aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2020-05-27ngtcp2: use common key log routine for better thread-safetyPeter Wu
Tested with ngtcp2 built against the OpenSSL library. Additionally tested with MultiSSL (NSS for TLS and ngtcp2+OpenSSL for QUIC). The TLS backend (independent of QUIC) may or may not already have opened the keylog file before. Therefore Curl_tls_keylog_open is always called to ensure the file is open.
2020-05-27wolfssl: add SSLKEYLOGFILE supportPeter Wu
Tested following the same curl and tshark commands as in commit "vtls: Extract and simplify key log file handling from OpenSSL" using WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with `./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`. Full support for this feature requires certain wolfSSL build options, see "Availability note" in lib/vtls/wolfssl.c for details. Closes #5327
2020-05-27vtls: Extract and simplify key log file handling from OpenSSLPeter Wu
Create a set of routines for TLS key log file handling to enable reuse with other TLS backends. Simplify the OpenSSL backend as follows: - Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled. - Do not perform dynamic memory allocation when preparing a log entry. Unless the TLS specifications change we can suffice with a reasonable fixed-size buffer. - Simplify state tracking when SSL_CTX_set_keylog_callback is unavailable. My original sslkeylog.c code included this tracking in order to handle multiple calls to SSL_connect and detect new keys after renegotiation (via SSL_read/SSL_write). For curl however we can be sure that a single master secret eventually becomes available after SSL_connect, so a simple flag is sufficient. An alternative to the flag is examining SSL_state(), but this seems more complex and is not pursued. Capturing keys after server renegotiation was already unsupported in curl and remains unsupported. Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f (`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`) against an OpenSSL 1.1.1f server configured with: # Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2 openssl s_server -www -tls1 # Likewise, but fail the server handshake. openssl s_server -www -tls1 -Verify 2 # TLS 1.3 test. No need to test the failing server handshake. openssl s_server -www -tls1_3 Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly written using Wireshark. For the first and third case, expect four matches per connection (decrypted Server Finished, Client Finished, HTTP Request, HTTP Response). For the second case where the handshake fails, expect a decrypted Server Finished only. tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \ -eframe.number -eframe.time -etcp.stream -e_ws.col.Info \ -dtls.port==4433,http -ohttp.desegment_body:FALSE \ -Y 'tls.handshake.verify_data or http' A single connection can easily be identified via the `tcp.stream` field.
2020-05-27transfer: close connection after excess data has been readMichael Kaufmann
For HTTP 1.x, it's a protocol error when the server sends more bytes than announced. If this happens, don't reuse the connection, because the start position of the next response is undefined. Closes #5440
2020-05-27Revert "ssh: ignore timeouts during disconnect"Estanislau Augé-Pujadas
This reverts commit f31760e63b4e9ef1eb25f8f211390f8239388515. Shipped in curl 7.54.1. Bug: https://curl.haxx.se/mail/lib-2020-05/0068.html Closes #5465
2020-05-27urldata: connect related booleans live in struct ConnectBitsDaniel Stenberg
And remove a few unused booleans! Closes #5461
2020-05-26hostip: on macOS avoid DoH when given a numerical IP addressDaniel Stenberg
When USE_RESOLVE_ON_IPS is set (defined on macOS), it means that numerical IP addresses still need to get "resolved" - but not with DoH. Reported-by: Viktor Szakats Fixes #5454 Closes #5459
2020-05-26ngtcp2: cleanup memory when failing to connectDaniel Stenberg
Reported-by: Peter Wu Fixes #5447 (the ngtcp2 side of it) Closes #5451
2020-05-26quiche: clean up memory properly when failing to connectDaniel Stenberg
Addresses the quiche side of #5447 Reported-by: Peter Wu Closes #5450
2020-05-26cleanup: use a single space after equals sign in assignmentsDaniel Stenberg
2020-05-25url: accept "any length" credentials for proxy authDaniel Stenberg
They're only limited to the maximum string input restrictions, not to 256 bytes. Added test 1178 to verify Reported-by: Will Roberts Fixes #5448 Closes #5449
2020-05-25altsvc: fix parser for lines ending with CRLFDaniel Stenberg
Fixed the alt-svc parser to treat a newline as end of line. The unit tests in test 1654 were done without CRLF and thus didn't quite match the real world. Now they use CRLF as well. Reported-by: Peter Wu Assisted-by: Peter Wu Assisted-by: Jay Satiro Fixes #5445 Closes #5446
2020-05-25all: fix codespell errorsViktor Szakats
Reviewed-by: Jay Satiro Reviewed-by: Daniel Stenberg Closes https://github.com/curl/curl/pull/5452
2020-05-25ngtcp2: fix build with current ngtcp2 master implementing draft 28Peter Wu
Based on client.cc changes from ngtcp2. Tested with current git master, ngtcp2 commit c77d5731ce92, nghttp3 commit 65ff479d4380. Fixes #5444 Closes #5443
2020-05-24copyright: updated year ranges out of syncDaniel Stenberg
... and whitelisted a few more files in the the copyright.pl script.
