aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2020-03-18schannel: add "best effort" revocation check optionJohannes Schindelin
- Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and --ssl-revoke-best-effort to allow a "best effort" revocation check. A best effort revocation check ignores errors that the revocation check was unable to take place. The reasoning is described in detail below and discussed further in the PR. --- When running e.g. with Fiddler, the schannel backend fails with an unhelpful error message: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Sadly, many enterprise users who are stuck behind MITM proxies suffer the very same problem. This has been discussed in plenty of issues: https://github.com/curl/curl/issues/3727, https://github.com/curl/curl/issues/264, for example. In the latter, a Microsoft Edge developer even made the case that the common behavior is to ignore issues when a certificate has no recorded distribution point for revocation lists, or when the server is offline. This is also known as "best effort" strategy and addresses the Fiddler issue. Unfortunately, this strategy was not chosen as the default for schannel (and is therefore a backend-specific behavior: OpenSSL seems to happily ignore the offline servers and missing distribution points). To maintain backward-compatibility, we therefore add a new flag (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option (`--ssl-revoke-best-effort`) to select the new behavior. Due to the many related issues Git for Windows and GitHub Desktop, the plan is to make this behavior the default in these software packages. The test 2070 was added to verify this behavior, adapted from 310. Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com> Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes https://github.com/curl/curl/pull/4981
2020-03-18multi: Improve parameter check for curl_multi_remove_handleJay Satiro
- If an easy handle is owned by a multi different from the one specified then return CURLM_BAD_EASY_HANDLE. Prior to this change I assume user error could cause corruption. Closes https://github.com/curl/curl/pull/5116
2020-03-17windows: suppress UI in all CryptAcquireContext() callsViktor Szakats
Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters Reviewed-by: Marc Hörsken Closes https://github.com/curl/curl/pull/5088
2020-03-17test 970: verify --write-out '%{json}'Daniel Stenberg
Makes curl_easy_getinfo() of "variable" numerical content instead return the number set in the env variable `CURL_TIME`. Makes curl_version() of "variable" textual content. This guarantees a stable version string which can be tested against. Environment variable `CURL_VERSION` defines the content. Assisted-by: Mathias Gumz
2020-03-17writeout: support to generate JSON outputMathias Gumz
This commit adds support to generate JSON via the writeout feature: -w "%{json}" It leverages the existing infrastructure as much as possible. Thus, generating the JSON on STDERR is possible by: -w "%{stderr}%{json}" This implements a variant of https://github.com/curl/curl/wiki/JSON#--write-out-json. Closes #4870
2020-03-16cmake: add support for building with wolfSSLDaniel Stenberg
My working build cmdline: $ cmake -DCMAKE_PREFIX_PATH=$HOME/build-wolfssl -DCMAKE_USE_WOLFSSL=ON . Assisted-by: Brad King Closes #5095
2020-03-16vtls: free ssl_config leftovers on out-of-memoryDaniel Stenberg
Torture testing 2034 and 2037 found this. Reported-by: Marc Hörsken Fixes #5108 Closes #5109
2020-03-15gskit: update the copyright year rangeDaniel Stenberg
Follow-up from 083603c63a3
2020-03-15gskit: use our internal select wrapper for portabilityMarc Hoersken
Follow up to c52b342 Closes #5106
2020-03-15transfer: cap retries of "dead connections" to 5Daniel Stenberg
When libcurl retries a connection due to it being "seemingly dead" or by REFUSED_STREAM, it will now only do it up five times before giving up, to avoid never-ending loops. Reported-by: Dima Tisnek Bug: https://curl.haxx.se/mail/lib-2020-03/0044.html Closes #5074
2020-03-15select: add 'timeout_ms' wrap-around precaution to Curl_selectMarc Hoersken
2020-03-15select: fix 'pending_ms' is assigned a value that is never usedMarc Hoersken
Detected by Codacy
2020-03-15select: move duplicate select preparation code into Curl_selectMarc Hoersken
