Jay Satiro [Mon, 22 Jun 2020 16:01:32 +0000 (12:01 -0400)]
openssl: Don't ignore CA paths when using Windows CA store
This commit changes the behavior of CURLSSLOPT_NATIVE_CA so that it does
not override CURLOPT_CAINFO / CURLOPT_CAPATH, or the hardcoded default
locations. Instead the CA store can now be used at the same time.
The change is due to the impending release. The issue is still being
discussed. The behavior of CURLSSLOPT_NATIVE_CA is subject to change and
is now documented as experimental.
Jay Satiro [Sat, 20 Jun 2020 06:39:37 +0000 (02:39 -0400)]
tool_operate: Don't use Windows CA store as a fallback
Background:
148534d added CURLSSLOPT_NATIVE_CA to use the Windows OS certificate
store in libcurl w/ OpenSSL on Windows. CURLSSLOPT_NATIVE_CA overrides
CURLOPT_CAINFO if both are set. The curl tool will fall back to
CURLSSLOPT_NATIVE_CA if it could not find a certificate bundle to set
via CURLOPT_CAINFO.
Problem:
libcurl may be built with hardcoded paths to a certificate bundle or
directory, and if CURLSSLOPT_NATIVE_CA is used then those paths are
ignored.
Solution:
A solution is still being discussed but since there's an impending
release this commit removes using CURLSSLOPT_NATIVE_CA in the curl tool.
Daniel Stenberg [Thu, 18 Jun 2020 11:27:59 +0000 (13:27 +0200)]
urlglob: treat literal IPv6 addresses with zone IDs as a host name
... and not as a "glob". Now done by passing the supposed host to the
URL parser which supposedly will do a better job at identifying "real"
numerical IPv6 addresses.
Reported-by: puckipedia on github
Fixes #5576
Closes #5579
rcombs [Wed, 13 May 2020 23:49:57 +0000 (18:49 -0500)]
multi: implement wait using winsock events
This avoids using a pair of TCP ports to provide wakeup functionality
for every multi instance on Windows, where socketpair() is emulated
using a TCP socket on loopback which could in turn lead to socket
resource exhaustion.
Reviewed-by: Gergely Nagy Reviewed-by: Marc Hörsken
Closes #5397
Daniel Stenberg [Mon, 15 Jun 2020 09:28:17 +0000 (11:28 +0200)]
http: move header storage to Curl_easy from connectdata
Since the connection can be used by many independent requests (using
HTTP/2 or HTTP/3), things like user-agent and other transfer-specific
data MUST NOT be kept connection oriented as it could lead to requests
getting the wrong string for their requests. This struct data was
lingering like this due to old HTTP1 legacy thinking where it didn't
mattered..
Daniel Stenberg [Thu, 11 Jun 2020 10:04:05 +0000 (12:04 +0200)]
CODE_REVIEW.md: how to do code reviews in curl
Assisted-by: Daniel Gustafsson Assisted-by: Rich Salz Assisted-by: Hugo van Kemenade Assisted-by: James Fuller Assisted-by: Marc Hörsken Assisted-by: Jay Satiro
Closes #5555
Daniel Stenberg [Thu, 11 Jun 2020 08:16:32 +0000 (10:16 +0200)]
share: don't set the share flag it something fails
When asking for a specific feature to be shared in the share object,
that bit was previously set unconditionally even if the shared feature
failed or otherwise wouldn't work.
Marc Hoersken [Mon, 1 Jun 2020 06:49:20 +0000 (08:49 +0200)]
timeouts: move ms timeouts to timediff_t from int and long
Now that all functions in select.[ch] take timediff_t instead
of the limited int or long, we can remove type conversions
and related preprocessor checks to silence compiler warnings.
Avoiding conversions from time_t was already done in 842f73de.
Based upon #5262
Supersedes #5214, #5220 and #5221
Follow up to #5343 and #5479
Closes #5490
On some systems, openssl 1.0.x is still the default, but it has been
patched to contain all the recent security fixes. As a result of this
patching, it is possible for macro X509_V_FLAG_NO_ALT_CHAINS to be
defined, while the previous behavior of openssl to not look at trusted
chains first, remains.
Fix it: ensure X509_V_FLAG_TRUSTED_FIRST is always set, do not try to
probe for the behavior of openssl based on the existence ofmacros.
Cherish98 [Fri, 5 Jun 2020 17:36:11 +0000 (17:36 +0000)]
socks: fix expected length of SOCKS5 reply
Commit 4a4b63d forgot to set the expected SOCKS5 reply length when the
reply ATYP is X'01'. This resulted in erroneously expecting more bytes
when the request length is greater than the reply length (e.g., when
remotely resolving the hostname).
Marc Hoersken [Fri, 5 Jun 2020 17:54:34 +0000 (19:54 +0200)]
.gitignore: add directory containing the stats repo
Since the new curl/stats repository is designed to be
checked out into the curl repository working tree as stats/
it should be on the ignore list to aid in commit staging.
Daniel Stenberg [Thu, 4 Jun 2020 16:11:36 +0000 (18:11 +0200)]
configure: only strip first -L from LDFLAGS
In the logic that works out if a given OpenSSL path works, it stripped
off a possibly leading -L flag using an incorrect sed pattern which
would remove all instances of -L in the string, including if the path
itself contained that two-letter sequence!
The same pattern was used and is now updated in multiple places. Now it
only removes -L if it starts the strings.
Daniel Stenberg [Mon, 1 Jun 2020 20:58:46 +0000 (22:58 +0200)]
urldata: let the HTTP method be in the set.* struct
When the method is updated inside libcurl we must still not change the
method as set by the user as then repeated transfers with that same
handle might not execute the same operation anymore!
Daniel Stenberg [Tue, 2 Jun 2020 07:21:03 +0000 (09:21 +0200)]
test970: make it require proxy support
This test verifies the -w %json output and the test case includes a full
generated "blob". If there's no proxy support built into libcurl, it
will return an error for proxy related info variables and they will not
be included in the json, thus causing a mismatch and this test fails.
Reported-by: Marc Hörsken
Fixes #5501
Closes #5502
If `index.html` does not exist in the directory from which the example
is invoked, the fopen(upload, "rb") invocation in `setup` would fail,
returning NULL. This value is subsequently passed as the FILE* argument
of the `fread` invocation in the `read_callback` function, which is the
actual cause of the crash (apparently `fread` assumes that argument to
be non-null).
In addition, mitigate some possible crashes of similar origin.
Daniel Stenberg [Mon, 1 Jun 2020 07:34:36 +0000 (09:34 +0200)]
transfer: remove k->str NULL check
"Null-checking k->str suggests that it may be null, but it has already
been dereferenced on all paths leading to the check" - and it can't
legally be NULL at this point. Remove check.
Marc Hoersken [Thu, 28 May 2020 20:11:32 +0000 (22:11 +0200)]
azure: use matrix strategy to avoid configuration redundancy
This also includes the following changes:
- Use the same timeout for all jobs on Linux (60 minutes)
and Windows (90 minutes)
- Use CLI stable apt-get install -y instead of apt install
which warns about that and run apt-get update first
- Enable MQTT for Windows msys2 builds instead of
legacy msys1 builds
- Add ./configure --prefix parameter to the msys2 builds
- The MSYSTEM environment variable is now preset inside
the container images for the msys2 builds
Note: on Azure Pipelines the matrix strategy is basically
just a simple list of job copies and not really a matrix.
Daniel Stenberg [Thu, 28 May 2020 16:30:47 +0000 (18:30 +0200)]
url: alloc the download buffer at transfer start
... and free it as soon as the transfer is done. It removes the extra
alloc when a new size is set with setopt() and reduces memory for unused
easy handles.
In addition: the closure_handle now doesn't use an allocated buffer at
all but the smallest supported size as a stack based one.
Marc Hoersken [Tue, 5 May 2020 19:39:39 +0000 (21:39 +0200)]
select: use timediff_t instead of time_t and int for timeout_ms
Make all functions in select.[ch] take timeout_ms as timediff_t
which should always be large enough and signed on all platforms
to take all possible timeout values and avoid type conversions.
