aboutsummaryrefslogtreecommitdiff
path: root/lib/urldata.h
AgeCommit message (Collapse)Author
2016-11-28http2: Fix crashes when parent stream gets abortedAnders Bakken
Closes #1125
2016-11-25HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEYThomas Glanzmann
2016-11-25add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}Frank Gevaerts
Adds access to the effectively used protocol/scheme to both libcurl and curl, both in string and numeric (CURLPROTO_*) form. Note that the string form will be uppercase, as it is just the internal string. As these strings are declared internally as const, and all other strings returned by curl_easy_getinfo() are de-facto const as well, string handling in getinfo.c got const-ified. Closes #1137
2016-11-24checksrc: code style: use 'char *name' styleDaniel Stenberg
2016-11-24proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov
* HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-18lib: fix compiler warnings after de4de4e3c7cMarcel Raad
Visual C++ now complains about implicitly casting time_t (64-bit) to long (32-bit). Fix this by changing some variables from long to time_t, or explicitly casting to long where the public interface would be affected. Closes #1131
2016-11-17Don't mix unix domain sockets with regular onesIsaac Boukris
When reusing a connection, make sure the unix domain socket option matches.
2016-11-12timeval: prefer time_t to hold seconds instead of longDaniel Stenberg
... as long is still 32bit on modern 64bit windows machines, while time_t is generally 64bit.
2016-11-05easy: Initialize info variables on easy init and duphandleJay Satiro
- Call Curl_initinfo on init and duphandle. Prior to this change the statistical and informational variables were simply zeroed by calloc on easy init and duphandle. While zero is the correct default value for almost all info variables, there is one where it isn't (filetime initializes to -1). Bug: https://github.com/curl/curl/issues/1103 Reported-by: Neal Poole
2016-10-13vtls: only re-use session-ids using the same schemeDaniel Stenberg
To make it harder to do cross-protocol mistakes
2016-09-22New libcurl option to keep sending on errorMichael Kaufmann
Add the new option CURLOPT_KEEP_SENDING_ON_ERROR to control whether sending the request body shall be completed when the server responds early with an error status code. This is suitable for manual NTLM authentication. Reviewed-by: Jay Satiro Closes https://github.com/curl/curl/pull/904
2016-09-20easy: Reset all statistical session info in curl_easy_resetJay Satiro
Bug: https://github.com/curl/curl/issues/1017 Reported-by: Jeroen Ooms
2016-09-04speed caps: not based on average speeds anymoreOlivier Brunel
Speed limits (from CURLOPT_MAX_RECV_SPEED_LARGE & CURLOPT_MAX_SEND_SPEED_LARGE) were applied simply by comparing limits with the cumulative average speed of the entire transfer; While this might work at times with good/constant connections, in other cases it can result to the limits simply being "ignored" for more than "short bursts" (as told in man page). Consider a download that goes on much slower than the limit for some time (because bandwidth is used elsewhere, server is slow, whatever the reason), then once things get better, curl would simply ignore the limit up until the average speed (since the beginning of the transfer) reached the limit. This could prove the limit useless to effectively avoid using the entire bandwidth (at least for quite some time). So instead, we now use a "moving starting point" as reference, and every time at least as much as the limit as been transferred, we can reset this starting point to the current position. This gets a good limiting effect that applies to the "current speed" with instant reactivity (in case of sudden speed burst). Closes #971
2016-08-28http2: make sure stream errors don't needlessly close the connectionDaniel Stenberg
With HTTP/2 each transfer is made in an indivial logical stream over the connection, making most previous errors that caused the connection to get forced-closed now instead just kill the stream and not the connection. Fixes #941
2016-08-26schannel: Disable ALPN for Wine since it is causing problemsJay Satiro
- Disable ALPN on Wine. - Don't pass input secbuffer when ALPN is disabled. When ALPN support was added a change was made to pass an input secbuffer to initialize the context. When ALPN is enabled the buffer contains the ALPN information, and when it's disabled the buffer is empty. In either case this input buffer caused problems with Wine and connections would not complete. Bug: https://github.com/curl/curl/issues/983 Reported-by: Christian Fillion
2016-08-20urldata.h: Corrected comment for httpcode which is also populated by SMTPSteve Holme
As of 7.25.0 and commit 5430007222.
