Commit Graph

30828 Commits

Author SHA1 Message Date
Graham Campbell
8eda84bdc1
CI: use openssl 3.0.10+quic, nghttp3 0.14.0, ngtcp2 0.18.0
Closes #11585
2023-08-06 23:20:45 +02:00
Daniel Stenberg
8b12f9e203
TODO: add *5* entries for aws-sigv4
Closes #7559
Closes #8107
Closes #8810
Closes #9717
Closes #10129
2023-08-06 23:04:57 +02:00
Daniel Stenberg
26b437393e
TODO: LDAP Certificate-Based Authentication
Closes #9641
2023-08-06 22:58:42 +02:00
Stefan Eissing
fbacb14c4c
http2: cleanup trace messages
- more compact format with bracketed stream id
- all frames traced in and out

Closes #11592
2023-08-06 17:47:38 +02:00
Daniel Stenberg
03eba3c8b2
tests/tftpd+mqttd: make variables static to silence picky warnings
Closes #11594
2023-08-06 17:21:25 +02:00
Daniel Stenberg
c71ce0007e
docs/cmdline: remove repeated working for negotiate + ntlm
The extra wording is added automatically by the gen.pl tool

Closes #11597
2023-08-06 17:19:37 +02:00
Daniel Stenberg
efb594daac
docs/cmdline: add small "warning" to verbose options
"Note that verbose output of curl activities and network traffic might
contain sensitive data, including user names, credentials or secret data
content. Be aware and be careful when sharing trace logs with others."

Closes #11596
2023-08-06 17:17:27 +02:00
Daniel Stenberg
f308f65280
RELEASE-NOTES: synced 2023-08-04 16:00:08 +02:00
Daniel Stenberg
83319e0271
pingpong: don't use *bump_headersize
We use that for HTTP(S) only.

Follow-up to 3ee79c1674

Closes #11590
2023-08-04 11:06:39 +02:00
Daniel Stenberg
8a9f4d481a
urldata: remove spurious parenthesis to unbreak no-proxy build
Follow-up to e12b39e133

Closes #11591
2023-08-04 11:04:24 +02:00
Daniel Stenberg
c15569bb41
easy: don't call Curl_trc_opt() in disabled-verbose builds
Follow-up to e12b39e133

Closes #11588
2023-08-04 10:07:57 +02:00
Daniel Stenberg
a2a894f550
http: use %u for printfing int
Follow-up to 3ee79c1674

Closes #11587
2023-08-04 09:34:44 +02:00
Goro FUJI
ae91bb7e1a
vquic: show stringified messages for errno
Closes #11584
2023-08-03 22:44:36 +02:00
Stefan Eissing
e12b39e133
trace: make tracing available in non-debug builds
Add --trace-config to curl

Add curl_global_trace() to libcurl

Closes #11421
2023-08-03 17:32:25 +02:00
Daniel Stenberg
0f49b5bacb
TODO: remove "Support intermediate & root pinning for PINNEDPUBLICKEY"
See also https://github.com/curl/curl/pull/7507
2023-08-03 17:28:27 +02:00
Daniel Stenberg
16d077330b
TODO: add "WebSocket read callback"
remove "Upgrade to websockets" as we already have this

Closes #11402
2023-08-03 17:21:38 +02:00
Daniel Stenberg
260f51ae8b
test497: verify rejecting too large incoming headers 2023-08-03 17:08:56 +02:00
Daniel Stenberg
3ee79c1674
http: return error when receiving too large header set
To avoid abuse. The limit is set to 300 KB for the accumulated size of
all received HTTP headers for a single response. Incomplete research
suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
1MB.

Closes #11582
2023-08-03 17:08:13 +02:00
Stefan Eissing
944e219f10
http2: upgrade tests and add fix for non-existing stream
- check in h2 filter recv that stream actually exists
  and return error if not
- add test for parallel, extreme h2 upgrades that fail if
  connections get reused before fully switched
- add h2 upgrade upload test just for completeness

Closes #11563
2023-08-03 17:05:13 +02:00
Viktor Szakats
db70846e2e
tests: ensure libcurl.def contains all exports
Add `test1279` to verify that `libcurl.def` lists all exported API
functions found in libcurl headers.

