1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-18 07:25:14 -05:00
Commit Graph

1040 Commits

Author SHA1 Message Date
Gilles Vollant
77fc3859b2 SSL: support in-memory CA certs for some backends
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
  specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
  and Secure Transport (Apple) SSL backends.

Prior to this change PEM certificates could only be imported from a file
and not from memory.

Co-authored-by: moparisthebest@users.noreply.github.com

Ref: https://github.com/curl/curl/pull/4679
Ref: https://github.com/curl/curl/pull/5677
Ref: https://github.com/curl/curl/pull/6109

Closes https://github.com/curl/curl/pull/6662
2021-05-05 02:29:16 -04:00
ejanchivdorj
94241a9e78
CURLcode: add CURLE_SSL_CLIENTCERT
When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT

Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.

Closes #6721
2021-05-03 17:11:01 +02:00
Martin Halle
e540b32562 version: add gsasl_version to curl_version_info_data
- Add gsasl_version string and bump to CURLVERSION_TENTH.

Ref: https://curl.se/mail/lib-2021-04/0003.html

Closes https://github.com/curl/curl/pull/6843
2021-04-22 18:28:28 -04:00
Jay Satiro
54e7475016 schannel: Disable auto credentials; add an option to enable it
- Disable auto credentials by default. This is a breaking change
  for clients that are using it, wittingly or not.

- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
  to automatically locate and use a client certificate for
  authentication, when requested by the server.

- New curl tool options --ssl-auto-client-cert and
  --proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.

This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.

Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn

Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard

Closes https://github.com/curl/curl/pull/6673
2021-04-22 16:53:37 -04:00
Daniel Stenberg
ccaaa534d0
RELEASE-NOTES: synced
and bumped curlver to 7.77.0
2021-04-15 08:24:19 +02:00
Daniel Stenberg
77db2a0c6d
typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers
... and not values.

Reported-by: locpyl-tidnyd on github
Fixes #6818
Closes #6819
2021-04-07 00:16:40 +02:00
Daniel Stenberg
f6bbc3407a
RELEASE-NOTES: synced
and bumped to 7.76.1
2021-04-04 23:53:33 +02:00
Viktor Szakats
44872aefc2
http: add support to read and store the referrer header
- add CURLINFO_REFERER libcurl option
- add --write-out '%{referer}' command-line option
- extend --xattr command-line option to fill user.xdg.referrer.url extended
  attribute with the referrer (if there was any)

Closes #6591
2021-02-19 13:57:19 +00:00
Jay Satiro
53022e1893 doh: add options to disable ssl verification
- New libcurl options CURLOPT_DOH_SSL_VERIFYHOST,
  CURLOPT_DOH_SSL_VERIFYPEER and CURLOPT_DOH_SSL_VERIFYSTATUS do the
  same as their respective counterparts.

- New curl tool options --doh-insecure and --doh-cert-status do the same
  as their respective counterparts.

Prior to this change DOH SSL certificate verification settings for
verifyhost and verifypeer were supposed to be inherited respectively
from CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER, but due to a bug
were not. As a result DOH verification remained at the default, ie
enabled, and it was not possible to disable. This commit changes
behavior so that the DOH verification settings are independent and not
inherited.

Ref: https://github.com/curl/curl/pull/4579#issuecomment-554723676

Fixes https://github.com/curl/curl/issues/4578
Closes https://github.com/curl/curl/pull/6597
2021-02-14 18:20:48 -05:00
Daniel Stenberg
9e95105617
RELEASE-NOTES: synced
bumped the version to 7.76.0
2021-02-12 09:55:04 +01:00
Daniel Stenberg
8d9346f1a0
gsasl: provide CURL_VERSION_GSASL if built-in
To let applications know the feature is available.

Closes #6592
2021-02-11 16:16:34 +01:00
Jacob Hoffman-Andrews
246399a874
vtls: initial implementation of rustls backend
This adds a new TLS backend, rustls. It uses the C-to-rustls bindings
from https://github.com/abetterinternet/crustls.

Rustls is at https://github.com/ctz/rustls/.

There is still a fair bit to be done, like sending CloseNotify on
connection shutdown, respecting CAPATH, and properly indicating features
like "supports TLS 1.3 ciphersuites." But it works well enough to make
requests and receive responses.

Blog post for context:
https://www.abetterinternet.org/post/memory-safe-curl/

Closes #6350
2021-02-09 11:06:18 +01:00
Daniel Stenberg
bcba216f9b
RELEASE-NOTES: synced
... and bump pending version to 7.75.1 (for now)
2021-02-04 22:51:26 +01:00
Dmitry Wagin
796ce293de
http: improve AWS HTTP v4 Signature auth
- Add support services without region and service prefixes in
the URL endpoint (ex. Min.IO, GCP, Yandex Cloud, Mail.Ru Cloud Solutions, etc)
by providing region and service parameters via aws-sigv4 option.
- Add [:region[:service]] suffix to aws-sigv4 option;
- Fix memory allocation errors.
- Refactor memory management.
- Use Curl_http_method instead() STRING_CUSTOMREQUEST.
- Refactor canonical headers generating.
- Remove repeated sha256_to_hex() usage.
- Add some docs fixes.
- Add some codestyle fixes.
- Add overloaded strndup() for debug - curl_dbg_strndup().
- Update tests.

