]> granicus.if.org Git - curl/log
curl
6 years agontlm: Remove redundant ifdef USE_OPENSSL
pkubaj [Wed, 14 Nov 2018 12:12:34 +0000 (12:12 +0000)]
ntlm: Remove redundant ifdef USE_OPENSSL

lib/curl_ntlm.c had code that read as follows:

  #ifdef USE_OPENSSL
  # ifdef USE_OPENSSL
  # else
  # ..
  # endif
  #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to
reach it anyway). The removed construction is a leftover from when the
SSLeay support was removed.

Closes #3269
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agossl: replace all internal uses of CURLE_SSL_CACERT
Han Han [Tue, 20 Nov 2018 01:48:59 +0000 (17:48 -0800)]
ssl: replace all internal uses of CURLE_SSL_CACERT

Closes #3291

6 years agodocs: add more description to unified ssl error codes
Han Han [Mon, 19 Nov 2018 23:57:44 +0000 (15:57 -0800)]
docs: add more description to unified ssl error codes

6 years agocurle: move deprecated error code to ifndef block
Han Han [Mon, 19 Nov 2018 23:16:54 +0000 (15:16 -0800)]
curle: move deprecated error code to ifndef block

6 years agoos400: add CURLOPT_CURLU to ILE/RPG binding.
Patrick Monnerat [Mon, 19 Nov 2018 14:23:00 +0000 (15:23 +0100)]
os400: add CURLOPT_CURLU to ILE/RPG binding.

6 years agoos400: Add curl_easy_conn_upkeep() to ILE/RPG binding.
Patrick Monnerat [Mon, 19 Nov 2018 14:22:00 +0000 (15:22 +0100)]
os400: Add curl_easy_conn_upkeep() to ILE/RPG binding.

6 years agoos400: fix return type of curl_easy_pause() in ILE/RPG binding.
Patrick Monnerat [Mon, 19 Nov 2018 14:19:36 +0000 (15:19 +0100)]
os400: fix return type of curl_easy_pause() in ILE/RPG binding.

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Mon, 19 Nov 2018 13:39:59 +0000 (14:39 +0100)]
RELEASE-NOTES: synced

6 years agoimpacket: add LICENSE
Daniel Stenberg [Thu, 15 Nov 2018 14:17:58 +0000 (15:17 +0100)]
impacket: add LICENSE

The license for the impacket package was not in our tree.

Imported now from upstream's
https://github.com/SecureAuthCorp/impacket/blob/master/LICENSE

Reported-by: infinnovation-dev on github
Fixes #3276
Closes #3277

6 years agotool_doswin: Fix uninitialized field warning
Daniel Gustafsson [Sun, 18 Nov 2018 20:57:00 +0000 (21:57 +0100)]
tool_doswin: Fix uninitialized field warning

The partial struct initialization in 397664a065abffb7c3445ca9 caused
a warning on uninitialized MODULEENTRY32 struct members:

  /src/tool_doswin.c:681:3: warning: missing initializer for field
  'th32ModuleID' of 'MODULEENTRY32 {aka struct tagMODULEENTRY32}'
  [-Wmissing-field-initializers]

This is sort of a bogus warning as the remaining members will be set
to zero by the compiler, as all omitted members are. Nevertheless,
remove the warning by omitting all members and setting the dwSize
members explicitly.

Closes #3254
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
6 years agoopenssl: Remove SSLEAY leftovers
Daniel Gustafsson [Sat, 17 Nov 2018 20:36:10 +0000 (21:36 +0100)]
openssl: Remove SSLEAY leftovers

Commit 709cf76f6bb7dbac deprecated USE_SSLEAY, as curl since long isn't
compatible with the SSLeay library. This removes the few leftovers that
were omitted in the less frequently used platform targets.

Closes #3270
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agohttp_negotiate: do not close connection until negotiation is completed
Elia Tufarolo [Tue, 13 Nov 2018 17:30:56 +0000 (18:30 +0100)]
http_negotiate: do not close connection until negotiation is completed

Fix HTTP POST using CURLAUTH_NEGOTIATE.

