Stefan Eissing [Wed, 11 Jan 2023 09:30:42 +0000 (10:30 +0100)]
curl_log: for failf/infof and debug logging implementations
- new functions and macros for cfilter debugging
- set CURL_DEBUG with names of cfilters where debug logging should be
enabled
- use GNUC __attribute__ to enable printf format checks during compile
Stefan Eissing [Thu, 5 Jan 2023 16:01:42 +0000 (17:01 +0100)]
ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
Using common method for SSL_CTX initialization of verfiy peer and CA
settings. This also provides X509_STORE sharing to become available for
ngtcp2+openssl HTTP/3.
Reported-by: violetlige on github
Fixes #10222
Closes #10239
Stefan Eissing [Mon, 9 Jan 2023 15:58:10 +0000 (16:58 +0100)]
tests-httpd: basic infra to run curl against an apache httpd plus nghttpx for h3
- adding '--with-test-httpd=<path>' to configure non-standard apache2
install
- python env and base classes for running httpd
- basic tests for connectivity with h1/h2/h3
- adding test cases for truncated responses in http versions.
- adding goaway test for HTTP/3.
- adding "stuttering" tests with parallel downloads in chunks with
varying delays between chunks.
- adding a curltest module to the httpd server, adding GOAWAY test.
- mod_curltest now installs 2 handlers
- 'echo': writing as response body what came as request body
- 'tweak': with query parameters to tweak response behaviour
- marked known fails as skip for now
- ECONNECTREFUSED has not its own fail message in quic filters
- Debug logging in connect eyballing improved
- Fix bug in ngtcp2/quiche that could lead to false success reporting.
Reported-by: Divy Le Ray
Fixes #10245
Closes #10248
Daniel Stenberg [Sat, 7 Jan 2023 15:03:40 +0000 (16:03 +0100)]
curl.h: allow up to 10M buffer size
Bump the limit from 512K. There might be reasons for applications using
h3 to set larger buffers and there is no strong reason for curl to have
a very small maximum.
Stefan Eissing [Mon, 2 Jan 2023 13:08:16 +0000 (14:08 +0100)]
msh3: run again in its cfilter
- test 2500, single GET works
- test 2501, single POST stalls
- test 2502, multiple, sequential GETs each use a new connection since
MsH3ConnectionGetState(qconn) no longer reports CONNECTED after one
GET.
Jay Satiro [Thu, 5 Jan 2023 07:14:53 +0000 (02:14 -0500)]
CURLOPT_HEADERDATA.3: warn DLL users must set write function
- Warn that in Windows if libcurl is running from a DLL and if
CURLOPT_HEADERDATA is set then CURLOPT_WRITEFUNCTION or
CURLOPT_HEADERFUNCTION must be set as well, otherwise the user may
experience crashes.
We already have a similar warning in CURLOPT_WRITEDATA. Basically, in
Windows libcurl could crash writing a FILE pointer that was created by
a different C runtime. In Windows each DLL that is part of a program may
or may not have its own C runtime.
Built-in TLS backends are detected at test time by scanning for their
names in the version string line returned by the cli tool: as this line
may also list the libssh configuration that mentions its own backend,
the curl backend may be wrongly determined.
In example, if the version line contains "libssh/0.10.4/openssl/zlib",
OpenSSL is detected as a curl-configured backend even if not.
This fix requires the backend names to appear as full words preceded by
spacing in the version line to be recognized as curl TLS backends.
Stefan Eissing [Thu, 5 Jan 2023 18:23:21 +0000 (19:23 +0100)]
quic: rename vquic implementations, fix for quiche build.
- quiche in debug mode did not build, fixed.
- moved all vquic implementation files to prefix curl_* to avoid
the potential mixups between provided .h files and our own.
- quich passes test 2500 and 2502. 2501, the POST, fail with
the body being rejected. Quich bug?
Stefan Eissing [Thu, 5 Jan 2023 10:13:17 +0000 (11:13 +0100)]
sectransp: fix for incomplete read/writes
SecureTransport expects result code errSSLWouldBlock when the requested
length could not be sent/recieved in full. The previous code returned
noErr, which let SecureTransport to believe that the IO had terminated
prematurely.
Stefan Eissing [Wed, 4 Jan 2023 13:37:52 +0000 (14:37 +0100)]
tool_operate: fix headerfile writing
Do not rely on the first transfer started to be the first to get a
response (remember -Z). All transfers now write the headefile (-D) in
append mode, making sure that the order of transfer responses does not
lead to overwrites of previous data.
