path: root/lib
Age  Commit message  Author
2016-03-05  mbedtls: fix user-specified SSL protocol version  (Jay Satiro)
Prior to this change when a single protocol CURL_SSLVERSION_ was specified by the user that version was set only as the minimum version but not as the maximum version as well.
2016-03-05  makefile.m32: fix to allow -ssh2-winssl combination  (Viktor Szakats)
In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl (OpenSSL) option, with no way to override it with -winssl. Since both libssh2 and curl support using Windows's built-in SSL backend, modify the logic to allow that combination.
2016-03-05  cookie: Don't expire session cookies in remove_expired  (Jay Satiro)
Prior to this change cookies with an expiry date that failed parsing and were converted to session cookies could be purged in remove_expired. Bug: https://github.com/curl/curl/issues/697 Reported-by: Seth Mos
2016-03-03  cookie: remove redundant check  (Daniel Stenberg)
... as it was already checked previously within the function. Reported-by: Dmitry-Me Closes #695
2016-03-01  url: if Curl_done is premature then pipeline not in use  (Anders Bakken)
Prevent a crash if 2 (or more) requests are made to the same host and pipelining is enabled and the connection does not complete. Bug: https://github.com/curl/curl/pull/690
2016-03-01  makefile.m32: allow to pass .dll/.exe-specific LDFLAGS  (Viktor Szakats)
using envvars `CURL_LDFLAG_EXTRAS_DLL` and `CURL_LDFLAG_EXTRAS_EXE` respectively. This is useful f.e. to pass ASLR-related extra options, that are required to make this feature work when using the mingw toolchain. Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985 Closes https://github.com/curl/curl/pull/689
2016-02-29  formpost: fix memory leaks in AddFormData error branches  (Daniel Stenberg)
Reported-by: Dmitry-Me Fixes #688
2016-02-28  getinfo: Fix syntax error when mbedTLS  (Jay Satiro)
The assignment of the mbedTLS TLS session info in the parent commit was incorrect. Change the assignment to a pointer to the session structure.
2016-02-27  getinfo: Add support for mbedTLS TLS session info  (Jay Satiro)
.. and preprocessor check TLS session info is defined for all backends.
2016-02-25  file: try reading from files with no size  (Daniel Stenberg)
Some systems have special files that report as 0 bytes big, but still contain data that can be read (for example /proc/cpuinfo on Linux). Starting now, a zero byte size is considered "unknown" size and will be read as far as possible anyway. Reported-by: Jesse Tan Closes #681
2016-02-24  Curl_read: check for activated HTTP/1 pipelining, not only requested  (Daniel Stenberg)
... as when pipelining is used, we read things into a unified buffer and we don't do that with HTTP/2. This could then easily make programs that set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX get data intermixed or plain broken between HTTP/2 streams. Reported-by: Anders Bakken
2016-02-23  getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION  (Jay Satiro)
The two options are almost the same, except in the case of OpenSSL:
CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.
CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.
For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to return an SSL pointer for OpenSSL. Also, add support for the 'internals' member to point to SSL object for the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and wolfSSL. Bug: https://github.com/curl/curl/issues/234 Reported-by: dkjjr89@users.noreply.github.com Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html Reported-by: Michael König
2016-02-23  multi_remove_handle: keep the timeout list until after disconnect  (Daniel Stenberg)
The internal Curl_done() function uses Curl_expire() at times and that uses the timeout list. Better clean up the list once we're done using it. This caused a segfault. Reported-by: 蔡文凱 Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
2016-02-23  TFTP: add option to suppress TFTP option requests (Part 2)  (Jay Satiro)
- Add tests.
- Add an example to CURLOPT_TFTP_NO_OPTIONS.3.
- Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.
Bug: https://github.com/curl/curl/issues/481
2016-02-23  TFTP: add option to suppress TFTP option requests (Part 1)  (Michael Koenig)
Some TFTP server implementations ignore the "TFTP Option extension" (RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing problems with libcurl. Another switch for curl_easy_setopt "CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from sending TFTP option requests to a server, avoiding many problems caused by faulty implementations. Bug: https://github.com/curl/curl/issues/481
2016-02-19  curl_sasl: Fix memory leak in digest parser  (Emil Lerner)
If any parameter in a HTTP DIGEST challenge message is present multiple times, memory allocated for all but the last entry should be freed. Bug: https://github.com/curl/curl/pull/667
2016-02-17  http2: don't decompress gzip decoding automatically  (Daniel Stenberg)
At one point during the development of HTTP/2, the commit 133cdd29ea0 introduced automatic decompression of Content-Encoding as that was what the spec said then. Now however, HTTP/2 should work the same way as HTTP/1 in this regard. Reported-by: Kazuho Oku Closes #661
2016-02-16  http: Don't break the header into chunks if HTTP/2  (Tatsuhiro Tsujikawa)
nghttp2 callback deals with TLS layer and therefore the header does not need to be broken into chunks. Bug: https://github.com/curl/curl/issues/659 Reported-by: Kazuho Oku
2016-02-16  openssl: use macro to guard the opaque EVP_PKEY branch  (Viktor Szakats)
2016-02-16  openssl: avoid direct PKEY access with OpenSSL 1.1.0  (Viktor Szakats)
by using API instead of accessing an internal structure. This is required starting OpenSSL 1.1.0-pre3. Closes #650
2016-02-14  SCP: use libssh2_scp_recv2 to support > 2GB files on windows  (David Byron)
libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any day now". Closes #451
2016-02-13  gtls: fix for builds lacking encrypted key file support  (Shine Fan)
Bug: https://github.com/curl/curl/pull/651
2016-02-12  curlx_tvdiff: handle 32bit time_t overflows  (Daniel Stenberg)
On 32bit systems, make sure we don't overflow and return funky values for very large time differences. Reported-by: Anders Bakken Closes #646
2016-02-10  nss: search slash in forward direction in dup_nickname()  (Kamil Dudka)
It is wasteful to search it backwards if we look for _any_ slash.
2016-02-10  nss: do not count enabled cipher-suites  (Kamil Dudka)
We only care if at least one cipher-suite is enabled, so it does not make any sense to iterate till the end and count all enabled cipher-suites.
2016-02-10  mbedtls.c: re-indent to better match curl standards  (Daniel Stenberg)
2016-02-09  mbedtls: fix memory leak when destroying SSL connection data  (Rafael Antonio)
Closes #626
2016-02-09  mbedtls: fix ALPN usage segfault  (Daniel Stenberg)
Since we didn't keep the input argument around after having called mbedtls, it could end up accessing the wrong memory when figuring out the ALPN protocols. Closes #642
2016-02-09  openssl: remove most BoringSSL #ifdefs.  (David Benjamin)
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of the BoringSSL #ifdefs in cURL should be unnecessary:
- BoringSSL provides no-op stubs for compatibility which replaces most #ifdefs.
- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove the compatibility codepath.
- With a small tweak to an extend_key_56_to_64 call, the NTLM code builds fine.
- Switch OCSP-related #ifdefs to the more generally useful OPENSSL_NO_OCSP.
The only #ifdefs which remain are Curl_ossl_version and the #undefs to work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves that to the consumer. The in-header workaround makes things sensitive to include order.) This change errs on the side of removing conditionals despite many of the restored codepaths being no-ops. (BoringSSL generally adds no-op compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are bad enough!) Closes #640
2016-02-08  cookies: allow spaces in cookie names, cut off trailing spaces  (Daniel Stenberg)
It turns out Firefox and Chrome both allow spaces in cookie names and there are sites out there using that. Turned out the code meant to strip off trailing space from cookie names didn't work. Fixed now. Test case 8 modified to verify both these changes. Closes #639
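The two cookie fixes in this log (the remove_expired change of 2016-03-05 and the name handling here) in one added example. This is not libcurl's cookie code: a small parser that cuts trailing spaces off a name while keeping the inner ones, leaves a cookie as a session cookie when its expires value does not parse, and a purge routine that never touches session cookies. To stay offline it assumes expires carries plain epoch seconds rather than an HTTP date, and the Set-Cookie lines are constructed; struct cookie, copy_trimmed and load_demo_jar are names chosen for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Minimal cookie record (hypothetical, not libcurl's struct Cookie). */
struct cookie {
    char name[64];
    char value[64];
    time_t expires;   /* 0 = session cookie: no usable expiry date */
    int alive;        /* 1 while stored, 0 once purged */
};

/* Strip leading and trailing spaces/tabs in place; inner spaces stay. */
static void trim(char *s)
{
    size_t len = strlen(s), start = 0;
    while (start < len && (s[start] == ' ' || s[start] == '\t')) start++;
    while (len > start && (s[len - 1] == ' ' || s[len - 1] == '\t')) len--;
    memmove(s, s + start, len - start);
    s[len - start] = '\0';
}

/* Copy [src, src+n) into dst (capacity cap) and trim it; 0 if too long. */
static int copy_trimmed(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap)
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    trim(dst);
    return 1;
}

/* Parse "name=value; attr; expires=<epoch seconds>" into c. Assumed for an
   offline example: expires carries epoch seconds, not an HTTP date. A value
   that fails to parse leaves expires at 0 (session cookie), never "expired". */
static int parse_set_cookie(const char *line, struct cookie *c)
{
    const char *eq = strchr(line, '=');
    const char *semi;

    memset(c, 0, sizeof(*c));
    if (!eq)
        return 0;
    /* spaces inside the name are allowed; trailing ones are cut off */
    if (!copy_trimmed(c->name, sizeof(c->name), line, (size_t)(eq - line)) ||
        c->name[0] == '\0')
        return 0;
    semi = strchr(eq + 1, ';');
    if (!copy_trimmed(c->value, sizeof(c->value), eq + 1,
                      semi ? (size_t)(semi - eq - 1) : strlen(eq + 1)))
        return 0;
    while (semi) {                            /* walk the attribute list */
        const char *attr = semi + 1;
        const char *next = strchr(attr, ';');
        char buf[64];
        if (copy_trimmed(buf, sizeof(buf), attr,
                         next ? (size_t)(next - attr) : strlen(attr)) &&
            strncmp(buf, "expires=", 8) == 0) {
            char *end;
            long v = strtol(buf + 8, &end, 10);
            /* only a fully numeric, positive value counts as a date */
            c->expires = (end != buf + 8 && *end == '\0' && v > 0) ? (time_t)v : 0;
        }
        semi = next;
    }
    c->alive = 1;
    return 1;
}

/* Purge cookies whose expiry has passed; session cookies (expires == 0) are
   skipped, they live until the jar is discarded. Returns the purge count. */
static int remove_expired(struct cookie *jar, int n, time_t now)
{
    int purged = 0, i;
    for (i = 0; i < n; i++)
        if (jar[i].alive && jar[i].expires != 0 && jar[i].expires < now) {
            jar[i].alive = 0;
            purged++;
        }
    return purged;
}

/* Constructed Set-Cookie lines, not captured traffic. */
static const char *demo_lines[3] = {
    "my cookie =v1; expires=not-a-date",   /* bad date: becomes a session cookie */
    "old=v2; expires=1000",                /* expired once now > 1000 */
    "fresh=v3; expires=5000",
};
static struct cookie jar[3];

/* Fill the jar from demo_lines; returns how many lines parsed. Afterwards
   remove_expired(jar, 3, 2000) purges only "old"; "my cookie" survives. */
static int load_demo_jar(void)
{
    int i, n = 0;
    for (i = 0; i < 3; i++)
        n += parse_set_cookie(demo_lines[i], &jar[i]);
    return n;
}
```

The important line is the purge condition: a cookie is removed only when it has a real expiry and that expiry is in the past. Mapping a failed date parse to "expires = 0" and then purging everything with expires < now would silently drop every cookie whose date the parser did not understand, which is the bug the 2016-03-05 commit fixed.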
2016-02-08  configure: --with-ca-fallback: use built-in TLS CA fallback  (Ludwig Nussel)
When trying to verify a peer without having any root CA certificates set, this makes libcurl use the TLS library's built in default as fallback. Closes #569
2016-02-08  Proxy-Connection: stop sending this header by default  (Daniel Stenberg)
RFC 7230 says we should stop. Firefox already stopped. Bug: https://github.com/curl/curl/issues/633 Reported-By: Brad Fitzpatrick Closes #633
2016-02-06  openssl: Fix signed/unsigned mismatch warning in X509V3_ext  (Jay Satiro)
sk_X509_EXTENSION_num may return an unsigned integer, however the value will fit in an int. Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896 Reported-by: Gisle Vanem
2016-02-06  idn_win32: Better error checking  (Michael Kaufmann)
.. also fix a conversion bug in the unused function curl_win32_ascii_to_idn(). And remove wprintfs on error (Jay). Bug: https://github.com/curl/curl/pull/637
2016-02-04  URLs: change more http to https  (Viktor Szakats)
2016-02-04  sasl_sspi: Fix memory leak in domain populate  (Jay Satiro)
Free an existing domain before replacing it. Bug: https://github.com/curl/curl/issues/635 Reported-by: silveja1@users.noreply.github.com
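The pattern behind this fix and the digest-parser leak fixed on 2016-02-19 is the same: free the copy already stored before storing a replacement, and on a parse error free whatever was stored so far. The following is an added example of that pattern, not curl's own challenge parser; struct digest, set_field and live_strings are names chosen for the example, and the challenge strings are constructed. The live_strings counter exists only to make a leak observable.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical challenge record; only the fields the example needs. */
struct digest { char *realm; char *nonce; };

/* Live copies; a leak shows up as a non-zero count after cleanup. */
static int live_strings = 0;

static void drop(char **slot)
{
    if (*slot) {
        free(*slot);
        *slot = NULL;
        live_strings--;
    }
}

/* Store a copy of [val, val+n) in *slot, releasing whatever was there, so
   a parameter sent twice replaces its earlier copy instead of leaking it. */
static int set_field(char **slot, const char *val, size_t n)
{
    char *copy = malloc(n + 1);
    if (!copy)
        return 0;
    memcpy(copy, val, n);
    copy[n] = '\0';
    live_strings++;
    drop(slot);
    *slot = copy;
    return 1;
}

static void free_digest(struct digest *d)
{
    drop(&d->realm);
    drop(&d->nonce);
}

/* Parse 'realm="x", nonce=y, ...'; values may be quoted or bare tokens.
   Every failure path frees whatever was stored before the error. */
static int parse_digest_challenge(const char *chal, struct digest *d)
{
    const char *p = chal;

    memset(d, 0, sizeof(*d));
    for (;;) {
        const char *key, *val, *vend;
        char **slot;

        while (*p == ' ' || *p == ',')
            p++;
        if (!*p)
            return 1;                         /* end of challenge */
        key = p;
        val = strchr(key, '=');
        if (!val)
            goto fail;                        /* parameter without a value */
        if (!strncmp(key, "realm=", 6))
            slot = &d->realm;
        else if (!strncmp(key, "nonce=", 6))
            slot = &d->nonce;
        else
            slot = NULL;                      /* unknown parameter: skipped */
        val++;
        if (*val == '"') {                    /* quoted-string */
            vend = strchr(++val, '"');
            if (!vend)
                goto fail;                    /* unterminated quote */
            p = vend + 1;
        } else {                              /* bare token, runs to ',' */
            for (vend = val; *vend && *vend != ','; vend++)
                ;
            p = vend;
        }
        if (slot && !set_field(slot, val, (size_t)(vend - val)))
            goto fail;
    }
fail:
    free_digest(d);
    return 0;
}

/* Constructed challenge (not from a real server) with realm and nonce
   sent twice: 1 when the last occurrence won and no copy leaked. */
static int demo_last_value_wins(void)
{
    struct digest d;
    int ok = parse_digest_challenge("realm=\"a\", nonce=\"n1\", realm=\"b\", nonce=n2", &d)
             && !strcmp(d.realm, "b") && !strcmp(d.nonce, "n2");
    free_digest(&d);
    return ok && live_strings == 0;
}

/* A malformed challenge must release the copies made before the error. */
static int demo_malformed_is_clean(void)
{
    struct digest d;
    int rc = parse_digest_challenge("realm=\"a\", nonce=\"open", &d);
    return rc == 0 && live_strings == 0;
}
```

A server controls how many times it repeats a parameter, so the leak in the unfixed code was remotely triggerable; counting allocations against frees, as live_strings does here, is a cheap way to catch that class of bug in a unit test before a fuzzer does.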
2016-02-04  URLs: follow GitHub project rename (also Travis CI)  (Viktor Szakats)
Closes #632
2016-02-03  URLs: Change more haxx.se URLs from http: to https:  (Dan Fandrich)
2016-02-03  URLs: change all http:// URLs to https://  (Daniel Stenberg)
2016-02-02  dotdot: allow an empty input string too  (Daniel Stenberg)
It isn't used by the code in current conditions but for safety it seems sensible to at least not crash on such input. Extended unit test 1395 to verify this too as well as a plain "/" input.
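The dotdot routine resolves "." and ".." path segments; the algorithm is RFC 3986 section 5.2.4 (remove_dot_segments). What follows is an added example implementing that algorithm, not curl's own code. It shows the two inputs the commit mentions, "" and "/", coming out unchanged, and that ".." can never climb above the root, which is what makes such a routine safe on attacker-supplied paths.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Drop the last "/segment" (or a bare leading segment) from the output. */
static void remove_last_segment(char *out, char **outptr)
{
    char *p, *slash = NULL;
    for (p = out; p < *outptr; p++)
        if (*p == '/')
            slash = p;
    *outptr = slash ? slash : out;
}

/* Resolve "." and ".." segments per RFC 3986 section 5.2.4. Returns a
   malloc'ed string (the output is never longer than the input) or NULL on
   allocation failure. "" and "/" pass through unchanged; every test below
   is an exact-length compare, so short inputs are never over-read. */
static char *dedotdotify(const char *input)
{
    const char *in = input;
    char *out = malloc(strlen(input) + 1);
    char *outptr = out;

    if (!out)
        return NULL;
    while (*in) {
        if (!strncmp(in, "../", 3))            /* A: leading "../" */
            in += 3;
        else if (!strncmp(in, "./", 2))        /* A: leading "./" */
            in += 2;
        else if (!strncmp(in, "/./", 3))       /* B: "/./" becomes "/" */
            in += 2;
        else if (!strcmp(in, "/.")) {          /* B: trailing "/." becomes "/" */
            *outptr++ = '/';
            in += 2;
        }
        else if (!strncmp(in, "/../", 4)) {    /* C: "/../": pop one segment */
            in += 3;
            remove_last_segment(out, &outptr);
        }
        else if (!strcmp(in, "/..")) {         /* C: trailing "/.." */
            in += 3;
            remove_last_segment(out, &outptr);
            *outptr++ = '/';
        }
        else if (!strcmp(in, ".") || !strcmp(in, ".."))  /* D */
            break;
        else {                                 /* E: copy one segment */
            const char *seg = in + (*in == '/');
            while (*seg && *seg != '/')
                seg++;
            memcpy(outptr, in, (size_t)(seg - in));
            outptr += seg - in;
            in = seg;
        }
    }
    *outptr = '\0';
    return out;
}

/* Compare a result with the expected string and release it. */
static int check(char *got, const char *want)
{
    int ok = got && !strcmp(got, want);
    free(got);
    return ok;
}

int main(void)
{
    char *r = dedotdotify("/../../etc/passwd");
    printf("%s\n", r ? r : "(oom)");   /* /etc/passwd: ".." cannot escape "/" */
    free(r);
    return 0;
}
```

Rule C is the security-relevant one: popping a segment from an empty output is a no-op, so "/../../etc/passwd" normalises to "/etc/passwd" instead of reaching outside the root.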
2016-01-29  urldata: Error on missing SSL backend-specific connect info  (Gisle Vanem)
2016-01-28  urldata: moved common variable out of ifdef  (Sergei Nikulov)
Closes https://github.com/bagder/curl/pull/618
2016-01-26  NTLM: Fix ConnectionExists to compare Proxy credentials  (Isaac Boukris)
Proxy NTLM authentication should compare credentials when re-using a connection similar to host authentication, as it authenticates the connection. Example: curl -v -x http://proxy:port http://host/ -U good_user:good_pwd --proxy-ntlm --next -x http://proxy:port http://host/ [-U fake_user:fake_pwd --proxy-ntlm] CVE-2016-0755 Bug: http://curl.haxx.se/docs/adv_20160127A.html
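An added example (not libcurl's ConnectionExists) of the check this commit describes: a connection-cache lookup that compares proxy credentials whenever proxy NTLM is involved on either side. The struct and the function names are hypothetical, "host" and "proxy" are placeholder names, and the pool is constructed to mirror the command line in the commit message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical connection-cache entry, not libcurl's connectdata. */
struct conn {
    const char *host;
    int port;
    const char *proxy;
    int proxyport;
    int proxy_ntlm;          /* NTLM to the proxy: the connection itself is authenticated */
    const char *proxyuser;
    const char *proxypasswd;
};

static int str_eq(const char *a, const char *b)
{
    if (!a || !b)
        return a == b;
    return strcmp(a, b) == 0;
}

/* May 'existing' serve 'wanted'? Host and proxy must match as usual. On top
   of that, whenever either side uses proxy NTLM the proxy credentials must be
   identical, because NTLM binds the authenticated identity to the TCP
   connection rather than to each request: without this check a later request
   with different (or no) credentials would ride on the first request's
   authenticated connection, which is the CVE-2016-0755 flaw described above. */
static int conn_matches(const struct conn *existing, const struct conn *wanted)
{
    if (!str_eq(existing->host, wanted->host) || existing->port != wanted->port)
        return 0;
    if (!str_eq(existing->proxy, wanted->proxy) ||
        existing->proxyport != wanted->proxyport)
        return 0;
    if (existing->proxy_ntlm || wanted->proxy_ntlm) {
        if (!str_eq(existing->proxyuser, wanted->proxyuser) ||
            !str_eq(existing->proxypasswd, wanted->proxypasswd))
            return 0;
    }
    return 1;
}

/* Index of the first reusable pooled connection, or -1 to open a new one. */
static int find_reusable(const struct conn *pool, int n, const struct conn *wanted)
{
    int i;
    for (i = 0; i < n; i++)
        if (conn_matches(&pool[i], wanted))
            return i;
    return -1;
}

/* Constructed pool and requests mirroring the commit's command line. */
static const struct conn pool[2] = {
    { "host", 80, "proxy", 8080, 1, "good_user", "good_pwd" },  /* NTLM-authenticated */
    { "host", 80, "proxy", 8080, 0, NULL, NULL },               /* plain, no proxy auth */
};
static const struct conn same_credentials =
    { "host", 80, "proxy", 8080, 1, "good_user", "good_pwd" };
static const struct conn fake_credentials =
    { "host", 80, "proxy", 8080, 1, "fake_user", "fake_pwd" };
static const struct conn no_proxy_auth =
    { "host", 80, "proxy", 8080, 0, NULL, NULL };

int main(void)
{
    printf("same credentials -> pool index %d\n", find_reusable(pool, 2, &same_credentials)); /* 0 */
    printf("fake credentials -> pool index %d\n", find_reusable(pool, 2, &fake_credentials)); /* -1 */
    printf("no proxy auth    -> pool index %d\n", find_reusable(pool, 2, &no_proxy_auth));    /* 1 */
    return 0;
}
```

Note that the comparison is symmetric: an unauthenticated request must not be handed the NTLM-authenticated connection either, which is why the plain request above lands on pool entry 1 rather than 0.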
2016-01-18  mbedtls: Fix pinned key return value on fail  (Jay Satiro)
- Switch from verifying a pinned public key in a callback during the certificate verification to inline after the certificate verification. The callback method had three problems:
1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH was not returned.
2. If peer certificate verification was disabled the pinned key verification did not take place as it should.
3. (related to #2) If there was no certificate of depth 0 the callback would not have checked the pinned public key.
Though all those problems could have been fixed it would have made the code more complex. Instead we now verify inline after the certificate verification in mbedtls_connect_step2. Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html Ref: https://github.com/bagder/curl/pull/601
2016-01-15  ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL  (Kamil Dudka)
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle empty strings specially since curl-7_25_0-31-g05a443a but the behavior was unintentionally removed in curl-7_38_0-47-gfa7d04f. This commit restores the original behavior and clarifies it in the documentation that NULL and "" have both the same meaning when passed to CURLOPT_SSH_PUBLIC_KEYFILE. Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
2016-01-14  openssl: improved error detection/reporting  (Daniel Stenberg)
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL 1.1.0+ returned a new func number of another certificate fail so this required a fix and this is the better way to catch this error anyway.
2016-01-14  openssl: for 1.1.0+ they now provide a SSLeay() macro of their own  (Daniel Stenberg)
2016-01-11  ConnectionExists: only do pipelining/multiplexing when asked  (Daniel Stenberg)
When an HTTP/2 upgrade request fails (no protocol switch), it would previously detect that as still possible to pipeline on (which is correct) and do that when PIPEWAIT was enabled even if pipelining was not explicitly enabled. It should only pipeline if explicitly asked to. Closes #584
2016-01-11  lib: Prefix URLs with lower-case protocol names/schemes  (Mohammad AlSaleh)
Before this patch, if a URL does not start with the protocol name/scheme, effective URLs would be prefixed with upper-case protocol names/schemes. This behavior might not be expected by library users or end users. For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https" and the URL is "hostname/path", the effective URL would be "HTTPS://hostname/path" instead of "https://hostname/path". After this patch, effective URLs would be prefixed with a lower-case protocol name/scheme. Closes #597 Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
2016-01-11  IDN host names: Remove the port number before converting to ACE  (Michael Kaufmann)
Closes #596