#
fb22459d |
| 26-Apr-2024 |
Stefan Eissing |
vtls: TLS session storage overhaul - add session with destructor callback - remove vtls `session_free` method - let `Curl_ssl_addsessionid()` take ownership of session object,
vtls: TLS session storage overhaul - add session with destructor callback - remove vtls `session_free` method - let `Curl_ssl_addsessionid()` take ownership of session object, freeing it also on failures - change tls backend use - test_17, add tests for SSL session resumption Closes #13386
show more ...
|
#
32101010 |
| 22-Mar-2024 |
Stefan Eissing |
tls: use shared init code for TCP+QUIC Closes #13172
|
#
bf567dd9 |
| 09-Jan-2024 |
Jay Satiro |
lib: use multi instead of multi_easy for the active multi - Use data->multi and not data->multi_easy to refer to the active multi. The easy handle's active multi is always data->mul
lib: use multi instead of multi_easy for the active multi - Use data->multi and not data->multi_easy to refer to the active multi. The easy handle's active multi is always data->multi. This is a follow up to 757dfdf which changed curl so that an easy handle used with the easy interface and then multi interface cannot have two different multi handles associated with it at the same time (data->multi_easy from the easy interface and data->multi from the multi interface). Closes https://github.com/curl/curl/pull/12665
show more ...
|
#
f46385d3 |
| 25-Mar-2024 |
Michał Antoniak <47522782+MAntoniak@users.noreply.github.com> |
urldata: remove fields not used depending on used features Reduced size of dynamically_allocated_data structure. Reduced number of stored values in enum dupstring and enum dupblob.
urldata: remove fields not used depending on used features Reduced size of dynamically_allocated_data structure. Reduced number of stored values in enum dupstring and enum dupblob. This affects the reduced array placed in the UserDefined structure. Closes #13188
show more ...
|
#
e87751d6 |
| 13-Feb-2024 |
Stefan Eissing |
vtls: fix tls proxy peer verification - When verifying a proxy certificate for an ip address, use the correct ip family. Prior to this change the "connection" ip family was us
vtls: fix tls proxy peer verification - When verifying a proxy certificate for an ip address, use the correct ip family. Prior to this change the "connection" ip family was used, which was not necessarily the same. Reported-by: HsiehYuho@users.noreply.github.com Fixes https://github.com/curl/curl/issues/12831 Closes https://github.com/curl/curl/pull/12931
show more ...
|
#
24d6c288 |
| 09-Feb-2024 |
Jay Satiro |
schannel: fix hang on unexpected server close - Treat TLS connection close (either due to a close_notify from the server or just closed due to receiving 0) as pending data. Th
schannel: fix hang on unexpected server close - Treat TLS connection close (either due to a close_notify from the server or just closed due to receiving 0) as pending data. This is because in some cases schannel_recv knows the connection is closed but has to return actual pending data so it can't return 0 or an error to indicate no more data. In this case schannel_recv must be called again, which only happens if readwrite_data sees that there is still pending data. Prior to this change if the total size of the body that libcurl expected to receive from the server was unknown then it was possible under some network conditions that libcurl would hang waiting to receive more data, when in fact a close_notify alert indicating no more data would be sent was already processed. Fixes https://github.com/curl/curl/issues/12894 Closes https://github.com/curl/curl/pull/12910
show more ...
|
#
aff26089 |
| 01-Jan-2024 |
Viktor Szakats |
schannel: fix `-Warith-conversion` gcc 13 warning ``` lib/vtls/schannel.c:1201:22: warning: conversion to 'unsigned int' from 'int' may change the sign of the result [-Warith-conversion]
schannel: fix `-Warith-conversion` gcc 13 warning ``` lib/vtls/schannel.c:1201:22: warning: conversion to 'unsigned int' from 'int' may change the sign of the result [-Warith-conversion] 1201 | *extension_len = *list_len + | ^ ``` Closes #12616
show more ...