Reviewed-by: Jay Satiro Reviewed-by: Daniel Stenberg
Replaces #5107 and partially #5262
Related to #5240 and #5286
Closes #5343
Marc Hoersken [Thu, 28 May 2020 19:04:07 +0000 (21:04 +0200)]
tests/libtest: fix undefined reference to 'curlx_win32_fopen'
Since curl_setup.h now makes use of curlx_win32_fopen for Win32
builds with USE_WIN32_LARGE_FILES or USE_WIN32_SMALL_FILES defined,
we need to include the relevant files for tests using fopen,
because the libtest sources are also including curl_setup.h
Reviewed-by: Marcel Raad Reviewed-by: Daniel Stenberg
Follow up to #3784 (ffdddb45d9)
Closes #5475
Daniel Stenberg [Thu, 28 May 2020 14:32:07 +0000 (16:32 +0200)]
configure: repair the check if argv can be written to
Due to bad escaping of the test code, the test wouldn't build and thus
result in a negative test result, which would lead to the unconditional
assumption that overwriting the arguments doesn't work and thus curl
would never hide credentials given in the command line, even when it
would otherwise be possible.
Peter Wu [Sun, 3 May 2020 23:41:46 +0000 (01:41 +0200)]
ngtcp2: use common key log routine for better thread-safety
Tested with ngtcp2 built against the OpenSSL library. Additionally
tested with MultiSSL (NSS for TLS and ngtcp2+OpenSSL for QUIC).
The TLS backend (independent of QUIC) may or may not already have opened
the keylog file before. Therefore Curl_tls_keylog_open is always called
to ensure the file is open.
Peter Wu [Sun, 3 May 2020 22:16:40 +0000 (00:16 +0200)]
wolfssl: add SSLKEYLOGFILE support
Tested following the same curl and tshark commands as in commit
"vtls: Extract and simplify key log file handling from OpenSSL" using
WolfSSL v4.4.0-stable-128-g5179503e8 from git master built with
`./configure --enable-all --enable-debug CFLAGS=-DHAVE_SECRET_CALLBACK`.
Full support for this feature requires certain wolfSSL build options,
see "Availability note" in lib/vtls/wolfssl.c for details.
Peter Wu [Sun, 3 May 2020 15:10:40 +0000 (17:10 +0200)]
vtls: Extract and simplify key log file handling from OpenSSL
Create a set of routines for TLS key log file handling to enable reuse
with other TLS backends. Simplify the OpenSSL backend as follows:
- Drop the ENABLE_SSLKEYLOGFILE macro as it is unconditionally enabled.
- Do not perform dynamic memory allocation when preparing a log entry.
Unless the TLS specifications change we can suffice with a reasonable
fixed-size buffer.
- Simplify state tracking when SSL_CTX_set_keylog_callback is
unavailable. My original sslkeylog.c code included this tracking in
order to handle multiple calls to SSL_connect and detect new keys
after renegotiation (via SSL_read/SSL_write). For curl however we can
be sure that a single master secret eventually becomes available
after SSL_connect, so a simple flag is sufficient. An alternative to
the flag is examining SSL_state(), but this seems more complex and is
not pursued. Capturing keys after server renegotiation was already
unsupported in curl and remains unsupported.
Tested with curl built against OpenSSL 0.9.8zh, 1.0.2u, and 1.1.1f
(`SSLKEYLOGFILE=keys.txt curl -vkso /dev/null https://localhost:4433`)
against an OpenSSL 1.1.1f server configured with:
# Force non-TLSv1.3, use TLSv1.0 since 0.9.8 fails with 1.1 or 1.2
openssl s_server -www -tls1
# Likewise, but fail the server handshake.
openssl s_server -www -tls1 -Verify 2
# TLS 1.3 test. No need to test the failing server handshake.
openssl s_server -www -tls1_3
Verify that all secrets (1 for TLS 1.0, 4 for TLS 1.3) are correctly
written using Wireshark. For the first and third case, expect four
matches per connection (decrypted Server Finished, Client Finished, HTTP
Request, HTTP Response). For the second case where the handshake fails,
expect a decrypted Server Finished only.
tshark -i lo -pf tcp -otls.keylog_file:keys.txt -Tfields \
-eframe.number -eframe.time -etcp.stream -e_ws.col.Info \
-dtls.port==4433,http -ohttp.desegment_body:FALSE \
-Y 'tls.handshake.verify_data or http'
A single connection can easily be identified via the `tcp.stream` field.
Michael Kaufmann [Thu, 21 May 2020 11:10:04 +0000 (13:10 +0200)]
transfer: close connection after excess data has been read
For HTTP 1.x, it's a protocol error when the server sends more bytes
than announced. If this happens, don't reuse the connection, because the
start position of the next response is undefined.
projects / thirdparty / curl.git / log
