Commit Graph

128 Commits

Author SHA1 Message Date
Daniel Stenberg
1dc8aa870e
hostip/proxy: remove conn->data use
Closes #6513
2021-01-26 10:04:47 +01:00
Daniel Stenberg
8335c6417e
hostip: remove conn->data from resolver functions
This also moves the 'async' struct from the connectdata struct into the
Curl_easy struct, which seems like a better home for it.

Closes #6497
2021-01-22 08:25:09 +01:00
Daniel Stenberg
d0688dcbdf
socks: use the download buffer instead
The SOCKS code now uses the generic download buffer for temporary
storage during the connection procedure, instead of having its own
private 600 byte buffer that adds to the connectdata struct size. This
works fine because this point the buffer is allocated but is not use for
download yet since the connection hasn't completed.

This reduces the connection struct size by 22% on a 64bit arch!

The SOCKS buffer needs to be at least 600 bytes, and the download buffer
is guaranteed to never be smaller than 1000 bytes.

Closes #6491
2021-01-20 08:54:19 +01:00
Daniel Stenberg
a304051620
lib: more conn->data cleanups
Closes #6479
2021-01-19 09:14:51 +01:00
Daniel Stenberg
215db086e0
lib: pass in 'struct Curl_easy *' to most functions
... in most cases instead of 'struct connectdata *' but in some cases in
addition to.

- We mostly operate on transfers and not connections.

- We need the transfer handle to log, store data and more. Everything in
  libcurl is driven by a transfer (the CURL * in the public API).

- This work clarifies and separates the transfers from the connections
  better.

- We should avoid "conn->data". Since individual connections can be used
  by many transfers when multiplexing, making sure that conn->data
  points to the current and correct transfer at all times is difficult
  and has been notoriously error-prone over the years. The goal is to
  ultimately remove the conn->data pointer for this reason.

Closes #6425
2021-01-17 23:56:09 +01:00
Daniel Stenberg
aba01da639
failf: remove newline from formatting strings
... as failf adds one itself.

Also: add an assert() to failf() that triggers on a newline in the
format string!

Closes #6365
2020-12-25 23:42:16 +01:00
Daniel Stenberg
0b60d3685e
socks: check for DNS entries with the right port number
The resolve call is done with the right port number, but the subsequent
check used the wrong one, which then could find a previous resolve which
would return and leave the fresh resolve "incomplete" and leaking
memory.

Fixes #6247
Closes #6253
2020-11-26 22:29:34 +01:00
Daniel Stenberg
4d2f800677
curl.se: new home
Closes #6172
2020-11-04 23:59:47 +01:00
Daniel Stenberg
88b1ca7cba
CURLE_PROXY: new error code
Failures clearly returned from a (SOCKS) proxy now causes this return
code. Previously the situation was not very clear as what would be
returned and when.

In addition: when this error code is returned, an application can use
CURLINFO_PROXY_ERROR to query libcurl for the detailed error, which then
returns a value from the new 'CURLproxycode' enum.

Closes #5770
2020-08-24 08:41:48 +02:00
ihsinme
60aa961288
socks: use size_t for size variable
Use the unsigned type (size_t) in the arithmetic of pointers. In this
context, the signed type (ssize_t) is used unnecessarily.

Authored-by: ihsinme on github
Closes #5654
2020-07-12 22:52:19 +02:00
Daniel Stenberg
2a41e23671
socks: detect connection close during handshake
The SOCKS4/5 state machines weren't properly terminated when the proxy
connection got closed, leading to a busy-loop.

Reported-By: zloi-user on github
Fixes #5532
Closes #5542
2020-06-08 23:19:36 +02:00
xquery
b950120b2d
socks: remove unreachable breaks in socks.c and mime.c
Closes #5537
2020-06-08 11:04:44 +02:00
Marc Hoersken
3186f50054
timeouts: move ms timeouts to timediff_t from int and long
Now that all functions in select.[ch] take timediff_t instead
of the limited int or long, we can remove type conversions
and related preprocessor checks to silence compiler warnings.

Avoiding conversions from time_t was already done in 842f73de.

