Commit Graph

23746 Commits

Author SHA1 Message Date
Daniel Gustafsson
2fcc4367be configure: Fix typo in comment 2018-11-21 12:24:41 +01:00
Michael Kaufmann
549310e907 openssl: support session resume with TLS 1.3
Session resumption information is not available immediately after a TLS 1.3
handshake. The client must wait until the server has sent a session ticket.

Use OpenSSL's "new session" callback to get the session information and put it
into curl's session cache. For TLS 1.3 sessions, this callback will be invoked
after the server has sent a session ticket.

The "new session" callback is invoked only if OpenSSL's session cache is
enabled, so enable it and use the "external storage" mode which lets curl manage
the contents of the session cache.

A pointer to the connection data and the sockindex are now saved as "SSL extra
data" to make them available to the callback.

This approach also works for old SSL/TLS versions and old OpenSSL versions.

Reviewed-by: Daniel Stenberg <daniel@haxx.se>

Fixes #3202
Closes #3271
2018-11-21 11:18:25 +01:00
Michael Kaufmann
30a65381f9 ssl: fix compilation with OpenSSL 0.9.7
- ENGINE_cleanup() was used without including "openssl/engine.h"
- enable engine support for OpenSSL 0.9.7

Closes #3266
2018-11-21 11:14:26 +01:00
Daniel Stenberg
59311bd3df
openssl: disable TLS renegotiation with BoringSSL
Since we're close to feature freeze, this change disables this feature
with an #ifdef. Define ALLOW_RENEG at build-time to enable.

This could be converted to a bit for CURLOPT_SSL_OPTIONS to let
applications opt-in this.

Concern-raised-by: David Benjamin
Fixes #3283
Closes #3293
2018-11-21 08:30:18 +01:00
Romain Fliedel
6765e6d9e6
ares: remove fd from multi fd set when ares is about to close the fd
When using c-ares for asyn dns, the dns socket fd was silently closed
by c-ares without curl being aware. curl would then 'realize' the fd
has been removed at next call of Curl_resolver_getsock, and only then
notify the CURLMOPT_SOCKETFUNCTION to remove fd from its poll set with
CURL_POLL_REMOVE. At this point the fd is already closed.

By using ares socket state callback (ARES_OPT_SOCK_STATE_CB), this
patch allows curl to be notified that the fd is not longer needed
for neither for write nor read. At this point by calling
Curl_multi_closed we are able to notify multi with CURL_POLL_REMOVE
before the fd is actually closed by ares.

In asyn-ares.c Curl_resolver_duphandle we can't use ares_dup anymore
since it does not allow passing a different sock_state_cb_data

Closes #3238
2018-11-20 19:58:45 +01:00
Romain Fliedel
47ccb2d204
examples/ephiperfifo: report error when epoll_ctl fails 2018-11-20 19:58:41 +01:00
pkubaj
7c96f6a14b ntlm: Remove redundant ifdef USE_OPENSSL
lib/curl_ntlm.c had code that read as follows:

  #ifdef USE_OPENSSL
  # ifdef USE_OPENSSL
  # else
  # ..
  # endif
  #endif

Remove the redundant USE_OPENSSL along with #else (it's not possible to
reach it anyway). The removed construction is a leftover from when the
SSLeay support was removed.

Closes #3269
Reviewed-by: Daniel Gustafsson <daniel@yesql.se>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-20 14:59:12 +01:00
Han Han
78ff4e0de3
ssl: replace all internal uses of CURLE_SSL_CACERT
Closes #3291
2018-11-20 14:57:00 +01:00
Han Han
89d2e95f78 docs: add more description to unified ssl error codes 2018-11-19 15:57:44 -08:00
Han Han
0fd4427f40 curle: move deprecated error code to ifndef block 2018-11-19 15:16:54 -08:00
Patrick Monnerat
c19ed66a8d os400: add CURLOPT_CURLU to ILE/RPG binding. 2018-11-19 15:23:00 +01:00
Patrick Monnerat
ee90ca02e0 os400: Add curl_easy_conn_upkeep() to ILE/RPG binding. 2018-11-19 15:22:00 +01:00
Patrick Monnerat
50397e1fd8 os400: fix return type of curl_easy_pause() in ILE/RPG binding. 2018-11-19 15:19:36 +01:00
Daniel Stenberg
e6d390a767
RELEASE-NOTES: synced 2018-11-19 14:39:59 +01:00
Daniel Stenberg
a04ed00a77
impacket: add LICENSE
The license for the impacket package was not in our tree.

