path: root/lib
Age         Commit message  [Author]
2016-01-26  NTLM: Fix ConnectionExists to compare Proxy credentials  [Isaac Boukris]

    Proxy NTLM authentication should compare credentials when re-using a
    connection similar to host authentication, as it authenticates the
    connection.

    Example:

    curl -v -x http://proxy:port http://host/ -U good_user:good_pwd --proxy-ntlm --next -x http://proxy:port http://host/ [-U fake_user:fake_pwd --proxy-ntlm]

    CVE-2016-0755
    Bug: http://curl.haxx.se/docs/adv_20160127A.html
2016-01-18  mbedtls: Fix pinned key return value on fail  [Jay Satiro]

    - Switch from verifying a pinned public key in a callback during the
      certificate verification to inline after the certificate verification.

    The callback method had three problems:

    1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
       was not returned.

    2. If peer certificate verification was disabled the pinned key
       verification did not take place as it should.

    3. (related to #2) If there was no certificate of depth 0 the callback
       would not have checked the pinned public key.

    Though all those problems could have been fixed it would have made the
    code more complex. Instead we now verify inline after the certificate
    verification in mbedtls_connect_step2.

    Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
    Ref: https://github.com/bagder/curl/pull/601
2016-01-15  ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL  [Kamil Dudka]

    The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
    empty strings specially since curl-7_25_0-31-g05a443a but the behavior
    was unintentionally removed in curl-7_38_0-47-gfa7d04f. This commit
    restores the original behavior and clarifies it in the documentation
    that NULL and "" have both the same meaning when passed to
    CURLOPT_SSH_PUBLIC_KEYFILE.

    Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
2016-01-14  openssl: improved error detection/reporting  [Daniel Stenberg]

    ... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
    1.1.0+ returned a new func number of another certificate fail so this
    required a fix and this is the better way to catch this error anyway.
2016-01-14  openssl: for 1.1.0+ they now provide a SSLeay() macro of their own  [Daniel Stenberg]
2016-01-11  ConnectionExists: only do pipelining/multiplexing when asked  [Daniel Stenberg]

    When an HTTP/2 upgrade request fails (no protocol switch), it would
    previously detect that as still possible to pipeline on (which is
    correct) and do that when PIPEWAIT was enabled even if pipelining was
    not explicitly enabled. It should only pipeline if explicitly asked to.

    Closes #584
2016-01-11  lib: Prefix URLs with lower-case protocol names/schemes  [Mohammad AlSaleh]

    Before this patch, if a URL does not start with the protocol
    name/scheme, effective URLs would be prefixed with upper-case protocol
    names/schemes. This behavior might not be expected by library users or
    end users.

    For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https" and the
    URL is "hostname/path", the effective URL would be
    "HTTPS://hostname/path" instead of "https://hostname/path".

    After this patch, effective URLs would be prefixed with a lower-case
    protocol name/scheme.

    Closes #597
    Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
2016-01-11  IDN host names: Remove the port number before converting to ACE  [Michael Kaufmann]

    Closes #596
2016-01-10  mbedtls: implement CURLOPT_PINNEDPUBLICKEY  [Thomas Glanzmann]
2016-01-09  url: Fix compile error with --enable-werror  [Tatsuhiro Tsujikawa]
2016-01-08  http2: Ensure that http2_handle_stream_close is called  [Tatsuhiro Tsujikawa]

    Previously, when HTTP/2 is enabled and used, and the stream has a known
    content length, Curl_read was not called when there were no bytes left
    to read. Because of this, we could not make sure that
    http2_handle_stream_close was called for every stream. Since we use
    http2_handle_stream_close to emit trailer fields, they were effectively
    ignored. This commit changes the code so that Curl_read is called even
    if no bytes are left to read, to ensure that http2_handle_stream_close
    is called for every stream.

    Discussed in https://github.com/bagder/curl/pull/564
2016-01-08  http2: handle the received SETTINGS frame  [Daniel Stenberg]

    This regression landed in 5778e6f5 and made libcurl not act on received
    settings and instead stayed with its internal defaults.

    Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
    Reported-by: Bankde
2016-01-08  Revert "multiplex: allow only once HTTP/2 is actually used"  [Daniel Stenberg]

    This reverts commit 46cb70e9fa81c9a56de484cdd7c5d9d0d9fbec36.

    Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
2016-01-08  http2: Fix PUSH_PROMISE headers being treated as trailers  [Tatsuhiro Tsujikawa]

    Discussed in https://github.com/bagder/curl/pull/564
2016-01-08  connection reuse: IDN host names fixed  [Michael Kaufmann]

    Use the ACE form of IDN hostnames as key in the connection cache.
    Add new tests.

