curl: make --libcurl output better CURLOPT_*SSLVERSION

The option is really two enums ORed together, so it needs special
attention to make the code output nice.

Added test 1481

curl: make --libcurl output better CURLOPT_*SSLVERSION

The option is really two enums ORed together, so it needs special
attention to make the code output nice.

Added test 1481 to verify. Both the server and the proxy versions.

Reported-by: Boris Verkhovskiy
Fixes #13127
Closes #13129

show more ...

tool_setopt: remove unused function tool_setopt_flags

This function is identical to tool_setopt_bitmask except that it treats
the argument as unsigned.

Closes #11943

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- save

copyright: update all copyright lines and remove year ranges

- they are mostly pointless in all major jurisdictions
- many big corporations and projects already don't use them
- saves us from pointless churn
- git keeps history for us
- the year range is kept in COPYING

checksrc is updated to allow non-year using copyright statements

Closes #10205

show more ...

cli tool: do not use disabled protocols

As they are now rejected by the library, take care of not passing
disabled protocol names to CURLOPT_PROTOCOLS_STR and
CURLOPT_REDIR_PROTOCOLS

cli tool: do not use disabled protocols

As they are now rejected by the library, take care of not passing
disabled protocol names to CURLOPT_PROTOCOLS_STR and
CURLOPT_REDIR_PROTOCOLS_STR.

Rather than using the CURLPROTO_* constants, dynamically assign protocol
numbers based on the order they are listed by curl_version_info().

New type proto_set_t implements prototype bit masks: it should therefore
be large enough to accomodate all library-enabled protocols. If not,
protocol numbers beyond the bit count of proto_set_t are recognized but
"inaccessible": when used, a warning is displayed and the value is
ignored. Should proto_set_t overflows, enabled protocols are reordered to
force those having a public CURLPROTO_* representation to be accessible.

Code has been added to subordinate RTMP?* protocols to the presence of
RTMP in the enabled protocol list, being returned by curl_version_info()
or not.

show more ...

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869

show more ...

curl: error out when options need features not present in libcurl

Trying to use a proxy when libcurl was built with proxy support disabled
should make curl error out properly.

R

curl: error out when options need features not present in libcurl

Trying to use a proxy when libcurl was built with proxy support disabled
should make curl error out properly.

Remove knowledge of disabled features from the tool code and instead
make it properly respond to what libcurl returns. Update all tests to
properly require the necessary features to be present/absent so that the
test suite can still be run even with libcurl builds with disabled
features.

Ref: https://curl.se/mail/archive-2022-03/0013.html
Closes #8565

show more ...

copyright: update copyright year ranges to 2021

schannel: Disable auto credentials; add an option to enable it

- Disable auto credentials by default. This is a breaking change
for clients that are using it, wittingly or not.

schannel: Disable auto credentials; add an option to enable it

- Disable auto credentials by default. This is a breaking change
for clients that are using it, wittingly or not.

- New libcurl ssl option value CURLSSLOPT_AUTO_CLIENT_CERT tells libcurl
to automatically locate and use a client certificate for
authentication, when requested by the server.

- New curl tool options --ssl-auto-client-cert and
--proxy-ssl-auto-client-cert map to CURLSSLOPT_AUTO_CLIENT_CERT.

This option is only supported for Schannel (the native Windows SSL
library). Prior to this change Schannel would, with no notification to
the client, attempt to locate a client certificate and send it to the
server, when requested by the server. Since the server can request any
certificate that supports client authentication in the OS certificate
store it could be a privacy violation and unexpected.

