4f42150d | 14-Nov-2022 |
Jay Satiro |
sendf: change Curl_read_plain to wrap Curl_recv_plain (take 2)

Prior to this change Curl_read_plain would attempt to read the socket directly. On Windows that's a problem because recv data may be cached by libcurl and that data is only drained using Curl_recv_plain.

Rather than rewrite Curl_read_plain to handle cached recv data, I changed it to wrap Curl_recv_plain, in much the same way that Curl_write_plain already wraps Curl_send_plain.

Curl_read_plain -> Curl_recv_plain
Curl_write_plain -> Curl_send_plain

This fixes a bug in the schannel backend where decryption of arbitrary TLS records fails because cached recv data is never drained.

We send data (TLS records formed by Schannel) using Curl_write_plain, which calls Curl_send_plain, and that may do a recv-before-send ("pre-receive") to cache received data. The code calls Curl_read_plain to read data (TLS records from the server), which prior to this change did not call Curl_recv_plain and therefore cached recv data wasn't retrieved, resulting in malformed TLS records and decryption failure (SEC_E_DECRYPT_FAILURE).

The bug has only been observed during Schannel TLS 1.3 handshakes. Refer to the issue and PR for more information.

--

This is take 2 of the original fix. It preserves the original behavior of Curl_read_plain to write 0 to the bytes read parameter on error, since apparently some callers expect that (SOCKS tests were hanging). The original fix which landed in 12e1def5 and was later reverted in 18383fbf failed to work properly because it did not do that.

Also, it changes Curl_write_plain the same way to complement Curl_read_plain, and it changes Curl_send_plain to return -1 instead of 0 on CURLE_AGAIN to complement Curl_recv_plain.

Behavior on error with these changes:

Curl_recv_plain returns -1 and *code receives error code.
Curl_send_plain returns -1 and *code receives error code.
Curl_read_plain returns error code and *n (bytes read) receives 0.
Curl_write_plain returns error code and *written receives 0.

--

Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361
Assisted-by: Joel Depooter
Reported-by: Egor Pugin
Fixes https://github.com/curl/curl/issues/9431
Closes https://github.com/curl/curl/pull/9949
|
8c859cdb | 18-Nov-2022 |
Sean McArthur |
hyper: classify headers as CONNECT and 1XX Closes #9947 |
8ed97ad2 | 18-Nov-2022 |
Stefan Eissing |
ftp: fix "AUTH TLS" on primary conn and for SSL in PASV second conn Follow-up to dafdb20a26d0c89 Reported-by: Anthony Hu Closes #9948 |
e08382a2 | 18-Nov-2022 |
Jay Satiro |
CURLOPT_POST.3: Explain setting to 0 changes request type Bug: https://github.com/curl/curl/issues/9849 Reported-by: MonkeybreadSoftware@users.noreply.github.com Closes https://github.com/curl/curl/pull/9942
|
8a6a4895 | 18-Nov-2022 |
Daniel Stenberg |
docs/INSTALL.md: expand on static builds Remove from KNOWN_BUGS Closes #9944 |
ff8fc809 | 18-Nov-2022 |
Stefan Eissing |
http: restore h3 to working condition after connection filter introduction Follow-up to dafdb20a26d0c HTTP/3 needs a special filter chain, since it does the TLS handling itself. This PR adds special setup handling in the HTTP protocol handler that takes care of it. When a handler, in its setup method, installs filters, the default behaviour for managing the filter chain is overridden. Reported-by: Karthikdasari0423 on github Fixes #9931 Closes #9945
|
c7cd781a | 18-Nov-2022 |
Daniel Stenberg |
urldata: change port num storage to int and unsigned short Instead of long. Closes #9946 |
18383fbf | 18-Nov-2022 |
Daniel Stenberg |
Revert "sendf: change Curl_read_plain to wrap Curl_recv_plain" This reverts commit 12e1def51a75392df62e65490416007d7e68dab9. It introduced SOCKS proxy fails, like test 700 never ending. Reopens #9431
|
95a8ac6b | 18-Nov-2022 |
Daniel Stenberg |
HTTP-COOKIES.md: update the 6265bis link to draft-11 Closes #9940 |
117e3372 | 18-Nov-2022 |
Daniel Stenberg |
docs/WEBSOCKET.md: explain the URL use Fixes #9936 Closes #9941 |
12e1def5 | 14-Nov-2022 |
Jay Satiro |
sendf: change Curl_read_plain to wrap Curl_recv_plain

Prior to this change Curl_read_plain would attempt to read the socket directly. On Windows that's a problem because recv data may be cached by libcurl and that data is only drained using Curl_recv_plain.

Rather than rewrite Curl_read_plain to handle cached recv data, I changed it to wrap Curl_recv_plain, in much the same way that Curl_write_plain already wraps Curl_send_plain.

