-rw-r--r--libs/libcurl/docs/CHANGES848
-rw-r--r--libs/libcurl/docs/THANKS6
-rw-r--r--libs/libcurl/include/curl/curl.h2
-rw-r--r--libs/libcurl/include/curl/curlver.h8
-rw-r--r--libs/libcurl/src/config-win32.h7
-rw-r--r--libs/libcurl/src/conncache.c27
-rw-r--r--libs/libcurl/src/connect.c27
-rw-r--r--libs/libcurl/src/connect.h7
-rw-r--r--libs/libcurl/src/curl_setup.h14
-rw-r--r--libs/libcurl/src/easy.c3
-rw-r--r--libs/libcurl/src/escape.c4
-rw-r--r--libs/libcurl/src/multi.c68
-rw-r--r--libs/libcurl/src/setup-os400.h9
-rw-r--r--libs/libcurl/src/sigpipe.h16
-rw-r--r--libs/libcurl/src/transfer.c4
-rw-r--r--libs/libcurl/src/vtls/mbedtls.c4
-rw-r--r--libs/libcurl/src/vtls/openssl.c21
-rw-r--r--libs/libcurl/src/vtls/vtls.c30
-rw-r--r--libs/libcurl/src/vtls/wolfssl.c65
-rw-r--r--libs/libcurl/src/vtls/x509asn1.c51
-rw-r--r--libs/libcurl/src/vtls/x509asn1.h11
21 files changed, 722 insertions, 510 deletions
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES
index 8ea9d27b12..59c4a26dc0 100644
--- a/libs/libcurl/docs/CHANGES
+++ b/libs/libcurl/docs/CHANGES
@@ -6,6 +6,475 @@
Changelog
+Version 8.9.1 (31 Jul 2024)
+
+Daniel Stenberg (31 Jul 2024)
+
+- RELEASE-NOTES: synced
+
+- THANKS: add names from the 8.9.1 release notes
+
+ Also remove duplicates
+
+Stefan Eissing (30 Jul 2024)
+
+- x509asn1: unittests and fixes for gtime2str
+
+ Fix issues in GTime2str() and add unit test cases to verify correct
+ behaviour.
+
+ Follow-up to 3c914bc6801
+
+ Closes #14316
+
+Tal Regev (30 Jul 2024)
+
+- vtls: avoid forward declaration in MultiSSL builds
+
+ The MSVC compiler cannot have forward declaration with const and static
+ variable, causing this error:
+ ```
+ curl\lib\vtls\vtls.c(417,44): warning C4132: 'Curl_ssl_multi': const object s
+ hould be initialized
+ ```
+
+ Ref: #14276
+ Closes #14305
+
+Viktor Szakats (30 Jul 2024)
+
+- tidy-up: URL updates (one more)
+
+ Follow-up to 767d5811b5c783b42cea999dd42ecf0453085d17 #14318
+
+- tidy-up: URL updates
+
+ Closes #14318
+
+- cmake: drop `if(PKG_CONFIG_FOUND)` guard for `pkg_check_modules()`
+
+ The oldest cmake supported by curl is v3.7.0, which already has such
+ guard (using `PKG_CONFIG_EXECUTABLE`) inside `pkg_check_modules()`. The
+ advantage of leaving that guard to CMake is that it will define/reset
+ all output variables, while the manual guard doesn't do this and also
+ leaves for example `NETTLE_FOUND` undefined.
+
+ Delete the single use of this guard from the recently added `nettle`
+ detection, where I included it by accident. Then possibly re-introduce
+ it universally if we find it useful after more evaluation.
+
+ Follow-up to 669ce42275635dc1f881dab3dfc9a55c9ab49b21 #14285
+ Closes #14309
+
+Daniel Stenberg (30 Jul 2024)
+
+- mailmap: dedupe an author showing up twice in shortlog -s
+
+Ivan Kuchin (30 Jul 2024)
+
+- misc: cleanup after removing years from copyright
+
+ - remove leftover copyright years from few test files
+ - fix email in copyright lines
+ - consistent format of copyright lines
+
+ Closes #14312
+
+Alex Snast (30 Jul 2024)
+
+- wolfssl: avoid calling get_cached_x509_store if store is uncachable
+
+ There's no need for get_cached_x509_store call if the return value won't
+ be used for caching anyway.
