]> granicus.if.org Git - curl/log
curl
6 years agoschannel_verify: fix build for non-schannel
Daniel Stenberg [Wed, 16 May 2018 08:12:13 +0000 (10:12 +0200)]
schannel_verify: fix build for non-schannel

6 years agorand: fix typo
Jay Satiro [Wed, 16 May 2018 06:18:50 +0000 (02:18 -0400)]
rand: fix typo

6 years agoschannel: disable manual verify if APIs not available
Jay Satiro [Wed, 16 May 2018 06:02:29 +0000 (02:02 -0400)]
schannel: disable manual verify if APIs not available

.. because original MinGW and old compilers do not have the Windows API
definitions needed to support manual verification.

6 years agoschannel: disable client cert option if APIs not available
Archangel_SDY [Mon, 23 Apr 2018 14:12:43 +0000 (22:12 +0800)]
schannel: disable client cert option if APIs not available

Original MinGW targets Windows 2000 by default, which lacks some APIs and
definitions for this feature. Disable it if these APIs are not available.

Closes https://github.com/curl/curl/pull/2522

6 years agoRELEASE-NOTES: 7.60.0 release curl-7_60_0
Daniel Stenberg [Sun, 13 May 2018 21:33:37 +0000 (23:33 +0200)]
RELEASE-NOTES: 7.60.0 release

6 years agoTHANKS: added people from the curl 7.60.0 release
Daniel Stenberg [Sun, 13 May 2018 21:32:42 +0000 (23:32 +0200)]
THANKS: added people from the curl 7.60.0 release

6 years agodocs/libcurl/index.html: removed
Daniel Stenberg [Tue, 15 May 2018 14:41:55 +0000 (16:41 +0200)]
docs/libcurl/index.html: removed

The HTML files are long gone from the dist, now remove the last HTML
file pointing to those missing files.

d

6 years agohttp2: remove unused variable
steini2000 [Mon, 14 May 2018 15:49:06 +0000 (17:49 +0200)]
http2: remove unused variable

Closes #2570

6 years agohttp2: use easy handle of stream for logging
steini2000 [Mon, 14 May 2018 15:40:48 +0000 (17:40 +0200)]
http2: use easy handle of stream for logging

6 years agogcc: disable picky gcc-8 function pointer warnings in two places
Daniel Stenberg [Mon, 14 May 2018 07:55:34 +0000 (09:55 +0200)]
gcc: disable picky gcc-8 function pointer warnings in two places

Reported-by: Rikard Falkeborn
Bug: #2560
Closes #2569

6 years agohttp2: use the correct function pointer typedef
Daniel Stenberg [Mon, 14 May 2018 07:38:56 +0000 (09:38 +0200)]
http2: use the correct function pointer typedef

Fixes gcc-8 picky compiler warnings
Reported-by: Rikard Falkeborn
Bug: #2560
Closes #2568

6 years agoCODE_STYLE: mention return w/o parens, but sizeof with
Daniel Stenberg [Mon, 14 May 2018 08:19:52 +0000 (10:19 +0200)]
CODE_STYLE: mention return w/o parens, but sizeof with

... and remove the github markdown syntax so that it renders better on
the web site. Also, don't use back-ticks inlined to allow the CSS to
highlight source code better.

6 years agoexamples: Fix format specifiers
Rikard Falkeborn [Sun, 6 May 2018 17:44:03 +0000 (19:44 +0200)]
examples: Fix format specifiers

Closes #2561

6 years agotool: Fix format specifiers
Rikard Falkeborn [Fri, 11 May 2018 15:34:55 +0000 (17:34 +0200)]
tool: Fix format specifiers

6 years agontlm: Fix format specifiers
Rikard Falkeborn [Sat, 5 May 2018 20:09:04 +0000 (22:09 +0200)]
ntlm: Fix format specifiers

6 years agotests: Fix format specifiers
Rikard Falkeborn [Sun, 6 May 2018 19:20:32 +0000 (21:20 +0200)]
tests: Fix format specifiers

6 years agolib: Fix format specifiers
Rikard Falkeborn [Sun, 6 May 2018 18:32:24 +0000 (20:32 +0200)]
lib: Fix format specifiers

6 years agocontributors.sh: use "on github", not at
Daniel Stenberg [Mon, 14 May 2018 06:52:41 +0000 (08:52 +0200)]
contributors.sh: use "on github", not at

6 years agohttp2: getsock fix for uploads
Daniel Stenberg [Sat, 12 May 2018 19:58:46 +0000 (21:58 +0200)]
http2: getsock fix for uploads

When there's an upload in progress, make sure to wait for the socket to
become writable.