Closes #3275

6 years agopop3: only do APOP with a valid timestamp
Daniel Stenberg [Thu, 15 Nov 2018 16:00:16 +0000 (17:00 +0100)]
pop3: only do APOP with a valid timestamp

Brought-by: bobmitchell1956 on github
Fixes #3278
Closes #3279

6 years agoopenssl: do not log excess "TLS app data" lines for TLS 1.3
Peter Wu [Fri, 16 Nov 2018 16:57:08 +0000 (17:57 +0100)]
openssl: do not log excess "TLS app data" lines for TLS 1.3

The SSL_CTX_set_msg_callback callback is not just called for the
Handshake or Alert protocols, but also for the raw record header
(SSL3_RT_HEADER) and the decrypted inner record type
(SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid
excess debug spam when using `curl -v` against a TLSv1.3-enabled server:

    * TLSv1.3 (IN), TLS app data, [no content] (0):

(Following this message, another callback for the decrypted
handshake/alert messages will be be present anyway.)

Closes https://github.com/curl/curl/pull/3281

6 years agotests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
Marc Hoersken [Thu, 15 Nov 2018 20:10:29 +0000 (21:10 +0100)]
tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows

SO_EXCLUSIVEADDRUSE is on by default on Vista or newer,
but does not work together with SO_REUSEADDR being on.

The default changes were made with stunnel 5.34 and 5.35.

6 years agonss: remove version selecting dead code
Kamil Dudka [Tue, 13 Nov 2018 22:54:56 +0000 (23:54 +0100)]
nss: remove version selecting dead code

Closes #3262

6 years agonss: set default max-tls to 1.3/1.2
Daniel Stenberg [Mon, 12 Nov 2018 15:22:23 +0000 (16:22 +0100)]
nss: set default max-tls to 1.3/1.2

Fixes #3261

6 years agotool_cb_wrt: Silence function cast compiler warning
Daniel Gustafsson [Mon, 12 Nov 2018 19:54:07 +0000 (20:54 +0100)]
tool_cb_wrt: Silence function cast compiler warning

Commit 5bfaa86ceb3c2a9ac474a928e748c4a86a703b33 introduced a new
compiler warning on Windows cross compilation with GCC. See below
for an example of the warning from the autobuild logs (whitespace
edited to fit):

/src/tool_cb_wrt.c:175:9: warning: cast from function call of type
    'intptr_t {aka long long int}' to non-matching type 'void *'
    [-Wbad-function-cast]
(HANDLE) _get_osfhandle(fileno(outs->stream)),
^

Store the return value from _get_osfhandle() in an intermediate
variable and cast the variable in WriteConsoleW() rather than the
function call directly to avoid a compiler warning.

In passing, also add inspection of the MultiByteToWideChar() return
value and return failure in case an error is reported.

Closes #3263
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Reviewed-by: Viktor Szakats <commit@vszakats.net>
6 years agonss: fix fallthrough comment to fix picky compiler warning
Daniel Stenberg [Mon, 12 Nov 2018 14:23:17 +0000 (15:23 +0100)]
nss: fix fallthrough comment to fix picky compiler warning

6 years agodocs: expanded on some CURLU details
Daniel Stenberg [Sat, 10 Nov 2018 23:10:56 +0000 (00:10 +0100)]
docs: expanded on some CURLU details

6 years agoftp: avoid two unsigned int overflows in FTP listing parser
Tim Rühsen [Sat, 3 Nov 2018 17:49:00 +0000 (18:49 +0100)]
ftp: avoid two unsigned int overflows in FTP listing parser

Curl_ftp_parselist: avoid unsigned integer overflows

The overflow has no real world impact, just avoid it for "best
practice".

Closes #3225

6 years agocurl: --local-port range was not "including"
Daniel Stenberg [Fri, 9 Nov 2018 09:49:14 +0000 (10:49 +0100)]
curl: --local-port range was not "including"

The end port number in a given range was not included in the range used,
as it is documented to be.

Reported-by: infinnovation-dev on github
Fixes #3251
Closes #3255

6 years agoopenssl: support BoringSSL TLS renegotiation
Jérémy Rocher [Fri, 9 Nov 2018 13:05:26 +0000 (14:05 +0100)]
openssl: support BoringSSL TLS renegotiation

As per BoringSSL porting documentation [1], BoringSSL rejects peer
renegotiations by default.

curl fails when trying to authenticate to server through client
certificate if it is requested by server after the initial TLS
handshake.

Enable renegotiation by default with BoringSSL to get same behavior as
with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2]
which was introduced in commit 1d5ef3bb1eb9 [3].

1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86

Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com>
Fixes #3258
Closes #3259

6 years agoHISTORY: add some milestones
Daniel Stenberg [Fri, 9 Nov 2018 12:05:26 +0000 (13:05 +0100)]
HISTORY: add some milestones

Added a few of the more notable milestones in curl history that were
missing. Primarily more recent ones but I also noted some older that
could be worth mentioning.

