summaryrefslogtreecommitdiff
path: root/lib
Commit message (Collapse)AuthorAgeFilesLines
* connect: fix building for recent versions of MinixSevan Janiyan2018-11-291-1/+1
| | | | | | | | EBADIOCTL doesn't exist on more recent Minix. There have also been substantial changes to the network stack. Fixes build on Minix 3.4rc Closes https://github.com/curl/curl/pull/3323
* doh: fix typo in infof callDaniel Gustafsson2018-11-261-1/+1
| | | | Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* curl_easy_perform: fix timeout handlingDaniel Stenberg2018-11-253-5/+30
| | | | | | | | | | | | | curl_multi_wait() was erroneously used from within curl_easy_perform(). It could lead to it believing there was no socket to wait for and then instead sleep for a while instead of monitoring the socket and then miss acting on that activity as swiftly as it should (causing an up to 1000 ms delay). Reported-by: Antoni Villalonga Fixes #3305 Closes #3306 Closes #3308
* cookies: create the cookiejar even if no cookies to saveDaniel Stenberg2018-11-231-34/+28
| | | | | | | | | | | Important for when the file is going to be read again and thus must not contain old contents! Adds test 327 to verify. Reported-by: daboul on github Fixes #3299 Closes #3300
* checksrc: ban snprintf use, add command line flag to override warnsDaniel Stenberg2018-11-231-0/+27
|
* snprintf: renamed and we now only use msnprintf()Daniel Stenberg2018-11-2351-402/+394
| | | | | | | | | | | The function does not return the same value as snprintf() normally does, so readers may be mislead into thinking the code works differently than it actually does. A different function name makes this easier to detect. Reported-by: Tomas Hoger Assisted-by: Daniel Gustafsson Fixes #3296 Closes #3297
* host names: allow trailing dot in name resolve, then strip itTobias Hintze2018-11-222-28/+55
| | | | | | | Delays stripping of trailing dots to after resolving the hostname. Fixes #3022 Closes #3222
* openssl: support session resume with TLS 1.3Michael Kaufmann2018-11-211-42/+102
| | | | | | | | | | | | | | | | | | | | | | | Session resumption information is not available immediately after a TLS 1.3 handshake. The client must wait until the server has sent a session ticket. Use OpenSSL's "new session" callback to get the session information and put it into curl's session cache. For TLS 1.3 sessions, this callback will be invoked after the server has sent a session ticket. The "new session" callback is invoked only if OpenSSL's session cache is enabled, so enable it and use the "external storage" mode which lets curl manage the contents of the session cache. A pointer to the connection data and the sockindex are now saved as "SSL extra data" to make them available to the callback. This approach also works for old SSL/TLS versions and old OpenSSL versions. Reviewed-by: Daniel Stenberg <daniel@haxx.se> Fixes #3202 Closes #3271
* ssl: fix compilation with OpenSSL 0.9.7Michael Kaufmann2018-11-211-2/+2
| | | | | | | - ENGINE_cleanup() was used without including "openssl/engine.h" - enable engine support for OpenSSL 0.9.7 Closes #3266
* openssl: disable TLS renegotiation with BoringSSLDaniel Stenberg2018-11-211-1/+8
| | | | | | | | | | | | Since we're close to feature freeze, this change disables this feature with an #ifdef. Define ALLOW_RENEG at build-time to enable. This could be converted to a bit for CURLOPT_SSL_OPTIONS to let applications opt-in this. Concern-raised-by: David Benjamin Fixes #3283 Closes #3293
* ares: remove fd from multi fd set when ares is about to close the fdRomain Fliedel2018-11-208-23/+45
| | | | | | | | | | | | | | | | | | | When using c-ares for asyn dns, the dns socket fd was silently closed by c-ares without curl being aware. curl would then 'realize' the fd has been removed at next call of Curl_resolver_getsock, and only then notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with CURL_POLL_REMOVE. At this point the fd is already closed. By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this patch allows curl to be notified that the fd is not longer needed for neither for write nor read. At this point by calling Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE before the fd is actually closed by ares. In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore since it does not allow passing a different sock_state_cb_data Closes #3238
* ntlm: Remove redundant ifdef USE_OPENSSLpkubaj2018-11-201-16/+6
| | | | | | | | | | | | | | | | | | | lib/curl_ntlm.c had code that read as follows: #ifdef USE_OPENSSL # ifdef USE_OPENSSL # else # .. # endif #endif Remove the redundant USE_OPENSSL along with #else (it's not possible to reach it anyway). The removed construction is a leftover from when the SSLeay support was removed. Closes #3269 Reviewed-by: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* ssl: replace all internal uses of CURLE_SSL_CACERTHan Han2018-11-206-17/+17
| | | | Closes #3291
* openssl: Remove SSLEAY leftoversDaniel Gustafsson2018-11-172-3/+1
| | | | | | | | | Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't compatible with the SSLeay library. This removes the few leftovers that were omitted in the less frequently used platform targets. Closes #3270 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* http_negotiate: do not close connection until negotiation is completedElia Tufarolo2018-11-162-1/+8
| | | | | | Fix HTTP POST using CURLAUTH_NEGOTIATE. Closes #3275
* pop3: only do APOP with a valid timestampDaniel Stenberg2018-11-161-2/+10
| | | | | | Brought-by: bobmitchell1956 on github Fixes #3278 Closes #3279
* openssl: do not log excess "TLS app data" lines for TLS 1.3Peter Wu2018-11-161-17/+11
| | | | | | | | | | | | | | | The SSL_CTX_set_msg_callback callback is not just called for the Handshake or Alert protocols, but also for the raw record header (SSL3_RT_HEADER) and the decrypted inner record type (SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid excess debug spam when using `curl -v` against a TLSv1.3-enabled server: * TLSv1.3 (IN), TLS app data, [no content] (0): (Following this message, another callback for the decrypted handshake/alert messages will be be present anyway.) Closes https://github.com/curl/curl/pull/3281
* nss: remove version selecting dead codebagder/nss-max-tlsKamil Dudka2018-11-131-14/+1
| | | | Closes #3262
* nss: set default max-tls to 1.3/1.2Daniel Stenberg2018-11-131-1/+5
| | | | Fixes #3261
* nss: fix fallthrough comment to fix picky compiler warningDaniel Stenberg2018-11-121-1/+1
|
* ftp: avoid two unsigned int overflows in FTP listing parserTim Rühsen2018-11-091-1/+1
| | | | | | | | | Curl_ftp_parselist: avoid unsigned integer overflows The overflow has no real world impact, just avoid it for "best practice". Closes #3225
* openssl: support BoringSSL TLS renegotiationJérémy Rocher2018-11-091-0/+4
| | | | | | | | | | | | | | | | | | | | | As per BoringSSL porting documentation [1], BoringSSL rejects peer renegotiations by default. curl fails when trying to authenticate to server through client certificate if it is requested by server after the initial TLS handshake. Enable renegotiation by default with BoringSSL to get same behavior as with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2] which was introduced in commit 1d5ef3bb1eb9 [3]. 1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation 2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482 3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86 Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com> Fixes #3258 Closes #3259
* setopt: add CURLOPT_CURLUJim Fuller2018-11-094-6/+35
| | | | | | Allows an application to pass in a pre-parsed URL via a URL handle. Closes #3227
* winssl: be consistent in Schannel capitalizationDaniel Gustafsson2018-11-072-5/+4
| | | | | | | | The productname from Microsoft is "Schannel", but in infof/failf reporting we use "schannel". This removes different versions. Closes #3243 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* urlapi: only skip encoding the first '=' with APPENDQUERY setDaniel Stenberg2018-11-071-1/+6
| | | | | | | | | APPENDQUERY + URLENCODE would skip all equals signs but now it only skip encoding the first to better allow "name=content" for any content. Reported-by: Alexey Melnichuk Fixes #3231 Closes #3231
* url: a short host name + port is not a schemeDaniel Stenberg2018-11-062-2/+4
| | | | | | | | | | | | | | | | | | | The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Also fixed test203 to use file_pwd to make it get the correct path on windows. Removed test 2070 since it was a duplicate of 203. Assisted-by: Marcel Raad Reported-by: Hagai Auro Fixes #3220 Fixes #3233 Closes #3223 Closes #3235
* libcurl: stop reading from paused transfersSangamkar2018-11-061-0/+5
| | | | | | | In the transfer loop it would previously not acknwledge the pause bit and continue until drained or loop ended. Closes #3240
* curl_multibyte: fix a malloc overcalculationJay Satiro2018-11-061-6/+6
| | | | | | | | Prior to this change twice as many bytes as necessary were malloc'd when converting wchar to UTF8. To allay confusion in the future I also changed the variable name for the amount of bytes from len to bytes. Closes https://github.com/curl/curl/pull/3209
* netrc: don't ignore the login name specified with "--user"Michael Kaufmann2018-11-053-33/+35
| | | | | | | | | | | | - for "--netrc", don't ignore the login/password specified with "--user", only ignore the login/password in the URL. This restores the netrc behaviour of curl 7.61.1 and earlier. - fix the documentation of CURL_NETRC_REQUIRED - improve the detection of login/password changes when reading .netrc - don't read .netrc if both login and password are already set Fixes #3213 Closes #3224
* Revert "url: a short host name + port is not a scheme"Daniel Stenberg2018-11-051-1/+1
| | | | | | | This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2. This commit caused test failures on appveyor/windows. Work on fixing them is in #3235.
