aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2018-11-17openssl: Remove SSLEAY leftoversDaniel Gustafsson
Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't compatible with the SSLeay library. This removes the few leftovers that were omitted in the less frequently used platform targets. Closes #3270 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-16http_negotiate: do not close connection until negotiation is completedElia Tufarolo
Fix HTTP POST using CURLAUTH_NEGOTIATE. Closes #3275
2018-11-16pop3: only do APOP with a valid timestampDaniel Stenberg
Brought-by: bobmitchell1956 on github Fixes #3278 Closes #3279
2018-11-16openssl: do not log excess "TLS app data" lines for TLS 1.3Peter Wu
The SSL_CTX_set_msg_callback callback is not just called for the Handshake or Alert protocols, but also for the raw record header (SSL3_RT_HEADER) and the decrypted inner record type (SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid excess debug spam when using `curl -v` against a TLSv1.3-enabled server: * TLSv1.3 (IN), TLS app data, [no content] (0): (Following this message, another callback for the decrypted handshake/alert messages will be be present anyway.) Closes https://github.com/curl/curl/pull/3281
2018-11-13nss: remove version selecting dead codeKamil Dudka
Closes #3262
2018-11-13nss: set default max-tls to 1.3/1.2Daniel Stenberg
Fixes #3261
2018-11-12nss: fix fallthrough comment to fix picky compiler warningDaniel Stenberg
2018-11-09ftp: avoid two unsigned int overflows in FTP listing parserTim Rühsen
Curl_ftp_parselist: avoid unsigned integer overflows The overflow has no real world impact, just avoid it for "best practice". Closes #3225
2018-11-09openssl: support BoringSSL TLS renegotiationJérémy Rocher
As per BoringSSL porting documentation [1], BoringSSL rejects peer renegotiations by default. curl fails when trying to authenticate to server through client certificate if it is requested by server after the initial TLS handshake. Enable renegotiation by default with BoringSSL to get same behavior as with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2] which was introduced in commit 1d5ef3bb1eb9 [3]. 1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation 2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482 3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86 Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com> Fixes #3258 Closes #3259
2018-11-09setopt: add CURLOPT_CURLUJim Fuller
Allows an application to pass in a pre-parsed URL via a URL handle. Closes #3227
2018-11-07winssl: be consistent in Schannel capitalizationDaniel Gustafsson
The productname from Microsoft is "Schannel", but in infof/failf reporting we use "schannel". This removes different versions. Closes #3243 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-07urlapi: only skip encoding the first '=' with APPENDQUERY setDaniel Stenberg
APPENDQUERY + URLENCODE would skip all equals signs but now it only skip encoding the first to better allow "name=content" for any content. Reported-by: Alexey Melnichuk Fixes #3231 Closes #3231
2018-11-06url: a short host name + port is not a schemeDaniel Stenberg
The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Also fixed test203 to use file_pwd to make it get the correct path on windows. Removed test 2070 since it was a duplicate of 203. Assisted-by: Marcel Raad Reported-by: Hagai Auro Fixes #3220 Fixes #3233 Closes #3223 Closes #3235
2018-11-06libcurl: stop reading from paused transfersSangamkar
In the transfer loop it would previously not acknwledge the pause bit and continue until drained or loop ended. Closes #3240
2018-11-06curl_multibyte: fix a malloc overcalculationJay Satiro
Prior to this change twice as many bytes as necessary were malloc'd when converting wchar to UTF8. To allay confusion in the future I also changed the variable name for the amount of bytes from len to bytes. Closes https://github.com/curl/curl/pull/3209
2018-11-05netrc: don't ignore the login name specified with "--user"Michael Kaufmann
- for "--netrc", don't ignore the login/password specified with "--user", only ignore the login/password in the URL. This restores the netrc behaviour of curl 7.61.1 and earlier. - fix the documentation of CURL_NETRC_REQUIRED - improve the detection of login/password changes when reading .netrc - don't read .netrc if both login and password are already set Fixes #3213 Closes #3224
2018-11-05Revert "url: a short host name + port is not a scheme"Daniel Stenberg
This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2. This commit caused test failures on appveyor/windows. Work on fixing them is in #3235.
