aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2020-01-11libssh2: add support for forcing a hostkey typeSantino Keupp
- Allow forcing the host's key type found in the known_hosts file. Currently, curl (with libssh2) does not take keys from your known_hosts file into account when talking to a server. With this patch the known_hosts file will be searched for an entry matching the hostname and, if found, libssh2 will be told to claim this key type from the server. Closes https://github.com/curl/curl/pull/4747
2020-01-11schannel: Make CURLOPT_CAINFO work better on Windows 7Faizur Rahman
- Support hostname verification via alternative names (SAN) in the peer certificate when CURLOPT_CAINFO is used in Windows 7 and earlier. CERT_NAME_SEARCH_ALL_NAMES_FLAG doesn't exist before Windows 8. As a result CertGetNameString doesn't quite work on those versions of Windows. This change provides an alternative solution for CertGetNameString by iterating through CERT_ALT_NAME_INFO for earlier versions of Windows. Prior to this change many certificates failed the hostname validation when CURLOPT_CAINFO was used in Windows 7 and earlier. Most certificates now represent multiple hostnames and rely on the alternative names field exclusively to represent their hostnames. Reported-by: Jeroen Ooms Fixes https://github.com/curl/curl/issues/3711 Closes https://github.com/curl/curl/pull/4761
2020-01-11ngtcp2: Add an error code for QUIC connection errorsEmil Engler
- Add new error code CURLE_QUIC_CONNECT_ERROR for QUIC connection errors. Prior to this change CURLE_FAILED_INIT was used, but that was not correct. Closes https://github.com/curl/curl/pull/4754
2020-01-11multi: Change curl_multi_wait/poll to error on negative timeoutJay Satiro
- Add new error CURLM_BAD_FUNCTION_ARGUMENT and return that error when curl_multi_wait/poll is passed timeout param < 0. Prior to this change passing a negative value to curl_multi_wait/poll such as -1 could cause the function to wait forever. Reported-by: hamstergene@users.noreply.github.com Fixes https://github.com/curl/curl/issues/4763 Closes https://github.com/curl/curl/pull/4765
2020-01-11cmake: Enable SMB for Windows buildsMarc Aldorasi
- Define USE_WIN32_CRYPTO by default. This enables SMB. - Show whether SMB is enabled in the "Enabled features" output. - Fix mingw compiler warning for call to CryptHashData by casting away const param. mingw CryptHashData prototype is wrong. Closes https://github.com/curl/curl/pull/4717
2020-01-11vtls: Refactor Curl_multissl_version to make the code clearerJay Satiro
Reported-by: Johannes Schindelin Ref: https://github.com/curl/curl/pull/3863#pullrequestreview-241395121 Closes https://github.com/curl/curl/pull/4803
2020-01-10fix: Copyright year out of date, should be 2020Daniel Stenberg
Follow-up to 875314ed0bf3b
2020-01-10hostip: move code to resolve IP address literals to `Curl_resolv`Marcel Raad
The code was duplicated in the various resolver backends. Also, it was called after the call to `Curl_ipvalid`, which matters in case of `CURLRES_IPV4` when called from `connect.c:bindlocal`. This caused test 1048 to fail on classic MinGW. The code ignores `conn->ip_version` as done previously in the individual resolver backends. Move the call to the `resolver_start` callback up to appease test 655, which wants it to be called also for literal addresses. Closes https://github.com/curl/curl/pull/4798
2020-01-06multi.h: move INITIAL_MAX_CONCURRENT_STREAMS from public headerDaniel Stenberg
... to the private multihhandle.h. It is not for public use and it wasn't prefixed correctly anyway! Closes #4790
2020-01-06file: fix copyright year rangeDaniel Stenberg
Follow-up to 1b71bc532bd
2020-01-06file: on Windows, refuse paths that start with \\Daniel Stenberg
... as that might cause an unexpected SMB connection to a given host name. Reported-by: Fernando Muñoz CVE-2019-15601 Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
2020-01-03lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS`Marcel Raad
Closes https://github.com/curl/curl/pull/4775
2019-12-31bearssl: Improve I/O handlingMichael Forney
