6. License Issues
- curl and libcurl are released under a MIT/X derivative license. The license
+ curl and libcurl are released under an MIT/X derivative license. The license
is liberal and should not impose a problem for your project. This section is
just a brief summary for the cases we get the most questions. (Parts of this
section was much enhanced by Bjorn Reese.)
./configure --host aarch64-linux-android --with-pic --disable-shared
Note that this does not give you SSL/TLS support. If you need SSL/TLS, you
-have to build curl with a SSL/TLS library, e.g. OpenSSL, because it is
+have to build curl with an SSL/TLS library, e.g. OpenSSL, because it is
impossible for curl to access Android's native SSL/TLS layer. To build curl
for Android using OpenSSL, follow the OpenSSL build instructions and then
install `libssl.a` and `libcrypto.a` to `$TOOLCHAIN/sysroot/usr/lib` and copy
9.1 SFTP does not do CURLOPT_POSTQUOTE correct
- When libcurl sends CURLOPT_POSTQUOTE commands when connected to a SFTP server
- using the multi interface, the commands are not being sent correctly and
- instead the connection is "cancelled" (the operation is considered done)
+ When libcurl sends CURLOPT_POSTQUOTE commands when connected to an SFTP
+ server using the multi interface, the commands are not being sent correctly
+ and instead the connection is "cancelled" (the operation is considered done)
prematurely. There is a half-baked (busy-looping) patch provided in the bug
report but it cannot be accepted as-is. See
https://curl.se/bug/view.cgi?id=748
Some broken servers fail to support the protocol negotiation properly that
SSL servers are supposed to handle. This may cause the connection to fail
- completely. Sometimes you may need to explicitly select a SSL version to use
- when connecting to make the connection succeed.
+ completely. Sometimes you may need to explicitly select an SSL version to
+ use when connecting to make the connection succeed.
An additional complication can be that modern SSL libraries sometimes are
built with support for older SSL and TLS versions disabled.
See https://github.com/curl/curl/issues/4915 and lib1541.c
The share interface offers CURL_LOCK_DATA_HSTS to have multiple easy handle
- share a HSTS cache, but this is not thread-safe.
+ share an HSTS cache, but this is not thread-safe.
1.5 get rid of PATH_MAX
11.1 File listing support
- Add support for listing the contents of a SMB share. The output should
+ Add support for listing the contents of an SMB share. The output should
probably be the same as/similar to FTP.
11.2 Honor file timestamps
## LDAP
-The path part of a LDAP request can be used to specify the: Distinguished
-Name, Attributes, Scope, Filter and Extension for a LDAP search. Each field is
-separated by a question mark and when that field is not required an empty
+The path part of an LDAP request can be used to specify the: Distinguished
+Name, Attributes, Scope, Filter and Extension for an LDAP search. Each field
+is separated by a question mark and when that field is not required an empty
string with the question mark separator should be included.
Search for the `DN` as `My Organization`:
ldap://ldap.example.com/?rootDomainNamingContext
-For more information about the individual components of a LDAP URL please
-see [RFC 4516](https://datatracker.ietf.org/doc/html/rfc4516).
+For more information about the individual components of an LDAP URL please see
+[RFC 4516](https://datatracker.ietf.org/doc/html/rfc4516).
## POP3
/ home directory is returned.
## SMB
-The path part of a SMB request specifies the file to retrieve and from what
+The path part of an SMB request specifies the file to retrieve and from what
share and directory or the share to upload to and as such, may not be omitted.
If the username is embedded in the URL then it must contain the domain name
and as such, the backslash must be URL encoded as %2f.
## SMTP
-The path part of a SMTP request specifies the hostname to present during
+The path part of an SMTP request specifies the hostname to present during
communication with the mail server. If the path is omitted, then libcurl
attempts to resolve the local computer's hostname. However, this may not
return the fully qualified domain name that is required by some mail servers
curl_easy_setopt(curl, CURLOPT_PASSWORD, "secret");
/* This fetches message 1 from the user's inbox. Note the use of
- * imaps:// rather than imap:// to request a SSL based connection. */
+ * imaps:// rather than imap:// to request an SSL based connection. */
curl_easy_setopt(curl, CURLOPT_URL,
"imaps://imap.example.com/INBOX/;UID=1");
/*
List of URLs to fetch.