2018-11-03infof: clearly indicate truncationDaniel Gustafsson
The internal buffer in infof() is limited to 2048 bytes of payload plus an additional byte for NULL termination. Servers with very long error messages can however cause truncation of the string, which currently isn't very clear, and leads to badly formatted output. This appends a "...\n" (or just "..." in case the format didn't with a newline char) marker to the end of the string to clearly show that it has been truncated. Also include a unittest covering infof() to try and catch any bugs introduced in this quite important function. Closes #3216 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
2018-11-03url: a short host name + port is not a schemeDaniel Stenberg
The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Reported-by: Hagai Auro Fixes #3220 Closes #3223
2018-11-03URL: fix IPv6 numeral address parserDaniel Stenberg
Regression from 46e164069d1a52. Extended test 1560 to verify. Reported-by: tpaukrt on github Fixes #3218 Closes #3219
2018-11-02mprintf: avoid unsigned integer overflow warningTim Rühsen
The overflow has no real world impact. Just avoid it for "best practice". Code change suggested by "The Infinnovation Team" and Daniel Stenberg. Closes #3184
2018-11-02Curl_follow: accept non-supported schemes for "fake" redirectsDaniel Stenberg
When not actually following the redirect and the target URL is only stored for later retrieval, curl always accepted "non-supported" schemes. This was a regression from 46e164069d1a5230. Reported-by: Brad King Fixes #3210 Closes #3215
2018-11-01axtls: removedDaniel Stenberg
As has been outlined in the DEPRECATE.md document, the axTLS code has been disabled for 6 months and is hereby removed. Use a better supported TLS library! Assisted-by: Daniel Gustafsson Closes #3194
2018-11-01schannel: make CURLOPT_CERTINFO support using Issuer chainmarcosdiazr
Closes #3197
2018-11-01schannel: use Curl_ prefix for global private symbolsDaniel Stenberg
Curl_verify_certificate() must use the Curl_ prefix since it is globally available in the lib and otherwise steps outside of our namespace! Closes #3201
2018-10-30vtls: add MesaLink to curl_sslbackend enumDaniel Gustafsson
MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the backend was never added to the curl_sslbackend enum in curl/curl.h. This adds the new backend to the enum and updates the relevant docs. Closes #3195 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-29Curl_auth_create_plain_message: fix too-large-input-checkDaniel Stenberg
CVE-2018-16839 Reported-by: Harry Sintonen Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
2018-10-29Curl_close: clear data->multi_easy on free to avoid use-after-freeDaniel Stenberg
Regression from b46cfbc068 (7.59.0) CVE-2018-16840 Reported-by: Brian Carpenter (Geeknik Labs) Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
2018-10-27rand: add comment to skip a clang-tidy false positiveDaniel Stenberg
2018-10-27x509asn1: always check return code from getASN1Element()Daniel Stenberg
2018-10-27Makefile: add 'tidy' target that runs clang-tidyDaniel Stenberg
Available in the root, src and lib dirs. Closes #3163
2018-10-27x509asn1: suppress left shift on signed valuePatrick Monnerat
Use an unsigned variable: as the signed operation behavior is undefined, this change silents clang-tidy about it. Ref: https://github.com/curl/curl/pull/3163 Reported-By: Daniel Stenberg
2018-10-27multi: Fix error handling in the SENDPROTOCONNECT stateMichael Kaufmann
If Curl_protocol_connect() returns an error code, handle the error instead of switching to the next state. Closes #3170
2018-10-27openssl: output the correct cipher list on TLS 1.3 errorDaniel Stenberg
When failing to set the 1.3 cipher suite, the wrong string pointer would be used in the error message. Most often saying "(nil)". Reported-by: Ricky-Tigg on github Fixes #3178 Closes #3180
