Jay Satiro [Thu, 8 Dec 2022 06:26:13 +0000 (01:26 -0500)]
schannel: verify hostname independent of verify cert
Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off
and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the
hostname in schannel code.
This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and
verify hostname". We discussed a fix several years ago in #3285 but it
went stale.
Assisted-by: Daniel Stenberg
Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html
Reported-by: Martin Galvan
Ref: https://github.com/curl/curl/pull/3285
The above is automatically enabled for Windows builds, with an option to
disable with `SHARE_LIB_OBJECT=OFF`.
This patch extends this feature to all platforms as a manual option.
You can enable it by setting `SHARE_LIB_OBJECT=ON`. Then shared objects
are built in PIC mode, meaning the static lib will also have PIC code.
Viktor Szakats [Tue, 8 Aug 2023 09:41:20 +0000 (09:41 +0000)]
cmake: assume `wldap32` availability on Windows
This system library first shipped with Windows ME, available as an extra
install for some older releases (according to [1]). The import library
was present already in old MinGW 3.4.2 (year 2007).
Drop the feature check and its associated `HAVE_WLDAP32` variable.
To manually disable `wldap32`, you can use the `USE_WIN32_LDAP=OFF`
CMake option, like before.
Daniel Stenberg [Wed, 9 Aug 2023 07:26:18 +0000 (09:26 +0200)]
cmdline-opts/page-header: reorder, clean up
- removed some unnecessary blurb to focus
- moved up the more important URL details
- put "globbing" into its own subtitle and moved down a little
- mention the online man page in the version section
OpenSSL 1.1.1 defines this macro, but no earlier version, or any of the
popular forks (yet). Use the macro itself to detect its presence,
replacing the hard-wired fork-specific conditions.
This way the feature will enable automatically when forks implement it,
while also shorter and possibly requiring less future maintenance.
Viktor Szakats [Mon, 7 Aug 2023 19:50:11 +0000 (19:50 +0000)]
cmake: drop `HAVE_LIBWINMM` and `HAVE_LIBWS2_32` feature checks
- `HAVE_LIBWINMM` was detected but unused. The `winmm` system library is
also not used by curl, but it is by its optional dependency `librtmp`.
Change the logic to always add `winmm` when `USE_LIBRTMP` is set. This
library has been available since the early days of Windows.
- `HAVE_LIBWS2_32` detected `ws2_32` lib on Windows. This lib is present
since Windows 95 OSR2 (AFAIR). Winsock1 already wasn't supported and
other existing logic already assumed this lib being present, so delete
the check and replace the detection variable with `WIN32` and always
add `ws2_32` on Windows.
Viktor Szakats [Mon, 7 Aug 2023 16:32:46 +0000 (16:32 +0000)]
openssl: switch to modern init for LibreSSL 2.7.0+
LibreSSL 2.7.0 (2018-03-21) introduced automatic initialization,
`OPENSSL_init_ssl()` function and deprecated the old, manual init
method, as seen in OpenSSL 1.1.0. Switch to the modern method when
available.
Daniel Stenberg [Mon, 7 Aug 2023 11:02:32 +0000 (13:02 +0200)]
gskit: remove
We remove support for building curl with gskit.
- This is a niche TLS library, only running on some IBM systems
- no regular curl contributors use this backend
- no CI builds use or verify this backend
- gskit, or the curl adaption for it, lacks many modern TLS features
making it an inferior solution
- build breakages in this code take weeks or more to get detected
- fixing gskit code is mostly done "flying blind"
This removal has been advertized in DEPRECATED in Jan 2, 2023 and it has
been mentioned on the curl-library mailing list.
It could be brought back, this is not a ban. Given proper effort and
will, gskit support is welcome back into the curl TLS backend family.
Daniel Stenberg [Fri, 4 Aug 2023 14:07:16 +0000 (16:07 +0200)]
docs/cmdline: add small "warning" to verbose options
"Note that verbose output of curl activities and network traffic might
contain sensitive data, including user names, credentials or secret data
content. Be aware and be careful when sharing trace logs with others."
Daniel Stenberg [Wed, 2 Aug 2023 21:34:48 +0000 (23:34 +0200)]
http: return error when receiving too large header set
To avoid abuse. The limit is set to 300 KB for the accumulated size of
all received HTTP headers for a single response. Incomplete research
suggests that Chrome uses a 256-300 KB limit, while Firefox allows up to
1MB.
Stefan Eissing [Tue, 1 Aug 2023 08:31:58 +0000 (10:31 +0200)]
http2: upgrade tests and add fix for non-existing stream
- check in h2 filter recv that stream actually exists
and return error if not
- add test for parallel, extreme h2 upgrades that fail if
connections get reused before fully switched
- add h2 upgrade upload test just for completeness
Daniel Stenberg [Wed, 2 Aug 2023 16:03:59 +0000 (18:03 +0200)]
url: change default value for CURLOPT_MAXREDIRS to 30
It was previously unlimited by default, but that's not a sensible
default. While changing this has a remote risk of breaking an existing
use case, I figure it is more likely to actually save users from loops.
Jay Satiro [Sun, 19 Mar 2023 08:05:08 +0000 (04:05 -0400)]
schannel: fix user-set legacy algorithms in Windows 10 & 11
- If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then
use the SCHANNEL_CRED legacy structure to pass the list to Schannel.
- If the user set both a legacy algorithm list and a TLS 1.3 cipher list
then abort.
Although MS doesn't document it, Schannel will not negotiate TLS 1.3
when SCHANNEL_CRED is used. That means setting a legacy algorithm list
limits the user to earlier versions of TLS.
Prior to this change, since 8beff435 (precedes 7.85.0), libcurl would
ignore legacy algorithms in Windows 10 1809 and later.
Viktor Szakats [Mon, 31 Jul 2023 11:52:44 +0000 (11:52 +0000)]
egd: delete feature detection and related source code
EGD is Entropy Gathering Daemon, a socket-based entropy source supported
by pre-OpenSSL v1.1 versions and now deprecated. curl also deprecated it
a while ago.
Its detection in CMake was broken all along because OpenSSL libs were
not linked at the point of feature check.
Delete detection from both cmake and autotools, along with the related
source snippet, and the `--with-egd-socket=` `./configure` option.
Stefan Eissing [Mon, 31 Jul 2023 08:56:00 +0000 (10:56 +0200)]
tests: fix h3 server check and parallel instances
- fix check for availability of nghttpx server
- add `tcp` frontend config for same port as quic, as
without this, port 3000 is bound which clashes for parallel
testing
Daniel Stenberg [Mon, 31 Jul 2023 15:27:03 +0000 (17:27 +0200)]
http2: avoid too early connection re-use/multiplexing
HTTP/1 connections that are upgraded to HTTP/2 should not be picked up
for reuse and multiplexing by other handles until the 101 switching
process is completed.
Lots-of-debugging-by: Stefan Eissing
Reported-by: Richard W.M. Jones
Bug: https://curl.se/mail/lib-2023-07/0045.html
Closes #11557
Viktor Szakats [Sun, 30 Jul 2023 12:14:23 +0000 (12:14 +0000)]
cmake: add support for single libcurl compilation pass
Before this patch CMake builds used two separate compilation passes to
build the shared and static libcurl respectively. This patch allows to
reduce that to a single pass if the target platform and build settings
allow it.
This reduces CMake build times when building both static and shared
libcurl at the same time, making these dual builds an almost zero-cost
option.
Enable this feature for Windows builds, where the difference between the
two passes was the use of `__declspec(dllexport)` attribute for exported
API functions for the shared builds. This patch replaces this method
with the use of `libcurl.def` at DLL link time.
Also update `Makefile.mk` to use `libcurl.def` to export libcurl API
symbols on Windows. This simplifies (or fixes) this build method (e.g.
in curl-for-win, which generated a `libcurl.def` from `.h` files using
an elaborate set of transformations).
`libcurl.def` has the maintenance cost of keeping the list of public
libcurl API symbols up-to-date. This list seldom changes, so the cost
is low.
While here, also fix `RAND_egd()` detection which was broken, likely all
along. This feature is probably broken with CMake builds and also
requires a sufficiently obsolete OpenSSL version, so this part of the
update was not tested.
Pablo Busse [Thu, 22 Jun 2023 06:13:07 +0000 (06:13 +0000)]
openssl: Support async cert verify callback
- Update the OpenSSL connect state machine to handle
SSL_ERROR_WANT_RETRY_VERIFY.
This allows libcurl users that are using custom certificate validation
to suspend processing while waiting for external I/O during certificate
validation.
Jay Satiro [Tue, 4 Apr 2023 09:10:52 +0000 (05:10 -0400)]
tool_cb_wrt: fix invalid unicode for windows console
- Suppress an incomplete UTF-8 sequence at the end of the buffer.
- Attempt to reconstruct incomplete UTF-8 sequence from prior call(s)
in current call.
Prior to this change, in Windows console UTF-8 sequences split between
two or more calls to the write callback would cause invalid "replacement
characters" U+FFFD to be printed instead of the actual Unicode
character. This is because in Windows only UTF-16 encoded characters are
printed to the console, therefore we convert the UTF-8 contents to
UTF-16, which cannot be done with partial UTF-8 sequences.
Reported-by: Maksim Arhipov
Fixes https://github.com/curl/curl/issues/9841
Closes https://github.com/curl/curl/pull/10890
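The two steps named in the commit message above (hold back an incomplete trailing UTF-8 sequence, then rejoin it with the next write), sketched as an added example that is not curl's own code. The names `utf8_incomplete_tail`, `utf8_feed` and `struct utf8_carry` are hypothetical, and the input chunks are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Count the bytes at the end of buf that begin a multi-byte UTF-8 sequence
   but do not finish it. Returns 0 when buf ends on a character boundary.
   Only sequence length is checked, not full UTF-8 validity. */
static size_t utf8_incomplete_tail(const unsigned char *buf, size_t len)
{
  size_t back;
  for(back = 1; back <= 3 && back <= len; back++) {
    unsigned char c = buf[len - back];
    size_t need;
    if((c & 0xC0) == 0x80)
      continue;                       /* continuation byte: look further back */
    if((c & 0xE0) == 0xC0) need = 2;
    else if((c & 0xF0) == 0xE0) need = 3;
    else if((c & 0xF8) == 0xF0) need = 4;
    else return 0;                    /* ASCII or invalid lead: hold nothing */
    return back < need ? back : 0;
  }
  return 0;                           /* three continuation bytes in a row */
}

struct utf8_carry { unsigned char pending[3]; size_t npending; };

/* Prepend bytes held from earlier calls to chunk, copy everything that ends
   on a character boundary to out (room for chunklen + 3 bytes is assumed)
   and hold back the incomplete tail. Returns the number of bytes in out. */
static size_t utf8_feed(struct utf8_carry *st, const unsigned char *chunk,
                        size_t chunklen, unsigned char *out)
{
  size_t total = st->npending + chunklen, tail;
  memcpy(out, st->pending, st->npending);
  memcpy(out + st->npending, chunk, chunklen);
  tail = utf8_incomplete_tail(out, total);
  memcpy(st->pending, out + total - tail, tail);
  st->npending = tail;
  return total - tail;
}

int main(void)
{
  /* constructed input: "a", U+20AC (E2 82 AC) and "b" split over three writes */
  const unsigned char c1[] = {'a', 0xE2}, c2[] = {0x82}, c3[] = {0xAC, 'b'};
  struct utf8_carry st = {{0}, 0};
  unsigned char out[8];
  printf("%zu ", utf8_feed(&st, c1, sizeof(c1), out));
  printf("%zu ", utf8_feed(&st, c2, sizeof(c2), out));
  printf("%zu\n", utf8_feed(&st, c3, sizeof(c3), out));
  return 0;
}
```

Only the bytes returned by each call would be passed on to the UTF-8 to UTF-16 conversion, so the converter never sees a split character.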
Daniel Stenberg [Mon, 31 Jul 2023 09:01:51 +0000 (11:01 +0200)]
sectransp: prevent CFRelease() of NULL
When SecCertificateCopyCommonName() returns NULL, the common_name
pointer remains set to NULL, which apparently (sometimes?) crashes
when CFRelease() is called on it.
`u->path = Curl_memdup(path, pathlen + 1);` accesses bytes after the null-terminator.
```
==2676==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x04d48c75 at pc 0x0112708a bp 0x006fb7e0 sp 0x006fb3c4
READ of size 78 at 0x04d48c75 thread T0
#0 0x1127089 in __asan_wrap_memcpy D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\sanitizer_common\sanitizer_common_interceptors.inc:840
#1 0x1891a0e in Curl_memdup C:\actions-runner\_work\client\client\third_party\curl\lib\strdup.c:97
#2 0x18db4b0 in parseurl C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1297
#3 0x18db819 in parseurl_and_replace C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1342
#4 0x18d6e39 in curl_url_set C:\actions-runner\_work\client\client\third_party\curl\lib\urlapi.c:1790
#5 0x1877d3e in parseurlandfillconn C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:1768
#6 0x1871acf in create_conn C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:3403
#7 0x186d8dc in Curl_connect C:\actions-runner\_work\client\client\third_party\curl\lib\url.c:3888
#8 0x1856b78 in multi_runsingle C:\actions-runner\_work\client\client\third_party\curl\lib\multi.c:1982
#9 0x18531e3 in curl_multi_perform C:\actions-runner\_work\client\client\third_party\curl\lib\multi.c:2756
```
Daniel Stenberg [Mon, 31 Jul 2023 09:50:28 +0000 (11:50 +0200)]
tool: add "variable" support
Add support for command line variables. Set variables with --variable
name=content or --variable name@file (where "file" can be stdin if set
to a single dash (-)).
Variable content is expanded in option parameters using "{{name}}"
(without the quotes) if the option name is prefixed with
"--expand-". This gets the contents of the variable "name" inserted, or
a blank if the name does not exist as a variable. Insert "{{" verbatim
in the string by prefixing it with a backslash, like "\\{{".
Import an environment variable with --variable %name. It makes curl exit
with an error if the environment variable is not set. It can also rather
get a default value if the variable does not exist, using =content or
@file like shown above.
Example: get the USER environment variable into the URL:
When expanding variables, curl supports a set of functions that can make
the variable contents more convenient to use. It can trim leading and
trailing white space with "trim", output the contents as a JSON quoted
string with "json", URL encode it with "url" and base 64 encode it with
"b64". To apply functions to a variable expansion, add them colon
separated to the right side of the variable. They are then performed in
a left to right order.
Example: get the contents of a file called $HOME/.secret into a variable
called "fix". Make sure that the content is trimmed and percent-encoded
sent as POST data: