#
998b17ea |
| 03-Jun-2024 |
Viktor Szakats |
windows: fix UWP builds, add GHA job Add new job to test building for UWP (aka `CURL_WINDOWS_APP`). Fix fallouts when building for UWP: - rand: do not use `BCryptGenRandom()`.
windows: fix UWP builds, add GHA job Add new job to test building for UWP (aka `CURL_WINDOWS_APP`). Fix fallouts when building for UWP: - rand: do not use `BCryptGenRandom()`. - cmake: disable using win32 LDAP. - cmake: disable telnet. - version_win32: fix code before declaration. - schannel: disable `HAS_MANUAL_VERIFY_API`. - schannel: disable `SSLSUPP_PINNEDPUBKEY` and make `schannel_checksum()` a stub. Ref: e178fbd40a896f2098278ae61e1166c88e7b31d0 #1429 - schannel: make `cert_get_name_string()` a failing stub. - system_win32: make `Curl_win32_impersonating()` a failing stub. - system_win32: try to fix `Curl_win32_init()` (untested). - threads: fix to use `CreateThread()`. - src: disable searching `PATH` for the CA bundle. - src: disable bold text support and capability detection. - src: disable `getfiletime()`/`setfiletime()`. - tests: make `win32_load_system_library()` a failing stub. - tests/server/util: make it compile. - tests/server/sockfilt: make it compile. - tests/lib3026: fix to use `CreateThread()`. See individual commits for build error details. Some of these fixes may have better solutions, and some may not work as expected. The goal of this patch is to make curl build for UWP. Closes #13870
show more ...
|
#
08872971 |
| 13-May-2024 |
Viktor Szakats |
lib/v*: tidy up types and casts Also add a couple of negative checks. Cherry-picked from #13489 Closes #13622
|
#
3829759b |
| 08-Dec-2023 |
Viktor Szakats |
build: enable missing OpenSSF-recommended warnings, with fixes https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html as of 2023-11-29 [1]
build: enable missing OpenSSF-recommended warnings, with fixes https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html as of 2023-11-29 [1]. Enable new recommended warnings (except `-Wsign-conversion`): - enable `-Wformat=2` for clang (in both cmake and autotools). - add `CURL_PRINTF()` internal attribute and mark functions accepting printf arguments with it. This is a copy of existing `CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible with redefinting the `printf` symbol: https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94 - fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for mingw-w64 and enable it on this platform. - enable `-Wimplicit-fallthrough`. - enable `-Wtrampolines`. - add `-Wsign-conversion` commented with a FIXME. - cmake: enable `-pedantic-errors` the way we do it with autotools. Follow-up to d5c0351055d5709da8f3e16c91348092fdb481aa #2747 - lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format checks. Previously it was always disabled due to the internal `printf` macro. Fix them: - fix bug where an `set_ipv6_v6only()` call was missed in builds with `--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`. - add internal `FALLTHROUGH()` macro. - replace obsolete fall-through comments with `FALLTHROUGH()`. - fix fallthrough markups: Delete redundant ones (showing up as warnings in most cases). Add missing ones. Fix indentation. - silence `-Wformat-nonliteral` warnings with llvm/clang. - fix one `-Wformat-nonliteral` warning. - fix new `-Wformat` and `-Wformat-security` warnings. - fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its definition to `lib/curl_setup.h` allowing use in `tests/server`. - lib: fix two wrongly passed string arguments in log outputs. Co-authored-by: Jay Satiro - fix new `-Wformat` warnings on mingw-w64. [1] https://github.com/ossf/wg-best-practices-os-developers/blob/56c0fde3895bfc55c8a973ef49a2572c507b2ae1/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md Closes #12489
show more ...
|
#
fa714830 |
| 17-Nov-2023 |
Stefan Eissing |
vtls/vquic, keep peer name information together - add `struct ssl_peer` to keep hostname, dispname and sni for a filter - allocate `sni` for use in VTLS backend - eliminate `Cu
vtls/vquic, keep peer name information together - add `struct ssl_peer` to keep hostname, dispname and sni for a filter - allocate `sni` for use in VTLS backend - eliminate `Curl_ssl_snihost()` and its use of the download buffer - use ssl_peer in SSL and QUIC filters Closes #12349
show more ...