Reviewed by Daniel Stenberg Reviewed by Marcel Raad Closes #5078
2020-03-15connect: happy eyeballs cleanupDaniel Stenberg
Make sure each separate index in connn->tempaddr[] is used for a fixed family (and only that family) during the connection process. If family one takes a long time and family two fails immediately, the previous logic could misbehave and retry the same family two address repeatedly. Reported-by: Paul Vixie Reported-by: Jay Satiro Fixes #5083 Fixes #4954 Closes #5089
2020-03-14Makefile.m32: Improve windres parameter compatibilityJay Satiro
- s/COFF/coff/ Some versions of windres do not recognize uppercase COFF as a valid way to specify the COFF output format. Reported-by: Steven Penny Fixes https://github.com/curl/curl/issues/5099 Closes https://github.com/curl/curl/pull/5101
2020-03-14easy: Fix curl_easy_duphandle for builds missing IPv6 that use c-aresJay Satiro
- Ignore CURLE_NOT_BUILT_IN errors returned by c-ares functions in curl_easy_duphandle. Prior to this change if c-ares was used as the resolver backend and either it was too old or libcurl was built without IPv6 support then some of our resolver functions could return CURLE_NOT_BUILT_IN to curl_easy_duphandle causing it to fail. Caused by c8f086b which shipped in 7.69.1. Reported-by: Karl Chen Fixes https://github.com/curl/curl/issues/5097 Closes https://github.com/curl/curl/pull/5100
2020-03-09sftp: fix segfault regression introduced by #4747Jim Fuller
This fix adds a defensive check for the case where the char *name in struct libssh2_knownhost is NULL Fixes #5041 Closes #5062
2020-03-08socks4: fix host resolve regressionDaniel Stenberg
1. The socks4 state machine was broken in the host resolving phase 2. The code now insists on IPv4-only when using SOCKS4 as the protocol only supports that. Regression from #4907 and 4a4b63d, shipped in 7.69.0 Reported-by: amishmm on github Bug: https://github.com/curl/curl/issues/5053#issuecomment-596191594 Closes #5061
2020-03-08cookie: get_top_domain() sets zero length for null domainsPatrick Monnerat
This silents a compilation warning with gcc -O3.
2020-03-08sha256: Added WinCrypt implementationSteve Holme
Closed #5030
2020-03-08sha256: Added SecureTransport implementationSteve Holme
2020-03-07mime: fix the binary encoder to handle large data properlyPatrick Monnerat
New test 666 checks this is effective. As upload buffer size is significant in this kind of tests, shorten it in similar test 652. Fixes #4860 Closes #4833 Reported-by: RuurdBeerstra on github
2020-03-07mime: do not perform more than one read in a rowPatrick Monnerat
Input buffer filling may delay the data sending if data reads are slow. To overcome this problem, file and callback data reads do not accumulate in buffer anymore. All other data (memory data and mime framing) are considered as fast and still concatenated in buffer. As this may highly impact performance in terms of data overhead, an early end of part data check is added to spare a read call. When encoding a part's data, an encoder may require more bytes than made available by a single read. In this case, the above rule does not apply and reads are performed until the encoder is able to deliver some data. Tests 643, 644, 645, 650 and 654 have been adapted to the output data changes, with test data size reduced to avoid the boredom of long lists of 1-byte chunks in verification data. New test 667 checks mimepost using single-byte read callback with encoder. New test 668 checks the end of part data early detection. Fixes #4826 Reported-by: MrdUkk on github
2020-03-07mime: latch last read callback status.Patrick Monnerat
In case a read callback returns a status (pause, abort, eof, error) instead of a byte count, drain the bytes read so far but remember this status for further processing. Takes care of not losing data when pausing, and properly resume a paused mime structure when requested. New tests 670-673 check unpausing cases, with easy or multi interface and mime or form api. Fixes #4813 Reported-by: MrdUkk on github
2020-03-07ares: store dns parameters for duphandleErnst Sjöstrand
With c-ares the dns parameters lives in ares_channel. Store them in the curl handle and set them again in easy_duphandle. Regression introduced in #3228 (6765e6d), shipped in curl 7.63.0. Fixes #4893 Closes #5020 Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com>