+
+ Closes #14306
+
+Daniel Stenberg (30 Jul 2024)
+
+- contrithanks.sh: use -F with -v to match lines as strings
+
+ Makes names involving [brackets] work.
+
+Viktor Szakats (30 Jul 2024)
+
+- GHA/non-native: bump FreeBSD/arm64 python modules
+
+ FreeBSD seems to upgrade their Python separately for arm64
+ and Intel. Today, arm64 caught up with the Intel packages.
+ Update our CI to reflect it.
+
+ Closes #14310
+
+dependabot[bot] (30 Jul 2024)
+
+- GHA: bump github/codeql-action and msys2/setup-msys2
+
+ - bump github/codeql-action from 3.25.13 to 3.25.15
+
+ Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.
+ 25.13 to 3.25.15.
+ - [Release notes](https://github.com/github/codeql-action/releases)
+ - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
+ - [Commits](https://github.com/github/codeql-action/compare/2d790406f505036ef
+ 40ecba973cc774a50395aac...afb54ba388a7dca6ecae48f608c4ff05ff4cc77a)
+
+ ---
+ updated-dependencies:
+ - dependency-name: github/codeql-action
+ dependency-type: direct:production
+ update-type: version-update:semver-patch
+ ...
+
+ Signed-off-by: dependabot[bot] <support@github.com>
+ Closes #14300
+
+ - bump msys2/setup-msys2 from 2.23.0 to 2.24.0
+
+ Bumps [msys2/setup-msys2](https://github.com/msys2/setup-msys2) from 2.23.0 t
+ o 2.24.0.
+ - [Release notes](https://github.com/msys2/setup-msys2/releases)
+ - [Changelog](https://github.com/msys2/setup-msys2/blob/main/CHANGELOG.md)
+ - [Commits](https://github.com/msys2/setup-msys2/compare/d0e80f58dffbc64f6a3a
+ 1f43527d469b4fc7b6c8...5df0ca6cbf14efcd08f8d5bd5e049a3cc8e07fd2)
+
+ ---
+ updated-dependencies:
+ - dependency-name: msys2/setup-msys2
+ dependency-type: direct:production
+ update-type: version-update:semver-minor
+ ...
+
+ Signed-off-by: dependabot[bot] <support@github.com>
+ Closes #14301
+
+Daniel Stenberg (30 Jul 2024)
+
+- x509asn1: clean up GTime2str
+
+ Co-authored-by: Stefan Eissing
+ Reported-by: Dov Murik
+
+ Closes #14307
+
+- tool_operate: more defensive socket code
+
+ - use 'struct sockaddr' to getsockname() and its sa_family member
+
+ - use 'curl_socklen_t' instead of 'socklen_t'
+
+ - check for AF_INET6 to exist instead assuming it does
+
+ Should be generally more portable.
+
+ Reported-by: Harry Sintonen
+ Closes #14304
+
+Viktor Szakats (29 Jul 2024)
+
+- configure: limit `__builtin_available` test to Darwin
+
+ This feature test always fails on non-Apple systems. (For Apple targets
+ it's supported by llvm and Apple clang.)
+
+ Syncs behaviour with CMake.
+
+ Follow-up to cfd6f43d6ca7e57670b422bab7bbf10221a2cf3e #14127
+ Cherry-picked from #14097
+ Closes #14196
+
+Daniel Stenberg (29 Jul 2024)
+
+- RELEASE-NOTES: synced
+
+- CURLOPT_SSL_CTX_FUNCTION.md: mention CA caching
+
+ and add a few more see-also
+
+ Closes #14302
+
+Viktor Szakats (29 Jul 2024)
+
+- cmake: detect `libssh` via `pkg-config`
+
+ Also:
+ - fix broken libssh `pkg-config` behaviour on old Linux.
