Age | Commit message | Author
2017-04-18 | TLS: Fix switching off SSL session id when client cert is used | Jay Satiro
Move the sessionid flag to ssl_primary_config so that ssl and proxy_ssl will each have their own sessionid flag.
Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that this issue had been fixed in 247d890, CVE-2016-5419.
Bug: https://github.com/curl/curl/issues/1341
Reported-by: lijian996@users.noreply.github.com
The new incarnation of this bug is called CVE-2017-7468 and is documented here: https://curl.haxx.se/docs/adv_20170419.html
2017-04-17 | openssl: don't try to print nonexistent peer private keys | David Benjamin
X.509 certificates carry public keys, not private keys. Fields corresponding to the private half of the key will always be NULL. Closes #1425
2017-04-17 | openssl: fix thread-safety bugs in error-handling | David Benjamin
ERR_error_string with NULL parameter is not thread-safe. The library writes the string into some static buffer. Two threads doing this at once may clobber each other and run into problems. Switch to ERR_error_string_n which avoids this problem and is explicitly bounds-checked. Also clean up some remnants of OpenSSL 0.9.5 around here. A number of comments (fixed buffer size, explaining that ERR_error_string_n was added in a particular version) date to when ossl_strerror tried to support pre-ERR_error_string_n OpenSSLs. Closes #1424
2017-04-17 | openssl: make SSL_ERROR_to_str more future-proof | David Benjamin
Rather than making assumptions about the values, use a switch-case. Closes #1424
2017-04-17 | code: fix typos and style in comments | Daniel Gustafsson
A few random typos, and minor whitespace cleanups, found in comments while reading code. Closes #1423
2017-04-17 | extern-scan.pl: strip trailing CR | Marcel Raad
This makes test 1135 pass with CRLF checkouts. Ref: https://github.com/curl/curl/pull/1344#issuecomment-289243166 Closes https://github.com/curl/curl/pull/1422
2017-04-17 | configure.ac: ignore CR after version numbers | Marcel Raad
Ignore everything after the version numbers in LIBCURL_VERSION and LIBCURL_VERSION_NUM to get rid of the extra CR character. This makes tests 1022 and 1023 pass on Linux with a CRLF checkout. Ref: https://github.com/curl/curl/pull/1344#issuecomment-289243166 Closes https://github.com/curl/curl/pull/1422
2017-04-17 | .gitattributes: force shell scripts to LF | Marcel Raad
Bash on Linux errors out on CR characters. This makes tests 1221 and 1222 pass on Linux with a CRLF checkout. Ref: https://github.com/curl/curl/pull/1344#issuecomment-289243166 Closes https://github.com/curl/curl/pull/1422
2017-04-16 | unit1303: fix compiler warning | Marcel Raad
MinGW-w64 complains: warning: conversion to 'long int' from 'time_t {aka long long int}' may alter its value [-Wconversion] Fix this by using the correct type.