|
#
3829759b |
| 08-Dec-2023 |
Viktor Szakats |
build: enable missing OpenSSF-recommended warnings, with fixes https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html as of 2023-11-29 [1]
build: enable missing OpenSSF-recommended warnings, with fixes https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html as of 2023-11-29 [1]. Enable new recommended warnings (except `-Wsign-conversion`): - enable `-Wformat=2` for clang (in both cmake and autotools). - add `CURL_PRINTF()` internal attribute and mark functions accepting printf arguments with it. This is a copy of existing `CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible with redefinting the `printf` symbol: https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94 - fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for mingw-w64 and enable it on this platform. - enable `-Wimplicit-fallthrough`. - enable `-Wtrampolines`. - add `-Wsign-conversion` commented with a FIXME. - cmake: enable `-pedantic-errors` the way we do it with autotools. Follow-up to d5c0351055d5709da8f3e16c91348092fdb481aa #2747 - lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format checks. Previously it was always disabled due to the internal `printf` macro. Fix them: - fix bug where an `set_ipv6_v6only()` call was missed in builds with `--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`. - add internal `FALLTHROUGH()` macro. - replace obsolete fall-through comments with `FALLTHROUGH()`. - fix fallthrough markups: Delete redundant ones (showing up as warnings in most cases). Add missing ones. Fix indentation. - silence `-Wformat-nonliteral` warnings with llvm/clang. - fix one `-Wformat-nonliteral` warning. - fix new `-Wformat` and `-Wformat-security` warnings. - fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its definition to `lib/curl_setup.h` allowing use in `tests/server`. - lib: fix two wrongly passed string arguments in log outputs. Co-authored-by: Jay Satiro - fix new `-Wformat` warnings on mingw-w64. [1] https://github.com/ossf/wg-best-practices-os-developers/blob/56c0fde3895bfc55c8a973ef49a2572c507b2ae1/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md Closes #12489
show more ...
|
#
ff74cef5 |
| 11-Dec-2023 |
Daniel Stenberg |
lib: reduce use of strncpy - bearssl: select cipher without buffer copies - http_aws_sigv4: avoid strncpy, require exact timestamp length - http_aws_sigv4: use memcpy isntead of strn
lib: reduce use of strncpy - bearssl: select cipher without buffer copies - http_aws_sigv4: avoid strncpy, require exact timestamp length - http_aws_sigv4: use memcpy isntead of strncpy - openssl: avoid strncpy calls - schannel: check for 1.3 algos without buffer copies - strerror: avoid strncpy calls - telnet: avoid strncpy, return error on too long inputs - vtls: avoid strncpy in multissl_version() Closes #12499
show more ...
|
#
a17f041b |
| 06-Dec-2023 |
YX Hao |
lib: fix variable undeclared error caused by `infof` changes `--disable-verbose` yields `CURL_DISABLE_VERBOSE_STRINGS` defined. `infof` isn't `Curl_nop_stmt` anymore: dac293c. F
lib: fix variable undeclared error caused by `infof` changes `--disable-verbose` yields `CURL_DISABLE_VERBOSE_STRINGS` defined. `infof` isn't `Curl_nop_stmt` anymore: dac293c. Follow-up to dac293c Closes #12470
show more ...
|
#
9ac6023d |
| 19-Nov-2023 |
Jay Satiro |
schannel: fix unused variable warning Bug: https://github.com/curl/curl/pull/12349#issuecomment-1818000846 Reported-by: Viktor Szakats Closes https://github.com/curl/curl/pull/1
schannel: fix unused variable warning Bug: https://github.com/curl/curl/pull/12349#issuecomment-1818000846 Reported-by: Viktor Szakats Closes https://github.com/curl/curl/pull/12361
show more ...
|
#
fa714830 |
| 17-Nov-2023 |
Stefan Eissing |
vtls/vquic, keep peer name information together - add `struct ssl_peer` to keep hostname, dispname and sni for a filter - allocate `sni` for use in VTLS backend - eliminate `Cu
vtls/vquic, keep peer name information together - add `struct ssl_peer` to keep hostname, dispname and sni for a filter - allocate `sni` for use in VTLS backend - eliminate `Curl_ssl_snihost()` and its use of the download buffer - use ssl_peer in SSL and QUIC filters Closes #12349
show more ...