+ (when found, `LIBSSH_LINK_LIBRARIES` remains undefined.)
+
+ - delete manual libssh config from Old Linux CI job,
+ it's no longer necessary.
+
+ Closes #14199
+
+- GHA/non-native: improve, migrate x86_64 FreeBSD with tests from Cirrus CI
+
+ - run tests via `make test-ci` instead of `make check` with autotools.
+ - add `x86_64` job for FreeBSD, with tests.
+ It matches the existing Cirrus CI job, with these differences:
+ - finishes 3x faster (thanks to parallel tests enabled).
+ - librtmp is not enabled because it's slated for removal by FreeBSD.
+ (already past the removal deadline, thought the package still
+ installs.)
+ - DICT and TELNET servers fail to start. Couldn't figure out why.
+ It means skipping test 1450 and 1452.
+ - it runs more tests, e.g. websockets and ip6-localhost.
+ - no `pkg update -f`.
+ - it misses the `CRYPTOGRAPHY_DONT_BUILD_RUST=1`, `pkg delete curl`,
+ `chmod 777`, `sudo -u nobody` and `sysctl net.inet.tcp.blackhole`
+ tricks. The latter is the default in these runners, the others did
+ not affect results.
+ - set `-j0` for tests in the NetBSD job. Flaky otherwise.
+
+ Closes #14244
+
+- cmake: detect `nettle` when building with GnuTLS
+
+ `nettle` is a direct dependency of curl, when building with GnuTLS.
+ Add a new `Find` module to detect it.
+
+ Also:
+ - GHA/macos: drop `nettle` hack no longer necessary.
+ - add `nettle` to `libcurl.pc`.
+ - also add `nettle` to `libcurl.pc` in autotools builds.
+
+ Follow-up to 781242ffa44a9f9b95b6da5ac5a1bf6372ec6257 #11967
+ Closes #14285
+
+- macos: fix Apple SDK bug workaround for non-macOS targets
+
+ Turns out that MAC != OSX, despite what these names otherwise mean and
+ what's suggested by source code comments. "MAC" in fact means Darwin
+ (aka Apple), not macOS. "OSX" means macOS.
+
+ GitHub bumped the macos-14 runner default to Xcode 15.4, hitting the
+ llvm@15 incompatibility bug by default. Meaning the previous workaround
+ for the SDK bug is necessary.
+
+ This patch extend the workaround to not apply to mobile OS variants.
+
+ Follow-up to ff784af461175584c73e7e2b65af00b1a5a6f67f #14159
+ Reported-by: Sergey
+ Confirmed-by: Marcel Raad
+ Fixes #14269
+ Closes #14275
+
+Stefan Eissing (29 Jul 2024)
+
+- wolfssl: CA store share fix
+
+ When sharing the x509 store in wolfSSL, always use an explicitly
+ constructed one, as the SSLCTX might have "only" an internal one which
+ is not obeying reference count lifetimes.
+
+ Fixes #14278
+ Reported-by: Alex Snast
+ Closes #14279
+
+Randall S. Becker (29 Jul 2024)
+
+- curl: support __ss_family use on NonStop platforms
+
+ The definition of sockaddr_storage incorrectly specifies the ss_family
+ field as __ss_family. This fix conditionally allows builds to succeed on
+ all NonStop platforms.
+
+ Signed-off-by: Randall S. Becker <randall.becker@nexbridge.ca>
+
+ Closes #14273
+
+Daniel Stenberg (29 Jul 2024)
+
+- test993: list 1000 messages over POP3
+
+ Attempt to verify issue #14201
+
+ Closes #14297
+
+Stefan Eissing (29 Jul 2024)
+
+- connect: fix connection shutdown for event based processing
+
+ connections being shutdown would register sockets for events, but then
+ never remove these sockets again. Nor would the shutdown effectively
+ been performed.
+
+ - If a socket event involves a transfer, check if that is the
+ connection cache internal handle and run its multi_perform()
+ instead (the internal handle is used for all shutdowns).