2017-04-16 | RELEASE-NOTES: synced with 1451271e0 | Daniel Stenberg
2017-04-15 | http2: fix handle leak in error path | Larry Stefani
Add missing newhandle free call in push_promise(). Closes #1416
2017-04-15 | mbedtls: fix memory leak in error path | Larry Stefani
Add missing our_ssl_sessionid free call in mbed_connect_step3(). Closes #1417
2017-04-15 | curl-compilers.m4: turn implicit function declarations into errors | Marcel Raad
This adds -Werror-implicit-function-declaration for GCC 2.95+ so that these errors are visible at the point where they occur instead of only at link time. Implicit function declarations are illegal in C99 and C++ anyway, and the same warning has been turned into an error for ICC in commit 3072c5b8a127057aa922b7c51051bbb4a630b091. Ref: https://gcc.gnu.org/onlinedocs/gcc-2.95.2/gcc_2.html#SEC8 Ref: https://curl.haxx.se/mail/lib-2017-04/0001.html Closes https://github.com/curl/curl/pull/1419
2017-04-12 | test1541: also test for CURL_PULL_WS2TCPIP_H | Marcel Raad
Ref: https://github.com/curl/curl/issues/1408 Closes https://github.com/curl/curl/pull/1412
2017-04-12 | tests/server/util: prefer <poll.h> over <sys/poll.h> | Marcel Raad
Follow-up to aa573c3c55cda72ec5ef677d87f6f46a53385f0c Ref: https://github.com/curl/curl/pull/1406
2017-04-11 | Curl_expire_latest: ignore already expired timers | Daniel Stenberg
If the existing timer is still in there but has expired, the new timer should be added. Reported-by: Rainer Canavan Bug: https://curl.haxx.se/mail/lib-2017-04/0030.html Closes #1407
2017-04-11 | system.h: fix mingw section | Daniel Stenberg
Reported-by: Marcel Raad Fixes #1408 Closes #1409
2017-04-11 | polarssl: unbreak build with versions < 1.3.8 | Marcel Raad
ssl_session_init was only introduced in version 1.3.8, the penultimate version. The function only contains a memset, so replace it with that. Suggested-by: Jay Satiro Fixes https://github.com/curl/curl/issues/1401
2017-04-11 | poll: prefer <poll.h> over <sys/poll.h> | Marcel Raad
The POSIX standard location is <poll.h>. Using <sys/poll.h> results in warning spam when using the musl standard library. Closes https://github.com/curl/curl/pull/1406
2017-04-10 | openssl: fix this statement may fall through [-Wimplicit-fallthrough=] | Alexis La Goutte
Closes #1402
2017-04-10 | nss: load CA certificates even with --insecure | Kamil Dudka
... because they may include an intermediate certificate for a client certificate and the intermediate certificate needs to be presented to the server, no matter if we verify the peer or not. Reported-by: thraidh Closes #851
2017-04-10 | RELEASE-NOTES: synced with f9d1e9a27f7e1 | Daniel Stenberg
2017-04-10 | libcurl-thread.3: fixed a bad macro that caused test 1140 to fail | Dan Fandrich
2017-04-09 | libcurl-thread.3: also mention threaded-resolver | Daniel Stenberg
Reported-by: Alex Bligh Bug: https://curl.haxx.se/mail/lib-2017-04/0044.html
2017-04-09 | .github/stale.yml: enable the stale bot | Daniel Stenberg
Issues and PRs with no activity for 180 days will get marked as stale, and if no further activity happens within 14 more days, the issue gets closed. This follows our established policy of not letting stalled bugs "get in the way": https://curl.haxx.se/docs/bugs.html#Closing_off_stalled_bugs Closes #1398
2017-04-08 | CURLINFO_SCHEME.3: fix variable type | Jay Satiro
- Change documented param type to char ** from incorrect long *.
2017-04-08 | INSTALL.md: fix secure transport configure arguments | Marcel Raad
--without-ssl is needed instead of --with-winssl.
2017-04-08 | vtls: fix unreferenced variable warnings | Marcel Raad
... by moving the variables into the correct #ifdef block.
2017-04-07 | BUGS: "Bugs in old versions" | Daniel Stenberg
2017-04-07 | system.h: add section for tcc | Daniel Stenberg
Closes #1397
2017-04-07 | schannel: fix compiler warnings | Marcel Raad
When UNICODE is not defined, the Curl_convert_UTF8_to_tchar macro maps directly to its argument. As it is declared as a pointer to const and InitializeSecurityContext expects a pointer to non-const, both MSVC and MinGW issue a warning about implicitly casting away the const. Fix this by declaring the variables as pointers to non-const. Closes https://github.com/curl/curl/pull/1394
2017-04-07 | sspi: print out InitializeSecurityContext() error message | Isaac Boukris
Reported-by: Carsten (talksinmath) Fixes #1384 Closes #1395
2017-04-06 | gtls: fix compiler warning | Marcel Raad
Curl_timeleft returns time_t instead of long since commit 21aa32d30dbf319f2d336e0cb68d3a3235869fbb.