|
#
1af46f2f |
| 03-Nov-2023 |
Andrew Kurushin |
schannel: add CA cache support for files and memory blobs - Support CA bundle and blob caching. Cache timeout is 24 hours or can be set via CURLOPT_CA_CACHE_TIMEOUT. Closes
schannel: add CA cache support for files and memory blobs - Support CA bundle and blob caching. Cache timeout is 24 hours or can be set via CURLOPT_CA_CACHE_TIMEOUT. Closes https://github.com/curl/curl/pull/12261
show more ...
|
#
47f5b1a3 |
| 04-Sep-2023 |
Stefan Eissing |
lib: introduce struct easy_poll_set for poll information Connection filter had a `get_select_socks()` method, inspired by the various `getsocks` functions involved during the lifetime of
lib: introduce struct easy_poll_set for poll information Connection filter had a `get_select_socks()` method, inspired by the various `getsocks` functions involved during the lifetime of a transfer. These, depending on transfer state (CONNECT/DO/DONE/ etc.), return sockets to monitor and flag if this shall be done for POLLIN and/or POLLOUT. Due to this design, sockets and flags could only be added, not removed. This led to problems in filters like HTTP/2 where flow control prohibits the sending of data until the peer increases the flow window. The general transfer loop wants to write, adds POLLOUT, the socket is writeable but no data can be written. This leads to cpu busy loops. To prevent that, HTTP/2 did set the `SEND_HOLD` flag of such a blocked transfer, so the transfer loop cedes further attempts. This works if only one such filter is involved. If a HTTP/2 transfer goes through a HTTP/2 proxy, two filters are setting/clearing this flag and may step on each other's toes. Connection filters `get_select_socks()` is replaced by `adjust_pollset()`. They get passed a `struct easy_pollset` that keeps up to `MAX_SOCKSPEREASYHANDLE` sockets and their `POLLIN|POLLOUT` flags. This struct is initialized in `multi_getsock()` by calling the various `getsocks()` implementations based on transfer state, as before. After protocol handlers/transfer loop have set the sockets and flags they want, the `easy_pollset` is *always* passed to the filters. Filters "higher" in the chain are called first, starting at the first not-yet-connection one. Each filter may add sockets and/or change flags. When all flags are removed, the socket itself is removed from the pollset. Example: * transfer wants to send, adds POLLOUT * http/2 filter has a flow control block, removes POLLOUT and adds POLLIN (it is waiting on a WINDOW_UPDATE from the server) * TLS filter is connected and changes nothing * h2-proxy filter also has a flow control block on its tunnel stream, removes POLLOUT and adds POLLIN also. * socket filter is connected and changes nothing * The resulting pollset is then mixed together with all other transfers and their pollsets, just as before. Use of `SEND_HOLD` is no longer necessary in the filters. All filters are adapted for the changed method. The handling in `multi.c` has been adjusted, but its state handling the the protocol handlers' `getsocks` method are untouched. The most affected filters are http/2, ngtcp2, quiche and h2-proxy. TLS filters needed to be adjusted for the connecting handshake read/write handling. No noticeable difference in performance was detected in local scorecard runs. Closes #11833
show more ...
|
#
3b6d18bb |
| 03-Oct-2023 |
Viktor Szakats |
spelling: fix codespell 2.2.6 typos Closes #12019
|
#
38029101 |
| 08-Aug-2023 |
Viktor Szakats |
mingw: delete support for legacy mingw.org toolchain Drop support for "old" / "legacy" / "classic" / "v1" / "mingw32" MinGW: https://en.wikipedia.org/wiki/MinGW, https://osdn.net/proje
mingw: delete support for legacy mingw.org toolchain Drop support for "old" / "legacy" / "classic" / "v1" / "mingw32" MinGW: https://en.wikipedia.org/wiki/MinGW, https://osdn.net/projects/mingw/ Its homepage used to be http://mingw.org/ [no HTTPS], and broken now. It supported the x86 CPU only and used a old Windows API header and implib set, often causing issues. It also misses most modern Windows features, offering old versions of both binutils and gcc (no llvm/clang support). It was last updated 2 years ago. curl now relies on toolchains based on the mingw-w64 project: https://www.mingw-w64.org/ https://sourceforge.net/projects/mingw-w64/ https://www.msys2.org/ https://github.com/msys2/msys2 https://github.com/mstorsjo/llvm-mingw (Also available via Linux and macOS package managers.) Closes #11625
show more ...
