path: root/lib
Age  Commit message  (Author)
2018-06-12 schannel: avoid incompatible pointer warning (Viktor Szakats)
with clang-6.0:
```
vtls/schannel_verify.c: In function 'add_certs_to_store':
vtls/schannel_verify.c:212:30: warning: passing argument 11 of 'CryptQueryObject' from incompatible pointer type [-Wincompatible-pointer-types]
                              &cert_context)) {
                              ^
In file included from /usr/share/mingw-w64/include/schannel.h:10:0,
                 from /usr/share/mingw-w64/include/schnlsp.h:9,
                 from vtls/schannel.h:29,
                 from vtls/schannel_verify.c:40:
/usr/share/mingw-w64/include/wincrypt.h:4437:26: note: expected 'const void **' but argument is of type 'CERT_CONTEXT ** {aka struct _CERT_CONTEXT **}'
   WINIMPM WINBOOL WINAPI CryptQueryObject (DWORD dwObjectType, const void *pvObject, DWORD dwExpectedContentTypeFlags, DWORD dwExpectedFormatTypeFlags, DWORD dwFlags,
                          ^~~~~~~~~~~~~~~~
```
Ref: https://msdn.microsoft.com/library/windows/desktop/aa380264
Closes https://github.com/curl/curl/pull/2648
2018-06-12 schannel: support selecting ciphers (Robert Prag)
Given the constraints of SChannel, I'm exposing these as the algorithms themselves instead; while replicating the ciphersuite as specified by OpenSSL would have been preferable, I found no way in the SChannel API to do so.
To use this from the commandline, you need to pass the names of constants defining the desired algorithms. For example,
curl --ciphers "CALG_SHA1:CALG_RSA_SIGN:CALG_RSA_KEYX:CALG_AES_128:CALG_DH_EPHEM" https://github.com
The specific names come from wincrypt.h
Closes #2630
2018-06-11 cppcheck: fix warnings (Marian Klymov)
- Get rid of variable that was generating false positive warning (uninitialized)
- Fix issues in tests
- Reduce scope of several variables all over
etc
Closes #2631
2018-06-11 openssl: assume engine support in 1.0.1 or later (Daniel Stenberg)
Previously it was checked for in configure/cmake, but that would then leave other build systems built without engine support. While engine support probably existed prior to 1.0.1, I decided to play safe. If someone experiences a problem with this, we can widen the version check. Fixes #2641 Closes #2644
2018-06-08 boringssl + schannel: undef X509_NAME in lib/schannel.h (Gisle Vanem)
Fixes the build problem when both boringssl and schannel are enabled. Fixes #2634 Closes #2643
2018-06-08 mk-ca-bundle.pl: leave certificate name untouched in decode() (Vladimir Kotal)
Closes #2640
2018-06-03 spelling fixes (Viktor Szakats)
Detected using the `codespell` tool (version 1.13.0). Also secure and fix a URL.
2018-06-02 axtls: follow-up spell fix of comment (Daniel Stenberg)
2018-06-02 axTLS: not considered fit for use (Daniel Stenberg)
URL: https://curl.haxx.se/mail/lib-2018-06/0000.html This is step one. It adds #error statements that require source edits to make curl build again if asked to use axTLS. At a later stage we might remove the axTLS specific code completely. Closes #2628
2018-06-02 build: remove the Borland specific makefiles (Daniel Stenberg)
According to the user survey 2018, not even one out of 670 users use them. Nobody on the mailing list spoke up for them either. Closes #2629
2018-06-01 curl_addrinfo: use same #ifdef conditions in source as header (Daniel Stenberg)
... for curl_dofreeaddrinfo
2018-06-01 multi: remove a DEBUGF() (Daniel Stenberg)
... it might call infof() with a NULL first argument that isn't harmful but makes it not do anything. The infof() line is not very useful anymore, it has served its purpose. Good riddance! Fixes #2627
2018-06-01 CURLOPT_RESOLVE: always purge old entry first (Alibek.Jorajev)
If there's an existing entry using the selected name. Closes #2622
2018-06-01 fnmatch: use the system one if available (Daniel Stenberg)
If configure detects fnmatch to be available, use that instead of our custom one for FTP wildcard pattern matching. For standard compliance, to reduce our footprint and to use already well tested and well exercised code. A POSIX fnmatch behaves slightly different than the internal function for a few test patterns currently and the macOS one yet slightly different. Test case 1307 is adjusted for these differences. Closes #2626