[ci skip]
Closes #3257

6 years agoKNOWN_BUGS: add --proxy-any connection issue
Daniel Gustafsson [Fri, 9 Nov 2018 15:50:39 +0000 (16:50 +0100)]
KNOWN_BUGS: add --proxy-any connection issue

Add the identified issue with --proxy-any and proxy servers which
advertise authentication schemes other than the supported one.

Closes #876
Closes #3250
Reported-by: NTMan on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agosetopt: add CURLOPT_CURLU
Jim Fuller [Thu, 1 Nov 2018 18:16:15 +0000 (19:16 +0100)]
setopt: add CURLOPT_CURLU

Allows an application to pass in a pre-parsed URL via a URL handle.

Closes #3227

6 years agodocs: ESCape "\n" codes
Gisle Vanem [Wed, 7 Nov 2018 12:26:55 +0000 (13:26 +0100)]
docs: ESCape "\n" codes

Groff / Troff will display a:
 printaf("Errno: %ld\n", error);
as:
  printf("Errno: %ld0, error);

when a "\n" is not escaped. Use "\\n" instead.

Closes #3246

6 years agocurl: --local-port fix followup
Daniel Stenberg [Wed, 7 Nov 2018 22:26:55 +0000 (23:26 +0100)]
curl: --local-port fix followup

Regression by 52db54869e6.

Reported-by: infinnovation-dev on github
Fixes #3248
Closes #3249

6 years agoMore "\n" ESCaping
Gisle Vanem [Wed, 7 Nov 2018 12:32:17 +0000 (13:32 +0100)]
More "\n" ESCaping

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Wed, 7 Nov 2018 11:00:14 +0000 (12:00 +0100)]
RELEASE-NOTES: synced

6 years agocurl: fix --local-port integer overflow
Daniel Stenberg [Mon, 5 Nov 2018 10:57:29 +0000 (11:57 +0100)]
curl: fix --local-port integer overflow

The tool's local port command line range parser didn't check for integer
overflows and could pass "weird" data to libcurl for this option.
libcurl however, has a strict range check for the values so it rejects
anything outside of the accepted range.

Reported-by: Brian Carpenter
Closes #3242

6 years agocurl: correct the switch() logic in ourWriteOut
Daniel Stenberg [Wed, 7 Nov 2018 10:14:20 +0000 (11:14 +0100)]
curl: correct the switch() logic in ourWriteOut

Follow-up to e431daf013, as I did the wrong correction for a compiler
warning. It should be a break and not a fall-through.

Pointed-out-by: Frank Gevaerts
6 years agocurl: add %{stderr} and %{stdout} for --write-out
Frank Gevaerts [Mon, 8 Oct 2018 21:54:01 +0000 (23:54 +0200)]
curl: add %{stderr} and %{stdout} for --write-out

Closes #3115

6 years agowinssl: be consistent in Schannel capitalization
Daniel Gustafsson [Wed, 7 Nov 2018 09:11:13 +0000 (10:11 +0100)]
winssl: be consistent in Schannel capitalization

The productname from Microsoft is "Schannel", but in infof/failf
reporting we use "schannel". This removes different versions.

Closes #3243
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agoTODO: Have the URL API offer IDN decoding
Daniel Stenberg [Wed, 7 Nov 2018 07:46:34 +0000 (08:46 +0100)]
TODO: Have the URL API offer IDN decoding

Similar to how URL decoding/encoding is done, we could have URL
functions to convert IDN host names to punycode.

Suggested-by: Alexey Melnichuk
Closes #3232

6 years agourlapi: only skip encoding the first '=' with APPENDQUERY set
Daniel Stenberg [Tue, 6 Nov 2018 22:48:35 +0000 (23:48 +0100)]
urlapi: only skip encoding the first '=' with APPENDQUERY set

APPENDQUERY + URLENCODE would skip all equals signs but now it only skip
encoding the first to better allow "name=content" for any content.

Reported-by: Alexey Melnichuk
Fixes #3231
Closes #3231

6 years agourl: a short host name + port is not a scheme
Daniel Stenberg [Sun, 4 Nov 2018 22:30:48 +0000 (23:30 +0100)]
url: a short host name + port is not a scheme

The function identifying a leading "scheme" part of the URL considered a
few letters ending with a colon to be a scheme, making something like
"short:80" to become an unknown scheme instead of a short host name and
a port number.