    Closes #592
2016-01-07  mbedtls: Fix ALPN support  [Jay Satiro]

    - Fix ALPN reply detection.
    - Wrap nghttp2 code in ifdef USE_NGHTTP2.

    Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
2016-01-06  http2: Fix client write for trailers on stream close  [Jay Satiro]

    Check that the trailer buffer exists before attempting a client write
    for trailers on stream close.

    Refer to comments in https://github.com/bagder/curl/pull/564
2016-01-06  ConnectionExists: add missing newline in infof() call  [Daniel Stenberg]

    Mistake from commit a464f33843ee1
2016-01-06  multiplex: allow only once HTTP/2 is actually used  [Daniel Stenberg]

    To make sure curl doesn't allow multiplexing before a connection is
    upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure
    the connection uses HTTP/2 as well and not only check what's wanted.

    Closes #584
    Patch-by: c0ff
2015-12-23  ftplistparser.c: fix handling of file LISTings using Windows EOL  [Marc Hoersken]

    Previously file.txt[CR][LF] would have been returned as file.tx
    (without the last t) if filetype is symlink. Now the t is included and
    the internal item_length includes the zero byte.

    Spotted using test 576 on Windows.
2015-12-23  ConnectionExists: with *PIPEWAIT, wait for connections  [Anders Bakken]

    Try harder to prevent libcurl from opening up an additional socket when
    CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
    handshakes complete first before the decision is made.

    Closes #575
2015-12-16  cyassl: deal with lack of *get_peer_certificate  [Daniel Stenberg]

    The function is only present in wolfssl/cyassl if it was built with
    --enable-opensslextra. With these checks added, pinning support is
    disabled unless the TLS lib has that function available.

    Also fix the mistake in configure that checks for the wrong lib name.

    Closes #566
2015-12-16  wolfssl: handle builds without SSLv3 support  [Daniel Stenberg]
2015-12-15  http2: Support trailer fields  [Tatsuhiro Tsujikawa]

    This commit adds trailer support in HTTP/2. In HTTP/1.1, chunked
    encoding must be used to send trailer fields. HTTP/2 deprecated any
    transfer-encoding, including chunked. But trailer fields are now
    always available.

    Since trailer fields are relatively rare these days (gRPC uses them
    extensively though), allocating a buffer for trailer fields is done
    when we detect that a HEADERS frame containing trailer fields is
    started. We use Curl_add_buffer_* functions to buffer all trailers,
    just like we do for regular header fields. And then deliver them when
    the stream is closed. We have to be careful here so that all data are
    delivered to the upper layer before sending trailers to the
    application.

    We can deliver trailer fields one by one using the NGHTTP2_ERR_PAUSE
    mechanism, but the current method is far more simple. Another
    possibility is to use chunked encoding internally for HTTP/2 traffic.
    I have not tested it, but it could add another overhead.

    Closes #564
2015-12-15  x509asn1: Fix host altname verification  [Jay Satiro]

    - In Curl_verifyhost check all altnames in the certificate.

    Prior to this change only the first altname was checked. Only the GSKit
    SSL backend was affected by this bug.

    Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
    Reported-by: John Kohl
2015-12-15  cyassl: fix compiler warning on type conversion  [Daniel Stenberg]
2015-12-14  setstropt: const-correctness  [Anders Bakken]

    Closes #565
2015-12-14  libressl: the latest openssl x509 funcs are not in libressl  [Daniel Stenberg]
2015-12-13  http: add libcurl option to allow HTTP/2 for HTTPS only  [Daniel Stenberg]

    ... and stick to 1.1 for HTTP. This is in line with what browsers do
    and should have very little risk.
2015-12-10  openssl: adapt to openssl >= 1.1.0 X509 opaque structs  [Daniel Stenberg]

    Closes #491
2015-12-10  openssl: avoid BIO_reset() warnings since it returns a value  [Daniel Stenberg]
2015-12-10  openssl: adapt to 1.1.0+ name changes  [Daniel Stenberg]
2015-12-09  fix b6d5cb40d7038fe  [Daniel Stenberg]
2015-12-08  http2: Fix hanging paused stream  [Tatsuhiro Tsujikawa]

    When NGHTTP2_ERR_PAUSE is returned from data_source_read_callback, we
    might not process the DATA frame fully. Calling
    nghttp2_session_mem_recv() again will continue to process the DATA
    frame, but if there are no incoming frames, then we have to call it
    again with 0-length data. Without this, the on_stream_close callback
    will not be called, and the stream could hang.