|
#
f6700c74 |
| 08-Aug-2023 |
Nathan Moinvaziri |
schannel: fix ordering of cert chain info - Use CERT_CONTEXT's pbCertEncoded to determine chain order. CERT_CONTEXT from SECPKG_ATTR_REMOTE_CERT_CONTEXT contains end-entity/serv
schannel: fix ordering of cert chain info - Use CERT_CONTEXT's pbCertEncoded to determine chain order. CERT_CONTEXT from SECPKG_ATTR_REMOTE_CERT_CONTEXT contains end-entity/server certificate in pbCertEncoded. We can use this pointer to determine the order of certificates when enumerating hCertStore using CertEnumCertificatesInStore. This change is to help ensure that the ordering of the certificate chain requested by the user via CURLINFO_CERTINFO has the same ordering on all versions of Windows. Prior to this change Schannel certificate order was reversed in 8986df80 but that was later reverted in f540a39b when it was discovered that Windows 11 22H2 does the reversal on its own. Ref: https://github.com/curl/curl/issues/9706 Closes https://github.com/curl/curl/pull/11632
show more ...
|
#
5e2beb33 |
| 23-Aug-2023 |
Daniel Stenberg |
spelling: use 'reuse' not 're-use' in code and elsewhere Unify the spelling as both versions were previously used intermittently Closes #11717
|
#
889c071d |
| 08-Dec-2022 |
Jay Satiro |
schannel: verify hostname independent of verify cert Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verif
schannel: verify hostname independent of verify cert Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in #3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: https://github.com/curl/curl/pull/3285 Fixes https://github.com/curl/curl/issues/3284 Closes https://github.com/curl/curl/pull/10056
show more ...
|
#
b4f9ae51 |
| 19-Mar-2023 |
Jay Satiro |
schannel: fix user-set legacy algorithms in Windows 10 & 11 - If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then use the SCHANNEL_CRED legacy structure to pass the
schannel: fix user-set legacy algorithms in Windows 10 & 11 - If the user set a legacy algorithm list (CURLOPT_SSL_CIPHER_LIST) then use the SCHANNEL_CRED legacy structure to pass the list to Schannel. - If the user set both a legacy algorithm list and a TLS 1.3 cipher list then abort. Although MS doesn't document it, Schannel will not negotiate TLS 1.3 when SCHANNEL_CRED is used. That means setting a legacy algorithm list limits the user to earlier versions of TLS. Prior to this change, since 8beff435 (precedes 7.85.0), libcurl would ignore legacy algorithms in Windows 10 1809 and later. Reported-by: zhihaoy@users.noreply.github.com Fixes https://github.com/curl/curl/pull/10741 Closes https://github.com/curl/curl/pull/10746
show more ...
|
#
f540a39b |
| 28-Jul-2023 |
Nathan Moinvaziri |
Revert "schannel: reverse the order of certinfo insertions" This reverts commit 8986df802db9b5338d9d50a54232ebae4dbcf6dd. Windows does not guarantee a particular certificate orderin
Revert "schannel: reverse the order of certinfo insertions" This reverts commit 8986df802db9b5338d9d50a54232ebae4dbcf6dd. Windows does not guarantee a particular certificate ordering, even though TLS may have its own ordering/relationship guarantees. Recent versions of Windows 11 reversed the ordering of ceritifcates returned by CertEnumCertificatesInStore, therefore this commit no longer works as initially intended. libcurl makes no guarantees about certificate ordering if the operating system can't. Ref: https://github.com/curl/curl/issues/9706 Closes https://github.com/curl/curl/pull/11536
show more ...