+ - When a timer triggers for a transfer, check also if it is
+ about the connection cache internal handle.
+ - During processing shutdowns in the connection cache, assess
+ the shutdown timeouts. Register a Curl_expire() of the lowest
+ value for the cache's internal handle.
+
+ Reported-by: Gordon Parke
+ Fixes #14280
+ Closes #14296
+
+Daniel Stenberg (29 Jul 2024)
+
+- tests: provide FTP directory contents in the test file
+
+ Instead of providing a fixed single synthetic response in the test
+ server itself. To allow us to better use *different* directory listings
+ in different test cases. In this change, most listings remain the same
+ as before.
+
+ The wildcard match tests still use synthetic responses but we should fix
+ that as well.
+
+ Updated numerous test cases to use this.
+
+ Closes #14295
+
+- ftpserver.pl: make POP3 LIST serve content from the test file
+
+ instead of a fixed list in the test server.
+
+ Adjust test 853 accordingly.
+
+ Closes #14293
+
+- TODO: thread-safe sharing
+
+- CURLSHOPT_SHARE.md: mention sessions/cookies as not thread-safe
+
+ Sharing of these between threads are apparently also not done safely.
+
+ Ref: #14290
+ Reported-by: Aki Sakurai
+ Closes #14292
+
+- RELEASE-NOTES: synced
+
+Patrick Monnerat (28 Jul 2024)
+
+- os400: build cli manual.
+
+ Use PASE perl to run manual generation scripts.
+
+ As PASE perl is not aware of all possible input file encoding, convert
+ all files to UTF-8 upon build start (this might be lengthy).
+
+ OS/400 terminal emulation may only offer 76 columns, thus a new -c
+ parameter has been added to the managen program, defining the allowed
+ width.
+
+ If perl is not available, omit generation and disable online manual.
+
+ Closes #14289
+
+Daniel Stenberg (27 Jul 2024)
+
+- example/multi-uv: remove the use of globals
+
+ - shows how to pass on local variables (better)
+
+ - start the transfers nicer (with curl_multi_socket_action)
+
+ - consistent and helpful function naming - to better show what functions
+ and callbacks that are used for what
+
+ - build warning-free with gcc -W -Wall -pedantic
+
+ Closes #14287
+
+Viktor Szakats (27 Jul 2024)
+
+- runtests: fold timing details with GHA, sync `-r` tflags
+
+ - move timing details into a foldable group when run in GitHub Actions.
+ Spec:
+ https://docs.github.com/en/actions/using-workflows/workflow-commands-for-gi
+ thub-actions#grouping-log-lines
+
+ - enable `-r` (run time stats) option in autotools' `test-ci` target,
+ syncing it with cmake.
+
+ Closes #14284
+
+- GHA/windows: increase timeout for vcpkg build step [ci skip]
+
+ Examples:
+ https://github.com/curl/curl/actions/runs/10102112253/job/27937088909?pr=1427
+ 4
+ https://github.com/curl/curl/actions/runs/10102112253/job/27937082353?pr=1427
+ 4
+ https://github.com/curl/curl/actions/runs/10102112253/job/27937088478?pr=1427
+ 4
+
+- GHA/macos: update comment about default Xcode on macos-14 runner [ci skip]
+
+ New default since:
+ https://github.com/actions/runner-images/blob/releases/macos-14-arm64/2024072
+ 2/images/macos/macos-14-arm64-Readme.md
+
+Patrick Monnerat (27 Jul 2024)
+
+- os400: workaround an IBM ASCII run-time library bug
+
+ IBM-provided ASCII function puts() does not output an expected trailing
+ newline: emulate the correct behavior using other functions.
+
+ Closes #14281
+
+Stefan Eissing (27 Jul 2024)
+
+- transfer: speed limiting fix for 32bit systems
+
+ When checking if a speed limit on receives applies, compare the receive
+ sizes using the large int type to prevent an overflow on systems where
+ size_t is 32bit.