Fixes https://github.com/curl/curl/issues/2262
Reported-by: Jeroen Ooms
Assisted-by: Wes Hinsley
Assisted-by: Rich FitzJohn

Ref: https://curl.se/mail/lib-2021-02/0066.html
Reported-by: Morten Minde Neergaard

Closes https://github.com/curl/curl/pull/6673

show more ...

curl.se: new home

Closes #6172

hsts: add support for Strict-Transport-Security

- enable in the build (configure)
- header parsing
- host name lookup
- unit tests for the above
- CI build
- CURL_VERSION

hsts: add support for Strict-Transport-Security

- enable in the build (configure)
- header parsing
- host name lookup
- unit tests for the above
- CI build
- CURL_VERSION_HSTS bit
- curl_version_info support
- curl -V output
- curl-config --features
- CURLOPT_HSTS_CTRL
- man page for CURLOPT_HSTS_CTRL
- curl --hsts (sets CURLOPT_HSTS_CTRL and works with --libcurl)
- man page for --hsts
- save cache to disk
- load cache from disk
- CURLOPT_HSTS
- man page for CURLOPT_HSTS
- added docs/HSTS.md
- fixed --version docs
- adjusted curl_easy_duphandle

Closes #5896

show more ...

curl: make --libcurl show binary posts correctly

Reported-by: Stephan Mühlstrasser
Fixes #6031
Closes #6032

source cleanup: remove all custom typedef structs

- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public heade

source cleanup: remove all custom typedef structs

- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public headers and examples

- Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
typedef different types/structs depending on build conditions.

Closes #5338

show more ...

build: Disable Visual Studio warning "conditional expression is constant"

- Disable warning C4127 "conditional expression is constant" globally
in curl_setup.h for when building with M

build: Disable Visual Studio warning "conditional expression is constant"

- Disable warning C4127 "conditional expression is constant" globally
in curl_setup.h for when building with Microsoft's compiler.

This mainly affects building with the Visual Studio project files found
in the projects dir.

Prior to this change the cmake and winbuild build systems already
disabled 4127 globally for when building with Microsoft's compiler.
Also, 4127 was already disabled for all build systems in the limited
circumstance of the WHILE_FALSE macro which disabled the warning
specifically for while(0). This commit removes the WHILE_FALSE macro and
all other cruft in favor of disabling globally in curl_setup.

Background:

We have various macros that cause 0 or 1 to be evaluated, which would
cause warning C4127 in Visual Studio. For example this causes it:

#define Curl_resolver_asynch() 1

Full behavior is not clearly defined and inconsistent across versions.
However it is documented that since VS 2015 Update 3 Microsoft has
addressed this somewhat but not entirely, not warning on while(true) for
example.

Prior to this change some C4127 warnings occurred when I built with
Visual Studio using the generated projects in the projects dir.

Closes https://github.com/curl/curl/pull/4658

show more ...

curl: create easy handles on-demand and not ahead of time

This should again enable crazy-large download ranges of the style
[1-10000000] that otherwise easily ran out of memory starting

curl: create easy handles on-demand and not ahead of time

This should again enable crazy-large download ranges of the style
[1-10000000] that otherwise easily ran out of memory starting in 7.66.0
when this new handle allocating scheme was introduced.

Reported-by: Peter Sumatra
Fixes #4393
Closes #4438

show more ...

curl: improved skip-setopt-options when built with disabled features

Reduces #ifdefs in src/tool_operate.c

Follow-up from 4e86f2fc4e6
Closes #3936

tool_setopt: for builds with disabled-proxy, skip all proxy setopts()

Reported-by: Marcel Raad
Fixes #3926
Closes #3929

cli tool: fix mime post with --disable-libcurl-option configure option

Reported-by: Marcel Raad
Fixes #3576
Closes #3583

cli tool: do not use mime.h private structures.

Option -F generates an intermediate representation of the mime structure
that is used later to create the libcurl mime structure and gener

cli tool: do not use mime.h private structures.

Option -F generates an intermediate representation of the mime structure
that is used later to create the libcurl mime structure and generate
the --libcurl statements.

Reported-by: Daniel Stenberg
Fixes #3532
Closes #3546

show more ...

mime: use in curl cli tool instead of form API.

Extended -F option syntax to support multipart mail messages.
-F keyword headers= added to include custom headers in parts.
Documentat

mime: use in curl cli tool instead of form API.