Also:

- extend test suite XML `stdout` tag with the `loadfile` attribute.

- fix `tests/extern-scan.pl` and `test1135` to include websocket API.

- use all headers (sorted) in `test1135` instead of a manual list.

- add options `--sort`, `--heading=` to `tests/extern-scan.pl`.

- add `libcurl.def` to the auto-labeler GHA task.

Follow-up to 2ebc74c36a

Closes #11570
2023-08-03 11:07:47 +00:00
Daniel Stenberg
d135d040df
url: change default value for CURLOPT_MAXREDIRS to 30
It was previously unlimited by default, but that's not a sensible
default. While changing this has a remote risk of breaking an existing
use case, I figure it is more likely to actually save users from loops.

Closes #11581
2023-08-02 23:59:59 +02:00
Daniel Stenberg
367a66b130
lib: fix a few *printf() flag mistakes
Reported-by: Gisle Vanem
Ref: #11574
Closes #11579
2023-08-02 23:11:09 +02:00
Samuel Chiang
20f4e94eeb
openssl: make aws-lc version support OCSP
And bump version in CI

Closes #11568
2023-08-02 16:23:45 +02:00
Daniel Stenberg
ce1fc742c1
tool: make the length argument an int for printf()-.* flags
Closes #11578
2023-08-02 16:11:55 +02:00
Daniel Stenberg
139ecfb869
tool_operate: fix memory leak when SSL_CERT_DIR is used
Detected by Coverity

Follow-up to 29bce9857a

Closes #11577
2023-08-02 16:10:49 +02:00
Daniel Stenberg
c17bf311f1
tool/var: free memory on OOM
Coverity detected this memory leak in OOM situation

Follow-up to 2e160c9c65

Closes #11575
2023-08-02 16:09:43 +02:00
Viktor Szakats
ddb179586f
gha: bump libressl and mbedtls versions
Closes #11573
2023-08-02 10:39:01 +00:00
Jay Satiro
b4f9ae5126 schannel: fix user-set legacy algorithms in Windows 10 & 11
- If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then
  use the SCHANNEL_CRED legacy structure to pass the list to Schannel.

- If the user set both a legacy algorithm list and a TLS 1.3 cipher list
  then abort.

Although MS doesn't document it, Schannel will not negotiate TLS 1.3
when SCHANNEL_CRED is used. That means setting a legacy algorithm list
limits the user to earlier versions of TLS.

Prior to this change, since 8beff435 (precedes 7.85.0), libcurl would
ignore legacy algorithms in Windows 10 1809 and later.

Reported-by: zhihaoy@users.noreply.github.com

Fixes https://github.com/curl/curl/pull/10741
Closes https://github.com/curl/curl/pull/10746
2023-08-02 03:43:13 -04:00
Daniel Stenberg
4169943d15
variable.d: setting a variable again overwrites it
Reported-by: Niall McGee
Bug: https://twitter.com/niallmcgee/status/1686523075423322113
Closes #11571
2023-08-02 09:32:08 +02:00
Jay Satiro
783e4714d9 CURLOPT_PROXY_SSL_OPTIONS.3: sync formatting
- Re-wrap CURLSSLOPT_ALLOW_BEAST description.
2023-08-02 03:19:29 -04:00
Daniel Stenberg
8c5f117882
RELEASE-NOTES: synced 2023-08-02 08:37:42 +02:00
Daniel Stenberg
d3142b5729
resolve: use PF_INET6 family lookups when CURL_IPRESOLVE_V6 is set
Previously it would always do PF_UNSPEC if CURL_IPRESOLVE_V4 is not
used, thus unnecessarily asking for addresses that will not be used.

