History log of /curl/lib/vtls/schannel.c (Results 126 – 150 of 239)
Revision Date Author Comments
# 10db3ef2 11-May-2019 Marcel Raad

lib: reduce variable scopes

Fixes Codacy/CppCheck warnings.

Closes https://github.com/curl/curl/pull/3872


# 8ece8177 14-May-2019 Daniel Stenberg

cleanup: remove FIXME and TODO comments

They serve very little purpose and mostly just add noise. Most of them
have been around for a very long time. I read them all before removing
or rephrasing them.

Ref: #3876
Closes #3883


# be6e281c 30-Apr-2019 Daniel Stenberg

multi: provide Curl_multiuse_state to update information

As soon as a TLS backend gets ALPN confirmation about the specific HTTP
version it can now set the multiplex situation for the "bundle" and
trigger moving potentially queued up transfers to the CONNECT state.


Revision tags: curl-7_64_1
# 880cd5dd 25-Feb-2019 Daniel Stenberg

strerror: make the strerror function use local buffers

Instead of using a fixed 256 byte buffer in the connectdata struct.

In my build, this reduces the size of the connectdata struct by 11.8%,
from 2160 to 1904 bytes with no functionality or performance loss.

This also fixes a bug in schannel's Curl_verify_certificate where it
called Curl_sspi_strerror when it should have called Curl_strerror for
string from GetLastError. The only effect would have been no text or the
wrong text being shown for the error.

Co-authored-by: Jay Satiro

Closes #3612


# 531b7ad4 24-Feb-2019 georgeok

schannel: support CALG_ECDH_EPHEM algorithm

Add support for Ephemeral elliptic curve Diffie-Hellman key exchange
algorithm option when selecting ciphers. This became available on the
Win10 SDK.

Closes https://github.com/curl/curl/pull/3608


# 06480704 13-Feb-2019 Jay Satiro

schannel: restore some debug output but only for debug builds

Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy
debug output in DEBUGF but omitted a few lines.

Ref: https://github.com/curl/curl/commit/84c10dc#r32292900


# 84c10dc1 11-Feb-2019 Daniel Stenberg

schannel: be quiet

Convert numerous infof() calls into debug-build only messages since they
are annoyingly verbose for regular applications. Removed a few.

Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html
Reported-by: Volker Schmid
Closes #3552


# 927a5bd1 06-Feb-2019 Chris Araman

url: close TLS before removing conn from cache

- Fix potential crashes in schannel shutdown.

Ensure any TLS shutdown messages are sent before removing the
association between the connection and the easy handle. Reverts
@bagder's previous partial fix for #3412.

Fixes https://github.com/curl/curl/issues/3412
Fixes https://github.com/curl/curl/issues/3505
Closes https://github.com/curl/curl/pull/3531


Revision tags: curl-7_64_0
# a730432e 29-Jan-2019 georgeok

spnego_sspi: add support for channel binding

Attempt to add support for Secure Channel binding when negotiate
authentication is used. The problem to solve is that by default IIS
accepts channel binding and curl doesn't utilise them. The result was a
401 response. Scope affects only the Schannel(winssl)-SSPI combination.

Fixes https://github.com/curl/curl/issues/3503
Closes https://github.com/curl/curl/pull/3509


# 180501cb 29-Jan-2019 Daniel Stenberg

schannel: stop calling it "winssl"

Stick to "Schannel" everywhere. The configure option --with-winssl is
kept to allow existing builds to work but --with-schannel is added as an
alias.

Closes #3504


# ce6f73b9 20-Jan-2019 Archangel_SDY

schannel: preserve original certificate path parameter

Fixes #3480
Closes #3487


Revision tags: curl-7_63_0
# 09662337 27-Nov-2018 georgeok

ntlm_sspi: add support for channel binding

Windows extended protection (aka ssl channel binding) is required
to login to ntlm IIS endpoint, otherwise the server returns 401
responses.

Fixes #3280
Closes #3321


# 6ee67297 18-Jan-2019 Daniel Stenberg

schannel: on connection close there might not be a transfer

Reported-by: Marcel Raad
Fixes #3412
Closes #3483


# dcd6f810 22-Nov-2018 Daniel Stenberg

snprintf: renamed and we now only use msnprintf()

The function does not return the same value as snprintf() normally does,
so readers may be misled into thinking the code works differently than
it actually does. A different function name makes this easier to detect.

Reported-by: Tomas Hoger
Assisted-by: Daniel Gustafsson
Fixes #3296
Closes #3297


# 8a49b291 07-Nov-2018 Daniel Gustafsson

winssl: be consistent in Schannel capitalization

The product name from Microsoft is "Schannel", but in infof/failf
reporting we use "schannel". This removes different versions.

Closes #3243
Reviewed-by: Daniel Stenberg <daniel@haxx.se>


# 7f4c3585 30-Oct-2018 marcosdiazr

schannel: make CURLOPT_CERTINFO support using Issuer chain

Closes #3197


# 832661b3 31-Oct-2018 Daniel Stenberg

schannel: use Curl_ prefix for global private symbols

Curl_verify_certificate() must use the Curl_ prefix since it is globally
available in the lib and otherwise steps outside of our namespace!

Closes #3201


Revision tags: curl-7_62_0
# 2e5651a5 18-Sep-2018 Jay Satiro

vtls: fix ssl version "or later" behavior change for many backends

- Treat CURL_SSLVERSION_MAX_NONE the same as
CURL_SSLVERSION_MAX_DEFAULT. Prior to this change NONE would mean use
the minimum version also as the maximum.

This is a follow-up to 6015cef which changed the behavior of setting
the SSL version so that the requested version would only be the minimum
and not the maximum. It appears it was (mostly) implemented in OpenSSL
but not other backends. In other words CURL_SSLVERSION_TLSv1_0 used to
mean use just TLS v1.0 and now it means use TLS v1.0 *or later*.

- Fix CURL_SSLVERSION_MAX_DEFAULT for OpenSSL.

Prior to this change CURL_SSLVERSION_MAX_DEFAULT with OpenSSL was
erroneously treated as always TLS 1.3, and would cause an error if
OpenSSL was built without TLS 1.3 support.

Co-authored-by: Daniel Gustafsson

Fixes https://github.com/curl/curl/issues/2969
Closes https://github.com/curl/curl/pull/3012


# 10009222 06-Sep-2018 Daniel Stenberg

schannel: avoid switch-cases that go to default anyway

SEC_E_APPLICATION_PROTOCOL_MISMATCH isn't defined in some versions of
mingw and would require an ifdef otherwise.

Reported-by: Thomas Glanzmann
Approved-by: Marc Hörsken
Bug: https://curl.haxx.se/mail/lib-2018-09/0020.html
Closes #2950


Revision tags: curl-7_61_1
# 5a3efb1d 16-Aug-2018 Han Han

schannel: unified error code handling

Closes #2901


# 6b6c2b8d 23-Aug-2018 Ihor Karpenko

schannel: client certificate store opening fix

1) Using CERT_STORE_OPEN_EXISTING_FLAG ( or CERT_STORE_READONLY_FLAG )
while opening certificate store would be sufficient in this scenario and
less-demanding in sense of required user credentials ( for example,
IIS_IUSRS will get "Access Denied" 0x05 error for existing CertOpenStore
call without any of flags mentioned above ),

2) as 'cert_store_name' is a DWORD, attempt to format its value like a
string ( in "Failed to open cert store" error message ) will throw null
pointer exception

3) adding GetLastError(), in my opinion, will make error message more
useful.

Bug: https://curl.haxx.se/mail/lib-2018-08/0198.html

Closes #2909


# 2c33105d 12-Jul-2018 Marcel Raad

schannel: enable CALG_TLS1PRF for w32api >= 5.1

The definition of CALG_TLS1PRF has been fixed in the 5.1 branch:
https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/commits/73aedcc0f2e6ba370de0d86ab878ad76a0dda7b5


Revision tags: curl-7_61_0
# 48cf45c5 10-Jul-2018 Marcel Raad

schannel: fix MinGW compile break

Original MinGW's w32api has a syntax error in its definition of
CALG_TLS1PRF [0]. Don't use original MinGW w32api's CALG_TLS1PRF
until this bug [1] is fixed.

[0] https://osdn.net/projects/mingw/scm/git/mingw-org-wsl/blobs/d1d4a17e51a2b78e252ef0147d483267d56c90cc/w32api/include/wincrypt.h
[1] https://osdn.net/projects/mingw/ticket/38391

Fixes https://github.com/curl/curl/pull/2721#issuecomment-403636043
Closes https://github.com/curl/curl/pull/2728


# 424f1cfe 08-Jul-2018 Marcel Raad

schannel: fix -Wsign-compare warning

MinGW warns:
/lib/vtls/schannel.c:219:64: warning: signed and unsigned type in
conditional expression [-Wsign-compare]

Fix this by casting the ptrdiff_t to size_t as we know it's positive.

Closes https://github.com/curl/curl/pull/2721


# 07f7c93f 08-Jul-2018 Marcel Raad

schannel: workaround for wrong function signature in w32api

Original MinGW's w32api has CryptHashData's second parameter as BYTE *
instead of const BYTE *.

Closes https://github.com/curl/curl/pull/2721