Based upon #5262
Supersedes #5214, #5220 and #5221
Follow up to #5343 and #5479
Closes #5490
2020-06-06 20:05:58 +02:00
Cherish98
e980cbb8e7
socks: fix expected length of SOCKS5 reply
Commit 4a4b63d forgot to set the expected SOCKS5 reply length when the
reply ATYP is X'01'. This resulted in erroneously expecting more bytes
when the request length is greater than the reply length (e.g., when
remotely resolving the hostname).

Closes #5527
2020-06-05 23:20:10 +02:00
Daniel Stenberg
67521b5ecf
hostip: make Curl_printable_address not return anything
It was not used much anyway and instead we let it store a blank buffer
in case of failure.

Reported-by: MonocleAI
Fixes #5411
Closes #5418
2020-05-19 08:11:46 +02:00
Daniel Stenberg
8df455479f
source cleanup: remove all custom typedef structs
- Stick to a single unified way to use structs
 - Make checksrc complain on 'typedef struct {'
 - Allow them in tests, public headers and examples

 - Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
   typedef different types/structs depending on build conditions.

Closes #5338
2020-05-15 08:54:42 +02:00
Daniel Stenberg
a96c7529eb
select: make Curl_socket_check take timediff_t timeout
Coverity found CID 1461718:

Integer handling issues (CONSTANT_EXPRESSION_RESULT) "timeout_ms >
9223372036854775807L" is always false regardless of the values of its
operands. This occurs as the logical second operand of "||".

Closes #5240
2020-04-23 15:57:23 +02:00
Jay Satiro
0510cce8c0 socks: Fix blocking timeout logic
- Document in Curl_timeleft's comment block that returning 0 signals no
  timeout (ie there's infinite time left).

- Fix SOCKS' Curl_blockread_all for the case when no timeout was set.

Prior to this change if the timeout had a value of 0 and that was passed
to SOCKET_READABLE it would return right away instead of blocking. That
was likely because it was not well understood that when Curl_timeleft
returns 0 it is not a timeout of 0 ms but actually means no timeout.

Ref: https://github.com/curl/curl/pull/5214#issuecomment-612512360

Closes https://github.com/curl/curl/pull/5220
2020-04-12 18:32:16 -04:00
Jay Satiro
53f4070827 lib: fix conversion warnings for SOCKET_WRITABLE/READABLE
- If loss of data may occur converting a timediff_t to time_t and
  the time value is > TIME_T_MAX then treat it as TIME_T_MAX.

This is a follow-up to 8843678 which removed the (time_t) typecast
from the macros so that conversion warnings could be identified.

Closes https://github.com/curl/curl/pull/5199
2020-04-11 02:52:25 -04:00
Daniel Stenberg
f0e8160545
socks4: fix host resolve regression
1. The socks4 state machine was broken in the host resolving phase

2. The code now insists on IPv4-only when using SOCKS4 as the protocol
only supports that.

Regression from #4907 and 4a4b63d, shipped in 7.69.0

Reported-by: amishmm on github
Bug: https://github.com/curl/curl/issues/5053#issuecomment-596191594
Closes #5061
2020-03-08 22:51:47 +01:00
Daniel Stenberg
4b786abc43
socks5: switch state properly when the resolve is done
Regression from 4a4b63d (and #4907)
Reported-by: vitaha85 on github
Fixes #5053
Closes #5056
2020-03-07 10:47:44 +01:00
Daniel Stenberg
3735107d62
SOCKS: fix typo in printf formatting
Follow-up to 4a4b63daa

Reported-by: Peter Piekarski
Bug: 4a4b63daaa (r37351330)
2020-02-18 12:54:44 +01:00
Daniel Stenberg
4a4b63daaa
socks: make the connect phase non-blocking
Removes two entries from KNOWN_BUGS.