Detected-by: steini2000 on github
Bug: #2520
Closes #2567

6 years agopingpong: fix response cache memcpy overflow
Daniel Stenberg [Fri, 23 Mar 2018 22:30:04 +0000 (23:30 +0100)]
pingpong: fix response cache memcpy overflow

Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then the
larger cache will be copied and overflow the new smaller heap based
buffer.

Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.haxx.se/docs/adv_2018-82c2.html

6 years agohttp: restore buffer pointer when bad response-line is parsed
Daniel Stenberg [Sat, 24 Mar 2018 22:47:41 +0000 (23:47 +0100)]
http: restore buffer pointer when bad response-line is parsed

... leaving the k->str could lead to buffer over-reads later on.

CVE: CVE-2018-1000301
Assisted-by: Max Dymond
Detected by OSS-Fuzz.
Bug: https://curl.haxx.se/docs/adv_2018-b138.html
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105

6 years agocookies: do not take cookie name as a parameter
Patrick Monnerat [Sat, 12 May 2018 23:23:10 +0000 (01:23 +0200)]
cookies: do not take cookie name as a parameter

RFC 6265 section 4.2.1 does not set restrictions on cookie names.
This is a follow-up to commit 7f7fcd0.
Also explicitly check proper syntax of cookie name/value pair.

New test 1155 checks that cookie names are not reserved words.

Reported-By: anshnd at github
Fixes #2564
Closes #2566

6 years agosmb: reject negative file sizes
Daniel Stenberg [Sat, 12 May 2018 20:24:25 +0000 (22:24 +0200)]
smb: reject negative file sizes

Assisted-by: Max Dymond
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8245

6 years agosetup_transfer: deal with both sockets being -1
Daniel Stenberg [Fri, 11 May 2018 21:54:26 +0000 (23:54 +0200)]
setup_transfer: deal with both sockets being -1

Detected by Coverity; CID 1435559.  Follow-up to f8d608f38d00. It would
index the array with -1 if neither index was a socket.

6 years agotravis: add build using NSS
Daniel Stenberg [Thu, 10 May 2018 06:56:46 +0000 (08:56 +0200)]
travis: add build using NSS

Closes #2558

6 years agoopenssl: change FILE ops to BIO ops
Sunny Purushe [Tue, 17 Apr 2018 08:50:09 +0000 (04:50 -0400)]
openssl: change FILE ops to BIO ops

To make builds with VS2015 work. Recent changes in VS2015 _IOB_ENTRIES
handling is causing problems. This fix changes the OpenSSL backend code
to use BIO functions instead of FILE I/O functions to circumvent those
problems.

Closes #2512

6 years agotravis: add a build using WolfSSL
Daniel Stenberg [Tue, 24 Apr 2018 14:16:25 +0000 (16:16 +0200)]
travis: add a build using WolfSSL

Assisted-by: Dan Fandrich
Closes #2528

6 years agoRELEASE-NOTES: typo
Daniel Stenberg [Mon, 7 May 2018 12:30:18 +0000 (14:30 +0200)]
RELEASE-NOTES: typo

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Mon, 7 May 2018 08:32:42 +0000 (10:32 +0200)]
RELEASE-NOTES: synced

6 years agoURLs: fix one more http url
Daniel Gustafsson [Sat, 5 May 2018 19:27:09 +0000 (21:27 +0200)]
URLs: fix one more http url

This file wasn't included in commit 4af40b3646d3b09 which updated all
haxx.se http urls to https. The file was committed prior to that update,
but may have been merged after it and hence didn't get updated.

