Commit Graph

27112 Commits

Author SHA1 Message Date
Daniel Stenberg
781864bedb
gnutls: make setting only the MAX TLS allowed version work
Previously, settting only the max allowed TLS version, leaving the
minimum one at default, didn't actually set it and left it to default
(TLS 1.3) too!

As a bonus, this change also removes the dead code handling of SSLv3
since that version can't be set anymore (since eff614fb02).

Reported-by: Daniel Carpenter
Fixes #6998
Closes #7000
2021-05-05 12:51:56 +02:00
Daniel Stenberg
8bdde6b14c
openldap: replace ldap_ prefix on private functions
Since openldap itself uses that prefix and with OpenĹDAP 2.5.4 (at
least) there's a symbol collision because of that.

The private functions now use the 'oldap_' prefix where it previously
used 'ldap_'.

Reported-by: 3eka on github
Fixes #7004
Closes #7005
2021-05-05 12:29:46 +02:00
Jay Satiro
ba0d3c28ca http2: fix potentially uninitialized variable
introduced several days ago in 3193170. caught by visual studio linker.
2021-05-05 03:16:06 -04:00
Gilles Vollant
77fc3859b2 SSL: support in-memory CA certs for some backends
- New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to
  specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
  and Secure Transport (Apple) SSL backends.

Prior to this change PEM certificates could only be imported from a file
and not from memory.

Co-authored-by: moparisthebest@users.noreply.github.com

Ref: https://github.com/curl/curl/pull/4679
Ref: https://github.com/curl/curl/pull/5677
Ref: https://github.com/curl/curl/pull/6109

Closes https://github.com/curl/curl/pull/6662
2021-05-05 02:29:16 -04:00
David Cook
70cf50fb4a
tests: ignore case of chunked hex numbers in tests
When hyper is used, it emits uppercase hexadecimal numbers for chunked
encoding lengths. Without hyper, lowercase hexadecimal numbers are used.
This change adds preprocessor statements to tests where this is an
issue, and adapts the fixtures to match.

Closes #6987
2021-05-04 15:57:57 +02:00
Daniel Stenberg
8419fe4d88
cmake: check for getppid and utimes
... as they're checked for in the configure script and are used by
source code.

Removed checks for perror, setvbuf and strlcat since those defines are
not checked for in source code.

Bonus: removed HAVE_STRLCPY from a few config-*.h files since that
symbol is not used in source code.

Closes #6997
2021-05-04 14:46:55 +02:00
Daniel Stenberg
91d9fead66
libtest: remove lib530.c
Follow up from e50a877df when test 530 was removed. Since then this
source file has not been used/needed.

Closes #6999
2021-05-04 14:45:52 +02:00
Daniel Stenberg
23e9b96a64
FILEFORMAT: mention sectransp as a feature
Been supported since at least 40259ca65

Closes #7001
2021-05-04 14:45:01 +02:00
Daniel Stenberg
964b840f34
RELEASE-NOTES: synced 2021-05-04 10:27:35 +02:00
Daniel Stenberg
7645324072
libssh2: ignore timeout during disconnect
... to avoid memory leaks!

libssh2 is tricky as we have to deal with the non-blockiness even in
close and shutdown cases. In the cases when we shutdown after a timeout
already expired, it is crucial that curl doen't let the timeout abort
the shutdown process as that then leaks memory!

Reported-by: Benjamin Riefenstahl
Fixes #6990
2021-05-04 08:20:40 +02:00
Daniel Stenberg
7d7a0a8b09
KNOWN_BUGS: add two HTTP/2 bugs 2021-05-03 17:27:35 +02:00
Daniel Stenberg
e41f2e5225
KNOWN_BUGS: add three HTTP/3 issues
... and moved the HTTP/2 issues to its own section

Closes #6606
Closes #6510
Closes #6494
2021-05-03 17:22:52 +02:00
ejanchivdorj
94241a9e78
CURLcode: add CURLE_SSL_CLIENTCERT
When a TLS server requests a client certificate during handshake and
none can be provided, libcurl now returns this new error code
CURLE_SSL_CLIENTCERT

Only supported by Secure Transport and OpenSSL for TLS 1.3 so far.

Closes #6721
2021-05-03 17:11:01 +02:00
Tobias Gabriel
0acfe05c2e
.github/FUNDING: add link to GitHub sponsors
Closes #6985
2021-05-03 16:46:30 +02:00
Harry Sintonen
5af7a48668
krb5/name_to_level: replace checkprefix with curl_strequal
Closes #6993
2021-05-03 16:35:27 +02:00
Harry Sintonen
6201f5c699
Curl_input_digest: require space after Digest
Closes #6993
2021-05-03 16:35:25 +02:00
Harry Sintonen
a60294cf43
Curl_http_header: check for colon when matching Persistent-Auth
Closes #6993
2021-05-03 16:35:22 +02:00
Harry Sintonen
b75620b9a0
Curl_http_input_auth: require valid separator after negotiation type
Closes #6993
2021-05-03 16:35:14 +02:00
Daniel Stenberg
8b9de77cd2
http: fix the check for 'Authorization' with Bearer
The code would wrongly check for it using an additional colon.