Closes #4907
2020-02-17 00:08:48 +01:00
Jay Satiro
5ee88eee68 socks: Fix destination host shown on SOCKS5 error
Prior to this change when a server returned a socks5 connect error then
curl would parse the destination address:port from that data and show it
to the user as the destination:

curld -v --socks5 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to IPv4 172.217.12.206 (locally resolved)
* Can't complete SOCKS5 connection to 253.127.0.0:26673. (1)
curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1)

That's incorrect because the address:port included in the connect error
is actually a bind address:port (typically unused) and not the
destination address:port. This fix changes curl to show the destination
information that curl sent to the server instead:

curld -v --socks5 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved)
* Can't complete SOCKS5 connection to 172.217.7.14:99. (1)
curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1)

curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99
* SOCKS5 communication to google.com:99
* SOCKS5 connect to google.com:99 (remotely resolved)
* Can't complete SOCKS5 connection to google.com:99. (1)
curl: (7) Can't complete SOCKS5 connection to google.com:99. (1)

Ref: https://tools.ietf.org/html/rfc1928#section-6

Closes https://github.com/curl/curl/pull/4394
2019-09-21 23:45:02 -04:00
Daniel Stenberg
12d655d456
doh: disable DOH for the cases it doesn't work
Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for
DOH resolves. This fix disables DOH for those.

Limitation added to KNOWN_BUGS.

Fixes #3850
Closes #3857
2019-05-11 11:38:58 +02:00
Daniel Stenberg
8ebc42be04
socks: fix error message 2019-04-08 23:30:53 +02:00
Daniel Stenberg
f4b6901230
socks5: user name and passwords must be shorter than 256
bytes... since the protocol needs to store the length in a single byte field.

Reported-by: XmiliaH on github
Fixes #3737
Closes #3740
2019-04-07 23:27:11 +02:00
Daniel Stenberg
4ed62bc0dc
source: fix two 'nread' may be used uninitialized warnings
Both seem to be false positives but we don't like warnings.

Closes #3646
2019-03-05 13:03:43 +01:00
Viktor Szakats
b801b453af whitespace fixes
- replace tabs with spaces where possible
- remove line ending spaces
- remove double/triple newlines at EOF
- fix a non-UTF-8 character
- cleanup a few indentations/line continuations
  in manual examples

Closes https://github.com/curl/curl/pull/3037
2018-09-23 22:24:02 +00:00
Viktor Szakats
f078361c0e URL and mailmap updates, remove an obsolete directory [ci skip]
Closes https://github.com/curl/curl/pull/3031
2018-09-22 07:58:32 +00:00
Daniel Stenberg
1a890997a4
all: s/int/size_t cleanup
Assisted-by: Rikard Falkeborn

Closes #2922
2018-09-01 10:40:42 +02:00
Marian Klymov
c45360d463
cppcheck: fix warnings
- Get rid of variable that was generating false positive warning
(unitialized)

- Fix issues in tests

- Reduce scope of several variables all over

etc

Closes #2631
2018-06-11 11:14:48 +02:00
Daniel Stenberg
0d85eed3df
Curl_timeleft: change return type to timediff_t
returning 'time_t' is problematic when that type is unsigned and we
return values less than zero to signal "already expired", used in
several places in the code.

Closes #2021
2017-10-28 10:40:51 +02:00
Jay Satiro
6d436642dd socks: fix incorrect port number in SOCKS4 error message
Prior to this change it appears the SOCKS5 port parsing was erroneously
used for the SOCKS4 error message, and as a result an incorrect port
would be shown in the error message.

Bug: https://github.com/curl/curl/issues/1892
Reported-by: Jackarain@users.noreply.github.com
2017-09-18 03:07:57 -04:00
Daniel Stenberg
e5743f08e7
code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
Daniel Stenberg
6b84438d9a
code style: use spaces around equals signs 2017-09-11 09:29:50 +02:00
Kamil Dudka
8924f58c37 CURLOPT_SOCKS5_AUTH: allowed methods for SOCKS5 proxy auth
If libcurl was built with GSS-API support, it unconditionally advertised
GSS-API authentication while connecting to a SOCKS5 proxy.  This caused
problems in environments with improperly configured Kerberos: a stock
libcurl failed to connect, despite libcurl built without GSS-API
connected fine using username and password.

This commit introduces the CURLOPT_SOCKS5_AUTH option to control the
allowed methods for SOCKS5 authentication at run time.

Note that a new option was preferred over reusing CURLOPT_PROXYAUTH
for compatibility reasons because the set of authentication methods
allowed by default was different for HTTP and SOCKS5 proxies.

