_init_CONNECT is thus called when switching to the CONNECT state.

Bug: https://github.com/bagder/curl/issues/346

Closes #346
2015-10-15 23:32:19 +02:00
Nathaniel Waisbrot
9756d1da76 CURLOPT_DEFAULT_PROTOCOL: added
- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
protocol for schemeless URLs.

- Add new tool option --proto-default to expose
CURLOPT_DEFAULT_PROTOCOL.

In the case of schemeless URLs libcurl will behave in this way:

When the option is used libcurl will use the supplied default.

When the option is not used, libcurl will follow its usual plan of
guessing from the hostname and falling back to 'http'.
2015-08-22 21:57:14 -04:00
Michael Kaufmann
c5d060cab4 HTTP: ignore "Content-Encoding: compress"
Currently, libcurl rejects responses with "Content-Encoding: compress"
when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
treat the Content-Encoding "compress" the same as other
Content-Encodings that it does not support, e.g. "bzip2". That means
just ignoring it.
2015-07-25 00:46:01 +02:00
Jay Satiro
172b2beba6 SSL: Add an option to disable certificate revocation checks
New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applies only to WinSSL where we have automatic
certificate revocation checking by default. According to the
ssl-compared chart there are other backends that have automatic checking
(NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
some later point.

Bug: https://github.com/bagder/curl/issues/264
Reported-by: zenden2k <zenden2k@gmail.com>
2015-07-17 02:40:16 -04:00
Daniel Stenberg
ea7134ac87 http2: initial implementation of the push callback 2015-06-24 23:44:42 +02:00
Jay Satiro
3e7ec1e849 schannel: schannel_recv overhaul
This commit is several drafts squashed together. The changes from each
draft are noted below. If any changes are similar and possibly
contradictory the change in the latest draft takes precedence.

Bug: https://github.com/bagder/curl/issues/244
Reported-by: Chris Araman

%%
%% Draft 1
%%
- return 0 if len == 0. that will have to be documented.
- continue on and process the caches regardless of raw recv
- if decrypted data will be returned then set the error code to CURLE_OK
and return its count
- if decrypted data will not be returned and the connection has closed
(eg nread == 0) then return 0 and CURLE_OK
- if decrypted data will not be returned and the connection *hasn't*
closed then set the error code to CURLE_AGAIN --only if an error code
isn't already set-- and return -1
- narrow the Win2k workaround to only Win2k

%%
%% Draft 2
%%
- Trying out a change in flow to handle corner cases.

%%
%% Draft 3
%%
- Back out the lazier decryption change made in draft2.

%%
%% Draft 4
%%
- Some formatting and branching changes
- Decrypt all encrypted cached data when len == 0
- Save connection closed state
- Change special Win2k check to use connection closed state

%%
%% Draft 5
%%
- Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
connection isn't closed.

%%
%% Draft 6
%%
- Save the last error only if it is an unrecoverable error.

Prior to this I saved the last error state in all cases; unfortunately
the logic to cover that in all cases would lead to some muddle and I'm
concerned that could then lead to a bug in the future so I've replaced
it by only recording an unrecoverable error and that state will persist.

- Do not recurse on renegotiation.

Instead we'll continue on to process any trailing encrypted data
received during the renegotiation only.

- Move the err checks in cleanup after the check for decrypted data.

In either case decrypted data is always returned but I think it's easier
to understand when those err checks come after the decrypted data check.

%%
%% Draft 7
%%
- Regardless of len value go directly to cleanup if there is an
unrecoverable error or a close_notify was already received. Prior to
this change we only acknowledged those two states if len != 0.

- Fix a bug in connection closed behavior: Set the error state in the
cleanup, because we don't know for sure it's an error until that time.

- (Related to above) In the case the connection is closed go "greedy"
with the decryption to make sure all remaining encrypted data has been
decrypted even if it is not needed at that time by the caller. This is
necessary because we can only tell if the connection closed gracefully
(close_notify) once all encrypted data has been decrypted.

