Commit Graph

12430 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa
7f5a29e689
ngtcp2: Fix missing initialization of nghttp3_nv.flags
Closes https://github.com/curl/curl/pull/9118
2022-07-08 00:12:08 -04:00
Viktor Szakats
190caa9ce2
Makefile.m32: add NGTCP2_LIBS option [ci skip]
Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL.
Add `NGTCP2_LIBS` envvar to override them with a custom list,
making it possible to use BoringSSL, or any other backend.

Closes #9109
2022-07-06 09:22:42 +00:00
Evgeny Grin (Karlson2k)
647ed7c78b
digest: fix missing increment of 'nc' value for auth-int
- Increment nc regardless of qop type.

Prior to this change nc was only incremented for qop type auth even
though libcurl sends nc with any qop.

Closes https://github.com/curl/curl/pull/9090
2022-07-06 04:14:37 -04:00
Daniel Stenberg
1b3d59acf9
urldata: reduce size of four ftp related members
ftp_filemethod, ftpsslauth and ftp_ccc are now uchars

accepttimeout is now unsigned int - almost 50 days ought to be enough
for this value.

Closes #9106
2022-07-05 10:18:48 +02:00
Daniel Stenberg
dcb7d4f904
urldata: reduce three type-members from int to uchar
- timecondition
- proxytype
- method

... previously used their enum type in the struct, which made them
unnecessarily large.

Closes #9105
2022-07-05 10:17:31 +02:00
Daniel Stenberg
be43dd600a
CURLOPT_SERVER_RESPONSE_TIMEOUT: the new name
Starting now, CURLOPT_FTP_RESPONSE_TIMEOUT is the alias instead of the
other way around.

Since 7.20.0, CURLOPT_SERVER_RESPONSE_TIMEOUT has existed as an alias
but since the option is for more protocols than FTP the more "correct"
version of the option is the "server" one so now we switch.

Closes #9104
2022-07-05 10:16:05 +02:00
Daniel Stenberg
671cc8e110
urldata: make 'ftp_create_missing_dirs' a uchar
It only ever holds the values 0-2.

Closes #9103
2022-07-05 10:10:49 +02:00
Daniel Stenberg
3622bf4e79
urldata: change 4 timeouts to unsigned int from long
They're not used for such long times anyway, 32 bit milliseconds is long
enough.

Closes #9101
2022-07-05 00:15:54 +02:00
Daniel Stenberg
fe14ff6150
urldata: make 'use_netrc' a uchar
Closes #9102
2022-07-04 23:04:24 +02:00
Daniel Stenberg
3fa343a35c
urldata: make 'buffer_size' an unsigned int
It is already capped at READBUFFER_MAX which fits easily in 32 bits.

Closes #9098
2022-07-04 23:03:44 +02:00
Daniel Stenberg
cb17b12b01
urldata: remove the unused 'rtspversion' struct member
Closes #9100
2022-07-04 19:44:10 +02:00
Daniel Stenberg
1d85d2e4f9
urldata: make 'use_port' an unsigned short
... instead of a long. It is already enforced to not attempt to set any
value outside of 16 bits unsigned.

Closes #9099
2022-07-04 19:42:40 +02:00
Daniel Stenberg
ccc8092b05
urldata: store dns cache timeout in an int
68 years ought to be enough for most.

Closes #9097
2022-07-04 19:28:50 +02:00
Daniel Stenberg
c5f3c47cbb
cookie: use %zu to infof() for size_t values
Detected by Coverity. CID 1507051
Closes #9095
2022-07-04 14:37:48 +02:00
Viktor Szakats
8ef0f35a04
makefile.m32: add support for custom ARCH [ci skip]
When building curl for target platform other than x64 and x86, it is now
possible to pass `ARCH=custom`, that will omit all hardcoded logic for
setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be
customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly
added one for the resource compiler: `CURL_RCFLAG_EXTRAS`.

This makes it possible to use `makefile.m32` to build for ARM64 for
example.

Reviewed-by: Daniel Stenberg
Closes #9092
2022-07-04 10:26:30 +00:00
Viktor Szakats
76172511e7
windows: improve random source
- Use the Windows API to seed the fallback random generator.

