Uniformly use `OPENSSL_VERSION_NUMBER` to check for OpenSSL version.
Before this patch some places used `OPENSSL_VERSION_MAJOR`.
Also fix `lib/md4.c`, which included `opensslconf.h`, but that doesn't
define any version number in these implementations: BoringSSL, AWS-LC,
LibreSSL, wolfSSL. (Only in mainline OpenSSL/quictls). Switch that to
`opensslv.h`. This wasn't causing a deeper problem because the code is
looking for v3, which is only provided by OpenSSL/quictls as of now.
According to https://github.com/openssl/openssl/issues/17517, the macro
`OPENSSL_VERSION_NUMBER` is safe to use and not deprecated.
Reviewed-by: Marcel Raad
Closes#12298
Some servers don't support the ALPN protocol "http/1.0" (e.g. IIS 10),
avoid it and use "http/1.1" instead.
This reverts commit df856cb5c9 (#10183).
Fixes#12259Closes#12285
- Pelles C: Unclear status, failed to obtain a fresh copy a few months
ago. Possible website is HTTP-only. ~10 years ago I left this compiler
dealing with crashes and other issues with no response on the forum
for years. It has seen some activity in curl back in 2021.
- LCC: Last stable release in September 2002.
- Salford C: Misses winsock2 support, possibly abandoned? Last mentioned
in 2006.
- Borland C++: We dropped Borland C++ support in 2018.
- MS Visual C++ 6.0: Released in 1998. curl already requires VS 2010
(or possibly 2008) as a minimum.
Closes#12222
We use `stdint.h` unconditionally in all places except one. These uses
are imposed by external dependencies / features. nghttp2, quic, wolfSSL
and `HAVE_MACH_ABSOLUTE_TIME` do require this C99 header. It means that
any of these features make curl require a C99 compiler. (In case of
MSVC, this means Visual Studio 2010 or newer.)
This patch changes the single use of `stdint.h` guarded by
`HAVE_STDINT_H` to use `stdint.h` unconditionally. Also stop using
`inttypes.h` as an alternative there. `HAVE_INTTYPES_H` wasn't used
anywhere else, allowing to delete this feature check as well.
Closes#12275
This PR has these changes:
Renaming of unencode_* to cwriter, e.g. client writers
- documentation of sendf.h functions
- move max decode stack checks back to content_encoding.c
- define writer phase which was used as order before
- introduce phases for monitoring inbetween decode phases
- offering default implementations for init/write/close
Add type paramter to client writer's do_write()
- always pass all writes through the writer stack
- writers who only care about BODY data will pass other writes unchanged
add RAW and PROTOCOL client writers
- RAW used for Curl_debug() logging of CURLINFO_DATA_IN
- PROTOCOL used for updates to data->req.bytecount, max_filesize checks and
Curl_pgrsSetDownloadCounter()
- remove all updates of data->req.bytecount and calls to
Curl_pgrsSetDownloadCounter() and Curl_debug() from other code
- adjust test457 expected output to no longer see the excess write
Closes#12184
autotools unexpectedly detects `arc4random` because it is also looking
into dependency libs. One dependency, LibreSSL, happens to publish an
`arc4random` function (via its shared lib before v3.7, also via static
lib as of v3.8.2). When trying to use this function in `lib/rand.c`,
its protoype is missing. To fix that, curl included a prototype, but
that used a C99 type without including `stdint.h`, causing:
```
../../lib/rand.c:37:1: error: unknown type name 'uint32_t'
37 | uint32_t arc4random(void);
| ^
1 error generated.
```
This patch improves this by dropping the local prototype and instead
limiting `arc4random` use for non-OpenSSL builds. OpenSSL builds provide
their own random source anyway.
The better fix would be to teach autotools to not link dependency libs
while detecting `arc4random`.
LibreSSL publishing a non-namespaced `arc4random` tracked here:
https://github.com/libressl/portable/issues/928
Regression from 755ddbe901cd0c921fbc3ac5b3775c0dc683bc73 #10672
Reviewed-by: Daniel Stenberg
Fixes#12257Closes#12274
This change fixes a compiler warning with gcc-12.2.0 when
`-DCURL_DISABLE_BEARER_AUTH=ON` is used.
