Commit message | Author | Age | Files | Lines
...
* schannel: add "best effort" revocation check option | Johannes Schindelin | 2020-03-18 | 20 | -2/+136
  - Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and --ssl-revoke-best-effort to allow a "best effort" revocation check.
  A best effort revocation check ignores errors that the revocation check was unable to take place. The reasoning is described in detail below and discussed further in the PR.
  ---
  When running e.g. with Fiddler, the schannel backend fails with an unhelpful error message:
  Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
  Sadly, many enterprise users who are stuck behind MITM proxies suffer the very same problem.
  This has been discussed in plenty of issues: https://github.com/curl/curl/issues/3727, https://github.com/curl/curl/issues/264, for example.
  In the latter, a Microsoft Edge developer even made the case that the common behavior is to ignore issues when a certificate has no recorded distribution point for revocation lists, or when the server is offline. This is also known as "best effort" strategy and addresses the Fiddler issue.
  Unfortunately, this strategy was not chosen as the default for schannel (and is therefore a backend-specific behavior: OpenSSL seems to happily ignore the offline servers and missing distribution points).
  To maintain backward-compatibility, we therefore add a new flag (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option (`--ssl-revoke-best-effort`) to select the new behavior.
  Due to the many related issues in Git for Windows and GitHub Desktop, the plan is to make this behavior the default in these software packages.
  The test 2070 was added to verify this behavior, adapted from 310.
  Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com>
  Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com>
  Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
  Closes https://github.com/curl/curl/pull/4981
* multi: Improve parameter check for curl_multi_remove_handle | Jay Satiro | 2020-03-18 | 2 | -2/+6
  - If an easy handle is owned by a multi different from the one specified then return CURLM_BAD_EASY_HANDLE.
  Prior to this change I assume user error could cause corruption.
  Closes https://github.com/curl/curl/pull/5116
* windows: suppress UI in all CryptAcquireContext() calls | Viktor Szakats | 2020-03-17 | 6 | -13/+13
  Ref: https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta#parameters
  Reviewed-by: Marc Hörsken
  Closes https://github.com/curl/curl/pull/5088
* writeout_json: add missing comma to fix the HTTP version | Daniel Stenberg | 2020-03-17 | 1 | -1/+1
  Follow-up to 04c03416e68fd635a15
* test 970: verify --write-out '%{json}' | Daniel Stenberg | 2020-03-17 | 3 | -3/+136
  Makes curl_easy_getinfo() of "variable" numerical content instead return the number set in the env variable `CURL_TIME`.
  Makes curl_version() of "variable" textual content. This guarantees a stable version string which can be tested against. Environment variable `CURL_VERSION` defines the content.
  Assisted-by: Mathias Gumz
* writeout: support to generate JSON output | Mathias Gumz | 2020-03-17 | 8 | -83/+361
  This commit adds support to generate JSON via the writeout feature:
    -w "%{json}"
  It leverages the existing infrastructure as much as possible. Thus, generating the JSON on STDERR is possible by:
    -w "%{stderr}%{json}"
  This implements a variant of https://github.com/curl/curl/wiki/JSON#--write-out-json.
  Closes #4870
* CI: stop ignoring 323, it is disabled | Daniel Stenberg | 2020-03-17 | 3 | -15/+10
* DISABLED: disable test 323 | Daniel Stenberg | 2020-03-17 | 1 | -0/+3
  The test uses SRP to "a server not supporting it" but modern stunnel versions will silently accept it and remain happy. The test is therefore faulty. I haven't figured out how to make stunnel explicitly reject SRP-using connects.
  Reported-by: Marc Hörsken
  Fixes #5105
  Closes #5113
* ci/tests: increase timeouts for torture builds on Azure Pipelines | Marc Hoersken | 2020-03-17 | 1 | -2/+2
  For some reason the torture builds have slowed down recently.
  Reported-by: Daniel Stenberg
* cmake: add support for building with wolfSSL [bagder/cmake-wolfssl] | Daniel Stenberg | 2020-03-16 | 4 | -12/+49
  My working build cmdline:
    $ cmake -DCMAKE_PREFIX_PATH=$HOME/build-wolfssl -DCMAKE_USE_WOLFSSL=ON .
  Assisted-by: Brad King
  Closes #5095
* tool_operate: fix add_parallel_transfers when more are in queue | Daniel Stenberg | 2020-03-16 | 1 | -1/+1
  Trying to return early from the function if no new transfers were added would break the "morep" argument and cause issues. This could lead to zero content "transfers" (within quotes since they would never be started) when parallel-max was reduced.