- If you intend to use a SSL-based protocol here you might need to setup TLS
+ If you intend to use an SSL-based protocol here you might need to setup TLS
library mutex callbacks as described here:
https://curl.se/libcurl/c/threadsafe.html
curl_easy_setopt(curl, CURLOPT_USERNAME, "user");
curl_easy_setopt(curl, CURLOPT_PASSWORD, "secret");
- /* This retrieves message 1 from the user's mailbox. Note the use of
- * pop3s:// rather than pop3:// to request a SSL based connection. */
+ /* This retrieves message 1 from the user's mailbox. Note the use of *
+ pop3s:// rather than pop3:// to request an SSL based connection. */
curl_easy_setopt(curl, CURLOPT_URL, "pop3s://pop.example.com/1");
/* If you want to connect to a site who is not using a certificate that is
curl_easy_setopt(curl, CURLOPT_PASSWORD, "secret");
/* This is the URL for your mailserver. Note the use of smtps:// rather
- * than smtp:// to request a SSL based connection. */
+ * than smtp:// to request an SSL based connection. */
curl_easy_setopt(curl, CURLOPT_URL, "smtps://mainserver.example.net");
/* If you want to connect to a site who is not using a certificate that is
The protocols on the other hand no longer have to care to package data most efficiently. At any time, should more data be needed, it can be read from the client. This is used when sending HTTP requests headers to add as much request body data to the initial sending as there is room for.
Future enhancements based on the client readers:
-* `expect-100` handling: place that into a HTTP specific reader at `CURL_CR_PROTOCOL` and eliminate the checks in the generic transfer parts.
-* `eos forwarding`: transfer should forward an `eos` flag to the connection filters. Filters like HTTP/2 and HTTP/3 can make use of that, terminating streams early. This would also eliminate length checks in stream handling.
+* `expect-100` handling: place that into an HTTP specific reader at
+ `CURL_CR_PROTOCOL` and eliminate the checks in the generic transfer parts.
+* `eos forwarding`: transfer should forward an `eos` flag to the connection
+ filters. Filters like HTTP/2 and HTTP/3 can make use of that, terminating
+ streams early. This would also eliminate length checks in stream handling.
top of each other (or "chained" if you prefer that metaphor). In the common
scenario that you want to retrieve a `https:` URL with curl, you need 2 basic
things to send the request and get the response: a TCP connection, represented
-by a `socket` and a SSL instance en- and decrypt over that socket. You write
+by a `socket` and an SSL instance en- and decrypt over that socket. You write
your request to the SSL instance, which encrypts and writes that data to the
socket, which then sends the bytes over the network.
## `CURL_DBG_SOCK_RBLOCK`
-The percentage of recv() calls that should be answered with a EAGAIN at random.
-For TCP/UNIX sockets.
+The percentage of recv() calls that should be answered with an EAGAIN at
+random. For TCP/UNIX sockets.
## `CURL_DBG_SOCK_RMAX`
## `CURL_DBG_SOCK_WBLOCK`
-The percentage of send() calls that should be answered with a EAGAIN at random.
-For TCP/UNIX sockets.
+The percentage of send() calls that should be answered with an EAGAIN at
+random. For TCP/UNIX sockets.
## `CURL_DBG_SOCK_WPARTIAL`
## `SSLKEYLOGFILE`
-When set and libcurl runs with a SSL backend that supports this feature,
+When set and libcurl runs with an SSL backend that supports this feature,
libcurl saves SSL secrets into the given filename. Using those SSL secrets,
other tools (such as Wireshark) can decrypt the SSL communication and
analyze/view the traffic.
## CURLE_FTP_WEIRD_PASV_REPLY (13)
libcurl failed to get a sensible result back from the server as a response to
-either a PASV or a EPSV command. The server is flawed.
+either a PASV or an EPSV command. The server is flawed.
## CURLE_FTP_WEIRD_227_FORMAT (14)
if(conn->bits.tls_enable_alpn) {
#ifdef USE_HTTPSRR
- /* Is there a HTTPSRR use its ALPNs here.
