Daniel Stenberg [Fri, 26 Mar 2021 13:25:45 +0000 (14:25 +0100)]
urldata: merge "struct DynamicStatic" into "struct UrlState"
Both were used for the same purposes and there was no logical separation
between them. Combined, this also saves 16 bytes in fewer holes in my
test build.
Jay Satiro [Fri, 26 Mar 2021 07:14:28 +0000 (03:14 -0400)]
KNOWN_BUGS: Update 11.9 - DoH option inheritance
- Add description: Explain that some options aren't inherited because
they are not relevant for the DoH SSL connections or may result in
unexpected behavior.
- Remove the reference to #4578 (SSL verify options not inherited) since
that was fixed by #6597 (separate DoH-specific options for verify).
- Explain that DoH-specific options (those created by #6597) are
available: CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
CURLOPT_DOH_SSL_VERIFYSTATUS.
- Add a reference to #6605 and explain that the user's debug function is
not inherited because it would be unexpected to pass internal handles
(i.e. DoH handles) to the user's callback.
Daniel Stenberg [Tue, 23 Mar 2021 10:17:32 +0000 (11:17 +0100)]
libssh2: kdb_callback: get the right struct pointer
After the recent conn/data refactor in this source file, this function
was mistakenly still getting the old struct pointer which would lead to
crash on servers with keyboard-interactive auth enabled.
Daniel Stenberg [Mon, 22 Mar 2021 23:24:59 +0000 (00:24 +0100)]
http: strip default port from URL sent to proxy
To make sure the Host: header and the URL provide the same authority
portion when sent to the proxy, strip the default port number from the
URL if one was provided.
Reported-by: Michael Brown
Fixes #6769
Closes #6778
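The rule this commit describes, as an added stand-alone illustration rather than libcurl's own http.c code; scheme, host and port values are constructed:

```c
#include <stdio.h>
#include <string.h>

/* Added illustration (not libcurl's code): when a request goes through a
 * proxy, the absolute-form request target and the Host: header must name
 * the same authority, so an explicit port that equals the scheme's default
 * is dropped from both. Values used below are constructed examples. */
static int default_port(const char *scheme)
{
    if(!strcmp(scheme, "http"))  return 80;
    if(!strcmp(scheme, "https")) return 443;
    return 0;                       /* unknown scheme: never strip */
}

/* Authority for the Host: header. port 0 = the URL gave no port.
 * Returns a pointer to a static buffer (overwritten on each call). */
const char *host_header(const char *scheme, const char *host, int port)
{
    static char buf[300];
    if(port && port == default_port(scheme))
        port = 0;                   /* ":80" on http, ":443" on https */
    if(port)
        snprintf(buf, sizeof buf, "%s:%d", host, port);
    else
        snprintf(buf, sizeof buf, "%s", host);
    return buf;
}

/* Absolute-form request target sent to the proxy, built from the same
 * authority string so the two can never disagree. */
const char *proxy_target(const char *scheme, const char *host, int port,
                         const char *path)
{
    static char buf[600];
    snprintf(buf, sizeof buf, "%s://%s%s", scheme,
             host_header(scheme, host, port), path);
    return buf;
}

int main(void)
{
    printf("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n",
           proxy_target("http", "example.com", 80, "/index.html"),
           host_header("http", "example.com", 80));
    return 0;
}
```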
Daniel Stenberg [Sat, 20 Mar 2021 23:10:04 +0000 (00:10 +0100)]
libssh2: ssh_connect: clear session pointer after free
If libssh2_knownhost_init() returns NULL, like in an OOM situation, the
ssh session was freed but the pointer wasn't cleared which made libcurl
later call libssh2 to cleanup using the stale pointer.
If we get a close_notify, treat that as EOF. If we get an EOF from the
TCP stream, treat that as an error (because we should have ended the
connection earlier, when we got a close_notify).
Jay Satiro [Wed, 17 Mar 2021 05:38:10 +0000 (01:38 -0400)]
docs: Add SSL backend names to CURL_SSL_BACKEND
- Document the names that can be used with CURL_SSL_BACKEND:
bearssl, gnutls, gskit, mbedtls, mesalink, nss, openssl, rustls,
schannel, secure-transport, wolfssl
Jay Satiro [Thu, 4 Mar 2021 05:55:53 +0000 (00:55 -0500)]
docs: Explain DOH transfers inherit some SSL settings
- Document in DOH that some SSL settings are inherited but DOH hostname
and peer verification are not and are controlled separately.
- Document that CURLOPT_SSL_CTX_FUNCTION is inherited by DOH handles but
we're considering changing behavior to no longer inherit it. Request
feedback.
Daniel Stenberg [Tue, 16 Mar 2021 13:41:06 +0000 (14:41 +0100)]
http: make 416 not fail with resume + CURLOPT_FAILONERROR
When asked to resume a download, libcurl will convert that to HTTP logic
and if then the entire file is already transferred it will result in a
416 response from the HTTP server. With CURLOPT_FAILONERROR set in that
scenario, it should *not* lead to an error return.
Updated test 1156, added test 1273
Reported-by: Jonathan Watt
Fixes #6740
Closes #6753
Daniel Stenberg [Mon, 15 Mar 2021 07:11:26 +0000 (08:11 +0100)]
Curl_timeleft: check both timeouts during connect
The duration of a connect and the total transfer are calculated from two
different time-stamps. It can end up with the total timeout triggering
before the connect timeout expires and we should make sure to
acknowledge whichever timeout that is reached first.
This is especially notable when a transfer first sits in PENDING, as
that time is counted in the total time but the connect timeout is based
on the time since the handle changed to the CONNECT state.
The CONNECTTIMEOUT is per connect attempt. The TIMEOUT is for the entire
operation.
Fixes #6744
Closes #6745
Reported-by: Andrei Bica
Assisted-by: Jay Satiro
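The two-clock rule this commit describes, as an added stand-alone illustration rather than libcurl's own Curl_timeleft; the timestamps and limits are constructed:

```c
#include <stdio.h>

/* Added illustration of the rule the commit describes; this is not
 * libcurl's Curl_timeleft, only the same idea as a stand-alone function.
 * All times are milliseconds on one clock (constructed values).
 *   t_start   : when the handle was started; the total timeout counts from
 *               here, so time spent PENDING is included
 *   t_connect : when the handle entered CONNECT; the connect timeout counts
 *               from here and applies only while in_connect is set
 * A limit of 0 means "no limit". Result: 0 = no timeout applies,
 * >0 = milliseconds left before the first timeout, <0 = already expired. */
typedef long long ms_t;

ms_t time_left(ms_t now, ms_t t_start, ms_t total_ms,
               ms_t t_connect, ms_t connect_ms, int in_connect)
{
    ms_t best = 0;
    int have_limit = 0;

    if(total_ms) {                      /* TIMEOUT: the entire operation */
        best = total_ms - (now - t_start);
        have_limit = 1;
    }
    if(in_connect && connect_ms) {      /* CONNECTTIMEOUT: this attempt */
        ms_t conn_left = connect_ms - (now - t_connect);
        if(!have_limit || conn_left < best)
            best = conn_left;           /* whichever is reached first wins */
        have_limit = 1;
    }
    if(!have_limit)
        return 0;
    return best > 0 ? best : -1;        /* expired is negative, never 0 */
}

int main(void)
{
    /* Constructed scenario: TIMEOUT 5000 ms, the handle sat PENDING until
     * t=4000, then entered CONNECT with CONNECTTIMEOUT 3000 ms. */
    printf("t=4500: %lld ms left\n", time_left(4500, 0, 5000, 4000, 3000, 1));
    printf("t=5000: %lld (total expired before connect)\n",
           time_left(5000, 0, 5000, 4000, 3000, 1));
    return 0;
}
```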
Previously, rustls was using an on-stack array for TLS data. However,
crustls has an (unusual) requirement that buffers it deals with are
initialized before writing to them. By using calloc, we can ensure the
buffer is initialized once and then reuse it across calls.
Marc Hoersken [Sat, 6 Mar 2021 14:52:09 +0000 (15:52 +0100)]
config: fix building SMB with configure using Win32 Crypto
Align conditions for NTLM features between CMake and configure
builds by differentiating between USE_NTLM and USE_CURL_NTLM_CORE,
just like curl_setup.h does internally to detect support of:
- USE_NTLM: required for NTLM crypto authentication feature
- USE_CURL_NTLM_CORE: required for SMB protocol
Implement USE_WIN32_CRYPTO detection by checking for Crypt functions
in wincrypt.h which are not available in the Windows App environment.
Link advapi32 and crypt32 for Crypto API and Schannel SSL backend.
Fix condition of Schannel SSL backend in CMake build accordingly.
Marc Hoersken [Thu, 4 Mar 2021 21:10:45 +0000 (22:10 +0100)]
config: fix detection of restricted Windows App environment
Move the detection of the restricted Windows App environment
in curl_setup.h before the definition of USE_WIN32_CRYPTO
via included config-win32.h in case no build system is used.
MAX_HSTS_SUBLEN and MAX_HSTS_SUBLENSTR were unused from the initial commit,
and most likely leftovers from early development. Remove as they're not
used for anything.
Closes #6741
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
This requires the latest main branch of crustls, which provides
rustls_client_config_builder_dangerous_set_certificate_verifier and
rustls_client_config_builder_set_enable_sni.
This refactors the session setup into its own function, and adds a new
function cr_hostname_is_ip. Because crustls doesn't support verification
of IP addresses, special handling is needed: We disable SNI and set a
placeholder hostname (which never actually gets sent on the wire).
cookies: Fix potential NULL pointer deref with PSL
Curl_cookie_init can be called with data being NULL, and this can in turn
be passed to Curl_cookie_add, meaning that both functions must be careful
to only use data where it's checked for being a NULL pointer. The libpsl
support code does however dereference data without checking, so if we are
indeed having an unset data pointer we cannot PSL check the cookiedomain.
This is currently not a reachable dereference, as the only caller with a
NULL data isn't passing a file to initialize cookies from, but since the
API has this contract let's ensure we hold it.
Closes #6731
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Michael Hordijk [Tue, 9 Mar 2021 20:04:06 +0000 (15:04 -0500)]
configure: only add OpenSSL paths if they are defined
Add paths for OpenSSL compiling and linking only if they have been
defined. If they haven't been defined, we'll assume that the paths are
already available to the toolchain.
Jay Satiro [Thu, 11 Mar 2021 07:36:37 +0000 (02:36 -0500)]
retry-all-errors.d: Explain curl errors versus HTTP response errors
- Add a paragraph explaining that curl does not consider HTTP response
errors as curl errors, and how that behavior can be modified by using
--retry and --fail.
The --retry-all-errors doc says "Retry on any error" which some users
may find misleading without the added explanation.
Jay Satiro [Thu, 4 Mar 2021 08:02:38 +0000 (03:02 -0500)]
schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro
- Change use of those options from CURLOPT_SSL_OPTIONS that are not
already evaluated via SSL_SET_OPTION in schannel and secure transport
to use that instead of data->set.ssl.optname.
Example:
Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke.
This change is because options set via CURLOPT_SSL_OPTIONS
(data->set.ssl.optname) are separate from those set for HTTPS proxy via
CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The
SSL_SET_OPTION macro determines whether the connection is for HTTPS
proxy and based on that which option to evaluate.
Since neither Schannel nor Secure Transport backends currently support
HTTPS proxy in libcurl, this change is for posterity and has no other
effect.
Jay Satiro [Mon, 1 Mar 2021 08:20:58 +0000 (03:20 -0500)]
projects: Update VS projects for OpenSSL 1.1.x
- Update VS project templates to use the OpenSSL lib names and include
directories for OpenSSL 1.1.x.
This change means the VS project files will now build only with OpenSSL
1.1.x when an OpenSSL configuration is chosen. Prior to this change the
project files built only with OpenSSL 1.0.x (end-of-life) when an
OpenSSL configuration was chosen.
The template changes in this commit were made by script:
And since the output directory now contains the includes it's prepended:
..\..\..\..\..\openssl\build\Win{32,64}\VC{6..15}\{DLL,LIB} {Debug,Release}\include
- Change build-openssl.bat to copy the build's include directory to the
output directory (as seen above).
Each build has its own opensslconf.h which is different so we can't just
include the source include directory any longer.
Note the include directory in the output directory is a full copy from
the build so technically we don't need to include the OpenSSL source
include directory in the template. However, I left it last in case the
user made a custom OpenSSL build using the old method which would put
opensslconf in the OpenSSL source include directory.
- Change build-openssl.bat to use a temporary install directory that is
different from the temporary build directory.
For OpenSSL 1.1.x the temporary paths must be separate not a descendant
of the other, otherwise pdb files will be lost between builds.
Jay Satiro [Thu, 25 Feb 2021 20:49:00 +0000 (15:49 -0500)]
doh: Inherit CURLOPT_STDERR from user's easy handle
Prior to this change if the user set their easy handle's error stream
to something other than stderr it was not inherited by the doh handles,
which meant that they would still write to the default standard error
stream (stderr) for verbose output.
unescaped is coming from Curl_urldecode and not a unicode conversion
function, so reclaiming its memory should be performed with a normal
call to free rather than curlx_unicodefree. In reality, this is the
same thing as curlx_unicodefree is implemented as a call to free but
that's not guaranteed to always hold. Using the curlx macro present
issues with memory debugging as well.
Closes #6671
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Jay Satiro [Sat, 27 Feb 2021 23:08:53 +0000 (18:08 -0500)]
tool_help: Increase space between option and description
- Increase the minimum number of spaces between the option and the
description from 1 to 2.
Before:
~~~
-u, --user <user:password> Server user and password
-A, --user-agent <name>    Send User-Agent <name> to server
-v, --verbose              Make the operation more talkative
-V, --version              Show version number and quit
-w, --write-out <format>   Use output FORMAT after completion
    --xattr                Store metadata in extended file attributes
~~~
After:
~~~
-u, --user <user:password>  Server user and password
-A, --user-agent <name>     Send User-Agent <name> to server
-v, --verbose               Make the operation more talkative
-V, --version               Show version number and quit
-w, --write-out <format>    Use output FORMAT after completion
    --xattr                 Store metadata in extended file attributes
~~~