2018-10-26ssh: free the session on init failuresDaniel Gustafsson
Ensure to clear the session object in case the libssh2 initialization fails. It could be argued that the libssh2 error function should be called to get a proper error message in this case. But since the only error path in libssh2_knownhost_init() is memory a allocation failure it's safest to avoid since the libssh2 error handling allocates memory. Closes #3179 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-26openssl: make 'done' a proper booleanDaniel Gustafsson
Closes #3176
2018-10-26gtls: Values stored to but never readDaniel Stenberg
Detected by clang-tidy Closes #3176
2018-10-26rtmp: fix for compiling with lwIPGisle Vanem
Compiling on _WIN32 and with USE_LWIPSOCK, causes this error: curl_rtmp.c(223,3): error: use of undeclared identifier 'setsockopt' setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO, ^ curl_rtmp.c(41,32): note: expanded from macro 'setsockopt' #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e) ^ Closes #3155
2018-10-25urldata: Fix comment in headerMichael Kaufmann
The "connecting" function is used by multiple protocols, not only FTP
2018-10-25netrc: free temporary strings if memory allocation failsMichael Kaufmann
- Change the inout parameters after all needed memory has been allocated. Do not change them if something goes wrong. - Free the allocated temporary strings if strdup() fails. Closes #3122
2018-10-24config: Remove unused SIZEOF_VOIDPRuslan Baratov
Closes #3162
2018-10-23Fix for compiling with lwIP (3)Gisle Vanem
lwIP on Windows does not have a WSAIoctl() function. But it do have a SO_SNDBUF option to lwip_setsockopt(). But it currently does nothing.
2018-10-23Curl_follow: return better errors on URL problemsDaniel Stenberg
... by making the converter function global and accessible. Closes #3153
2018-10-23Curl_follow: remove remaining free(newurl)Daniel Stenberg
Follow-up to 05564e750e8f0c. This function no longer frees the passed-in URL. Reported-by: Michael Kaufmann Bug: https://github.com/curl/curl/commit/05564e750e8f0c79016c680f301ce251e6e86155#commitcomm ent-30985666
2018-10-23headers: end all headers with guard commentDaniel Gustafsson
Most headerfiles end with a /* <headerguard> */ comment, but it was missing from some. The comment isn't the most important part of our code documentation but consistency has an intrinsic value in itself. This adds header guard comments to the files that were lacking it. Closes #3158 Reviewed-by: Jay Satiro <raysatiro@yahoo.com> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-10-19multi: avoid double-freeDaniel Stenberg
Curl_follow() no longer frees the string. Make sure it happens in the caller function, like we normally handle allocations. This bug was introduced with the use of the URL API internally, it has never been in a release version Reported-by: Dario Weißer Closes #3149
2018-10-19multi: make the closure handle "inherit" CURLOPT_NOSIGNALDaniel Stenberg
Otherwise, closing that handle can still cause surprises! Reported-by: Martin Ankerl Fixes #3138 Closes #3147
2018-10-19config_win32: enable LDAPSMarcel Raad
As done in the autotools and CMake builds by default. Closes https://github.com/curl/curl/pull/3137
2018-10-18travis: add build for "configure --disable-verbose"Daniel Stenberg
Closes #3144
2018-10-16x509asn1: Fix SAN IP address verificationMatthew Whitehead
For IP addresses in the subject alternative name field, the length of the IP address (and hence the number of bytes to perform a memcmp on) is incorrectly calculated to be zero. The code previously subtracted q from name.end. where in a successful case q = name.end and therefore addrlen equalled 0. The change modifies the code to subtract name.beg from name.end to calculate the length correctly. The issue only affects libcurl with GSKit SSL, not other SSL backends. The issue is not a security issue as IP verification would always fail. Fixes #3102 Closes #3141