Imported now from upstream's
https://github.com/SecureAuthCorp/impacket/blob/master/LICENSE

Reported-by: infinnovation-dev on github
Fixes #3276
Closes #3277
2018-11-19 14:08:28 +01:00
Daniel Gustafsson
b88bf6e650 tool_doswin: Fix uninitialized field warning
The partial struct initialization in 397664a065 caused
a warning on uninitialized MODULEENTRY32 struct members:

  /src/tool_doswin.c:681:3: warning: missing initializer for field
  'th32ModuleID' of 'MODULEENTRY32 {aka struct tagMODULEENTRY32}'
  [-Wmissing-field-initializers]

This is sort of a bogus warning as the remaining members will be set
to zero by the compiler, as all omitted members are. Nevertheless,
remove the warning by omitting all members and setting the dwSize
members explicitly.

Closes #3254
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
2018-11-18 21:57:00 +01:00
Daniel Gustafsson
1cccf2f945 openssl: Remove SSLEAY leftovers
Commit 709cf76f6b deprecated USE_SSLEAY, as curl since long isn't
compatible with the SSLeay library. This removes the few leftovers that
were omitted in the less frequently used platform targets.

Closes #3270
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-17 21:36:10 +01:00
Elia Tufarolo
07ebaf8378
http_negotiate: do not close connection until negotiation is completed
Fix HTTP POST using CURLAUTH_NEGOTIATE.

Closes #3275
2018-11-16 23:38:47 +01:00
Daniel Stenberg
6d0e487f9f
pop3: only do APOP with a valid timestamp
Brought-by: bobmitchell1956 on github
Fixes #3278
Closes #3279
2018-11-16 23:36:53 +01:00
Peter Wu
27e4ac24cd openssl: do not log excess "TLS app data" lines for TLS 1.3
The SSL_CTX_set_msg_callback callback is not just called for the
Handshake or Alert protocols, but also for the raw record header
(SSL3_RT_HEADER) and the decrypted inner record type
(SSL3_RT_INNER_CONTENT_TYPE). Be sure to ignore the latter to avoid
excess debug spam when using `curl -v` against a TLSv1.3-enabled server:

    * TLSv1.3 (IN), TLS app data, [no content] (0):

(Following this message, another callback for the decrypted
handshake/alert messages will be be present anyway.)

Closes https://github.com/curl/curl/pull/3281
2018-11-16 16:03:31 -05:00
Marc Hoersken
9cf7b7e660 tests: disable SO_EXCLUSIVEADDRUSE for stunnel on Windows
SO_EXCLUSIVEADDRUSE is on by default on Vista or newer,
but does not work together with SO_REUSEADDR being on.

The default changes were made with stunnel 5.34 and 5.35.
2018-11-15 21:10:29 +01:00
Kamil Dudka
3d988c5563
nss: remove version selecting dead code
Closes #3262
2018-11-13 23:55:22 +01:00
Daniel Stenberg
0c448093dd
nss: set default max-tls to 1.3/1.2
Fixes #3261
2018-11-13 23:54:13 +01:00
Daniel Gustafsson
2f5f31bb57 tool_cb_wrt: Silence function cast compiler warning
Commit 5bfaa86ceb introduced a new
compiler warning on Windows cross compilation with GCC. See below
for an example of the warning from the autobuild logs (whitespace
edited to fit):

/src/tool_cb_wrt.c:175:9: warning: cast from function call of type
    'intptr_t {aka long long int}' to non-matching type 'void *'
    [-Wbad-function-cast]
(HANDLE) _get_osfhandle(fileno(outs->stream)),
^

Store the return value from _get_osfhandle() in an intermediate
variable and cast the variable in WriteConsoleW() rather than the
function call directly to avoid a compiler warning.