|
#
1af46f2f |
| 03-Nov-2023 |
Andrew Kurushin |
schannel: add CA cache support for files and memory blobs - Support CA bundle and blob caching. Cache timeout is 24 hours or can be set via CURLOPT_CA_CACHE_TIMEOUT. Closes
schannel: add CA cache support for files and memory blobs - Support CA bundle and blob caching. Cache timeout is 24 hours or can be set via CURLOPT_CA_CACHE_TIMEOUT. Closes https://github.com/curl/curl/pull/12261
show more ...
|
#
889c071d |
| 08-Dec-2022 |
Jay Satiro |
schannel: verify hostname independent of verify cert Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verif
schannel: verify hostname independent of verify cert Prior to this change when CURLOPT_SSL_VERIFYPEER (verifypeer) was off and CURLOPT_SSL_VERIFYHOST (verifyhost) was on we did not verify the hostname in schannel code. This fixes KNOWN_BUG 2.8 "Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname". We discussed a fix several years ago in #3285 but it went stale. Assisted-by: Daniel Stenberg Bug: https://curl.haxx.se/mail/lib-2018-10/0113.html Reported-by: Martin Galvan Ref: https://github.com/curl/curl/pull/3285 Fixes https://github.com/curl/curl/issues/3284 Closes https://github.com/curl/curl/pull/10056
show more ...
|
#
3f8fc257 |
| 09-May-2023 |
Viktor Szakats |
cmake: add support for "unity" builds Aka "jumbo" or "amalgamation" builds. It means to compile all sources per target as a single C source. This is experimental. You can enable
cmake: add support for "unity" builds Aka "jumbo" or "amalgamation" builds. It means to compile all sources per target as a single C source. This is experimental. You can enable it by passing `-DCMAKE_UNITY_BUILD=ON` to cmake. It requires CMake 3.16 or newer. It makes builds (much) faster, allows for better optimizations and tends to promote less ambiguous code. Also add a new AppVeyor CI job and convert an existing one to use "unity" mode (one MSVC, one MinGW), and enable it for one macOS CI job. Fix related issues: - add missing include guard to `easy_lock.h`. - rename static variables and functions (and a macro) with names reused across sources, or shadowed by local variables. - add an `#undef` after use. - add a missing `#undef` before use. - move internal definitions from `ftp.h` to `ftp.c`. - `curl_memory.h` fixes to make it work when included repeatedly. - stop building/linking curlx bits twice for a static-mode curl tool. These caused doubly defined symbols in unity builds. - silence missing extern declarations compiler warning for ` _CRT_glob`. - fix extern declarations for `tool_freq` and `tool_isVistaOrGreater`. - fix colliding static symbols in debug mode: `debugtime()` and `statename`. - rename `ssl_backend_data` structure to unique names for each TLS-backend, along with the `ssl_connect_data` struct member referencing them. This required adding casts for each access. - add workaround for missing `[P]UNICODE_STRING` types in certain Windows builds when compiling `lib/ldap.c`. To support "unity" builds, we had to enable `SCHANNEL_USE_BLACKLISTS` for Schannel (a Windows `schannel.h` option) _globally_. This caused an indirect inclusion of Windows `schannel.h` from `ldap.c` via `winldap.h` to have it enabled as well. This requires `[P]UNICODE_STRING` types, which is apperantly not defined automatically (as seen with both MSVS and mingw-w64). This patch includes `<subauth.h>` to fix it. Ref: https://github.com/curl/curl/runs/13987772013 Ref: https://dev.azure.com/daniel0244/curl/_build/results?buildId=15827&view=logs&jobId=2c9f582d-e278-56b6-4354-f38a4d851906&j=2c9f582d-e278-56b6-4354-f38a4d851906&t=90509b00-34fa-5a81-35d7-5ed9569d331c - tweak unity builds to compile `lib/memdebug.c` separately in memory trace builds to avoid PP confusion. - force-disable unity for test programs. - do not compile and link libcurl sources to libtests _twice_ when libcurl is built in static mode. KNOWN ISSUES: - running tests with unity builds may fail in cases. - some build configurations/env may not compile in unity mode. E.g.: https://ci.appveyor.com/project/curlorg/curl/builds/47230972/job/51wfesgnfuauwl8q#L250 Ref: https://github.com/libssh2/libssh2/issues/1034 Ref: https://cmake.org/cmake/help/latest/prop_tgt/UNITY_BUILD.html Ref: https://en.wikipedia.org/wiki/Unity_build Closes #11095
show more ...
