summaryrefslogtreecommitdiff
path: root/lib/setopt.c
Commit message (Collapse)AuthorAgeFilesLines
* schannel: add "best effort" revocation check optionJohannes Schindelin2020-03-181-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Implement new option CURLSSLOPT_REVOKE_BEST_EFFORT and --ssl-revoke-best-effort to allow a "best effort" revocation check. A best effort revocation check ignores errors that the revocation check was unable to take place. The reasoning is described in detail below and discussed further in the PR. --- When running e.g. with Fiddler, the schannel backend fails with an unhelpful error message: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate. Sadly, many enterprise users who are stuck behind MITM proxies suffer the very same problem. This has been discussed in plenty of issues: https://github.com/curl/curl/issues/3727, https://github.com/curl/curl/issues/264, for example. In the latter, a Microsoft Edge developer even made the case that the common behavior is to ignore issues when a certificate has no recorded distribution point for revocation lists, or when the server is offline. This is also known as "best effort" strategy and addresses the Fiddler issue. Unfortunately, this strategy was not chosen as the default for schannel (and is therefore a backend-specific behavior: OpenSSL seems to happily ignore the offline servers and missing distribution points). To maintain backward-compatibility, we therefore add a new flag (`CURLSSLOPT_REVOKE_BEST_EFFORT`) and a new option (`--ssl-revoke-best-effort`) to select the new behavior. Due to the many related issues Git for Windows and GitHub Desktop, the plan is to make this behavior the default in these software packages. The test 2070 was added to verify this behavior, adapted from 310. Based-on-work-by: georgeok <giorgos.n.oikonomou@gmail.com> Co-authored-by: Markus Olsson <j.markus.olsson@gmail.com> Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Closes https://github.com/curl/curl/pull/4981
* ares: store dns parameters for duphandleErnst Sjöstrand2020-03-071-4/+20
| | | | | | | | | | | With c-ares the dns parameters lives in ares_channel. Store them in the curl handle and set them again in easy_duphandle. Regression introduced in #3228 (6765e6d), shipped in curl 7.63.0. Fixes #4893 Closes #5020 Signed-off-by: Ernst Sjöstrand <ernst.sjostrand@verisure.com>
* cleanup: comment typosDaniel Stenberg2020-02-211-1/+1
| | | | | | Spotted by 'codespell' Closes #4957
* smtp: Allow RCPT TO command to fail for some recipientsPavel Volgarev2020-01-211-1/+5
| | | | | | | | Introduces CURLOPT_MAIL_RCPT_ALLLOWFAILS. Verified with the new tests 3002-3007 Closes #4816
* lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAINJay Satiro2019-12-051-0/+1
| | | | | | | | | | | | | Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS and OS400 package spec. Also I added the option to the NameValue list in the tool even though it isn't exposed as a command-line option (...yet?). (NameValue stringizes the option name for the curl cmd -> libcurl source generator) Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN. Ref: https://github.com/curl/curl/pull/4655
* setopt: Fix ALPN / NPN user option when built without HTTP2Jay Satiro2019-12-051-2/+0
| | | | | | | | | | | | | | | | - Stop treating lack of HTTP2 as an unknown option error result for CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN. Prior to this change it was impossible to disable ALPN / NPN if libcurl was built without HTTP2. Setting either option would result in CURLE_UNKNOWN_OPTION and the respective internal option would not be set. That was incorrect since ALPN and NPN are used independent of HTTP2. Reported-by: Shailesh Kapse Fixes https://github.com/curl/curl/issues/4668 Closes https://github.com/curl/curl/pull/4672
* openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chainsDaniel Stenberg2019-12-031-0/+1
| | | | Closes #4655
* cookies: change argument type for Curl_flush_cookiesDaniel Stenberg2019-10-031-1/+1
| | | | | | | The second argument is really a 'bool' so use that and pass in TRUE/FALSE to make it clear. Closes #4455
* setopt: handle ALTSVC set to NULLDaniel Stenberg2019-09-271-1/+2
|
* setopt: store CURLOPT_RTSP_SERVER_CSEQ correctlyDaniel Stenberg2019-09-201-1/+1
| | | | | Fixes bug detected by PVS-Studio Fixes #4374
* setopt: make it easier to add new enum valuesZenju2019-09-121-7/+7
| | | | | | ... by using the *_LAST define names better. Closes #4321
* CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2Daniel Stenberg2019-08-201-21/+5
| | | | | | | | For a long time (since 7.28.1) we've returned error when setting the value to 1 to make applications notice that we stopped supported the old behavior for 1. Starting now, we treat 1 and 2 exactly the same. Closes #4241
* CURLOPT_H3: removedDaniel Stenberg2019-08-091-7/+0
| | | | | | There's no use for this anymore and it was never in a release. Closes #4206
* CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directlyDaniel Stenberg2019-08-081-2/+6
| | | | | | | | | | | | Even though it cannot fall-back to a lower HTTP version automatically. The safer way to upgrade remains via CURLOPT_ALTSVC. CURLOPT_H3 no longer has any bits that do anything and might be removed before we remove the experimental label. Updated the curl tool accordingly to use "--http3". Closes #4197
* sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZIDSteve Holme2019-08-061-0/+6
| | | | | | | | | | | | | | | | | Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes #3653 Closes #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes https://github.com/curl/curl/pull/4186
* HTTP3: initial (experimental) supportDaniel Stenberg2019-07-211-0/+8
| | | | | | | | | USe configure --with-ngtcp2 or --with-quiche Using either option will enable a HTTP3 build. Co-authored-by: Alessandro Ghedini <alessandro@ghedini.me> Closes #3500
* libcurl: Restrict redirect schemes (follow-up)Jay Satiro2019-07-171-2/+1
| | | | | | | | | | | | - Allow FTPS on redirect. - Update default allowed redirect protocols in documentation. Follow-up to 6080ea0. Ref: https://github.com/curl/curl/pull/4094 Closes https://github.com/curl/curl/pull/4115
* os400: make vsetopt() non-static as Curl_vsetopt() for os400 support.Patrick Monnerat2019-06-161-3/+6
| | | | | | | | Use it in curl_easy_setopt_ccsid(). Reported-by: jonrumsey on github Fixes #3833 Closes #4028
* Revert all SASL authzid (new feature) commitsJay Satiro2019-05-251-6/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | - Revert all commits related to the SASL authzid feature since the next release will be a patch release, 7.65.1. Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined for the next release, assuming it would be a feature release 7.66.0. However instead the next release will be a patch release, 7.65.1 and will not contain any new features. After the patch release after the reverted commits can be restored by using cherry-pick: git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 Details for all reverted commits: Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. Revert "tests: Fix the line endings for the SASL alt-auth tests" This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177.
* sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZIDSteve Holme2019-05-221-0/+6
| | | | | | | | | | Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixed #3653 Closes #3790
* libcurl: #ifdef away more code for disabled features/protocolsDaniel Stenberg2019-05-171-85/+112
|
* hostip: CURL_DISABLE_SHUFFLE_DNSDaniel Stenberg2019-05-171-0/+2
|
* proxy: acknowledge DISABLE_PROXY moreDaniel Stenberg2019-05-131-4/+22
|
* wildcard: disable from build when FTP isn't presentDaniel Stenberg2019-05-131-0/+2
|
* ssh: define USE_SSH if SSH is enabled (any backend)Daniel Stenberg2019-05-061-2/+2
| | | | Closes #3846
* CURL_MAX_INPUT_LENGTH: largest acceptable string input sizeDaniel Stenberg2019-04-291-0/+7
| | | | | | | | | | | | | | | | | This limits all accepted input strings passed to libcurl to be less than CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: curl_easy_setopt() and curl_url_set(). The 8000000 number is arbitrary picked and is meant to detect mistakes or abuse, not to limit actual practical use cases. By limiting the acceptable string lengths we also reduce the risk of integer overflows all over. NOTE: This does not apply to `CURLOPT_POSTFIELDS`. Test 1559 verifies. Closes #3805
* CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuseDaniel Stenberg2019-04-211-0/+6
| | | | | | | | | ... and disconnect too old ones instead of trying to reuse. Default max age is set to 118 seconds. Ref: #3722 Closes #3782
* CURLOPT_ADDRESS_SCOPE: fix range check and moretmilburn2019-04-131-6/+9
| | | | | | | | | | | | | | | | | Commit 9081014 fixed most of the confusing issues between scope id and scope however 844896d added bad limits checking assuming that the scope is being set and not the scope id. I have fixed the documentation so it all refers to scope ids. In addition Curl_if2ip refered to the scope id as remote_scope_id which is incorrect, so I renamed it to local_scope_id. Adjusted-by: Daniel Stenberg Closes #3655 Closes #3765 Fixes #3713
* CURLOPT_DNS_USE_GLOBAL_CACHE: removeDaniel Stenberg2019-04-111-5/+1
| | | | | | | | Remove the code too. The functionality has been disabled in code since 7.62.0. Setting this option will from now on simply be ignored and have no function. Closes #3654
* alt-svc: the libcurl bitsDaniel Stenberg2019-03-031-0/+26
|
* urldata: convert bools to bitfields and move to endDaniel Stenberg2019-02-271-5/+9
| | | | | | | | | | | | This allows the compiler to pack and align the structs better in memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. Removed an unused struct field. No functionality changes. Closes #3610
* cleanup: make local functions staticDaniel Stenberg2019-02-101-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | urlapi: turn three local-only functions into statics conncache: make conncache_find_first_connection static multi: make detach_connnection static connect: make getaddressinfo static curl_ntlm_core: make hmac_md5 static http2: make two functions static http: make http_setup_conn static connect: make tcpnodelay static tests: make UNITTEST a thing to mark functions with, so they can be static for normal builds and non-static for unit test builds ... and mark Curl_shuffle_addr accordingly. url: make up_free static setopt: make vsetopt static curl_endian: make write32_le static rtsp: make rtsp_connisdead static warnless: remove unused functions memdebug: remove one unused function, made another static
* setopt: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libsshFelix Hädicke2019-01-241-2/+1
| | | | | | | | | CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION are supported for libssh as well. So accepting these options only when compiling with libssh2 is wrong here. Fixes #3493 Closes #3494
* urldata: rename easy_conn to just connDaniel Stenberg2019-01-111-11/+11
| | | | | | | | | | | | | | | We use "conn" everywhere to be a pointer to the connection. Introduces two functions that "attaches" and "detaches" the connection to and from the transfer. Going forward, we should favour using "data->conn" (since a transfer always only has a single connection or none at all) to "conn->data" (since a connection can have none, one or many transfers associated with it and updating conn->data to be correct is error prone and a frequent reason for internal issues). Closes #3442
* http: added options for allowing HTTP/0.9 responsesDaniel Stenberg2018-12-211-0/+6