/home/tox/src/curl/lib/http.c: In function 'Curl_http_input_auth':
/home/tox/src/curl/lib/http.c:1147:12: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
1147 | ;
| ^
Closes#12262
Since vanilla OpenSSL does not support the QUIC API I think it helps
users to identify the correct OpenSSL fork in version output. The best
(crude) way to do that right now seems to be to check if ngtcp2 support
is enabled.
Closes#12270
- tunnel https proxy used for http: transfers does
no check if proxy-ssl configuration matches
- test cases added, test_10_12 fails on 8.4.0
Closes#12255
- Add these revocation errors to sspi error list:
CRYPT_E_NO_REVOCATION_DLL, CRYPT_E_NO_REVOCATION_CHECK,
CRYPT_E_REVOCATION_OFFLINE and CRYPT_E_NOT_IN_REVOCATION_DATABASE.
Prior to this change those error codes were not matched to their macro
name and instead shown as "unknown error".
Before:
schannel: next InitializeSecurityContext failed:
Unknown error (0x80092013) - The revocation function was
unable to check revocation because the revocation server was offline.
After:
schannel: next InitializeSecurityContext failed:
CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was
unable to check revocation because the revocation server was offline.
Bug: https://github.com/curl/curl/issues/12239
Reported-by: Niracler Li
Closes https://github.com/curl/curl/pull/12241
- Use malloc + strncpy instead of Curl_memdup to dupe the string before
null terminating it.
Prior to this change if Curl_strndup was passed a length longer than
the allocated string then it could copy out of bounds.
This change is for posterity. Curl_strndup was added in the parent
commit and currently none of the calls to it pass a length that would
cause it to read past the allocated length of the input.
Follow-up to d3b3ba35.
Closes https://github.com/curl/curl/pull/12254
- perform connection cache matching against `data->set.ssl.primary`
and proxy counterpart
- fully clone connection ssl config only when connection is used
Closes#12237
- disable HTTPS-proxy as well, since it can't work without HTTP
- curl_setup: when HTTP is disabled, also disable all features that are
HTTP-only
- version: HTTPS-proxy only exists if HTTP support exists
Closes#12223
Finding a 'Content-Range:' in the response changed the handling.
Add test case 1475 to verify -C - with 416 and Content-Range: header,
which is almost exactly like test 194 which instead uses a fixed -C
offset. Adjusted test 194 to also be considered fine.
Fixes#10521
Reported-by: Smackd0wn
Fixes#12174
Reported-by: Anubhav Rai
Closes#12176
After this patch we assume availability of `getaddrinfo` and
`freeaddrinfo`, first introduced in Windows XP. Meaning curl
now requires building for Windows XP as a minimum.
TODO: assume these also in autotools.
Ref: https://github.com/curl/curl/pull/12221#issuecomment-1783761806Closes#12225
- On Windows if IPv6 is enabled but getaddrinfo is missing then #error
the build.
curl can be built with IPv6 support (ENABLE_IPV6) but without the
ability to resolve hosts to IPv6 addresses (HAVE_GETADDRINFO). On
Windows this is highly unlikely and should be considered a bad build
configuration.
Such a bad configuration has already given us a bug that was hard to
diagnose. See #12134 and #12136 for discussion.
Ref: https://github.com/curl/curl/issues/12134
Ref: https://github.com/curl/curl/pull/12136
Closes https://github.com/curl/curl/pull/12221
- If CURLSSLOPT_NATIVE_CA on Windows then import from intermediate CA
"CA" store after importing from root CA "ROOT" store.
This change allows curl to work in situations where a server does not
send all intermediate certs and they are present in the "CA" store (the
store with intermediate CAs). This is already allowed by the Schannel
backend.
Also this change makes partial chain verification possible for those
certs since we allow partial chain verification by default for OpenSSL
(unless CURLSSLOPT_NO_PARTIALCHAIN). This is not allowed by the Schannel
backend.
Prior to this change CURLSSLOPT_NATIVE_CA only imported "ROOT" certs.
Fixes https://github.com/curl/curl/issues/12155
Closes https://github.com/curl/curl/pull/12185
In 8.4.0 we deleted `_mingw.h` as part of purging old-mingw support.