2016-08-03TLS: switch off SSL session id when client cert is usedDaniel Stenberg
CVE-2016-5419 Bug: https://curl.haxx.se/docs/adv_20160803A.html Reported-by: Bru Rom Contributions-by: Eric Rescorla and Ray Satiro
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-06-21cleanup: fix method names in code commentsMichael Kaufmann
Closes #887
2016-06-01vtls: fix ssl session cache race conditionIvan Avdeev
Sessionid cache management is inseparable from managing individual session lifetimes. E.g. for reference-counted sessions (like those in SChannel and OpenSSL engines) every session addition and removal should be accompanied with refcount increment and decrement respectively. Failing to do so synchronously leads to a race condition that causes symptoms like use-after-free and memory corruption. This commit: - makes existing session cache locking explicit, thus allowing individual engines to manage lock's scope. - fixes OpenSSL and SChannel engines by putting refcount management inside this lock's scope in relevant places. - adds these explicit locking calls to other engines that use sessionid cache to accommodate for this change. Note, however, that it is unknown whether any of these engines could also have this race. Bug: https://github.com/curl/curl/issues/815 Fixes #815 Closes #847
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-04-28mbedtls: Fix session resumeJay Satiro
This also fixes PolarSSL session resume. Prior to this change the TLS session information wasn't properly saved and restored for PolarSSL and mbedTLS. Bug: https://curl.haxx.se/mail/lib-2016-01/0070.html Reported-by: Thomas Glanzmann Bug: https://curl.haxx.se/mail/lib-2016-04/0095.html Reported-by: Moti Avrahami
2016-04-20sendf.c: added ability to call recv() before send() as workaroundKarlson2k
WinSock destroys recv() buffer if send() is failed. As result - server response may be lost if server sent it while curl is still sending request. This behavior noticeable on HTTP server short replies if libcurl use several send() for request (usually for POST request). To workaround this problem, libcurl use recv() before every send() and keeps received data in intermediate buffer for further processing. Fixes: #657 Closes: #668
2016-04-18url: add CURLOPT_TCP_FASTOPEN optionAlessandro Ghedini
2016-04-17news: CURLOPT_CONNECT_TO and --connect-toMichael Kaufmann
Makes curl connect to the given host+port instead of the host+port found in the URL.
2016-04-12http2: Use size_t type for data drain countJay Satiro
Ref: https://github.com/curl/curl/issues/659 Ref: https://github.com/curl/curl/pull/663
2016-04-09CURLOPT_SOCKS5_GSSAPI_SERVICE: Merged with CURLOPT_PROXY_SERVICE_NAMESteve Holme
As these two options provide identical functionality, the former for SOCK5 proxies and the latter for HTTP proxies, merged the two options together. As such CURLOPT_SOCKS5_GSSAPI_SERVICE is marked as deprecated as of 7.49.0.
2016-04-09urldata: Use bool for socks5_gssapi_nec as it is a flagSteve Holme
This value is set to TRUE or FALSE so should be a bool and not a long.
2016-04-09sasl: Fixed compilation errors from commit 9d89a0387Steve Holme
...when GSS-API or Windows SSPI are not used.
2016-04-02spnego: Renamed the context's SPN variableSteve Holme
To be consistent with the Kerberos 5 context and other authentication code.
2016-03-08imap/pop3/smtp: Fixed connections upgraded with TLS are not reusedSteve Holme
Regression since commit 710f14edba. Bug: https://github.com/curl/curl/issues/422 Reported-by: Justin Ehlert
2016-02-23TFTP: add option to suppress TFTP option requests (Part 1)Michael Koenig
Some TFTP server implementations ignore the "TFTP Option extension" (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing problems with libcurl. Another switch for curl_easy_setopt "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from sending TFTP option requests to a server, avoiding many problems caused by faulty implementations. Bug: https://github.com/curl/curl/issues/481
2016-02-09mbedtls: fix ALPN usage segfaultDaniel Stenberg
Since we didn't keep the input argument around after having called mbedtls, it could end up accessing the wrong memory when figuring out the ALPN protocols. Closes #642
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2016-01-29urldata: Error on missing SSL backend-specific connect infoGisle Vanem
2016-01-28urldata: moved common variable out of ifdefSergei Nikulov
Closes https://github.com/bagder/curl/pull/618
2015-11-09oauth2: Don't use XOAUTH2 in OAuth 2.0 variablesSteve Holme
2015-11-09oauth2: Use OAuth 2.0 rather than XOAUTH2 in commentsSteve Holme
When referring to OAuth 2.0 we should use the official name rather the SASL mechanism name.
