aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2016-12-01http_proxy: simplify CONNECT response readingDaniel Stenberg
Since it now reads responses one byte a time, a loop could be removed and it is no longer limited to get the whole response within 16K, it is now instead only limited to 16K maximum header line lengths.
2016-12-01CONNECT: read responses one byte at a timeDaniel Stenberg
... so that it doesn't read data that is actually coming from the remote. 2xx responses have no body from the proxy, that data is from the peer. Fixes #1132
2016-12-01CONNECT: reject TE or CL in 2xx responsesDaniel Stenberg
A server MUST NOT send any Transfer-Encoding or Content-Length header fields in a 2xx (Successful) response to CONNECT. (RFC 7231 section 4.3.6) Also fixes the three test cases that did this.
2016-12-01URL parser: reject non-numerical port numbersDaniel Stenberg
Test 1281 added to verify
2016-11-30cyassl: fixed typo introduced in 4f8b1774Dan Fandrich
2016-11-30CURLOPT_CONNECT_TO: Skip non-matching "connect-to" entries properlyMichael Kaufmann
If a port number in a "connect-to" entry does not match, skip this entry instead of connecting to port 0. If a port number in a "connect-to" entry matches, use this entry and look no further. Reported-by: Jay Satiro Assisted-by: Jay Satiro, Daniel Stenberg Closes #1148
2016-11-28http2: check nghttp2_session_set_local_window_size existsJay Satiro
The function only exists since nghttp2 1.12.0. Bug: https://github.com/curl/curl/commit/a4d8888#commitcomment-19985676 Reported-by: Michael Kaufmann
2016-11-28http2: Fix crashes when parent stream gets abortedAnders Bakken
Closes #1125
2016-11-26curl_version_info: add CURL_VERSION_HTTPS_PROXYOkhin Vasilij
Closes #1142
2016-11-26curl_easy_reset: clear info for CULRINFO_PROTOCOL and CURLINFO_SCHEMEFrank Gevaerts
2016-11-25HTTPS Proxy: Implement CURLOPT_PROXY_PINNEDPUBLICKEYThomas Glanzmann
2016-11-25url: proxy: Use 443 as default port for https proxiesThomas Glanzmann
2016-11-24x509asn1: Restore the parameter check in Curl_getASN1ElementJay Satiro
- Restore the removed parts of the parameter check. Follow-up to 945f60e which altered the parameter check.
2016-11-25add CURLINFO_SCHEME, CURLINFO_PROTOCOL, and %{scheme}Frank Gevaerts
Adds access to the effectively used protocol/scheme to both libcurl and curl, both in string and numeric (CURLPROTO_*) form. Note that the string form will be uppercase, as it is just the internal string. As these strings are declared internally as const, and all other strings returned by curl_easy_getinfo() are de-facto const as well, string handling in getinfo.c got const-ified. Closes #1137
2016-11-24checksrc: move open braces to comply with function declaration styleDaniel Stenberg
2016-11-24checksrc: detect wrongly placed open braces in func declarationsDaniel Stenberg
2016-11-24checksrc: white space edits to comply to stricter checksrcDaniel Stenberg
2016-11-24checksrc: verify ASTERISKNOSPACEDaniel Stenberg
Detects (char*) and 'char*foo' uses.
2016-11-24checksrc: code style: use 'char *name' styleDaniel Stenberg
2016-11-24checksrc: add ASTERISKSPACEDaniel Stenberg
Verifies a 'char *name' style, with no space after the asterisk.
2016-11-24openssl: remove dead codeDaniel Stenberg
Coverity CID 1394666
2016-11-24HTTPS-proxy: fixed mbedtls and polishingOkhin Vasilij
2016-11-24darwinssl: adopted to the HTTPS proxy changesDaniel Stenberg
It builds and runs all test cases. No adaptations for actual HTTPS proxy support has been made.
