summaryrefslogtreecommitdiff
path: root/lib/doh.c
Commit message (Collapse)AuthorAgeFilesLines
* dynbuf: introduce internal generic dynamic buffer functionsDaniel Stenberg2020-05-041-63/+29
| | | | | | | | | | | | | A common set of functions instead of many separate implementations for creating buffers that can grow when appending data to them. Existing functionality has been ported over. In my early basic testing, the total number of allocations seem at roughly the same amount as before, possibly a few less. See docs/DYNBUF.md for a description of the API. Closes #5300
* doh: Constify some input pointersRikard Falkeborn2020-04-281-12/+14
| | | | Closes #5306
* schannel: add "best effort" revocation check optionJohannes Schindelin2020-03-181-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and --ssl-revoke-best-effort to allow a "best effort" revocation check. A best effort revocation check ignores errors that the revocation check was unable to take place. The reasoning is described in detail below and discussed further in the PR. --- When running e.g. with Fiddler, the schannel backend fails with an unhelpful error message: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Sadly, many enterprise users who are stuck behind MITM proxies suffer the very same problem. This has been discussed in plenty of issues: https://github.com/curl/curl/issues/3727, https://github.com/curl/curl/issues/264, for example. In the latter, a Microsoft Edge developer even made the case that the common behavior is to ignore issues when a certificate has no recorded distribution point for revocation lists, or when the server is offline. This is also known as "best effort" strategy and addresses the Fiddler issue. Unfortunately, this strategy was not chosen as the default for schannel (and is therefore a backend-specific behavior: OpenSSL seems to happily ignore the offline servers and missing distribution points). To maintain backward-compatibility, we therefore add a new flag (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option (`--ssl-revoke-best-effort`) to select the new behavior. Due to the many related issues Git for Windows and GitHub Desktop, the plan is to make this behavior the default in these software packages. The test 2070 was added to verify this behavior, adapted from 310. Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com> Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes https://github.com/curl/curl/pull/4981
* cleanup: fix typos and wording in docs and commentsPedro Monreal2020-02-021-2/+2
| | | | | Closes #4869 Reviewed-by: Emil Engler and Daniel Gustafsson
* doh: make it behave when built without proxy supportDaniel Stenberg2019-12-121-16/+18
| | | | | | | Reported-by: Marcel Raad Bug: https://github.com/curl/curl/pull/4692#issuecomment-564115734 Closes #4704
* build: Disable Visual Studio warning "conditional expression is constant"Jay Satiro2019-12-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Disable warning C4127 "conditional expression is constant" globally in curl_setup.h for when building with Microsoft's compiler. This mainly affects building with the Visual Studio project files found in the projects dir. Prior to this change the cmake and winbuild build systems already disabled 4127 globally for when building with Microsoft's compiler. Also, 4127 was already disabled for all build systems in the limited circumstance of the WHILE_FALSE macro which disabled the warning specifically for while(0). This commit removes the WHILE_FALSE macro and all other cruft in favor of disabling globally in curl_setup. Background: We have various macros that cause 0 or 1 to be evaluated, which would cause warning C4127 in Visual Studio. For example this causes it: #define Curl_resolver_asynch() 1 Full behavior is not clearly defined and inconsistent across versions. However it is documented that since VS 2015 Update 3 Microsoft has addressed this somewhat but not entirely, not warning on while(true) for example. Prior to this change some C4127 warnings occurred when I built with Visual Studio using the generated projects in the projects dir. Closes https://github.com/curl/curl/pull/4658
* doh: use dedicated probe slotsNiall2019-11-281-40/+44
| | | | | | ... to easier allow additional DNS transactions. Closes #4629
* doh: improced both encoding and decodingNiall2019-11-161-24/+52
| | | | | | | | | | | Improved estimation of expected_len and updated related comments; increased strictness of QNAME-encoding, adding error detection for empty labels and names longer than the overall limit; avoided treating DNAME as unexpected; updated unit test 1655 with more thorough set of proofs and tests Closes #4598
* url: make Curl_close() NULLify the pointer tooDaniel Stenberg2019-10-301-9/+5
| | | | | | | This is the common pattern used in the code and by a unified approach we avoid mistakes. Closes #4534
* doh: allow only http and https in debug modePaul Dreik2019-09-231-0/+3
| | | | | | | | | | Otherwise curl may be told to use for instance pop3 to communicate with the doh server, which most likely is not what you want. Found through fuzzing. Closes #4406
* doh: return early if there is no time leftPaul Dreik2019-09-231-1/+4
| | | | Closes #4406
* doh: avoid truncating DNS QTYPE to lower octetNiall O'Reilly2019-09-191-2/+4
| | | | Closes #4381
* doh: clean up dangling DOH handles and memory on easy closeDaniel Stenberg2019-09-161-5/+6
| | | | | | | | | If you set the same URL for target as for DoH (and it isn't a DoH server), like "https://example.com" in both, the easy handles used for the DoH requests could be left "dangling" and end up not getting freed. Reported-by: Paul Dreik Closes #4366
* doh: fix undefined behaviour and open up for gcc and clang optimizationPaul Dreik2019-09-151-2/+8
| | | | | | | | | | | | The undefined behaviour is annoying when running fuzzing with sanitizers. The codegen is the same, but the meaning is now not up for dispute. See https://cppinsights.io/s/516a2ff4 By incrementing the pointer first, both gcc and clang recognize this as a bswap and optimizes it to a single instruction. See https://godbolt.org/z/994Zpx Closes #4350
* doh: fix (harmless) buffer overrunPaul Dreik2019-09-151-2/+15
| | | | | | | | Added unit test case 1655 to verify. Close #4352 the code correctly finds the flaws in the old code, if one temporarily restores doh.c to the old version.