|
#
2bc1d775 |
| 02-Jan-2023 |
Daniel Stenberg |
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - save
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205
show more ...
|
#
af22c2a5 |
| 22-Nov-2022 |
Stefan Eissing |
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct co
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data this selects the propert subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (und session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain paramter. Closes #9919
show more ...
|
#
dafdb20a |
| 11-Nov-2022 |
Stefan Eissing |
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and
lib: connection filters (cfilter) addition to curl: - general construct/destroy in connectdata - default implementations of callback functions - connect: cfilters for connect and accept - socks: cfilter for socks proxying - http_proxy: cfilter for http proxy tunneling - vtls: cfilters for primary and proxy ssl - change in general handling of data/conn - Curl_cfilter_setup() sets up filter chain based on data settings, if none are installed by the protocol handler setup - Curl_cfilter_connect() boot straps filters into `connected` status, used by handlers and multi to reach further stages - Curl_cfilter_is_connected() to check if a conn is connected, e.g. all filters have done their work - Curl_cfilter_get_select_socks() gets the sockets and READ/WRITE indicators for multi select to work - Curl_cfilter_data_pending() asks filters if the have incoming data pending for recv - Curl_cfilter_recv()/Curl_cfilter_send are the general callbacks installed in conn->recv/conn->send for io handling - Curl_cfilter_attach_data()/Curl_cfilter_detach_data() inform filters and addition/removal of a `data` from their connection - adding vtl functions to prevent use of Curl_ssl globals directly in other parts of the code. Reviewed-by: Daniel Stenberg Closes #9855
show more ...
|
#
ad9bc597 |
| 17-May-2022 |
max.mehl |
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the
copyright: make repository REUSE compliant Add licensing and copyright information for all files in this repository. This either happens in the file itself as a comment header or in the file `.reuse/dep5`. This commit also adds a Github workflow to check pull requests and adapts copyright.pl to the changes. Closes #8869
show more ...
|
#
fbba7dd7 |
| 06-Apr-2022 |
Daniel Stenberg |
schannel: remove dead code that will never run As the condition can't ever evaluate true Reported-by: Andrey Alifanov Ref: #8675 Closes #8677
|
#
ccc2752c |
| 17-Feb-2022 |
MAntoniak <47522782+MAntoniak@users.noreply.github.com> |
ssl: reduce allocated space for ssl backend when FTP is disabled Add assert() for the backend pointer in many places Closes #8471
|
#
65c6e37f |
| 10-Feb-2022 |
Henrik Holst |
hostcheck: reduce strlen calls on chained certificates Closes #8428
|
#
d15692eb |
| 09-Feb-2022 |
Daniel Stenberg |
hostcheck: pass in pattern length too, to avoid a strlen call Removes one strlen() call per SAN name in a cert-check. Closes #8418
|
#
955cb991 |
| 24-Jan-2022 |
Daniel Stenberg |
hostcheck: fixed to not touch used input strings Avoids the need to clone the strings before check, thus avoiding mallocs, which for cases where there are many SAN names in a cert could
hostcheck: fixed to not touch used input strings Avoids the need to clone the strings before check, thus avoiding mallocs, which for cases where there are many SAN names in a cert could end up numerous. Closes #8321
show more ...
|
#
7da636ca |
| 07-Oct-2021 |
Wyatt O'Day |
version_win32: Check build number and platform id Prior to this change the build number was not checked during version comparison, and the platform id was supposed to be checked but wasn
version_win32: Check build number and platform id Prior to this change the build number was not checked during version comparison, and the platform id was supposed to be checked but wasn't. Checking the build number is required for enabling "evergreen" Windows 10/11 features (like TLS 1.3). Ref: https://github.com/curl/curl/pull/7784 Closes https://github.com/curl/curl/pull/7824 Closes https://github.com/curl/curl/pull/7867
show more ...
