granicus.if.org Git - curl/log
curl
6 years ago - cookies: leave secure cookies alone
Daniel Gustafsson [Thu, 13 Dec 2018 08:57:58 +0000 (09:57 +0100)]
cookies: leave secure cookies alone

Only allow secure origins to be able to write cookies with the
'secure' flag set. This reduces the risk of non-secure origins
influencing the state of secure origins. This implements IETF
Internet-Draft draft-ietf-httpbis-cookie-alone-01 which updates
RFC6265.

Closes #2956
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
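
The acceptance rule this commit describes, written out as an added C example (not curl's cookie.c): a cookie carrying the Secure attribute is only stored when it arrives over a secure origin, and, as the same Internet-Draft also requires, a non-secure origin may not overwrite or shadow an existing Secure cookie. The struct layout, the tiny in-memory jar, the function names and the simplified string-based domain/path matching are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define JAR_MAX 16

/* Constructed minimal cookie record (assumption: not curl's struct Cookie). */
struct cookie {
    char name[32];
    char domain[64];
    char path[64];
    int secure;  /* 1 when the cookie carries the Secure attribute */
};

struct jar {
    struct cookie c[JAR_MAX];
    int n;
};

/* Does an existing Secure cookie cover the candidate?  A plain prefix
 * comparison stands in for RFC 6265 domain/path matching here. */
static int shadowed_by_secure(const struct jar *j, const struct cookie *cand)
{
    int i;
    for(i = 0; i < j->n; i++) {
        const struct cookie *e = &j->c[i];
        if(e->secure && !strcmp(e->name, cand->name) &&
           !strcmp(e->domain, cand->domain) &&
           !strncmp(e->path, cand->path, strlen(e->path)))
            return 1;
    }
    return 0;
}

/* Store 'cand' received from an origin; secure_origin is 1 for https.
 * Returns 1 if the cookie was stored, 0 if the jar was left alone. */
static int jar_set(struct jar *j, const struct cookie *cand, int secure_origin)
{
    int i;
    /* Rule 1 (this commit): only a secure origin may set a Secure cookie. */
    if(cand->secure && !secure_origin)
        return 0;
    /* Rule 2 (same draft): a non-secure origin may not clobber or shadow
     * an existing Secure cookie. */
    if(!secure_origin && shadowed_by_secure(j, cand))
        return 0;
    /* Same name/domain/path replaces the stored cookie, otherwise append. */
    for(i = 0; i < j->n; i++) {
        struct cookie *e = &j->c[i];
        if(!strcmp(e->name, cand->name) && !strcmp(e->domain, cand->domain) &&
           !strcmp(e->path, cand->path)) {
            *e = *cand;
            return 1;
        }
    }
    if(j->n == JAR_MAX)
        return 0;
    j->c[j->n++] = *cand;
    return 1;
}

/* Constructed scenario: a session cookie set over https, then responses
 * received over plain http try to replace it.  Returns how many of the
 * four Set-Cookie attempts were accepted. */
static int build_scenario(struct jar *j)
{
    struct cookie sid_secure = { "sid", "example.com", "/", 1 };
    struct cookie sid_plain  = { "sid", "example.com", "/", 0 };
    struct cookie theme      = { "theme", "example.com", "/", 0 };
    int accepted = 0;
    j->n = 0;
    accepted += jar_set(j, &sid_secure, 1); /* https sets Secure sid: stored */
    accepted += jar_set(j, &sid_secure, 0); /* http sends Secure: rejected */
    accepted += jar_set(j, &sid_plain, 0);  /* http shadows sid: rejected */
    accepted += jar_set(j, &theme, 0);      /* http sets unrelated: stored */
    return accepted;
}

int scenario_accepted(void)
{
    struct jar j;
    return build_scenario(&j);
}

/* 1 when the https-set sid survived untouched and only 'theme' joined it. */
int scenario_sid_intact(void)
{
    struct jar j;
    build_scenario(&j);
    return j.n == 2 && j.c[0].secure && !strcmp(j.c[1].name, "theme");
}

int main(void)
{
    printf("accepted %d of 4, secure sid intact: %d\n",
           scenario_accepted(), scenario_sid_intact());
    return 0;
}
```

Running the scenario accepts two of the four attempts: the two that arrive over http and touch the Secure "sid" cookie are dropped, so a plain-http response cannot change what the https site later reads back.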
6 years ago - docs: fix the --tls-max description
Daniel Stenberg [Wed, 12 Dec 2018 10:48:56 +0000 (11:48 +0100)]
docs: fix the --tls-max description

Reported-by: Tobias Lindgren
Pointed out in #3367

Closes #3368

6 years ago - urlapi: Fix port parsing of eol colon
Daniel Gustafsson [Wed, 12 Dec 2018 10:45:09 +0000 (11:45 +0100)]
urlapi: Fix port parsing of eol colon

A URL with a single colon without a portnumber should use the default
port, discarding the colon. Fix, add a testcase and also do a little bit
of comment wordsmithing.

Closes #3365
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years ago - RELEASE-NOTES: 7.63.0 (tag: curl-7_63_0)
Daniel Stenberg [Wed, 12 Dec 2018 07:12:27 +0000 (08:12 +0100)]
RELEASE-NOTES: 7.63.0

6 years ago - THANKS: from the curl 7.62.0 cycle
Daniel Stenberg [Wed, 12 Dec 2018 07:12:27 +0000 (08:12 +0100)]
THANKS: from the curl 7.62.0 cycle

6 years ago - test1519: use lib1518 and test CURLINFO_REDIRECT_URL more
Daniel Stenberg [Tue, 11 Dec 2018 15:36:07 +0000 (16:36 +0100)]
test1519: use lib1518 and test CURLINFO_REDIRECT_URL more

6 years ago - Curl_follow: extract the Location: header field unvalidated
Daniel Stenberg [Tue, 11 Dec 2018 15:08:51 +0000 (16:08 +0100)]
Curl_follow: extract the Location: header field unvalidated

... when not actually following the redirect. Otherwise we return error
for this and an application can't extract the value.

Test 1518 added to verify.

Reported-by: Pavel Pavlov
Fixes #3340
Closes #3364

6 years ago - multi: convert two timeout variables to timediff_t
Daniel Stenberg [Tue, 11 Dec 2018 11:52:21 +0000 (12:52 +0100)]
multi: convert two timeout variables to timediff_t

The time_t type is unsigned on some systems and these variables are used
to hold return values from functions that return timediff_t
already. timediff_t is always a signed type.

Closes #3363

6 years ago - delta: use --diff-filter on the git diff-tree invokes
Daniel Stenberg [Tue, 11 Dec 2018 14:25:52 +0000 (15:25 +0100)]
delta: use --diff-filter on the git diff-tree invokes

Suggested-by: Dave Reisner
6 years ago - documentation: curl_formadd field and file names are now escaped
Patrick Monnerat [Tue, 11 Dec 2018 14:21:10 +0000 (15:21 +0100)]
documentation: curl_formadd field and file names are now escaped

Prior to 7.56.0, fieldnames and filenames were set in Content-Disposition
header without special processing: this may lead to invalid RFC 822
quoted-strings.
7.56.0 introduces escaping of backslashes and double quotes in these names:
mention it in the documentation.

Reported-by: daboul on github
Closes #3361

6 years ago - scripts/delta: show repo delta info from last release
Daniel Stenberg [Tue, 11 Dec 2018 14:06:21 +0000 (15:06 +0100)]
scripts/delta: show repo delta info from last release

... where "last release" should be the git tag in the repo.

6 years ago - tests: add urlapi unittest
Daniel Gustafsson [Tue, 11 Dec 2018 14:02:24 +0000 (15:02 +0100)]
tests: add urlapi unittest

This adds a new unittest intended to cover the internal functions in
the urlapi code, starting with parse_port(). In order to avoid name
collisions in debug builds, parse_port() is renamed Curl_parse_port()
since it will be exported.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
6 years ago - urlapi: fix portnumber parsing for ipv6 zone index
Daniel Gustafsson [Tue, 11 Dec 2018 14:02:19 +0000 (15:02 +0100)]
urlapi: fix portnumber parsing for ipv6 zone index

An IPv6 URL which contains a zone index includes a '%25<zone id>'
string before the ending ']' bracket. The parsing logic wasn't set
up to cope with the zone index however, resulting in a malformed url
error being returned. Fix by breaking the parsing into two stages
to correctly handle the zone index.

Closes #3355
Closes #3319
Reported-by: tonystz on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
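
Both urlapi fixes above concern the same host[:port] split: a bare trailing colon ("example.com:") must fall back to the scheme's default port, and a bracketed IPv6 literal with a zone index ("[fe80::1%25eth0]:8080") must have its port read after the closing bracket rather than at the first colon. The following added C example (not curl's Curl_parse_port; function names, the default-port parameter and the two-stage bracket handling are assumptions) implements that split and rejects the malformed shapes a parser must not accept silently: unterminated brackets, junk after the bracket, non-numeric or out-of-range ports.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Split 'in' into host (copied into 'host', at most hostlen-1 chars) and
 * port.  'defport' is the scheme default used when no port is given or when
 * the colon is followed by nothing.  Returns 0 on success, -1 if malformed. */
static int split_hostport(const char *in, int defport,
                          char *host, size_t hostlen, int *port)
{
    const char *hstart = in, *hend, *p;
    long val = 0;

    if(*in == '[') {
        /* Stage 1: IPv6 literal.  Everything up to ']' is the host, which
         * keeps any "%25<zone>" suffix intact for the resolver. */
        hstart = in + 1;
        hend = strchr(hstart, ']');
        if(!hend)
            return -1;                 /* unterminated bracket */
        p = hend + 1;
    }
    else {
        /* Stage 2: plain name or IPv4 literal, the first ':' ends the host. */
        hend = strchr(in, ':');
        if(!hend)
            hend = in + strlen(in);
        p = hend;
    }
    if(hend == hstart || (size_t)(hend - hstart) >= hostlen)
        return -1;                     /* empty host or no room to copy it */
    memcpy(host, hstart, (size_t)(hend - hstart));
    host[hend - hstart] = '\0';

    if(*p == '\0') {                   /* no port part at all */
        *port = defport;
        return 0;
    }
    if(*p != ':')
        return -1;                     /* junk after ']' */
    p++;
    if(*p == '\0') {                   /* "host:" -> default port */
        *port = defport;
        return 0;
    }
    if(!isdigit((unsigned char)*p))
        return -1;
    while(isdigit((unsigned char)*p)) {
        val = val * 10 + (*p - '0');
        if(val > 65535)
            return -1;                 /* out of range; also bounds the loop */
        p++;
    }
    if(*p != '\0')
        return -1;                     /* trailing garbage after the digits */
    *port = (int)val;
    return 0;
}

/* Helpers returning plain ints: the parsed port, or -1 when rejected. */
int port_of(const char *in, int defport)
{
    char host[128];
    int port;
    return split_hostport(in, defport, host, sizeof host, &port) == 0 ? port : -1;
}

/* 1 when 'in' parses and its host part equals 'expected'. */
int host_is(const char *in, const char *expected)
{
    char host[128];
    int port;
    return split_hostport(in, 80, host, sizeof host, &port) == 0 &&
           strcmp(host, expected) == 0;
}

int main(void)
{
    printf("example.com:        -> %d\n", port_of("example.com:", 80));
    printf("[fe80::1%%25eth0]:8080 -> %d\n", port_of("[fe80::1%25eth0]:8080", 80));
    printf("example.com:99999   -> %d\n", port_of("example.com:99999", 80));
    return 0;
}
```

The value of doing the bracket stage first is that the zone index can contain a colon-free but otherwise arbitrary interface name, and the port digits are only ever read after the bracket closes.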
6 years ago - http: fix HTTP auth to include query in URI
Jay Satiro [Mon, 10 Dec 2018 00:34:47 +0000 (19:34 -0500)]
http: fix HTTP auth to include query in URI

- Include query in the path passed to generate HTTP auth.

Recent changes to use the URL API internally (46e1640, 7.62.0)
inadvertently broke authentication URIs by omitting the query.

Fixes https://github.com/curl/curl/issues/3353
Closes #3356

6 years ago - http: don't set CURLINFO_CONDITION_UNMET for http status code 204
Michael Kaufmann [Mon, 10 Dec 2018 16:30:31 +0000 (17:30 +0100)]
http: don't set CURLINFO_CONDITION_UNMET for http status code 204

The http status code 204 (No Content) should not change the "condition
unmet" flag. Only the http status code 304 (Not Modified) should do
this.

Closes #359

6 years ago - ldap: fix LDAP URL parsing regressions
Samuel Surtees [Tue, 11 Dec 2018 10:15:15 +0000 (20:15 +1000)]
ldap: fix LDAP URL parsing regressions

- Match URL scheme with LDAP and LDAPS
- Retrieve attributes, scope and filter from URL query instead

Regression brought in 46e164069d1a5230 (7.62.0)

Closes #3362

6 years ago - RELEASE-NOTES: synced
Daniel Stenberg [Sun, 9 Dec 2018 23:26:55 +0000 (00:26 +0100)]
RELEASE-NOTES: synced

6 years ago - (lib)curl.rc: fixup for minor bugs
Stefan Kanthak [Fri, 7 Dec 2018 15:39:35 +0000 (16:39 +0100)]
(lib)curl.rc: fixup for minor bugs

All resources defined in lib/libcurl.rc and curl.rc are language
neutral.

winbuild/MakefileBuild.vc ALWAYS defines the macro DEBUGBUILD, so the
ifdef's in line 33 of lib/libcurl.rc and src/curl.rc are wrong.

Replace the hard-coded constants in both *.rc files with #define'd
values.

Thumbs-uped-by: Rod Widdowson, Johannes Schindelin
URL: https://curl.haxx.se/mail/lib-2018-11/0000.html
Closes #3348

6 years ago - test329: verify cookie max-age=0 immediate expiry
Daniel Stenberg [Sat, 8 Dec 2018 16:50:09 +0000 (17:50 +0100)]
test329: verify cookie max-age=0 immediate expiry

6 years ago - cookies: expire "Max-Age=0" immediately
Daniel Stenberg [Sat, 8 Dec 2018 16:29:55 +0000 (17:29 +0100)]
cookies: expire "Max-Age=0" immediately

Reported-by: Jeroen Ooms
Fixes #3351
Closes #3352

6 years ago - Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1
Johannes Schindelin [Fri, 7 Dec 2018 16:04:39 +0000 (17:04 +0100)]
Upon HTTP_1_1_REQUIRED, retry the request with HTTP/1.1

This is a companion patch to cbea2fd2c (NTLM: force the connection to
HTTP/1.1, 2018-12-06): with NTLM, we can switch to HTTP/1.1
preemptively. However, with other (Negotiate) authentication it is not
clear to this developer whether there is a way to make it work with
HTTP/2, so let's try HTTP/2 first and fall back in case we encounter the
error HTTP_1_1_REQUIRED.

Note: we will still keep the NTLM workaround, as it avoids an extra
round trip.

Daniel Stenberg helped a lot with this patch, in particular by
suggesting to introduce the Curl_h2_http_1_1_error() function.

Closes #3349

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
6 years ago - openssl: fix unused variable compiler warning with old openssl
Ben Greear [Fri, 7 Dec 2018 10:31:08 +0000 (11:31 +0100)]
openssl: fix unused variable compiler warning with old openssl

URL: https://curl.haxx.se/mail/lib-2018-11/0055.html

Closes #3347

6 years ago - NTLM: force the connection to HTTP/1.1
Johannes Schindelin [Thu, 6 Dec 2018 16:26:13 +0000 (17:26 +0100)]
NTLM: force the connection to HTTP/1.1

Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
the capability. However, NTLM authentication only works with HTTP/1.1,
and will likely remain in that boat (for details, see
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).

When we just found out that we want to use NTLM, and when the current
connection runs in HTTP/2 mode, let's force the connection to be closed
and to be re-opened using HTTP/1.1.

Fixes https://github.com/curl/curl/issues/3341.
Closes #3345

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
6 years ago - curl_global_sslset(): id == -1 is not necessarily an error
Johannes Schindelin [Thu, 6 Dec 2018 16:18:43 +0000 (17:18 +0100)]
curl_global_sslset(): id == -1 is not necessarily an error

It is allowed to call that function with id set to -1, specifying the
backend by the name instead. We should imitate what is done further down
in that function to allow for that.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Closes #3346

6 years ago - .gitattributes: make tabs in indentation a visible error
Johannes Schindelin [Thu, 6 Dec 2018 19:20:32 +0000 (20:20 +0100)]
.gitattributes: make tabs in indentation a visible error

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
6 years ago - RELEASE-NOTES: synced
Daniel Stenberg [Thu, 6 Dec 2018 09:02:09 +0000 (10:02 +0100)]
RELEASE-NOTES: synced

6 years ago - doh: fix memory leak in OOM situation
Daniel Stenberg [Wed, 5 Dec 2018 14:21:27 +0000 (15:21 +0100)]
doh: fix memory leak in OOM situation

Reviewed-by: Daniel Gustafsson
Closes #3342

6 years ago - doh: make it work for h2-disabled builds too
Daniel Stenberg [Mon, 3 Dec 2018 10:51:52 +0000 (11:51 +0100)]
doh: make it work for h2-disabled builds too

Reported-by: dtmsecurity at github
Fixes #3325
Closes #3336

6 years ago - packages: remove old leftover files and dirs
Daniel Stenberg [Fri, 30 Nov 2018 15:01:32 +0000 (16:01 +0100)]
packages: remove old leftover files and dirs

This subdir has mostly become an attic of never-used cruft from the
past.

Closes #3331

6 years ago - openssl: do not use file BIOs if not requested
Gergely Nagy [Mon, 3 Dec 2018 16:34:57 +0000 (17:34 +0100)]
openssl: do not use file BIOs if not requested

Moves the file handling BIO calls to the branch of the code where they
are actually used.

Closes #3339

6 years ago - nss: Fix compatibility with nss versions 3.14 to 3.15
Paul Howarth [Tue, 4 Dec 2018 18:43:51 +0000 (18:43 +0000)]
nss: Fix compatibility with nss versions 3.14 to 3.15

6 years ago - nss: Improve info message when falling back SSL protocol
Paul Howarth [Tue, 4 Dec 2018 10:48:32 +0000 (10:48 +0000)]
nss: Improve info message when falling back SSL protocol

Use descriptive text strings rather than decimal numbers.

6 years ago - nss: Fall back to latest supported SSL version
Paul Howarth [Mon, 3 Dec 2018 11:42:48 +0000 (11:42 +0000)]
nss: Fall back to latest supported SSL version

NSS may be built without support for the latest SSL/TLS versions,
leading to "SSL version range is not valid" errors when the library
code supports a recent version (e.g. TLS v1.3) but it has explicitly
been disabled.

This change adjusts the maximum SSL version requested by libcurl to
be the maximum supported version at runtime, as long as that version
is at least as high as the minimum version required by libcurl.

Fixes #3261

6 years ago - travis: enable COPYRIGHTYEAR extended warning
Daniel Gustafsson [Mon, 3 Dec 2018 22:18:59 +0000 (23:18 +0100)]
travis: enable COPYRIGHTYEAR extended warning

The extended warning for checking incorrect COPYRIGHTYEAR is quite
expensive to run, so rather than expecting every developer to do it
we ensure it's turned on locally for Travis.

6 years ago - checksrc: add COPYRIGHTYEAR check
Daniel Gustafsson [Mon, 3 Dec 2018 22:13:40 +0000 (23:13 +0100)]
checksrc: add COPYRIGHTYEAR check

Forgetting to bump the year in the copyright clause when hacking has
been quite common among curl developers, but a traditional checksrc
check isn't a good fit as it would penalize anyone hacking on January
1st (among other things). This adds a more selective COPYRIGHTYEAR
check which intends to only cover the currently hacked on changeset.

The check for updated copyright year is currently not enforced on all
files but only on files edited and/or committed locally. This is due to
the amount of files which aren't updated with their correct copyright
year at the time of their respective commit.

To further avoid running this expensive check for every developer, it
adds a new local override mode for checksrc where a .checksrc file can
be used to turn on extended warnings locally.

Closes #3303
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years ago - CHECKSRC.md: document more warnings
Daniel Stenberg [Mon, 3 Dec 2018 07:25:58 +0000 (08:25 +0100)]
CHECKSRC.md: document more warnings

Closes #3335
[ci skip]

6 years ago - RELEASE-NOTES: synced
Daniel Stenberg [Fri, 30 Nov 2018 22:54:37 +0000 (23:54 +0100)]
RELEASE-NOTES: synced

6 years ago - SECURITY-PROCESS: bountygraph shuts down
Daniel Stenberg [Mon, 26 Nov 2018 10:37:49 +0000 (11:37 +0100)]
SECURITY-PROCESS: bountygraph shuts down

This backpedals back the documents to the state before bountygraph.

Closes #3311

6 years ago - curl: fix memory leak reading --writeout from file
Daniel Stenberg [Fri, 30 Nov 2018 10:59:04 +0000 (11:59 +0100)]
curl: fix memory leak reading --writeout from file

If another string had been set first, the writeout function for reading
the syntax from file would leak the previously allocated memory.

Reported-by: Brian Carpenter
Fixes #3322
Closes #3330

6 years ago - tool_main: rename function to make it unique and better
Daniel Stenberg [Fri, 30 Nov 2018 10:58:09 +0000 (11:58 +0100)]
tool_main: rename function to make it unique and better

... there's already another function in the curl tool named
free_config_fields!

6 years ago - TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry
Daniel Gustafsson [Thu, 29 Nov 2018 11:15:04 +0000 (12:15 +0100)]
TODO: remove CURLOPT_DNS_USE_GLOBAL_CACHE entry

Commit 7c5837e79280e6abb3ae143dfc49bca5e74cdd11 deprecated the option,
making it a manual code-edit operation to turn it back on. The removal
process has thus started and is now documented in docs/DEPRECATE.md, so
remove it from the TODO to avoid anyone looking for something to pick up
spending cycles on an already in-progress entry.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years ago - connect: fix building for recent versions of Minix
Sevan Janiyan [Thu, 29 Nov 2018 01:48:19 +0000 (01:48 +0000)]
connect: fix building for recent versions of Minix

EBADIOCTL doesn't exist on more recent Minix.
There have also been substantial changes to the network stack.
Fixes build on Minix 3.4rc

Closes https://github.com/curl/curl/pull/3323

6 years ago - CMake: fix MIT/Heimdal Kerberos detection
Konstantin Kushnir [Tue, 27 Nov 2018 15:12:35 +0000 (17:12 +0200)]
CMake: fix MIT/Heimdal Kerberos detection

- fix syntax error in FindGSS.cmake
- correct krb5 include directory. FindGSS exports
  "GSS_INCLUDE_DIR" variable.

Closes https://github.com/curl/curl/pull/3316

6 years ago - test328: verify Content-Encoding: none
Daniel Stenberg [Tue, 27 Nov 2018 16:30:44 +0000 (17:30 +0100)]
test328: verify Content-Encoding: none

Because of issue #3315

Closes #3317

6 years ago - configure: include all libraries in ssl-libs fetch
James Knight [Tue, 30 Oct 2018 07:17:44 +0000 (03:17 -0400)]
configure: include all libraries in ssl-libs fetch

When compiling a collection of SSL libraries to link against (SSL_LIBS),
ensure all libraries are included. The call `--libs-only-l` can produce
only a subset of what is found in a `--libs` call (e.g. pthread may be
excluded). Adding `--libs-only-other` ensures other libraries are also
included in the list. This corrects select build environments compiling
against a static version of OpenSSL. Before the change, the following
could be observed:

    checking for openssl options with pkg-config... found
    configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -lcrypto -lz -ldl "
    configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
    configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
    checking for HMAC_Update in -lcrypto... no
    checking for HMAC_Init_ex in -lcrypto... no
    checking OpenSSL linking with -ldl... no
    checking OpenSSL linking with -ldl and -lpthread... no
    configure: WARNING: SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.
    configure: WARNING: Use --with-ssl, --with-gnutls, --with-polarssl, --with-cyassl, --with-nss, --with-axtls, --with-winssl, or --with-darwinssl to address this.
    ...
    SSL support:      no      (--with-{ssl,gnutls,nss,polarssl,mbedtls,cyassl,axtls,winssl,darwinssl} )
    ...

And including the other libraries when compiling SSL_LIBS succeeds with:

    checking for openssl options with pkg-config... found
    configure: pkg-config: SSL_LIBS: "-lssl -lz -ldl -pthread -lcrypto -lz -ldl -pthread "
    configure: pkg-config: SSL_LDFLAGS: "-L/home/jdknight/<workdir>/staging/usr/lib -L/home/jdknight/<workdir>/staging/usr/lib "
    configure: pkg-config: SSL_CPPFLAGS: "-I/home/jdknight/<workdir>/staging/usr/include "
    checking for HMAC_Update in -lcrypto... yes
    checking for SSL_connect in -lssl... yes
    ...
    SSL support:      enabled (OpenSSL)
    ...

Signed-off-by: James Knight <james.d.knight@live.com>
Closes #3193

6 years ago - doh: fix typo in infof call
Daniel Gustafsson [Mon, 26 Nov 2018 10:40:26 +0000 (11:40 +0100)]
doh: fix typo in infof call

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years ago - cmdline-opts/gen.pl: define the correct varname
Daniel Gustafsson [Mon, 26 Nov 2018 08:56:49 +0000 (09:56 +0100)]
cmdline-opts/gen.pl: define the correct varname

The variable definition had a small typo making it declare another
variable than the intended one.

Closes #3304
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years ago - RELEASE-NOTES: synced
Daniel Stenberg [Sun, 25 Nov 2018 22:50:39 +0000 (23:50 +0100)]
RELEASE-NOTES: synced

6 years ago - curl_easy_perform: fix timeout handling
Daniel Stenberg [Sat, 24 Nov 2018 22:20:19 +0000 (23:20 +0100)]
curl_easy_perform: fix timeout handling

curl_multi_wait() was erroneously used from within
curl_easy_perform(). It could lead to it believing there was no socket
to wait for and then sleep for a while instead of monitoring the
socket, and then miss acting on that activity as swiftly as it should
(causing an up to 1000 ms delay).

Reported-by: Antoni Villalonga
Fixes #3305
Closes #3306
Closes #3308

6 years ago - CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times
Daniel Stenberg [Fri, 23 Nov 2018 15:55:33 +0000 (16:55 +0100)]
CURLOPT_WRITEFUNCTION.3: spell out that it gets called many times

6 years ago - cookies: create the cookiejar even if no cookies to save
Daniel Stenberg [Thu, 22 Nov 2018 12:24:02 +0000 (13:24 +0100)]
cookies: create the cookiejar even if no cookies to save

Important for when the file is going to be read again and thus must not
contain old contents!

Adds test 327 to verify.

Reported-by: daboul on github
Fixes #3299
Closes #3300

6 years ago - checksrc: ban snprintf use, add command line flag to override warns
Daniel Stenberg [Thu, 22 Nov 2018 08:00:57 +0000 (09:00 +0100)]
checksrc: ban snprintf use, add command line flag to override warns

6 years ago - snprintf: renamed and we now only use msnprintf()
Daniel Stenberg [Thu, 22 Nov 2018 08:01:24 +0000 (09:01 +0100)]
snprintf: renamed and we now only use msnprintf()

The function does not return the same value as snprintf() normally does,
so readers may be misled into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297
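
The distinction this commit draws, that snprintf() returns the length the output would have had rather than what was written, is the classic source of buffer-offset bugs in "off += snprintf(buf + off, size - off, ...)" loops. The following added C example (not curl's code, and not a reimplementation of msnprintf()) first shows how far past a 16-byte buffer the naive offset runs after one truncated piece, then a small bounded-append helper whose stored length always reflects the bytes actually in the buffer and which reports truncation instead of hiding it. struct sbuf, sbuf_appendf and the demo functions are assumed names.

```c
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* The pitfall: C99 snprintf() returns the would-be length.  This returns the
 * offset a naive accumulating loop would believe in after writing 'piece'
 * into a 16-byte buffer.  Once that value is >= 16, the loop's next call
 * would pass buf + off (out of bounds) and size - off (wrapped to a huge
 * size_t) to snprintf(); the unsafe next step is deliberately not taken. */
size_t naive_offset(const char *piece)
{
    char buf[16];
    return (size_t)snprintf(buf, sizeof buf, "%s", piece);
}

/* Bounded append buffer: len is always the number of bytes stored
 * (and always < size), so size - len never wraps. */
struct sbuf {
    char *data;
    size_t size;       /* capacity including the terminating NUL */
    size_t len;        /* bytes stored, always < size */
    int truncated;     /* set once any piece failed to fit */
};

/* Append formatted text.  Returns 1 if the whole piece was stored, 0 if it
 * was truncated (the buffer stays NUL-terminated and len stays honest). */
static int sbuf_appendf(struct sbuf *b, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t room = b->size - b->len;    /* >= 1 by the invariant above */
    va_start(ap, fmt);
    n = vsnprintf(b->data + b->len, room, fmt, ap);
    va_end(ap);
    if(n < 0) {                        /* encoding error */
        b->truncated = 1;
        return 0;
    }
    if((size_t)n >= room) {            /* would-be length did not fit */
        b->len = b->size - 1;          /* vsnprintf already wrote the NUL */
        b->truncated = 1;
        return 0;
    }
    b->len += (size_t)n;
    return 1;
}

/* Constructed scenario: assemble a request line into a 16-byte buffer. */
static void run_demo(char *store, size_t size, struct sbuf *b)
{
    b->data = store;
    b->size = size;
    b->len = 0;
    b->truncated = 0;
    sbuf_appendf(b, "GET ");
    sbuf_appendf(b, "%s", "/very/long/path/that/does/not/fit");
    sbuf_appendf(b, " HTTP/1.1");      /* no room left: rejected, len unchanged */
}

int demo_len(void)
{
    char s[16];
    struct sbuf b;
    run_demo(s, sizeof s, &b);
    return (int)b.len;
}

int demo_truncated(void)
{
    char s[16];
    struct sbuf b;
    run_demo(s, sizeof s, &b);
    return b.truncated;
}

/* 1 when the buffer holds exactly the 15 bytes that fit, NUL-terminated. */
int demo_content_ok(void)
{
    char s[16];
    struct sbuf b;
    run_demo(s, sizeof s, &b);
    return strcmp(s, "GET /very/long/") == 0 && strlen(s) == b.len;
}

int main(void)
{
    printf("naive offset after 19-byte piece into 16 bytes: %zu\n",
           naive_offset("0123456789abcdefXYZ"));
    printf("bounded: len=%d truncated=%d content ok=%d\n",
           demo_len(), demo_truncated(), demo_content_ok());
    return 0;
}
```

The helper treats a return value of at least the remaining room as a failure, which is the check the naive loop omits; a caller that sees 0 can abort the request build instead of sending a silently cut-off line.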

6 years ago - test: update test20/1322 for eglibc bug workaround
Tobias Hintze [Tue, 13 Nov 2018 14:49:28 +0000 (15:49 +0100)]
test: update test20/1322 for eglibc bug workaround

The tests 20 and 1322 are using getaddrinfo of libc for resolving. In
eglibc-2.19 there is a memory leakage and invalid free bug which
surfaces in some special circumstances (PF_UNSPEC hint with invalid or
non-existent names). The valgrind runs in testing fail in these
situations.

As the tests 20/1322 are not specific on either protocol (IPv4/IPv6)
this commit changes the hints to IPv4 protocol by passing `--ipv4` flag
on the tests' command line.  This prevents the valgrind failures.

6 years ago - host names: allow trailing dot in name resolve, then strip it
Tobias Hintze [Fri, 2 Nov 2018 20:24:14 +0000 (21:24 +0100)]
host names: allow trailing dot in name resolve, then strip it

Delays stripping of trailing dots to after resolving the hostname.

Fixes #3022
Closes #3222

6 years ago - CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description
UnknownShadow200 [Wed, 21 Nov 2018 14:56:20 +0000 (01:56 +1100)]
CURLOPT_HEADERFUNCTION.3: match 'nitems' name in synopsis and description

Closes #3295

6 years ago - configure: Fix typo in comment
Daniel Gustafsson [Wed, 21 Nov 2018 11:23:54 +0000 (12:23 +0100)]
configure: Fix typo in comment

6 years ago - openssl: support session resume with TLS 1.3
Michael Kaufmann [Wed, 14 Nov 2018 10:52:45 +0000 (11:52 +0100)]
openssl: support session resume with TLS 1.3

Session resumption information is not available immediately after a TLS 1.3
handshake. The client must wait until the server has sent a session ticket.

Use OpenSSL's "new session" callback to get the session information and put it
into curl's session cache. For TLS 1.3 sessions, this callback will be invoked
after the server has sent a session ticket.

The "new session" callback is invoked only if OpenSSL's session cache is
enabled, so enable it and use the "external storage" mode which lets curl manage
the contents of the session cache.

A pointer to the connection data and the sockindex are now saved as "SSL extra
data" to make them available to the callback.

This approach also works for old SSL/TLS versions and old OpenSSL versions.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Fixes #3202
Closes #3271

6 years ago - ssl: fix compilation with OpenSSL 0.9.7
Michael Kaufmann [Tue, 13 Nov 2018 20:41:25 +0000 (21:41 +0100)]
ssl: fix compilation with OpenSSL 0.9.7

- ENGINE_cleanup() was used without including "openssl/engine.h"
- enable engine support for OpenSSL 0.9.7

Closes #3266

6 years ago - openssl: disable TLS renegotiation with BoringSSL
Daniel Stenberg [Tue, 20 Nov 2018 22:48:30 +0000 (23:48 +0100)]
openssl: disable TLS renegotiation with BoringSSL

Since we're close to feature freeze, this change disables this feature
with an #ifdef. Define ALLOW_RENEG at build-time to enable.

This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
applications opt-in this.

Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293

6 years ago - ares: remove fd from multi fd set when ares is about to close the fd
Romain Fliedel [Mon, 5 Nov 2018 10:01:19 +0000 (11:01 +0100)]
ares: remove fd from multi fd set when ares is about to close the fd

When using c-ares for asyn dns, the dns socket fd was silently closed
by c-ares without curl being aware. curl would then 'realize' the fd
has been removed at next call of Curl_resolver_getsock, and only then
notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with
CURL_POLL_REMOVE. At this point the fd is already closed.

By using the ares socket state callback (ARES_OPT_SOCK_STATE_CB), this
patch allows curl to be notified that the fd is no longer needed
for either write or read. At this point, by calling
Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE
before the fd is actually closed by ares.

In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore
since it does not allow passing a different sock_state_cb_data.

Closes #3238

6 years ago - examples/ephiperfifo: report error when epoll_ctl fails
Romain Fliedel [Mon, 5 Nov 2018 10:46:56 +0000 (11:46 +0100)]
examples/ephiperfifo: report error when epoll_ctl fails

6 years ago - ntlm: Remove redundant ifdef USE_OPENSSL
pkubaj [Wed, 14 Nov 2018 12:12:34 +0000 (12:12 +0000)]
ntlm: Remove redundant ifdef USE_OPENSSL

lib/curl_ntlm.c had code that read as follows:

  #ifdef USE_OPENSSL
  # ifdef USE_OPENSSL
  # else
  # ..
  # endif
  #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to
reach it anyway). The removed construction is a leftover from when the
SSLeay support was removed.

Closes #3269
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years ago - ssl: replace all internal uses of CURLE_SSL_CACERT
Han Han [Tue, 20 Nov 2018 01:48:59 +0000 (17:48 -0800)]
ssl: replace all internal uses of CURLE_SSL_CACERT

Closes #3291

6 years ago - docs: add more description to unified ssl error codes
Han Han [Mon, 19 Nov 2018 23:57:44 +0000 (15:57 -0800)]
docs: add more description to unified ssl error codes

6 years ago - curle: move deprecated error code to ifndef block
Han Han [Mon, 19 Nov 2018 23:16:54 +0000 (15:16 -0800)]
curle: move deprecated error code to ifndef block

6 years ago - os400: add CURLOPT_CURLU to ILE/RPG binding.
Patrick Monnerat [Mon, 19 Nov 2018 14:23:00 +0000 (15:23 +0100)]
os400: add CURLOPT_CURLU to ILE/RPG binding.

6 years ago - os400: Add curl_easy_conn_upkeep() to ILE/RPG binding.
Patrick Monnerat [Mon, 19 Nov 2018 14:22:00 +0000 (15:22 +0100)]
os400: Add curl_easy_conn_upkeep() to ILE/RPG binding.

6 years ago - os400: fix return type of curl_easy_pause() in ILE/RPG binding.
Patrick Monnerat [Mon, 19 Nov 2018 14:19:36 +0000 (15:19 +0100)]
os400: fix return type of curl_easy_pause() in ILE/RPG binding.

6 years ago - RELEASE-NOTES: synced
Daniel Stenberg [Mon, 19 Nov 2018 13:39:59 +0000 (14:39 +0100)]
RELEASE-NOTES: synced

6 years ago - impacket: add LICENSE
Daniel Stenberg [Thu, 15 Nov 2018 14:17:58 +0000 (15:17 +0100)]
impacket: add LICENSE

The license for the impacket package was not in our tree.

Imported now from upstream's
https://github.com/SecureAuthCorp/impacket/blob/master/LICENSE

Reported-by: infinnovation-dev on github
Fixes #3276
Closes #3277

6 years ago - tool_doswin: Fix uninitialized field warning
Daniel Gustafsson [Sun, 18 Nov 2018 20:57:00 +0000 (21:57 +0100)]
tool_doswin: Fix uninitialized field warning

The partial struct initialization in 397664a065abffb7c3445ca9 caused
a warning on uninitialized MODULEENTRY32 struct members:

  /src/tool_doswin.c:681:3: warning: missing initializer for field
  'th32ModuleID' of 'MODULEENTRY32 {aka struct tagMODULEENTRY32}'
  [-Wmissing-field-initializers]

This is sort of a bogus warning as the remaining members will be set
to zero by the compiler, as all omitted members are. Nevertheless,
remove the warning by omitting all members and setting the dwSize
members explicitly.

Closes #3254
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
6 years ago - openssl: Remove SSLEAY leftovers
Daniel Gustafsson [Sat, 17 Nov 2018 20:36:10 +0000 (21:36 +0100)]
openssl: Remove SSLEAY leftovers

Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't
compatible with the SSLeay library. This removes the few leftovers that
were omitted in the less frequently used platform targets.

Closes #3270
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years ago - http_negotiate: do not close connection until negotiation is completed
Elia Tufarolo [Tue, 13 Nov 2018 17:30:56 +0000 (18:30 +0100)]
http_negotiate: do not close connection until negotiation is completed

Fix HTTP POST using CURLAUTH_NEGOTIATE.

Closes #3275

6 years ago - pop3: only do APOP with a valid timestamp
Daniel Stenberg [Thu, 15 Nov 2018 16:00:16 +0000 (17:00 +0100)]
pop3: only do APOP with a valid timestamp

Brought-by: bobmitchell1956 on github
Fixes #3278
Closes #3279

6 years ago - openssl: do not log excess "TLS app data" lines for TLS 1.3
Peter Wu [Fri, 16 Nov 2018 16:57:08 +0000 (17:57 +0100)]
openssl: do not log excess "TLS app data" lines for TLS 1.3

The SSL_CTX_set_msg_callback callback is not just called for the
Handshake or Alert protocols, but also for the raw record header
(SSL3_RT_HEADER) and the decrypted inner record type
(SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid
excess debug spam when using `curl -v` against a TLSv1.3-enabled server:

    * TLSv1.3 (IN), TLS app data, [no content] (0):

(Following this message, another callback for the decrypted
handshake/alert messages will be present anyway.)

Closes https://github.com/curl/curl/pull/3281

6 years ago - tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
Marc Hoersken [Thu, 15 Nov 2018 20:10:29 +0000 (21:10 +0100)]
tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows

SO_EXCLUSIVEADDRUSE is on by default on Vista or newer,
but does not work together with SO_REUSEADDR being on.

The default changes were made with stunnel 5.34 and 5.35.

6 years ago - nss: remove version selecting dead code
Kamil Dudka [Tue, 13 Nov 2018 22:54:56 +0000 (23:54 +0100)]
nss: remove version selecting dead code

Closes #3262

6 years ago - nss: set default max-tls to 1.3/1.2
Daniel Stenberg [Mon, 12 Nov 2018 15:22:23 +0000 (16:22 +0100)]
nss: set default max-tls to 1.3/1.2

Fixes #3261

6 years ago - tool_cb_wrt: Silence function cast compiler warning
Daniel Gustafsson [Mon, 12 Nov 2018 19:54:07 +0000 (20:54 +0100)]
tool_cb_wrt: Silence function cast compiler warning

Commit 5bfaa86ceb3c2a9ac474a928e748c4a86a703b33 introduced a new
compiler warning on Windows cross compilation with GCC. See below
for an example of the warning from the autobuild logs (whitespace
edited to fit):

/src/tool_cb_wrt.c:175:9: warning: cast from function call of type
    'intptr_t {aka long long int}' to non-matching type 'void *'
    [-Wbad-function-cast]
(HANDLE) _get_osfhandle(fileno(outs->stream)),
^

Store the return value from _get_osfhandle() in an intermediate
variable and cast the variable in WriteConsoleW() rather than the
function call directly to avoid a compiler warning.

In passing, also add inspection of the MultiByteToWideChar() return
value and return failure in case an error is reported.

Closes #3263
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Reviewed-by: Viktor Szakats <commit@vszakats.net>
6 years ago - nss: fix fallthrough comment to fix picky compiler warning
Daniel Stenberg [Mon, 12 Nov 2018 14:23:17 +0000 (15:23 +0100)]
nss: fix fallthrough comment to fix picky compiler warning

6 years ago - docs: expanded on some CURLU details
Daniel Stenberg [Sat, 10 Nov 2018 23:10:56 +0000 (00:10 +0100)]
docs: expanded on some CURLU details

6 years ago - ftp: avoid two unsigned int overflows in FTP listing parser
Tim Rühsen [Sat, 3 Nov 2018 17:49:00 +0000 (18:49 +0100)]
ftp: avoid two unsigned int overflows in FTP listing parser

Curl_ftp_parselist: avoid unsigned integer overflows

The overflow has no real world impact, just avoid it for "best
practice".

Closes #3225

6 years ago - curl: --local-port range was not "including"
Daniel Stenberg [Fri, 9 Nov 2018 09:49:14 +0000 (10:49 +0100)]
curl: --local-port range was not "including"

The end port number in a given range was not included in the range used,
as it is documented to be.

Reported-by: infinnovation-dev on github
Fixes #3251
Closes #3255

6 years ago - openssl: support BoringSSL TLS renegotiation
Jérémy Rocher [Fri, 9 Nov 2018 13:05:26 +0000 (14:05 +0100)]
openssl: support BoringSSL TLS renegotiation

As per BoringSSL porting documentation [1], BoringSSL rejects peer
renegotiations by default.

curl fails when trying to authenticate to server through client
certificate if it is requested by server after the initial TLS
handshake.

Enable renegotiation by default with BoringSSL to get same behavior as
with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2]
which was introduced in commit 1d5ef3bb1eb9 [3].

1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86

Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com>
Fixes #3258
Closes #3259

6 years ago
HISTORY: add some milestones
Daniel Stenberg [Fri, 9 Nov 2018 12:05:26 +0000 (13:05 +0100)]
HISTORY: add some milestones

Added a few of the more notable milestones in curl history that were
missing. Primarily more recent ones, but I also noted some older ones
that could be worth mentioning.

[ci skip]
Closes #3257

6 years ago
KNOWN_BUGS: add --proxy-any connection issue
Daniel Gustafsson [Fri, 9 Nov 2018 15:50:39 +0000 (16:50 +0100)]
KNOWN_BUGS: add --proxy-any connection issue

Add the identified issue with --proxy-any and proxy servers which
advertise authentication schemes other than the supported one.

Closes #876
Closes #3250
Reported-by: NTMan on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

6 years ago
setopt: add CURLOPT_CURLU
Jim Fuller [Thu, 1 Nov 2018 18:16:15 +0000 (19:16 +0100)]
setopt: add CURLOPT_CURLU

Allows an application to pass in a pre-parsed URL via a URL handle.

Closes #3227

6 years ago
docs: ESCape "\n" codes
Gisle Vanem [Wed, 7 Nov 2018 12:26:55 +0000 (13:26 +0100)]
docs: ESCape "\n" codes

Groff / Troff will display a:
 printf("Errno: %ld\n", error);
as:
  printf("Errno: %ld0, error);

when a "\n" is not escaped. Use "\\n" instead.

Closes #3246

6 years ago
curl: --local-port fix followup
Daniel Stenberg [Wed, 7 Nov 2018 22:26:55 +0000 (23:26 +0100)]
curl: --local-port fix followup

Regression by 52db54869e6.

Reported-by: infinnovation-dev on github
Fixes #3248
Closes #3249

6 years ago
More "\n" ESCaping
Gisle Vanem [Wed, 7 Nov 2018 12:32:17 +0000 (13:32 +0100)]
More "\n" ESCaping

6 years ago
RELEASE-NOTES: synced
Daniel Stenberg [Wed, 7 Nov 2018 11:00:14 +0000 (12:00 +0100)]
RELEASE-NOTES: synced

6 years ago
curl: fix --local-port integer overflow
Daniel Stenberg [Mon, 5 Nov 2018 10:57:29 +0000 (11:57 +0100)]
curl: fix --local-port integer overflow

The tool's local port command line range parser didn't check for integer
overflows and could pass "weird" data to libcurl for this option.
libcurl, however, has a strict range check for the values so it rejects
anything outside of the accepted range.

Reported-by: Brian Carpenter
Closes #3242

6 years ago
curl: correct the switch() logic in ourWriteOut
Daniel Stenberg [Wed, 7 Nov 2018 10:14:20 +0000 (11:14 +0100)]
curl: correct the switch() logic in ourWriteOut

Follow-up to e431daf013, as I did the wrong correction for a compiler
warning. It should be a break and not a fall-through.

Pointed-out-by: Frank Gevaerts

6 years ago
curl: add %{stderr} and %{stdout} for --write-out
Frank Gevaerts [Mon, 8 Oct 2018 21:54:01 +0000 (23:54 +0200)]
curl: add %{stderr} and %{stdout} for --write-out

Closes #3115

6 years ago
winssl: be consistent in Schannel capitalization
Daniel Gustafsson [Wed, 7 Nov 2018 09:11:13 +0000 (10:11 +0100)]
winssl: be consistent in Schannel capitalization

The product name from Microsoft is "Schannel", but in infof/failf
reporting we use "schannel". This removes the different versions.

Closes #3243
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

6 years ago
TODO: Have the URL API offer IDN decoding
Daniel Stenberg [Wed, 7 Nov 2018 07:46:34 +0000 (08:46 +0100)]
TODO: Have the URL API offer IDN decoding

Similar to how URL decoding/encoding is done, we could have URL
functions to convert IDN host names to punycode.

Suggested-by: Alexey Melnichuk
Closes #3232

6 years ago
urlapi: only skip encoding the first '=' with APPENDQUERY set
Daniel Stenberg [Tue, 6 Nov 2018 22:48:35 +0000 (23:48 +0100)]
urlapi: only skip encoding the first '=' with APPENDQUERY set

APPENDQUERY + URLENCODE would skip all equals signs, but now it only
skips encoding the first, to better allow "name=content" for any content.

Reported-by: Alexey Melnichuk
Fixes #3231
Closes #3231

6 years ago
url: a short host name + port is not a scheme
Daniel Stenberg [Sun, 4 Nov 2018 22:30:48 +0000 (23:30 +0100)]
url: a short host name + port is not a scheme

The function identifying a leading "scheme" part of the URL considered a
few letters ending with a colon to be a scheme, making something like
"short:80" to become an unknown scheme instead of a short host name and
a port number.

Extended test 1560 to verify.

Also fixed test203 to use file_pwd to make it get the correct path on
Windows. Removed test 2070 since it was a duplicate of 203.

Assisted-by: Marcel Raad
Reported-by: Hagai Auro
Fixes #3220
Fixes #3233
Closes #3223
Closes #3235

6 years ago
libcurl: stop reading from paused transfers
Sangamkar [Mon, 5 Nov 2018 23:29:55 +0000 (15:29 -0800)]
libcurl: stop reading from paused transfers

In the transfer loop it would previously not acknowledge the pause bit
and continue until drained or the loop ended.

Closes #3240