+ /* Is there an HTTPSRR use its ALPNs here.
* We are here after having selected a connection to a host+port and
* can no longer change that. Any HTTPSRR advice for other hosts and ports
* we need to ignore. */
/*
* Curl_create_sspi_identity()
*
- * This is used to populate a SSPI identity structure based on the supplied
+ * This is used to populate an SSPI identity structure based on the supplied
* username and password.
*
* Parameters:
/*
* Curl_sspi_free_identity()
*
- * This is used to free the contents of a SSPI identifier structure.
+ * This is used to free the contents of an SSPI identifier structure.
*
* Parameters:
*
CURLcode Curl_sspi_global_init(void);
void Curl_sspi_global_cleanup(void);
-/* This is used to populate the domain in a SSPI identity structure */
+/* This is used to populate the domain in an SSPI identity structure */
CURLcode Curl_override_sspi_http_realm(const char *chlg,
SEC_WINNT_AUTH_IDENTITY *identity);
#endif
if(data->set.use_ssl && !conn->bits.ftp_use_control_ssl) {
- /* We do not have a SSL/TLS control connection yet, but FTPS is
- requested. Try a FTPS connection now */
+ /* We do not have an SSL/TLS control connection yet, but FTPS is
+ requested. Try an FTPS connection now */
ftpc->count3 = 0;
switch(data->set.ftpsslauth) {
/* We expect more response from HTTP/2 later */
k->header = TRUE;
k->headerline = 0; /* restart the header line counter */
- k->httpversion_sent = 20; /* It's a HTTP/2 request now */
+ k->httpversion_sent = 20; /* It's an HTTP/2 request now */
/* Any remaining `buf` bytes are already HTTP/2 and passed to
* be processed. */
result = Curl_http2_upgrade(data, conn, FIRSTSOCKET, buf, blen);
POST_CR state. */
CHUNK_DATA,
- /* POSTLF should get a CR and then a LF and nothing else, then move back to
+ /* POSTLF should get a CR and then an LF and nothing else, then move back to
HEX as the CRLF combination marks the end of a chunk. A missing CR is no
big deal. */
CHUNK_POSTLF,
CHUNK_TRAILER,
/* A trailer CR has been found - next state is CHUNK_TRAILER_POSTCR.
- Next char must be a LF */
+ Next char must be an LF */
CHUNK_TRAILER_CR,
/* A trailer LF must be found now, otherwise CHUNKE_BAD_CHUNK will be
(void)instate; /* no use for this yet */
- /* Do we have a untagged response? */
+ /* Do we have an untagged response? */
if(imapcode == '*') {
line += 2;
* Returns `dst' (as a const)
* Note:
* - uses no statics
- * - takes a unsigned char* not an in_addr as input
+ * - takes an unsigned char* not an in_addr as input
*/
static char *inet_ntop4(const unsigned char *src, char *dst, size_t size)
{
line = curlx_dyn_ptr(&pop3c->pp.recvbuf);
len = pop3c->pp.nfinal;
- /* Do we have a untagged continuation response? */
+ /* Do we have an untagged continuation response? */
if(pop3code == '*') {
/* Does the server support the STLS capability? */
if(len >= 4 && !memcmp(line, "STLS", 4))
break;
case CURLOPT_SSL_CTX_DATA:
/*
- * Set a SSL_CTX callback parameter pointer
+ * Set an SSL_CTX callback parameter pointer
*/
#ifdef USE_SSL
if(Curl_ssl_supports(data, SSLSUPP_SSL_CTX)) {
break;
case CURLOPT_SSL_CTX_FUNCTION:
/*
- * Set a SSL_CTX callback
+ * Set an SSL_CTX callback
*/
#ifdef USE_SSL
if(Curl_ssl_supports(data, SSLSUPP_SSL_CTX)) {
*
* smtp_perform_command()
*
- * Sends a SMTP based command.
+ * Sends an SMTP based command.