Factor out common I/O loop as bearssl_run_until, which reads/writes TLS records until the desired engine state is reached. This is now used for the handshake, read, write, and close. Match OpenSSL SSL_write behavior, and don't return the number of bytes written until the corresponding records have been completely flushed across the socket. This involves keeping track of the length of data buffered into the TLS engine, and assumes that when CURLE_AGAIN is returned, the write function will be called again with the same data and length arguments. This is the same requirement of SSL_write. Handle TLS close notify as EOF when reading by returning 0. Closes https://github.com/curl/curl/pull/4748
2019-12-27lib: remove erroneous +x file permission on some c filesXiang Xiao
Modified by commit eb9a604 accidentally. Closes https://github.com/curl/curl/pull/4756
2019-12-27lib: fix warnings found when porting to NuttXXiang Xiao
- Undefine DEBUGASSERT in curl_setup_once.h in case it was already defined as a system macro. - Don't compile write32_le in curl_endian unless CURL_SIZEOF_CURL_OFF_T > 4, since it's only used by Curl_write64_le. - Include <arpa/inet.h> in socketpair.c. Closes https://github.com/curl/curl/pull/4756
2019-12-20ngtcp2: Support the latest update key callback typeJay Satiro
- Remove our cb_update_key in favor of ngtcp2's new ngtcp2_crypto_update_key_cb which does the same thing. Several days ago the ngtcp2_update_key callback function prototype was changed in ngtcp2/ngtcp2@42ce09c. Though it would be possible to fix up our cb_update_key for that change they also added ngtcp2_crypto_update_key_cb which does the same thing so we'll use that instead. Ref: https://github.com/ngtcp2/ngtcp2/commit/42ce09c Closes https://github.com/curl/curl/pull/4735
2019-12-19create_conn: prefer multiplexing to using new connectionsDaniel Stenberg
... as it would previously prefer new connections rather than multiplexing in most conditions! The (now removed) code was a leftover from the Pipelining code that was translated wrongly into a multiplex-only world. Reported-by: Kunal Ekawde Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html Closes #4732
2019-12-18strerror: Fix compiler warning "empty expression"Gisle Vanem
- Remove the final semi-colon in the SEC2TXT() macro definition. Before: #define SEC2TXT(sec) case sec: txt = #sec; break; After: #define SEC2TXT(sec) case sec: txt = #sec; break Prior to this change SEC2TXT(foo); would generate break;; which caused the empty expression warning. Ref: https://github.com/curl/curl/commit/5b22e1a#r36458547
2019-12-17define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymoreDaniel Stenberg
It is covered by USE_OPENSSL_ENGINE now. Reported-by: Gisle Vanem Bug: https://github.com/curl/curl/commit/87b9337c8f76c21c57b204e88b68c6ecf3bd1ac0#commitcomment-36447951 Closes #4725
2019-12-17lib: remove ASSIGNWITHINCONDITION exceptions, use our code styleDaniel Stenberg
... even for macros Reviewed-by: Daniel Gustafsson Reviewed-by: Jay Satiro Reported-by: Jay Satiro Fixes #4683 Closes #4722
2019-12-16Revert "checksrc: fix regexp for ASSIGNWITHINCONDITION"Daniel Stenberg
This reverts commit ba82673dac3e8d00a76aa5e3779a0cb80e7442af. Bug: #4683
2019-12-15libssh2: add support for ECDSA and ed25519 knownhost keysSantino Keupp
... if a new enough libssh2 version is present. Source: https://curl.haxx.se/mail/archive-2019-12/0023.html Co-Authored-by: Daniel Stenberg Closes #4714
2019-12-13multi: free sockhash on OOMDaniel Stenberg
This would otherwise leak memory in the error path. Detected by torture test 1540. Closes #4713
2019-12-13hostip: suppress compiler warningMarcel Raad
With `--disable-doh --disable-threaded-resolver`, the `dns` parameter is not used. Closes https://github.com/curl/curl/pull/4692
2019-12-13ntlm_wb: fix double-free in OOMDaniel Stenberg
Detected by torture testing test 1310 Closes #4710
2019-12-12altsvc: make the save function ignore NULL filenamesDaniel Stenberg
It might happen in OOM situations. Detected bv torture tests. Closes #4707
2019-12-12doh: make it behave when built without proxy supportDaniel Stenberg
Reported-by: Marcel Raad Bug: https://github.com/curl/curl/pull/4692#issuecomment-564115734 Closes #4704