Closes #2550

6 years agogithub/lock: auto-lock closed issues after 90 days of inactivity
Daniel Stenberg [Sat, 5 May 2018 12:05:57 +0000 (14:05 +0200)]
github/lock: auto-lock closed issues after 90 days of inactivity

6 years agovtls: fix missing commas
Daniel Stenberg [Fri, 4 May 2018 21:02:36 +0000 (23:02 +0200)]
vtls: fix missing commas

follow-up to e66cca046cef

6 years agovtls: use unified "supports" bitfield member in backends
Daniel Stenberg [Fri, 4 May 2018 10:10:39 +0000 (12:10 +0200)]
vtls: use unified "supports" bitfield member in backends

... instead of previous separate struct fields, to make it easier to
extend and change individual backends without having to modify them all.

closes #2547

6 years agotransfer: don't unset writesockfd on setup of multiplexed conns
Daniel Stenberg [Fri, 4 May 2018 14:41:03 +0000 (16:41 +0200)]
transfer: don't unset writesockfd on setup of multiplexed conns

Curl_setup_transfer() can be called to setup a new individual transfer
over a multiplexed connection so it shouldn't unset writesockfd.

Bug: #2520
Closes #2549

6 years agoconfigure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h
Frank Gevaerts [Fri, 4 May 2018 12:31:16 +0000 (14:31 +0200)]
configure: put CURLDEBUG and DEBUGBUILD in lib/curl_config.h

They are removed from the compiler flags.

This ensures that make dependency tracking will force a rebuild whenever
configure --enable-debug or --enable-curldebug changes.

Closes #2548

6 years agohttp: don't set the "rewind" flag when not uploading anything
Daniel Stenberg [Fri, 4 May 2018 09:06:26 +0000 (11:06 +0200)]
http: don't set the "rewind" flag when not uploading anything

It triggers an assert.

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8144
Closes #2546

6 years agotravis: add an mbedtls build
Daniel Stenberg [Wed, 25 Apr 2018 07:20:08 +0000 (09:20 +0200)]
travis: add an mbedtls build

Closes #2531

6 years agoconfigure: only check for CA bundle for file-using SSL backends
Daniel Stenberg [Thu, 3 May 2018 12:54:10 +0000 (14:54 +0200)]
configure: only check for CA bundle for file-using SSL backends

When only building with SSL backends that don't use the CA bundle file
(by default), skip the check.

Fixes #2543
Fixes #2180
Closes #2545

6 years agossh-libssh.c: fix left shift compiler warning
Daniel Stenberg [Thu, 3 May 2018 20:16:57 +0000 (22:16 +0200)]
ssh-libssh.c: fix left shift compiler warning

ssh-libssh.c:2429:21: warning: result of '1 << 31' requires 33 bits to
represent, but 'int' only has 32 bits [-Wshift-overflow=]

'len' will never be that big anyway so I converted the run-time check to
a regular assert.

6 years agoURL: fix ASCII dependency in strcpy_url and strlen_url
Stephan Mühlstrasser [Thu, 26 Apr 2018 08:15:26 +0000 (10:15 +0200)]
URL: fix ASCII dependency in strcpy_url and strlen_url

Commit 3c630f9b0af097663a64e5c875c580aa9808a92b partially reverted the
changes from commit dd7521bcc1b7a6fcb53c31f9bd1192fcc884bd56 because of
the problem that strcpy_url() was modified unilaterally without also
modifying strlen_url(). As a consequence strcpy_url() was again
depending on ASCII encoding.

This change fixes strlen_url() and strcpy_url() in parallel to use a
common host-encoding independent criterion for deciding whether an URL
character must be %-escaped.

Closes #2535

6 years agodocs: remove extraneous commas in man pages
Denis Ollier [Wed, 2 May 2018 08:03:46 +0000 (10:03 +0200)]
docs: remove extraneous commas in man pages

Closes #2544

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Thu, 3 May 2018 13:14:03 +0000 (15:14 +0200)]
RELEASE-NOTES: synced

6 years agoRevert "TODO: remove configure --disable-pthreads"
Daniel Stenberg [Thu, 3 May 2018 13:05:05 +0000 (15:05 +0200)]
Revert "TODO: remove configure --disable-pthreads"

This reverts commit d5d683a97f9765bddfd964fe32e137aa6e703ed3.

--disable-pthreads can be used to disable pthreads and get the threaded
resolver to use the windows threading when building with mingw.

