delta/curl.git/lib, branch bagder/https-proxy-tests

vauth/cleartext: fix theoretical integer overflow

2020-05-14T06:36:35+00:00

Fix theoretical integer overflow in Curl_auth_create_plain_message.

The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.

Closes #5391

checksrc: enhance the ASTERISKSPACE and update code accordingly

2020-05-13T22:02:05+00:00

Fine: "struct hello *world"

Not fine: "struct hello* world" (and variations)

Closes #5386

OpenSSL: have CURLOPT_CRLFILE imply CURLSSLOPT_NO_PARTIALCHAIN

2020-05-13T14:39:36+00:00

... to avoid an OpenSSL bug that otherwise makes the CRL check to fail.

Reported-by: Michael Kaufmann
Fixes #5374
Closes #5376

url: reject too long input when parsing credentials

2020-05-13T06:02:42+00:00

Since input passed to libcurl with CURLOPT_USERPWD and
CURLOPT_PROXYUSERPWD circumvents the regular string length check we have
in Curl_setstropt(), the input length limit is enforced in
Curl_parse_login_details too, separately.

Reported-by: Thomas Bouzerar
Closes #5383

easy: fix dangling pointer on easy_perform fail

2020-05-12T07:00:27+00:00

Closes https://github.com/curl/curl/pull/5363

url: sort the protocol schemes in rough popularity order

2020-05-12T06:22:04+00:00

When looking for a protocol match among supported schemes, check the
most "popular" schemes first. It has zero functionality difference and
for all practical purposes a speed difference will not be measureable
but it still think it makes sense to put the least likely matches last.

"Popularity" based on the 2019 user survey.

Closes #5377

CMake: add ENABLE_ALT_SVC option

2020-05-10T21:36:54+00:00

Tested alt-svc with quiche. While at it, add missing MultiSSL reporting
(not tested).

CMake: add HTTP/3 support (ngtcp2+nghttp3, quiche)

2020-05-10T21:36:41+00:00

Add three new CMake Find modules (using the curl license, but I grant
others the right to apply the CMake BSD license instead).

This CMake config is simpler than the autotools one because it assumes
ngtcp2 and nghttp3 to be used together. Another difference is that this
CMake config checks whether QUIC is actually supported by the TLS
library (patched OpenSSL or boringssl) since this can be a common
configuration mistake that could result in build errors later.

Unlike autotools, CMake does not warn you that the features are
experimental. The user is supposed to already know that and read the
documentation. It requires a very special build environment anyway.

Tested with ngtcp2+OpenSSL+nghttp3 and quiche+boringssl, both built from
current git master. Use `LD_DEBUG=files src/curl |& grep need` to figure
out which features (libldap-2.4, libssh2) to disable due to conflicts
with boringssl.

Closes #5359

checksrc: close the .checksrc file handle when done reading

2020-05-08T15:00:29+00:00

CURLOPT_SSL_OPTIONS: add *_NATIVE_CA to use Windows CA store (with openssl)

2020-05-08T13:55:04+00:00

Closes #4346