* lib: reduce variable scopesMarcel Raad2019-05-201-3/+4
| | | | | | Fixes Codacy/CppCheck warnings. Closes https://github.com/curl/curl/pull/3872
* doh: CURL_DISABLE_DOHDaniel Stenberg2019-05-131-0/+4
|
* doh: inherit some SSL options from user's easy handleJay Satiro2019-03-111-3/+68
| | | | | | | | | | | | | | | | | | | | | | | | - Inherit SSL options for the doh handle but not SSL client certs, SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, SSL pinned public key, SSL ciphers, SSL id cache setting, SSL kerberos or SSL gss-api settings. - Fix inheritance of verbose setting. - Inherit NOSIGNAL. There is no way for the user to set options for the doh (DNS-over-HTTPS) handles and instead we inherit some options from the user's easy handle. My thinking for the SSL options not inherited is they are most likely not intended by the user for the DOH transfer. I did inherit insecure because I think that should still be in control of the user. Prior to this change doh did not work for me because CAINFO was not inherited. Also verbose was set always which AFAICT was a bug (#3660). Fixes https://github.com/curl/curl/issues/3660 Closes https://github.com/curl/curl/pull/3661
* printf: fix format specifiersRikard Falkeborn2019-01-041-2/+2
| | | | Closes #3426
* doh: fix memory leak in OOM situationDaniel Stenberg2018-12-061-3/+4
| | | | | Reviewed-by: Daniel Gustafsson Closes #3342
* doh: make it work for h2-disabled builds tooDaniel Stenberg2018-12-051-26/+2
| | | | | | Reported-by: dtmsecurity at github Fixes #3325 Closes #3336
* doh: fix typo in infof callDaniel Gustafsson2018-11-261-1/+1
| | | | Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* snprintf: renamed and we now only use msnprintf()Daniel Stenberg2018-11-231-3/+3
| | | | | | | | | | | The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
* travis: add build for "configure --disable-verbose"Daniel Stenberg2018-10-181-0/+8
| | | | Closes #3144
* doh: keep the IPv4 address in (original) network byte orderDaniel Stenberg2018-10-051-10/+9
| | | | | | | | Ideally this will fix the reversed order shown in SPARC tests: resp 8: Expected 127.0.0.1 got 1.0.0.127 Closes #3091
* doh: make sure TTL isn't re-inited by second (discarded?) responseDaniel Stenberg2018-10-041-3/+8
| | | | Closes #3092
* doh: fix curl_easy_setopt argument typeMarcel Raad2018-10-021-1/+1
| | | | | CURLOPT_POSTFIELDSIZE is long. Fixes a compiler warning on 64-bit MinGW.
* doh: only build if h2 enabledDaniel Stenberg2018-09-301-1/+29
| | | | | | | | The DoH spec says "HTTP/2 [RFC7540] is the minimum RECOMMENDED version of HTTP for use with DoH". Reported-by: Marcel Raad Closes #3066
* doh: minor edits to please CoverityDaniel Stenberg2018-09-071-2/+5
| | | | | | | The gcc typecheck macros and coverity combined made it warn on the 2nd argument for ERROR_CHECK_SETOPT(). Here's minor rearrange to please it. Coverity CID 1439115 and CID 1439114.
* DOH: add test case 1650 and 2100Daniel Stenberg2018-09-061-65/+27
|
* setopt: add CURLOPT_DOH_URLDaniel Stenberg2018-09-061-0/+915
Closes #2668
View Lorry Controller Status