2016-11-24gtls: fix indent to silence compiler warningDaniel Stenberg
vtls/gtls.c: In function ‘Curl_gtls_data_pending’: vtls/gtls.c:1429:3: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation] if(conn->proxy_ssl[connindex].session && ^~ vtls/gtls.c:1433:5: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘if’ return res;
2016-11-24mbedtls: Fix compile errorsThomas Glanzmann
2016-11-24proxy: Support HTTPS proxy and SOCKS+HTTP(s)Alex Rousskov
* HTTPS proxies: An HTTPS proxy receives all transactions over an SSL/TLS connection. Once a secure connection with the proxy is established, the user agent uses the proxy as usual, including sending CONNECT requests to instruct the proxy to establish a [usually secure] TCP tunnel with an origin server. HTTPS proxies protect nearly all aspects of user-proxy communications as opposed to HTTP proxies that receive all requests (including CONNECT requests) in vulnerable clear text. With HTTPS proxies, it is possible to have two concurrent _nested_ SSL/TLS sessions: the "outer" one between the user agent and the proxy and the "inner" one between the user agent and the origin server (through the proxy). This change adds supports for such nested sessions as well. A secure connection with a proxy requires its own set of the usual SSL options (their actual descriptions differ and need polishing, see TODO): --proxy-cacert FILE CA certificate to verify peer against --proxy-capath DIR CA directory to verify peer against --proxy-cert CERT[:PASSWD] Client certificate file and password --proxy-cert-type TYPE Certificate file type (DER/PEM/ENG) --proxy-ciphers LIST SSL ciphers to use --proxy-crlfile FILE Get a CRL list in PEM format from the file --proxy-insecure Allow connections to proxies with bad certs --proxy-key KEY Private key file name --proxy-key-type TYPE Private key file type (DER/PEM/ENG) --proxy-pass PASS Pass phrase for the private key --proxy-ssl-allow-beast Allow security flaw to improve interop --proxy-sslv2 Use SSLv2 --proxy-sslv3 Use SSLv3 --proxy-tlsv1 Use TLSv1 --proxy-tlsuser USER TLS username --proxy-tlspassword STRING TLS password --proxy-tlsauthtype STRING TLS authentication type (default SRP) All --proxy-foo options are independent from their --foo counterparts, except --proxy-crlfile which defaults to --crlfile and --proxy-capath which defaults to --capath. Curl now also supports %{proxy_ssl_verify_result} --write-out variable, similar to the existing %{ssl_verify_result} variable. Supported backends: OpenSSL, GnuTLS, and NSS. * A SOCKS proxy + HTTP/HTTPS proxy combination: If both --socks* and --proxy options are given, Curl first connects to the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS proxy. TODO: Update documentation for the new APIs and --proxy-* options. Look for "Added in 7.XXX" marks.
2016-11-24Declare endian read functions argument as a const pointer.Patrick Monnerat
This is done for all functions of the form Curl_read[136][624]_[lb]e.
2016-11-24Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.Patrick Monnerat
See CRL-01-006.
2016-11-22url: Fix conn reuse for local ports and interfacesJay Satiro
- Fix connection reuse for when the proposed new conn 'needle' has a specified local port but does not have a specified device interface. Bug: https://curl.haxx.se/mail/lib-2016-11/0137.html Reported-by: bjt3[at]hotmail.com
2016-11-21rand: pass in number of randoms as an unsigned argumentDaniel Stenberg
2016-11-20rand: Fix potentially uninitialized result warningJay Satiro
2016-11-19vtls: fix build warningsMarcel Raad
Fix warnings about conversions from long to time_t in openssl.c and schannel.c. Follow-up to de4de4e3c7c
2016-11-18lib: fix compiler warnings after de4de4e3c7cMarcel Raad
Visual C++ now complains about implicitly casting time_t (64-bit) to long (32-bit). Fix this by changing some variables from long to time_t, or explicitly casting to long where the public interface would be affected. Closes #1131
2016-11-17Don't mix unix domain sockets with regular onesIsaac Boukris
When reusing a connection, make sure the unix domain socket option matches.