2015-10-23http2: s/priority/weightDaniel Stenberg
2015-10-23http2: added three stream prio/deps optionsDaniel Stenberg
CURLOPT_STREAM_DEPENDS CURLOPT_STREAM_DEPENDS_E CURLOPT_STREAM_PRIORITY
2015-10-20vtls: added support for mbedTLSJonas Minnberg
closes #496
2015-10-15fread_func: move callback pointer from set to state structDaniel Stenberg
... and assign it from the set.fread_func_set pointer in the Curl_init_CONNECT function. This A) avoids that we have code that assigns fields in the 'set' struct (which we always knew was bad) and more importantly B) it makes it impossibly to accidentally leave the wrong value for when the handle is re-used etc. Introducing a state-init functionality in multi.c, so that we can set a specific function to get called when we enter a state. The Curl_init_CONNECT is thus called when switching to the CONNECT state. Bug: https://github.com/bagder/curl/issues/346 Closes #346
2015-08-22CURLOPT_DEFAULT_PROTOCOL: addedNathaniel Waisbrot
- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default protocol for schemeless URLs. - Add new tool option --proto-default to expose CURLOPT_DEFAULT_PROTOCOL. In the case of schemeless URLs libcurl will behave in this way: When the option is used libcurl will use the supplied default. When the option is not used, libcurl will follow its usual plan of guessing from the hostname and falling back to 'http'.
2015-07-25HTTP: ignore "Content-Encoding: compress"Michael Kaufmann
Currently, libcurl rejects responses with "Content-Encoding: compress" when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should treat the Content-Encoding "compress" the same as other Content-Encodings that it does not support, e.g. "bzip2". That means just ignoring it.
2015-07-17SSL: Add an option to disable certificate revocation checksJay Satiro
New tool option --ssl-no-revoke. New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS. Currently this option applies only to WinSSL where we have automatic certificate revocation checking by default. According to the ssl-compared chart there are other backends that have automatic checking (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at some later point. Bug: https://github.com/bagder/curl/issues/264 Reported-by: zenden2k <zenden2k@gmail.com>
2015-06-24http2: initial implementation of the push callbackDaniel Stenberg
2015-06-17schannel: schannel_recv overhaulJay Satiro
This commit is several drafts squashed together. The changes from each draft are noted below. If any changes are similar and possibly contradictory the change in the latest draft takes precedence. Bug: https://github.com/bagder/curl/issues/244 Reported-by: Chris Araman %% %% Draft 1 %% - return 0 if len == 0. that will have to be documented. - continue on and process the caches regardless of raw recv - if decrypted data will be returned then set the error code to CURLE_OK and return its count - if decrypted data will not be returned and the connection has closed (eg nread == 0) then return 0 and CURLE_OK - if decrypted data will not be returned and the connection *hasn't* closed then set the error code to CURLE_AGAIN --only if an error code isn't already set-- and return -1 - narrow the Win2k workaround to only Win2k %% %% Draft 2 %% - Trying out a change in flow to handle corner cases. %% %% Draft 3 %% - Back out the lazier decryption change made in draft2. %% %% Draft 4 %% - Some formatting and branching changes - Decrypt all encrypted cached data when len == 0 - Save connection closed state - Change special Win2k check to use connection closed state %% %% Draft 5 %% - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the connection isn't closed. %% %% Draft 6 %% - Save the last error only if it is an unrecoverable error. Prior to this I saved the last error state in all cases; unfortunately the logic to cover that in all cases would lead to some muddle and I'm concerned that could then lead to a bug in the future so I've replaced it by only recording an unrecoverable error and that state will persist. - Do not recurse on renegotiation. Instead we'll continue on to process any trailing encrypted data received during the renegotiation only. - Move the err checks in cleanup after the check for decrypted data. In either case decrypted data is always returned but I think it's easier to understand when those err checks come after the decrypted data check. %% %% Draft 7 %% - Regardless of len value go directly to cleanup if there is an unrecoverable error or a close_notify was already received. Prior to this change we only acknowledged those two states if len != 0. - Fix a bug in connection closed behavior: Set the error state in the cleanup, because we don't know for sure it's an error until that time. - (Related to above) In the case the connection is closed go "greedy" with the decryption to make sure all remaining encrypted data has been decrypted even if it is not needed at that time by the caller. This is necessary because we can only tell if the connection closed gracefully (close_notify) once all encrypted data has been decrypted. - Do not renegotiate when an unrecoverable error is pending. %% %% Draft 8 %% - Don't show 'server closed the connection' info message twice. - Show an info message if server closed abruptly (missing close_notify).
2015-05-20read_callback: move to SessionHandle from connectdataDaniel Stenberg
With many easy handles using the same connection for multiplexing, it is important we store and keep the transfer-oriented stuff in the SessionHandle so that callbacks and callback data work fine even when many easy handles share the same physical connection.
2015-05-18CURLOPT_PIPEWAIT: addedDaniel Stenberg
By setting this option to 1 libcurl will wait for a connection to reveal if it is possible to pipeline/multiplex on before it continues.
2015-05-18http2: separate multiplex/pipelining + cleanup memory leaksDaniel Stenberg