Reported-by: Blake Burkhart
Closes #6988
2021-05-02 12:08:20 +02:00
Kamil Dudka
3a6058cb97
http2: fix a resource leak in push_promise()
... detected by Coverity:

Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:532: alloc_fn: Storage is returned from allocation function "duphandle".
lib/http2.c:532: var_assign: Assigning: "newhandle" = storage returned from "duphandle(data)".
lib/http2.c:552: noescape: Resource "newhandle" is not freed or pointed-to in "set_transfer_url".
lib/http2.c:555: leaked_storage: Variable "newhandle" going out of scope leaks the storage it points to.

Closes #6986
2021-05-01 23:40:14 +02:00
Kamil Dudka
3193170470
http2: fix resource leaks in set_transfer_url()
... detected by Coverity:

Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:486: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:488: leaked_storage: Variable "u" going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:493: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:495: leaked_storage: Variable "u" going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:500: noescape: Resource "u" is not freed or pointed-to in "curl_url_set". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:502: leaked_storage: Variable "u" going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK (CWE-772):
lib/http2.c:480: alloc_fn: Storage is returned from allocation function "curl_url". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:480: var_assign: Assigning: "u" = storage returned from "curl_url()".
lib/http2.c:505: noescape: Resource "u" is not freed or pointed-to in "curl_url_get". [Note: The source code implementation of the function has been overridden by a builtin model.]
lib/http2.c:507: leaked_storage: Variable "u" going out of scope leaks the storage it points to.

Closes #6986
2021-05-01 23:39:18 +02:00
Jacob Hoffman-Andrews
8228002cd1
rustls: use ALPN
Update required rustls to 0.5.0

Closes #6960
2021-04-30 08:27:37 +02:00
MAntoniak
ea17a022b3
gskit: fix CURL_DISABLE_PROXY build
Removed localfd and remotefd from ssl_backend_data (ued only with proxy
connection). Function pipe_ssloverssl return always 0, when proxy is not
used.

Closes #6981
2021-04-30 00:30:43 +02:00
MAntoniak
71bffe73f8
gskit: fix undefined reference to 'conn'
Closes #6980
2021-04-29 23:01:19 +02:00
Jacob Hoffman-Andrews
a3268eca79
tls: add USE_HTTP2 define
This abstracts across the two HTTP/2 backends: nghttp2 and Hyper.

Add our own define for the "h2" ALPN protocol, so TLS backends can use
it without depending on a specific HTTP backend.

Closes #6959
2021-04-29 15:04:39 +02:00
Jacob Hoffman-Andrews
5c932f8fe9
lib: fix 0-length Curl_client_write calls
Closes #6954
2021-04-29 15:02:32 +02:00
Jacob Hoffman-Andrews
f4b85d24b2
lib: remove strlen call from Curl_client_write
At all call sites with an explicit 0 len, pass an appropriate nonzero
len.

Closes #6954
2021-04-29 15:02:16 +02:00
Ayushman Singh Chauhan
6aae7b1761
docs: camelcase it like GitHub everywhere
Closes #6979
2021-04-28 08:16:20 +02:00
Lucas Servén Marín
b08863822c docs: fix typo in fail-with-body doc
This commit fixes a small typo in the documentation for the
--fail-with-body flag.

Closes https://github.com/curl/curl/pull/6977
2021-04-27 15:11:08 -04:00
Jay Satiro
1d5d0ae9e5 lib: fix some misuse of curlx_convert_UTF8_to_tchar
curlx_convert_UTF8_to_tchar must be freed by curlx_unicodefree, but
prior to this change some uses mistakenly called free.

I've reviewed all other uses of curlx_convert_UTF8_to_tchar and
curlx_convert_tchar_to_UTF8.

Bug: https://github.com/curl/curl/pull/6602#issuecomment-825236763
Reported-by: sergio-nsk@users.noreply.github.com

Closes https://github.com/curl/curl/pull/6938
2021-04-27 15:09:23 -04:00
Daniel Stenberg
3e820fbf25
ntlm: precaution against super huge type2 offsets
... which otherwise caused an integer overflow and circumvented the if()
conditional size check.