* infof: clearly indicate truncationDaniel Gustafsson2018-11-031-1/+12
| | | | | | | | | | | | | | | | | | The internal buffer in infof() is limited to 2048 bytes of payload plus an additional byte for NULL termination. Servers with very long error messages can however cause truncation of the string, which currently isn't very clear, and leads to badly formatted output. This appends a "...\n" (or just "..." in case the format didn't with a newline char) marker to the end of the string to clearly show that it has been truncated. Also include a unittest covering infof() to try and catch any bugs introduced in this quite important function. Closes #3216 Reviewed-by: Daniel Stenberg <daniel@haxx.se> Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
* url: a short host name + port is not a schemeDaniel Stenberg2018-11-031-1/+1
| | | | | | | | | | | | The function identifying a leading "scheme" part of the URL considered a few letters ending with a colon to be a scheme, making something like "short:80" to become an unknown scheme instead of a short host name and a port number. Extended test 1560 to verify. Reported-by: Hagai Auro Fixes #3220 Closes #3223
* URL: fix IPv6 numeral address parserDaniel Stenberg2018-11-031-2/+6
| | | | | | | | Regression from 46e164069d1a52. Extended test 1560 to verify. Reported-by: tpaukrt on github Fixes #3218 Closes #3219
* mprintf: avoid unsigned integer overflow warningTim Rühsen2018-11-021-1/+1
| | | | | | | | The overflow has no real world impact. Just avoid it for "best practice". Code change suggested by "The Infinnovation Team" and Daniel Stenberg. Closes #3184
* Curl_follow: accept non-supported schemes for "fake" redirectsDaniel Stenberg2018-11-021-1/+2
| | | | | | | | | | When not actually following the redirect and the target URL is only stored for later retrieval, curl always accepted "non-supported" schemes. This was a regression from 46e164069d1a5230. Reported-by: Brad King Fixes #3210 Closes #3215
* axtls: removedDaniel Stenberg2018-11-019-817/+6
| | | | | | | | | | As has been outlined in the DEPRECATE.md document, the axTLS code has been disabled for 6 months and is hereby removed. Use a better supported TLS library! Assisted-by: Daniel Gustafsson Closes #3194
* schannel: make CURLOPT_CERTINFO support using Issuer chainmarcosdiazr2018-11-011-8/+64
| | | | Closes #3197
* schannel: use Curl_ prefix for global private symbolsDaniel Stenberg2018-11-013-4/+4
| | | | | | | Curl_verify_certificate() must use the Curl_ prefix since it is globally available in the lib and otherwise steps outside of our namespace! Closes #3201
* vtls: add MesaLink to curl_sslbackend enumDaniel Gustafsson2018-10-301-1/+1
| | | | | | | | | MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the backend was never added to the curl_sslbackend enum in curl/curl.h. This adds the new backend to the enum and updates the relevant docs. Closes #3195 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* Curl_auth_create_plain_message: fix too-large-input-checkDaniel Stenberg2018-10-291-1/+1
| | | | | | CVE-2018-16839 Reported-by: Harry Sintonen Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
* Curl_close: clear data->multi_easy on free to avoid use-after-freeDaniel Stenberg2018-10-291-1/+3
| | | | | | | | Regression from b46cfbc068 (7.59.0) CVE-2018-16840 Reported-by: Brian Carpenter (Geeknik Labs) Bug: https://curl.haxx.se/docs/CVE-2018-16840.html
* rand: add comment to skip a clang-tidy false positiveDaniel Stenberg2018-10-271-1/+3
|
* x509asn1: always check return code from getASN1Element()Daniel Stenberg2018-10-271-32/+102
|
* Makefile: add 'tidy' target that runs clang-tidyDaniel Stenberg2018-10-271-0/+8
| | | | | | Available in the root, src and lib dirs. Closes #3163
* x509asn1: suppress left shift on signed valuePatrick Monnerat2018-10-271-2/+2
| | | | | | | | Use an unsigned variable: as the signed operation behavior is undefined, this change silents clang-tidy about it. Ref: https://github.com/curl/curl/pull/3163 Reported-By: Daniel Stenberg
* multi: Fix error handling in the SENDPROTOCONNECT stateMichael Kaufmann2018-10-271-1/+1
| | | | | | | If Curl_protocol_connect() returns an error code, handle the error instead of switching to the next state. Closes #3170
* openssl: output the correct cipher list on TLS 1.3 errorDaniel Stenberg2018-10-271-1/+1
| | | | | | | | | When failing to set the 1.3 cipher suite, the wrong string pointer would be used in the error message. Most often saying "(nil)". Reported-by: Ricky-Tigg on github Fixes #3178 Closes #3180
* ssh: free the session on init failuresDaniel Gustafsson2018-10-261-1/+1
| | | | | | | | | | | | | Ensure to clear the session object in case the libssh2 initialization fails. It could be argued that the libssh2 error function should be called to get a proper error message in this case. But since the only error path in libssh2_knownhost_init() is memory a allocation failure it's safest to avoid since the libssh2 error handling allocates memory. Closes #3179 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
* openssl: make 'done' a proper booleanDaniel Gustafsson2018-10-261-6/+6
| | | | Closes #3176
* gtls: Values stored to but never readDaniel Stenberg2018-10-261-9/+7
| | | | | | Detected by clang-tidy Closes #3176
View Lorry Controller Status