+
+ Fixes #14272
+ Reported-by: Mamoru Tasaka
+ Closes #14277
+
+Anthony Hu (26 Jul 2024)
+
+- wolfSSL: allow wolfSSL's implementation of kyber to be used
+
+ Closes #14268
+
+Daniel Stenberg (26 Jul 2024)
+
+- lib: survive some NULL input args
+
+ The input string pointer to:
+
+ curl_escape
+ curl_easy_escape
+ curl_unescape
+ curl_easy_unescape
+
+ The running_handles pointer to:
+
+ curl_multi_perform
+ curl_multi_socket_action
+ curl_multi_socket_all
+ curl_multi_socket
+
+ Reported-by: icy17 on github
+ Fixes #14247
+ Closes #14262
+
+- RELEASE-PROCEDURE.md: restore next release date
+
+ Pointed-out-by: extrimexxx on github
+ Bug: https://github.com/curl/curl/pull/14267#issuecomment-2247062235
+
+- RELEASE-NOTES: synced
+
+ bumped to 8.9.1
+
+- RELEASE-PROCEDURE.md: remove the initial build step
+
+ Because it is no longer needed to be done by a person as the dmaketgz
+ script does it by itself.
+
+ Removed two past release dates, added two new future ones
+
+ Closes #14267
+
Version 8.9.0 (24 Jul 2024)
Daniel Stenberg (24 Jul 2024)
@@ -11351,382 +11820,3 @@ Michał Antoniak (10 Feb 2024)
Dan Fandrich (9 Feb 2024)
- CI: bump to actions/cache@v4 to avoid warning
-
-Evgeny Grin (Karlson2k) (9 Feb 2024)
-
-- test1165: improve pattern matching
-
- * Fix excluded digits at the end of the symbols ('CURL_DISABLE_POP3'
- was checked as 'CURL_DISABLE_POP')
-
- Closes #12903
-
-Dan Fandrich (9 Feb 2024)
-
-- scripts: Fix cijobs.pl for Azure and GHA
-
- The spacing in the yaml files changed.
-
-Daniel Stenberg (9 Feb 2024)
-
-- RELEASE-NOTES: synced
-
-- TODO: use pkg-config to find libpsl
-
- Closes #12919
-
-- TODO: avoid nroff
-
- Instead of adjusting roffit, skip the nroff step.
-
- Closes #12919
-
-Dan Fandrich (9 Feb 2024)
-
-- Revert "CI: run Circle macOS builds on x86 for now"
-
- This reverts commit 2683de3078eadc86d9b182e7417f4ee75a247e2c.
- ARM resources are now available in Circle CI, so run these builds on ARM
- again. This platform needs explicit paths set to libpsl and its
- dependency icu4c.
-
- Follow-up to 2683de30
-
- Closes #12635
-
-Viktor Szakats (9 Feb 2024)
-
-- cmake: add warning for using TLS libraries without 1.3 support
-
- Closes #12900
-
-Daniel Stenberg (9 Feb 2024)
-
-- configure: add warning for using TLS libraries without 1.3 support
-
- Closes #12900
-
-Michał Antoniak (9 Feb 2024)
-
-- mbedtls: fix building when MBEDTLS_X509_REMOVE_INFO flag is defined
-
- Closes #12904
-
-Stefan Eissing (9 Feb 2024)
-
-- ftp: fix socket wait activity in ftp_domore_getsock
-
- - when waiting on the data connection, always add the control socket to
- the pollset on state STOP or let the pingpong add the socket according
- to its needs.