Closes #6524
2021-01-30 23:48:22 +01:00
Daniel Stenberg
f52c6981c5
curl.h: add CURLPROTO_GOPHERS as own protocol identifier
Follow-up to a1f06f32b8, to make sure it can be handled separately
from plain gopher.

Closes #6418
2021-01-06 15:23:41 +01:00
Emil Engler
725ec470e2
language: s/behaviour/behavior/g
We currently use both spellings the british "behaviour" and the american
"behavior". However "behavior" is more used in the project so I think
it's worth dropping the british name.

Closes #6395
2021-01-02 23:35:59 +01:00
Matthias Gatto
eb69797766
http: Make the call to v4 signature
This patch allow to call the v4 signature introduce in previous commit

Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>
2020-12-21 16:28:03 +01:00
Matthias Gatto
08e8455ddd
http: introduce AWS HTTP v4 Signature
It is a security process for HTTP.

It doesn't seems to be standard, but it is used by some cloud providers.

Aws:
https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Outscale:
https://wiki.outscale.net/display/EN/Creating+a+Canonical+Request
GCP (I didn't test that this code work with GCP though):
https://cloud.google.com/storage/docs/access-control/signing-urls-manually

most of the code is in lib/http_v4_signature.c

Information require by the algorithm:
- The URL
- Current time
-  some prefix that are append to some of the signature parameters.

The data extracted from the URL are: the URI, the region,
the host and the API type

example:
https://api.eu-west-2.outscale.com/api/latest/ReadNets
        ~~~ ~~~~~~~~               ~~~~~~~~~~~~~~~~~~~
        ^       ^                          ^
       /         \                        URI
   API type     region

Small description of the algorithm:
- make canonical header using content type, the host, and the date
- hash the post data
- make canonical_request using custom request, the URI,
  the get data, the canonical header, the signed header
  and post data hash
- hash canonical_request
- make str_to_sign using one of the prefix pass in parameter,
  the date, the credential scope and the canonical_request hash
- compute hmac from date, using secret key as key.
- compute hmac from region, using above hmac as key
- compute hmac from api_type, using above hmac as key
- compute hmac from request_type, using above hmac as key
- compute hmac from str_to_sign using above hmac as key
- create Authorization header using above hmac, prefix pass in parameter,
  the date, and above hash

Signed-off-by: Matthias Gatto <matthias.gatto@outscale.com>

Closes #5703
2020-12-21 16:27:50 +01:00
Daniel Stenberg
9211cb2034
version: include hyper version 2020-12-18 09:58:03 +01:00
Daniel Stenberg
4dc710b198
RELEASE-NOTES: synced 2020-12-16 08:22:28 +01:00
Daniel Stenberg
98dc917869
RELEASE-NOTES: synced
start over on the next release cycle
2020-12-09 22:57:47 +01:00
Oliver Urbann
0d16a49c16
curl: add compatibility for Amiga and GCC 6.5
Changes are mainly reordering and adding of includes required
to compile with a more recent version of GCC.

Closes #6220
2020-11-20 23:36:51 +01:00
Daniel Stenberg
ac0a88fd25
copyright: fix year ranges
Follow-up from 4d2f800677
2020-11-05 08:22:10 +01:00
Daniel Stenberg
4d2f800677
curl.se: new home
Closes #6172
2020-11-04 23:59:47 +01:00
Daniel Stenberg
21464a65c6
curlver: bumped to 7.74.0 2020-11-03 16:08:48 +01:00
Daniel Stenberg
2cfc4ed983
hsts: add read/write callbacks
- read/write callback options
- man pages for the 4 new setopts
- test 1915 verifies the callbacks

Closes #5896
2020-11-03 16:08:48 +01:00
Daniel Stenberg
7385610d0c
hsts: add support for Strict-Transport-Security
- enable in the build (configure)
- header parsing
- host name lookup
- unit tests for the above
- CI build
- CURL_VERSION_HSTS bit
- curl_version_info support
- curl -V output
- curl-config --features
- CURLOPT_HSTS_CTRL
- man page for CURLOPT_HSTS_CTRL
- curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl)
- man page for --hsts
- save cache to disk
- load cache from disk
- CURLOPT_HSTS
- man page for CURLOPT_HSTS
- added docs/HSTS.md
- fixed --version docs
- adjusted curl_easy_duphandle

Closes #5896
2020-11-03 16:08:42 +01:00
Daniel Stenberg
96450a1a33
alt-svc: enable by default
Remove CURLALTSVC_IMMEDIATELY, which was never implemented/supported.

alt-svc support in curl is no longer considered experimental

Closes #5868
2020-10-25 23:08:54 +01:00
Daniel Stenberg
a654fdc9d1
RELEASE-NOTES: synced
Started over for the journey to next release.
2020-10-15 12:53:29 +02:00
Daniel Stenberg
d0c77730ed
include/README: convert to markdown
Closes #6028
2020-09-30 22:45:41 +02:00
Michael Baentsch
ede125b7b7
tls: add CURLOPT_SSL_EC_CURVES and --curves
Closes #5892
2020-08-30 17:24:04 +02:00
Jeroen Ooms
70984ce1be
tests: add test1912 with typechecks
Validates that gcc-typecheck macros match the new option type API.

