aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2018-11-21openssl: disable TLS renegotiation with BoringSSLDaniel Stenberg
Since we're close to feature freeze, this change disables this feature with an #ifdef. Define ALLOW_RENEG at build-time to enable. This could be converted to a bit for CURLOPT_SSL_OPTIONS to let applications opt-in this. Concern-raised-by: David Benjamin Fixes #3283 Closes #3293
2018-11-20ares: remove fd from multi fd set when ares is about to close the fdRomain Fliedel
When using c-ares for asyn dns, the dns socket fd was silently closed by c-ares without curl being aware. curl would then 'realize' the fd has been removed at next call of Curl_resolver_getsock, and only then notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with CURL_POLL_REMOVE. At this point the fd is already closed. By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this patch allows curl to be notified that the fd is not longer needed for neither for write nor read. At this point by calling Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE before the fd is actually closed by ares. In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore since it does not allow passing a different sock_state_cb_data Closes #3238
2018-11-20ntlm: Remove redundant ifdef USE_OPENSSLpkubaj
lib/curl_ntlm.c had code that read as follows: #ifdef USE_OPENSSL # ifdef USE_OPENSSL # else # .. # endif #endif Remove the redundant USE_OPENSSL along with #else (it's not possible to reach it anyway). The removed construction is a leftover from when the SSLeay support was removed. Closes #3269 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-20ssl: replace all internal uses of CURLE_SSL_CACERTHan Han
Closes #3291
2018-11-17openssl: Remove SSLEAY leftoversDaniel Gustafsson
Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't compatible with the SSLeay library. This removes the few leftovers that were omitted in the less frequently used platform targets. Closes #3270 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-16http_negotiate: do not close connection until negotiation is completedElia Tufarolo
Fix HTTP POST using CURLAUTH_NEGOTIATE. Closes #3275
2018-11-16pop3: only do APOP with a valid timestampDaniel Stenberg
Brought-by: bobmitchell1956 on github Fixes #3278 Closes #3279
2018-11-16openssl: do not log excess "TLS app data" lines for TLS 1.3Peter Wu
The SSL_CTX_set_msg_callback callback is not just called for the Handshake or Alert protocols, but also for the raw record header (SSL3_RT_HEADER) and the decrypted inner record type (SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid excess debug spam when using `curl -v` against a TLSv1.3-enabled server: * TLSv1.3 (IN), TLS app data, [no content] (0): (Following this message, another callback for the decrypted handshake/alert messages will be be present anyway.) Closes https://github.com/curl/curl/pull/3281
2018-11-13nss: remove version selecting dead codeKamil Dudka
Closes #3262
2018-11-13nss: set default max-tls to 1.3/1.2Daniel Stenberg
Fixes #3261
2018-11-12nss: fix fallthrough comment to fix picky compiler warningDaniel Stenberg
2018-11-09ftp: avoid two unsigned int overflows in FTP listing parserTim Rühsen
Curl_ftp_parselist: avoid unsigned integer overflows The overflow has no real world impact, just avoid it for "best practice". Closes #3225
2018-11-09openssl: support BoringSSL TLS renegotiationJérémy Rocher
As per BoringSSL porting documentation [1], BoringSSL rejects peer renegotiations by default. curl fails when trying to authenticate to server through client certificate if it is requested by server after the initial TLS handshake. Enable renegotiation by default with BoringSSL to get same behavior as with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2] which was introduced in commit 1d5ef3bb1eb9 [3]. 1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation 2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482 3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86 Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com> Fixes #3258 Closes #3259
2018-11-09setopt: add CURLOPT_CURLUJim Fuller
Allows an application to pass in a pre-parsed URL via a URL handle. Closes #3227
2018-11-07winssl: be consistent in Schannel capitalizationDaniel Gustafsson