*/
static CURLcode smtp_perform_command(struct Curl_easy *data,
struct smtp_conn *smtpc,
if(smtpcode != 1) {
if(data->set.use_ssl && !Curl_conn_is_ssl(data->conn, FIRSTSOCKET)) {
- /* We do not have a SSL/TLS connection yet, but SSL is requested */
+ /* We do not have an SSL/TLS connection yet, but SSL is requested */
if(smtpc->tls_supported)
/* Switch to TLS connection now */
result = smtp_perform_starttls(data, smtpc);
/*
* Curl_override_sspi_http_realm()
*
- * This is used to populate the domain in a SSPI identity structure
+ * This is used to populate the domain in an SSPI identity structure
* The realm is extracted from the challenge message and used as the
* domain if it is not already explicitly set.
*
/*
* Curl_auth_build_spn()
*
- * This is used to build a SPN string in the following formats:
+ * This is used to build an SPN string in the following formats:
*
* service/host@realm (Not currently used)
* service/host (Not used by GSS-API)
*/
bool Curl_auth_allowed_to_host(struct Curl_easy *data);
-/* This is used to build a SPN string */
+/* This is used to build an SPN string */
#if !defined(USE_WINDOWS_SSPI)
char *Curl_auth_build_spn(const char *service, const char *host,
const char *realm);
}
-/* this function does a SSL/TLS (re-)handshake */
+/* this function does an SSL/TLS (re-)handshake */
static CURLcode handshake(struct Curl_cfilter *cf,
struct Curl_easy *data)
{
linelen = strlen(line);
if(linelen == 0 || linelen > sizeof(buf) - 2) {
- /* Empty line or too big to fit in a LF and NUL. */
+ /* Empty line or too big to fit in an LF and NUL. */
return FALSE;
}
const unsigned char *secret, size_t secretlen);
/*
- * Appends a line to the key log file, ensure it is terminated by a LF.
+ * Appends a line to the key log file, ensure it is terminated by an LF.
* Returns true iff the key log file is open and a valid line was provided.
*/
bool Curl_tls_keylog_write_line(const char *line);
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.
- OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability:
+ OpenSSL added a work-around for an SSL 3.0/TLS 1.0 CBC vulnerability:
https://web.archive.org/web/20240114184648/openssl.org/~bodo/tls-cbc.txt.
In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around
despite the fact that SSL_OP_ALL is documented to do "rather harmless"
void *sobj,
Curl_ssl_scache_obj_dtor *sobj_dtor_cb);
-/* All about a SSL session ticket */
+/* All about an SSL session ticket */
struct Curl_ssl_session {
const void *sdata; /* session ticket data, plain bytes */
size_t sdata_len; /* number of bytes in sdata */
http
</server>
<name>
-HTTP GET with a invalid HTTP/1 response line start
+HTTP GET with an invalid HTTP/1 response line start
</name>
<command>
http://%HOSTIP:%HTTPPORT/%TESTNUMBER --http0.9
http
</server>
<name>
-HTTP/1 doing HTTP/2 Upgrade: getting a HTTP/2 101 response
+HTTP/1 doing HTTP/2 Upgrade: getting an HTTP/2 101 response
</name>
<command>
http://%HOSTIP:%HTTPPORT/%TESTNUMBER --http2
proxy
</features>
<name>
-HTTP PUT to a FTP URL with username+password - over HTTP proxy
+HTTP PUT to an FTP URL with username+password - over HTTP proxy
</name>
<command>
-x http://%HOSTIP:%HTTPPORT ftp://daniel:mysecret@host.com/we/want/%TESTNUMBER -T %LOGDIR/test%TESTNUMBER.txt
def main():
parser = argparse.ArgumentParser(prog='scorecard', description="""
- Run a range of tests to give a scorecard for a HTTP protocol
+ Run a range of tests to give a scorecard for an HTTP protocol
'h3' or 'h2' implementation in curl.