6 years agovtls: don't define MD5_DIGEST_LENGTH for wolfssl
Daniel Stenberg [Mon, 30 Apr 2018 13:34:26 +0000 (15:34 +0200)]
vtls: don't define MD5_DIGEST_LENGTH for wolfssl

... as it defines it (too)

6 years agoTODO: remove configure --disable-pthreads
Daniel Stenberg [Tue, 1 May 2018 09:38:16 +0000 (11:38 +0200)]
TODO: remove configure --disable-pthreads

6 years agowolfssl: Fix non-blocking connect
David Garske [Wed, 11 Apr 2018 16:46:08 +0000 (09:46 -0700)]
wolfssl: Fix non-blocking connect

Closes https://github.com/curl/curl/pull/2542

6 years agoCURLOPT_URL.3: add ENCODING section [ci skip]
Daniel Stenberg [Mon, 30 Apr 2018 12:31:04 +0000 (14:31 +0200)]
CURLOPT_URL.3: add ENCODING section [ci skip]

Feedback-by: Michael Kilburn
6 years agoKNOWN_BUGS: Client cert with Issuer DN differs between backends
Daniel Stenberg [Mon, 30 Apr 2018 08:26:26 +0000 (10:26 +0200)]
KNOWN_BUGS: Client cert with Issuer DN differs between backends

Closes #1411

6 years agoKNOWN_BUGS: Passive transfer tries only one IP address
Daniel Stenberg [Mon, 30 Apr 2018 08:22:17 +0000 (10:22 +0200)]
KNOWN_BUGS: Passive transfer tries only one IP address

Closes #1508

6 years agoKNOWN_BUGS: --upload-file . hang if delay in STDIN
Daniel Stenberg [Mon, 30 Apr 2018 08:19:45 +0000 (10:19 +0200)]
KNOWN_BUGS: --upload-file . hang if delay in STDIN

Closes #2051

6 years agoKNOWN_BUGS: Connection information when using TCP Fast Open
Daniel Stenberg [Mon, 30 Apr 2018 08:17:10 +0000 (10:17 +0200)]
KNOWN_BUGS: Connection information when using TCP Fast Open

Closes #1332

6 years agotravis: enable libssh2 on both macos and Linux
Daniel Stenberg [Sun, 29 Apr 2018 22:22:08 +0000 (00:22 +0200)]
travis: enable libssh2 on both macos and Linux

It seems to not be detected by default anymore (which is a bug I
believe)

Closes #2541

6 years agoTODO: Support the clienthello extension
Daniel Stenberg [Sun, 29 Apr 2018 22:42:34 +0000 (00:42 +0200)]
TODO: Support the clienthello extension

Closes #2299

6 years agoTODO: CLOEXEC
Daniel Stenberg [Sun, 29 Apr 2018 22:10:45 +0000 (00:10 +0200)]
TODO: CLOEXEC

Closes #2252

6 years agotests: provide 'manual' as a feature to optionally require
Daniel Stenberg [Sat, 28 Apr 2018 22:24:49 +0000 (00:24 +0200)]
tests: provide 'manual' as a feature to optionally require

... and make test 1026 rely on that feature so that --disable-manual
builds don't cause test failures.

Reported-by: Max Dymond and Anders Roxell
Fixes #2533
Closes #2540

6 years agoCURLINFO_PROTOCOL.3: mention the existing defined names
Daniel Stenberg [Fri, 27 Apr 2018 09:35:25 +0000 (11:35 +0200)]
CURLINFO_PROTOCOL.3: mention the existing defined names

6 years agocookies: remove unused macro
Daniel Gustafsson [Thu, 26 Apr 2018 22:54:21 +0000 (00:54 +0200)]
cookies: remove unused macro

Commit 2bc230de63 made the macro MAX_COOKIE_LINE_TXT become unused,
so remove as it's not part of the published API.

Closes https://github.com/curl/curl/pull/2537

6 years agochecksrc: force indentation of lines after an else
Daniel Gustafsson [Wed, 25 Apr 2018 19:53:27 +0000 (21:53 +0200)]
checksrc: force indentation of lines after an else

This extends the INDENTATION case to also handle 'else' statements
and require proper indentation on the following line. Also fixes the
offending cases found in the codebase.

Closes #2532

6 years agohttp2: fix null pointer dereference in http2_connisdead
Daniel Stenberg [Thu, 26 Apr 2018 14:07:10 +0000 (16:07 +0200)]
http2: fix null pointer dereference in http2_connisdead

This function can get called on a connection that isn't setup enough to
have the 'recv_underlying' function pointer initialized so it would try
to call the NULL pointer.

