Daniel Stenberg [Fri, 6 Oct 2017 15:20:54 +0000 (17:20 +0200)]
pingpong: return error when trying to send without connection
When imap_done() got called before a connection is setup, it would try
to "finish up" and dereffed a NULL pointer.
Test case 1553 managed to reproduce. I had to actually use a host name
to try to resolve to slow it down, as using the normal local server IP
will make libcurl get a connection in the first curl_multi_perform()
loop and then the bug doesn't trigger.
Viktor Szakats [Fri, 6 Oct 2017 07:37:42 +0000 (07:37 +0000)]
lib/config-win32.h: let SMB/SMBS be enabled with OpenSSL/NSS
The source code is now prepared to handle the case when both
Win32 Crypto and OpenSSL/NSS crypto backends are enabled
at the same time, making it now possible to enable `USE_WIN32_CRYPTO`
whenever the targeted Windows version supports it. Since this
matches the minimum Windows version supported by curl
(Windows 2000), enable it unconditionally for the Win32 platform.
This in turn enables SMB (and SMBS) protocol support whenever
Win32 Crypto is available, regardless of what other crypto backends
are enabled.
Viktor Szakats [Wed, 4 Oct 2017 15:57:19 +0000 (15:57 +0000)]
lib/Makefile.m32: allow customizing dll suffixes
- New `CURL_DLL_SUFFIX` envvar will add a suffix to the generated
libcurl dll name. Useful to add `-x64` to 64-bit builds so that
it can live in the same directory as the 32-bit one. By default
this is empty.
- New `CURL_DLL_A_SUFFIX` envvar to customize the suffix of the
generated import library (implib) for libcurl .dll. It defaults
to `dll`, and it's useful to modify that to `.dll` to have the
standard naming scheme for mingw-built .dlls, i.e. `libcurl.dll.a`.
Michael Kaufmann [Sun, 24 Sep 2017 12:08:29 +0000 (14:08 +0200)]
vtls: compare and clone ssl configs properly
Compare these settings in Curl_ssl_config_matches():
- verifystatus (CURLOPT_SSL_VERIFYSTATUS)
- random_file (CURLOPT_RANDOM_FILE)
- egdsocket (CURLOPT_EGDSOCKET)
Also copy the setting "verifystatus" in Curl_clone_primary_ssl_config(),
and copy the setting "sessionid" unconditionally.
This means that reusing connections that are secured with a client
certificate is now possible, and the statement "TLS session resumption
is disabled when a client certificate is used" in the old advisory at
https://curl.haxx.se/docs/adv_20170419.html is obsolete.
Daniel Stenberg [Tue, 3 Oct 2017 05:59:55 +0000 (07:59 +0200)]
examples: bring back curl_formadd-using examples
... now with a -formadd suffix. While the new mime API is introduced in
7.56.0 we must acknowledge that lots of users can't upgrade their curl
versions immediately.
Dan Fandrich [Fri, 29 Sep 2017 23:20:56 +0000 (01:20 +0200)]
Set and use more necessary options when some protocols are disabled
When curl and libcurl are built with some protocols disabled, they stop
setting and receiving some options that don't make sense with those
protocols. In particular, when HTTP is disabled many options aren't set
that are used only by HTTP. However, some options that appear to be
HTTP-only are actually used by other protocols as well (some despite
having HTTP in the name) and should be set, but weren't. This change now
causes some of these options to be set and used for more (or for all)
protocols. In particular, this fixes tests 646 through 649 in an
HTTP-disabled build, which use the MIME API in the mail protocols.
Michael Kaufmann [Sun, 24 Sep 2017 13:02:12 +0000 (15:02 +0200)]
reuse_conn: don't copy flags that are known to be equal
A connection can only be reused if the flags "conn_to_host" and
"conn_to_port" match. Therefore it is not necessary to copy these flags
in reuse_conn().
Viktor Szakats [Tue, 12 Sep 2017 18:14:00 +0000 (18:14 +0000)]
metalink: fix NSS issue in MultiSSL builds
In MultiSSL mode (i.e. when more than one SSL backend is compiled
in), we cannot use the compile time flag `USE_NSS` as indicator that
the NSS backend is in use. As far as Metalink is concerned, the SSL
backend is only used for MD5, SHA-1 and SHA-256 calculations,
therefore one of the available SSL backends is selected at compile
time, in a strict order of preference.