Daniel Stenberg [Sun, 1 Jan 2023 10:26:22 +0000 (11:26 +0100)]
misc: reduce struct and struct field sizes
- by using BIT() instead of bool
- imap: shrink struct
- ftp: make state 'unsigned char'
- ftp: sort ftp_conn struct entries on size
- urldata: use smaller fields for SSL version info storage
- pop3: reduce the pop3_conn struct size
- smtp: reduce the size of the smtp structs
Jay Satiro [Tue, 3 Jan 2023 22:15:26 +0000 (17:15 -0500)]
http2: fix compiler warning due to uninitialized variable
Prior to this change http2_cfilter_add could return an uninitialized
cfilter pointer in an OOM condition. In this case though, the pointer
is discarded and not dereferenced so there was no risk of a crash.
Stefan Eissing [Tue, 3 Jan 2023 12:13:37 +0000 (13:13 +0100)]
cf-socket: keep sockaddr local in the socket filters
- copy `struct Curl_addrinfo` on filter setup into context
- remove `struct Curl_addrinfoi *` with `struct Curl_sockaddr_ex *` in
connectdata that is set and NULLed by the socket filter
- this means we have no reference to the resolver info in connectdata or
its filters
- trigger the CF_CTRL_CONN_INFO_UPDATE event when the complete filter
chain reaches connected status
- update easy handle connection information on CF_CTRL_DATA_SETUP event.
Daniel Stenberg [Mon, 2 Jan 2023 12:51:48 +0000 (13:51 +0100)]
copyright: update all copyright lines and remove year ranges
- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING
checksrc is updated to allow non-year using copyright statements
Daniel Stenberg [Mon, 2 Jan 2023 10:43:51 +0000 (11:43 +0100)]
docs/DEPRECATE.md: deprecate gskit
Ref: #10163
- This is a niche TLS library, only running on some IBM systems
- no regular curl contributors use this backend
- no CI builds use or verify this backend
- gskit, or the curl adaption for it, lacks many modern TLS features
making it an inferior solution
- build breakages in this code take weeks or more to get detected
- fixing gskit code is mostly done "flying blind"
Josh Brobst [Sat, 31 Dec 2022 19:41:44 +0000 (14:41 -0500)]
http: decode transfer encoding first
The unencoding stack is added to as Transfer-Encoding and
Content-Encoding fields are encountered with no distinction between the
two, meaning the stack will be incorrect if, e.g., the message has both
fields and a non-chunked Transfer-Encoding comes first. This commit
fixes this by ordering the stack with transfer encodings first.
http: add additional condition for including stdint.h
stdint.h was only included in http.h when ENABLE_QUIC was defined, but
symbols from stdint.h are also used when USE_NGHTTP2 is defined. This
causes build errors when USE_NGHTTP2 is defined but ENABLE_QUIC is not.
Daniel Stenberg [Fri, 30 Dec 2022 14:04:57 +0000 (15:04 +0100)]
urldata: cease storing TLS auth type
The only TLS auth type libcurl ever supported is SRP and that is the
default type. Since nobody ever sets any other type, there is no point
in wasting space to store the set type and code to check the type.
Stefan Eissing [Fri, 30 Dec 2022 08:14:55 +0000 (09:14 +0100)]
lib: connect/h2/h3 refactor
Refactoring of connection setup and happy eyeballing. Move
nghttp2. ngtcp2, quiche and msh3 into connection filters.
- eyeballing cfilter that uses sub-filters for performing parallel connects
- socket cfilter for all transport types, including QUIC
- QUIC implementations in cfilter, can now participate in eyeballing
- connection setup is more dynamic in order to adapt to what filter did
really connect. Relevant to see if a SSL filter needs to be added or
if SSL has already been provided
- HTTP/3 test cases similar to HTTP/2
- multiuse of parallel transfers for HTTP/3, tested for ngtcp2 and quiche
- Fix for data attach/detach in VTLS filters that could lead to crashes
during parallel transfers.
- Eliminating setup() methods in cfilters, no longer needed.
- Improving Curl_conn_is_alive() to replace Curl_connalive() and
integrated ssl alive checks into cfilter.
- Adding CF_CNTRL_CONN_INFO_UPDATE to tell filters to update
connection into and persist it at the easy handle.
- Several more cfilter related cleanups and moves:
- stream_weigth and dependency info is now wrapped in struct
Curl_data_priority
- Curl_data_priority members depend is available in HTTP2|HTTP3
- Curl_data_priority members depend on NGHTTP2 support
- handling init/reset/cleanup of priority part of url.c
- data->state.priority same struct, but shallow copy for compares only
- PROTOPT_STREAM has been removed
- Curl_conn_is_mulitplex() now available to check on capability
- Adding query method to connection filters.