Extended test 1560 to verify.

Also fixed test203 to use file_pwd to make it get the correct path on
windows. Removed test 2070 since it was a duplicate of 203.

Assisted-by: Marcel Raad
Reported-by: Hagai Auro
Fixes #3220
Fixes #3233
Closes #3223
Closes #3235

6 years agolibcurl: stop reading from paused transfers
Sangamkar [Mon, 5 Nov 2018 23:29:55 +0000 (15:29 -0800)]
libcurl: stop reading from paused transfers

In the transfer loop it would previously not acknwledge the pause bit
and continue until drained or loop ended.

Closes #3240

6 years agotool: add undocumented option --dump-module-paths for win32
Jay Satiro [Thu, 1 Nov 2018 06:50:40 +0000 (02:50 -0400)]
tool: add undocumented option --dump-module-paths for win32

- Add an undocumented diagnostic option for Windows to show the full
  paths of all loaded modules regardless of whether or not libcurl
  initialization succeeds.

This is needed so that in the CI we can get a list of all DLL
dependencies after initialization (when they're most likely to have
finished loading) and then package them as artifacts so that a
functioning build can be downloaded. Also I imagine it may have some use
as a diagnostic for help requests.

Ref: https://github.com/curl/curl/pull/3103

Closes https://github.com/curl/curl/pull/3208

6 years agocurl_multibyte: fix a malloc overcalculation
Jay Satiro [Thu, 1 Nov 2018 06:53:22 +0000 (02:53 -0400)]
curl_multibyte: fix a malloc overcalculation

Prior to this change twice as many bytes as necessary were malloc'd when
converting wchar to UTF8. To allay confusion in the future I also
changed the variable name for the amount of bytes from len to bytes.

Closes https://github.com/curl/curl/pull/3209

6 years agonetrc: don't ignore the login name specified with "--user"
Michael Kaufmann [Sat, 3 Nov 2018 15:58:18 +0000 (16:58 +0100)]
netrc: don't ignore the login name specified with "--user"

- for "--netrc", don't ignore the login/password specified with "--user",
  only ignore the login/password in the URL.
  This restores the netrc behaviour of curl 7.61.1 and earlier.
- fix the documentation of CURL_NETRC_REQUIRED
- improve the detection of login/password changes when reading .netrc
- don't read .netrc if both login and password are already set

Fixes #3213
Closes #3224

6 years agoOS400: add URL API ccsid wrappers and sync ILE/RPG bindings
Patrick Monnerat [Mon, 5 Nov 2018 14:37:23 +0000 (15:37 +0100)]
OS400: add URL API ccsid wrappers and sync ILE/RPG bindings

6 years agocurl: fixed UTF-8 in current console code page (Windows)
Yasuhiro Matsumoto [Thu, 1 Nov 2018 16:04:39 +0000 (01:04 +0900)]
curl: fixed UTF-8 in current console code page (Windows)

Fixes #3211
Fixes #3175
Closes #3212

6 years agoTODO: 2.6 multi upkeep
Daniel Stenberg [Mon, 5 Nov 2018 08:53:49 +0000 (09:53 +0100)]
TODO: 2.6 multi upkeep

Closes #3199

6 years agounittest: make 1652 stable across collations
Daniel Gustafsson [Mon, 5 Nov 2018 08:51:33 +0000 (09:51 +0100)]
unittest: make 1652 stable across collations

The previous coding used a format string whose output depended on the
current locale of the environment running the test. Since the gist of
the test is to have a format string, with the actual formatting being
less important, switch to a more stable formatstring with decimals.

Reported-by: Marcel Raad
Closes #3234
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
6 years agoRevert "url: a short host name + port is not a scheme"
Daniel Stenberg [Mon, 5 Nov 2018 08:24:53 +0000 (09:24 +0100)]
Revert "url: a short host name + port is not a scheme"

This reverts commit 226cfa8264cd979eff3fd52c0f3585ef095e7cf2.

This commit caused test failures on appveyor/windows. Work on fixing them is
in #3235.