Reported-by: Joseph Tharayil
Fixes #11564
Closes #11565
2023-08-02 00:49:16 +02:00
Daniel Stenberg
fc1e42190f
docs: link to the website versions instead of markdowns
... to make the links work when the markdown is converted to webpages on
https://curl.se

Reported-by: Maurício Meneghini Fauth
Fixes https://github.com/curl/curl-www/issues/272
Closes #11569
2023-08-02 00:47:41 +02:00
Viktor Szakats
00f8f9c22b
cmake: cache more config and delete unused ones
- cache more Windows config results for faster initialization.

- delete unused config macros `HAVE_SYS_UTSNAME_H`, `HAVE_SSL_H`.

- delete dead references to `sys/utsname.h`.

Closes #11551
2023-08-01 21:59:00 +00:00
Viktor Szakats
c09466abff
egd: delete feature detection and related source code
EGD is Entropy Gathering Daemon, a socket-based entropy source supported
by pre-OpenSSL v1.1 versions and now deprecated. curl also deprecated it
a while ago.

Its detection in CMake was broken all along because OpenSSL libs were
not linked at the point of feature check.

Delete detection from both cmake and autotools, along with the related
source snippet, and the `--with-egd-socket=` `./configure` option.

Closes #11556
2023-08-01 21:58:56 +00:00
Stefan Eissing
bb07240263
tests: fix h3 server check and parallel instances
- fix check for availability of nghttpx server
- add `tcp` frontend config for same port as quic, as
  without this, port 3000 is bound which clashes for parallel
  testing

Closes #11553
2023-08-01 16:11:48 +02:00
Daniel Stenberg
f4ff8072f2
docs/cmdline-opts: spellfixes, typos and polish
To make them accepted by the spell checker

Closes #11562
2023-08-01 14:12:22 +02:00
Daniel Stenberg
6b11d9d86b
CI/spellcheck: build curl.1 and spellcheck it
Added acceptable words

Closes #11562
2023-08-01 14:12:03 +02:00
Alexander Jaeger
959e613e7c
misc: fix various typos
Closes #11561
2023-08-01 14:09:32 +02:00
Daniel Stenberg
d4618a3fc4
http2: avoid too early connection re-use/multiplexing
HTTP/1 connections that are upgraded to HTTP/2 should not be picked up
for reuse and multiplexing by other handles until the 101 switching
process is completed.

Lots-of-debgging-by: Stefan Eissing
Reported-by: Richard W.M. Jones
Bug: https://curl.se/mail/lib-2023-07/0045.html
Closes #11557
2023-08-01 11:30:07 +02:00
Daniel Stenberg
15c40a32b7
Revert "KNOWN_BUGS: build for iOS simulator on macOS 13.2 with Xcode 14"
This reverts commit 2e8a3d7cb7.

It's a user error for supplying incomplete information to the build system.

Reported-by: Ryan Schmidt
Ref: https://github.com/curl/curl/issues/11215#issuecomment-1658729367
2023-08-01 10:22:39 +02:00
Viktor Szakats
2ebc74c36a
cmake: add support for single libcurl compilation pass
Before this patch CMake builds used two separate compilation passes to
build the shared and static libcurl respectively. This patch allows to
reduce that to a single pass if the target platform and build settings
allow it.

This reduces CMake build times when building both static and shared
libcurl at the same time, making these dual builds an almost zero-cost
option.

Enable this feature for Windows builds, where the difference between the
two passes was the use of `__declspec(dllexport)` attribute for exported
API functions for the shared builds. This patch replaces this method
with the use of `libcurl.def` at DLL link time.

Also update `Makefile.mk` to use `libcurl.def` to export libcurl API
symbols on Windows. This simplifies (or fixes) this build method (e.g.
in curl-for-win, which generated a `libcurl.def` from `.h` files using
an elaborate set of transformations).

`libcurl.def` has the maintenance cost of keeping the list of public
libcurl API symbols up-to-date. This list seldom changes, so the cost
is low.

Closes #11546
2023-08-01 08:12:26 +00:00
Viktor Szakats
dee310d542
cmake: detect SSL_set0_wbio in OpenSSL
Present in OpenSSL 1.1.0 and BoringSSL.
Missing from LibreSSL 3.8.0.