Extended -F option syntax to support multipart mail messages.
-F keyword headers= added to include custom headers in parts.
Documentation upgraded.

show more ...

curl --socks5-{basic,gssapi}: control socks5 auth

Closes https://github.com/curl/curl/pull/1454

OS400: Fix symbols

- s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
Follow-up to 7907a2b and 845522c.

- Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.

- Add id for CURL

OS400: Fix symbols

- s/CURLOPT_SOCKS_PROXY/CURLOPT_PRE_PROXY
Follow-up to 7907a2b and 845522c.

- Fix incorrect id for CURLOPT_PROXY_PINNEDPUBLICKEY.

- Add id for CURLOPT_ABSTRACT_UNIX_SOCKET.

Bug: https://github.com/curl/curl/issues/1237
Reported-by: jonrumsey@users.noreply.github.com

show more ...

proxy: Support HTTPS proxy and SOCKS+HTTP(s)

* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is est

proxy: Support HTTPS proxy and SOCKS+HTTP(s)

* HTTPS proxies:

An HTTPS proxy receives all transactions over an SSL/TLS connection.
Once a secure connection with the proxy is established, the user agent
uses the proxy as usual, including sending CONNECT requests to instruct
the proxy to establish a [usually secure] TCP tunnel with an origin
server. HTTPS proxies protect nearly all aspects of user-proxy
communications as opposed to HTTP proxies that receive all requests
(including CONNECT requests) in vulnerable clear text.

With HTTPS proxies, it is possible to have two concurrent _nested_
SSL/TLS sessions: the "outer" one between the user agent and the proxy
and the "inner" one between the user agent and the origin server
(through the proxy). This change adds supports for such nested sessions
as well.

A secure connection with a proxy requires its own set of the usual SSL
options (their actual descriptions differ and need polishing, see TODO):

--proxy-cacert FILE CA certificate to verify peer against
--proxy-capath DIR CA directory to verify peer against
--proxy-cert CERT[:PASSWD] Client certificate file and password
--proxy-cert-type TYPE Certificate file type (DER/PEM/ENG)
--proxy-ciphers LIST SSL ciphers to use
--proxy-crlfile FILE Get a CRL list in PEM format from the file
--proxy-insecure Allow connections to proxies with bad certs
--proxy-key KEY Private key file name
--proxy-key-type TYPE Private key file type (DER/PEM/ENG)
--proxy-pass PASS Pass phrase for the private key
--proxy-ssl-allow-beast Allow security flaw to improve interop
--proxy-sslv2 Use SSLv2
--proxy-sslv3 Use SSLv3
--proxy-tlsv1 Use TLSv1
--proxy-tlsuser USER TLS username
--proxy-tlspassword STRING TLS password
--proxy-tlsauthtype STRING TLS authentication type (default SRP)

All --proxy-foo options are independent from their --foo counterparts,
except --proxy-crlfile which defaults to --crlfile and --proxy-capath
which defaults to --capath.

Curl now also supports %{proxy_ssl_verify_result} --write-out variable,
similar to the existing %{ssl_verify_result} variable.

Supported backends: OpenSSL, GnuTLS, and NSS.

* A SOCKS proxy + HTTP/HTTPS proxy combination:

If both --socks* and --proxy options are given, Curl first connects to
the SOCKS proxy and then connects (through SOCKS) to the HTTP or HTTPS
proxy.

TODO: Update documentation for the new APIs and --proxy-* options.
Look for "Added in 7.XXX" marks.

show more ...

URLs: change all http:// URLs to https://

SSL: Add an option to disable certificate revocation checks

New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applie

SSL: Add an option to disable certificate revocation checks

New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applies only to WinSSL where we have automatic
certificate revocation checking by default. According to the
ssl-compared chart there are other backends that have automatic checking
(NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
some later point.

Bug: https://github.com/bagder/curl/issues/264
Reported-by: zenden2k <zenden2k@gmail.com>

show more ...

tool_operate: we prefer 'CURLcode result'