Age | Commit message (Collapse) | Author |
|
|
|
This triggered an assert if called more than once in debug mode (and a
memory leak if not debug build). With the right sequence of HTTP/2
headers incoming it can happen.
Detected by OSS-Fuzz
Closes #2507
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
|
|
- Move verify_certificate functionality in schannel.c into a new
file called schannel_verify.c. Additionally, some structure defintions
from schannel.c have been moved to schannel.h to allow them to be
used in schannel_verify.c.
- Make verify_certificate functionality for Schannel available on
all versions of Windows instead of just Windows CE. verify_certificate
will be invoked on Windows CE or when the user specifies
CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.
- In verify_certificate, create a custom certificate chain engine that
exclusively trusts the certificate store backed by the CURLOPT_CAINFO
file.
- doc updates of --cacert/CAINFO support for schannel
- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
when available. This implements a TODO in schannel.c to improve
handling of multiple SANs in a certificate. In particular, all SANs
will now be searched instead of just the first name.
- Update tool_operate.c to not search for the curl-ca-bundle.crt file
when using Schannel to maintain backward compatibility. Previously,
any curl-ca-bundle.crt file found in that search would have been
ignored by Schannel. But, with CAINFO support, the file found by
that search would have been used as the certificate store and
could cause issues for any users that have curl-ca-bundle.crt in
the search path.
- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
SSL backend is Schannel. We allow setting CA location for schannel
only when explicitly specified by the user via CURLOPT_CAINFO /
--cacert.
- Add new test cases 3000 and 3001. These test cases check that the first
and last SAN, respectively, matches the connection hostname. New test
certificates have been added for these cases. For 3000, the certificate
prefix is Server-localhost-firstSAN and for 3001, the certificate
prefix is Server-localhost-secondSAN.
- Remove TODO 15.2 (Add support for custom server certificate
validation), this commit addresses it.
Closes https://github.com/curl/curl/pull/1325
|
|
- Fix warning 'integer from pointer without a cast' on 3rd arg in
CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
type of the same size.
Follow-up to e35b025.
Caught by Marc's CI builds.
|
|
Closes https://github.com/curl/curl/pull/2503
|
|
|
|
- Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.
- Use lib.exe for making the static library instead of link.exe /lib.
The latter is undocumented and could cause problems as noted in the
comments.
- Remove a dangling URL that no longer worked. (I was not able to find
the IDN download at MSDN/microsoft.com, so it seems to be removed.)
- Remove custom override for release-ssh2-ssl-dll-zlib configuration.
Nobody knows why it was there and as far as we can see is unnecessary.
Closes https://github.com/curl/curl/pull/2474
|
|
Closes #2484
|
|
Users can now specify a client certificate in system certificates store
explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`
Closes #2376
|
|
If you pass empty user/pass asking curl to use Windows Credential
Storage (as stated in the docs) and it has valid credentials for the
domain, e.g.
curl -v -u : --ntlm example.com
currently authentication fails.
This change fixes it by providing proper SPN string to the SSPI API
calls.
Fixes https://github.com/curl/curl/issues/1622
Closes https://github.com/curl/curl/pull/1660
|
|
... only set it when we actually have to run tests to reduce its impact
on for example build commands etc.
Fixes #2490
Closes #2492
Reported-by: Dmitry Mikhirev
|
|
The ifdefs have become quite long. Also, the condition for the
definition of CURLOPT_SERVICE_NAME and for setting it from
CURLOPT_SERVICE_NAME have diverged. We will soon also need the two
options for NTLM, at least when using SSPI, for
https://github.com/curl/curl/pull/1660.
Just make the definitions unconditional to make that easier.
Closes https://github.com/curl/curl/pull/2479
|
|
Fixes #2446
Closes #2488
|
|
Closes #2500
|
|
Address various spellings of "credentials".
Closes https://github.com/curl/curl/pull/2496
|
|
With specific compiler options selecting the arch like -xarch=sparc on
newer compilers like Oracle Studio 12.4 there is no definition of
__sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the
32ÎíÎñbit subset defined by the V8plus ISA specification, without the
Visual Instruction Set (VIS), and without other implementation-specific
ISA extensions. So it should be the same as __sparcv8.
Closes https://github.com/curl/curl/pull/2491
|
|
Fix typo in "semicolon" spelling and remove stray tab character.
Closes https://github.com/curl/curl/pull/2498
|
|
When a zeroed out allocation is required, use calloc() rather than
malloc() followed by an explicit memset(). The result will be the
same, but using calloc() everywhere increases consistency in the
codebase and avoids the risk of subtle bugs when code is injected
between malloc and memset by accident.
