Age | Commit message (Collapse) | Author |
|
Tested following the same curl and tshark commands as in commit
"vtls: Extract and simplify key log file handling from OpenSSL" using
WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with
`./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`.
Full support for this feature requires certain wolfSSL build options,
see "Availability note" in lib/vtls/wolfssl.c for details.
Closes #5327
|
|
Create a set of routines for TLS key log file handling to enable reuse
with other TLS backends. Simplify the OpenSSL backend as follows:
- Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
- Do not perform dynamic memory allocation when preparing a log entry.
Unless the TLS specifications change we can suffice with a reasonable
fixed-size buffer.
- Simplify state tracking when SSL_CTX_set_keylog_callback is
unavailable. My original sslkeylog.c code included this tracking in
order to handle multiple calls to SSL_connect and detect new keys
after renegotiation (via SSL_read/SSL_write). For curl however we can
be sure that a single master secret eventually becomes available
after SSL_connect, so a simple flag is sufficient. An alternative to
the flag is examining SSL_state(), but this seems more complex and is
not pursued. Capturing keys after server renegotiation was already
unsupported in curl and remains unsupported.
Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
(`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
against an OpenSSL 1.1.1f server configured with:
# Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
openssl s_server -www -tls1
# Likewise, but fail the server handshake.
openssl s_server -www -tls1 -Verify 2
# TLS 1.3 test. No need to test the failing server handshake.
openssl s_server -www -tls1_3
Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
written using Wireshark. For the first and third case, expect four
matches per connection (decrypted Server Finished, Client Finished, HTTP
Request, HTTP Response). For the second case where the handshake fails,
expect a decrypted Server Finished only.
tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
-eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
-dtls.port==4433,http -ohttp.desegment_body:FALSE \
-Y 'tls.handshake.verify_data or http'
A single connection can easily be identified via the `tcp.stream` field.
|
|
|
|
For HTTP 1.x, it's a protocol error when the server sends more bytes
than announced. If this happens, don't reuse the connection, because the
start position of the next response is undefined.
Closes #5440
|
|
This reverts commit f31760e63b4e9ef1eb25f8f211390f8239388515. Shipped in
curl 7.54.1.
Bug: https://curl.haxx.se/mail/lib-2020-05/0068.html
Closes #5465
|
|
And remove a few unused booleans!
Closes #5461
|
|
When USE_RESOLVE_ON_IPS is set (defined on macOS), it means that
numerical IP addresses still need to get "resolved" - but not with DoH.
Reported-by: Viktor Szakats
Fixes #5454
Closes #5459
|
|
Reported-by: Peter Wu
Fixes #5447 (the ngtcp2 side of it)
Closes #5451
|
|
Addresses the quiche side of #5447
Reported-by: Peter Wu
Closes #5450
|
|
|
|
They're only limited to the maximum string input restrictions, not to
256 bytes.
Added test 1178 to verify
Reported-by: Will Roberts
Fixes #5448
Closes #5449
|
|
Closes #5442
|
|
Fixed the alt-svc parser to treat a newline as end of line.
The unit tests in test 1654 were done without CRLF and thus didn't quite
match the real world. Now they use CRLF as well.
Reported-by: Peter Wu
Assisted-by: Peter Wu
Assisted-by: Jay Satiro
Fixes #5445
Closes #5446
|
|
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/5452
|
|
Based on client.cc changes from ngtcp2. Tested with current git master,
ngtcp2 commit c77d5731ce92, nghttp3 commit 65ff479d4380.
Fixes #5444
Closes #5443
|
|
moved the new setopts up to a "change"
|
|
|
|
... and whitelisted a few more files in the the copyright.pl script.
|
|
Closes #5431
|
|
curl would previously show "curl: Saved to filename 'name from header'"
if -J was used and a name was picked from the Content-Disposition
header. That output could interfer with other stdout output, such as -w.
This commit removes that output line.
Bug: https://curl.haxx.se/mail/archive-2020-05/0044.html
Reported-by: Коваленко Анатолий Викторович
Closes #5435
|
|
quiche builds boringssl as static library, reuse that instead of
building another shared library.