2020-03-07version: make curl_version* thread-safe without using global contextDaniel Stenberg
Closes #5010
2020-03-07perl: align order and completeness of Windows OS checksMarc Hoersken
2020-03-07config-win32: Windows does not have ftruncateMarc Hoersken
2020-03-07pause: force a connection (re-)check after unpausingDaniel Stenberg
There might be data available that was already read off the socket, for example in the TLS layer. Reported-by: Anders Berg Fixes #4966 Closes #5049
2020-03-07socks5: switch state properly when the resolve is doneDaniel Stenberg
Regression from 4a4b63d (and #4907) Reported-by: vitaha85 on github Fixes #5053 Closes #5056
2020-03-07libssh: Fix matching user-specified MD5 hex keyJay Satiro
Prior to this change a match would never be successful because it was mistakenly coded to compare binary data from libssh to a user-specified hex string (ie CURLOPT_SSH_HOST_PUBLIC_KEY_MD5). Reported-by: fds242@users.noreply.github.com Fixes https://github.com/curl/curl/issues/4971 Closes https://github.com/curl/curl/pull/4974
2020-03-06pause: bail out on bad inputDaniel Stenberg
A NULL easy handle or an easy handle without an associated connection cannot be paused or unpaused. Closes #5050
2020-03-06pause: return early for calls that don't change pause stateDaniel Stenberg
Reviewed-by: Patrick Monnerat Ref: #4833 Closes #5026
2020-03-06multi: skip EINTR check on wakeup socket if it was closedJay Satiro
- Don't check errno on wakeup socket if sread returned 0 since sread doesn't set errno in that case. This is a follow-up to cf7760a from several days ago which fixed Curl_multi_wait to stop busy looping sread on the non-blocking wakeup socket if it was closed (ie sread returns 0). Due to a logic error it was still possible to busy loop in that case if errno == EINTR. Closes https://github.com/curl/curl/pull/5047
2020-03-06transfer: set correct copyright year rangeDaniel Stenberg
2020-03-06urldata: remove the 'stream_was_rewound' connectdata struct memberDaniel Stenberg
... as it is never set anywhere. Follow-up to 2f44e94ef Closes #5046
2020-03-05Revert "pause: force-drain the transfer on unpause"Daniel Stenberg
This reverts commit fa0216b294af4c7113a9040ca65eefc7fc18ac1c (from #5000) Clearly that didn't solve the problem correctly. Reported-by: Christopher Reid Reopens #4966 Fixes #5044
2020-03-05polarssl: remove more references and mentionsDaniel Stenberg
Assisted-by: Jay Satiro Follow-up to 6357a19ff29dac04 Closes #5036
2020-03-03Revert "sha256: Added SecureTransport implementation"Daniel Stenberg
This reverts commit 4feb38deed33fed14ff7c370a6a9153c661dbb9c (from #4956) That commit broke test 1610 on macos builds without TLS. Closes #5027
2020-03-03sha256: Tidy up following recent changesSteve Holme
Reviewed-by: Daniel Stenberg Closes #4956
2020-03-03sha256: Added WinCrypt implementationSteve Holme
2020-03-03sha256: Added SecureTransport implementationSteve Holme
2020-03-03sha256: Added mbedtls implementationSteve Holme
2020-03-03sha256: Added GNU TLS gcrypt implementationSteve Holme
2020-03-03sha256: Added GNU TLS Nettle implementationSteve Holme
2020-03-02md4: use init/update/final functions in Secure TransportNick Zitzmann
We can use CC_MD4_Init/Update/Final without having to allocate memory directly. Closes #4979
2020-03-02multi_wait: stop loop when sread() returns zeroDaniel Stenberg
It's unclear why it would ever return zero here, but this change fixes Robert's problem and it shouldn't loop forever... Reported-by: Robert Dunaj Bug: https://curl.haxx.se/mail/archive-2020-02/0011.html Closes #5019
2020-03-02http: mark POSTs with no body as "upload done" from the startDaniel Stenberg
As we have logic that checks if we get a >= 400 reponse code back before the upload is done, which then got confused since it wasn't "done" but yet there was no data to send! Reported-by: IvanoG on github Fixes #4996 Closes #5002
2020-03-02formdata/mime: copyright year range updateDaniel Stenberg
Due to the merge/revert cycle
2020-03-02Revert "mime: latch last read callback status."Daniel Stenberg
This reverts commit 87869e38d7afdec3ef1bb4965711458b088e254f. Fixes #5014 Closes #5015 Reopens #4833