6 years agosymbols-in-versions: add missing CURLU_ symbols
Daniel Stenberg [Sat, 3 Nov 2018 21:45:08 +0000 (22:45 +0100)]
symbols-in-versions: add missing CURLU_ symbols

...and fix symbol-scan.pl to also scan urlapi.h

Reported-by: Alexey Melnichuk
Fixes #3226
Closes #3230

6 years agoinfof: clearly indicate truncation
Daniel Gustafsson [Sat, 3 Nov 2018 19:54:18 +0000 (20:54 +0100)]
infof: clearly indicate truncation

The internal buffer in infof() is limited to 2048 bytes of payload plus
an additional byte for NULL termination. Servers with very long error
messages can however cause truncation of the string, which currently
isn't very clear, and leads to badly formatted output.

This appends a "...\n" (or just "..." in case the format didn't with a
newline char) marker to the end of the string to clearly show
that it has been truncated.

Also include a unittest covering infof() to try and catch any bugs
introduced in this quite important function.

Closes #3216
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
6 years agotool_getparam: fix some comments
Michael Kaufmann [Sat, 3 Nov 2018 16:24:31 +0000 (17:24 +0100)]
tool_getparam: fix some comments

6 years agourl: a short host name + port is not a scheme
Daniel Stenberg [Fri, 2 Nov 2018 22:46:01 +0000 (23:46 +0100)]
url: a short host name + port is not a scheme

The function identifying a leading "scheme" part of the URL considered a few
letters ending with a colon to be a scheme, making something like "short:80"
to become an unknown scheme instead of a short host name and a port number.

Extended test 1560 to verify.

Reported-by: Hagai Auro
Fixes #3220
Closes #3223

6 years agoURL: fix IPv6 numeral address parser
Daniel Stenberg [Fri, 2 Nov 2018 14:11:16 +0000 (15:11 +0100)]
URL: fix IPv6 numeral address parser

Regression from 46e164069d1a52. Extended test 1560 to verify.

Reported-by: tpaukrt on github
Fixes #3218
Closes #3219

6 years agotravis: remove curl before a normal build
Daniel Stenberg [Wed, 31 Oct 2018 11:57:36 +0000 (12:57 +0100)]
travis: remove curl before a normal build

on Linux. To make sure the test suite runs with its newly build tool and
doesn't require an external one present.

Bug: #3198
Closes #3200

6 years agomprintf: avoid unsigned integer overflow warning
Tim Rühsen [Sun, 28 Oct 2018 10:33:27 +0000 (11:33 +0100)]
mprintf: avoid unsigned integer overflow warning

The overflow has no real world impact.
Just avoid it for "best practice".

Code change suggested by "The Infinnovation Team" and Daniel Stenberg.
Closes #3184

6 years agoCurl_follow: accept non-supported schemes for "fake" redirects
Daniel Stenberg [Thu, 1 Nov 2018 22:45:57 +0000 (23:45 +0100)]
Curl_follow: accept non-supported schemes for "fake" redirects

When not actually following the redirect and the target URL is only
stored for later retrieval, curl always accepted "non-supported"
schemes. This was a regression from 46e164069d1a5230.

Reported-by: Brad King
Fixes #3210
Closes #3215

6 years agoopenvms: fix example name
Daniel Gustafsson [Fri, 2 Nov 2018 07:59:01 +0000 (08:59 +0100)]
openvms: fix example name

Commit efc696a2e09225bfeab4 renamed persistant.c to persistent.c to
fix the typo in the name, but missed to update the OpenVMS package
files which still looked for the old name.

Closes #3217
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Reviewed-by: Viktor Szakats <commit@vszakats.net>
6 years agoconfigure: show CFLAGS, LDFLAGS etc in summary
Daniel Stenberg [Thu, 1 Nov 2018 07:17:28 +0000 (08:17 +0100)]
configure: show CFLAGS, LDFLAGS etc in summary

To make it easier to understand other people's and remote builds etc.

Closes #3207

6 years agoversion: bump for next cycle
Daniel Stenberg [Thu, 1 Nov 2018 10:02:49 +0000 (11:02 +0100)]
version: bump for next cycle

6 years agoaxtls: removed
Daniel Stenberg [Tue, 30 Oct 2018 09:00:00 +0000 (10:00 +0100)]
axtls: removed

As has been outlined in the DEPRECATE.md document, the axTLS code has
been disabled for 6 months and is hereby removed.

Use a better supported TLS library!

