path: root/lib
Age | Commit message | Author
2019-11-24 | schannel: fix --tls-max for when min is --tlsv1 or default | Xiaoyin Liu
Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_ macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS (CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always.
Closes https://github.com/curl/curl/pull/4633
2019-11-22 | openssl: Revert to less sensitivity for SYSCALL errors | Jay Satiro
- Disable the extra sensitivity except in debug builds (--enable-debug).
- Improve SYSCALL error message logic in ossl_send and ossl_recv so that "No error" / "Success" socket error text isn't shown on SYSCALL error.
Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were also considered errors. For example, a server that does not send a known protocol termination point (eg HTTP content length or chunked encoding) _and_ does not send a TLS termination point (close_notify alert) would cause an error if it closed the connection.
To be clear that behavior made it into release build 7.67.0 unintentionally. Several users have reported it as an issue.
Ultimately the idea is a good one, since it can help prevent against a truncation attack. Other SSL backends may already behave similarly (such as Windows native OS SSL Schannel). However much more of our user base is using OpenSSL and there is a mass of legacy users in that space, so I think that behavior should be partially reverted and then rolled out slowly.
This commit changes the behavior so that the increased sensitivity is disabled in all curl builds except curl debug builds (DEBUGBUILD). If after a period of time there are no major issues then it can be enabled in dev and release builds with the newest OpenSSL (1.1.1+), since users using the newest OpenSSL are the least likely to have legacy problems.
Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794
Reported-by: Bjoern Franke
Fixes https://github.com/curl/curl/issues/4624
Closes https://github.com/curl/curl/pull/4623
2019-11-22 | openssl: improve error message for SYSCALL during connect | Daniel Stenberg
Reported-by: Paulo Roberto Tomasi
Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html
Closes https://github.com/curl/curl/pull/4593
2019-11-21 | include: make CURLE_HTTP3 use a new error code | Daniel Stenberg
To avoid potential issues with error code reuse.
Reported-by: Christoph M. Becker
Assisted-by: Dan Fandrich
Fixes #4601
Closes #4627
2019-11-18 | ngtcp2: use overflow buffer for extra HTTP/3 data | Javier Blazquez
Fixes #4525
Closes #4603
2019-11-18 | altsvc: bump to h3-24 | Daniel Stenberg
... as both ngtcp2 and quiche now support that in their master branches
Closes #4604
2019-11-18 | ngtcp2: free used resources on disconnect | Daniel Stenberg
Fixes #4614
Closes #4615
2019-11-18 | ngtcp2: handle key updates as ngtcp2 master branch tells us | Daniel Stenberg
Reviewed-by: Tatsuhiro Tsujikawa
Fixes #4612
Closes #4613
2019-11-17 | multi: Fix curl_multi_poll wait when extra_fds && !extra_nfds | Gergely Nagy
Prior to this change: The check if an extra wait is necessary was based not on the number of extra fds but on the pointer. If a non-null pointer was given in extra_fds, but extra_nfds was zero, then the wait was skipped even though poll was not called.
Closes https://github.com/curl/curl/pull/4610
2019-11-17 | lib: Move lib/ssh.h -> lib/vssh/ssh.h | Jay Satiro
Follow-up to 5b2d703 which moved ssh source files to vssh.
Closes https://github.com/curl/curl/pull/4609
2019-11-16 | doh: improved both encoding and decoding | Niall
Improved estimation of expected_len and updated related comments; increased strictness of QNAME-encoding, adding error detection for empty labels and names longer than the overall limit; avoided treating DNAME as unexpected; updated unit test 1655 with a more thorough set of proofs and tests
Closes #4598
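The stricter QNAME encoding described in the commit above, as an added example (this is illustration code, not curl's own doh.c): labels are length-prefixed and limited to 63 octets, the whole encoded name including the final root byte is limited to 255 octets (RFC 1035), and empty labels such as "a..b" or a leading dot are rejected instead of being silently encoded as a zero-length label, which a resolver would read as the end of the name. The function names and the error enum are this example's own.

```c
/* Added example, not curl's own doh.c code: a strict DNS QNAME encoder in
 * the spirit of the commit above. Each label is length-prefixed and at most
 * 63 octets, the encoded name including the final root byte is at most 255
 * octets (RFC 1035), and empty labels ("a..b", ".a") are rejected. */
#include <stddef.h>
#include <string.h>

enum qname_err {
    QNAME_OK = 0,
    QNAME_EMPTY_LABEL,
    QNAME_LABEL_TOO_LONG,
    QNAME_NAME_TOO_LONG,
    QNAME_BUFFER_TOO_SMALL
};

/* Encode 'host' into out[outlen]; *written gets the octet count on success.
 * A single trailing dot denotes the root and is accepted. */
enum qname_err qname_encode(const char *host, unsigned char *out,
                            size_t outlen, size_t *written)
{
    size_t hostlen = strlen(host);
    const char *end;
    const char *p = host;
    size_t pos = 0;

    if (hostlen && host[hostlen - 1] == '.')
        hostlen--;                          /* drop the explicit root dot */
    end = host + hostlen;

    while (p < end) {
        const char *dot = memchr(p, '.', (size_t)(end - p));
        size_t label = dot ? (size_t)(dot - p) : (size_t)(end - p);

        if (label == 0)
            return QNAME_EMPTY_LABEL;       /* "a..b", ".a" */
        if (label > 63)
            return QNAME_LABEL_TOO_LONG;
        if (pos + 1 + label + 1 > 255)      /* length byte, label, root */
            return QNAME_NAME_TOO_LONG;
        if (pos + 1 + label + 1 > outlen)
            return QNAME_BUFFER_TOO_SMALL;

        out[pos++] = (unsigned char)label;
        memcpy(out + pos, p, label);
        pos += label;
        p += label + 1;                     /* step over the dot */
    }
    if (pos + 1 > outlen)
        return QNAME_BUFFER_TOO_SMALL;
    out[pos++] = 0;                         /* root label ends the name */
    *written = pos;
    return QNAME_OK;
}

/* Result code for encoding 'host' into a full-size buffer. */
int qname_status(const char *host)
{
    unsigned char buf[256];
    size_t n;
    return (int)qname_encode(host, buf, sizeof(buf), &n);
}

/* 1 if 'host' encodes to exactly the 'explen' octets in 'expected'. */
int qname_matches(const char *host, const char *expected, size_t explen)
{
    unsigned char buf[256];
    size_t n;
    if (qname_encode(host, buf, sizeof(buf), &n) != QNAME_OK)
        return 0;
    return n == explen && memcmp(buf, expected, explen) == 0;
}

/* Status for a constructed name of 'nlabels' labels of 'labellen' 'a's;
 * four labels of 63 octets overflow the 255-octet limit. */
int qname_status_repeated(int nlabels, int labellen)
{
    char host[1024];
    size_t o = 0;
    int i;
    if (nlabels * (labellen + 1) >= (int)sizeof(host))
        return -1;
    for (i = 0; i < nlabels; i++) {
        if (i)
            host[o++] = '.';
        memset(host + o, 'a', (size_t)labellen);
        o += (size_t)labellen;
    }
    host[o] = 0;
    return qname_status(host);
}
```

The length check is done before the copy so a hostile or malformed name can never write past the 255-octet DNS limit or past the caller's buffer; "www.example.com" becomes the 17 octets `\3www\7example\3com\0`.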
2019-11-16 | ngtcp2: increase QUIC window size when data is consumed | Daniel Stenberg
Assisted-by: Javier Blazquez
Ref #4525 (partial fix)
Closes #4600
2019-11-14 | config-win32: cpu-machine-OS for Windows on ARM | Melissa Mears
Define the OS macro properly for Windows on ARM builds. Also, we might as well add the GCC-style IA-64 macro.
Closes #4590
2019-11-14 | multi_poll: avoid busy-loop when called without easy handles attached | Daniel Stenberg
Fixes #4594
Closes #4595
Reported-by: 3dyd on github
2019-11-12 | quiche: reject headers in the wrong order | Daniel Stenberg
Pseudo header MUST come before regular headers or cause an error.
Reported-by: Cynthia Coan
Fixes #4571
Closes #4584
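The ordering rule the commit above enforces, as an added example (illustration code, not curl's quiche.c): in HTTP/2 and HTTP/3 every pseudo-header field (a name beginning with ':') must precede every regular field, and a pseudo-header that turns up after a regular header makes the message malformed. The example goes one step beyond the commit and also rejects any response pseudo-header other than ":status", which RFC 7540 section 8.1.2.1 likewise requires; the struct, enum and function names are this example's own.

```c
/* Added example, not curl's quiche.c code: validate the pseudo-header
 * ordering of a received HTTP/2 or HTTP/3 response header block. All
 * pseudo-headers (':'-prefixed) must precede regular headers, and a
 * response may only carry ":status" (RFC 7540 section 8.1.2.1). */
#include <stddef.h>
#include <string.h>

struct hdr {
    const char *name;
    const char *value;
};

enum hdr_err {
    HDR_OK = 0,
    HDR_PSEUDO_AFTER_REGULAR,   /* ":x" seen after a regular header */
    HDR_UNKNOWN_PSEUDO          /* pseudo-header not allowed in a response */
};

/* Validate a response header block in the order it arrived on the wire. */
enum hdr_err check_response_headers(const struct hdr *h, size_t n)
{
    int seen_regular = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        if (h[i].name[0] == ':') {
            if (seen_regular)
                return HDR_PSEUDO_AFTER_REGULAR;
            if (strcmp(h[i].name, ":status") != 0)
                return HDR_UNKNOWN_PSEUDO;
        }
        else {
            seen_regular = 1;
        }
    }
    return HDR_OK;
}

/* Constructed header blocks exercising the three outcomes. */
int check_good_order(void)
{
    const struct hdr h[] = {
        { ":status", "200" },
        { "content-type", "text/plain" },
        { "content-length", "5" },
    };
    return (int)check_response_headers(h, sizeof(h) / sizeof(h[0]));
}

int check_pseudo_after_regular(void)
{
    const struct hdr h[] = {
        { "content-type", "text/plain" },
        { ":status", "200" },          /* too late: must be rejected */
    };
    return (int)check_response_headers(h, sizeof(h) / sizeof(h[0]));
}

int check_unknown_pseudo(void)
{
    const struct hdr h[] = {
        { ":status", "200" },
        { ":path", "/" },              /* request-only pseudo-header */
        { "content-type", "text/plain" },
    };
    return (int)check_response_headers(h, sizeof(h) / sizeof(h[0]));
}
```

Returning a distinct code per violation lets the caller log why a peer's header block was refused; either code should result in the stream being reset rather than the headers being passed up to the application.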
2019-11-12 | openssl: prevent recursive function calls from ctx callbacks | Daniel Stenberg
Follow the pattern of many other callbacks.
Ref: #4546
Closes #4585
2019-11-11 | remove_handle: clear expire timers after multi_done() | Daniel Stenberg
Since 59041f0, a new timer might be set in multi_done() so the clearing of the timers needs to happen afterwards!
Reported-by: Max Kellermann
Fixes #4575
Closes #4583
2019-11-10 | pause: avoid updating socket if done was already called | Daniel Stenberg
... avoids unnecessary recursive risk when the transfer is already done.
Reported-by: Richard Bowker
Fixes #4563
Closes #4574
2019-11-09 | strerror: Fix an error looking up some Windows error strings | Jay Satiro
- Use FORMAT_MESSAGE_IGNORE_INSERTS to ignore format specifiers in Windows error strings. Since we are not in control of the error code we don't know what information may be needed by the error string's format specifiers.
Prior to this change Windows API error strings which contain specifiers (think specifiers similar to printf specifiers) would not be shown. The FormatMessage Windows API call which turns a Windows error code into a string could fail and set error ERROR_INVALID_PARAMETER if that error string contained a format specifier. FormatMessage expects a va_list for the specifiers, unless inserts are ignored in which case no substitution is attempted.
Ref: https://devblogs.microsoft.com/oldnewthing/20071128-00/?p=24353
2019-11-08 | checksrc: repair the copyrightyear check | Daniel Stenberg
- Consider a modified file to be committed this year.
- Make the travis CHECKSRC also do COPYRIGHTYEAR scan in examples and includes
- Ignore 0 parents when getting latest commit date of file. Since in the CI we're dealing with a truncated repo of last 50 commits, the file's most recent commit may not be available. When this happens git log and rev-list show the initial commit (ie the first commit not to be truncated), but that's incorrect, so ignore it.
Ref: https://github.com/curl/curl/pull/4547
Closes https://github.com/curl/curl/pull/4549
Co-authored-by: Jay Satiro
2019-11-08 | copyrights: fix copyright year range | Daniel Stenberg
.. because checksrc's copyright year check stopped working.
Ref: https://github.com/curl/curl/pull/4547
Closes https://github.com/curl/curl/pull/4549
2019-11-07 | ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set | Christian Schmitz
Closes #3704
2019-11-06 | build: fix for CURL_DISABLE_DOH | Wyatt O'Day
Fixes https://github.com/curl/curl/issues/4565
Closes https://github.com/curl/curl/pull/4566
2019-11-02 | copyrights: update all copyright notices to 2019 on files changed this year | Vilhelm Prytz
Closes #4547
2019-11-02 | mbedtls: add error message for cert validity starting in the future | Bastien Bouclet
Closes #4552
2019-11-01 | schannel_verify: Fix concurrent openings of CA file | Jay Satiro
- Open the CA file using FILE_SHARE_READ mode so that others can read from it as well.
Prior to this change our schannel code opened the CA file without sharing which meant concurrent openings (eg an attempt from another thread or process) would fail during the time it was open without sharing, which in curl's case would cause error: "schannel: failed to open CA file".
Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html
Reported-by: Richard Alcock
2019-10-31 | gtls: make gnutls_bye() not wait for response on shutdown | Daniel Stenberg
... as it can make it wait there for a long time for no good purpose.
Patched-by: Jay Satiro
Reported-by: Bylon2 on github
Advised-by: Nikos Mavrogiannopoulos
Fixes #4487
Closes #4541
2019-10-30 | url: make Curl_close() NULLify the pointer too | Daniel Stenberg
This is the common pattern used in the code and by a unified approach we avoid mistakes.
Closes #4534
2019-10-29 | url: Curl_free_request_state() should also free doh handles | Daniel Stenberg
... or risk DoH memory leaks.
Reported-by: Paul Dreik
Fixes #4463
Closes #4527
2019-10-28 | HTTP3: fix invalid use of sendto for connected UDP socket | Javier Blazquez
On macOS/BSD, trying to call sendto on a connected UDP socket fails with an EISCONN error. Because the singleipconnect has already called connect on the socket when we're trying to use it for QUIC transfers we need to use plain send instead.
Fixes #4529
Closes https://github.com/curl/curl/pull/4533
2019-10-28 | HTTP3: fix Windows build | Javier Blazquez
The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv in order to perform nonblocking operations. On Windows this flag does not exist. Instead, the socket must be set to nonblocking mode via ioctlsocket. This change sets the nonblocking flag on UDP sockets used for QUIC on all platforms so the use of MSG_DONTWAIT is not needed.
Fixes #4531
Closes #4532
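The two HTTP3 commits above together describe how a QUIC UDP socket has to be driven portably: connect() it once and then use send() rather than sendto() (sendto() on a connected UDP socket fails with EISCONN on macOS/BSD), and put the non-blocking flag on the socket itself instead of passing MSG_DONTWAIT, which Windows lacks. The following is an added example of exactly that on POSIX sockets, not curl's ngtcp2 backend code; it assumes a Linux/BSD host, uses fcntl(O_NONBLOCK) where Windows would use ioctlsocket(FIONBIO), and the function names and the constructed datagram are this example's own.

```c
/* Added example, not curl's ngtcp2 backend: a connected, non-blocking UDP
 * client talking to a loopback server socket. Data is written with send()
 * (sendto() fails with EISCONN on a connected UDP socket on macOS/BSD) and
 * non-blocking mode is set on the descriptor with fcntl(O_NONBLOCK), the
 * POSIX counterpart of Windows' ioctlsocket(FIONBIO), instead of relying
 * on the MSG_DONTWAIT flag that Windows does not have. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

static int set_nonblocking(int fd)
{
    int flags = fcntl(fd, F_GETFL, 0);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFL, flags | O_NONBLOCK);
}

/* UDP socket bound to 127.0.0.1 on an ephemeral port; *addr receives the
 * address the kernel actually assigned. */
static int bound_udp(struct sockaddr_in *addr)
{
    socklen_t len = sizeof(*addr);
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr->sin_port = 0;
    if (bind(fd, (struct sockaddr *)addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send 'msg' from a connected non-blocking client to a loopback server
 * socket and read it back. Returns 0 on success; a negative value names
 * the failing step. -6 means the datagram arrived but a read on the idle
 * non-blocking client did not report EAGAIN/EWOULDBLOCK. */
int connected_udp_roundtrip(const char *msg)
{
    struct sockaddr_in saddr, caddr;
    struct pollfd pfd;
    char buf[256];
    size_t mlen = strlen(msg);
    ssize_t n;
    int rc = -1, s = -1, c = -1;

    if (mlen >= sizeof(buf))
        goto out;
    s = bound_udp(&saddr);
    c = bound_udp(&caddr);
    if (s < 0 || c < 0) { rc = -2; goto out; }
    if (connect(c, (struct sockaddr *)&saddr, sizeof(saddr)) < 0 ||
        set_nonblocking(c) < 0 || set_nonblocking(s) < 0) { rc = -3; goto out; }

    /* send(), not sendto(): connect() already fixed the destination */
    if (send(c, msg, mlen, 0) != (ssize_t)mlen) { rc = -4; goto out; }

    /* the server socket is non-blocking too, so wait for readability */
    pfd.fd = s;
    pfd.events = POLLIN;
    if (poll(&pfd, 1, 2000) != 1) { rc = -5; goto out; }
    n = recv(s, buf, sizeof(buf), 0);
    if (n != (ssize_t)mlen || memcmp(buf, msg, mlen) != 0) { rc = -5; goto out; }

    /* nothing is queued for the client: a non-blocking read must not hang */
    n = recv(c, buf, sizeof(buf), 0);
    if (n != -1 || (errno != EAGAIN && errno != EWOULDBLOCK)) { rc = -6; goto out; }
    rc = 0;

out:
    /* each descriptor is closed at most once, and only if it was opened */
    if (s >= 0) close(s);
    if (c >= 0) close(c);
    return rc;
}
```

On Linux the sendto() variant would have worked as long as the address matched, which is how the portability bug slipped through; putting the non-blocking flag on the socket means the same send()/recv() calls behave identically on all three platforms.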
2019-10-24 | schannel: reverse the order of certinfo insertions | Francois Rivard
Fixes #4518
Closes #4519
2019-10-23 | conn-reuse: requests wanting NTLM can reuse non-NTLM connections | Daniel Stenberg
Added test case 338 to verify.
Reported-by: Daniel Silverstone
Fixes #4499
Closes #4514
2019-10-18 | http2_recv: a closed stream trumps pause state | Daniel Stenberg
... and thus should return 0, not EAGAIN.
Reported-by: Tom van der Woerdt
Fixes #4496
Closes #4505
2019-10-18 | http2: expire a timeout at end of stream | Daniel Stenberg
To make sure that transfer is being dealt with. Streams without Content-Length need a final read to notice the end-of-stream state.
Reported-by: Tom van der Woerdt
Fixes #4496
2019-10-16 | url: normalize CURLINFO_EFFECTIVE_URL | Daniel Stenberg
The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as input in most cases, which made it not get a scheme prefixed like before if the URL was given without one, and it didn't remove dotdot sequences etc.
Added test case 1907 to verify that this now works as intended and as before 7.62.0.
Regression introduced in 7.62.0
Reported-by: Christophe Dervieux
Fixes #4491
Closes #4493
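The "dotdot sequences" the commit above says the effective URL had stopped removing are handled by the remove_dot_segments algorithm of RFC 3986 section 5.2.4. The following is an added example of that algorithm applied to a path, not curl's urlapi.c code; it matters for security because a consumer that compares or filters URLs textually must see "/a/../../etc/passwd" and "/etc/passwd" as the same resource, and a normalizer that lets ".." climb above the root is a classic traversal bug. The function names are this example's own.

```c
/* Added example, not curl's urlapi.c code: remove_dot_segments from
 * RFC 3986 section 5.2.4, the step that collapses "." and ".." in a URL
 * path so that two spellings of the same resource normalize to one string
 * and ".." can never climb above the root. */
#include <stdlib.h>
#include <string.h>

/* Returns a malloc'd normalized copy of 'in' (never longer than 'in'),
 * or NULL if allocation fails. */
char *remove_dot_segments(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len + 1);
    size_t o = 0;
    const char *p = in;

    if (!out)
        return NULL;

    while (*p) {
        if (strncmp(p, "../", 3) == 0) {            /* rule A */
            p += 3;
        }
        else if (strncmp(p, "./", 2) == 0) {        /* rule A */
            p += 2;
        }
        else if (strncmp(p, "/./", 3) == 0 || strcmp(p, "/.") == 0) {
            p += 2;                                 /* rule B: "/./" -> "/" */
            if (*p == '\0')
                out[o++] = '/';                     /* "/." at the very end */
        }
        else if (strncmp(p, "/../", 4) == 0 || strcmp(p, "/..") == 0) {
            p += 3;                                 /* rule C: "/../" -> "/" */
            while (o > 0 && out[o - 1] != '/')      /* drop last output segment */
                o--;
            if (o > 0)
                o--;                                /* and its leading slash */
            if (*p == '\0')
                out[o++] = '/';                     /* "/.." at the very end */
        }
        else if (strcmp(p, ".") == 0 || strcmp(p, "..") == 0) {
            break;                                  /* rule D */
        }
        else {                                      /* rule E: copy one segment */
            const char *seg = p;
            if (*p == '/')
                p++;
            while (*p && *p != '/')
                p++;
            memcpy(out + o, seg, (size_t)(p - seg));
            o += (size_t)(p - seg);
        }
    }
    out[o] = '\0';
    return out;
}

/* 1 if normalizing 'in' yields exactly 'expected'. */
int dot_segments_equal(const char *in, const char *expected)
{
    char *got = remove_dot_segments(in);
    int same = got && strcmp(got, expected) == 0;
    free(got);
    return same;
}
```

The output is built in a buffer of the input's size because no rule ever makes the path longer; an excess ".." at the root is simply discarded (rule C with an empty output), so "/a/../../etc/passwd" normalizes to "/etc/passwd" rather than to something above the root.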
2019-10-13 | security: silence conversion warning | Marcel Raad
With MinGW-w64, `curl_socket_t` is a 32 or 64 bit unsigned integer, while `read` expects a 32 bit signed integer. Use `sread` instead of `read` to use the correct parameter type.
Closes https://github.com/curl/curl/pull/4483
2019-10-13 | connect: silence sign-compare warning | Marcel Raad
With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the result of `sizeof` is unsigned.
Closes https://github.com/curl/curl/pull/4483
2019-10-10 | socketpair: fix include and define for older TCP header systems | Harry Sintonen
Fixed build for systems that need netinet/in.h for IPPROTO_TCP and are missing INADDR_LOOPBACK
Closes #4480
2019-10-10 | socketpair: fix double-close in error case | Daniel Stenberg
Follow-up to bc2dbef0afc08
2019-10-10 | gskit: use the generic Curl_socketpair | Daniel Stenberg
2019-10-10 | asyn-thread: make use of Curl_socketpair() where available | Daniel Stenberg
2019-10-10 | socketpair: an implementation for Windows and more | Daniel Stenberg
Curl_socketpair() is designed to be used and work everywhere if there's no native version or the native version isn't good enough.
Closes #4466
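The socketpair commits above (the portable implementation, the double-close fix in its error path, and the build fix needing IPPROTO_TCP and INADDR_LOOPBACK) describe a socketpair() replacement built from a TCP connection over loopback. The following is an added example of that construction, not curl's socketpair.c: it listens on 127.0.0.1 with an ephemeral port, connects to itself, accepts, and releases every descriptor exactly once on failure. Because a loopback listener is reachable by any local process, this version also checks that the accepted peer really is its own connecting socket; that check is this example's own precaution, not something the commits describe, and the function names are likewise this example's.

```c
/* Added example, not curl's socketpair.c: emulate socketpair() with a TCP
 * connection over the loopback interface, as a platform without AF_UNIX
 * socketpair() (Windows) needs. The accepted peer is compared with our own
 * connecting socket so a third local process that raced us to the port
 * cannot end up holding one end of the pair. */
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* On success fds[0] and fds[1] are connected TCP sockets and 0 is returned.
 * On failure -1 is returned with nothing left open. */
int loopback_socketpair(int fds[2])
{
    struct sockaddr_in addr, peer, local;
    socklen_t len;
    int listener = -1, a = -1, b = -1;

    listener = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (listener < 0)
        goto fail;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                          /* kernel picks the port */
    len = sizeof(addr);
    if (bind(listener, (struct sockaddr *)&addr, len) < 0 ||
        getsockname(listener, (struct sockaddr *)&addr, &len) < 0 ||
        listen(listener, 1) < 0)
        goto fail;

    a = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (a < 0 || connect(a, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto fail;

    len = sizeof(peer);
    b = accept(listener, (struct sockaddr *)&peer, &len);
    if (b < 0)
        goto fail;

    /* The accepted peer must be our own connecting socket, not a stranger
     * that connected to the listening port before we did. */
    len = sizeof(local);
    if (getsockname(a, (struct sockaddr *)&local, &len) < 0 ||
        peer.sin_port != local.sin_port ||
        peer.sin_addr.s_addr != local.sin_addr.s_addr)
        goto fail;

    close(listener);
    fds[0] = a;
    fds[1] = b;
    return 0;

fail:
    /* every descriptor is closed at most once, and only if it was opened */
    if (listener >= 0) close(listener);
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return -1;
}

/* Push 'msg' through a fresh pair and read it back; 1 if it arrives intact. */
int socketpair_roundtrip(const char *msg)
{
    int fds[2];
    char buf[256];
    size_t mlen = strlen(msg), got = 0;
    int ok = 0;

    if (mlen >= sizeof(buf) || loopback_socketpair(fds) < 0)
        return 0;
    if (send(fds[0], msg, mlen, 0) == (ssize_t)mlen) {
        while (got < mlen) {                    /* TCP may deliver in pieces */
            ssize_t n = recv(fds[1], buf + got, sizeof(buf) - got, 0);
            if (n <= 0)
                break;
            got += (size_t)n;
        }
        ok = got == mlen && memcmp(buf, msg, mlen) == 0;
    }
    close(fds[0]);
    close(fds[1]);
    return ok;
}
```

Keeping every descriptor in a variable initialized to -1 and closing it only from the single `fail:` label is the simplest way to rule out the double-close class of bug the follow-up commit above fixed; a descriptor closed twice can close an unrelated file that was opened in between.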
2019-10-09 | connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT | Daniel Stenberg
Previously all connect() failures would return CURLE_COULDNT_CONNECT, no matter what errno said. This makes for example --retry work on these transfer failures.
Reported-by: Nathaniel J. Smith
Fixes #4461
Closes #4462
2019-10-05 | ldap: fix OOM error on missing query string | Nicolas
- Allow missing queries, don't return NO_MEMORY error in such a case.
It is acceptable for there to be no specified query string, for example: curl ldap://ldap.forumsys.com
A regression bug in 1b443a7 caused this issue. This is a partial fix for #4261.
Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077
Reported-by: Jojojov@users.noreply.github.com
Analyzed-by: Samuel Surtees
Closes https://github.com/curl/curl/pull/4467
2019-10-05 | build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines | Paul B. Omta
Closes https://github.com/curl/curl/pull/4460
2019-10-04 | ngtcp2: adapt to API change | Daniel Stenberg
Closes #4457
2019-10-03 | cookies: change argument type for Curl_flush_cookies | Daniel Stenberg
The second argument is really a 'bool' so use that and pass in TRUE/FALSE to make it clear.
Closes #4455
2019-10-03 | http2: move state-init from creation to pre-transfer | Daniel Stenberg
To make sure that the HTTP/2 state is initialized correctly for duplicated handles. It would otherwise easily generate "spurious" PRIORITY frames to get sent over HTTP/2 connections when duplicated easy handles were used.
Reported-by: Daniel Silverstone
Fixes #4303
Closes #4442
2019-10-03 | urlapi: fix use-after-free bug | Daniel Stenberg
Follow-up from 2c20109a9b5d04
Added test 663 to verify.
Reported by OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/17954
Closes #4453