Age | Commit message | Author
2018-04-20 | openssl: fix subjectAltName check on non-ASCII platforms | Stephan Mühlstrasser
Curl_cert_hostcheck operates with the host character set, therefore the ASCII subjectAltName string retrieved with OpenSSL must be converted to the host encoding before comparison. Closes #2493
2018-04-20 | openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages | Jay Satiro
- Support handling verbose-mode trace messages of type SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS, SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO, SSL3_MT_MESSAGE_HASH Reported-by: iz8mbw@users.noreply.github.com Fixes https://github.com/curl/curl/issues/2403
2018-04-19 | ftplistparser: keep state between invokes | Daniel Stenberg
Regression from f786d1f14 Reported-by: wncboy on github Fixes #2445 Closes #2508
2018-04-19 | detect_proxy: only show proxy use if it had contents | Daniel Stenberg
2018-04-19 | http2: handle on_begin_headers() called more than once | Daniel Stenberg
This triggered an assert if called more than once in debug mode (and a memory leak if not debug build). With the right sequence of HTTP/2 headers incoming it can happen. Detected by OSS-Fuzz Closes #2507 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
2018-04-18 | schannel: add support for CURLOPT_CAINFO | Dan McNulty
- Move verify_certificate functionality in schannel.c into a new file called schannel_verify.c. Additionally, some structure definitions from schannel.c have been moved to schannel.h to allow them to be used in schannel_verify.c.
- Make verify_certificate functionality for Schannel available on all versions of Windows instead of just Windows CE. verify_certificate will be invoked on Windows CE or when the user specifies CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.
- In verify_certificate, create a custom certificate chain engine that exclusively trusts the certificate store backed by the CURLOPT_CAINFO file.
- doc updates of --cacert/CAINFO support for schannel
- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString when available. This implements a TODO in schannel.c to improve handling of multiple SANs in a certificate. In particular, all SANs will now be searched instead of just the first name.
- Update tool_operate.c to not search for the curl-ca-bundle.crt file when using Schannel to maintain backward compatibility. Previously, any curl-ca-bundle.crt file found in that search would have been ignored by Schannel. But, with CAINFO support, the file found by that search would have been used as the certificate store and could cause issues for any users that have curl-ca-bundle.crt in the search path.
- Update url.c to not set the build time CURL_CA_BUNDLE if the selected SSL backend is Schannel. We allow setting CA location for schannel only when explicitly specified by the user via CURLOPT_CAINFO / --cacert.
- Add new test cases 3000 and 3001. These test cases check that the first and last SAN, respectively, matches the connection hostname. New test certificates have been added for these cases. For 3000, the certificate prefix is Server-localhost-firstSAN and for 3001, the certificate prefix is Server-localhost-secondSAN.
- Remove TODO 15.2 (Add support for custom server certificate validation), this commit addresses it.
Closes https://github.com/curl/curl/pull/1325
2018-04-17 | schannel: fix warning | Jay Satiro
- Fix warning 'integer from pointer without a cast' on 3rd arg in CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer type of the same size. Follow-up to e35b025. Caught by Marc's CI builds.
2018-04-17 | docs: fix typos | Jakub Wilk
Closes https://github.com/curl/curl/pull/2503
2018-04-17 | RELEASE-NOTES: synced | Daniel Stenberg
2018-04-17 | winbuild: Support custom devel paths for each dependency | kdekker
- Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2, OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH, NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.
- Use lib.exe for making the static library instead of link.exe /lib. The latter is undocumented and could cause problems as noted in the comments.
- Remove a dangling URL that no longer worked. (I was not able to find the IDN download at MSDN/microsoft.com, so it seems to be removed.)
- Remove custom override for release-ssh2-ssl-dll-zlib configuration. Nobody knows why it was there and as far as we can see is unnecessary.