Bug: https://curl.haxx.se/mail/lib-2017-01/0005.html
Closes https://github.com/curl/curl/pull/1454
2017-06-28 08:02:58 +02:00
Kamil Dudka
cd1c9f0807 socks: deduplicate the code for auth request 2017-06-28 07:48:34 +02:00
Kamil Dudka
641072b919 socks: use proxy_user instead of proxy_name
... to make it obvious what the data is used for
2017-06-28 07:48:34 +02:00
Sylvestre Ledru
66de563482 Improve code readbility
... by removing the else branch after a return, break or continue.

Closes #1310
2017-03-13 23:11:45 +01:00
Daniel Stenberg
8657c268e1 checksrc: white space edits to comply to stricter checksrc 2016-11-24 23:58:22 +01:00
Alex Rousskov
cb4e2be7c6 proxy: Support HTTPS proxy and SOCKS+HTTP(s)
* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

  --proxy-cacert FILE        CA certificate to verify peer against
  --proxy-capath DIR         CA directory to verify peer against
  --proxy-cert CERT[:PASSWD] Client certificate file and password
  --proxy-cert-type TYPE     Certificate file type (DER/PEM/ENG)
  --proxy-ciphers LIST       SSL ciphers to use
  --proxy-crlfile FILE       Get a CRL list in PEM format from the file
  --proxy-insecure           Allow connections to proxies with bad certs
  --proxy-key KEY            Private key file name
  --proxy-key-type TYPE      Private key file type (DER/PEM/ENG)
  --proxy-pass PASS          Pass phrase for the private key
  --proxy-ssl-allow-beast    Allow security flaw to improve interop
  --proxy-sslv2              Use SSLv2
  --proxy-sslv3              Use SSLv3
  --proxy-tlsv1              Use TLSv1
  --proxy-tlsuser USER       TLS username
  --proxy-tlspassword STRING TLS password
  --proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.
2016-11-24 23:41:44 +01:00
Marcel Raad
21aa32d30d lib: fix compiler warnings after de4de4e3c7
Visual C++ now complains about implicitly casting time_t (64-bit) to
long (32-bit). Fix this by changing some variables from long to time_t,
or explicitly casting to long where the public interface would be
affected.

Closes #1131
2016-11-18 10:11:55 +01:00
Daniel Stenberg
502acba2af strcasecompare: is the new name for strequal()
... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").
2016-10-31 08:46:35 +01:00
Daniel Stenberg
8a6e89a9eb select: switch to macros in uppercase
Curl_select_ready() was the former API that was replaced with
Curl_select_check() a while back and the former arg setup was provided
with a define (in order to leave existing code unmodified).

Now we instead offer SOCKET_READABLE and SOCKET_WRITABLE for the most
common shortcuts where only one socket is checked. They're also more
visibly macros.
2016-10-18 11:05:45 +02:00
Marc Hoersken
b820e40f34 socks.c: display the hostname returned by the SOCKS5 proxy server
Instead of displaying the requested hostname the one returned
by the SOCKS5 proxy server is used in case of connection error.
The requested hostname is displayed earlier in the connection sequence.

The upper-value of the port is moved to a temporary variable and
replaced with a 0-byte to make sure the hostname is 0-terminated.
2016-08-20 21:38:43 +02:00
Marc Hoersken
d6bf400e9f socks.c: use Curl_printable_address in SOCKS5 connection sequence
Replace custom string formatting with Curl_printable_address.
Add additional debug and error output in case of failures.
2016-08-20 21:15:00 +02:00
Marc Hoersken
213c27e487 socks.c: align SOCKS4 connection sequence with SOCKS5
Calling sscanf is not required since the raw IPv4 address is
available and the protocol can be detected using ai_family.
2016-08-20 21:15:00 +02:00
Marc Hoersken
d1bfb1cf54 socks.c: improve verbose output of SOCKS5 connection sequence 2016-08-20 20:07:10 +02:00
Marc Hoersken
b7ee5316c2 socks.c: Correctly calculate position of port in response packet
Third commit to fix issue #944 regarding SOCKS5 error handling.

Reported-by: David Kalnischkies
2016-08-14 17:07:11 +02:00