Turns out `_mingw.h` had the side-effect of setting a default
`_WIN32_WINNT` value expected by `lib/config-win32.h` to enable
`getaddrinfo` support in `Makefile.mk` mingw-w64 builds. This caused
disabling support for this unless specifying the value manually.
Restore this header and update its comment to tell why we continue
to need it.
This triggered a regression in official Windows curl builds starting
with 8.4.0_1. Fixed in 8.4.0_6. (8.5.0 will be using CMake.)
Regression from 38029101e2d78ba125732b3bab6ec267b80a0e72 #11625
Reported-by: zhengqwe on github
Helped-by: Nico Rieck
Fixes#12134Fixes#12136Closes#12217
- fixed libssh.c workaround for a socket being closed by
the library
- eliminate the terrible hack in cf-socket.c to guess when
this happened and try not closing the socket again.
- fixes race in eyeballing when socket could have failed to
be closed for a discarded connect attempt
Closes#12207
- test for a simplified C99 variadic check
- args to infof() in --disable-verbose are no longer disregarded but
must compile.
Closes#12167Fixes#12083Fixes#11880Fixes#11891
- resolving is done for a connection, not for every transfer
- save create/dup/free of a cares channel for each transfer
- check values of setopt calls against a local channel if no
connection has been attached yet, when needed.
Closes#12198
Connection filter had a `get_select_socks()` method, inspired by the
various `getsocks` functions involved during the lifetime of a
transfer. These, depending on transfer state (CONNECT/DO/DONE/ etc.),
return sockets to monitor and flag if this shall be done for POLLIN
and/or POLLOUT.
Due to this design, sockets and flags could only be added, not
removed. This led to problems in filters like HTTP/2 where flow control
prohibits the sending of data until the peer increases the flow
window. The general transfer loop wants to write, adds POLLOUT, the
socket is writeable but no data can be written.
This leads to cpu busy loops. To prevent that, HTTP/2 did set the
`SEND_HOLD` flag of such a blocked transfer, so the transfer loop cedes
further attempts. This works if only one such filter is involved. If a
HTTP/2 transfer goes through a HTTP/2 proxy, two filters are
setting/clearing this flag and may step on each other's toes.
Connection filters `get_select_socks()` is replaced by
`adjust_pollset()`. They get passed a `struct easy_pollset` that keeps
up to `MAX_SOCKSPEREASYHANDLE` sockets and their `POLLIN|POLLOUT`
flags. This struct is initialized in `multi_getsock()` by calling the
various `getsocks()` implementations based on transfer state, as before.
After protocol handlers/transfer loop have set the sockets and flags
they want, the `easy_pollset` is *always* passed to the filters. Filters
"higher" in the chain are called first, starting at the first
not-yet-connection one. Each filter may add sockets and/or change
flags. When all flags are removed, the socket itself is removed from the
pollset.
Example:
* transfer wants to send, adds POLLOUT
* http/2 filter has a flow control block, removes POLLOUT and adds
POLLIN (it is waiting on a WINDOW_UPDATE from the server)
* TLS filter is connected and changes nothing
* h2-proxy filter also has a flow control block on its tunnel stream,
removes POLLOUT and adds POLLIN also.
* socket filter is connected and changes nothing
* The resulting pollset is then mixed together with all other transfers
and their pollsets, just as before.
Use of `SEND_HOLD` is no longer necessary in the filters.
All filters are adapted for the changed method. The handling in
`multi.c` has been adjusted, but its state handling the the protocol
handlers' `getsocks` method are untouched.
The most affected filters are http/2, ngtcp2, quiche and h2-proxy. TLS
filters needed to be adjusted for the connecting handshake read/write
handling.
No noticeable difference in performance was detected in local scorecard
runs.
Closes#11833
The goal of this patch is to avoid unnecessary feature detection work
when doing Windows builds with CMake. Do this by pre-filling well-known
detection results for Windows and specifically for mingw-w64 and MSVC
compilers. Also limit feature checks to platforms where the results are
actually used. Drop a few redundant ones. And some tidying up.
- pre-fill remaining detection values in Windows CMake builds.