In passing, also add inspection of the MultiByteToWideChar() return
value and return failure in case an error is reported.

Closes #3263
Reviewed-by: Marcel Raad <Marcel.Raad@teamviewer.com>
Reviewed-by: Viktor Szakats <commit@vszakats.net>
2018-11-13 13:51:46 +01:00
Daniel Stenberg
42fd235040
nss: fix fallthrough comment to fix picky compiler warning 2018-11-12 15:23:17 +01:00
Daniel Stenberg
f7fa04d7f3
docs: expanded on some CURLU details 2018-11-11 00:10:56 +01:00
Tim Rühsen
c05d77ee7d
ftp: avoid two unsigned int overflows in FTP listing parser
Curl_ftp_parselist: avoid unsigned integer overflows

The overflow has no real world impact, just avoid it for "best
practice".

Closes #3225
2018-11-09 23:08:46 +01:00
Daniel Stenberg
fcf3f13368
curl: --local-port range was not "including"
The end port number in a given range was not included in the range used,
as it is documented to be.

Reported-by: infinnovation-dev on github
Fixes #3251
Closes #3255
2018-11-09 22:34:14 +01:00
Jérémy Rocher
27cb384679
openssl: support BoringSSL TLS renegotiation
As per BoringSSL porting documentation [1], BoringSSL rejects peer
renegotiations by default.

curl fails when trying to authenticate to server through client
certificate if it is requested by server after the initial TLS
handshake.

Enable renegotiation by default with BoringSSL to get same behavior as
with OpenSSL. This is done by calling SSL_set_renegotiate_mode [2]
which was introduced in commit 1d5ef3bb1eb9 [3].

1 - https://boringssl.googlesource.com/boringssl/+/HEAD/PORTING.md#tls-renegotiation
2 - https://boringssl.googlesource.com/boringssl/+/master/include/openssl/ssl.h#3482
3 - https://boringssl.googlesource.com/boringssl/+/1d5ef3bb1eb97848617db5e7d633d735a401df86

Signed-off-by: Jérémy Rocher <rocher.jeremy@gmail.com>
Fixes #3258
Closes #3259
2018-11-09 22:32:47 +01:00
Daniel Stenberg
a1aabed817
HISTORY: add some milestones
Added a few of the more notable milestones in curl history that were
missing. Primarily more recent ones but I also noted some older that
could be worth mentioning.

[ci skip]
Closes #3257
2018-11-09 17:46:05 +01:00
Daniel Gustafsson
10c91b6660 KNOWN_BUGS: add --proxy-any connection issue
Add the identified issue with --proxy-any and proxy servers which
advertise authentication schemes other than the supported one.

Closes #876
Closes #3250
Reported-by: NTMan on Github
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-09 16:50:39 +01:00
Jim Fuller
5c4fe0d826
setopt: add CURLOPT_CURLU
Allows an application to pass in a pre-parsed URL via a URL handle.

Closes #3227
2018-11-09 15:47:28 +01:00
Gisle Vanem
073332b525
docs: ESCape "\n" codes
Groff / Troff will display a:
 printaf("Errno: %ld\n", error);
as:
  printf("Errno: %ld0, error);

when a "\n" is not escaped. Use "\\n" instead.

Closes #3246
2018-11-09 15:38:52 +01:00
Daniel Stenberg
f859b05c66
curl: --local-port fix followup
Regression by 52db54869e.

Reported-by: infinnovation-dev on github
Fixes #3248
Closes #3249
2018-11-08 13:59:16 +01:00
Gisle Vanem
08b1a851cc
More "\n" ESCaping 2018-11-07 13:32:17 +01:00
Daniel Stenberg
d9a7458557
RELEASE-NOTES: synced 2018-11-07 12:00:14 +01:00
Daniel Stenberg
52db54869e
curl: fix --local-port integer overflow
The tool's local port command line range parser didn't check for integer
overflows and could pass "weird" data to libcurl for this option.
libcurl however, has a strict range check for the values so it rejects
anything outside of the accepted range.

Reported-by: Brian Carpenter
Closes #3242
2018-11-07 11:48:17 +01:00
Daniel Stenberg
bda4ef417a
curl: correct the switch() logic in ourWriteOut
Follow-up to e431daf013, as I did the wrong correction for a compiler
warning. It should be a break and not a fall-through.