- Do not renegotiate when an unrecoverable error is pending.

%%
%% Draft 8
%%
- Don't show 'server closed the connection' info message twice.

- Show an info message if server closed abruptly (missing close_notify).
2015-06-17 00:17:03 -04:00
Daniel Stenberg
b0143a2a33 read_callback: move to SessionHandle from connectdata
With many easy handles using the same connection for multiplexing, it is
important we store and keep the transfer-oriented stuff in the
SessionHandle so that callbacks and callback data work fine even when
many easy handles share the same physical connection.
2015-05-20 23:06:45 +02:00
Daniel Stenberg
811443754a CURLOPT_PIPEWAIT: added
By setting this option to 1 libcurl will wait for a connection to reveal
if it is possible to pipeline/multiplex on before it continues.
2015-05-18 09:33:47 +02:00
Daniel Stenberg
783b3c7b42 http2: separate multiplex/pipelining + cleanup memory leaks 2015-05-18 08:57:18 +02:00
Daniel Stenberg
f4b8b39881 http2: leave WAITPERFORM when conn is multiplexed
No need to wait for our "spot" like for pipelining
2015-05-18 08:57:18 +02:00
Daniel Stenberg
01e1bdb10c http2: force "drainage" of streams
... which is necessary since the socket won't be readable but there is
data waiting in the buffer.
2015-05-18 08:57:17 +02:00
Linus Nielsen
97c272e5d1 Negotiate: custom service names for SPNEGO.
* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.
2015-04-28 08:29:56 +02:00
Daniel Stenberg
5d23279299 CURLOPT_PATH_AS_IS: added
--path-as-is is the command line option

Added docs in curl.1 and CURLOPT_PATH_AS_IS.3

Added test in test 1241
2015-03-24 10:31:58 +01:00
Alessandro Ghedini
4dcd25e138 url: add CURLOPT_SSL_FALSESTART option
This option can be used to enable/disable TLS False Start defined in the RFC
draft-bmoeller-tls-falsestart.
2015-03-20 20:14:33 +01:00
Dan Fandrich
9e66d3f4d3 axtls: version 1.5.2 now requires that config.h be manually included 2015-03-19 10:11:17 +01:00
Daniel Stenberg
00ea0e7db0 http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
Since they already exist and will make comparing easier
2015-03-07 11:10:30 +01:00
Alessandro Ghedini
44ffe27056 urldata: remove unused asked_for_h2 field 2015-03-07 10:36:10 +01:00
Daniel Stenberg
042526c19f urldata: fix gnutls build 2015-03-06 10:13:40 +01:00
Daniel Stenberg
709cf76f6b openssl: remove all uses of USE_SSLEAY
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.
2015-03-05 10:57:52 +01:00
Alessandro Ghedini
3af90a6e19 url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.

This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.
2015-01-16 23:23:29 +01:00
Steve Holme
1abe65d928 code/docs: Use Unix rather than UNIX to avoid use of the trademark
Use Unix when generically writing about Unix based systems as UNIX is
the trademark and should only be used in a particular product's name.
2014-12-26 21:42:44 +00:00
Patrick Monnerat
9081014c2c IPV6: address scope != scope id
There was a confusion between these: this commit tries to disambiguate them.
- Scope can be computed from the address itself.
- Scope id is scope dependent: it is currently defined as 1-based local
  interface index for link-local scoped addresses, and as a site index(?) for
  (obsolete) site-local addresses. Linux only supports it for link-local
  addresses.
The URL parser properly parses a scope id as an interface index, but stores it
in a field named "scope": confusion. The field has been renamed into "scope_id".
Curl_if2ip() used the scope id as it was a scope. This caused failures
to bind to an interface.
Scope is now computed from the addresses and Curl_if2ip() matches them.
If redundantly specified in the URL, scope id is check for mismatch with
the interface index.

This commit should fix SF bug #1451.
2014-12-16 13:52:06 +01:00