""")
parser.add_argument("-v", "--verbose", action='count', default=1,
@pytest.mark.skipif(condition=not Env.have_h3(), reason="h3 not supported")
def test_12_03_as_follow_h2h3(self, env: Env, httpd, configures_httpd, nghttpx):
- # write a alt-svc file that advises h3 instead of h2
+ # write an alt-svc file that advises h3 instead of h2
asfile = os.path.join(env.gen_dir, 'alt-svc-12_03.txt')
self.create_asfile(asfile, f'h2 {env.domain1} {env.https_port} h3 {env.domain1} {env.h3_port}')
curl = CurlClient(env=env)
@pytest.mark.skipif(condition=not Env.have_h3(), reason="h3 not supported")
def test_12_04_as_follow_h3h2(self, env: Env, httpd, configures_httpd, nghttpx):
count = 2
- # write a alt-svc file the advises h2 instead of h3
+ # write an alt-svc file the advises h2 instead of h3
asfile = os.path.join(env.gen_dir, 'alt-svc-12_04.txt')
ts = datetime.now() + timedelta(hours=24)
expires = f'{ts.year:04}{ts.month:02}{ts.day:02} {ts.hour:02}:{ts.minute:02}:{ts.second:02}'
def test_12_05_as_follow_h3h1(self, env: Env, httpd, configures_httpd, nghttpx):
# With '--http3` an Alt-Svc redirection from h3 to h1 is allowed
count = 2
- # write a alt-svc file the advises h1 instead of h3
+ # write an alt-svc file the advises h1 instead of h3
asfile = os.path.join(env.gen_dir, 'alt-svc-12_05.txt')
ts = datetime.now() + timedelta(hours=24)
expires = f'{ts.year:04}{ts.month:02}{ts.day:02} {ts.hour:02}:{ts.minute:02}:{ts.second:02}'
def test_12_06_as_ignore_h3h1(self, env: Env, httpd, configures_httpd, nghttpx):
# With '--http3-only` an Alt-Svc redirection from h3 to h1 is ignored
count = 2
- # write a alt-svc file the advises h1 instead of h3
+ # write an alt-svc file the advises h1 instead of h3
asfile = os.path.join(env.gen_dir, 'alt-svc-12_05.txt')
ts = datetime.now() + timedelta(hours=24)
expires = f'{ts.year:04}{ts.month:02}{ts.day:02} {ts.hour:02}:{ts.minute:02}:{ts.second:02}'
@pytest.mark.skipif(condition=not Env.have_h3(), reason="h3 not supported")
def test_12_07_as_ignore_h2h3(self, env: Env, httpd, configures_httpd, nghttpx):
# With '--http2` an Alt-Svc redirection from h2 to h3 is ignored
- # write a alt-svc file that advises h3 instead of h2
+ # write an alt-svc file that advises h3 instead of h2
asfile = os.path.join(env.gen_dir, 'alt-svc-12_03.txt')
self.create_asfile(asfile, f'h2 {env.domain1} {env.https_port} h3 {env.domain1} {env.h3_port}')
curl = CurlClient(env=env)
* HTTP1 amd HTTP2 (no multiplexing) two transfers (expected two descriptors),
* HTTP2 with multiplexing (expected one descriptors)
* Improper inputs to the API result in CURLM_BAD_FUNCTION_ARGUMENT.
- * Sending a empty ufds, and size = 0 will return the number of fds needed.
+ * Sending an empty ufds, and size = 0 will return the number of fds needed.
* Sending a non-empty ufds, but smaller than the fds needed will result in a
* CURLM_OUT_OF_MEMORY, and a number of fds that is >= to the number needed.
*
}
}
-#endif /* using a FD_SETSIZE bound select() */
+#endif /* using an FD_SETSIZE bound select() */
/*
* Old or 'backwards compatible' implementations of stdio do not allow
}
}
-#endif /* using a FD_SETSIZE bound select() */
+#endif /* using an FD_SETSIZE bound select() */
/*
* Old or 'backwards compatible' implementations of stdio do not allow
{ "2.example.com", NULL,
"max-age=\"21536000\"; includeSubDomains; includeSubDomains;",
CURLE_BAD_FUNCTION_ARGUMENT },
- /* use a unknown directive "include" that should be ignored */
+ /* use an unknown directive "include" that should be ignored */
{ "3.example.com", NULL, "max-age=\"21536000\"; include; includeSubDomains;",
CURLE_OK },
/* remove the "3.example.com" one, should still match the example.com */
projects / thirdparty / curl.git / commitdiff
