Currently the verbose output does not include which algorithms are used
for the signature and key exchange when using OpenSSL. Including the
algorithms used will enable better debugging when working on using new
algorithm implementations. Know what algorithms are used has become more
important with the fast growing research into new quantum-safe
algorithms.
This implementation includes a build time check for the OpenSSL version
to use a new function that will be included in OpenSSL 3.2 that was
introduced in openssl/openssl@6866824
Based-on-patch-by: Martin Schmatz <mrt@zurich.ibm.com>
Closes#12030
Getting nghttp2's error message helps users understand what's going
on. For example when the connection is brought down due a forbidden
header is used - as that header is then not displayed by curl itself.
Example:
curl: (92) Invalid HTTP header field was received: frame type: 1,
stream: 1, name: [upgrade], value: [h2,h2c]
Ref: #12172Closes#12179
... and make the code require both symbol and declaration.
This is because for Android, the symbol is always present in the lib at
build-time even when not actually available in run-time.
Assisted-by: Viktor Szakats
Reported-by: 12932 on github
Fixes#12086Closes#12158
An orphan call to `CheckQuicSupportInOpenSSL()` remained after a recent
update when checking QUIC for quiche. Move back QUIC detection to
a function and fixup callers to use that. Also make sure that quiche
gets QUIC from BoringSSL, because it doesn't support other forks at this
time.
Regression from dee310d54261f9a8416e87d50bccfe2cbe404949 #11555
Reported-by: Casey Bodley <cbodley@redhat.com>
Fixes#12160Closes#12162
Fixes a minor memory leak on LDAP connection reuse.
Doing the allocation already in *setup_connection() is wrong since that
connect struct might get discarded early when an existing connection is
reused instead.
Closes#12166
Remove the CURL_CA_FALLBACK logic. That build option was added to allow
primarily OpenSSL to use the default paths for loading the CA certs. For
GnuTLS it was instead made to load the "system certs", which is
different and not desirable.
The native CA store loading is now asked for with this option.
Follow-up to 7b55279d1d856
Co-authored-by: Jay Satiro
Closes#12137
- fix HTTP header parsing to report incomplete
lines it buffers as consumed!
- re-implement the RTP parser for interleave RTP
messages for robustness. It is now keeping its
state at the connection
- RTSP protocol handler "readwrite" implementation
now tracks if the response is before/in/after
header parsing or "in" a bod by calling
"Curl_http_readwrite_headers()" itself. This
allows it to know when non-RTP bytes are "junk"
or HEADER or BODY.
- tested with #12035 and various small receive
sizes where current master fails
Closes#12052
- fold the code to convert dynhds to the nghttp2 structs
into a dynhds internal method
- saves code duplication
- pacifies compiler analyzers
Closes#12097
Python precheck/postcheck alternatives were included but commented out.
Since these are not used and perl is guaranteed to be available to run
the perl versions anyway, the Python ones are removed.
To avoid the state machine to start over and redownload all the files
*again*.
Reported-by: lkordos on github
Regression from 843b3baa3e3cb228 (shipped in 8.1.0)
Bisect-by: Dan Fandrich
Fixes#11775Closes#12156
The checkcmd() and checktestcmd() functions would not have worked on
Windows due to hard-coding the UNIX PATH separator character and not
adding .exe file extension. This meant that tools like stunnel, valgrind
and nghttpx would not have been found and used on Windows, and
inspection of previous test runs show none of those being found in pure
Windows CI builds.
With this fixed, they can be used to detect the handle64.exe program
before attempting to use it. When handle64.exe was called
unconditionally without it existing, it caused perl to abort the test
run with the error
The running command stopped because the preference variable
"ErrorActionPreference" or common parameter is set to Stop:
sh: handle64.exe: command not found
Closes#12115
- Add 'threadsafe' to the feature list shown during build if POSIX
threads are being used.
This is a follow-up to 5adb6000 which added support for building a
thread-safe libcurl with older versions of gcc where atomic is not
available but pthread is.
Reported-by: Dan Fandrich
Co-authored-by: Dan Fandrich
Fixes https://github.com/curl/curl/issues/12125
Closes https://github.com/curl/curl/pull/12127
The idea of `check_library_exists_concat()` is that it detects an
optional component and adds it to the list of libs that we also use in
subsequent component checks. This caused problems when detecting
components with unnecessary dependencies that were not yet built.