  This ensures to always have a random seed, even when libcurl is built
  with a vtls backend lacking a random generator API, such as rustls
  (experimental), GSKit and certain mbedTLS builds, or, when libcurl is
  built without a TLS backend. We reuse the Windows-specific random
  function from the Schannel backend.

- Implement support for `BCryptGenRandom()` [1] on Windows, as a
  replacement for the deprecated `CryptGenRandom()` [2] function.

  It is used as the secure random generator for Schannel, and also to
  provide entropy for libcurl's fallback random generator. The new
  function is supported on Vista and newer via its `bcrypt.dll`. It is
  used automatically when building for supported versions. It also works
  in UWP apps (the old function did not).

- Clear entropy buffer before calling the Windows random generator.

  This avoids using arbitrary application memory as entropy (with
  `CryptGenRandom()`) and makes sure to return in a predictable state
  when an API call fails.

[1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
[2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom

Closes #9027
2022-07-04 09:38:24 +00:00
Daniel Stenberg
e6f8445ede
setopt: add CURLOPT_PROTOCOLS_STR and CURLOPT_REDIR_PROTOCOLS_STR
... as replacements for deprecated CURLOPT_PROTOCOLS and
CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the
32 bit limit the old ones are facing.

CURLINFO_PROTOCOL is now deprecated.

The curl tool is updated to use the new options.

Added test 1597 to verify the libcurl protocol parser.

Closes #8992
2022-07-04 08:35:09 +02:00
Daniel Stenberg
193215db3c
digest: simplify a switch() to a simple if
2022-07-04 08:27:21 +02:00
Daniel Stenberg
a44c9ba799
digest: provide a special bit for "sess" algos
Also shortened the names and moved them to the .c file since they are
private for this source file only. Also made them #defines instead of
enum.

Closes #9079
2022-07-04 08:27:15 +02:00
Thomas Weißschuh
52e822173a
select: do not return fatal error on EINTR from poll()
The same was done for select() in 5912da25 but poll() was missed.

Bug: https://bugs.archlinux.org/task/75201
Reported-by: Alexandre Bury (gyscos at archlinux)

Ref: https://github.com/curl/curl/issues/8921
Ref: https://github.com/curl/curl/pull/8961
Ref: https://github.com/curl/curl/commit/5912da25#r77584294

Closes https://github.com/curl/curl/pull/9091
2022-07-04 00:58:07 -04:00
Jay Satiro
bbffb8c285
easy_lock: fix build for mingw
- Define SRWLOCK symbols missing in some mingw environments.

Closes https://github.com/curl/curl/pull/8997
2022-07-02 23:52:07 -04:00
Daniel Stenberg
4d4c2274d0
http_aws_sigv4.c: remove two unused includes
Closes #9080
2022-07-01 23:33:42 +02:00
Jilayne Lovejoy
28971bd453
lib/curl_path.c: add ISC to license expression
The text of the ISC license is in this file, so the SPDX license
expression should be updated

Closes #9073
2022-07-01 09:40:31 +02:00
Sean McArthur
be8d2b037d
hyper: use wakers for curl pause/resume
Closes #9070
2022-06-30 10:19:08 +02:00
Viktor Szakats
c7f53b7493
Makefile.m32: do not set the libcurl.rc debug flag [ci skip]
Delete `-DDEBUGBUILD=0` windres option. This was likely meant to
disable VS_FF_DEBUG in FILEFLAGS, but any assigned value enabled
it instead. Delete this unnecessary option and thus sync up with
how CMake compiles libcurl.rc by default.

Reviewed-by: Jay Satiro
Closes #9069
2022-06-30 08:14:29 +00:00
Daniel Stenberg
1dda49a1d3
curl.h: CURLE_CONV_FAILED is obsoleted
The last use was removed in 7.82.0. Updated some docs too to reflect the
current error code situation.

Closes #9067
2022-06-29 16:03:02 +02:00
Daniel Stenberg
33fd57b8ff
easy_lock: fix the #ifdef conditional for ia32_pause
To work better with new and old clang compilers.

Reported-by: Ryan Schmidt
Assisted-by: Joshua Root

Fixes #9058
Closes #9062
2022-06-28 16:56:50 +02:00
Daniel Stenberg
50efb0822a
easy_lock: switch to using atomic_int instead of bool
To work with more compilers without requiring separate libs to
link. Like with gcc-12 for RISC-V on Linux.