Pointed-out-by: Frank Gevaerts
2018-11-07 11:15:20 +01:00
Frank Gevaerts
e431daf013
curl: add %{stderr} and %{stdout} for --write-out
Closes #3115
2018-11-07 11:09:55 +01:00
Daniel Gustafsson
8a49b291cb winssl: be consistent in Schannel capitalization
The productname from Microsoft is "Schannel", but in infof/failf
reporting we use "schannel". This removes different versions.

Closes #3243
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
2018-11-07 10:11:13 +01:00
Daniel Stenberg
64f9d391ed
TODO: Have the URL API offer IDN decoding
Similar to how URL decoding/encoding is done, we could have URL
functions to convert IDN host names to punycode.

Suggested-by: Alexey Melnichuk
Closes #3232
2018-11-07 08:46:34 +01:00
Daniel Stenberg
9aa8ff2895
urlapi: only skip encoding the first '=' with APPENDQUERY set
APPENDQUERY + URLENCODE would skip all equals signs but now it only skip
encoding the first to better allow "name=content" for any content.

Reported-by: Alexey Melnichuk
Fixes #3231
Closes #3231
2018-11-07 08:28:48 +01:00
Daniel Stenberg
9df8dc101b
url: a short host name + port is not a scheme
The function identifying a leading "scheme" part of the URL considered a
few letters ending with a colon to be a scheme, making something like
"short:80" to become an unknown scheme instead of a short host name and
a port number.

Extended test 1560 to verify.

Also fixed test203 to use file_pwd to make it get the correct path on
windows. Removed test 2070 since it was a duplicate of 203.

Assisted-by: Marcel Raad
Reported-by: Hagai Auro
Fixes #3220
Fixes #3233
Closes #3223
Closes #3235
2018-11-06 19:11:58 +01:00
Sangamkar
74f4782319
libcurl: stop reading from paused transfers
In the transfer loop it would previously not acknwledge the pause bit
and continue until drained or loop ended.

Closes #3240
2018-11-06 19:07:17 +01:00
Jay Satiro
397664a065 tool: add undocumented option --dump-module-paths for win32
- Add an undocumented diagnostic option for Windows to show the full
  paths of all loaded modules regardless of whether or not libcurl
  initialization succeeds.

This is needed so that in the CI we can get a list of all DLL
dependencies after initialization (when they're most likely to have
finished loading) and then package them as artifacts so that a
functioning build can be downloaded. Also I imagine it may have some use
as a diagnostic for help requests.

Ref: https://github.com/curl/curl/pull/3103

Closes https://github.com/curl/curl/pull/3208
2018-11-06 03:15:44 -05:00
Jay Satiro
28429fb175 curl_multibyte: fix a malloc overcalculation
Prior to this change twice as many bytes as necessary were malloc'd when
converting wchar to UTF8. To allay confusion in the future I also
changed the variable name for the amount of bytes from len to bytes.

Closes https://github.com/curl/curl/pull/3209
2018-11-06 03:11:05 -05:00
Michael Kaufmann
53db15ba55 netrc: don't ignore the login name specified with "--user"
- for "--netrc", don't ignore the login/password specified with "--user",
  only ignore the login/password in the URL.
  This restores the netrc behaviour of curl 7.61.1 and earlier.
- fix the documentation of CURL_NETRC_REQUIRED
- improve the detection of login/password changes when reading .netrc
- don't read .netrc if both login and password are already set

Fixes #3213
Closes #3224
2018-11-05 20:34:01 +01:00
Patrick Monnerat
a77b640cc0 OS400: add URL API ccsid wrappers and sync ILE/RPG bindings 2018-11-05 15:37:23 +01:00
Yasuhiro Matsumoto
5bfaa86ceb
curl: fixed UTF-8 in current console code page (Windows)
Fixes #3211
Fixes #3175
Closes #3212
2018-11-05 09:58:29 +01:00
Daniel Stenberg
29c05ce9c3
TODO: 2.6 multi upkeep
Closes #3199
2018-11-05 09:54:18 +01:00