Age | Commit message (Collapse) | Author |
|
Follow the pattern of many other callbacks.
Ref: #4546
Closes #4585
|
|
.. because checksrc's copyright year check stopped working.
Ref: https://github.com/curl/curl/pull/4547
Closes https://github.com/curl/curl/pull/4549
|
|
Closes #4552
|
|
- Open the CA file using FILE_SHARE_READ mode so that others can read
from it as well.
Prior to this change our schannel code opened the CA file without
sharing which meant concurrent openings (eg an attempt from another
thread or process) would fail during the time it was open without
sharing, which in curl's case would cause error:
"schannel: failed to open CA file".
Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html
Reported-by: Richard Alcock
|
|
... as it can make it wait there for a long time for no good purpose.
Patched-by: Jay Satiro
Reported-by: Bylon2 on github
Adviced-by: Nikos Mavrogiannopoulos
Fixes #4487
Closes #4541
|
|
Fixes #4518
Closes #4519
|
|
|
|
Closes https://github.com/curl/curl/pull/4425
|
|
Instead of showing the somewhat nonsensical errno number, use strerror()
to provide a more relatable error message.
Closes #4411
|
|
Curl_timeleft returns `timediff_t`, which is 64 bits wide also on
32-bit systems since commit b1616dad8f0.
Closes https://github.com/curl/curl/pull/4398
|
|
It was already fixed for BoringSSL in commit a0f8fccb1e0.
LibreSSL has had the second argument to SSL_CTX_set_min_proto_version
as uint16_t ever since the function was added in [0].
[0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda
Closes https://github.com/curl/curl/pull/4397
|
|
If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the
connection should not be reused.
Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html
Reported-by: Sebastian Haglund
Closes #4347
|
|
Follow-up to ffe34b7b59
Closes #4359
|
|
For FTPS transfers, curl gets close_notify on the data connection
without that being a signal to close the control connection!
Regression since 3f5da4e59a556fc (7.65.0)
Reported-by: Zenju on github
Reviewed-by: Jay Satiro
Fixes #4329
Closes #4340
|
|
OpenSSL 1.1.0 adds SSL_CTX_set_<min|max>_proto_version() that we now use
when available. Existing code is preserved for older versions of
OpenSSL.
Closes #4304
|
|
|
|
Closes #4244
|
|
SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported
range in NSS 3.45. It looks like the intention is to raise the minimum
version rather than lowering the maximum, so adjust accordingly. Note
that the caller (nss_setup_connect) initializes the version range to
(TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again.
Closes #4187
Reviewed-by: Daniel Stenberg
Reviewed-by: Kamil Dudka
|
|
Closes #4184
|
|
It was used (intended) to pass in the size of the 'socks' array that is
also passed to these functions, but was rarely actually checked/used and
the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries
that should be used instead.
Closes #4169
|
|
Several reasons:
- we can't add everyone who's helping out so its unfair to just a few
selected ones.
- we already list all helpers in THANKS and in RELEASE-NOTES for each
release
- we don't want to give the impression that some parts of the code is
"owned" or "controlled" by specific persons
Assisted-by: Daniel Gustafsson
Closes #4129
|
|
PK11_IsPresent() checks for the token for the given slot is available,
and sets needlogin flags for the PK11_Authenticate() call. Should it
return false, we should however treat it as an error and bail out.
Closes https://github.com/curl/curl/pull/4110
|
|
Closes #4100
|
|
The file suffix for dynamically loadable objects on macOS is .dylib,
which need to be added for the module definitions in order to get the
NSS TLS backend to work properly on macOS.
Closes https://github.com/curl/curl/pull/4046
|
|
The value of the maxPTDs parameter to PR_Init() has since at least
NSPR 2.1, which was released sometime in 1998, been marked ignored
as is accordingly not used in the initialization code. Setting it
to a value when calling PR_Init() is thus benign, but indicates an
intent which may be misleading. Reset the value to zero to improve
clarity.