The productname from Microsoft is "Schannel", but in infof/failf reporting we use "schannel". This removes different versions. Closes #3243 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-07urlapi: only skip encoding the first '=' with APPENDQUERY setDaniel Stenberg
APPENDQUERY + URLENCODE would skip all equals signs but now it only skip encoding the first to better allow "name=content" for any content. Reported-by: Alexey Melnichuk Fixes #3231 Closes #3231
2018-11-06url: a short host name + port is not a schemeDaniel Stenberg
The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Also fixed test203 to use file_pwd to make it get the correct path on windows. Removed test 2070 since it was a duplicate of 203. Assisted-by: Marcel Raad Reported-by: Hagai Auro Fixes #3220 Fixes #3233 Closes #3223 Closes #3235
2018-11-06libcurl: stop reading from paused transfersSangamkar
In the transfer loop it would previously not acknwledge the pause bit and continue until drained or loop ended. Closes #3240
2018-11-06curl_multibyte: fix a malloc overcalculationJay Satiro
Prior to this change twice as many bytes as necessary were malloc'd when converting wchar to UTF8. To allay confusion in the future I also changed the variable name for the amount of bytes from len to bytes. Closes https://github.com/curl/curl/pull/3209
2018-11-05netrc: don't ignore the login name specified with "--user"Michael Kaufmann
- for "--netrc", don't ignore the login/password specified with "--user", only ignore the login/password in the URL. This restores the netrc behaviour of curl 7.61.1 and earlier. - fix the documentation of CURL_NETRC_REQUIRED - improve the detection of login/password changes when reading .netrc - don't read .netrc if both login and password are already set Fixes #3213 Closes #3224
2018-11-05Revert "url: a short host name + port is not a scheme"Daniel Stenberg
This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2. This commit caused test failures on appveyor/windows. Work on fixing them is in #3235.
2018-11-03infof: clearly indicate truncationDaniel Gustafsson
The internal buffer in infof() is limited to 2048 bytes of payload plus an additional byte for NULL termination. Servers with very long error messages can however cause truncation of the string, which currently isn't very clear, and leads to badly formatted output. This appends a "...\n" (or just "..." in case the format didn't with a newline char) marker to the end of the string to clearly show that it has been truncated. Also include a unittest covering infof() to try and catch any bugs introduced in this quite important function. Closes #3216 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-11-03url: a short host name + port is not a schemeDaniel Stenberg
The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Reported-by: Hagai Auro Fixes #3220 Closes #3223
2018-11-03URL: fix IPv6 numeral address parserDaniel Stenberg
Regression from 46e164069d1a52. Extended test 1560 to verify. Reported-by: tpaukrt on github Fixes #3218 Closes #3219
2018-11-02mprintf: avoid unsigned integer overflow warningTim Rühsen
The overflow has no real world impact. Just avoid it for "best practice". Code change suggested by "The Infinnovation Team" and Daniel Stenberg. Closes #3184
2018-11-02Curl_follow: accept non-supported schemes for "fake" redirectsDaniel Stenberg
When not actually following the redirect and the target URL is only stored for later retrieval, curl always accepted "non-supported" schemes. This was a regression from 46e164069d1a5230. Reported-by: Brad King Fixes #3210 Closes #3215
2018-11-01axtls: removedDaniel Stenberg
As has been outlined in the DEPRECATE.md document, the axTLS code has been disabled for 6 months and is hereby removed. Use a better supported TLS library! Assisted-by: Daniel Gustafsson Closes #3194
2018-11-01schannel: make CURLOPT_CERTINFO support using Issuer chainmarcosdiazr
Closes #3197
2018-11-01schannel: use Curl_ prefix for global private symbolsDaniel Stenberg
Curl_verify_certificate() must use the Curl_ prefix since it is globally available in the lib and otherwise steps outside of our namespace! Closes #3201
2018-10-30vtls: add MesaLink to curl_sslbackend enumDaniel Gustafsson
MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the backend was never added to the curl_sslbackend enum in curl/curl.h. This adds the new backend to the enum and updates the relevant docs. Closes #3195 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-29Curl_auth_create_plain_message: fix too-large-input-checkDaniel Stenberg
CVE-2018-16839 Reported-by: Harry Sintonen Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
2018-10-29Curl_close: clear data->multi_easy on free to avoid use-after-freeDaniel Stenberg
Regression from b46cfbc068 (7.59.0) CVE-2018-16840 Reported-by: Brian Carpenter (Geeknik Labs) Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
2018-10-27rand: add comment to skip a clang-tidy false positiveDaniel Stenberg
2018-10-27x509asn1: always check return code from getASN1Element()Daniel Stenberg
2018-10-27Makefile: add 'tidy' target that runs clang-tidyDaniel Stenberg
Available in the root, src and lib dirs. Closes #3163
2018-10-27x509asn1: suppress left shift on signed valuePatrick Monnerat
Use an unsigned variable: as the signed operation behavior is undefined, this change silents clang-tidy about it. Ref: https://github.com/curl/curl/pull/3163 Reported-By: Daniel Stenberg
2018-10-27multi: Fix error handling in the SENDPROTOCONNECT stateMichael Kaufmann
If Curl_protocol_connect() returns an error code, handle the error instead of switching to the next state. Closes #3170
2018-10-27openssl: output the correct cipher list on TLS 1.3 errorDaniel Stenberg
When failing to set the 1.3 cipher suite, the wrong string pointer would be used in the error message. Most often saying "(nil)". Reported-by: Ricky-Tigg on github Fixes #3178 Closes #3180
2018-10-26ssh: free the session on init failuresDaniel Gustafsson
Ensure to clear the session object in case the libssh2 initialization fails. It could be argued that the libssh2 error function should be called to get a proper error message in this case. But since the only error path in libssh2_knownhost_init() is memory a allocation failure it's safest to avoid since the libssh2 error handling allocates memory. Closes #3179 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-26openssl: make 'done' a proper booleanDaniel Gustafsson
Closes #3176
2018-10-26gtls: Values stored to but never readDaniel Stenberg
Detected by clang-tidy Closes #3176
2018-10-26rtmp: fix for compiling with lwIPGisle Vanem
Compiling on _WIN32 and with USE_LWIPSOCK, causes this error: curl_rtmp.c(223,3): error: use of undeclared identifier 'setsockopt' setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO, ^ curl_rtmp.c(41,32): note: expanded from macro 'setsockopt' #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e) ^ Closes #3155
2018-10-25urldata: Fix comment in headerMichael Kaufmann
The "connecting" function is used by multiple protocols, not only FTP
2018-10-25netrc: free temporary strings if memory allocation failsMichael Kaufmann
- Change the inout parameters after all needed memory has been allocated. Do not change them if something goes wrong. - Free the allocated temporary strings if strdup() fails. Closes #3122
2018-10-24config: Remove unused SIZEOF_VOIDPRuslan Baratov
Closes #3162
2018-10-23Fix for compiling with lwIP (3)Gisle Vanem
lwIP on Windows does not have a WSAIoctl() function. But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
2018-10-23Curl_follow: return better errors on URL problemsDaniel Stenberg
... by making the converter function global and accessible. Closes #3153
2018-10-23Curl_follow: remove remaining free(newurl)Daniel Stenberg
Follow-up to 05564e750e8f0c. This function no longer frees the passed-in URL. Reported-by: Michael Kaufmann Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm ent-30985666
2018-10-23headers: end all headers with guard commentDaniel Gustafsson
Most headerfiles end with a /* <headerguard> */ comment, but it was missing from some. The comment isn't the most important part of our code documentation but consistency has an intrinsic value in itself. This adds header guard comments to the files that were lacking it. Closes #3158 Reviewed-by: Jay Satiro <raysatiro@yahoo.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-19multi: avoid double-freeDaniel Stenberg
Curl_follow() no longer frees the string. Make sure it happens in the caller function, like we normally handle allocations. This bug was introduced with the use of the URL API internally, it has never been in a release version Reported-by: Dario Weißer Closes #3149