Curl_read_plain -> Curl_recv_plain
Curl_write_plain -> Curl_send_plain

This fixes a bug in the schannel backend where decryption of arbitrary TLS records fails because cached recv data is never drained.

We send data (TLS records formed by Schannel) using Curl_write_plain, which calls Curl_send_plain, and that may do a recv-before-send ("pre-receive") to cache received data. The code calls Curl_read_plain to read data (TLS records from the server), which prior to this change did not call Curl_recv_plain and therefore cached recv data wasn't retrieved, resulting in malformed TLS records and decryption failure (SEC_E_DECRYPT_FAILURE).

The bug has only been observed during Schannel TLS 1.3 handshakes. Refer to the issue and PR for more information.

Ref: https://github.com/curl/curl/issues/9431#issuecomment-1312420361
Assisted-by: Joel Depooter
Reported-by: Egor Pugin
Fixes https://github.com/curl/curl/issues/9431
Closes https://github.com/curl/curl/pull/9904
|
856b133f | 14-Nov-2022 |
Jay Satiro |
test3026: reduce runtime in legacy mingw builds - Load Windows system libraries secur32 and iphlpapi beforehand, so that libcurl's repeated global init/cleanup only increases/decreases the library's refcount rather than causing it to load/unload. Assisted-by: Marc Hoersken Closes https://github.com/curl/curl/pull/9412
|
37ca6f0f | 17-Nov-2022 |
Daniel Stenberg |
url: move back the IDN conversion of proxy names Regression: in commit 53bcf55 we moved the IDN conversion calls to happen before the HSTS checks. But the HSTS checks are only done on the server host name, not the proxy names. By moving the proxy name IDN conversions, we accidentally broke the verbose output showing the proxy name. This change moves back the IDN conversions for the proxy names to the place in the code path they were before 53bcf55. Reported-by: Andy Stamp Fixes #9937 Closes #9939
|
49798cac | 12-Jul-2022 |
Alexandre Ferrieux |
CURLOPT_QUICK_EXIT: don't wait for DNS thread on exit Fixes #2975 Closes #9147 |
b473df52 | 17-Nov-2022 |
Daniel Stenberg |
HTTP-COOKIES.md: mention that http://localhost is a secure context Reported-by: Trail of Bits Closes #9938 |
e9c580de | 17-Nov-2022 |
Daniel Stenberg |
lib: parse numbers with fixed known base 10 ... instead of using 0 argument that allows decimal, hex or octal when the number is documented and assumed to use base 10. Closes #9933
|
0fef73ea | 17-Nov-2022 |
Daniel Stenberg |
RELEASE-NOTES: synced |
709aefc7 | 17-Nov-2022 |
Daniel Stenberg |
scripts/delta: adapt to curl.h changes for the opt counter |
cc3d517e | 17-Nov-2022 |
Daniel Stenberg |
cookie: expire cookies at once when max-age is negative Update test 329 to verify Reported-by: godmar on github Fixes #9930 Closes #9932 |
7a19dd8a | 17-Nov-2022 |
Stefan Eissing |
proxy: haproxy filter is only available when PROXY and HTTP are Closes #9935 |
14d55890 | 16-Nov-2022 |
Daniel Stenberg |
OtherTests.cmake: check for cross-compile, not for toolchain Build systems like vcpkg always sets `CMAKE_TOOLCHAIN_FILE` so it should not be used as a sign that this is a cross-compile. Also indented the function correctly. Reported-by: Philip Chan Fixes #9921 Closes #9923
|
df00df1e | 16-Nov-2022 |
Daniel Stenberg |
ntlm: improve comment for encrypt_des Reported-by: Andrei Rybak Fixes #9903 Closes #9925 |
bbb36409 | 15-Nov-2022 |
Daniel Stenberg |
include/curl/curl.h: bump the deprecated requirements to gcc 5.3 Reported-by: Stephan Guilloux Fixes #9917 Closes #9918 |
a8e6351e | 14-Nov-2022 |
Stefan Eissing |
proxy: refactor haproxy protocol handling as connection filter Closes #9893 |
6967571b | 14-Nov-2022 |
Patrick Monnerat |
lib: feature deprecation warnings in gcc >= 4.3

Add a deprecated attribute to functions and enum values that should not be used anymore. This uses a gcc 4.3 dialect, thus is only available for this version of gcc and newer. Note that the _Pragma() keyword is introduced by C99, but is available as part of the gcc dialect even when compiling in C89 mode.

It is still possible to disable deprecation at a calling module compile time by defining CURL_DISABLE_DEPRECATION.

Gcc type checking macros are made aware of possible deprecations.

Some testing support Perl programs are adapted to the extended declaration syntax.

Several test and unit test C programs intentionally use deprecated functions/options and are annotated to not generate a warning.

New test 1222 checks the deprecation status in doc and header files.

Closes #9667
|