  Reported-by: Gavin Wong
  Analyzed-by: Jay Satiro
  Fixes #4937
  Closes #5112
* vtls: free ssl_config leftovers on out-of-memory | Daniel Stenberg | 2020-03-16 | 1 | -0/+1
  Torture testing 2034 and 2037 found this.
  Reported-by: Marc Hörsken
  Fixes #5108
  Closes #5109
* ci/tests: fix Azure Pipelines not running for pull requests | Marc Hoersken | 2020-03-16 | 1 | -2/+10
  Closes #5111
* gskit: update the copyright year range | Daniel Stenberg | 2020-03-15 | 1 | -1/+1
  Follow-up from 083603c63a3
* gskit: use our internal select wrapper for portability | Marc Hoersken | 2020-03-15 | 1 | -2/+1
  Follow up to c52b342
  Closes #5106
* tests: fix verification of stdout in test 1452 due to newline | Marc Hoersken | 2020-03-15 | 1 | -1/+3
  Fixes test1452:41:1: error: missing </stdout> tag before </verify>
* ci/tests: install impacket for SMB tests on FreeBSD using CirrusCI | Marc Hoersken | 2020-03-15 | 1 | -1/+2
  Also force the package index/cache to be updated before installing.
  Closes #5103
* tests/README: add note about manually installing python-impacket | Marc Hoersken | 2020-03-15 | 1 | -0/+9
  Follow up to 4be2560
* transfer: cap retries of "dead connections" to 5 | Daniel Stenberg | 2020-03-15 | 2 | -1/+7
  When libcurl retries a connection due to it being "seemingly dead" or by REFUSED_STREAM, it will now only do it up to five times before giving up, to avoid never-ending loops.
  Reported-by: Dima Tisnek
  Bug: https://curl.haxx.se/mail/lib-2020-03/0044.html
  Closes #5074
* TODO: TLS-PSK with OpenSSL | Daniel Stenberg | 2020-03-15 | 1 | -0/+10
  Closes #5081
* select: add 'timeout_ms' wrap-around precaution to Curl_select | Marc Hoersken | 2020-03-15 | 1 | -0/+6
* select: fix 'pending_ms' is assigned a value that is never used | Marc Hoersken | 2020-03-15 | 1 | -5/+5
  Detected by Codacy
* select: move duplicate select preparation code into Curl_select | Marc Hoersken | 2020-03-15 | 2 | -81/+89
  Reviewed by Daniel Stenberg
  Reviewed by Marcel Raad
  Closes #5078
* connect: happy eyeballs cleanup | Daniel Stenberg | 2020-03-15 | 2 | -53/+51
  Make sure each separate index in conn->tempaddr[] is used for a fixed family (and only that family) during the connection process.
  If family one takes a long time and family two fails immediately, the previous logic could misbehave and retry the same family two address repeatedly.
  Reported-by: Paul Vixie
  Reported-by: Jay Satiro
  Fixes #5083
  Fixes #4954
  Closes #5089
* ci/tests: fix and align setting TFLAGS for make test-nonflaky | Marc Hoersken | 2020-03-15 | 1 | -18/+20
* ci/tests: install test suite dependencies stunnel and impacket | Marc Hoersken | 2020-03-15 | 1 | -1/+16
* tests: remove python_dependencies for smbserver from our tree | Marc Hoersken | 2020-03-15 | 17 | -18137/+14
  Users of the SMB tests will have to install impacket manually.
  Reasoning: our in-tree version of impacket was quite outdated and only compatible with Python 2 which is already end-of-life. Upgrading to Python 3 and a compatible impacket version would require to import additional Python-only and CPython-extension dependencies. This would have hindered portability enormously.
  Closes #5094
* Makefile.m32: Improve windres parameter compatibility | Jay Satiro | 2020-03-14 | 3 | -3/+3
  - s/COFF/coff/
  Some versions of windres do not recognize uppercase COFF as a valid way to specify the COFF output format.
  Reported-by: Steven Penny
  Fixes https://github.com/curl/curl/issues/5099
  Closes https://github.com/curl/curl/pull/5101
* easy: Fix curl_easy_duphandle for builds missing IPv6 that use c-ares | Jay Satiro | 2020-03-14 | 1 | -8/+19
  - Ignore CURLE_NOT_BUILT_IN errors returned by c-ares functions in curl_easy_duphandle.
  Prior to this change if c-ares was used as the resolver backend and either it was too old or libcurl was built without IPv6 support then some of our resolver functions could return CURLE_NOT_BUILT_IN to curl_easy_duphandle causing it to fail.
  Caused by c8f086b which shipped in 7.69.1.