    Bug: http://curl.haxx.se/mail/lib-2015-11/0103.html
    Reported-by: Francisco Moraes
2015-12-08  build: fix compilation error with CURL_DISABLE_VERBOSE_STRINGS  [Christian Stewart]

    With curl disable verbose strings in http.c the compilation fails due
    to the data variable being undefined later on in the function.

    Closes #558
2015-12-07  config-win32: Fix warning HAVE_WINSOCK2_H undefined  [Gisle Vanem]
2015-12-07  openssl: BoringSSL doesn't have CONF_modules_free  [Gisle Vanem]
2015-12-07  lwip: Fix compatibility issues with later versions  [Gisle Vanem]

    The name of the header guard in lwIP's <lwip/opt.h> has changed from
    '__LWIP_OPT_H__' to 'LWIP_HDR_OPT_H' (bug #35874 in May 2015).

    Other fixes:

    - In curl_setup.h, the problem with an old PSDK doesn't apply if lwIP
      is used.
    - In memdebug.h, the 'socket' should be undefined first due to lwIP's
      lwip_socket() macro.
    - In curl_addrinfo.c lwIP's getaddrinfo() + freeaddrinfo() macros need
      special handling because they were undef'ed in memdebug.h.
    - In select.c we can't use preprocessor conditionals inside select if
      MSVC and select is a macro, as it is with lwIP.

    http://curl.haxx.se/mail/lib-2015-12/0023.html
    http://curl.haxx.se/mail/lib-2015-12/0024.html
2015-12-07  version: Add flag CURL_VERSION_PSL for libpsl  [Gisle Vanem]
2015-12-07  formdata: Check if length is too large for memory  [Jay Satiro]

    - If the size of the length type (curl_off_t) is greater than the size
      of the size_t type then check before allocating memory to make sure
      the value of length will fit in a size_t without overflow. If it
      doesn't then return CURLE_BAD_FUNCTION_ARGUMENT.

    Bug: https://github.com/bagder/curl/issues/425#issuecomment-154518679
    Reported-by: Steve Holme
2015-11-30  Curl_read_plain: clean up ifdefs that break statements  [Flavio Medeiros]

    Closes #546
2015-11-30  http2: convert some verbose output into debug-only output  [Daniel Stenberg]
2015-11-30  http2 push: add missing inits of new stream  [Daniel Stenberg]

    - set the correct stream_id for pushed streams
    - init maxdownload and size properly
2015-11-30  http2 push: set weight for new stream  [Daniel Stenberg]

    give the new stream the old one's stream_weight internally to avoid
    sending a PRIORITY frame unless asked for it
2015-11-28  curl_setup.h: undef freeaddrinfo in c-ares block to fix build  [Daniel Stenberg]

    Fixes warnings 78c25c854a added.
2015-11-27  nonblock: fix setting non-blocking mode for Amiga  [Daniel Stenberg]

    IoctlSocket() apparently wants a pointer to a long, passed as a char *
    in its third parameter. This bug was introduced already back in commit
    c5fdeef41d from October 1 2001!

    Bug: http://curl.haxx.se/mail/lib-2015-11/0088.html
    Reported-by: Norbert Kett
2015-11-27  lib: Only define curl_dofreeaddrinfo if struct addrinfo is available  [Dan Fandrich]
2015-11-25  timecond: do not add if-modified-since without timecondition  [Daniel Stenberg]

    The RTSP code path didn't skip adding the if-modified-since for certain
    RTSP code paths, even if CURLOPT_TIMECONDITION was set to
    CURL_TIMECOND_NONE. Also, an unknown non-zero CURLOPT_TIMECONDITION
    value no longer equals CURL_TIMECOND_IFMODSINCE.

    Bug: http://stackoverflow.com/questions/33903982/curl-timecond-none-doesnt-work-how-to-remove-if-modified-since-header
2015-11-24  done: make sure the final progress update is made  [Daniel Stenberg]

    It would previously be skipped if an existing error was returned, but
    would lead to a previous value being left there and later used.
    CURLINFO_TOTAL_TIME for example.

    Still it avoids that final progress update if we reached DONE as the
    result of a callback abort to avoid another callback being called after
    an abort-by-callback.

    Reported-by: Lukas Ruzicka
    Closes #538
2015-11-24  Revert "cleanup: general removal of TODO (and similar) comments"  [Daniel Stenberg]

    This reverts commit 64e959ffe37c436503f9fed1ce2d6ee6ae50bd9a.

    Feedback-by: Dan Fandrich
    URL: http://curl.haxx.se/mail/lib-2015-11/0062.html