CMake offers the `CMAKE_REQUIRED_LIBRARIES` variable to set libs used
for component checks, which we already use in most cases. That left 4
uses of `check_library_exists_concat()`. Only one of these actually
needed the 'concat' feature (ldap/lber).
Delete this function and replace it with standard
`check_library_exists()` and manual management of our `CURL_LIBS`
list we use when linking build targets. And special logic to handle the
ldap/lber case.
(We have a similar function for headers: `check_include_file_concat()`.
It works, but problematic for performance reasons and because it hides
the actual headers required in `check_symbol_exists()` calls.)
Ref: #11537#11558Fixes#11285Fixes#11648Closes#12070
- Pass missing parameter for 'lpNumberOfCharsWritten' to WriteConsoleW()
function.
Apparently this parameter was *not* optional on older Windows versions.
Issue observed on Windows XP SP2. Issue not observed on Windows 7 SP1.
So at some point between those two Microsoft changed the behavior.
Prior to this change, on those versions if parameter is NULL then the
function call fails with error ERROR_INVALID_ACCESS.
Regression since af3f4e41.
Ref: https://github.com/MicrosoftDocs/Console-Docs/issues/299
Fixes https://github.com/curl/curl/issues/12131
Closes https://github.com/curl/curl/pull/12130
- Add additional checking for missing and too-short SOCKS5 handshake
messages.
Prior to this change the SOCKS5 test server did not check that all parts
of the handshake were received successfully. If those parts were missing
or too short then the server would access uninitialized memory.
This issue was discovered in CI job 'memory-sanitizer' test results.
Test 2055 was failing due to the SOCKS5 test server not running. It was
not running because either it crashed or memory sanitizer aborted it
during Test 728. Test 728 connects to the SOCKS5 test server on a
redirect but does not send any data on purpose. The test server was not
prepared for that.
Reported-by: Dan Fandrich
Fixes https://github.com/curl/curl/issues/12117
Closes https://github.com/curl/curl/pull/12118
Currently, curl allows users to specify absurd request rates that might
be higher than the number of milliseconds in the unit (ex: curl --rate
3600050/h http://localhost:8080 does not error out despite there being
only 3600000ms in a hour).
This change adds a conditional check before the millisecond calculation
making sure that the number is not higher than the numerator (the unit)
If the number is higher, curl errors out with PARAM_NUMBER_TOO_LARGE
Closes#12116
- Remove DEBUGASSERT that an internal handle must not have user
private_data set before calling the user's debug callback.
This is a follow-up to 0dc40b2a. The user can distinguish their easy
handle from an internal easy handle by setting CURLOPT_PRIVATE on their
easy handle. I had wrongly assumed that meant the user couldn't then
set CURLOPT_PRIVATE on an internal handle as well.
Bug: https://github.com/curl/curl/pull/12060#issuecomment-1754594697
Reported-by: Daniel Stenberg
Closes https://github.com/curl/curl/pull/12104
This test would show an error message if the output was missing during
the log post-processing step, but the message was not captured by the
test harness and wasn't useful since the normal golden log file
comparison would the problem more clearly.
- configure a 120s idle timeout on our side of the connection
- track the timestamp when actual socket IO happens
- check IO timestamp to our *and* the peer's idle timeouts
in "is this connection alive" checks
Reported-by: calvin2021y on github
Fixes#12064Closes#12077
This test fails sometimes with a super fast retry loop due to what may
just be a compiler bug. The test results are ignored on the one CI job
where it occurs because there seems to be nothing we can do to fix it.
Fixes#12040Closes#12106
populate_binsettings now returns a negative value on error, instead of a
huge positive value. Both places which call this function have been
updated to handle this change in its contract.
The way populate_binsettings had been used prior to this change the huge
positive values -- due to signed->unsigned conversion of the potentially
negative result of nghttp2_pack_settings_payload which returns negative
values on error -- are not possible. But only because http2.c currently
always provides a large enough output buffer and provides H2 SETTINGS
IVs which pass the verification logic inside nghttp2. If the
verification logic were to change or if http2.c started passing in more
IVs without increasing the output buffer size, the overflow could become
reachable, and libcurl/curl might start leaking memory contents to
servers/proxies...
Closes#12101