2020-05-23setopt: add CURLOPT_PROXY_ISSUERCERT(_BLOB) for coherencyGilles Vollant
Closes #5431
2020-05-22Revert "sendf: make failf() use the mvsnprintf() return code"Daniel Stenberg
This reverts commit 74623551f306990e70c7c5515b88972005604a74. Instead mark the function call with (void). Getting the return code and using it instead triggered Coverity warning CID 1463596 because snprintf() can return a negative value... Closes #5441
2020-05-19sha256: move assign to the declaration lineDaniel Stenberg
Follow-up to fae30656. Should've been squashed with that commit...
2020-05-19sha256: fixed potentially uninitialized variableSiva Sivaraman
Closes #5414
2020-05-19sendf: make failf() use the mvsnprintf() return codeDaniel Stenberg
... and avoid a strlen() call. Fixes a MonocleAI warning. Reported-by: MonocleAI Fixes #5413 Closes #5420
2020-05-19hostip: make Curl_printable_address not return anythingDaniel Stenberg
It was not used much anyway and instead we let it store a blank buffer in case of failure. Reported-by: MonocleAI Fixes #5411 Closes #5418
2020-05-19ftp: mark return-ignoring calls to Curl_GetFTPResponse with (void)Daniel Stenberg
They're done on purpose, make that visible in the code. Reported-by: MonocleAI Fixes #5412 Closes #549
2020-05-17dynbuf: return NULL when there's no buffer lengthDaniel Stenberg
... as returning a "" is not a good idea as the string is supposed to be allocated and returning a const string will cause issues. Reported-by: Brian Carpenter Follow-up to ed35d6590e72c Closes #5405
2020-05-15CMake: add libssh build supportPeter Wu
Closes #5372
2020-05-15http2: keep trying to send pending frames after req.upload_doneVyron Tsingaras
Fixes #1410 Closes #5401
2020-05-15setopt: support certificate options in memory with struct curl_blobGilles Vollant
This change introduces a generic way to provide binary data in setopt options, called BLOBs. This change introduces these new setopts: CURLOPT_ISSUERCERT_BLOB, CURLOPT_PROXY_SSLCERT_BLOB, CURLOPT_PROXY_SSLKEY_BLOB, CURLOPT_SSLCERT_BLOB and CURLOPT_SSLKEY_BLOB. Reviewed-by: Daniel Stenberg Closes #5357
2020-05-15source cleanup: remove all custom typedef structsDaniel Stenberg
- Stick to a single unified way to use structs - Make checksrc complain on 'typedef struct {' - Allow them in tests, public headers and examples - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually typedef different types/structs depending on build conditions. Closes #5338
2020-05-15ftp: make domore_getsock() return the secondary socket properlyDaniel Stenberg
Previously, after PASV and immediately after the data connection has connected, the function would only return the control socket to wait for which then made the data connection simply timeout and not get polled correctly. This become obvious when running test 1631 and 1632 event- based.
2020-05-15ftp: shut down the secondary connection properly when SSL is usedDaniel Stenberg
Reported-by: Neal Poole Fixes #5340 Closes #5385
2020-05-14curl_setup: support Unicode functions to open files on WindowsMarcel Raad
Use them only if `_UNICODE` is defined, in which case command-line arguments have been converted to UTF-8. Closes https://github.com/curl/curl/pull/3784
2020-05-14tool: support UTF-16 command line on WindowsMarcel Raad
- use `wmain` instead of `main` when `_UNICODE` is defined [0] - define `argv_item_t` as `wchar_t *` in this case - use the curl_multibyte gear to convert the command-line arguments to UTF-8 This makes it possible to pass parameters with characters outside of the current locale on Windows, which is required for some tests, e.g. the IDN tests. Out of the box, this currently only works with the Visual Studio project files, which default to Unicode, and winbuild with the `ENABLE_UNICODE` option. [0] https://devblogs.microsoft.com/oldnewthing/?p=40643 Ref: https://github.com/curl/curl/issues/3747 Closes https://github.com/curl/curl/pull/3784
2020-05-14curl_multibyte: add to curlxMarcel Raad
This will also be needed in the tool and tests. Ref: https://github.com/curl/curl/pull/3758#issuecomment-482197512 Closes https://github.com/curl/curl/pull/3784
2020-05-14url: make the updated credentials URL-encoded in the URLDaniel Stenberg
Found-by: Gregory Jefferis Reported-by: Jeroen Ooms Added test 1168 to verify. Bug spotted when doing a redirect. Bug: https://github.com/jeroen/curl/issues/224 Closes #5400
2020-05-14vauth/cleartext: fix theoretical integer overflowMajor_Tom
Fix theoretical integer overflow in Curl_auth_create_plain_message. The security impact of the overflow was discussed on hackerone. We agreed this is more of a theoretical vulnerability, as the integer overflow would only be triggerable on systems using 32-bits size_t with over 4GB of available memory space for the process. Closes #5391