Let's introduce a new `HAVE_NSS_CONTEXT` constant that can be used
to determine whether the SSL backend used for Metalink is the NSS
backend, and use that to guard the code that wants to de-initialize
the NSS-specific data structure.
Viktor Szakats [Wed, 30 Aug 2017 21:10:38 +0000 (21:10 +0000)]
ntlm: use strict order for SSL backend #if branches
With the recently introduced MultiSSL support multiple SSL backends
can be compiled into cURL That means that now the order of the SSL
One option would be to use the same SSL backend as was configured
via `curl_global_sslset()`, however, NTLMv2 support would appear
to be available only with some SSL backends. For example, when eb88d778e (ntlm: Use Windows Crypt API, 2014-12-02) introduced
support for NTLMv1 using Windows' Crypt API, it specifically did
*not* introduce NTLMv2 support using Crypt API at the same time.
So let's select one specific SSL backend for NTLM support when
compiled with multiple SSL backends, using a priority order such
that we support NTLMv2 even if only one compiled-in SSL backend can
be used for that.
In some cases the RSA key does not support verifying it because it's
located on a smart card, an engine wants to hide it, ...
Check the flags on the key before trying to verify it.
OpenSSL does the same thing internally; see ssl/ssl_rsa.c
Max Dymond [Mon, 11 Sep 2017 19:51:58 +0000 (20:51 +0100)]
ossfuzz: changes before merging the generated corpora
Before merging in the oss-fuzz corpora from Google, there are some changes
to the fuzzer.
- Add a read corpus script, to display corpus files nicely.
- Change the behaviour of the fuzzer so that TLV parse failures all now
go down the same execution paths, which should reduce the size of the
corpora.
- Make unknown TLVs a failure to parse, which should decrease the size
of the corpora as well.
Daniel Stenberg [Sun, 17 Sep 2017 22:55:07 +0000 (00:55 +0200)]
cookies: reject oversized cookies
... instead of truncating them.
There's no fixed limit for acceptable cookie names in RFC 6265, but the
entire cookie is said to be less than 4096 bytes (section 6.1). This is
also what browsers seem to implement.
We now allow max 5000 bytes cookie header. Max 4095 bytes length per
cookie name and value. Name + value together may not exceed 4096 bytes.
Added test 1151 to verify
Bug: https://curl.haxx.se/mail/lib-2017-09/0062.html Reported-by: Kevin Smith
Closes #1894
Jay Satiro [Mon, 18 Sep 2017 07:07:57 +0000 (03:07 -0400)]
socks: fix incorrect port number in SOCKS4 error message
Prior to this change it appears the SOCKS5 port parsing was erroneously
used for the SOCKS4 error message, and as a result an incorrect port
would be shown in the error message.
Marc Aldorasi [Fri, 15 Sep 2017 17:00:05 +0000 (13:00 -0400)]
schannel: Support partial send for when data is too large
Schannel can only encrypt a certain amount of data at once. Instead of
failing when too much data is to be sent at once, send as much data as
we can and let the caller send the remaining data by calling send again.
David Benjamin [Fri, 15 Sep 2017 22:36:40 +0000 (18:36 -0400)]
openssl: add missing includes
lib/vtls/openssl.c uses OpenSSL APIs from BUF_MEM and BIO APIs. Include
their headers directly rather than relying on other OpenSSL headers
including things.
Now that the form API is deprecated and not used anymore in curl tool,
a lot of its features left untested. Test 650 attempts to check all these
features not tested elsewhere.
Jay Satiro [Wed, 6 Sep 2017 22:04:16 +0000 (18:04 -0400)]
configure: fix curl_off_t check's include order
- Prepend srcdir include path instead of append.
Prior to this change it was possible that during the check for the size
of curl_off_t the include path of a user's already installed curl could
come before the include path of the to-be-built curl, resulting in the
system.h of the former being incorrectly included for that check.