Reported-by: Adam Sampson
Fixes #9055
Closes #9061
2022-06-28 12:45:47 +02:00
vvb2060
e631f6e10e
ngtcp2: fix incompatible function pointer types
Closes #9056
2022-06-28 00:02:36 +02:00
vvb2060
5a1a892565
easy_lock.h: use __asm__ instead of asm to fix build
Closes #9056
2022-06-28 00:02:26 +02:00
Daniel Stenberg
e2e7f54b7b
easy_lock.h: include sched.h if available to fix build
Patched-by: Harry Sintonen

Closes #9054
2022-06-27 10:59:52 +02:00
Daniel Stenberg
d64115d7bb
hsts: use Curl_fopen()
2022-06-26 11:04:02 +02:00
Daniel Stenberg
fab970a5d1
altsvc: use Curl_fopen()
2022-06-26 11:04:02 +02:00
Daniel Stenberg
20f9dd6bae
fopen: add Curl_fopen() for better overwriting of files
Bug: https://curl.se/docs/CVE-2022-32207.html
CVE-2022-32207
Reported-by: Harry Sintonen
Closes #9050
2022-06-26 11:03:57 +02:00
Daniel Stenberg
48d7064a49
cookie: apply limits
- Send no more than 150 cookies per request
- Cap the max length used for a cookie: header to 8K
- Cap the max number of received Set-Cookie: headers to 50

Bug: https://curl.se/docs/CVE-2022-32205.html
CVE-2022-32205
Reported-by: Harry Sintonen
Closes #9048
2022-06-26 11:00:48 +02:00
Daniel Stenberg
3a09fbb7f2
content_encoding: return error on too many compression steps
The max allowed steps is arbitrarily set to 5.

Bug: https://curl.se/docs/CVE-2022-32206.html
CVE-2022-32206
Reported-by: Harry Sintonen
Closes #9049
2022-06-25 22:14:21 +02:00
Daniel Stenberg
6ecdf5136b
krb5: return error properly on decode errors
Bug: https://curl.se/docs/CVE-2022-32208.html
CVE-2022-32208
Reported-by: Harry Sintonen
Closes #9051
2022-06-25 22:13:09 +02:00
Daniel Stenberg
2b67a0a112
easy_lock.h: remove use of the deprecated ATOMIC_VAR_INIT macro
clang 14 warns about its use. It is being deprecated by the working
group for the programming language C: "The macro ATOMIC_VAR_INIT is
basically useless for the purpose for which it was designed"

Ref: https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2886.htm

Reported-by: Tatsuhiro Tsujikawa
Fixes #9041
Closes #9042
2022-06-23 16:17:09 +02:00
Stefan Eissing
8135d420ee
ngtcp2: avoid supplying 0 length msg_control to sendmsg()
Testing on macOS 12.4, sendmsg() fails with EINVAL when a msg_control
buffer is provided in sendmsg(), even though msg_controllen was set to
0.

Initialize msg.msg_controllen just as needed and also perform the size
assertion only when needed.

Closes #9039
2022-06-23 16:11:32 +02:00
Tom Eccles
71bbabb167
ftp: restore protocol state after http proxy CONNECT
connect_init() (lib/http_proxy.c) swaps out the protocol state while
working on the proxy connection, this is then restored by
Curl_connect_done() after the connection completes.

ftp_do_more() extracted the protocol state pointer to a local variable
at the start of the function then calls Curl_proxy_connect(). If the proxy
connection completes, Curl_proxy_connect() will call Curl_connect_done()
(via Curl_proxyCONNECT()), which restores data->req.p to point to the ftp
protocol state instead of the http proxy protocol state, but the local
variable in ftp_do_more still pointed to the old value.

Ultimately this meant that the state worked on by ftp_do_more() was the
http proxy state not the ftp state initialised by ftp_connect(), but
subsequent calls to any ftp_ function would use the original state.

For my use-case, the visible consequence was that ftp->downloadsize was
never set and so downloaded data was never returned to the application.

This commit updates the ftp protocol state pointer in ftp_do_more() after
Curl_proxy_connect() returns, ensuring that the correct state pointer is
used.

Fixes #8737
Closes #9043
2022-06-23 16:07:20 +02:00
Jay Satiro
3733717509
curl_setup: include _mingw.h
Prior to this change _mingw.h needed to be included in each unit before
evaluating __MINGW{32,64}_xxx_VERSION macros since it defines them. It
is included only in some mingw headers (eg stdio.h) and not others
(eg windows.h) so it's better to explicitly include it once.