-
- Reported-by: Fabian Vogt
- Fixes #12901
- Closes #12913
-
-Daniel Stenberg (9 Feb 2024)
-
-- dist: make sure the http tests are in the tarball
-
- Fixes #12914
- Reported-by: Fabian Vogt
- Closes #12917
-
-Stefan Eissing (9 Feb 2024)
-
-- multi: add xfer_buf to multi handle
-
- - can be borrowed by transfer during recv-write operation
- - needs to be released before borrowing again
- - adjustis size to `data->set.buffer_size`
- - used in transfer.c readwrite_data()
-
- Closes #12805
-
-Daniel Stenberg (9 Feb 2024)
-
-- write-out.md: clarify error handling details
-
- - it gets used even if the transfer fails
-
- - it does not cause error to be returned even if it fails
-
- Closes #12909
-
-Stefan Eissing (8 Feb 2024)
-
-- ftp: do lineend conversions in client writer
-
- - remove the ftp special handling from sendf.c
- - let ftp_do() add a client writer that does
- the linened conversions
- - change the lineend conversion to no longer
- modify the passed buffer, but write smaller
- chunks to the next cwriter instead. The
- inefficiency of this will be mitigated once
- we add output buffering for all client writes.
-
- Closes #12878
-
-- ftp: tracing improvements
-
- - trace socketindex for connection filters when not the first
- - trace socket fd in tcp
- - trace pollset adjusts in vtls
-
- Closes #12902
-
-Karthikdasari0423 (8 Feb 2024)
-
-- HTTP3.md: adjust the OpenSSL QUIC install instructions
-
- tried installing with old steps but failed
- tried with newly added setps and able to build
- ```
- root@ubuntu:~/curl# ./src/curl -V
- /root/curl/src/.libs/curl: /lib/x86_64-linux-gnu/libssl.so.3: version `OPENSS
- L_3.2.0' not found (required by /root/curl/lib/.libs/libcurl.so.4)
- root@ubuntu:~/curl#
- ```
- ```
- root@ubuntu:~/curl# ./src/curl -V
- curl 8.6.1-DEV (x86_64-pc-linux-gnu) libcurl/8.6.1-DEV OpenSSL/3.2.0 zlib/1.2
- .11 brotli/1.0.9 libpsl/0.21.0 nghttp3/1.1.0 OpenLDAP/2.5.16
- Release-Date: [unreleased]
- Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns
- ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
- Features: alt-svc AsynchDNS brotli HSTS HTTP3 HTTPS-proxy IPv6 Largefile libz
- NTLM PSL SSL threadsafe TLS-SRP UnixSockets
- root@ubuntu:~/curl#
- ```
-
- Closes #12896
-
-Daniel Stenberg (8 Feb 2024)
-
-- TODO: align the TOC with the header
-
-- docs: make sure curl.1 is included in dist tarballs
-
- Ref: https://github.com/curl/curl/issues/12832#issuecomment-1933271873
-
- Closes #12892
-
-Karthikdasari0423 (8 Feb 2024)
-
-- HTTP3.md: remove quiche word in Openssl 3.2
-
- Closes #12893
-
-Daniel Stenberg (7 Feb 2024)
-
-- curl: when allocating variables, add the name into the struct
-
- This saves the name from being an extra separate allocation.
-
- Closes #12891
-
-- lib582: remove code causing warning that is never run
-
- The previous realloc code in this code could trigger a compiler warning,
- but since that code path cannot happen in normal circumstances it now
- instead exits with an error message there.
-
- Ref: #12887
- Closes #12890
-
-Stefan Eissing (7 Feb 2024)
-
-- vtls: revert "receive max buffer" + add test case
-
- - add test_05_04 for requests using http/1.0, http/1.1 and h2 against an
- Apache resource that does an unclean TLS shutdown.
- - revert special workarund in openssl.c for suppressing shutdown errors
- on multiplexed connections
- - vlts.c restore to its state before 9a90c9dd64d2f03601833a70786d485851bd1b53
-
- Fixes #12885
- Fixes #12844
-
- Closes #12848
-
-Daniel Stenberg (7 Feb 2024)
-
-- tests: support setting/using blank content env variables
-
- - test450: remove --config from the keywords
- - test2080: change return code
- - test428: add --config as a keyword
- - test428: disable on Windows due to CI problems
-
-- curl: exit on config file parser errors
-
- Like when trying to import an environment variable that does not exist.
-
- Also fix a bug for reading env variables when there is a default value
- set.
-
- Bug: https://curl.se/mail/archive-2024-02/0008.html
- Reported-by: Brett Buddin
-
- Add test 462 to verify.