Assisted-by: Daniel Gustafsson
Closes #3194

6 years agoschannel: make CURLOPT_CERTINFO support using Issuer chain
marcosdiazr [Tue, 30 Oct 2018 21:06:30 +0000 (18:06 -0300)]
schannel: make CURLOPT_CERTINFO support using Issuer chain

Closes #3197

6 years agotravis: build with sanitize=address,undefined,signed-integer-overflow
Daniel Stenberg [Mon, 29 Oct 2018 15:18:34 +0000 (16:18 +0100)]
travis: build with sanitize=address,undefined,signed-integer-overflow

... using clang

Closes #3190

6 years agoschannel: use Curl_ prefix for global private symbols
Daniel Stenberg [Wed, 31 Oct 2018 12:36:30 +0000 (13:36 +0100)]
schannel: use Curl_ prefix for global private symbols

Curl_verify_certificate() must use the Curl_ prefix since it is globally
available in the lib and otherwise steps outside of our namespace!

Closes #3201

6 years agotests: drop http_pipe.py script no longer used
Kamil Dudka [Wed, 31 Oct 2018 12:07:48 +0000 (13:07 +0100)]
tests: drop http_pipe.py script no longer used

It is unused since commit f7208df7d9d5cd5e15e2d89237e828f32b63f135.

Closes #3204

6 years agoruntests: use the local curl for verifying
Daniel Stenberg [Wed, 31 Oct 2018 10:08:49 +0000 (11:08 +0100)]
runtests: use the local curl for verifying

... revert the mistaken change brought in commit 8440616f53.

Reported-by: Alessandro Ghedini
Bug: https://curl.haxx.se/mail/lib-2018-10/0118.html

Closes #3198

6 years agoRELEASE-NOTES: 7.62.0 curl-7_62_0
Daniel Stenberg [Mon, 29 Oct 2018 07:35:51 +0000 (08:35 +0100)]
RELEASE-NOTES: 7.62.0

6 years agoTHANKS: 7.62.0 status
Daniel Stenberg [Sat, 27 Oct 2018 10:06:15 +0000 (12:06 +0200)]
THANKS: 7.62.0 status

6 years agovtls: add MesaLink to curl_sslbackend enum
Daniel Gustafsson [Tue, 30 Oct 2018 15:56:51 +0000 (16:56 +0100)]
vtls: add MesaLink to curl_sslbackend enum

MesaLink support was added in commit 57348eb97d1b8fc3742e02c but the
backend was never added to the curl_sslbackend enum in curl/curl.h.
This adds the new backend to the enum and updates the relevant docs.

Closes #3195
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agocmake: Remove unused CURL_CONFIG_HAS_BEEN_RUN_BEFORE variable
Ruslan Baratov [Mon, 29 Oct 2018 16:19:48 +0000 (19:19 +0300)]
cmake: Remove unused CURL_CONFIG_HAS_BEEN_RUN_BEFORE variable

Closes #3191

6 years agotest2080: verify the fix for CVE-2018-16842
Daniel Stenberg [Sun, 28 Oct 2018 09:43:57 +0000 (10:43 +0100)]
test2080: verify the fix for CVE-2018-16842

6 years agovoutf: fix bad arethmetic when outputting warnings to stderr
Daniel Stenberg [Sat, 27 Oct 2018 23:33:23 +0000 (01:33 +0200)]
voutf: fix bad arethmetic when outputting warnings to stderr

CVE-2018-16842
Reported-by: Brian Carpenter
Bug: https://curl.haxx.se/docs/CVE-2018-16842.html

6 years agocmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in
Tuomo Rinne [Sat, 27 Oct 2018 10:23:19 +0000 (11:23 +0100)]
cmake: uniform ZLIB to use USE_ variable and clean curl-config.cmake.in

Closes #3123

6 years agocmake: add find_dependency call for ZLIB to CMake config file
Tuomo Rinne [Thu, 11 Oct 2018 18:55:53 +0000 (19:55 +0100)]
cmake: add find_dependency call for ZLIB to CMake config file

6 years agocmake: add support for transitive ZLIB target
Tuomo Rinne [Wed, 10 Oct 2018 20:45:44 +0000 (21:45 +0100)]
cmake: add support for transitive ZLIB target

6 years agounit1650: fix "null pointer passed as argument 1 to memcmp"
Daniel Stenberg [Mon, 29 Oct 2018 09:27:04 +0000 (10:27 +0100)]
unit1650: fix "null pointer passed as argument 1 to memcmp"

Detected by UndefinedBehaviorSanitizer

Closes #3187

6 years agotravis: add a "make tidy" build that runs clang-tidy
Daniel Stenberg [Sat, 27 Oct 2018 14:02:48 +0000 (16:02 +0200)]
travis: add a "make tidy" build that runs clang-tidy