Closes https://github.com/curl/curl/pull/2474
2018-04-17 | README.md: add backers and sponsors | Jess
Closes #2484
2018-04-17 | schannel: add client certificate authentication | Archangel_SDY
Users can now specify a client certificate in system certificates store explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"` Closes #2376
2018-04-16 | ntlm_sspi: fix authentication using Credential Manager | toughengineer
If you pass empty user/pass asking curl to use Windows Credential Storage (as stated in the docs) and it has valid credentials for the domain, e.g. curl -v -u : --ntlm example.com currently authentication fails. This change fixes it by providing proper SPN string to the SSPI API calls. Fixes https://github.com/curl/curl/issues/1622 Closes https://github.com/curl/curl/pull/1660
2018-04-16 | configure: keep LD_LIBRARY_PATH changes local | Daniel Stenberg
... only set it when we actually have to run tests to reduce its impact on for example build commands etc. Fixes #2490 Closes #2492 Reported-by: Dmitry Mikhirev
2018-04-16 | urldata: make service names unconditional | Marcel Raad
The ifdefs have become quite long. Also, the condition for the definition of CURLOPT_SERVICE_NAME and for setting it from CURLOPT_SERVICE_NAME have diverged. We will soon also need the two options for NTLM, at least when using SSPI, for https://github.com/curl/curl/pull/1660. Just make the definitions unconditional to make that easier. Closes https://github.com/curl/curl/pull/2479
2018-04-16 | test1148: tolerate progress updates better | Daniel Stenberg
Fixes #2446 Closes #2488
2018-04-16 | ssh: show libSSH2 error code when closing fails | Christian Schmitz
Closes #2500
2018-04-15 | vauth: Fix typo | Daniel Gustafsson
Address various spellings of "credentials". Closes https://github.com/curl/curl/pull/2496
2018-04-15 | system.h: Add sparcv8plus to oracle/sunpro 32-bit detection | Dagobert Michelsen
With specific compiler options selecting the arch like -xarch=sparc on newer compilers like Oracle Studio 12.4 there is no definition of __sparcv8 but __sparcv8plus which means the V9 ISA, but limited to the 32-bit subset defined by the V8plus ISA specification, without the Visual Instruction Set (VIS), and without other implementation-specific ISA extensions. So it should be the same as __sparcv8. Closes https://github.com/curl/curl/pull/2491
2018-04-15 | checksrc: Fix typo | Daniel Gustafsson
Fix typo in "semicolon" spelling and remove stray tab character. Closes https://github.com/curl/curl/pull/2498
2018-04-15 | all: Refactor malloc+memset to use calloc | Daniel Gustafsson
When a zeroed out allocation is required, use calloc() rather than malloc() followed by an explicit memset(). The result will be the same, but using calloc() everywhere increases consistency in the codebase and avoids the risk of subtle bugs when code is injected between malloc and memset by accident. Closes https://github.com/curl/curl/pull/2497
2018-04-12 | duphandle: make sure CURLOPT_RESOLVE is duplicated fine too | Daniel Stenberg
Verified in test 1502 now Fixes #2485 Closes #2486 Reported-by: Ernst Sjöstrand
2018-04-12 | mailmap: add a monnerat fixup [ci skip] | Daniel Stenberg
2018-04-11 | proxy: show getenv proxy use in verbose output | Daniel Stenberg
... to aid debugging etc as it sometimes isn't immediately obvious why curl uses or doesn't use a proxy. Inspired by #2477 Closes #2480
2018-04-11 | travis: build libpsl and make builds use it | Daniel Stenberg
closes #2471
2018-04-10 | travis: bump to clang 6 and gcc 7 | Daniel Stenberg
Extra-eye-on-this-by: Marcel Raad Closes #2478
2018-04-10 | travis: use trusty for coverage build | Marcel Raad
This works now and precise is in the process of being decommissioned. Closes https://github.com/curl/curl/pull/2476
2018-04-09 | lib: silence null-dereference warnings | Marcel Raad
In debug mode, MinGW-w64's GCC 7.3 issues null-dereference warnings when dereferencing pointers after DEBUGASSERT-ing that they are not NULL. Fix this by removing the DEBUGASSERTs. Suggested-by: Daniel Stenberg Ref: https://github.com/curl/curl/pull/2463
2018-04-09 | winbuild: fix URL | kdekker
Follow up on https://github.com/curl/curl/pull/2472. Now using en-us instead of nl-nl as language code in the URL. Closes https://github.com/curl/curl/pull/2475
2018-04-09 | winbuild: updated the documentation | kdekker
The setenv command no longer exists and visual studio build prompts got changed. Used Visual Studio 2015/2017 as reference. Closes #2472
2018-04-09 | test1136: fix cookie order after commit c990eadd1277 | Daniel Stenberg
2018-04-08 | build: cleanup to fix clang warnings/errors | Daniel Stenberg
unit1309 and vtls/gtls: error: arithmetic on a null pointer treated as a cast from integer to pointer is a GNU extension Reported-by: Rikard Falkeborn Fixes #2466 Closes #2468
2018-04-07 | examples/sftpuploadresmue: Fix Windows large file seek | Jay Satiro
- Use _fseeki64 instead of fseek (long) to seek curl_off_t in Windows.
- Use CURL_FORMAT_CURL_OFF_T specifier instead of %ld to print curl_off_t.