Closes https://github.com/curl/curl/pull/2497
|
|
Verified in test 1502 now
Fixes #2485
Closes #2486
Reported-by: Ernst Sjöstrand
|
|
|
|
... to aid debugging etc as it sometimes isn't immediately obvious why
curl uses or doesn't use a proxy.
Inspired by #2477
Closes #2480
|
|
closes #2471
|
|
Extra-eye-on-this-by: Marcel Raad
Closes #2478
|
|
This works now and precise is in the process of being decommissioned.
Closes https://github.com/curl/curl/pull/2476
|
|
In debug mode, MingGW-w64's GCC 7.3 issues null-dereference warnings
when dereferencing pointers after DEBUGASSERT-ing that they are not
NULL.
Fix this by removing the DEBUGASSERTs.
Suggested-by: Daniel Stenberg
Ref: https://github.com/curl/curl/pull/2463
|
|
Follow up on https://github.com/curl/curl/pull/2472.
Now using en-us instead of nl-nl as language code in the URL.
Closes https://github.com/curl/curl/pull/2475
|
|
The setenv command no longer exists and visual studio build prompts got
changed. Used Visual Studio 2015/2017 as reference.
Closes #2472
|
|
|
|
unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a
cast from integer to pointer is a GNU extension
Reported-by: Rikard Falkeborn
Fixes #2466
Closes #2468
|
|
- Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows.
- Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print
curl_off_t.
Caught by Marc's CI builds.
|
|
... and use this type instead of 'sa_family_t' in the code since several
platforms don't have it.
Closes #2463
|
|
|
|
|
|
Only treat response code as FTP response codes in case the
protocol type is FTP.
This fixes an issue where an HTTP download was treated as FTP
in case libcurl returned with 33. This happens when the
download has already finished and the server responses 416:
HTTP/1.1 416 Requested Range Not Satisfiable
This should not be treated as an FTP error.
Fixes #2464
Closes #2465
|
|
... since they return size_t anyway!
closes #2462
|
|
|
|
.. and do the same for build-wolfssl.bat.
Because MS calls it VC14.1.
Closes https://github.com/curl/curl/pull/2189
|
|
Due to the check in Makefile.vc and MakefileBuild.vc, no make call can
be invoked unless a build-type was specified. However, a clean target
only existed when a build type was specified. As a result, the clean
target was unreachable. Made clean target unconditional.
Closes #2455
|
|
Fixes #2430
Closes #2457
|
|
In the situation of a client connecting to an FTP server using an IPv6
tunnel proxy, the connection info will indicate that the connection is
IPv6. However, because the server behing the proxy is IPv4, it is
permissable to attempt PSV mode. In the case of the FTP server being
IPv4 only, EPSV will always fail, and with the current logic curl will
be unable to connect to the server, as the IPv6 fwdproxy causes curl to
think that EPSV is impossible.
Closes #2432
|
|
curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC
8089 but then returns an error saying this is unimplemented. This is
actually a regression in behavior on both Windows and Unix.
Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and
then passed to the relevant OS API. This means that the behavior of this
case is actually OS dependent.
The Unix path resolution rules say that the OS must handle swallowing
the extra "/" and so this path is the same as "/foo/bar"
The Windows path resolution rules say that this is a UNC path and
automatically handles the SMB access for the program. So curl on Windows
was already doing Appendix E.3.2 without any special code in curl.
Regression
Closes #2438
|
|
This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb.
libcurl (with the OpenSSL backend) performs server certificate verification
even if verifypeer == 0 and the verification result is available using
CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the
CURLINFO_SSL_VERIFYRESULT to not have useful information for the
verifypeer == 0 use case (it would always have
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY).
Closes #2451
|
|
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED)
Closes #2453
|
|
closes #2458
|
|
This fixes a segfault occurring when a name of the (invalid) form "domain..tld"
is processed.
test46 updated to cover this case.
Follow-up to commit c990ead.
Ref: https://github.com/curl/curl/pull/2440
|
|
... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
|
|
- LibreSSL 2.7 implements (most of) OpenSSL 1.1 API
Fixes #2319
Closes #2447
Closes #2448
Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
|
|
This makes libcurl handle thousands of cookies much better and speedier.
Closes #2440
|
|
This drops the cookie load time for 8k cookies from 178ms to 15ms.
Closes #2441
|
|
...as otherwise it might use a different decimal sign.
Bug: #2436
Reported-by: Oumph on github
|