Closes #3182

6 years agounit1300: fix stack-use-after-scope AddressSanitizer warning
Daniel Stenberg [Sun, 28 Oct 2018 23:06:01 +0000 (00:06 +0100)]
unit1300: fix stack-use-after-scope AddressSanitizer warning

Closes #3186

6 years agoCurl_auth_create_plain_message: fix too-large-input-check
Daniel Stenberg [Fri, 28 Sep 2018 14:08:16 +0000 (16:08 +0200)]
Curl_auth_create_plain_message: fix too-large-input-check

CVE-2018-16839
Reported-by: Harry Sintonen
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html

6 years agoCurl_close: clear data->multi_easy on free to avoid use-after-free
Daniel Stenberg [Thu, 18 Oct 2018 13:07:15 +0000 (15:07 +0200)]
Curl_close: clear data->multi_easy on free to avoid use-after-free

Regression from b46cfbc068 (7.59.0)
CVE-2018-16840
Reported-by: Brian Carpenter (Geeknik Labs)
Bug: https://curl.haxx.se/docs/CVE-2018-16840.html

6 years agosystem.h: use proper setting with Sun C++ as well
randomswdev [Sat, 27 Oct 2018 13:28:59 +0000 (15:28 +0200)]
system.h: use proper setting with Sun C++ as well

system.h selects the proper Sun settings when __SUNPRO_C is defined. The
Sun compiler does not define it when compiling C++ files.  I'm adding a
check also on __SUNPRO_CC to allow curl to work properly also when used
in a C++ project on Sun Solaris.

Closes #3181

6 years agorand: add comment to skip a clang-tidy false positive
Daniel Stenberg [Sat, 27 Oct 2018 13:57:31 +0000 (15:57 +0200)]
rand: add comment to skip a clang-tidy false positive

6 years agotest1651: unit test Curl_extract_certinfo()
Daniel Stenberg [Fri, 26 Oct 2018 21:07:07 +0000 (23:07 +0200)]
test1651: unit test Curl_extract_certinfo()

The version used for Gskit, NSS, GnuTLS, WolfSSL and schannel.

6 years agox509asn1: always check return code from getASN1Element()
Daniel Stenberg [Mon, 22 Oct 2018 23:04:42 +0000 (01:04 +0200)]
x509asn1: always check return code from getASN1Element()

6 years agoMakefile: add 'tidy' target that runs clang-tidy
Daniel Stenberg [Mon, 22 Oct 2018 22:33:27 +0000 (00:33 +0200)]
Makefile: add 'tidy' target that runs clang-tidy

Available in the root, src and lib dirs.

Closes #3163

6 years agoRELEASE-PROCEDURE: adjust the release dates
Daniel Stenberg [Sat, 27 Oct 2018 09:48:01 +0000 (11:48 +0200)]
RELEASE-PROCEDURE: adjust the release dates

See: https://curl.haxx.se/mail/lib-2018-10/0107.html

6 years agox509asn1: suppress left shift on signed value
Patrick Monnerat [Sat, 27 Oct 2018 13:04:50 +0000 (15:04 +0200)]
x509asn1: suppress left shift on signed value

Use an unsigned variable: as the signed operation behavior is undefined,
this change silents clang-tidy about it.

Ref: https://github.com/curl/curl/pull/3163
Reported-By: Daniel Stenberg
6 years agomulti: Fix error handling in the SENDPROTOCONNECT state
Michael Kaufmann [Thu, 25 Oct 2018 11:07:03 +0000 (13:07 +0200)]
multi: Fix error handling in the SENDPROTOCONNECT state

If Curl_protocol_connect() returns an error code,
handle the error instead of switching to the next state.

Closes #3170

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Sat, 27 Oct 2018 09:14:13 +0000 (11:14 +0200)]
RELEASE-NOTES: synced

6 years agoopenssl: output the correct cipher list on TLS 1.3 error
Daniel Stenberg [Fri, 26 Oct 2018 11:34:37 +0000 (13:34 +0200)]
openssl: output the correct cipher list on TLS 1.3 error

When failing to set the 1.3 cipher suite, the wrong string pointer would
be used in the error message. Most often saying "(nil)".