|
#
3f8fc257 |
| 09-May-2023 |
Viktor Szakats |
cmake: add support for "unity" builds Aka "jumbo" or "amalgamation" builds. It means to compile all sources per target as a single C source. This is experimental. You can enable
cmake: add support for "unity" builds Aka "jumbo" or "amalgamation" builds. It means to compile all sources per target as a single C source. This is experimental. You can enable it by passing `-DCMAKE_UNITY_BUILD=ON` to cmake. It requires CMake 3.16 or newer. It makes builds (much) faster, allows for better optimizations and tends to promote less ambiguous code. Also add a new AppVeyor CI job and convert an existing one to use "unity" mode (one MSVC, one MinGW), and enable it for one macOS CI job. Fix related issues: - add missing include guard to `easy_lock.h`. - rename static variables and functions (and a macro) with names reused across sources, or shadowed by local variables. - add an `#undef` after use. - add a missing `#undef` before use. - move internal definitions from `ftp.h` to `ftp.c`. - `curl_memory.h` fixes to make it work when included repeatedly. - stop building/linking curlx bits twice for a static-mode curl tool. These caused doubly defined symbols in unity builds. - silence missing extern declarations compiler warning for ` _CRT_glob`. - fix extern declarations for `tool_freq` and `tool_isVistaOrGreater`. - fix colliding static symbols in debug mode: `debugtime()` and `statename`. - rename `ssl_backend_data` structure to unique names for each TLS-backend, along with the `ssl_connect_data` struct member referencing them. This required adding casts for each access. - add workaround for missing `[P]UNICODE_STRING` types in certain Windows builds when compiling `lib/ldap.c`. To support "unity" builds, we had to enable `SCHANNEL_USE_BLACKLISTS` for Schannel (a Windows `schannel.h` option) _globally_. This caused an indirect inclusion of Windows `schannel.h` from `ldap.c` via `winldap.h` to have it enabled as well. This requires `[P]UNICODE_STRING` types, which is apperantly not defined automatically (as seen with both MSVS and mingw-w64). This patch includes `<subauth.h>` to fix it. Ref: https://github.com/curl/curl/runs/13987772013 Ref: https://dev.azure.com/daniel0244/curl/_build/results?buildId=15827&view=logs&jobId=2c9f582d-e278-56b6-4354-f38a4d851906&j=2c9f582d-e278-56b6-4354-f38a4d851906&t=90509b00-34fa-5a81-35d7-5ed9569d331c - tweak unity builds to compile `lib/memdebug.c` separately in memory trace builds to avoid PP confusion. - force-disable unity for test programs. - do not compile and link libcurl sources to libtests _twice_ when libcurl is built in static mode. KNOWN ISSUES: - running tests with unity builds may fail in cases. - some build configurations/env may not compile in unity mode. E.g.: https://ci.appveyor.com/project/curlorg/curl/builds/47230972/job/51wfesgnfuauwl8q#L250 Ref: https://github.com/libssh2/libssh2/issues/1034 Ref: https://cmake.org/cmake/help/latest/prop_tgt/UNITY_BUILD.html Ref: https://en.wikipedia.org/wiki/Unity_build Closes #11095
show more ...
|
#
f198d33e |
| 18-May-2023 |
Emanuele Torre |
checksrc: disallow spaces before labels Out of 415 labels throughout the code base, 86 of those labels were not at the start of the line. Which means labels always at the start of th
checksrc: disallow spaces before labels Out of 415 labels throughout the code base, 86 of those labels were not at the start of the line. Which means labels always at the start of the line is the favoured style overall with 329 instances. Out of the 86 labels not at the start of the line: * 75 were indented with the same indentation level of the following line * 8 were indented with exactly one space * 2 were indented with one fewer indentation level then the following line * 1 was indented with the indentation level of the following line minus three space (probably unintentional) Co-Authored-By: Viktor Szakats Closes #11134
show more ...
|
#
90aea8e2 |
| 11-Apr-2023 |
Daniel Stenberg |
schannel: add clarifying comment Explaining how the PVS warning in #10929 is wrong: Dereferencing of the null pointer 'backend->cred' might take place. Closes #10931
|
#
e135bc9d |
| 01-Mar-2023 |
Daniel Stenberg |
schannel: loop over the algos to pick the selected one Avoid using the funny macro and the extra buffer copy. Closes #10647
|