Closes #5438
|
|
A shared boringssl/OpenSSL library requires -lcrypto only for linking.
A static build additionally requires `-ldl -lpthread`. In the latter
case `-lpthread` is added to LIBS which prevented `-pthread` from being
added to CFLAGS. Clear LIBS to fix linking failures for libtest tests.
|
|
This reverts commit 74623551f306990e70c7c5515b88972005604a74.
Instead mark the function call with (void). Getting the return code and
using it instead triggered Coverity warning CID 1463596 because
snprintf() can return a negative value...
Closes #5441
|
|
Reported-by: Billyzou0741326 on github
Fixes #5432
Closes #5436
|
|
Follow-up from a3b0699d5c1
|
|
The option number also needs to be less than CURLOPTTYPE_BLOB.
Follow-up to cac5374298
Reported-by: Jeroen Ooms
Bug: https://github.com/curl/curl/pull/5365#issuecomment-631084114
|
|
Closes #5426
|
|
Closes #5406
|
|
Follow-up to c5f0a9db22.
|
|
Seems highly unlikely to actually be possible, but better safe than
sorry.
Closes #5417
|
|
... in curl_easy_getinfo() calls. They're harmless but clearing the
variables makes the code safer and comforts the reader.
Closes #5416
|
|
Follow-up to fae30656. Should've been squashed with that commit...
|
|
Closes #5414
|
|
... and avoid a strlen() call. Fixes a MonocleAI warning.
Reported-by: MonocleAI
Fixes #5413
Closes #5420
|
|
It was not used much anyway and instead we let it store a blank buffer
in case of failure.
Reported-by: MonocleAI
Fixes #5411
Closes #5418
|
|
They're done on purpose, make that visible in the code.
Reported-by: MonocleAI
Fixes #5412
Closes #549
|
|
Closes #5396
Closes #5398
|
|
|
|
... as returning a "" is not a good idea as the string is supposed to be
allocated and returning a const string will cause issues.
Reported-by: Brian Carpenter
Follow-up to ed35d6590e72c
Closes #5405
|
|
Changes, partially to reduce build failures from external dependencies:
- Upgrade Ubuntu and drop unnecessary third-party repos.
- Properly clone apt config to ensure retries.
- Upgrade to clang-9 from the standard repos.
- Use Ubuntu 20.04 focal for the libssh build, use of ssh_get_publickey
fails on -Werror=deprecated-declarations in Ubuntu 18.04. Do not use
focal everywhere yet since Travis CI has not documented this option.
In focal, python-impacket (Py2.7) has been removed, leaving only
python3-impacket. Since it is only needed for SMB tests and not SSH,
skip it for the libssh job since it might need more work.
- apt: Remove gcc-8 and libstdc++-8-dev, already installed via g++-8.
Non-functional cleanups:
- Simplify test matrix, drop redundant os and compiler keys.
- Deprecation fixes: remove sudo, rename matrix -> jobs.
- Every job has an 'env' key, put this key first in a list item.
Closes #5370
|
|
Automatically apply a consistent indentation with:
python3 -c 'from ruamel.yaml import YAML;y=YAML();d=y.load(open(".travis.yml"));y.width=500;y.dump(d,open(".travis.yml.new","w"))'
followed by manually re-indenting three comments.
Closes #5370
|
|
Closes #5372
|
|
Closes #4820
|
|
Closes #5176
|
|
Fixes #1410
Closes #5401
|
|
This change introduces a generic way to provide binary data in setopt
options, called BLOBs.
This change introduces these new setopts:
CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB,
CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB.
Reviewed-by: Daniel Stenberg
Closes #5357
|
|
- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public headers and examples
- Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
typedef different types/structs depending on build conditions.
Closes #5338
|
|
|
|
Previously, after PASV and immediately after the data connection has
connected, the function would only return the control socket to wait for
which then made the data connection simply timeout and not get polled
correctly. This become obvious when running test 1631 and 1632 event-
based.
|
|
|