vtls: refuse setting any SSL version

... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in

vtls: refuse setting any SSL version

... previously they were supported if a TLS library would (unexpectedly)
still support them, but from this change they will be refused already in
curl_easy_setopt(). SSLv2 and SSLv3 have been known to be insecure for
many years now.

Closes #6773

show more ...

curl: ignore options asking for SSLv2 or SSLv3

Instead output a warning about it and continue with the defaults.

These SSL versions are typically not supported by the TLS libraries

curl: ignore options asking for SSLv2 or SSLv3

Instead output a warning about it and continue with the defaults.

These SSL versions are typically not supported by the TLS libraries since a
long time back already since they are inherently insecure and broken. Asking
for them to be used will just cause an error to be returned slightly later.

In the unlikely event that a user's TLS library actually still supports these
protocol versions, this change might make the request a little less insecure.

Closes #6772

show more ...

test972: verify the json output with jsonlint

Make sure one of the azure jobs has jsonlint installed so that the test
runs there.

Ref: #6905

tool_writeout: fix the HTTP_CODE json output

Update test 970 accordingly.

Reported-by: Michal Rus
Fixes #6905
Closes #6906

openldap: protect SSL-specific code with proper #ifdef

Closes #6901

libssh2: fix Value stored to 'sshp' is never read

Pointed out by scan-build

Closes #6900

tool_getparam: replace (in-place) '%20' by '+' according to RFC1866

Signed-off-by: Victor Vieux <victorvieux@gmail.com>

Closes #6895

configure: provide --with-openssl, deprecate --with-ssl

Makes the option more explicit.

Closes #6887

RELEASE-NOTES: synced

and bumped curlver to 7.77.0

rustls: only return CURLE_AGAIN when TLS session is fully drained

The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could b

rustls: only return CURLE_AGAIN when TLS session is fully drained

The code in cr_recv was returning prematurely as soon as the socket
reported no more data to read. However, this could be leaving some
unread plaintext data in the rustls session from a previous call,
causing causing the transfer to hang if the socket never receives
further data.

We need to ensure that the session is fully drained of plaintext data
before returning CURLE_AGAIN to the caller.

Reviewed-by: Jacob Hoffman-Andrews
Closes #6894

show more ...

cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies

Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
the cookiejar from memory.

Reported-by: S

cookie: CURLOPT_COOKIEFILE set to NULL switches off cookies

Add test 676 to verify that setting CURLOPT_COOKIEFILE to NULL again clears
the cookiejar from memory.

Reported-by: Stefan Karpinski
Fixes #6889
Closes #6891

show more ...

RELEASE-NOTES: synced

curl 7.76.1 release

THANKS: add names from 7.76.1

misc: update copyright year ranges to match latest updates

ngtcp2: Use ALPN h3-29 for now

Fixes #6864
Cloes #6886

TODO: remove 18.22 --fail-with-body

--fail-with-body was added in 8a964cb (precedes curl-7_76_0).

src/tool_vms.c: remove duplicated word in comment

Closes #6881

configure: fix CURL_DARWIN_CFLAGS use

The macro name change was not completely done.

Follow-up to 5d2c384452543c
Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02

configure: fix CURL_DARWIN_CFLAGS use

The macro name change was not completely done.

Follow-up to 5d2c384452543c
Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187
Reported-by: Marcel Raad
Closes #6878

show more ...

github/workflow: add "security-extended" to codeql-analysis.yml

Extends the CodeQL code scan.

Closes #6815

examples/hiperfifo.c: check event_initialized before delete

If event_del is called with the event struct (still) zeroed out, a
segmentation fault may occur. event_initialized checks whe

examples/hiperfifo.c: check event_initialized before delete

If event_del is called with the event struct (still) zeroed out, a
segmentation fault may occur. event_initialized checks whether the
event struct is nonzero.

Closes #6876

show more ...

ntlm: fix negotiated flags usage

According to Microsoft document MS-NLMP, current flags usage is not
accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
extended security

ntlm: fix negotiated flags usage

According to Microsoft document MS-NLMP, current flags usage is not
accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of
extended security in an NTLM authentication message and NTLM version 2
cannot be negotiated within the protocol.

The solution implemented here is: if the extended security flag is set,
prefer using NTLM version 2 (as a server featuring extended security
should also support version 2). If version 2 has been disabled at
compile time, use extended security.

Tests involving NTLM are adjusted to this new behavior.

Fixes #6813
Closes #6849

show more ...

ntlm: support version 2 on 32-bit platforms

Closes #6849

curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION

... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the
whole NTLM.

Closes #6849

lib: remove unused HAVE_INET_NTOA_R* defines

Closes #6867

configure: include <time.h> unconditionally

In 2682e5f5, several instances of AC_HEADER_TIME were removed since
it is a deprecated autoconf macro. However, this was the macro that
de

configure: include <time.h> unconditionally

In 2682e5f5, several instances of AC_HEADER_TIME were removed since
it is a deprecated autoconf macro. However, this was the macro that
defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h>
can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still
used in the configure test body and since it is no longer defined,
<time.h> is *not* included on systems that have <sys/time.h>.

In particular, at least on musl libc and glibc, <sys/time.h> does
not implicitly include <time.h> and does not declare clock_gettime,
gmtime_r, or localtime_r. This causes configure to fail to detect
those functions.

The AC_HEADER_TIME macro deprecation text says

> All current systems provide time.h; it need not be checked for.
> Not all systems provide sys/time.h, but those that do, all allow
> you to include it and time.h simultaneously.

So, to fix this issue, simply include <time.h> unconditionally when
testing for time-related functions and in libcurl, and don't bother
checking for it.

Closes #6859

show more ...