author | dartraiden <wowemuh@gmail.com> | 2021-04-17 17:28:44 +0300 |
---|---|---|
committer | dartraiden <wowemuh@gmail.com> | 2021-04-17 17:28:44 +0300 |
commit | 5612cd9c7b03972631c46d117c595a34e71ecafd (patch) | |
tree | 791e0aafd46c353e6edfbba8369577fad21bdfe0 | |
parent | 6f2d6282c4efac04c18dcc7d493e18a3aaf08ad3 (diff) |
libcurl: update to 7.76.1
36 files changed, 498 insertions, 476 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES index 762a865fe1..62dce2ee97 100644 --- a/libs/libcurl/docs/CHANGES +++ b/libs/libcurl/docs/CHANGES 
@@ -6,6 +6,288 @@ Changelog +Version 7.76.1 (14 Apr 2021) + +Daniel Stenberg (14 Apr 2021) +- RELEASE-NOTES: synced + + curl 7.76.1 release + +- THANKS: add names from 7.76.1 + +- misc: update copyright year ranges to match latest updates + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Use ALPN h3-29 for now + + Fixes #6864 + Cloes #6886 + +Jay Satiro (11 Apr 2021) +- TODO: remove 18.22 --fail-with-body + + --fail-with-body was added in 8a964cb (precedes curl-7_76_0). + +Daniel Stenberg (10 Apr 2021) +- [Jürgen Gmach brought this change] + + src/tool_vms.c: remove duplicated word in comment + + Closes #6881 + +- configure: fix CURL_DARWIN_CFLAGS use + + The macro name change was not completely done. + + Follow-up to 5d2c384452543c + Bug: https://github.com/curl/curl/commit/5d2c384452543c7b6c9fb02eaa0afc84fd5ab941#commitcomment-49315187 + Reported-by: Marcel Raad + Closes #6878 + +- [Anthony Shaw brought this change] + + github/workflow: add "security-extended" to codeql-analysis.yml + + Extends the CodeQL code scan. + + Closes #6815 + +- [Jochem Broekhoff brought this change] + + examples/hiperfifo.c: check event_initialized before delete + + If event_del is called with the event struct (still) zeroed out, a + segmentation fault may occur. event_initialized checks whether the + event struct is nonzero. + + Closes #6876 + +- [Patrick Monnerat brought this change] + + ntlm: fix negotiated flags usage + + According to Microsoft document MS-NLMP, current flags usage is not + accurate: flag NTLMFLAG_NEGOTIATE_NTLM2_KEY controls the use of + extended security in an NTLM authentication message and NTLM version 2 + cannot be negotiated within the protocol. + + The solution implemented here is: if the extended security flag is set, + prefer using NTLM version 2 (as a server featuring extended security + should also support version 2). If version 2 has been disabled at + compile time, use extended security. 
+ + Tests involving NTLM are adjusted to this new behavior. + + Fixes #6813 + Closes #6849 + +- [Patrick Monnerat brought this change] + + ntlm: support version 2 on 32-bit platforms + + Closes #6849 + +- [Patrick Monnerat brought this change] + + curl_ntlm_core.h: simplify conditionals for USE_NTLM2SESSION + + ... as !defined(CURL_DISABLE_CRYPTO_AUTH) is a prerequisite for the + whole NTLM. + + Closes #6849 + +- lib: remove unused HAVE_INET_NTOA_R* defines + + Closes #6867 + +- [Michael Forney brought this change] + + configure: include <time.h> unconditionally + + In 2682e5f5, several instances of AC_HEADER_TIME were removed since + it is a deprecated autoconf macro. However, this was the macro that + defined TIME_WITH_SYS_TIME, which was used to indicate that <time.h> + can be included alongside <sys/time.h>. TIME_WITH_SYS_TIME is still + used in the configure test body and since it is no longer defined, + <time.h> is *not* included on systems that have <sys/time.h>. + + In particular, at least on musl libc and glibc, <sys/time.h> does + not implicitly include <time.h> and does not declare clock_gettime, + gmtime_r, or localtime_r. This causes configure to fail to detect + those functions. + + The AC_HEADER_TIME macro deprecation text says + + > All current systems provide time.h; it need not be checked for. + > Not all systems provide sys/time.h, but those that do, all allow + > you to include it and time.h simultaneously. + + So, to fix this issue, simply include <time.h> unconditionally when + testing for time-related functions and in libcurl, and don't bother + checking for it. + + Closes #6859 + +- [Michael Forney brought this change] + + configure: remove use of RETSIGTYPE + + This was previously defined by the obsolete AC_TYPE_SIGNAL macro, + which was removed in 2682e5f5. The deprecation text says + + > Your code may safely assume C89 semantics that RETSIGTYPE is void. + + So, remove it and just use void instead. 
+ + Closes #6861 + +- [Muhammed Yavuz Nuzumlalı brought this change] + + install: add instructions for Apple Darwin platforms + + Closes #6860 + +- [Muhammed Yavuz Nuzumlalı brought this change] + + configure: disable min version set for Darwin + + Fixes #6838 + Closes #6860 + +- [David Hu brought this change] + + docs/HTTP3.md: update the build instruction using gnutls + + In ngtcp2 the `with-gnutls` option is disabled by default, which will + cause `curl` unable to be `make` because of lacking the libraries + needed. + + Closes #6857 + +- RELEASE-NOTES: synced + +- typecheck-gcc: make the ssl-ctx-cb check use SSL_CTX pointers + + ... and not values. + + Reported-by: locpyl-tidnyd on github + Fixes #6818 + Closes #6819 + +- ngtcp2+gnutls: clear credentials when freed + + ... to avoid double-free. + + Reported-by: Kenneth Davidson + Fixes #6824 + Closes #6856 + +Jay Satiro (5 Apr 2021) +- [Cherish98 brought this change] + + tool_progress: Fix progress meter in parallel mode + + Make sure the total amount of DL/UL bytes are counted before the + transfer finalizes. Otherwise if a transfer finishes too quick, its + total numbers are not added, and results in a DL%/UL% that goes above + 100%. + + Detail: + + progress_meter() is called periodically, and it may not catch a + transfer's total bytes if the value was unknown during the last call, + and the transfer is finished and deleted (i.e., lost) during the next + call. + + Closes https://github.com/curl/curl/pull/6840 + +- [Emil Engler brought this change] + + libssh: get rid of PATH_MAX + + This removes the last occurrence of PATH_MAX inside our libssh + implementation by calculating the path length from the string length of + the two components. + + Closes #6829 + +Daniel Stenberg (5 Apr 2021) +- http_proxy: only loop on 407 + close if we have credentials + + ... to fix the retry-loop. + + Add test 718 to verify. 
+ + Reported-by: Daniel Kurečka + Fixes #6828 + Closes #6850 + +- h2: allow 100 streams by default + + instead of 13, before the server has told how many streams it + accepts. The server can always reject new streams anyway if we go above + what it accepts. + + Ref: #6826 + Closes #6852 + +- [Luke Granger-Brown brought this change] + + file: support GETing directories again + + After 957bc1881e686f9714c4e6a01bf33535091f0e21, we no longer compute an + expected_size for directories. This has the upshot that when we compare + even an empty Range with the available size, we fail. + + This brings back the previous behaviour, which was to succeed, but with + empty content. This also removes the "Accept-ranges: bytes" header, + which is nonsensical on directories. + + Adds test 3016 + Fixes #6845 + Closes #6846 + +- RELEASE-NOTES: synced + + and bumped to 7.76.1 + +- TLS: fix HTTP/2 selection + + for GnuTLS, BearSSL, mbedTLS, NSS, SChannnel, Secure Transport and + wolfSSL... + + Regression since 88dd1a8a115b1f5ece (shipped in 7.76.0) + Reported-by: Kenneth Davidson + Reported-by: romamik om github + Fixes #6825 + Closes #6827 + +Jay Satiro (2 Apr 2021) +- hostip: Fix for builds that disable all asynchronous DNS + + - Define Curl_resolver_error function only when USE_CURL_ASYNC. + + Prior to this change building curl without an asynchronous resolver + backend (c-ares or threaded) and without DoH (DNS-over-HTTPS, which is + also asynchronous but independent of resolver backend) would cause a + build error since Curl_resolver_error is called by and evaluates + variables only available in asynchronous builds. 
+ + Reported-by: Benbuck Nason + + Fixes https://github.com/curl/curl/issues/6831 + Closes https://github.com/curl/curl/pull/6832 + +Daniel Stenberg (31 Mar 2021) +- [Gilles Vollant brought this change] + + openssl: Fix CURLOPT_SSLCERT_BLOB without CURLOPT_SSLCERT_KEY + + Reported-by: Christian Schmitz + Fixes #6816 + Closes #6820 + Version 7.76.0 (31 Mar 2021) Daniel Stenberg (31 Mar 2021) 
@@ -7394,269 +7676,3 @@ Daniel Stenberg (28 Jul 2020) Reviewed-by: Nicolas Sterchele Closes #5732 - -- transfer: fix data_pending for builds with both h2 and h3 enabled - - Closes #5734 - -- curl_multi_setopt: fix compiler warning "result is always false" - - On systems with 32 bit long the expression is always false. Avoid - the warning. - - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/61a08508f6a458fe21bbb18cd2a9bac2f039452b#commitcomment-40941232 - Closes #5736 - -- curl: improve the existing file check with -J - - Previously a file that isn't user-readable but is user-writable would - not be properly avoided and would get overwritten. - - Reported-by: BrumBrum on hackerone - Assisted-by: Jay Satiro - Bug: https://hackerone.com/reports/926638 - Closes #5731 - -- [Jonathan Nieder brought this change] - - multi: update comment to say easyp list is linear - - Since 09b9fc900 (multi: remove 'Curl_one_easy' struct, phase 1, - 2013-08-02), the easy handle list is not circular but ends with - ->next pointing to NULL. - - Reported-by: Masaya Suzuki <masayasuzuki@google.com> - Closes #5737 - -- CURLOPT_NOBODY.3: fix the syntax for referring to options - - As test 1140 fails otherwise! - - Follow-up to e1bac81cc815 - -- ngtcp2: store address in sockaddr_storage - - Reported-by: Tatsuhiro Tsujikawa - Closes #5733 - -- CURLOPT_NOBODY.3: clarify what setting to 0 means - - ... and mention that HTTP with other methods than HEAD might get a body and - there's no option available to stop that. - - Closes #5729 - -- setopt: unset NOBODY switches to GET if still HEAD - - Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented - action but before 7.71.0 that used to switch back to GET and with this - change (assuming the method is still set to HEAD) this behavior is - brought back. 
- - Reported-by: causal-agent on github - Fixes #5725 - Closes #5728 - -- [Ehren Bendler brought this change] - - configure: cleanup wolfssl + pkg-config conflicts when cross compiling. - - Also choose a different wolfSSL function to test for NTLM support. - - Fixes #5605 - Closes #5682 - -- configure: show zstd "no" in summary when built without it - - Reported-by: Marc Hörsken - Fixes #5720 - Closes #5730 - -- quiche: handle calling disconnect twice - - Reported-by: lilongyan-huawei on github - Fixes #5726 - Closes #5727 - -- [Nicolas Sterchele brought this change] - - getinfo: reset retry-after value in initinfo - - - Avoid re-using retry_after value from preceding request - - Add libtest 3010 to verify - - Reported-by: joey-l-us on github - Fixes #5661 - Closes #5672 - -Marcel Raad (27 Jul 2020) -- WIN32: stop forcing narrow-character API - - Except where the results are only used for character output. - getenv is not touched because it's part of the public API, and having - it return UTF-8 instead of ANSI would be a breaking change. - - Fixes https://github.com/curl/curl/issues/5658 - Fixes https://github.com/curl/curl/issues/5712 - Closes https://github.com/curl/curl/pull/5718 - -Jay Satiro (27 Jul 2020) -- [Tobias Stoeckmann brought this change] - - mprintf: Fix stack overflows - - Stack overflows can occur with precisions for integers and floats. - - Proof of concepts: - - curl_mprintf("%d, %.*1$d", 500, 1); - - curl_mprintf("%d, %+0500.*1$f", 500, 1); - - Ideally, compile with -fsanitize=address which makes this undefined - behavior a bit more defined for debug purposes. - - The format strings are valid. The overflows occur due to invalid - arguments. If these arguments are variables with contents controlled - by an attacker, the function's stack can be corrupted. - - Also see CVE-2016-9586 which partially fixed the float aspect. - - 
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> - - Closes https://github.com/curl/curl/pull/5722 - -- [Tobias Stoeckmann brought this change] - - mprintf: Fix dollar string handling - - Verify that specified parameters are in range. If parameters are too - large, fail early on and avoid out of boundary accesses. - - Also do not read behind boundaries of illegal format strings. - - These are defensive measures since it is expected that format strings - are well-formed. Format strings should not be modifiable by user - input due to possible generic format string attacks. - - Closes https://github.com/curl/curl/pull/5722 - -Daniel Stenberg (26 Jul 2020) -- ntlm: free target_info before (re-)malloc - - OSS-Fuzz found a way this could get called again with the pointer still - pointing to a malloc'ed memory, leading to a leak. - - Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24379 - - Closes #5724 - -Marcel Raad (26 Jul 2020) -- CI/macos: set minimum macOS version - - This enables some deprecation warnings. - Previously, autotools defaulted to 10.8. - - Closes https://github.com/curl/curl/pull/5723 - -Daniel Stenberg (26 Jul 2020) -- RELEASE-NOTES: synced - -Marcel Raad (25 Jul 2020) -- CI/macos: enable warnings as errors for CMake builds - - Closes https://github.com/curl/curl/pull/5716 - -- CMake: fix test for warning suppressions - - GCC doesn't warn for unknown `-Wno-` options, except if there are other - warnings or errors [0]. This was problematic with `CURL_WERROR` as that - warning-as-error cannot be suppressed. Notably, this always happened - with `-Wno-pedantic-ms-format` when not targeting Windows. So test for - the positive form of the warning instead, which should always result in - a diagnostic if unknown. 
- - [0] https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html - - Closes https://github.com/curl/curl/pull/5714 - -Jay Satiro (23 Jul 2020) -- curl.h: update CURLINFO_LASTONE - - CURLINFO_LASTONE should have been updated when - CURLINFO_EFFECTIVE_METHOD was added. - - Reported-by: xwxbug@users.noreply.github.com - - Fixes https://github.com/curl/curl/issues/5711 - -Marc Hoersken (22 Jul 2020) -- CI/azure: unconditionally enable warnings-as-errors with autotools - - Reviewed-by: Marcel Raad - - Follow up to #5694 - Closes #5706 - -Marcel Raad (21 Jul 2020) -- doh: remove redundant cast - - Closes https://github.com/curl/curl/pull/5704 - -- CI/macos: unconditionally enable warnings-as-errors with autotools - - Previously, warnings were only visible in the output for most jobs. - - Closes https://github.com/curl/curl/pull/5694 - -- util: silence conversion warnings - - timeval::tv_usec might be a 32-bit integer and timespec::tv_nsec might - be a 64-bit integer. This is the case when building for recent macOS - versions, for example. Just treat tv_usec as an int, which should - hopefully always be sufficient on systems with - `HAVE_CLOCK_GETTIME_MONOTONIC`. - - Closes https://github.com/curl/curl/pull/5695 - -- md(4|5): don't use deprecated macOS functions - - They are marked as deprecated for -mmacosx-version-min >= 10.15, - which might result in warnings-as-errors. - - Closes https://github.com/curl/curl/pull/5695 - -Daniel Stenberg (18 Jul 2020) -- strdup: remove the odd strlen check - - It confuses code analyzers with its use of -1 for unsigned value. Also, - a check that's not normally used in strdup() code - and not necessary. - - Closes #5697 - -- [Alessandro Ghedini brought this change] - - travis: update quiche builds for new boringssl layout - - This is required after https://github.com/cloudflare/quiche/pull/593 - moved BoringSSL around slightly. - - This also means that Go is not needed to build BoringSSL anymore (the - one provided by quiche anyway). 
- - Closes #5691 - -Marcel Raad (17 Jul 2020) -- configure: allow disabling warnings - - When using `--enable-warnings`, it was not possible to disable warnings - via CFLAGS that got explicitly enabled. Now warnings are not enabled - anymore if they are explicitly disabled (or enabled) in CFLAGS. This - works for at least GCC, clang, and TCC as they have corresponding - `-Wno-` options for every warning. - - Closes https://github.com/curl/curl/pull/5689 - -Daniel Stenberg (16 Jul 2020) -- ngtcp2: adjust to recent sockaddr updates - - Closes #5690 diff --git a/libs/libcurl/docs/THANKS b/libs/libcurl/docs/THANKS index 91a9f3c396..6f164a9adf 100644 --- a/libs/libcurl/docs/THANKS +++ b/libs/libcurl/docs/THANKS @@ -174,6 +174,7 @@ Anthony Avina Anthony Bryan Anthony G. Basile Anthony Ramine +Anthony Shaw Antoine Aubert Antoine Calando Anton Bychkov @@ -341,6 +342,7 @@ Catalin Patulea causal-agent on github cbartl on github cclauss on github +Cesar Eduardo Barros Chad Monroe Chandrakant Bagul Charles Kerr @@ -466,6 +468,7 @@ Daniel Jeliński Daniel Johnson Daniel Kahn Gillmor Daniel Krügler +Daniel Kurečka Daniel Lee Hwang Daniel Lublin Daniel Marjamäki @@ -1038,6 +1041,7 @@ Jiří Malák jmdavitt on github jnbr on github Jocelyn Jaubert +Jochem Broekhoff Joe Halpin Joe Malicki Joe Mason @@ -1164,6 +1168,7 @@ János Fekete Jérémy Rocher Jörg Mueller-Tolk Jörn Hartroth +Jürgen Gmach K. R. Walker ka7 on github Kael1117 on github @@ -1192,6 +1197,7 @@ Keith Mok Ken Brown Ken Hirsch Ken Rastatter +Kenneth Davidson Kenny To Kent Boortz Keshav Krity @@ -1297,6 +1303,7 @@ Liviu Chircu Liza Alenchery Lloyd Fournier Lluís Batlle i Rossell +locpyl-tidnyd on github Loganaden Velvindron Loic Dachary Loren Kirkby @@ -1316,6 +1323,7 @@ lukaszgn on github Luke Amery Luke Call Luke Dashjr +Luke Granger-Brown Luo Jinghua Luong Dinh Dung Luz Paz 
@@ -1554,6 +1562,7 @@ Moti Avrahami MrdUkk on github MrSorcus on github Muhammad Herdiansyah +Muhammed Yavuz Nuzumlalı Murugan Balraj Muz Dima Myk Taylor @@ -1914,6 +1923,7 @@ Rolland Dudemaine Romain Coltel Romain Fliedel Romain Geissler +romamik om github Roman Koifman Roman Mamedov Romulo A. Ceccon diff --git a/libs/libcurl/include/curl/curlver.h b/libs/libcurl/include/curl/curlver.h index ea137ef7ab..b74cdc1170 100644 --- a/libs/libcurl/include/curl/curlver.h +++ b/libs/libcurl/include/curl/curlver.h @@ -30,13 +30,13 @@ /* This is the version number of the libcurl package from which this header file origins: */ -#define LIBCURL_VERSION "7.76.0" +#define LIBCURL_VERSION "7.76.1" /* The numeric version number is also available "in parts" by using these defines: */ #define LIBCURL_VERSION_MAJOR 7 #define LIBCURL_VERSION_MINOR 76 -#define LIBCURL_VERSION_PATCH 0 +#define LIBCURL_VERSION_PATCH 1 /* This is the numeric version of the libcurl version number, meant for easier parsing and comparisons by programs. The LIBCURL_VERSION_NUM define will @@ -57,7 +57,7 @@ CURL_VERSION_BITS() macro since curl's own configure script greps for it and needs it to contain the full number. */ -#define LIBCURL_VERSION_NUM 0x074c00 +#define LIBCURL_VERSION_NUM 0x074c01 /* * This is the date and time when the full source package was created. The @@ -68,7 +68,7 @@ * * "2007-11-23" */ -#define LIBCURL_TIMESTAMP "2021-03-31" +#define LIBCURL_TIMESTAMP "2021-04-14" #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z)) #define CURL_AT_LEAST_VERSION(x,y,z) \ diff --git a/libs/libcurl/include/curl/typecheck-gcc.h b/libs/libcurl/include/curl/typecheck-gcc.h index 230f4c1067..34d0267ed9 100644 --- a/libs/libcurl/include/curl/typecheck-gcc.h +++ b/libs/libcurl/include/curl/typecheck-gcc.h 
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -667,11 +667,11 @@ typedef CURLcode (*_curl_ssl_ctx_callback4)(CURL *, const void *, /* hack: if we included OpenSSL's ssl.h, we know about SSL_CTX * this will of course break if we're included before OpenSSL headers... */ -typedef CURLcode (*_curl_ssl_ctx_callback5)(CURL *, SSL_CTX, void *); -typedef CURLcode (*_curl_ssl_ctx_callback6)(CURL *, SSL_CTX, const void *); -typedef CURLcode (*_curl_ssl_ctx_callback7)(CURL *, const SSL_CTX, void *); -typedef CURLcode (*_curl_ssl_ctx_callback8)(CURL *, const SSL_CTX, - const void *); +typedef CURLcode (*_curl_ssl_ctx_callback5)(CURL *, SSL_CTX *, void *); +typedef CURLcode (*_curl_ssl_ctx_callback6)(CURL *, SSL_CTX *, const void *); +typedef CURLcode (*_curl_ssl_ctx_callback7)(CURL *, const SSL_CTX *, void *); +typedef CURLcode (*_curl_ssl_ctx_callback8)(CURL *, const SSL_CTX *, + const void *); #else typedef _curl_ssl_ctx_callback1 _curl_ssl_ctx_callback5; typedef _curl_ssl_ctx_callback1 _curl_ssl_ctx_callback6; diff --git a/libs/libcurl/src/Makefile.netware b/libs/libcurl/src/Makefile.netware index 10b77f8ffb..863bde0224 100644 --- a/libs/libcurl/src/Makefile.netware +++ b/libs/libcurl/src/Makefile.netware @@ -5,8 +5,8 @@ # | (__| |_| | _ <| |___ # \___|\___/|_| \_\_____| # -# Copyright (C) 2004 - 2015, Guenter Knauf -# Copyright (C) 2001 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. +# Copyright (C) 2004 - 2015, 2021, Guenter Knauf +# Copyright (C) 2001 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms 
@@ -599,7 +599,6 @@ endif @echo $(DL)#define HAVE_UTIME 1$(DL) >> $@ @echo $(DL)#define HAVE_UTIME_H 1$(DL) >> $@ @echo $(DL)#define HAVE_WRITEV 1$(DL) >> $@ - @echo $(DL)#define RETSIGTYPE void$(DL) >> $@ @echo $(DL)#define SIZEOF_INT 4$(DL) >> $@ @echo $(DL)#define SIZEOF_SHORT 2$(DL) >> $@ @echo $(DL)#define SIZEOF_STRUCT_IN_ADDR 4$(DL) >> $@ diff --git a/libs/libcurl/src/config-amigaos.h b/libs/libcurl/src/config-amigaos.h index 3c9d76ef3d..381bf302c9 100644 --- a/libs/libcurl/src/config-amigaos.h +++ b/libs/libcurl/src/config-amigaos.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -103,7 +103,6 @@ #define PACKAGE_VERSION "-" #define CURL_CA_BUNDLE "s:curl-ca-bundle.crt" -#define RETSIGTYPE void #define SELECT_TYPE_ARG1 int #define SELECT_TYPE_ARG234 (fd_set *) #define SELECT_TYPE_ARG5 (struct timeval *) diff --git a/libs/libcurl/src/config-dos.h b/libs/libcurl/src/config-dos.h index 50816ac756..0fb98e385d 100644 --- a/libs/libcurl/src/config-dos.h +++ b/libs/libcurl/src/config-dos.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -84,7 +84,6 @@ #define NEED_MALLOC_H 1 -#define RETSIGTYPE void #define SIZEOF_INT 4 #define SIZEOF_LONG 4 #define SIZEOF_LONG_DOUBLE 16 diff --git a/libs/libcurl/src/config-mac.h b/libs/libcurl/src/config-mac.h index 4e610562f6..163686ec94 100644 --- a/libs/libcurl/src/config-mac.h +++ b/libs/libcurl/src/config-mac.h 
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -81,8 +81,6 @@ #define HAVE_IOCTL 1 #define HAVE_IOCTL_FIONBIO 1 -#define RETSIGTYPE void - #define SIZEOF_INT 4 #define SIZEOF_SHORT 2 #define SIZEOF_SIZE_T 4 diff --git a/libs/libcurl/src/config-os400.h b/libs/libcurl/src/config-os400.h index 67fbc41d8b..b5a9823fd1 100644 --- a/libs/libcurl/src/config-os400.h +++ b/libs/libcurl/src/config-os400.h @@ -376,9 +376,6 @@ /* Name of package */ #undef PACKAGE -/* Define as the return type of signal handlers (`int' or `void'). */ -#define RETSIGTYPE void - /* The size of `int', as computed by sizeof. */ #define SIZEOF_INT 4 diff --git a/libs/libcurl/src/config-plan9.h b/libs/libcurl/src/config-plan9.h index fc19c5f036..ecfc273722 100644 --- a/libs/libcurl/src/config-plan9.h +++ b/libs/libcurl/src/config-plan9.h @@ -40,8 +40,6 @@ #define RANDOM_FILE "/dev/random" #define VERSION "0.0.0" /* TODO */ -#define RETSIGTYPE void - #define STDC_HEADERS 1 #ifdef _BITS64 diff --git a/libs/libcurl/src/config-riscos.h b/libs/libcurl/src/config-riscos.h index 43b1deb6d2..2dc3c66311 100644 --- a/libs/libcurl/src/config-riscos.h +++ b/libs/libcurl/src/config-riscos.h @@ -353,9 +353,6 @@ /* Name of package */ #undef PACKAGE -/* Define as the return type of signal handlers (`int' or `void'). */ -#define RETSIGTYPE void - /* The size of `int', as computed by sizeof. */ #define SIZEOF_INT 4 diff --git a/libs/libcurl/src/config-tpf.h b/libs/libcurl/src/config-tpf.h index 4f8a07e9bc..3fdb8924c5 100644 --- a/libs/libcurl/src/config-tpf.h +++ b/libs/libcurl/src/config-tpf.h 
@@ -578,9 +578,6 @@ /* a suitable file to read random data from */ /* #undef RANDOM_FILE */ -/* Define as the return type of signal handlers (`int' or `void'). */ -#define RETSIGTYPE void - /* Define to the type of arg 1 for `select'. */ #define SELECT_TYPE_ARG1 int diff --git a/libs/libcurl/src/config-vxworks.h b/libs/libcurl/src/config-vxworks.h index f811952853..916d023383 100644 --- a/libs/libcurl/src/config-vxworks.h +++ b/libs/libcurl/src/config-vxworks.h @@ -272,15 +272,6 @@ /* Define to 1 if you have the `inet_addr' function. */ #define HAVE_INET_ADDR 1 -/* Define to 1 if you have the inet_ntoa_r function. */ -/* #undef HAVE_INET_NTOA_R */ - -/* inet_ntoa_r() takes 2 args */ -/* #undef HAVE_INET_NTOA_R_2 */ - -/* inet_ntoa_r() takes 3 args */ -/* #undef HAVE_INET_NTOA_R_3 */ - /* Define to 1 if you have a IPv6 capable working inet_ntop function. */ /* #undef HAVE_INET_NTOP */ @@ -769,9 +760,6 @@ /* Define to the function return type for recv. */ #define RECV_TYPE_RETV int -/* Define as the return type of signal handlers (`int' or `void'). */ -#define RETSIGTYPE void - /* Define to the type qualifier of arg 5 for select. */ #define SELECT_QUAL_ARG5 diff --git a/libs/libcurl/src/config-win32.h b/libs/libcurl/src/config-win32.h index 7836199947..2e060f95c7 100644 --- a/libs/libcurl/src/config-win32.h +++ b/libs/libcurl/src/config-win32.h @@ -246,10 +246,6 @@ /* Define if you have the socket function. */ #define HAVE_SOCKET 1 -/* Define if libSSH2 is in use */ -#define USE_LIBSSH2 1 -#define HAVE_LIBSSH2_H 1 - /* Define if you have the strcasecmp function. */ #ifdef __MINGW32__ #define HAVE_STRCASECMP 1 @@ -366,9 +362,6 @@ /* Define if in_addr_t is not an available 'typedefed' type. */ #define in_addr_t unsigned long -/* Define to the return type of signal handlers (int or void). */ -#define RETSIGTYPE void - /* Define if ssize_t is not an available 'typedefed' type. */ #ifndef _SSIZE_T_DEFINED # if (defined(__WATCOMC__) && (__WATCOMC__ >= 1240)) || \ 
@@ -715,9 +708,6 @@ Vista # define CURL_DISABLE_LDAP 1 #endif -/* if SSL is enabled */ -#define USE_OPENSSL 1 - /* Define to use the Windows crypto library. */ #if !defined(CURL_WINDOWS_APP) #define USE_WIN32_CRYPTO diff --git a/libs/libcurl/src/config-win32ce.h b/libs/libcurl/src/config-win32ce.h index 7f59fd562b..fb29e088f6 100644 --- a/libs/libcurl/src/config-win32ce.h +++ b/libs/libcurl/src/config-win32ce.h @@ -307,9 +307,6 @@ /* Define this if in_addr_t is not an available 'typedefed' type */ #define in_addr_t unsigned long -/* Define as the return type of signal handlers (int or void). */ -#define RETSIGTYPE void - /* Define ssize_t if it is not an available 'typedefed' type */ #if (defined(__WATCOMC__) && (__WATCOMC__ >= 1240)) || defined(__POCC__) #elif defined(_WIN64) diff --git a/libs/libcurl/src/curl_config.h.cmake b/libs/libcurl/src/curl_config.h.cmake index fc1857ebb1..fbe17bc5b0 100644 --- a/libs/libcurl/src/curl_config.h.cmake +++ b/libs/libcurl/src/curl_config.h.cmake @@ -322,15 +322,6 @@ /* Define to 1 if you have the `inet_addr' function. */ #cmakedefine HAVE_INET_ADDR 1 -/* Define to 1 if you have the inet_ntoa_r function. */ -#cmakedefine HAVE_INET_NTOA_R 1 - -/* inet_ntoa_r() takes 2 args */ -#cmakedefine HAVE_INET_NTOA_R_2 1 - -/* inet_ntoa_r() takes 3 args */ -#cmakedefine HAVE_INET_NTOA_R_3 1 - /* Define to 1 if you have a IPv6 capable working inet_ntop function. */ #cmakedefine HAVE_INET_NTOP 1 @@ -876,9 +867,6 @@ /* Define to the function return type for recv. */ #cmakedefine RECV_TYPE_RETV ${RECV_TYPE_RETV} -/* Define as the return type of signal handlers (`int' or `void'). */ -#cmakedefine RETSIGTYPE ${RETSIGTYPE} - /* Define to the type qualifier of arg 5 for select. */ #cmakedefine SELECT_QUAL_ARG5 ${SELECT_QUAL_ARG5} diff --git a/libs/libcurl/src/curl_config.h.in b/libs/libcurl/src/curl_config.h.in index 89a1d195a6..ae942fbfb8 100644 --- a/libs/libcurl/src/curl_config.h.in +++ b/libs/libcurl/src/curl_config.h.in 
@@ -762,9 +762,6 @@ /* Define to 1 if you have the <termio.h> header file. */ #undef HAVE_TERMIO_H -/* Define to 1 if you have the <time.h> header file. */ -#undef HAVE_TIME_H - /* Define this if time_t is unsigned */ #undef HAVE_TIME_T_UNSIGNED diff --git a/libs/libcurl/src/curl_ntlm_core.c b/libs/libcurl/src/curl_ntlm_core.c index 66146a881c..89d4ec872e 100644 --- a/libs/libcurl/src/curl_ntlm_core.c +++ b/libs/libcurl/src/curl_ntlm_core.c 
@@ -513,6 +513,56 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, #if defined(USE_NTLM_V2) && !defined(USE_WINDOWS_SSPI) +/* Timestamp in tenths of a microsecond since January 1, 1601 00:00:00 UTC. */ +struct ms_filetime { + unsigned int dwLowDateTime; + unsigned int dwHighDateTime; +}; + +/* Convert a time_t to an MS FILETIME (MS-DTYP section 2.3.3). */ +static void time2filetime(struct ms_filetime *ft, time_t t) +{ +#if SIZEOF_TIME_T > 4 + t = (t + CURL_OFF_T_C(11644473600)) * 10000000; + ft->dwLowDateTime = (unsigned int) (t & 0xFFFFFFFF); + ft->dwHighDateTime = (unsigned int) (t >> 32); +#else + unsigned int r, s; + unsigned int i; + + ft->dwLowDateTime = t & 0xFFFFFFFF; + ft->dwHighDateTime = 0; + +# ifndef HAVE_TIME_T_UNSIGNED + /* Extend sign if needed. */ + if(ft->dwLowDateTime & 0x80000000) + ft->dwHighDateTime = ~0; +# endif + + /* Bias seconds to Jan 1, 1601. + 134774 days = 11644473600 seconds = 0x2B6109100 */ + r = ft->dwLowDateTime; + ft->dwLowDateTime = (ft->dwLowDateTime + 0xB6109100U) & 0xFFFFFFFF; + ft->dwHighDateTime += ft->dwLowDateTime < r? 0x03: 0x02; + + /* Convert to tenths of microseconds. */ + ft->dwHighDateTime *= 10000000; + i = 32; + do { + i -= 8; + s = ((ft->dwLowDateTime >> i) & 0xFF) * (10000000 - 1); + r = (s << i) & 0xFFFFFFFF; + s >>= 1; /* Split shift to avoid width overflow. */ + s >>= 31 - i; + ft->dwLowDateTime = (ft->dwLowDateTime + r) & 0xFFFFFFFF; + if(ft->dwLowDateTime < r) + s++; + ft->dwHighDateTime += s; + } while(i); + ft->dwHighDateTime &= 0xFFFFFFFF; +#endif +} + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode * (uppercase UserName + Domain) as the data */ 
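Review bot: `#if SIZEOF_TIME_T > 4` at the top of time2filetime() evaluates as false when SIZEOF_TIME_T is undefined, so a config header that omits the macro would silently build the 32-bit branch, which keeps only the low 32 bits of `t`. Whether every hand-maintained config-*.h in this tree defines it is not visible in this diff. Adding `#ifndef SIZEOF_TIME_T` / `#error "SIZEOF_TIME_T is not defined"` / `#endif` above the function would turn that into a build failure instead of a wrong NTLMv2 timestamp. The 64-bit branch does its arithmetic in `time_t` itself, so a short comment that `(t + 11644473600) * 10000000` is assumed to fit the signed range would document the limit.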
@@ -586,22 +636,18 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_resp(unsigned char *ntlmv2hash, unsigned int len = 0; unsigned char *ptr = NULL; unsigned char hmac_output[HMAC_MD5_LENGTH]; - curl_off_t tw; + struct ms_filetime tw; CURLcode result = CURLE_OK; -#if SIZEOF_CURL_OFF_T < 8 -#error "this section needs 64bit support to work" -#endif - /* Calculate the timestamp */ #ifdef DEBUGBUILD char *force_timestamp = getenv("CURL_FORCETIME"); if(force_timestamp) - tw = CURL_OFF_T_C(11644473600) * 10000000; + time2filetime(&tw, (time_t) 0); else #endif - tw = ((curl_off_t)time(NULL) + CURL_OFF_T_C(11644473600)) * 10000000; + time2filetime(&tw, time(NULL)); /* Calculate the response len */ len = HMAC_MD5_LENGTH + NTLMv2_BLOB_LEN; @@ -613,13 +659,14 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_resp(unsigned char *ntlmv2hash, /* Create the BLOB structure */ msnprintf((char *)ptr + HMAC_MD5_LENGTH, NTLMv2_BLOB_LEN, - "%c%c%c%c" /* NTLMv2_BLOB_SIGNATURE */ - "%c%c%c%c", /* Reserved = 0 */ + "%c%c%c%c" /* NTLMv2_BLOB_SIGNATURE */ + "%c%c%c%c" /* Reserved = 0 */ + "%c%c%c%c%c%c%c%c", /* Timestamp */ NTLMv2_BLOB_SIGNATURE[0], NTLMv2_BLOB_SIGNATURE[1], NTLMv2_BLOB_SIGNATURE[2], NTLMv2_BLOB_SIGNATURE[3], - 0, 0, 0, 0); + 0, 0, 0, 0, + LONGQUARTET(tw.dwLowDateTime), LONGQUARTET(tw.dwHighDateTime)); - Curl_write64_le(tw, ptr + 24); memcpy(ptr + 32, challenge_client, 8); memcpy(ptr + 44, ntlm->target_info, ntlm->target_info_len); diff --git a/libs/libcurl/src/curl_ntlm_core.h b/libs/libcurl/src/curl_ntlm_core.h index 75fcdeb16e..02b39d4858 100644 --- a/libs/libcurl/src/curl_ntlm_core.h +++ b/libs/libcurl/src/curl_ntlm_core.h 
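Review bot: In the `@@ -613` hunk of Curl_ntlm_core_mk_ntlmv2_resp() the timestamp offset is now implicit: with `Curl_write64_le(tw, ptr + 24)` gone, nothing says where the eight `%c` bytes land or that msnprintf() also writes a terminating NUL after them. A comment above the call would help, e.g. `/* signature at ptr+16, reserved at ptr+20, timestamp at ptr+24; the NUL written at ptr+32 is overwritten by the client challenge below */`. This assumes HMAC_MD5_LENGTH is 16, which matches the removed `ptr + 24` write but is not defined in this hunk. The function body starts and ends outside the hunk.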
@@ -47,19 +47,22 @@ #define USE_NTRESPONSES /* Define USE_NTLM2SESSION in order to make the type-3 message include the - NTLM2Session response message, requires USE_NTRESPONSES defined to 1 and - MD5 support */ -#if defined(USE_NTRESPONSES) && !defined(CURL_DISABLE_CRYPTO_AUTH) + NTLM2Session response message, requires USE_NTRESPONSES defined to 1 */ +#if defined(USE_NTRESPONSES) #define USE_NTLM2SESSION #endif /* Define USE_NTLM_V2 in order to allow the type-3 message to include the - LMv2 and NTLMv2 response messages, requires USE_NTRESPONSES defined to 1 - and support for 64-bit integers. */ -#if defined(USE_NTRESPONSES) && (SIZEOF_CURL_OFF_T > 4) + LMv2 and NTLMv2 response messages, requires USE_NTRESPONSES defined to 1 */ +#if defined(USE_NTRESPONSES) #define USE_NTLM_V2 #endif +/* Helpers to generate function byte arguments in little endian order */ +#define SHORTPAIR(x) ((int)((x) & 0xff)), ((int)(((x) >> 8) & 0xff)) +#define LONGQUARTET(x) ((int)((x) & 0xff)), ((int)(((x) >> 8) & 0xff)), \ + ((int)(((x) >> 16) & 0xff)), ((int)(((x) >> 24) & 0xff)) + void Curl_ntlm_core_lm_resp(const unsigned char *keys, const unsigned char *plaintext, unsigned char *results); diff --git a/libs/libcurl/src/curl_setup_once.h b/libs/libcurl/src/curl_setup_once.h index ef60bc7ae7..22d0a063ef 100644 --- a/libs/libcurl/src/curl_setup_once.h +++ b/libs/libcurl/src/curl_setup_once.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -32,6 +32,7 @@ #include <string.h> #include <stdarg.h> #include <ctype.h> +#include <time.h> #ifdef HAVE_ERRNO_H #include <errno.h> 
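Review bot: `SHORTPAIR` and `LONGQUARTET`, now in the shared header, expand `x` two and four times, and the one-line comment added above them does not say so. Since they are no longer private to vauth/ntlm.c, I would extend it to `/* Helpers to generate function byte arguments in little endian order; x is evaluated more than once, so pass only expressions without side effects */`. The use visible in this commit, `LONGQUARTET(tw.dwLowDateTime)`, is fine.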
@@ -55,13 +56,6 @@ #ifdef HAVE_SYS_TIME_H #include <sys/time.h> -#ifdef TIME_WITH_SYS_TIME -#include <time.h> -#endif -#else -#ifdef HAVE_TIME_H -#include <time.h> -#endif #endif #ifdef WIN32 @@ -351,15 +345,6 @@ typedef int sig_atomic_t; /* - * Default return type for signal handlers. - */ - -#ifndef RETSIGTYPE -#define RETSIGTYPE void -#endif - - -/* * Macro used to include code only in debug builds. */ diff --git a/libs/libcurl/src/file.c b/libs/libcurl/src/file.c index dd8a1fd12a..1d174e519e 100644 --- a/libs/libcurl/src/file.c +++ b/libs/libcurl/src/file.c @@ -417,12 +417,12 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) result = Curl_client_write(data, CLIENTWRITE_HEADER, header, 0); if(result) return result; - } - result = Curl_client_write(data, CLIENTWRITE_HEADER, - (char *)"Accept-ranges: bytes\r\n", 0); - if(result) - return result; + result = Curl_client_write(data, CLIENTWRITE_HEADER, + (char *)"Accept-ranges: bytes\r\n", 0); + if(result != CURLE_OK) + return result; + } filetime = (time_t)statbuf.st_mtime; result = Curl_gmtime(filetime, &buffer); 
@@ -464,18 +464,23 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) data->state.resume_from += (curl_off_t)statbuf.st_size; } - if(data->state.resume_from <= expected_size) - expected_size -= data->state.resume_from; - else { - failf(data, "failed to resume file:// transfer"); - return CURLE_BAD_DOWNLOAD_RESUME; + if(data->state.resume_from > 0) { + /* We check explicitly if we have a start offset, because + * expected_size may be -1 if we don't know how large the file is, + * in which case we should not adjust it. */ + if(data->state.resume_from <= expected_size) + expected_size -= data->state.resume_from; + else { + failf(data, "failed to resume file:// transfer"); + return CURLE_BAD_DOWNLOAD_RESUME; + } } /* A high water mark has been specified so we obey... */ if(data->req.maxdownload > 0) expected_size = data->req.maxdownload; - if(!fstated || (expected_size == 0)) + if(!fstated || (expected_size <= 0)) size_known = FALSE; else size_known = TRUE; @@ -484,7 +489,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done) this is both more efficient than the former call to download() and it avoids problems with select() and recv() on file descriptors in Winsock */ - if(fstated) + if(size_known) Curl_pgrsSetDownloadSize(data, expected_size); if(data->state.resume_from) { diff --git a/libs/libcurl/src/hostip.c b/libs/libcurl/src/hostip.c index 750afe8a97..05c09f6835 100644 --- a/libs/libcurl/src/hostip.c +++ b/libs/libcurl/src/hostip.c @@ -631,7 +631,7 @@ enum resolve_t Curl_resolv(struct Curl_easy *data, * within a signal handler which is nonportable and could lead to problems. */ static -RETSIGTYPE alarmfunc(int sig) +void alarmfunc(int sig) { /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ (void)sig; @@ -1130,6 +1130,7 @@ CURLcode Curl_once_resolved(struct Curl_easy *data, bool *protocol_done) * resolve error */ +#ifdef USE_CURL_ASYNC CURLcode Curl_resolver_error(struct Curl_easy *data) { const char *host_or_proxy; 
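Review bot: The new `if(data->state.resume_from > 0)` guard in file_do lets a negative `resume_from` skip the range check. The context line `data->state.resume_from += (curl_off_t)statbuf.st_size;` suggests a from-the-end offset is converted just above, and if that offset is larger than the file the value would still be negative here. Whether the later `if(data->state.resume_from)` block rejects it is outside the hunk, so I would fail explicitly before the new guard: `if(data->state.resume_from < 0) { failf(data, "failed to resume file:// transfer"); return CURLE_BAD_DOWNLOAD_RESUME; }`.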
@@ -1153,3 +1154,4 @@ CURLcode Curl_resolver_error(struct Curl_easy *data) return result; } +#endif /* USE_CURL_ASYNC */ diff --git a/libs/libcurl/src/http2.h b/libs/libcurl/src/http2.h index 150f7219f0..114b382718 100644 --- a/libs/libcurl/src/http2.h +++ b/libs/libcurl/src/http2.h @@ -29,7 +29,7 @@ /* value for MAX_CONCURRENT_STREAMS we use until we get an updated setting from the peer */ -#define DEFAULT_MAX_CONCURRENT_STREAMS 13 +#define DEFAULT_MAX_CONCURRENT_STREAMS 100 /* * Store nghttp2 version info in this buffer, Prefix with a space. Return diff --git a/libs/libcurl/src/http_proxy.c b/libs/libcurl/src/http_proxy.c index 732fea7e34..f403ffc0e0 100644 --- a/libs/libcurl/src/http_proxy.c +++ b/libs/libcurl/src/http_proxy.c @@ -358,7 +358,8 @@ static CURLcode CONNECT(struct Curl_easy *data, break; } else if(gotbytes <= 0) { - if(data->set.proxyauth && data->state.authproxy.avail) { + if(data->set.proxyauth && data->state.authproxy.avail && + data->state.aptr.proxyuserpwd) { /* proxy auth was requested and there was proxy auth available, then deem this as "mere" proxy disconnect */ conn->bits.proxy_connect_closed = TRUE; diff --git a/libs/libcurl/src/libcurl.plist b/libs/libcurl/src/libcurl.plist index 0b9abed3c0..f787761ced 100644 --- a/libs/libcurl/src/libcurl.plist +++ b/libs/libcurl/src/libcurl.plist @@ -15,7 +15,7 @@ <string>se.curl.libcurl</string> <key>CFBundleVersion</key> - <string>7.76.0</string> + <string>7.76.1</string> <key>CFBundleName</key> <string>libcurl</string> @@ -27,9 +27,9 @@ <string>????</string> <key>CFBundleShortVersionString</key> - <string>libcurl 7.76.0</string> + <string>libcurl 7.76.1</string> <key>CFBundleGetInfoString</key> - <string>libcurl.plist 7.76.0</string> + <string>libcurl.plist 7.76.1</string> </dict> </plist> diff --git a/libs/libcurl/src/vauth/ntlm.c b/libs/libcurl/src/vauth/ntlm.c index a3117f3fee..4adf49704f 100644 --- a/libs/libcurl/src/vauth/ntlm.c +++ b/libs/libcurl/src/vauth/ntlm.c 
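Review bot: `DEFAULT_MAX_CONCURRENT_STREAMS` goes from 13 to 100 in http2.h without the comment above it saying where 100 comes from. If the intent is to follow the RFC 7540 section 6.5.2 recommendation that this setting be no smaller than 100, the comment should say that, e.g. `/* 100 is the lowest value RFC 7540 6.5.2 recommends for this setting */`. How the constant is applied before the peer's SETTINGS arrive is outside the hunk.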
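Review bot: The comment under the changed condition in CONNECT, "proxy auth was requested and there was proxy auth available", no longer describes the whole test now that `data->state.aptr.proxyuserpwd` is part of it. Presumably that pointer is the generated Proxy-Authorization header (it is set outside the hunk); if so the comment could read `/* proxy auth was requested, a scheme is available and we have credentials to send: deem this a "mere" proxy disconnect */`. The function starts and ends outside the hunk.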
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -64,10 +64,6 @@ /* "NTLMSSP" signature is always in ASCII regardless of the platform */ #define NTLMSSP_SIGNATURE "\x4e\x54\x4c\x4d\x53\x53\x50" -#define SHORTPAIR(x) ((int)((x) & 0xff)), ((int)(((x) >> 8) & 0xff)) -#define LONGQUARTET(x) ((int)((x) & 0xff)), ((int)(((x) >> 8) & 0xff)), \ - ((int)(((x) >> 16) & 0xff)), ((int)(((x) >> 24) & 0xff)) - #if DEBUG_ME # define DEBUG_OUT(x) x static void ntlm_print_flags(FILE *handle, unsigned long flags) @@ -407,7 +403,8 @@ CURLcode Curl_auth_create_ntlm_type1_message(struct Curl_easy *data, /* Clean up any former leftovers and initialise to defaults */ Curl_auth_cleanup_ntlm(ntlm); -#if defined(USE_NTRESPONSES) && defined(USE_NTLM2SESSION) +#if defined(USE_NTRESPONSES) && \ + (defined(USE_NTLM2SESSION) || defined(USE_NTLM_V2)) #define NTLM2FLAG NTLMFLAG_NEGOTIATE_NTLM2_KEY #else #define NTLM2FLAG 0 @@ -563,12 +560,20 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, hostlen = strlen(host); } -#if defined(USE_NTRESPONSES) && defined(USE_NTLM_V2) +#if defined(USE_NTRESPONSES) && \ + (defined(USE_NTLM2SESSION) || defined(USE_NTLM_V2)) + /* We don't support NTLM2 or extended security if we don't have + USE_NTRESPONSES */ if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY) { +# if defined(USE_NTLM_V2) unsigned char ntbuffer[0x18]; unsigned char entropy[8]; unsigned char ntlmv2hash[0x18]; + /* Full NTLM version 2 + Although this cannot be negotiated, it is used here if available, as + servers featuring extended security are likely supporting also + NTLMv2. */ result = Curl_rand(data, entropy, 8); if(result) return result; 
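Review bot: In Curl_auth_create_ntlm_type3_message the response type is chosen by `ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM2_KEY`, and the new comments do not say that this leaves the choice to the peer. Presumably `ntlm->flags` holds the flags from the server's type-2 message (it is set outside the hunk); if so, a server that omits the flag gets the NTLM version 1 branch even when USE_NTLM_V2 is compiled in. I would state that in the added comment, e.g. `/* Selected by a flag the server sends: without it the NTLM version 1 response below is used */`. The function starts and ends outside the hunk.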
@@ -595,21 +600,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, return result; ptr_ntresp = ntlmv2resp; - } - else -#endif - -#if defined(USE_NTRESPONSES) && defined(USE_NTLM2SESSION) - -#define CURL_MD5_DIGEST_LENGTH 16 /* fixed size */ - - /* We don't support NTLM2 if we don't have USE_NTRESPONSES */ - if(ntlm->flags & NTLMFLAG_NEGOTIATE_NTLM_KEY) { +# else /* defined(USE_NTLM_V2) */ unsigned char ntbuffer[0x18]; unsigned char tmp[0x18]; - unsigned char md5sum[CURL_MD5_DIGEST_LENGTH]; + unsigned char md5sum[MD5_DIGEST_LEN]; unsigned char entropy[8]; + /* NTLM version 1 with extended security. */ + /* Need to create 8 bytes random data */ result = Curl_rand(data, entropy, 8); if(result) @@ -639,6 +637,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* NTLM v2 session security is a misnomer because it is not NTLM v2. It is NTLM v1 using the extended session security that is also in NTLM v2 */ +# endif /* defined(USE_NTLM_V2) */ } else #endif @@ -649,6 +648,8 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, #endif unsigned char lmbuffer[0x18]; + /* NTLM version 1 */ + #ifdef USE_NTRESPONSES result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer); if(result) @@ -662,6 +663,7 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, return result; Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp); + ntlm->flags &= ~NTLMFLAG_NEGOTIATE_NTLM2_KEY; /* A safer but less compatible alternative is: * Curl_ntlm_core_lm_resp(ntbuffer, &ntlm->nonce[0], lmresp); diff --git a/libs/libcurl/src/vquic/ngtcp2.c b/libs/libcurl/src/vquic/ngtcp2.c index 9569431ca2..3d64519987 100644 --- a/libs/libcurl/src/vquic/ngtcp2.c +++ b/libs/libcurl/src/vquic/ngtcp2.c 
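Review bot: The added `ntlm->flags &= ~NTLMFLAG_NEGOTIATE_NTLM2_KEY;` sits between the `Curl_ntlm_core_lm_resp(lmbuffer, &ntlm->nonce[0], lmresp);` call and the comment describing that call's "safer but less compatible alternative", and it carries no explanation. I would move it below that comment and say why the flag is cleared, e.g. `/* extended security is not used in this branch, so do not keep the flag set */`. That wording is my reading of the intent; how `ntlm->flags` is used afterwards is outside the hunk.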
@@ -57,6 +57,8 @@ #define H3BUGF(x) do { } while(0) #endif +#define H3_ALPN_H3_29 "\x5h3-29" + /* * This holds outgoing HTTP/3 stream data that is used by nghttp3 until acked. * It is used as a circular buffer. Add new bytes at the end until it reaches @@ -351,8 +353,8 @@ static int quic_init_ssl(struct quicsocket *qs) SSL_set_app_data(qs->ssl, qs); SSL_set_connect_state(qs->ssl); - alpn = (const uint8_t *)NGHTTP3_ALPN_H3; - alpnlen = sizeof(NGHTTP3_ALPN_H3) - 1; + alpn = (const uint8_t *)H3_ALPN_H3_29; + alpnlen = sizeof(H3_ALPN_H3_29) - 1; if(alpn) SSL_set_alpn_protos(qs->ssl, alpn, (int)alpnlen); @@ -529,8 +531,8 @@ static int quic_init_ssl(struct quicsocket *qs) } /* strip the first byte (the length) from NGHTTP3_ALPN_H3 */ - alpn.data = (unsigned char *)NGHTTP3_ALPN_H3 + 1; - alpn.size = sizeof(NGHTTP3_ALPN_H3) - 2; + alpn.data = (unsigned char *)H3_ALPN_H3_29 + 1; + alpn.size = sizeof(H3_ALPN_H3_29) - 2; if(alpn.data) gnutls_alpn_set_protocols(qs->ssl, &alpn, 1, 0); @@ -873,8 +875,10 @@ static void qs_disconnect(struct quicsocket *qs) #endif qs->ssl = NULL; #ifdef USE_GNUTLS - if(qs->cred) + if(qs->cred) { gnutls_certificate_free_credentials(qs->cred); + qs->cred = NULL; + } #endif for(i = 0; i < 3; i++) Curl_safefree(qs->crypto_data[i].buf); diff --git a/libs/libcurl/src/vssh/libssh.c b/libs/libcurl/src/vssh/libssh.c index 1bb644eedd..4644f4cb96 100644 --- a/libs/libcurl/src/vssh/libssh.c +++ b/libs/libcurl/src/vssh/libssh.c 
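Review bot: `#define H3_ALPN_H3_29 "\x5h3-29"` depends on `h` not being a hexadecimal digit, since a `\x` escape takes every hex digit that follows it. Splitting the literal, `#define H3_ALPN_H3_29 "\x05" "h3-29"`, keeps the length byte separate from the protocol name and stays correct if the name is changed later. Both `sizeof(H3_ALPN_H3_29)` expressions in quic_init_ssl give the same result with either spelling.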
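Review bot: The comment `/* strip the first byte (the length) from NGHTTP3_ALPN_H3 */` above the GnuTLS ALPN setup is stale, as the two lines below it now use `H3_ALPN_H3_29`. It should read `/* strip the first byte (the length) from H3_ALPN_H3_29 */`. The function starts outside the hunk.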
@@ -1453,16 +1453,15 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block) if((sshc->readdir_attrs->flags & SSH_FILEXFER_ATTR_PERMISSIONS) && ((sshc->readdir_attrs->permissions & S_IFMT) == S_IFLNK)) { - sshc->readdir_linkPath = malloc(PATH_MAX + 1); + sshc->readdir_linkPath = aprintf("%s%s", protop->path, + sshc->readdir_filename); + if(sshc->readdir_linkPath == NULL) { state(data, SSH_SFTP_CLOSE); sshc->actualcode = CURLE_OUT_OF_MEMORY; break; } - msnprintf(sshc->readdir_linkPath, PATH_MAX, "%s%s", protop->path, - sshc->readdir_filename); - state(data, SSH_SFTP_READDIR_LINK); break; } diff --git a/libs/libcurl/src/vtls/bearssl.c b/libs/libcurl/src/vtls/bearssl.c index 39fc1a2920..a63056d4ef 100644 --- a/libs/libcurl/src/vtls/bearssl.c +++ b/libs/libcurl/src/vtls/bearssl.c @@ -391,7 +391,7 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, */ #ifdef USE_NGHTTP2 - if(data->state.httpversion >= CURL_HTTP_VERSION_2 + if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) #endif diff --git a/libs/libcurl/src/vtls/gtls.c b/libs/libcurl/src/vtls/gtls.c index 3b0d940a60..e3fad7fe02 100644 --- a/libs/libcurl/src/vtls/gtls.c +++ b/libs/libcurl/src/vtls/gtls.c @@ -612,7 +612,7 @@ gtls_connect_step1(struct Curl_easy *data, gnutls_datum_t protocols[2]; #ifdef USE_NGHTTP2 - if(data->state.httpversion >= CURL_HTTP_VERSION_2 + if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) #endif diff --git a/libs/libcurl/src/vtls/mbedtls.c b/libs/libcurl/src/vtls/mbedtls.c index 93a7ac1fd8..4b36f2d20c 100644 --- a/libs/libcurl/src/vtls/mbedtls.c +++ b/libs/libcurl/src/vtls/mbedtls.c 
@@ -497,7 +497,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, if(conn->bits.tls_enable_alpn) { const char **p = &backend->protocols[0]; #ifdef USE_NGHTTP2 - if(data->state.httpversion >= CURL_HTTP_VERSION_2) + if(data->state.httpwant >= CURL_HTTP_VERSION_2) *p++ = NGHTTP2_PROTO_VERSION_ID; #endif *p++ = ALPN_HTTP_1_1; diff --git a/libs/libcurl/src/vtls/nss.c b/libs/libcurl/src/vtls/nss.c index bc6c3caeb9..a9f6959e3b 100644 --- a/libs/libcurl/src/vtls/nss.c +++ b/libs/libcurl/src/vtls/nss.c @@ -2080,7 +2080,7 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, unsigned char protocols[128]; #ifdef USE_NGHTTP2 - if(data->state.httpversion >= CURL_HTTP_VERSION_2 + if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) #endif diff --git a/libs/libcurl/src/vtls/openssl.c b/libs/libcurl/src/vtls/openssl.c index 68b98984b4..6583300b3c 100644 --- a/libs/libcurl/src/vtls/openssl.c +++ b/libs/libcurl/src/vtls/openssl.c @@ -600,11 +600,16 @@ static bool is_pkcs11_uri(const char *string) static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine); static int -SSL_CTX_use_certificate_bio(SSL_CTX *ctx, BIO *in, int type, - const char *key_passwd) +SSL_CTX_use_certificate_blob(SSL_CTX *ctx, const struct curl_blob *blob, + int type, const char *key_passwd) { int ret = 0; X509 *x = NULL; + /* the typecast of blob->len is fine since it is guaranteed to never be + larger than CURL_MAX_INPUT_LENGTH */ + BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len)); + if(!in) + return CURLE_OUT_OF_MEMORY; if(type == SSL_FILETYPE_ASN1) { /* j = ERR_R_ASN1_LIB; */ 
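Review bot: `SSL_CTX_use_certificate_blob` returns `CURLE_OUT_OF_MEMORY` when `BIO_new_mem_buf` fails, although it is declared `static int` and otherwise returns the OpenSSL-style result in `ret`. cert_stuff tests the result with `cert_use_result != 1`, so the failure is still caught, but only because the CURLcode value is not 1, and the caller then reports a certificate load error rather than an allocation failure. I would use `if(!in) return 0;` here and in `SSL_CTX_use_PrivateKey_blob` and `SSL_CTX_use_certificate_chain_blob` in the following hunks. The function body continues outside this hunk.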
@@ -628,15 +633,19 @@ SSL_CTX_use_certificate_bio(SSL_CTX *ctx, BIO *in, int type, ret = SSL_CTX_use_certificate(ctx, x); end: X509_free(x); + BIO_free(in); return ret; } static int -SSL_CTX_use_PrivateKey_bio(SSL_CTX *ctx, BIO* in, int type, - const char *key_passwd) +SSL_CTX_use_PrivateKey_blob(SSL_CTX *ctx, const struct curl_blob *blob, + int type, const char *key_passwd) { int ret = 0; EVP_PKEY *pkey = NULL; + BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len)); + if(!in) + return CURLE_OUT_OF_MEMORY; if(type == SSL_FILETYPE_PEM) pkey = PEM_read_bio_PrivateKey(in, NULL, passwd_callback, @@ -654,11 +663,12 @@ SSL_CTX_use_PrivateKey_bio(SSL_CTX *ctx, BIO* in, int type, ret = SSL_CTX_use_PrivateKey(ctx, pkey); EVP_PKEY_free(pkey); end: + BIO_free(in); return ret; } static int -SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO* in, +SSL_CTX_use_certificate_chain_blob(SSL_CTX *ctx, const struct curl_blob *blob, const char *key_passwd) { /* SSL_CTX_add1_chain_cert introduced in OpenSSL 1.0.2 */ @@ -668,6 +678,9 @@ SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO* in, int ret = 0; X509 *x = NULL; void *passwd_callback_userdata = (void *)key_passwd; + BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len)); + if(!in) + return CURLE_OUT_OF_MEMORY; ERR_clear_error(); @@ -682,7 +695,7 @@ SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO* in, ret = SSL_CTX_use_certificate(ctx, x); if(ERR_peek_error() != 0) - ret = 0; + ret = 0; if(ret) { X509 *ca; @@ -714,6 +727,7 @@ SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO* in, end: X509_free(x); + BIO_free(in); return ret; #else (void)ctx; /* unused */ @@ -727,10 +741,10 @@ static int cert_stuff(struct Curl_easy *data, SSL_CTX* ctx, char *cert_file, - BIO *cert_bio, + const struct curl_blob *cert_blob, const char *cert_type, char *key_file, - BIO* key_bio, + const struct curl_blob *key_blob, const char *key_type, char *key_passwd) { 
@@ -739,7 +753,7 @@ int cert_stuff(struct Curl_easy *data, int file_type = do_file_type(cert_type); - if(cert_file || cert_bio || (file_type == SSL_FILETYPE_ENGINE)) { + if(cert_file || cert_blob || (file_type == SSL_FILETYPE_ENGINE)) { SSL *ssl; X509 *x509; int cert_done = 0; @@ -756,9 +770,9 @@ int cert_stuff(struct Curl_easy *data, switch(file_type) { case SSL_FILETYPE_PEM: /* SSL_CTX_use_certificate_chain_file() only works on PEM files */ - cert_use_result = cert_bio ? - SSL_CTX_use_certificate_chain_bio(ctx, cert_bio, key_passwd) : - SSL_CTX_use_certificate_chain_file(ctx, cert_file); + cert_use_result = cert_blob ? + SSL_CTX_use_certificate_chain_blob(ctx, cert_blob, key_passwd) : + SSL_CTX_use_certificate_chain_file(ctx, cert_file); if(cert_use_result != 1) { failf(data, "could not load PEM client certificate, " OSSL_PACKAGE @@ -775,10 +789,10 @@ int cert_stuff(struct Curl_easy *data, we use the case above for PEM so this can only be performed with ASN1 files. */ - cert_use_result = cert_bio ? - SSL_CTX_use_certificate_bio(ctx, cert_bio, - file_type, key_passwd) : - SSL_CTX_use_certificate_file(ctx, cert_file, file_type); + cert_use_result = cert_blob ? + SSL_CTX_use_certificate_blob(ctx, cert_blob, + file_type, key_passwd) : + SSL_CTX_use_certificate_file(ctx, cert_file, file_type); if(cert_use_result != 1) { failf(data, "could not load ASN1 client certificate, " OSSL_PACKAGE 
@@ -855,13 +869,24 @@ int cert_stuff(struct Curl_easy *data, case SSL_FILETYPE_PKCS12: { - BIO *fp = NULL; + BIO *cert_bio = NULL; PKCS12 *p12 = NULL; EVP_PKEY *pri; STACK_OF(X509) *ca = NULL; - if(!cert_bio) { - fp = BIO_new(BIO_s_file()); - if(fp == NULL) { + if(cert_blob) { + cert_bio = BIO_new_mem_buf(cert_blob->data, (int)(cert_blob->len)); + if(cert_bio == NULL) { + failf(data, + "BIO_new_mem_buf NULL, " OSSL_PACKAGE + " error %s", + ossl_strerror(ERR_get_error(), error_buffer, + sizeof(error_buffer)) ); + return 0; + } + } + else { + cert_bio = BIO_new(BIO_s_file()); + if(cert_bio == NULL) { failf(data, "BIO_new return NULL, " OSSL_PACKAGE " error %s", @@ -870,20 +895,19 @@ int cert_stuff(struct Curl_easy *data, return 0; } - if(BIO_read_filename(fp, cert_file) <= 0) { + if(BIO_read_filename(cert_bio, cert_file) <= 0) { failf(data, "could not open PKCS12 file '%s'", cert_file); - BIO_free(fp); + BIO_free(cert_bio); return 0; } } - p12 = d2i_PKCS12_bio(cert_bio ? cert_bio : fp, NULL); - if(fp) - BIO_free(fp); + p12 = d2i_PKCS12_bio(cert_bio, NULL); + BIO_free(cert_bio); if(!p12) { failf(data, "error reading PKCS12 file '%s'", - cert_bio ? "(memory blob)" : cert_file); + cert_blob ? "(memory blob)" : cert_file); return 0; } @@ -964,9 +988,9 @@ int cert_stuff(struct Curl_easy *data, return 0; } - if((!key_file) && (!key_bio)) { + if((!key_file) && (!key_blob)) { key_file = cert_file; - key_bio = cert_bio; + key_blob = cert_blob; } else file_type = do_file_type(key_type); @@ -977,8 +1001,8 @@ int cert_stuff(struct Curl_easy *data, break; /* FALLTHROUGH */ case SSL_FILETYPE_ASN1: - cert_use_result = key_bio ? - SSL_CTX_use_PrivateKey_bio(ctx, key_bio, file_type, key_passwd) : + cert_use_result = key_blob ? + SSL_CTX_use_PrivateKey_blob(ctx, key_blob, file_type, key_passwd) : SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type); if(cert_use_result != 1) { failf(data, "unable to set private key file: '%s' type %s", 
@@ -2775,32 +2799,12 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #endif if(ssl_cert || ssl_cert_blob || ssl_cert_type) { - BIO *ssl_cert_bio = NULL; - BIO *ssl_key_bio = NULL; - if(ssl_cert_blob) { - /* the typecast of blob->len is fine since it is guaranteed to never be - larger than CURL_MAX_INPUT_LENGTH */ - ssl_cert_bio = BIO_new_mem_buf(ssl_cert_blob->data, - (int)ssl_cert_blob->len); - if(!ssl_cert_bio) - result = CURLE_OUT_OF_MEMORY; - } - if(!result && SSL_SET_OPTION(key_blob)) { - ssl_key_bio = BIO_new_mem_buf(SSL_SET_OPTION(key_blob)->data, - (int)SSL_SET_OPTION(key_blob)->len); - if(!ssl_key_bio) - result = CURLE_OUT_OF_MEMORY; - } if(!result && !cert_stuff(data, backend->ctx, - ssl_cert, ssl_cert_bio, ssl_cert_type, - SSL_SET_OPTION(key), ssl_key_bio, + ssl_cert, ssl_cert_blob, ssl_cert_type, + SSL_SET_OPTION(key), SSL_SET_OPTION(key_blob), SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd))) result = CURLE_SSL_CERTPROBLEM; - if(ssl_cert_bio) - BIO_free(ssl_cert_bio); - if(ssl_key_bio) - BIO_free(ssl_key_bio); if(result) /* failf() is already done in cert_stuff() */ return result; diff --git a/libs/libcurl/src/vtls/schannel.c b/libs/libcurl/src/vtls/schannel.c index 931bd853eb..961a71f6d5 100644 --- a/libs/libcurl/src/vtls/schannel.c +++ b/libs/libcurl/src/vtls/schannel.c @@ -862,7 +862,7 @@ schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, list_start_index = cur; #ifdef USE_NGHTTP2 - if(data->state.httpversion >= CURL_HTTP_VERSION_2) { + if(data->state.httpwant >= CURL_HTTP_VERSION_2) { memcpy(&alpn_buffer[cur], NGHTTP2_PROTO_ALPN, NGHTTP2_PROTO_ALPN_LEN); cur += NGHTTP2_PROTO_ALPN_LEN; infof(data, "schannel: ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); diff --git a/libs/libcurl/src/vtls/sectransp.c b/libs/libcurl/src/vtls/sectransp.c index e69b99b72c..9d637da2ec 100644 --- a/libs/libcurl/src/vtls/sectransp.c +++ b/libs/libcurl/src/vtls/sectransp.c 
@@ -1613,7 +1613,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, &kCFTypeArrayCallBacks); #ifdef USE_NGHTTP2 - if(data->state.httpversion >= CURL_HTTP_VERSION_2 + if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY && (!isproxy || !conn->bits.tunnel_proxy) #endif diff --git a/libs/libcurl/src/vtls/wolfssl.c b/libs/libcurl/src/vtls/wolfssl.c index 8fb2ea7acf..c6f428034f 100644 --- a/libs/libcurl/src/vtls/wolfssl.c +++ b/libs/libcurl/src/vtls/wolfssl.c @@ -475,7 +475,7 @@ wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, protocols in descending order of preference, eg: "h2,http/1.1" */ #ifdef USE_NGHTTP2 - if(data->state.httpversion >= CURL_HTTP_VERSION_2) { + if(data->state.httpwant >= CURL_HTTP_VERSION_2) { strcpy(protocols + strlen(protocols), NGHTTP2_PROTO_VERSION_ID ","); infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); } @@ -726,7 +726,7 @@ wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, !memcmp(protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) conn->negnpn = CURL_HTTP_VERSION_1_1; #ifdef USE_NGHTTP2 - else if(data->state.httpversion >= CURL_HTTP_VERSION_2 && + else if(data->state.httpwant >= CURL_HTTP_VERSION_2 && protocol_len == NGHTTP2_PROTO_VERSION_ID_LEN && !memcmp(protocol, NGHTTP2_PROTO_VERSION_ID, NGHTTP2_PROTO_VERSION_ID_LEN)) |