- ngtcp2+quiche: implementing query for max concurrent transfers.
- Adding is_alive and keep_alive cfilter methods. Adding DATA_SETUP event.
- setting keepalive timestamp on connect
- DATA_SETUP is called after the connection has been completely
setup (but may not connected yet) to allow filters to initialize
data members they use.
- there is no socket to be had with msh3, it is unclear how select
shall work
- manual test via "curl --http3 https://curl.se" fail with "empty
reply from server".
- Various socket/conn related cleanups:
- Curl_socket is now Curl_socket_open and in cf-socket.c
- Curl_closesocket is now Curl_socket_close and in cf-socket.c
- Curl_ssl_use has been replaced with Cur_conn_is_ssl
- Curl_conn_tcp_accepted_set has been split into
Curl_conn_tcp_listen_set and Curl_conn_tcp_accepted_set
with a clearer purpose
Daniel Stenberg [Wed, 28 Dec 2022 10:08:44 +0000 (11:08 +0100)]
transfer: break the read loop when RECV is cleared
When the RECV bit is cleared because the response reading for this
transfer is complete, the read loop should be stopped. data_pending()
can otherwise still return TRUE and another read would be attempted.
Stefan Eissing [Wed, 28 Dec 2022 08:58:09 +0000 (09:58 +0100)]
openssl: remove attached easy handles from SSL instances
- keeping the "current" easy handle registered at SSL* is no longer
necessary, since the "calling" data object is already stored in the
cfilter's context (and used by other SSL backends from there).
- The "detach" of an easy handle that goes out of scope is then avoided.
- using SSL_set0_wbio for clear reference counting where available.
Daniel Stenberg [Tue, 27 Dec 2022 16:19:51 +0000 (17:19 +0100)]
socketpair: allow localhost MITM sniffers
Windows allow programs to MITM connections to localhost. The previous
check here would detect that and error out. This new method writes data
to verify the pipe thus allowing MITM.
Reported-by: SerusDev on github
Fixes #10144
Closes #10169
Daniel Stenberg [Mon, 26 Dec 2022 08:59:20 +0000 (09:59 +0100)]
cfilters:Curl_conn_get_select_socks: use the first non-connected filter
When there are filters addded for both socket and SSL, the code
previously checked the SSL sockets during connect when it *should* first
check the socket layer until that has connected.
Patrick Monnerat [Fri, 23 Dec 2022 14:35:27 +0000 (15:35 +0100)]
typecheck: accept expressions for option/info parameters
As expressions can have side effects, evaluate only once.
To enable deprecation reporting only once, get rid of the __typeof__
use to define the local temporary variable and use the target type
(CURLoption/CURLINFO). This also avoids multiple reports on type
conflicts (if some) by the curlcheck_* macros.
Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not
their values: a curl_easy_setopt call with an integer constant as option
will never report a deprecation.
Reported-by: Thomas Klausner
Fixes #10148
Closes #10149
Paul Howarth [Fri, 23 Dec 2022 12:34:49 +0000 (12:34 +0000)]
tests: avoid use of sha1 in certificates
The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RHEL-9 and derivatives, which are not willing to use certificates using
that algorithm. The fix is to use sha256 instead, which is already used
for most of the other certificates in the test suite.
Fixes #10135
This gets rid of issues related to sha1 signatures.
Manual steps after "make clean-certs" and "make build-certs":
- Copy tests/certs/stunnel-sv.pem to tests/stunnel.pem
(make clean-certs does not remove the original tests/stunnel.pem)
- Copy tests/certs/Server-localhost-sv.pubkey-pinned into --pinnedpubkey
options of tests/data/test2041 and tests/data/test2087
Radu Hociung [Mon, 26 Dec 2022 05:39:52 +0000 (00:39 -0500)]
http: remove the trace message "Mark bundle... multiuse"
The message "Mark bundle as not supporting multiuse" was added at commit 29364d93 when an http/2-related bug was fixed, and it appears to be a
leftover trace message.
This message should be removed because:
* it conveys no information to the user
* it is enabled in the default build (--enable-verbose)
* it reads like a warning/unexpected condition
* it is equivalent to "Detected http proto < 2", which is
not a useful message.
* it is a time-wasting red-herring for anyone who encounters
it for the first time while investigating some other, real
problem.
This commit removes the trace message "Mark bundle as not
supporting multiuse"
projects / thirdparty / curl.git / log