Closes https://github.com/curl/curl/pull/4054
|
|
Change the logic around such that we only keep CRLs that NSS actually
ended up caching around for later deletion. If CERT_CacheCRL() fails
then there is little point in delaying the freeing of the CRL as it
is not used.
Closes https://github.com/curl/curl/pull/4053
|
|
OpenSSL changed their manual locations and does not redirect to the new
locations.
Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html
Reported-by: Daniel Stenberg
|
|
... since that needs UI_OpenSSL() which isn't provided when OpenSSL is
built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for
UWP (with "VC-WIN32-UWP").
Reported-by: Vasily Lobaskin
Fixes #4073
Closes #4077
|
|
Certinfo gives the same result for all OpenSSL versions.
Also made printing RSA pubkeys consistent with older versions.
Reported-by: Michael Wallner
Fixes #3706
Closes #4030
|
|
OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(),
which is why we switched to CONF_modules_load_file() and introduced
a comment stating why. This behavior was however changed in OpenSSL
commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now
outdated and incorrect comment. The mentioned commit also declares
OPENSSL_config() deprecated so keep the current coding.
Closes #4033
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
|
follow-up from deb9462ff2de8
|
|
follow-up from deb9462ff2de8
Closes #4007
|
|
Remove support for, references to and use of "cyaSSL" from the source
and docs. wolfSSL is the current name and there's no point in keeping
references to ancient history.
Assisted-by: Daniel Gustafsson
Closes #3903
|
|
Reduce variable scopes and remove redundant variable stores.
Closes https://github.com/curl/curl/pull/3975
|
|
Closes #3916
|
|
Reported-by: smuellerDD on github
Fixes #3932
Closes #3933
|
|
Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under
the FTP featureflag in the UserDefined struct, but vtls callsites were
still using it unprotected.
Closes #3912
Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865
Reviewed-by: Daniel Stenberg, Marcel Raad
|
|
Closes #3892
|
|
Fixes Codacy/CppCheck warnings.
Closes https://github.com/curl/curl/pull/3872
|
|
They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.
Ref: #3876
Closes #3883
|
|
In Curl_multissl_version() it was possible to overflow the passed in
buffer if the generated version string exceeded the size of the buffer.
Fix by inverting the logic, and also make sure to not exceed the local
buffer during the string generation.
Closes #3863
Reported-by: nevv on HackerOne/curl
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
|
|
Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS
define. It uses this define to determine whether to publish -fips at
the end of the version displayed. Applications that utilize the version
reported by OpenSSL will see a mismatch if they compare it to what curl
reports, as curl is not modifying the version in the same way. This
change simply adds a check to see if OPENSSL_FIPS is defined, and will
alter the reported version to match what OpenSSL itself provides. This
only appears to be applicable in versions of OpenSSL <1.1.1
Closes #3771
|
|
Currently you can do things like --cert <(cat ./cert.crt) with (at least) the
openssl backend, but that doesn't work for nss because is_file rejects fifos.
I don't actually know if this is sufficient, nss might do things internally
(like seeking back) that make this not work, so actual testing is needed.
Closes #3807
|
|
Closes #3823
Closes #3776
|
|
As soon as a TLS backend gets ALPN conformation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.
|
|
Closes #3808
|
|
Without this, detecting and avoid reusing a closed TLS connection
(without a previous GOAWAY) when doing HTTP/2 is tricky.
Reported-by: Tom van der Woerdt
Fixes #3750
Closes #3763
|
|
- remove unused variables
- declare conditionally used variables conditionally
- suppress unused variable warnings in the CMake tests
- remove dead variable stores
- consistently use WIN32 macro to detect Windows
Closes https://github.com/curl/curl/pull/3739
|
|
Make functions no-ops if neither both USE_THREADS_POSIX and
HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are
defined. Previously, if only one of them was defined, there was either
code compiled that did nothing useful or the wrong header included for
the functions used.
Also, move POLARSSL_MUTEX_T define to implementation file as it's not
used externally.
Closes https://github.com/curl/curl/pull/3739
|
|
Fixes #3692
Closes #3692
|