Closes #5873
2020-08-28 23:36:55 +02:00
Daniel Stenberg
6ebe63fac2
options: API for meta-data about easy options
const struct curl_easyoption *curl_easy_option_by_name(const char *name);

 const struct curl_easyoption *curl_easy_option_by_id (CURLoption id);

 const struct curl_easyoption *
 curl_easy_option_next(const struct curl_easyoption *prev);

The purpose is to provide detailed enough information to allow for
example libcurl bindings to get option information at run-time about
what easy options that exist and what arguments they expect.

Assisted-by: Jeroen Ooms
Closes #5365
2020-08-27 14:17:36 +02:00
Michael Musset
ebc6c54c74
sftp: add the option CURLKHSTAT_FINE_REPLACE
Replace the old fingerprint of the host with a new.

Closes #5685
2020-08-24 17:26:08 +02:00
Daniel Stenberg
ddf47bbc0a
RELEASE-NOTES: synced
The next release is now to become 7.73.0
2020-08-24 17:02:16 +02:00
Daniel Stenberg
88b1ca7cba
CURLE_PROXY: new error code
Failures clearly returned from a (SOCKS) proxy now causes this return
code. Previously the situation was not very clear as what would be
returned and when.

In addition: when this error code is returned, an application can use
CURLINFO_PROXY_ERROR to query libcurl for the detailed error, which then
returns a value from the new 'CURLproxycode' enum.

Closes #5770
2020-08-24 08:41:48 +02:00
Daniel Stenberg
5bb1721579
RELEASE-NOTES: synced
... and version bumped to 7.72.1
2020-08-19 23:43:52 +02:00
Jay Satiro
d979cb9ed2 curl.h: update CURLINFO_LASTONE
CURLINFO_LASTONE should have been updated when
CURLINFO_EFFECTIVE_METHOD was added.

Reported-by: xwxbug@users.noreply.github.com

Fixes https://github.com/curl/curl/issues/5711
2020-07-23 02:44:53 -04:00
Daniel Stenberg
954cd3eb48
CURL_PUSH_ERROROUT: allow the push callback to fail the parent stream
... by adding support for a new dedicated return code.

Suggested-by: Jonathan Cardoso
Assisted-by: Erik Johansson
URL: https://curl.haxx.se/mail/lib-2020-06/0099.html
Closes #5636
2020-07-16 00:24:29 +02:00
Daniel Stenberg
d75e3ab74c
CURLINFO_EFFECTIVE_METHOD: added
Provide the HTTP method that was used on the latest request, which might
be relevant for users when there was one or more redirects involved.

Closes #5511
2020-07-14 17:53:45 +02:00
Viktor Szakats
8fa3f7809a
windows: add unicode to feature list
Reviewed-by: Marcel Raad
Reviewed-by: Marc Hörsken

Closes #5491
2020-07-14 08:30:17 +00:00
Daniel Stenberg
2bd8fe8823
RELEASE-NOTES: synced
... and bumped to 7.72.0 as the next release version number
2020-07-12 18:16:23 +02:00
Gilles Vollant
e13357b14b
content_encoding: add zstd decoding support
include zstd curl patch for Makefile.m32 from vszakats
and include Add CMake support for zstd from Peter Wu

Helped-by: Viktor Szakats
Helped-by: Peter Wu
Closes #5453
2020-07-12 18:11:37 +02:00
Daniel Stenberg
01afe4e1af
RELEASE-NOTES: synced 2020-07-01 10:37:20 +02:00
Daniel Stenberg
032e838b73
terminology: call them null-terminated strings
Updated terminology in docs, comments and phrases to refer to C strings
as "null-terminated". Done to unify with how most other C oriented docs
refer of them and what users in general seem to prefer (based on a
single highly unscientific poll on twitter).

Reported-by: coinhubs on github
Fixes #5598
Closes #5608
2020-06-28 00:31:24 +02:00
Daniel Stenberg
906bb64ac9
curlver: start working on 7.71.1 2020-06-24 11:44:10 +02:00
Daniel Stenberg
eab2f95c0d
wording: avoid blacklist/whitelist stereotypes
Instead of discussing if there's value or meaning (implied or not) in
the colors, let's use words without the same possibly negative
associations.

Closes #5546
2020-06-10 08:49:17 +02:00
Viktor Szakats
308c243db5
all: fix codespell errors
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
2020-05-25 19:44:04 +00:00
Gilles Vollant
7f40633422
setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherency
Closes #5431
2020-05-23 23:19:13 +02:00
Daniel Stenberg
5d965b4898
typecheck-gcc.h: CURLINFO_PRIVATE does not need a 'char *'
Reported-by: Billyzou0741326 on github
Fixes #5432
Closes #5436
2020-05-21 00:05:42 +02:00