Caught by Marc's CI builds.
2018-04-07 | curl_setup: provide a CURL_SA_FAMILY_T type if none exists | Daniel Stenberg
... and use this type instead of 'sa_family_t' in the code since several platforms don't have it. Closes #2463
2018-04-07 | build: add picky compiler warning flags for gcc 6 and 7 | Eric Gallager
2018-04-07 | configure: detect sa_family_t | Daniel Stenberg
2018-04-07 | tool_operate: Fix retry on FTP 4xx to ignore other protocols | Stefan Agner
Only treat response code as FTP response codes in case the protocol type is FTP. This fixes an issue where an HTTP download was treated as FTP in case libcurl returned with 33. This happens when the download has already finished and the server responds 416: HTTP/1.1 416 Requested Range Not Satisfiable. This should not be treated as an FTP error. Fixes #2464 Closes #2465
2018-04-06 | hash: calculate sizes with size_t instead of longs | Daniel Stenberg
... since they return size_t anyway! closes #2462
2018-04-06 | RELEASE-NOTES: synced | Daniel Stenberg
2018-04-06 | build-openssl.bat: Refer to VS2017 as VC14.1 instead of VC15 | Jay Satiro
.. and do the same for build-wolfssl.bat. Because MS calls it VC14.1. Closes https://github.com/curl/curl/pull/2189
2018-04-06 | winbuild: make the clean target work without build-type | kdekker
Due to the check in Makefile.vc and MakefileBuild.vc, no make call can be invoked unless a build-type was specified. However, a clean target only existed when a build type was specified. As a result, the clean target was unreachable. Made clean target unconditional. Closes #2455
2018-04-06 | build-openssl.bat: allow custom paths for VS and perl | patelvivekv1993
Fixes #2430 Closes #2457
2018-04-06 | FTP: allow PASV on IPv6 connections when a proxy is being used | Laurie Clark-Michalek
In the situation of a client connecting to an FTP server using an IPv6 tunnel proxy, the connection info will indicate that the connection is IPv6. However, because the server behind the proxy is IPv4, it is permissible to attempt PASV mode. In the case of the FTP server being IPv4 only, EPSV will always fail, and with the current logic curl will be unable to connect to the server, as the IPv6 fwdproxy causes curl to think that EPSV is impossible. Closes #2432
2018-04-06 | file: restore old behavior for file:////foo/bar URLs | Jon DeVree
curl 7.57.0 and up interpret this according to Appendix E.3.2 of RFC 8089 but then return an error saying this is unimplemented. This is actually a regression in behavior on both Windows and Unix. Before curl 7.57.0 this URL was treated as a path of "//foo/bar" and then passed to the relevant OS API. This means that the behavior of this case is actually OS dependent. The Unix path resolution rules say that the OS must handle swallowing the extra "/" and so this path is the same as "/foo/bar". The Windows path resolution rules say that this is a UNC path and automatically handles the SMB access for the program. So curl on Windows was already doing Appendix E.3.2 without any special code in curl. Regression Closes #2438
2018-04-06 | Revert "openssl: Don't add verify locations when verifypeer==0" | Gaurav Malhotra
This reverts commit dc85437736e1fc90e689bb1f6c51c8f1aa9430eb. libcurl (with the OpenSSL backend) performs server certificate verification even if verifypeer == 0 and the verification result is available using CURLINFO_SSL_VERIFYRESULT. The commit that is being reverted caused the CURLINFO_SSL_VERIFYRESULT to not have useful information for the verifypeer == 0 use case (it would always have X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY). Closes #2451
2018-04-06 | tls: fix mbedTLS 2.7.0 build + handle sha256 failures | Wyatt O'Day
(mbedtls 2.70 compiled with MBEDTLS_DEPRECATED_REMOVED) Closes #2453
2018-04-06 | cookie: case-insensitive hashing for the domains | Lauri Kasanen
closes #2458
2018-04-04 | cookie: fix and optimize 2nd top level domain name extraction | Patrick Monnerat
This fixes a segfault occurring when a name of the (invalid) form "domain..tld" is processed. test46 updated to cover this case. Follow-up to commit c990ead. Ref: https://github.com/curl/curl/pull/2440
2018-04-04 | openssl: provide defines for argument typecasts to build warning-free | Daniel Stenberg
... as OpenSSL >= 1.1.0 and libressl >= 2.7.0 use different argument types.
2018-04-04 | openssl: fix build with LibreSSL 2.7 | Bernard Spil
- LibreSSL 2.7 implements (most of) OpenSSL 1.1 API Fixes #2319 Closes #2447 Closes #2448 Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>