2020-05-14checksrc: enhance the ASTERISKSPACE and update code accordinglyDaniel Stenberg
Fine: "struct hello *world" Not fine: "struct hello* world" (and variations) Closes #5386
2020-05-13OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAINDaniel Stenberg
... to avoid an OpenSSL bug that otherwise makes the CRL check to fail. Reported-by: Michael Kaufmann Fixes #5374 Closes #5376
2020-05-13url: reject too long input when parsing credentialsDaniel Stenberg
Since input passed to libcurl with CURLOPT_USERPWD and CURLOPT_PROXYUSERPWD circumvents the regular string length check we have in Curl_setstropt(), the input length limit is enforced in Curl_parse_login_details too, separately. Reported-by: Thomas Bouzerar Closes #5383
2020-05-12easy: fix dangling pointer on easy_perform faildenzor
Closes https://github.com/curl/curl/pull/5363
2020-05-12url: sort the protocol schemes in rough popularity orderDaniel Stenberg
When looking for a protocol match among supported schemes, check the most "popular" schemes first. It has zero functionality difference and for all practical purposes a speed difference will not be measureable but it still think it makes sense to put the least likely matches last. "Popularity" based on the 2019 user survey. Closes #5377
2020-05-10CMake: add ENABLE_ALT_SVC optionPeter Wu
Tested alt-svc with quiche. While at it, add missing MultiSSL reporting (not tested).
2020-05-10CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)Peter Wu
Add three new CMake Find modules (using the curl license, but I grant others the right to apply the CMake BSD license instead). This CMake config is simpler than the autotools one because it assumes ngtcp2 and nghttp3 to be used together. Another difference is that this CMake config checks whether QUIC is actually supported by the TLS library (patched OpenSSL or boringssl) since this can be a common configuration mistake that could result in build errors later. Unlike autotools, CMake does not warn you that the features are experimental. The user is supposed to already know that and read the documentation. It requires a very special build environment anyway. Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure out which features (libldap-2.4, libssh2) to disable due to conflicts with boringssl. Closes #5359
2020-05-08checksrc: close the .checksrc file handle when done readingDaniel Stenberg
2020-05-08CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl)Gilles Vollant
Closes #4346
2020-05-08urlapi: accept :: as a valid IPv6 addressDaniel Stenberg
Text 1560 is extended to verify. Reported-by: Pavel Volgarev Fixes #5344 Closes #5351
2020-05-08*_sspi: fix bad uses of CURLE_NOT_BUILT_INPeter Wang
Return CURLE_AUTH_ERROR instead of CURLE_NOT_BUILT_IN for other instances of QuerySecurityPackageInfo failing, as in commit 2a81439553286f12cd04a4bdcdf66d8e026d8201. Closes #5355
2020-05-07ngtcp2: introduce qlog supportDaniel Stenberg
If the QLOGDIR environment variable is set, enable qlogging. ... and create Curl_qlogdir() in the new generic vquic/vquic.c file for QUIC functions that are backend independent. Closes #5353
2020-05-07ntlm_sspi: fix bad use of CURLE_NOT_BUILT_INDaniel Stenberg
That return code is reserved for build-time conditional code not being present while this was a regular run-time error from a Windows API. Reported-by: wangp on github Fixes #5349 Closes #5350
2020-05-07http2: simplify and clean up trailer handlingDaniel Stenberg
Triggered by a crash detected by OSS-Fuzz after the dynbuf introduction in ed35d6590e72. This should make the trailer handling more straight forward and hopefully less error-prone. Deliver the trailer header to the callback already at receive-time. No longer caches the trailers to get delivered at end of stream. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22030 Closes #5348
2020-05-05libssh2: convert over to use dynbufDaniel Stenberg
In my very basic test that lists sftp://127.0.0.1/tmp/, this patched code makes 161 allocations compared to 194 in git master. A 17% reduction. Closes #5336
2020-05-05quiche: enable qlog outputDaniel Stenberg
quiche has the potential to log qlog files. To enable this, you must build quiche with the qlog feature enabled `cargo build --features qlog`. curl then passes a file descriptor to quiche, which takes ownership of the file. The FD transfer only works on UNIX. The convention is to enable logging when the QLOGDIR environment is set. This should be a path to a folder where files are written with the naming template <SCID>.qlog. Co-authored-by: Lucas Pardue Replaces #5337 Closes #5341