Reported-by: Dario Weisser
Follow-up to db1b2c7fe9b093f8 (never shipped in a release)
Closes #2536

6 years agohttp2: get rid of another strstr()
Daniel Stenberg [Thu, 26 Apr 2018 08:41:21 +0000 (10:41 +0200)]
http2: get rid of another strstr()

Follow-up to 1514c44655e12e: replace another strstr() call done on a
buffer that might not be zero terminated - with a memchr() call, even if
we know the substring will be found.

Assisted-by: Max Dymond
Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8021

Closes #2534

6 years agocyassl: adapt to libraries without TLS 1.0 support built-in
Daniel Stenberg [Wed, 25 Apr 2018 09:45:35 +0000 (11:45 +0200)]
cyassl: adapt to libraries without TLS 1.0 support built-in

WolfSSL doesn't enable it by default anymore

6 years agoconfigure: provide --with-wolfssl as an alias for --with-cyassl
Daniel Stenberg [Wed, 25 Apr 2018 07:04:25 +0000 (09:04 +0200)]
configure: provide --with-wolfssl as an alias for --with-cyassl

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Wed, 25 Apr 2018 13:37:54 +0000 (15:37 +0200)]
RELEASE-NOTES: synced

6 years agoos400.c: fix ASSIGNWITHINCONDITION checksrc warnings
Daniel Gustafsson [Mon, 23 Apr 2018 20:29:06 +0000 (22:29 +0200)]
os400.c: fix ASSIGNWITHINCONDITION checksrc warnings

All occurrences of assignment within conditional expression in
os400sys.c rewritten into two steps: first assignment and then the check
on the success of the assignment. Also adjust related incorrect brace
positions to match project indentation style.

This was spurred by seeing "if((inp = input_token))", but while in there
all warnings were fixed.

There should be no functional change from these changes.

Closes #2525

6 years agocookies: ensure that we have cookies before writing jar
Daniel Gustafsson [Tue, 24 Apr 2018 20:42:41 +0000 (22:42 +0200)]
cookies: ensure that we have cookies before writing jar

The jar should be written iff there are cookies, so ensure that we still
have cookies after expiration to avoid creating an empty file.

Closes #2529

6 years agostrcpy_url: only %-encode values >= 0x80
Daniel Stenberg [Wed, 25 Apr 2018 05:56:01 +0000 (07:56 +0200)]
strcpy_url: only %-encode values >= 0x80

OSS-Fuzz detected

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8000

Broke in dd7521bcc1b7

6 years agomime: avoid NULL pointer dereference risk
Daniel Stenberg [Tue, 24 Apr 2018 09:33:29 +0000 (11:33 +0200)]
mime: avoid NULL pointer dereference risk

Coverity detected, CID 1435120

Closes #2527

6 years agoctype: restore character classification for non-ASCII platforms
Stephan Mühlstrasser [Fri, 13 Apr 2018 12:28:55 +0000 (14:28 +0200)]
ctype: restore character classification for non-ASCII platforms

With commit 4272a0b0fc49a1ac0ceab5c4a365c9f6ab8bf8e2 curl-speficic
character classification macros and functions were introduced in
curl_ctype.[ch] to avoid dependencies on the locale. This broke curl on
non-ASCII, e.g. EBCDIC platforms. This change restores the previous set
of character classification macros when CURL_DOES_CONVERSIONS is
defined.

Closes #2494

6 years agoftplistparser: keep state between invokes
Daniel Stenberg [Thu, 19 Apr 2018 13:47:05 +0000 (15:47 +0200)]
ftplistparser: keep state between invokes

Fixes FTP wildcard parsing when done over a number of read buffers.