Follow-up to f39472ea9f

While here, also fix `RAND_egd()` detection which was broken, likely all
along. This feature is probably broken with CMake builds and also
requires a sufficiently obsolete OpenSSL version, so this part of the
update was not tested.

Closes #11555
2023-08-01 08:12:18 +00:00
Viktor Szakats
4a67b23f33
cmake: fixup H2 duplicate symbols for unity builds
Closes #11550
2023-08-01 08:12:07 +00:00
Pablo Busse
11d46bcfb2 openssl: Support async cert verify callback
- Update the OpenSSL connect state machine to handle
  SSL_ERROR_WANT_RETRY_VERIFY.

This allows libcurl users that are using custom certificate validation
to suspend processing while waiting for external I/O during certificate
validation.

Closes https://github.com/curl/curl/pull/11499
2023-08-01 03:49:07 -04:00
Jay Satiro
af3f4e419b tool_cb_wrt: fix invalid unicode for windows console
- Suppress an incomplete UTF-8 sequence at the end of the buffer.

- Attempt to reconstruct incomplete UTF-8 sequence from prior call(s)
  in current call.

Prior to this change, in Windows console UTF-8 sequences split between
two or more calls to the write callback would cause invalid "replacement
characters" U+FFFD to be printed instead of the actual Unicode
character. This is because in Windows only UTF-16 encoded characters are
printed to the console, therefore we convert the UTF-8 contents to
UTF-16, which cannot be done with partial UTF-8 sequences.

Reported-by: Maksim Arhipov

Fixes https://github.com/curl/curl/issues/9841
Closes https://github.com/curl/curl/pull/10890
2023-08-01 03:28:12 -04:00
Daniel Stenberg
0b947e8ca2
sectransp: prevent CFRelease() of NULL
When SecCertificateCopyCommonName() returns NULL, the common_name
pointer remains set to NULL which apparently when calling CFRelease() on
(sometimes?) crashes.

Reported-by: Guillaume Algis
Fixes #9194
Closes #11554
2023-08-01 08:17:26 +02:00
Jay Satiro
2fcb674cdf
vtls: clarify "ALPN: offers" message
Before:
* ALPN: offers h2,http/1.1

After:
* ALPN: curl offers h2,http/1.1

Bug: https://curl.se/mail/lib-2023-07/0041.html
Reported-by: Richard W.M. Jones
Closes #11544
2023-08-01 08:16:14 +02:00
Daniel Stenberg
49e2443186
urlapi: make sure zoneid is also duplicated in curl_url_dup
Add several curl_url_dup() tests to the general lib1560 test.

Reported-by: Rutger Broekhoff
Bug: https://curl.se/mail/lib-2023-07/0047.html
Closes #11549
2023-08-01 08:00:28 +02:00
Sergey
a21f318992
urlapi: fix heap buffer overflow
`u->path = Curl_memdup(path, pathlen + 1);` accesses bytes after the null-terminator.

```
==2676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x04d48c75 at pc 0x0112708a bp 0x006fb7e0 sp 0x006fb3c4
READ of size 78 at 0x04d48c75 thread T0
    #0 0x1127089 in __asan_wrap_memcpy D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:840
    #1 0x1891a0e in Curl_memdup C:\actions-runner\_work\client\client\third_party\curl\lib\strdup.c:97
    #2 0x18db4b0 in parseurl C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1297
    #3 0x18db819 in parseurl_and_replace C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1342
    #4 0x18d6e39 in curl_url_set C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1790
    #5 0x1877d3e in parseurlandfillconn C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:1768
    #6 0x1871acf in create_conn C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:3403
    #7 0x186d8dc in Curl_connect C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:3888
    #8 0x1856b78 in multi_runsingle C:\actions-runner\_work\client\client\third_party\curl\lib\multi.c:1982
    #9 0x18531e3 in curl_multi_perform C:\actions-runner\_work\client\client\third_party\curl\lib\multi.c:2756
```

Closes #11560
2023-08-01 07:59:07 +02:00