| | | | | | | | | | | | Added CURLOPT_HTTP09_ALLOWED and --http0.9 for this purpose. For now, both the tool and library allow HTTP/0.9 by default. docs/DEPRECATE.md lays out the plan for when to reverse that default: 6 months after the 7.64.0 release. The options are added already now so that applications/scripts can start using them already now. Fixes #2873 Closes #3383
* http: Implement trailing headers for chunked transfersAyoub Boudhar2018-12-141-0/+10
| | | | | | | | | | | | | This adds the CURLOPT_TRAILERDATA and CURLOPT_TRAILERFUNCTION options that allow a callback based approach to sending trailing headers with chunked transfers. The test server (sws) was updated to take into account the detection of the end of transfer in the case of trailing headers presence. Test 1591 checks that trailing headers can be sent using libcurl. Closes #3350
* cookies: leave secure cookies aloneDaniel Gustafsson2018-12-131-2/+2
| | | | | | | | | | | Only allow secure origins to be able to write cookies with the 'secure' flag set. This reduces the risk of non-secure origins to influence the state of secure origins. This implements IETF Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates RFC6265. Closes #2956 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* setopt: add CURLOPT_CURLUJim Fuller2018-11-091-0/+6
| | | | | | Allows an application to pass in a pre-parsed URL via a URL handle. Closes #3227
* curl_easy_upkeep: removed 'conn' from the nameDaniel Stenberg2018-09-071-1/+1
| | | | | | | ... including the associated option. Fixes #2951 Closes #2952
* upkeep: add a connection upkeep API: curl_easy_conn_upkeep()Max Dymond2018-09-071-0/+6
| | | | | | | | | Add functionality so that protocols can do custom keepalive on their connections, when an external API function is called. Add docs for the new options in 7.62.0 Closes #1641
* CURLOPT_UPLOAD_BUFFERSIZE: set upload buffer sizeDaniel Stenberg2018-09-061-0/+16
| | | | | | | This is step 3 of #2888. Fixes #2888 Closes #2896
* setopt: add CURLOPT_DOH_URLDaniel Stenberg2018-09-061-0/+5
| | | | Closes #2668
* CURLOPT_DNS_USE_GLOBAL_CACHE: deprecatedDaniel Stenberg2018-09-061-0/+2
| | | | | | | | Disable the CURLOPT_DNS_USE_GLOBAL_CACHE option and mark it for deprecation and complete removal in six months. Bug: https://curl.haxx.se/mail/lib-2018-09/0010.html Closes #2942
* url: default to CURL_HTTP_VERSION_2TLS if built h2-enabledDaniel Stenberg2018-09-051-0/+2
| | | | Closes #2709
* vtls: reinstantiate engine on duplicated handlesLaurent Bonnans2018-08-181-2/+7
| | | | | | | | | | | | Handles created with curl_easy_duphandle do not use the SSL engine set up in the original handle. This fixes the issue by storing the engine name in the internal url state and setting the engine from its name inside curl_easy_duphandle. Reported-by: Anton Gerasimov Signed-of-by: Laurent Bonnans Fixes #2829 Closes #2833
* option: disallow username in URLBjörn Stenberg2018-05-311-0/+4
| | | | | | | Adds CURLOPT_DISALLOW_USERNAME_IN_URL and --disallow-username-in-url. Makes libcurl reject URLs with a username in them. Closes #2340
* setopt: add TLS 1.3 ciphersuitesDaniel Stenberg2018-05-291-0/+19
| | | | | | | | | | Adds CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS. curl: added --tls13-ciphers and --proxy-tls13-ciphers Fixes #2435 Reported-by: zzq1015 on github Closes #2607
* psl: use latest psl and refresh it periodicallyPatrick Monnerat2018-05-281-1/+10
| | | | | | | | | | | The latest psl is cached in the multi or share handle. It is refreshed before use after 72 hours. New share lock CURL_LOCK_DATA_PSL controls the psl cache sharing. If the latest psl is not available, the builtin psl is used. Reported-by: Yaakov Selkowitz Fixes #2553 Closes #2601
* vtls: use unified "supports" bitfield member in backendsDaniel Stenberg2018-05-041-7/+7
| | | | | | | ... instead of previous separate struct fields, to make it easier to extend and change individual backends without having to modify them all. closes #2547
* urldata: make service names unconditionalMarcel Raad2018-04-161-5/+1
| | | | | | | | | | | The ifdefs have become quite long. Also, the condition for the definition of CURLOPT_SERVICE_NAME and for setting it from CURLOPT_SERVICE_NAME have diverged. We will soon also need the two options for NTLM, at least when using SSPI, for https://github.com/curl/curl/pull/1660. Just make the definitions unconditional to make that easier. Closes https://github.com/curl/curl/pull/2479