|
#
f67883e5 |
| 13-Aug-2021 |
Ikko Ashimine |
vtls: fix typo in schannel_verify.c occurence -> occurrence Closes #7566
|
#
e7416cfd |
| 06-Jul-2021 |
Daniel Stenberg |
infof: remove newline from format strings, always append it - the data needs to be "line-based" anyway since it's also passed to the debug callback/application - it makes info
infof: remove newline from format strings, always append it - the data needs to be "line-based" anyway since it's also passed to the debug callback/application - it makes infof() work like failf() and consistency is good - there's an assert that triggers on newlines in the format string - Also removes a few instances of "..." - Removes the code that would append "..." to the end of the data *iff* it was truncated in infof() Closes #7357
show more ...
|
Revision tags: curl-7_76_1, curl-7_76_0, curl-7_75_0, curl-7_74_0, curl-7_73_0, tiny-curl-7_72_0, curl-7_72_0 |
|
#
77fc3859 |
| 13-Jul-2020 |
Gilles Vollant |
SSL: support in-memory CA certs for some backends - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to specify in-memory PEM certificates for OpenSSL, Schannel (Windows)
SSL: support in-memory CA certs for some backends - New options CURLOPT_CAINFO_BLOB and CURLOPT_PROXY_CAINFO_BLOB to specify in-memory PEM certificates for OpenSSL, Schannel (Windows) and Secure Transport (Apple) SSL backends. Prior to this change PEM certificates could only be imported from a file and not from memory. Co-authored-by: moparisthebest@users.noreply.github.com Ref: https://github.com/curl/curl/pull/4679 Ref: https://github.com/curl/curl/pull/5677 Ref: https://github.com/curl/curl/pull/6109 Closes https://github.com/curl/curl/pull/6662
show more ...
|
#
e4ba9996 |
| 25-Feb-2021 |
Michał Antoniak |
vtls: deduplicate some DISABLE_PROXY ifdefs continue from #5735 - using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other tls backend - create SSL_HOST_P
vtls: deduplicate some DISABLE_PROXY ifdefs continue from #5735 - using SSL_HOST_NAME, SSL_HOST_DISPNAME, SSL_PINNED_PUB_KEY for other tls backend - create SSL_HOST_PORT Closes #6660
show more ...
|
#
063d3f3b |
| 19-Apr-2021 |
Daniel Stenberg |
tidy-up: make conditional checks more consistent ... remove '== NULL' and '!= 0' Closes #6912
|
#
7a33c4df |
| 04-Mar-2021 |
Jay Satiro |
schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro - Change use of those options from CURLOPT_SSL_OPTIONS that are not already evaluated via SSL_SET_OPTION in schannel and
schannel: Evaluate CURLOPT_SSL_OPTIONS via SSL_SET_OPTION macro - Change use of those options from CURLOPT_SSL_OPTIONS that are not already evaluated via SSL_SET_OPTION in schannel and secure transport to use that instead of data->set.ssl.optname. Example: Evaluate SSL_SET_OPTION(no_revoke) instead of data->set.ssl.no_revoke. This change is because options set via CURLOPT_SSL_OPTIONS (data->set.ssl.optname) are separate from those set for HTTPS proxy via CURLOPT_PROXY_SSL_OPTIONS (data->set.proxy_ssl.optname). The SSL_SET_OPTION macro determines whether the connection is for HTTPS proxy and based on that which option to evaluate. Since neither Schannel nor Secure Transport backends currently support HTTPS proxy in libcurl, this change is for posterity and has no other effect. Closes https://github.com/curl/curl/pull/6690
show more ...
|
#
bbe3aa9f |
| 13-Jan-2021 |
Patrick Monnerat |
vtls: reduce conn->data use Closes #6474
|
#
3d0b62fd |
| 15-Jan-2021 |
Daniel Stenberg |
schannel_verify: fix safefree call typo Follow-up from e87ad71d1ba00519 Closes #6459
|