2019-12-11conncache: CONNECT_ONLY connections assumed always in-useDaniel Stenberg
This makes them never to be considered "the oldest" to be discarded when reaching the connection cache limit. The reasoning here is that CONNECT_ONLY is primarily used in combination with using the connection's socket post connect and since that is used outside of curl's knowledge we must assume that it is in use until explicitly closed. Reported-by: Pavel Pavlov Reported-by: Pavel Löbl Fixes #4426 Fixes #4369 Closes #4696
2019-12-10vtls: make BearSSL possible to set with CURL_SSL_BACKENDGisle Vanem
Ref: https://github.com/curl/curl/commit/9b879160df01e7ddbb4770904391d3b74114302b#commitcomment-36355622 Closes #4698
2019-12-09conn: always set bits.close with connclose()Daniel Stenberg
Closes #4690
2019-12-09conncache: fix multi-thread use of shared connection cacheDaniel Stenberg
It could accidentally let the connection get used by more than one thread, leading to double-free and more. Reported-by: Christopher Reid Fixes #4544 Closes #4557
2019-12-05lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAINJay Satiro
Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS and OS400 package spec. Also I added the option to the NameValue list in the tool even though it isn't exposed as a command-line option (...yet?). (NameValue stringizes the option name for the curl cmd -> libcurl source generator) Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN. Ref: https://github.com/curl/curl/pull/4655
2019-12-05setopt: Fix ALPN / NPN user option when built without HTTP2Jay Satiro
- Stop treating lack of HTTP2 as an unknown option error result for CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN. Prior to this change it was impossible to disable ALPN / NPN if libcurl was built without HTTP2. Setting either option would result in CURLE_UNKNOWN_OPTION and the respective internal option would not be set. That was incorrect since ALPN and NPN are used independent of HTTP2. Reported-by: Shailesh Kapse Fixes https://github.com/curl/curl/issues/4668 Closes https://github.com/curl/curl/pull/4672
2019-12-05curl_setup: fix `CURLRES_IPV6` conditionMarcel Raad
Move the definition of `CURLRES_IPV6` to before undefining `HAVE_GETADDRINFO`. Regression from commit 67a08dca27a which caused some tests to fail and others to be skipped with c-ares. Fixes https://github.com/curl/curl/issues/4673 Closes https://github.com/curl/curl/pull/4677
2019-12-04CMake: add support for building with the NSS vtls backendPeter Wu
Options are cross-checked with configure.ac and acinclude.m4. Tested on Arch Linux, untested on other platforms like Windows or macOS. Closes #4663 Reviewed-by: Kamil Dudka
2019-12-03hostip4.c: bump copyright year rangeDaniel Stenberg
2019-12-03curl_setup: disable IPv6 resolver without `getaddrinfo`Marcel Raad
Also, use `CURLRES_IPV6` only for actual DNS resolution, not for IPv6 address support. This makes it possible to connect to IPv6 literals by setting `ENABLE_IPV6` even without `getaddrinfo` support. It also fixes the CMake build when using the synchronous resolver without `getaddrinfo` support. Closes https://github.com/curl/curl/pull/4662
2019-12-03openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chainsDaniel Stenberg
Closes #4655
2019-12-03openssl: set X509_V_FLAG_PARTIAL_CHAINDaniel Stenberg
Have intermediate certificates in the trust store be treated as trust-anchors, in the same way as self-signed root CA certificates are. This allows users to verify servers using the intermediate cert only, instead of needing the whole chain. Other TLS backends already accept partial chains. Reported-by: Jeffrey Walton Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html
2019-12-02copyright: fix the year ranges for two filesDaniel Stenberg
Follow-up to 9c1806ae
2019-12-01build: Disable Visual Studio warning "conditional expression is constant"Jay Satiro