Regression from f786d1f14

Reported-by: wncboy on github
Fixes #2445
Closes #2526

6 years agoexamples/http2-upload: expand buffer to avoid silly warning
Daniel Stenberg [Tue, 24 Apr 2018 12:14:23 +0000 (14:14 +0200)]
examples/http2-upload: expand buffer to avoid silly warning

http2-upload.c:135:44: error: ‘%02d’ directive output may be truncated
writing between 2 and 11 bytes into a region of size between 8 and 17

6 years agoexamples/sftpuploadresume: typecast fseek argument to long
Daniel Stenberg [Tue, 24 Apr 2018 12:11:53 +0000 (14:11 +0200)]
examples/sftpuploadresume: typecast fseek argument to long

/docs/examples/sftpuploadresume.c:102:12: warning: conversion to 'long
int' from 'curl_off_t {aka long long int}' may alter its value

6 years agoRevert "ftplistparser: keep state between invokes"
Daniel Stenberg [Tue, 24 Apr 2018 06:19:54 +0000 (08:19 +0200)]
Revert "ftplistparser: keep state between invokes"

This reverts commit abbc8457d85aca74b7cfda1d394b0844932b2934.

Caused fuzzer problems on travis not seen when this was a PR!

6 years agoCurl_memchr: zero length input can't match
Daniel Stenberg [Tue, 24 Apr 2018 06:03:23 +0000 (08:03 +0200)]
Curl_memchr: zero length input can't match

Avoids undefined behavior.

Reported-by: Geeknik Labs
6 years agoftplistparser: keep state between invokes
Daniel Stenberg [Thu, 19 Apr 2018 13:47:05 +0000 (15:47 +0200)]
ftplistparser: keep state between invokes

Fixes FTP wildcard parsing when doing over a number of read buffers.

Regression from f786d1f14

Reported-by: wncboy on github
Fixes #2445
Closes #2519

6 years agoftplistparser: renamed some members and variables
Daniel Stenberg [Fri, 20 Apr 2018 08:29:44 +0000 (10:29 +0200)]
ftplistparser: renamed some members and variables

... to make them better spell out what they're for.

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Mon, 23 Apr 2018 12:43:02 +0000 (14:43 +0200)]
RELEASE-NOTES: synced

6 years agocurl_global_sslset: always provide available backends
Christian Schmitz [Sun, 15 Apr 2018 08:35:06 +0000 (10:35 +0200)]
curl_global_sslset: always provide available backends

Closes #2499

6 years agohttp2: convert an assert to run-time check
Daniel Stenberg [Sat, 21 Apr 2018 10:33:52 +0000 (12:33 +0200)]
http2: convert an assert to run-time check

Fuzzing has proven we can reach code in on_frame_recv with status_code
not having been set, so let's detect that in run-time (instead of with
assert) and error error accordingly.

(This should no longer happen with the latest nghttp2)

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7903
Closes #2514

6 years agocurl.1: clarify that options and URLs can be mixed
Daniel Stenberg [Mon, 23 Apr 2018 06:33:08 +0000 (08:33 +0200)]
curl.1: clarify that options and URLs can be mixed

Fixes #2515
Closes #2517

6 years agoCURLOPT_SSLCERT.3: improve WinSSL-specific usage info
Archangel_SDY [Wed, 18 Apr 2018 13:01:14 +0000 (21:01 +0800)]
CURLOPT_SSLCERT.3: improve WinSSL-specific usage info

Ref: https://github.com/curl/curl/pull/2376#issuecomment-381858780

Closes https://github.com/curl/curl/pull/2504

6 years agoschannel: fix build error on targets <= XP
Archangel_SDY [Wed, 18 Apr 2018 11:13:54 +0000 (19:13 +0800)]
schannel: fix build error on targets <= XP

- Use CRYPT_STRING_HEX instead of CRYPT_STRING_HEXRAW since XP doesn't
  support the latter.

Ref: https://github.com/curl/curl/pull/2376#issuecomment-382153668

Closes https://github.com/curl/curl/pull/2504

6 years agoRevert "ftplistparser: keep state between invokes"
Daniel Stenberg [Mon, 23 Apr 2018 05:50:01 +0000 (07:50 +0200)]
Revert "ftplistparser: keep state between invokes"

This reverts commit 8fb78f9ddc6d858d630600059b8ad84a80892fd9.

Unfortunately this fix introduces memory leaks I've not been able to fix
in several days. Reverting this for now to get the leaks fixed.