2017-04-06 | test1606: verify speedcheck | Daniel Stenberg
2017-04-06 | low_speed_limit: improved function for longer time periods | Daniel Stenberg
Previously, periods of fast speed between periods of slow speed would not count and could still erroneously trigger a timeout. Reported-by: Paul Harris Fixes #1345 Closes #1390
2017-04-06 | system.h: set sizeof long to 4 on "default 32 bit" systems | Daniel Stenberg
Triggered a test failure on test 1541 for the build known as "Linux 4.4 i686 tcc 0.9.26 glibc 2.20"
2017-04-06 | nss: fix build after e60fe20fdf94e829ba5fce33f7a9d6c281149f7d | Marcel Raad
Curl_llist_alloc is now Curl_llist_init. Closes https://github.com/curl/curl/pull/1391
2017-04-06 | INSTALL.cmake: more problems | Daniel Stenberg
and mention specific issues where they are discussed
2017-04-05 | test1541: ignore the curl_off_t variable type name comparison | Daniel Stenberg
... the sizes and the formatting strings are what's really important and avoids problems with int64_t vs "long long". Bug: https://curl.haxx.se/mail/lib-2017-04/0019.html
2017-04-05 | Revert "configure: prefer 'long long' to int64_t for curl_off_t" | Daniel Stenberg
This reverts commit 81284374bf3c670d2050f8562edeb69f060b07cc. Due to mingw32 breakage.
2017-04-05 | tool_operate: fix MinGW compiler warning | Marcel Raad
MinGW complains: tool_operate.c:197:15: error: comparison is always true due to limited range of data type [-Werror=type-limits] Fix this by only doing the comparison if 'long' is large enough to hold the constant it is compared with. Closes https://github.com/curl/curl/pull/1378
2017-04-05 | tool_operate: move filetime code to its own function | Marcel Raad
Ref: https://github.com/curl/curl/pull/1378
2017-04-05 | configure: prefer 'long long' to int64_t for curl_off_t | Daniel Stenberg
Since it is a native type and it makes it less complicated to find a matching one in system.h Bug: https://curl.haxx.se/mail/lib-2017-04/0010.html Reported-by: Dan Fandrich Closes #1388
2017-04-04 | tests: added test for Curl_splaygetbest to unit1309 | Dániel Bakai
This checks the new behavior of Curl_splaygetbest, so that the smallest node not larger than the key is removed, and FIFO behavior is kept even when there are multiple nodes with the same key. Closes #1358
2017-04-04 | multi: fix queueing of pending easy handles | Dániel Bakai
Multi handles repeatedly invert the queue of pending easy handles when used with CURLMOPT_MAX_TOTAL_CONNECTIONS. This is caused by a multistep process involving Curl_splaygetbest and violates the FIFO property of the multi handle. This patch fixes this issue by redefining the "best" node in the context of timeouts as the "smallest not larger than now", and implementing the necessary data structure modifications to do this effectively, namely:
- splay nodes with the same key are now stored in a doubly-linked circular list instead of a non-circular one to enable O(1) insertion to the tail of the list
- Curl_splayinsert inserts nodes with the same key to the tail of the same list
- in case of multiple nodes with the same key, the one on the head of the list gets selected
2017-04-04 | tool: fix Windows Unicode build | Marcel Raad
... by explicitly calling the ANSI versions of Windows API functions where required.
2017-04-04 | curl_sasl: declare mechtable static | Martin Kepplinger
struct mechtable is only used locally here. It can be declared static.
2017-04-04 | url: don't free postponed data on connection reuse | Antti Hätälä
- Don't free postponed data on a connection that will be reused since doing so can cause data loss when pipelining. Only Windows builds are affected by this. Closes https://github.com/curl/curl/issues/1380
2017-04-04 | RELEASE-NOTES: synced with 4f2e348f9b42c69c480 | Daniel Stenberg
2017-04-04 | hash: move key into hash struct to reduce mallocs | Daniel Stenberg
This removes one tiny malloc for each hash struct allocated. In a simple case like "curl localhost", this saves three mallocs. Closes #1376