  Reported-by: Karl Chen
  Fixes https://github.com/curl/curl/issues/5097
  Closes https://github.com/curl/curl/pull/5100
* docs: add warnings about FILE: URLs on Windows | Daniel Stenberg | 2020-03-13 | 3 | -2/+35
  - --url man page section
  - libcurl-security.3 gets the full text
  - CURLOPT_URL.3
  Reported-by: Tim Sedlmeyer
* server/getpart: make the "XML-parser" stricter | Daniel Stenberg | 2020-03-13 | 3 | -12/+21
  When extracting a <section> <part> and there's no </part> before </section>, this now outputs an error and returns a wrong string to make users spot the mistake.
  Ref: #5070
  Closes #5071
* impacket: some more Python 3 code compatibility updates | Marc Hoersken | 2020-03-13 | 3 | -13/+18
  This makes smbserver load on Python 3, but still not work completely.
* smbserver: pin Python version to 2 since we are not yet 3 compatible | Marc Hoersken | 2020-03-13 | 1 | -1/+1
  Even though the existing code can be fixed to run on Python 3, the tests will fail due to the Unicode transition the protocol is invalid.
  Follow up to ee63837
  Closes #5085
* cleanup: fix some text/comment typos | Viktor Szakats | 2020-03-12 | 4 | -5/+5
  Closes #5087
* smbserver: fix Python version specific ConfigParser import | Marc Hoersken | 2020-03-12 | 2 | -5/+5
  Follow up to ee63837 and 8c7c4a6
  Fixes #5077
* RELEASE-NOTES: synced | Daniel Stenberg | 2020-03-11 | 2 | -63/+21
  bumped to 7.69.2
* tests/data: Fix some XML formatting issues in test cases | Dan Fandrich | 2020-03-11 | 3 | -3/+3
  This allows these test files to pass xmllint.
* Makefile: run the cd commands in a subshell | Muhammad Herdiansyah | 2020-03-11 | 1 | -11/+11
  In bmake, if the directory is changed (with cd or anything else), bmake won't return to the "root directory" on the next command (in the same Makefile rule). This commit runs the cd command in a subshell so it would work in bmake.
  Closes #5073
* configure: convert -I to -isystem as a last step | Daniel Stenberg | 2020-03-11 | 2 | -5/+6
  As all the -I uses in CFLAGS at that point are for system headers and third party libraries this helps us remove/ignore warnings on those!
  Closes #5060
* configure: fix -pedantic-errors for GCC 5 and later | Daniel Stenberg | 2020-03-11 | 1 | -13/+13
  If --enable-werror is used.
  Follow-up to d5c0351055d5709da which added it too early in the configure script before $compiler_num was set correctly and thus this option was never used.
  Reported-by: Stepan Efremov
  Fixes #5067
  Closes #5068
* configure: document 'compiler_num' for gcc | Daniel Stenberg | 2020-03-11 | 1 | -3/+12
  The CURL_CHECK_COMPILER_GNU_C function sets the number to MAJOR*100 + MINOR and ignores the patch version, and since gcc version 7 it only sets it to MAJOR*100.
  Reported-by: Stepan Efremov
  Ref: #5067
  Closes #5069
* RELEASE-NOTES: 7.69.1 [curl-7_69_1] | Daniel Stenberg | 2020-03-11 | 1 | -9/+11
* THANKS: from the 7.69.1 release | Daniel Stenberg | 2020-03-11 | 1 | -0/+6
* test1129: fix invalid case of closing XML-tag and Content-Length | Marc Hoersken | 2020-03-10 | 1 | -6/+5
  Fixes #5070
  Closes #5072
* tests/data: fix static ip instead of dynamic value being used | Marc Hoersken | 2020-03-10 | 2 | -4/+4
  Follow up to 94ced8e
* tests/data: fix static ip:port instead of dynamic values being used | Marc Hoersken | 2020-03-10 | 5 | -9/+9
  Closes #5065
* tests/server: fix missing use of exe_ext helper function | Marc Hoersken | 2020-03-10 | 2 | -2/+10
  Follow up to 9819984 and 3dce984
  Reviewed-By: Daniel Stenberg
  Closes #5064
* runtests: log minimal and maximal used port numbers | Marc Hoersken | 2020-03-10 | 1 | -0/+7
* sftp: fix segfault regression introduced by #4747 | Jim Fuller | 2020-03-09 | 3 | -17/+72
  This fix adds a defensive check for the case where the char *name in struct libssh2_knownhost is NULL
  Fixes #5041
  Closes #5062
* RELEASE-NOTES: synced | Daniel Stenberg | 2020-03-08 | 1 | -4/+24