6 years agotool_help: clarify --max-time unit of time is seconds
Jay Satiro [Sat, 21 Apr 2018 18:19:37 +0000 (14:19 -0400)]
tool_help: clarify --max-time unit of time is seconds

Before:
 -m, --max-time <time> Maximum time allowed for the transfer

After:
 -m, --max-time <seconds> Maximum time allowed for the transfer

6 years agohttp2: handle GOAWAY properly
Daniel Stenberg [Thu, 19 Apr 2018 18:03:30 +0000 (20:03 +0200)]
http2: handle GOAWAY properly

When receiving REFUSED_STREAM, mark the connection for close and retry
streams accordingly on another/fresh connection.

Reported-by: Terry Wu
Fixes #2416
Fixes #1618
Closes #2510

6 years agohttp2: clear the "drain counter" when a stream is closed
Daniel Stenberg [Thu, 19 Apr 2018 18:01:52 +0000 (20:01 +0200)]
http2: clear the "drain counter" when a stream is closed

This fixes the notorious "httpc->drain_total >= data->state.drain"
assert.

Reported-by: Anders Bakken
Fixes #1680
Closes #2509

6 years agohttp2: avoid strstr() on data not zero terminated
Daniel Stenberg [Fri, 20 Apr 2018 14:32:46 +0000 (16:32 +0200)]
http2: avoid strstr() on data not zero terminated

It's not strictly clear if the API contract allows us to call strstr()
on a string that isn't zero terminated even when we know it will find
the substring, and clang's ASAN check dislikes us for it.

Also added a check of the return code in case it fails, even if I can't
think of a situation how that can trigger.

Detected by OSS-Fuzz
Closes #2513
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7760

6 years agoopenssl: fix subjectAltName check on non-ASCII platforms
Stephan Mühlstrasser [Fri, 13 Apr 2018 12:04:11 +0000 (14:04 +0200)]
openssl: fix subjectAltName check on non-ASCII platforms

Curl_cert_hostcheck operates with the host character set, therefore the
ASCII subjectAltName string retrieved with OpenSSL must be converted to
the host encoding before comparison.

Closes #2493

6 years agoopenssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages
Jay Satiro [Tue, 20 Mar 2018 06:57:50 +0000 (02:57 -0400)]
openssl: Add support for OpenSSL 1.1.1 verbose-mode trace messages

- Support handling verbose-mode trace messages of type
  SSL3_RT_INNER_CONTENT_TYPE, SSL3_MT_ENCRYPTED_EXTENSIONS,
  SSL3_MT_END_OF_EARLY_DATA, SSL3_MT_KEY_UPDATE, SSL3_MT_NEXT_PROTO,
  SSL3_MT_MESSAGE_HASH

Reported-by: iz8mbw@users.noreply.github.com
Fixes https://github.com/curl/curl/issues/2403

6 years agoftplistparser: keep state between invokes
Daniel Stenberg [Thu, 19 Apr 2018 13:47:05 +0000 (15:47 +0200)]
ftplistparser: keep state between invokes

Regression from f786d1f14

Reported-by: wncboy on github
Fixes #2445
Closes #2508

6 years agodetect_proxy: only show proxy use if it had contents
Daniel Stenberg [Thu, 19 Apr 2018 12:59:06 +0000 (14:59 +0200)]
detect_proxy: only show proxy use if it had contents

6 years agohttp2: handle on_begin_headers() called more than once
Daniel Stenberg [Wed, 18 Apr 2018 21:51:01 +0000 (23:51 +0200)]
http2: handle on_begin_headers() called more than once

This triggered an assert if called more than once in debug mode (and a
memory leak if not debug build). With the right sequence of HTTP/2
headers incoming it can happen.

Detected by OSS-Fuzz

Closes #2507
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764

6 years agoschannel: add support for CURLOPT_CAINFO
Dan McNulty [Fri, 10 Mar 2017 20:27:30 +0000 (14:27 -0600)]
schannel: add support for CURLOPT_CAINFO

- Move verify_certificate functionality in schannel.c into a new
  file called schannel_verify.c. Additionally, some structure defintions
  from schannel.c have been moved to schannel.h to allow them to be
  used in schannel_verify.c.

- Make verify_certificate functionality for Schannel available on
  all versions of Windows instead of just Windows CE. verify_certificate
  will be invoked on Windows CE or when the user specifies
  CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.

- In verify_certificate, create a custom certificate chain engine that
  exclusively trusts the certificate store backed by the CURLOPT_CAINFO
  file.