2018-05-31 configure: check for declaration of getpwuid_r (Bernhard Walle)
On our x86 Android toolchain, getpwuid_r is implemented but the header is missing: netrc.c:81:7: error: implicit declaration of function 'getpwuid_r' [-Werror=implicit-function-declaration] Unfortunately, the function is used in curl_ntlm_wb.c, too, so I moved the prototype to curl_setup.h. Signed-off-by: Bernhard Walle <bernhard@bwalle.de> Closes #2609
2018-05-31 strictness: correct {infof, failf} format specifiers (Rikard Falkeborn)
Closes #2623
2018-05-31 option: disallow username in URL (Björn Stenberg)
Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes libcurl reject URLs with a username in them. Closes #2340
2018-05-29 setopt: add TLS 1.3 ciphersuites (Daniel Stenberg)
Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. curl: added --tls13-ciphers and --proxy-tls13-ciphers Fixes #2435 Reported-by: zzq1015 on github Closes #2607
2018-05-28 fnmatch: insist on escaped bracket to match (Daniel Stenberg)
A non-escaped bracket ([) is for a character group - as documented. It will *not* match an individual bracket anymore. Test case 1307 updated accordingly to match. Problem detected by OSS-Fuzz, although this fix is probably not a final fix for the notorious timeout issues. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8525 Closes #2614
2018-05-28 psl: use latest psl and refresh it periodically (Patrick Monnerat)
The latest psl is cached in the multi or share handle. It is refreshed before use after 72 hours. New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing. If the latest psl is not available, the builtin psl is used. Reported-by: Yaakov Selkowitz Fixes #2553 Closes #2601
2018-05-28 cmake: check for getpwuid_r (Bernhard Walle)
The autotools-based build system does it, so we do it also in CMake. Bug: #2609 Signed-off-by: Bernhard Walle <bernhard@bwalle.de>
2018-05-27 schannel: add failf calls for client certificate failures (ralcock)
Closes #2604
2018-05-25 content_encoding: handle zlib versions too old for Z_BLOCK (Alejandro R. Sedeño)
Fallback on Z_SYNC_FLUSH when Z_BLOCK is not available. Fixes #2606 Closes #2608
2018-05-24 multi: provide a socket to wait for in Curl_protocol_getsock (Daniel Stenberg)
... even when there's no protocol specific handler setup. Bug: https://curl.haxx.se/mail/lib-2018-05/0062.html Reported-by: Sean Miller Closes #2600
2018-05-24 httpauth: add support for Bearer tokens (Linus Lewandowski)
Closes #2102
2018-05-24 cmake: set -d postfix for debug builds if not specified (Sergei Nikulov)
using -DCMAKE_DEBUG_POSTFIX explicitly fixes #2121, obsoletes #2384
2018-05-22 http resume: skip body if http code 416 (range error) is ignored. (Patrick Monnerat)
This avoids appending error data to already existing good data. Test 92 is updated to match this change. New test 1156 checks all combinations of --range/--resume, --fail, Content-Range header and http status code 200/416. Fixes #1163 Reported-By: Ithubg on github Closes #2578
2018-05-22 tftp: make sure error is zero terminated before printfing it (Daniel Stenberg)
2018-05-22 schannel: make CAinfo parsing resilient to CR/LF (Johannes Schindelin)
OpenSSL has supported --cacert for ages, always accepting LF-only line endings ("Unix line endings") as well as CR/LF line endings ("Windows line endings"). When we introduced support for --cacert also with Secure Channel (or in cURL speak: "WinSSL"), we did not take care to support CR/LF line endings, too, even if we are much more likely to receive input in that form when using Windows. Let's fix that. Happily, CryptQueryObject(), the function we use to parse the ca-bundle, accepts CR/LF input already, and the trailing LF before the END CERTIFICATE marker catches naturally any CR/LF line ending, too. So all we need to care about is the BEGIN CERTIFICATE marker. We do not actually need to verify here that the line ending is CR/LF. Just checking for a CR or an LF is really plenty enough. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes https://github.com/curl/curl/pull/2592