2016-11-16http2: Use huge HTTP/2 windowsJay Satiro
- Improve performance by using a huge HTTP/2 window size. Bug: https://github.com/curl/curl/issues/1102 Reported-by: afrind@users.noreply.github.com Assisted-by: Tatsuhiro Tsujikawa
2016-11-16http2: Fix address sanitizer memcpy warningJay Satiro
- In Curl_http2_switched don't call memcpy when src is NULL. Curl_http2_switched can be called like: Curl_http2_switched(conn, NULL, 0); .. and prior to this change memcpy was then called like: memcpy(dest, NULL, 0) .. causing address sanitizer to warn: http2.c:2057:3: runtime error: null pointer passed as argument 2, which is declared to never be null
2016-11-15darwinssl: fix SSL client certificate not found on MacOS SierraDavid Schweikert
Reviewed-by: Nick Zitzmann Closes #1105
2016-11-14Curl_rand: fixed and moved to rand.cDaniel Stenberg
Now Curl_rand() is made to fail if it cannot get the necessary random level. Changed the proto of Curl_rand() slightly to provide a number of ints at once. Moved out from vtls, since it isn't a TLS function and vtls provides Curl_ssl_random() for this to use. Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
2016-11-13time_t fix: follow-up to de4de4e3c7cDaniel Stenberg
Blah, I accidentally wrote size_t instead of time_t for two variables. Reported-by: Dave Reisner
2016-11-12timeval: prefer time_t to hold seconds instead of longDaniel Stenberg
... as long is still 32bit on modern 64bit windows machines, while time_t is generally 64bit.
2016-11-11URL-parser: for file://[host]/ URLs, the [host] must be localhostDaniel Stenberg
Previously, the [host] part was just ignored which made libcurl accept strange URLs misleading users. like "file://etc/passwd" which might've looked like it refers to "/etc/passwd" but is just "/passwd" since the "etc" is an ignored host name. Reported-by: Mike Crowe Assisted-by: Kamil Dudka
2016-11-11openssl: make sure to fail in the unlikely event that PRNG seeding failsDaniel Stenberg
2016-11-11openssl: avoid unnecessary seeding if already doneDaniel Stenberg
1.1.0+ does more of this by itself so we can avoid extra processing this way.
2016-11-11openssl: RAND_status always exists in OpenSSL >= 0.9.7Daniel Stenberg
and remove RAND_screen from configure since nothing is using that function
2016-11-11Curl_pgrsUpdate: use dedicated function for time passedDaniel Stenberg
2016-11-11realloc: use Curl_saferealloc to avoid common mistakesDaniel Stenberg
Discussed: https://curl.haxx.se/mail/lib-2016-11/0087.html
2016-11-10openssl: raise the max_version to 1.3 if asked forDaniel Stenberg
Now I've managed to negotiate TLS 1.3 with https://enabled.tls13.com/ when using boringssl.
2016-11-09vtls: Fail on unrecognized param for CURLOPT_SSLVERSIONJay Satiro
- Fix GnuTLS code for CURL_SSLVERSION_TLSv1_2 that broke when the TLS 1.3 support was added in 6ad3add. - Homogenize across code for all backends the error message when TLS 1.3 is not available to "<backend>: TLS 1.3 is not yet supported". - Return an error when a user-specified ssl version is unrecognized. --- Prior to this change our code for some of the backends used the 'default' label in the switch statement (ie ver unrecognized) for ssl.version and treated it the same as CURL_SSLVERSION_DEFAULT. Bug: https://curl.haxx.se/mail/lib-2016-11/0048.html Reported-by: Kamil Dudka
2016-11-09SPNEGO: Fix memory leak when authentication failsIsaac Boukris
If SPNEGO fails, cleanup the negotiate handle right away. Fixes #1115 Signed-off-by: Isaac Boukris <iboukris@gmail.com> Reported-by: ashman-p
2016-11-08printf: fix ".*f" handlingDaniel Stenberg
It would always use precision 1 instead of reading it from the argument list as intended. Reported-by: Ray Satiro Bug: #1113