- doc updates of --cacert/CAINFO support for schannel

- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
  when available. This implements a TODO in schannel.c to improve
  handling of multiple SANs in a certificate. In particular, all SANs
  will now be searched instead of just the first name.

- Update tool_operate.c to not search for the curl-ca-bundle.crt file
  when using Schannel to maintain backward compatibility. Previously,
  any curl-ca-bundle.crt file found in that search would have been
  ignored by Schannel. But, with CAINFO support, the file found by
  that search would have been used as the certificate store and
  could cause issues for any users that have curl-ca-bundle.crt in
  the search path.

- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
  SSL backend is Schannel. We allow setting CA location for schannel
  only when explicitly specified by the user via CURLOPT_CAINFO /
  --cacert.

- Add new test cases 3000 and 3001. These test cases check that the first
  and last SAN, respectively, matches the connection hostname. New test
  certificates have been added for these cases. For 3000, the certificate
  prefix is Server-localhost-firstSAN and for 3001, the certificate
  prefix is Server-localhost-secondSAN.

- Remove TODO 15.2 (Add support for custom server certificate
  validation), this commit addresses it.

Closes https://github.com/curl/curl/pull/1325

6 years agoschannel: fix warning
Jay Satiro [Tue, 17 Apr 2018 17:47:01 +0000 (13:47 -0400)]
schannel: fix warning

- Fix warning 'integer from pointer without a cast' on 3rd arg in
  CertOpenStore. The arg type HCRYPTPROV may be a pointer or integer
  type of the same size.

Follow-up to e35b025.

Caught by Marc's CI builds.

6 years agodocs: fix typos
Jakub Wilk [Tue, 17 Apr 2018 19:17:57 +0000 (21:17 +0200)]
docs: fix typos

Closes https://github.com/curl/curl/pull/2503

6 years agoRELEASE-NOTES: synced
Daniel Stenberg [Tue, 17 Apr 2018 11:46:06 +0000 (13:46 +0200)]
RELEASE-NOTES: synced

6 years agowinbuild: Support custom devel paths for each dependency
kdekker [Mon, 9 Apr 2018 09:19:51 +0000 (11:19 +0200)]
winbuild: Support custom devel paths for each dependency

- Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
  OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
  NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.

- Use lib.exe for making the static library instead of link.exe /lib.
  The latter is undocumented and could cause problems as noted in the
  comments.

- Remove a dangling URL that no longer worked. (I was not able to find
  the IDN download at MSDN/microsoft.com, so it seems to be removed.)

- Remove custom override for release-ssh2-ssl-dll-zlib configuration.
  Nobody knows why it was there and as far as we can see is unnecessary.

Closes https://github.com/curl/curl/pull/2474

6 years agoREADME.md: add backers and sponsors
Jess [Thu, 12 Apr 2018 05:40:17 +0000 (14:40 +0900)]
README.md: add backers and sponsors

Closes #2484

6 years agoschannel: add client certificate authentication
Archangel_SDY [Sat, 10 Mar 2018 15:40:00 +0000 (23:40 +0800)]
schannel: add client certificate authentication

Users can now specify a client certificate in system certificates store
explicitly using expression like `--cert "CurrentUser\MY\<thumbprint>"`

Closes #2376

6 years agontlm_sspi: fix authentication using Credential Manager
toughengineer [Sat, 8 Jul 2017 00:10:08 +0000 (02:10 +0200)]
ntlm_sspi: fix authentication using Credential Manager

If you pass empty user/pass asking curl to use Windows Credential
Storage (as stated in the docs) and it has valid credentials for the
domain, e.g.
curl -v -u : --ntlm example.com
currently authentication fails.
This change fixes it by providing proper SPN string to the SSPI API
calls.

Fixes https://github.com/curl/curl/issues/1622
Closes https://github.com/curl/curl/pull/1660

6 years agoconfigure: keep LD_LIBRARY_PATH changes local
Daniel Stenberg [Fri, 13 Apr 2018 12:07:39 +0000 (14:07 +0200)]
configure: keep LD_LIBRARY_PATH changes local

... only set it when we actually have to run tests to reduce its impact
on for example build commands etc.

Fixes #2490
Closes #2492

Reported-by: Dmitry Mikhirev