Based on actual detection results observed in CI runs, preceding
similar work over libssh2 and matching up values with
`lib/config-win32.h`.
This brings down CMake configuration time from 58 to 14 seconds on the
same local machine.
On AppVeyor CI this translates to:
- 128 seconds -> 50 seconds VS2022 MSVC with OpenSSL (per CMake job):
https://ci.appveyor.com/project/curlorg/curl/builds/48208419/job/4gw66ecrjpy7necb#L296https://ci.appveyor.com/project/curlorg/curl/builds/48217440/job/8m4fwrr2fe249uo8#L186
- 62 seconds -> 16 seconds VS2017 MINGW (per CMake job):
https://ci.appveyor.com/project/curlorg/curl/builds/48208419/job/s1y8q5ivlcs7ub29?fullLog=true#L290https://ci.appveyor.com/project/curlorg/curl/builds/48217440/job/pchpxyjsyc9kl13a?fullLog=true#L194
The formula is about 1-3 seconds delay for each detection. Almost all
of these trigger a full compile-link cycle behind the scenes, slow
even today, both cross and native, mingw-w64 and apparently MSVC too.
Enabling .map files or other custom build features slows it down
further. (Similar is expected for autotools configure.)
- stop detecting `idn2.h` if idn2 was deselected.
autotools does this.
- stop detecting `idn2.h` if idn2 was not found.
This deviates from autotools. Source code requires both header and
lib, so this is still correct, but faster.
- limit `ADDRESS_FAMILY` detection to Windows.
- normalize `HAVE_WIN32_WINNT` value to lowercase `0x0a12` format.
- pre-fill `HAVE_WIN32_WINNT`-dependent detection results.
Saving 4 (slow) feature-detections in most builds: `getaddrinfo`,
`freeaddrinfo`, `inet_ntop`, `inet_pton`
- fix pre-filled `HAVE_SYS_TIME_H`, `HAVE_SYS_PARAM_H`,
`HAVE_GETTIMEOFDAY` for mingw-w64.
Luckily this do not change build results, as `WIN32` took
priority over `HAVE_GETTIMEOFDAY` with the current source
code.
- limit `HAVE_CLOCK_GETTIME_MONOTONIC_RAW` and
`HAVE_CLOCK_GETTIME_MONOTONIC` detections to non-Windows.
We're not using these in the source code for Windows.
- reduce compiler warning noise in CMake internal logs:
- fix to include `winsock2.h` before `windows.h`.
Apply it to autotools test snippets too.
- delete previous `-D_WINSOCKAPI_=` hack that aimed to fix the above.
- cleanup `CMake/CurlTests.c` to emit less warnings.
- delete redundant `HAVE_MACRO_SIGSETJMP` feature check.
It was the same check as `HAVE_SIGSETJMP`.
- delete 'experimental' marking from `CURL_USE_OPENSSL`.
- show CMake version via `CMakeLists.txt`.
Credit to the `zlib-ng` project for the idea:
61e181c8ae/CMakeLists.txt (L7)
- make `CMake/CurlTests.c` pass `checksrc`.
- `CMake/WindowsCache.cmake` tidy-ups.
- replace `WIN32` guard with `_WIN32` in `CMake/CurlTests.c`.
Closes#12044
Currently the verbose output does not include which algorithms are used
for the signature and key exchange when using OpenSSL. Including the
algorithms used will enable better debugging when working on using new
algorithm implementations. Know what algorithms are used has become more
important with the fast growing research into new quantum-safe
algorithms.
This implementation includes a build time check for the OpenSSL version
to use a new function that will be included in OpenSSL 3.2 that was
introduced in openssl/openssl@6866824
Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com>
Closes#12030
Getting nghttp2's error message helps users understand what's going
on. For example when the connection is brought down due a forbidden
header is used - as that header is then not displayed by curl itself.
Example:
curl: (92) Invalid HTTP header field was received: frame type: 1,
stream: 1, name: [upgrade], value: [h2,h2c]
Ref: #12172Closes#12179
... and make the code require both symbol and declaration.
This is because for Android, the symbol is always present in the lib at
build-time even when not actually available in run-time.
Assisted-by: Viktor Szakats
Reported-by: 12932 on github
Fixes#12086Closes#12158