- Disable warning C4127 "conditional expression is constant" globally in curl_setup.h for when building with Microsoft's compiler. This mainly affects building with the Visual Studio project files found in the projects dir. Prior to this change the cmake and winbuild build systems already disabled 4127 globally for when building with Microsoft's compiler. Also, 4127 was already disabled for all build systems in the limited circumstance of the WHILE_FALSE macro which disabled the warning specifically for while(0). This commit removes the WHILE_FALSE macro and all other cruft in favor of disabling globally in curl_setup. Background: We have various macros that cause 0 or 1 to be evaluated, which would cause warning C4127 in Visual Studio. For example this causes it: #define Curl_resolver_asynch() 1 Full behavior is not clearly defined and inconsistent across versions. However it is documented that since VS 2015 Update 3 Microsoft has addressed this somewhat but not entirely, not warning on while(true) for example. Prior to this change some C4127 warnings occurred when I built with Visual Studio using the generated projects in the projects dir. Closes https://github.com/curl/curl/pull/4658
2019-12-01openssl: retrieve reported LibreSSL version at runtimeJay Satiro
- Retrieve LibreSSL runtime version when supported (>= 2.7.1). For earlier versions we continue to use the compile-time version. Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3 Closes https://github.com/curl/curl/pull/2425
2019-12-01strerror: Add Curl_winapi_strerror for Win API specific errorsJay Satiro
- In all code call Curl_winapi_strerror instead of Curl_strerror when the error code is known to be from Windows GetLastError. Curl_strerror prefers CRT error codes (errno) over Windows API error codes (GetLastError) when the two overlap. When we know the error code is from GetLastError it is more accurate to prefer the Windows API error messages. Reported-by: Richard Alcock Fixes https://github.com/curl/curl/issues/4550 Closes https://github.com/curl/curl/pull/4581
2019-12-02global_init: undo the "intialized" bump in case of failureDaniel Stenberg
... so that failures in the global init function don't count as a working init and it can then be called again. Reported-by: Paul Groke Fixes #4636 Closes #4653
2019-11-29parsedate: offer a getdate_capped() alternativeDaniel Stenberg
... and use internally. This function will return TIME_T_MAX instead of failure if the parsed data is found to be larger than what can be represented. TIME_T_MAX being the largest value curl can represent. Reviewed-by: Daniel Gustafsson Reported-by: JanB on github Fixes #4152 Closes #4651
2019-11-28sha256: bump the copyright year rangeDaniel Stenberg
Follow-up from 66e21520f
2019-11-28curl_setup_once: consistently use WHILE_FALSE in macrosDaniel Gustafsson
The WHILE_FALSE construction is used to avoid compiler warnings in macro constructions. This fixes a few instances where it was not used in order to keep the code consistent. Closes #4649 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-11-28http_ntlm: Remove duplicate NSS initialisationSteve Holme
Given that this is performed by the NTLM code there is no need to perform the initialisation in the HTTP layer. This also keeps the initialisation the same as the SASL based protocols and also fixes a possible compilation issue if both NSS and SSPI were to be used as multiple SSL backends. Reviewed-by: Kamil Dudka Closes #3935
2019-11-28checksrc: fix regexp for ASSIGNWITHINCONDITIONDaniel Gustafsson
The regexp looking for assignments within conditions was too greedy and matched a too long string in the case of multiple conditionals on the same line. This is basically only a problem in single line macros, and the code which exemplified this was essentially: do { if((x) != NULL) { x = NULL; } } while(0) ..where the final parenthesis of while(0) matched the regexp, and the legal assignment in the block triggered the warning. Fix by making the regexp less greedy by matching for the tell-tale signs of the if statement ending. Also remove the one occurrence where the warning was disabled due to a construction like the above, where the warning didn't apply when fixed. Closes #4647 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2019-11-28doh: use dedicated probe slotsNiall
... to easier allow additional DNS transactions. Closes #4629