Closes https://github.com/curl/curl/pull/9036
2022-06-23 03:34:51 -04:00
Viktor Szakats
70adb81c6f
rand: stop detecting /dev/urandom in cross-builds
- Prevent CMake from auto-detecting /dev/urandom when cross-building.
  Before this patch, it would detect it in a cross-build scenario on *nix
  hosts with this device present. This was a problem for example with
  Windows builds, but it could affect any target system with this device
  missing. This also syncs detection behaviour with autotools, which also
  skips it for cross-builds.
- Also, make sure to never use the file RANDOM_FILE as entropy for libcurl's
  fallback random number generator on Windows. Windows does not have the
  concept of reading a random stream from a filename, nor any guaranteed
  non-world-writable path on disk. With this, a manual misconfiguration or
  an overeager auto-detection can no longer result in a user-controllable
  seed source.

Reviewed-by: Daniel Stenberg
Closes #9038
2022-06-22 09:35:46 +00:00
Viktor Szakats
6c501cb624
Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows
XP when the `-ipv6` option is selected. Maybe this was added to support
pre-XP Windows versions (?). These days libcurl builds fine for both XP
and post-XP versions with IPv6 support enabled. The relevance of pre-XP
version is also low by now. Other build methods also do not impose such
limitation for a similar configuration. So, drop this hard-wired
`_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default
Windows version set by the compiler. This is Vista for recent MinGW
versions.

Old behaviour can be restored by setting this envvar:
export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501

[1] 98a61d8e2e

Closes #9035
2022-06-22 00:06:48 +00:00
Daniel Stenberg
d5dc3629eb
easy: remove dead code
Follow-up from 5912da253b

Detected by Coverity (CID 1506519)

Closes #9029
2022-06-20 10:44:28 +02:00
Glenn Strauss
7f43f3dc59
transfer: upload performance; avoid tiny send
Append to the upload buffer when only small amount remains in buffer
rather than performing a separate tiny send to empty buffer.

Avoid degenerative upload behavior which might cause curl to send mostly
1-byte DATA frames after exhausting the h2 send window size

Related discussion: https://github.com/nghttp2/nghttp2/issues/1722

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Closes #8965
2022-06-20 09:42:40 +02:00
Pierrick Charron
4bf2c231d7
urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
As per the documentation:

> Setting a part to a NULL pointer will effectively remove that
> part's contents from the CURLU handle.

But currently clearing CURLUPART_URL does nothing and returns
CURLUE_OK. This change will clear all parts of the URL at once.

Closes #9028
2022-06-20 08:15:51 +02:00
Jay Satiro
a8a4abb2ae
vtls: make curl_global_sslset thread-safe
.. and update some docs to explain curl_global_* is now thread-safe.

Follow-up to 23af112 which made curl_global_init/cleanup thread-safe.

Closes https://github.com/curl/curl/pull/9016
2022-06-16 03:18:40 -04:00
Daniel Stenberg
ef22d5c42a
libssh: skip the fake-close when libssh does the right thing
Starting in libssh 0.10.0 ssh_disconnect() will no longer close our
socket. Instead it will be kept alive as we want it, and it is our
responsibility to close it later.

Ref: #8718
Ref: https://gitlab.com/libssh/libssh-mirror/-/merge_requests/240
Closes #9021
2022-06-15 23:43:35 +02:00
Viktor Szakats
a94d6fe706
version: rename threadsafe-init to threadsafe
Referring to Daniel's article [1], making the init function thread-safe
was the last bit to make libcurl thread-safe as a whole. So the name of
the feature may as well be the more concise 'threadsafe', also telling
the story that libcurl is now fully thread-safe, not just its init
function. Chances are high that libcurl wants to remain so in the
future, so there is little likelihood of ever needing any other distinct
`threadsafe-<name>` feature flags.

For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
`CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
thread safety documentation.

[1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/

Reviewed-by: Daniel Stenberg
Reviewed-by: Jay Satiro
Closes #8989
2022-06-13 18:59:45 +00:00
Daniel Stenberg
be632e23df
easy_lock: add SPDX license identifier
Closes #8998
2022-06-13 09:36:25 +02:00