Reported-by: Ricky-Tigg on github
Fixes #3178
Closes #3180

6 years agodocs/CIPHERS: fix the TLS 1.3 cipher names
Daniel Stenberg [Fri, 26 Oct 2018 11:33:34 +0000 (13:33 +0200)]
docs/CIPHERS: fix the TLS 1.3 cipher names

... picked straight from the OpenSSL man page:
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

Reported-by: Ricky-Tigg on github
Bug: #3178

6 years agotravis: install gnutls-bin package
Marcel Raad [Sat, 8 Sep 2018 20:44:16 +0000 (22:44 +0200)]
travis: install gnutls-bin package

This is required for gnutls-serv, which enables a few more tests.

Closes https://github.com/curl/curl/pull/2958

6 years agossh: free the session on init failures
Daniel Gustafsson [Fri, 26 Oct 2018 13:39:15 +0000 (15:39 +0200)]
ssh: free the session on init failures

Ensure to clear the session object in case the libssh2 initialization
fails.

It could be argued that the libssh2 error function should be called to
get a proper error message in this case. But since the only error path
in libssh2_knownhost_init() is memory a allocation failure it's safest
to avoid since the libssh2 error handling allocates memory.

Closes #3179
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
6 years agodocs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date
Daniel Stenberg [Fri, 26 Oct 2018 12:12:44 +0000 (14:12 +0200)]
docs/RELEASE-PROCEDURE: remove old entries, modify the Dec 2018 date

... I'm moving it up one week due to travels. The rest stays.

6 years agoopenssl: make 'done' a proper boolean
Daniel Gustafsson [Fri, 26 Oct 2018 08:06:48 +0000 (10:06 +0200)]
openssl: make 'done' a proper boolean

Closes #3176

6 years agogtls: Values stored to but never read
Daniel Stenberg [Mon, 22 Oct 2018 22:31:16 +0000 (00:31 +0200)]
gtls: Values stored to but never read

Detected by clang-tidy

Closes #3176

6 years agocurl.1: --ipv6 mutexes ipv4 (fixed typo)
Alexey Eremikhin [Thu, 25 Oct 2018 14:02:59 +0000 (17:02 +0300)]
curl.1: --ipv6 mutexes ipv4 (fixed typo)

Fixes #3171
Closes #3172

6 years agotool_main: make TerminalSettings static
Daniel Stenberg [Tue, 23 Oct 2018 11:38:48 +0000 (13:38 +0200)]
tool_main: make TerminalSettings static

Reported-by: Gisle Vanem
Bug: https://github.com/curl/curl/commit/becfe1233ff2b6b0c3e1b6a10048b55b68c2539f#commitcomment-31008819
Closes #3161

6 years agocurl-config.in: remove dependency on bc
Daniel Stenberg [Thu, 25 Oct 2018 14:55:27 +0000 (16:55 +0200)]
curl-config.in: remove dependency on bc

Reported-by: Dima Pasechnik
Fixes #3143
Closes #3174

6 years agortmp: fix for compiling with lwIP
Gisle Vanem [Mon, 22 Oct 2018 08:33:44 +0000 (10:33 +0200)]
rtmp: fix for compiling with lwIP

Compiling on _WIN32 and with USE_LWIPSOCK, causes this error:
  curl_rtmp.c(223,3):  error: use of undeclared identifier 'setsockopt'
    setsockopt(r->m_sb.sb_socket, SOL_SOCKET, SO_RCVTIMEO,
    ^
  curl_rtmp.c(41,32):  note: expanded from macro 'setsockopt'
  #define setsockopt(a,b,c,d,e) (setsockopt)(a,b,c,(const char *)d,(int)e)
                                 ^
Closes #3155

6 years agoconfigure: remove CURL_CONFIGURE_CURL_SOCKLEN_T
Daniel Stenberg [Thu, 25 Oct 2018 06:03:51 +0000 (08:03 +0200)]
configure: remove CURL_CONFIGURE_CURL_SOCKLEN_T

Follow-up to #3166 which did the cmake part of this. This type/define is
not used.

Closes #3168

6 years agocmake: remove unused variables
Ruslan Baratov [Wed, 24 Oct 2018 12:22:02 +0000 (15:22 +0300)]
cmake: remove unused variables

Remove variables:
* HAVE_SOCKLEN_T
* CURL_SIZEOF_CURL_SOCKLEN_T
* CURL_TYPEOF_CURL_SOCKLEN_T

Closes #3166

6 years agourldata: Fix comment in header
Michael Kaufmann [Thu, 25 Oct 2018 11:02:26 +0000 (13:02 +0200)]
urldata: Fix comment in header

The "connecting" function is used by multiple protocols, not only FTP