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
Assisted-by: Max Dymond
Closes #6975
2021-04-27 16:02:02 +02:00
Daniel Stenberg
826c438c61
c-hyper: fix unused variable ‘wrote’ 2021-04-27 16:00:48 +02:00
Daniel Stenberg
2e23f3b8d5
libcurl-security.3: be careful of setuid
Reported-by: Harry Sintonen
Closes #6970
2021-04-27 07:51:42 +02:00
Kevin Burke
76f33fd373
c-hyper: don't write to set.writeheader if null
Previously if a caller set CURLOPT_WRITEFUNCTION but did not set a
CURLOPT_HEADERDATA buffer, Hyper would still attempt to write headers to
the data->set.writeheader header buffer, even though it is null.  This
led to NPE segfaults attempting to use libcurl+Hyper with Git, for
example.

Instead, process the client write for the status line using the same
logic we use to process the client write for the later HTTP headers,
which contains the appropriate guard logic. As a side benefit,
data->set.writeheader is now only read in one file instead of two.

Fixes #6619
Fixes abetterinternet/crustls#49
Fixes hyperium/hyper#2438
Closes #6971
2021-04-27 07:49:05 +02:00
Daniel Stenberg
9fc284427c
wolfssl: handle SSL_write() returns 0 for error
Reported-by: Timo Lange

Closes #6967
2021-04-26 14:27:45 +02:00
Daniel Stenberg
f154ae9de3
easy: ignore sigpipe in curl_easy_send
Closes #6965
2021-04-26 13:22:20 +02:00
Daniel Stenberg
9ec1ef7f41
sigpipe: ignore SIGPIPE when using wolfSSL as well
Closes #6966
2021-04-26 12:59:42 +02:00
Daniel Stenberg
7fdf01f32e
libcurl-security.3: don't try to filter IPv4 hosts based on the URL
Closes #6942
2021-04-26 10:25:03 +02:00
Harry Sintonen
f2e1163bc8
nss_set_blocking: avoid static for sock_opt
Reviewed-by: Kamil Dudka
Closes #6945
2021-04-26 08:45:54 +02:00
Daniel Stenberg
56e2319611
RELEASE-NOTES: synced 2021-04-26 08:30:44 +02:00
Yusuke Nakamura
c1311dba6e
docs/HTTP3.md: fix nghttp2's HTTP/3 server port
Port 8443 does not work now.
Correct origin is in the quicwg's wiki.
https://github.com/quicwg/base-drafts/wiki/Implementations#ngtcp2

Closes #6964
2021-04-26 08:07:37 +02:00
Daniel Stenberg
994af2a1e9
krb5: don't use 'static' to store PBSZ size response
... because it makes the knowledge and usage cross-transfer in funny and
unexpected ways.

Reported-by: Harry Sintonen
Closes #6963
2021-04-26 08:04:52 +02:00
Kevin Burke
9f71cc293f
m4: add security frameworks on Mac when compiling rustls
Previously compiling rustls on Mac would only complete if you also
compiled the SecureTransport TLS backend, which curl would prefer to
the Rust backend.

Appending these flags to LDFLAGS makes it possible to compile the
Rustls backend on Mac without the SecureTransport backend, which means
this patch will make it possible for Mac users to use the Rustls
backend for TLS.

Reviewed-by: Jacob Hoffman-Andrews

Fixes #6955
Cloes #6956
2021-04-25 23:30:08 +02:00
Daniel Stenberg
7843fe0a1b
krb5: remove the unused 'overhead' function
Closes #6947
2021-04-25 14:51:34 +02:00
Johann150
68f6c56396
curl_url_set.3: add memory management information
wording taken from man page for CURLOPT_URL.3

As far as I can see, the URL part is either malloc'ed before due to
encoding or it is strdup'ed.

Closes #6953
2021-04-25 14:13:29 +02:00
Jacob Hoffman-Andrews
5e7fc49c19
c-hpyer: fix handling of zero-byte chunk from hyper
Closes #6951
2021-04-25 14:11:21 +02:00
Daniel Stenberg
f014eeceb2
CURLOPT_POSTFIELDS.3: clarify how it gets the size of the data
Ref: https://curl.se/mail/lib-2021-04/0085.html
Closes #6943
2021-04-23 23:20:31 +02:00
Ralph Langendam
a60b111980
cmake: make libcurl output filename configurable
Reviewed-by: Jakub Zakrzewski
Closes #6933
2021-04-23 18:42:31 +02:00
Patrick Monnerat
a4554b2c5e
vtls: reset ssl use flag upon negotiation failure
Fixes the segfault in ldaps disconnect.

Reported-by: Illarion Taev
Fixes #6934
Closes #6937
2021-04-23 14:41:39 +02:00
Daniel Stenberg
47e169e7a4
configure: fix typo in TLS error message
Reported-by: Pontus Lundkvist
2021-04-23 09:21:02 +02:00