code: language cleanup in comments

Based on the standards and guidelines we use for our documentation.

- expand contractions (they're => they are etc)
- host name = > hostname

code: language cleanup in comments

Based on the standards and guidelines we use for our documentation.

- expand contractions (they're => they are etc)
- host name = > hostname
- file name => filename
- user name = username
- man page => manpage
- run-time => runtime
- set-up => setup
- back-end => backend
- a HTTP => an HTTP
- Two spaces after a period => one space after period

Closes #14073

show more ...

lib: silence `-Wsign-conversion` in base64, strcase, mprintf

Closes #13467

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- save

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205

show more ...

strcase: use curl_str(n)equal for case insensitive matches

No point in having two entry points for the same functions.

Also merged the *safe* function treatment into these so that t

strcase: use curl_str(n)equal for case insensitive matches

No point in having two entry points for the same functions.

Also merged the *safe* function treatment into these so that they can
also be used when one or both pointers are NULL.

Closes #9837

show more ...

strcase: add and use Curl_timestrcmp

This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match

strcase: add and use Curl_timestrcmp

This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match info to observers based on how fast it is.

The time this function takes is only a function of the shortest input
string.

Reported-by: Trail of Bits

Closes #9658

show more ...

ctype: remove all use of <ctype.h>, use our own versions

Except in the test servers.

Closes #9433

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869

show more ...

strcase: some optimisations

Lookup tables for toupper() and tolower() make Curl_strcasecompare()
about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit
early then a

strcase: some optimisations

Lookup tables for toupper() and tolower() make Curl_strcasecompare()
about 1.5 times faster. Reorganising Curl_strcasecompare() to fully exit
early then also allows simplifying the check at the end, for another
15%. In total, the changes make Curl_strcasecompare() around 1.6 to 1.7
times faster.

Note that these optimisation assume ASCII. The original
Curl_raw_toupper() and raw_tolower() look like they already made that
assumption.

Closes #8875

show more ...

url: check sasl additional parameters for connection reuse.

Also move static function safecmp() as non-static Curl_safecmp() since
its purpose is needed at several places.

Bug:

url: check sasl additional parameters for connection reuse.

Also move static function safecmp() as non-static Curl_safecmp() since
its purpose is needed at several places.

Bug: https://curl.se/docs/CVE-2022-22576.html

CVE-2022-22576

Closes #8746

show more ...

lib: remove support for CURL_DOES_CONVERSIONS

TPF was the only user and support for that was dropped.

Closes #8378

curl.se: new home

Closes #6172

strcase: turn Curl_raw_tolower into static

Only ever used from within this file.

copyrights: update all copyright notices to 2019 on files changed this year

Closes #4547

strcase: fix raw lowercasing the letter X

Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to
this change.

Follow-up to 0023fce which added the function sev

strcase: fix raw lowercasing the letter X

Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to
this change.

Follow-up to 0023fce which added the function several days ago.

Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546

Closes https://github.com/curl/curl/pull/4408

show more ...

http: lowercase headernames for HTTP/2 and HTTP/3

Closes #4401
Fixes #4400

strcase: corrected comment header for Curl_strcasecompare()

Improve code readbility

... by removing the else branch after a return, break or continue.

Closes #1310

checksrc: stricter no-space-before-paren enforcement

In order to make the code style more uniform everywhere

proxy: Support HTTPS proxy and SOCKS+HTTP(s)

* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is est

proxy: Support HTTPS proxy and SOCKS+HTTP(s)

* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

--proxy-cacert FILE CA certificate to verify peer against
--proxy-capath DIR CA directory to verify peer against
--proxy-cert CERT[:PASSWD] Client certificate file and password
--proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
--proxy-ciphers LIST SSL ciphers to use
--proxy-crlfile FILE Get a CRL list in PEM format from the file
--proxy-insecure Allow connections to proxies with bad certs
--proxy-key KEY Private key file name
--proxy-key-type TYPE Private key file type (DER/PEM/ENG)
--proxy-pass PASS Pass phrase for the private key
--proxy-ssl-allow-beast Allow security flaw to improve interop
--proxy-sslv2 Use SSLv2
--proxy-sslv3 Use SSLv3
--proxy-tlsv1 Use TLSv1
--proxy-tlsuser USER TLS username
--proxy-tlspassword STRING TLS password
--proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.

show more ...

strcasecompare: include curl.h in strcase.c

This should fix the "warning: 'curl_strequal' redeclared without
dllimport attribute: previous dllimport ignored" message and subsequent
l

strcasecompare: include curl.h in strcase.c

This should fix the "warning: 'curl_strequal' redeclared without
dllimport attribute: previous dllimport ignored" message and subsequent
link error on Windows because of the missing CURL_EXTERN on the
prototype.

show more ...

curl_strequal: part of public API/ABI, needs to be kept

These two public functions have been mentioned as deprecated since a
very long time but since they are still part of the API and A

curl_strequal: part of public API/ABI, needs to be kept

These two public functions have been mentioned as deprecated since a
very long time but since they are still part of the API and ABI we need
to keep them around.

show more ...

strcasecompare: all case insensitive string compares ignore locale now

We had some confusions on when each function was used. We should not act
differently on different locales anyway.

strcasecompare: is the new name for strequal()

... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the

strcasecompare: is the new name for strequal()

... to make it less likely that we forget that the function actually
does case insentive compares. Also replaced several invokes of the
function with a plain strcmp when case sensitivity is not an issue (like
comparing with "-").

show more ...