2018-05-21 checksrc: make sure sizeof() is used *with* parentheses (Daniel Stenberg)
... and unify the source code to adhere. Closes #2563
2018-05-18 curl_fnmatch: only allow two asterisks for matching (Daniel Stenberg)
The previous limit of 5 can still end up in a situation that takes a very long time and consumes a lot of CPU. If there is still a rare use case for this, a user can provide their own fnmatch callback for a version that allows a larger set of wildcards. This commit was triggered by yet another OSS-Fuzz timeout due to this. Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369 Closes #2587
2018-05-18 docs: mention HAproxy protocol "version 1" (Aleks)
...as there's also a version 2. Closes #2579
2018-05-17 getinfo: add microsecond precise timers for various intervals (Philip Prindeville)
Provide a set of new timers that return the time intervals using integer number of microseconds instead of floats. The new info names are as following:
CURLINFO_APPCONNECT_TIME_T
CURLINFO_CONNECT_TIME_T
CURLINFO_NAMELOOKUP_TIME_T
CURLINFO_PRETRANSFER_TIME_T
CURLINFO_REDIRECT_TIME_T
CURLINFO_STARTTRANSFER_TIME_T
CURLINFO_TOTAL_TIME_T
Closes #2495
2018-05-17 openssl: acknowledge --tls-max for default version too (Daniel Stenberg)
... previously it only used the max setting if a TLS version was also explicitly asked for. Reported-by: byte_bucket Fixes #2571 Closes #2572
2018-05-16 schannel_verify: fix build for non-schannel (Daniel Stenberg)
2018-05-16 rand: fix typo (Jay Satiro)
2018-05-16 schannel: disable manual verify if APIs not available (Jay Satiro)
.. because original MinGW and old compilers do not have the Windows API definitions needed to support manual verification.
2018-05-16 schannel: disable client cert option if APIs not available (Archangel_SDY)
Original MinGW targets Windows 2000 by default, which lacks some APIs and definitions for this feature. Disable it if these APIs are not available. Closes https://github.com/curl/curl/pull/2522
2018-05-14 http2: remove unused variable (steini2000)
Closes #2570
2018-05-14 http2: use easy handle of stream for logging (steini2000)
2018-05-14 gcc: disable picky gcc-8 function pointer warnings in two places (Daniel Stenberg)
Reported-by: Rikard Falkeborn Bug: #2560 Closes #2569
2018-05-14 http2: use the correct function pointer typedef (Daniel Stenberg)
Fixes gcc-8 picky compiler warnings Reported-by: Rikard Falkeborn Bug: #2560 Closes #2568
2018-05-14 ntlm: Fix format specifiers (Rikard Falkeborn)
2018-05-14 lib: Fix format specifiers (Rikard Falkeborn)
2018-05-14 http2: getsock fix for uploads (Daniel Stenberg)
When there's an upload in progress, make sure to wait for the socket to become writable. Detected-by: steini2000 on github Bug: #2520 Closes #2567
2018-05-14 pingpong: fix response cache memcpy overflow (Daniel Stenberg)
Response data for a handle with a large buffer might be cached and then used with the "closure" handle when it has a smaller buffer and then the larger cache will be copied and overflow the new smaller heap based buffer. Reported-by: Dario Weisser CVE: CVE-2018-1000300 Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
2018-05-14 http: restore buffer pointer when bad response-line is parsed (Daniel Stenberg)
... leaving the k->str could lead to buffer over-reads later on. CVE: CVE-2018-1000301 Assisted-by: Max Dymond Detected by OSS-Fuzz. Bug: https://curl.haxx.se/docs/adv_2018-b138.html Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
2018-05-13 cookies: do not take cookie name as a parameter (Patrick Monnerat)
RFC 6265 section 4.2.1 does not set restrictions on cookie names. This is a follow-up to commit 7f7fcd0. Also explicitly check proper syntax of cookie name/value pair. New test 1155 checks that cookie names are not reserved words. Reported-By: anshnd at github Fixes #2564 Closes #2566
2018-05-12 smb: reject negative file sizes (Daniel Stenberg)
Assisted-by: Max Dymond Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245
2018-05-11 setup_transfer: deal with both sockets being -1 (Daniel Stenberg)
Detected by Coverity; CID 1435559. Follow-up to f8d608f38d00. It would index the array with -1 if neither index was a socket.