-
- Closes #12862
-
-Daniel Szmulewicz (7 Feb 2024)
-
-- CURLOPT_WRITEFUNCTION.md: typo fix
-
- The maximum amount of body data that is <be> passed to the write
- callback is defined in the curl.h header file
-
- Closes #12889
-
-Daniel Stenberg (7 Feb 2024)
-
-- lib: convert Curl_get_line to use dynbuf
-
- Create the line in a dynbuf. Aborts the reading of the file on
- errors. Avoids having to always allocate maximum amount from the
- start. Avoids direct malloc.
-
- Closes #12846
-
-- KNOWN_BUGS: unicode on Windows
-
- Closes #11461
- Closes #12231
- Closes #12883
-
-- tool_operate: change precedence of server Retry-After time
-
- - When calculating the retry time, no longer allow a server's requested
- Retry-After time to take precedence over a longer retry time (either
- default algorithmic or user-specified).
-
- Prior to this change the server's Retry-After time took precedence over
- curl's retry time in all cases, but that's not always practical for
- short Retry-After times depending on how busy the server is.
-
- Bug: https://curl.se/mail/archive-2024-01/0022.html
- Reported-by: Dirk Hünniger
-
- Closes https://github.com/curl/curl/pull/12871
-
-- cmdline-docs: quote and angle bracket cleanup
-
- - make sure angle brackets are escaped
- - remove a lot of superfluous double quotes
- - replace several double quotes with backticks
-
- To make nicer-looking markdown.
-
- Closes #12884
-
-- badwords: use hostname, not host name
-
- and username, filename - consistently. Fixed the patterns in
- badwords.txt to catch these.
-
- Closes #12888
-
-Viktor Szakats (6 Feb 2024)
-
-- cmake: fix function description in comment [ci skip]
-
- Closes #12879
-
-Daniel Stenberg (6 Feb 2024)
-
-- header.md: remove backslash, make nicer markdown
-
- - remove a leftover backslash before a dash
- - use backticks for "code" strings
-
- Closes #12877
-
-- docs: add mk-ca-bundle.1 to dist
-
- ... which also makes it get built. But don't build this or curl-config.1
- if build docs is disabled.
-
- Closes #12875
-
-Stefan Eissing (6 Feb 2024)
-
-- https-proxy: use IP address and cert with ip in alt names
-
- - improve info logging when peer verification fails to indicate
- if DNS name or ip address has been tried to match
- - add test case for contacting https proxy with ip address
- - add pytest env check on loaded credentials and re-issue
- when they are no longer valid
- - disable proxy ip address test for bearssl, since not supported there
-
- Ref: #12831
- Closes #12838
-
-Jiawen Geng (6 Feb 2024)
-
-- docs: add necessary setup for nghttp3
-
- Now nghttp3 has submodules
- https://github.com/ngtcp2/nghttp3/blob/main/.gitmodules
-
- Closes #12859
-
-Peter Krefting (6 Feb 2024)
-
-- version: allow building with ancient libpsl
-
- The psl_check_version_number() API was added in libpsl 0.11.0. CentOS 7
- ships with version 0.7.0 which lacks this API. Revert to using the older
- versioning API if we detect an old libpsl version.
-
- Follow-up to 72bd88adde0e8cf6e63644a7d6df1da01a399db4
- Bug: https://curl.se/mail/archive-2024-02/0004.html
- Reported-by: Scott Mutter
- Closes #12872
-
-Daniel Stenberg (6 Feb 2024)
-
-- TODO: Support latest rustls
-
- Closes #12737
- Closes #12874
-
-- docs: make curldown do angle brackets like markdown
-
- Make sure we use \< and \> in markdown all over so that it renders
- correctly, on GitHub and elsewhere. cd2nroff now outputs a warning if it
- finds an unescaled angle bracket.
-
- Ref: #12854
- Closes #12869
-
-- docs: fix the --disable-docs for autotools
-
- Follow-up to 541321507e386
-
- Closes #12870
-
-- RELEASE-NOTES: synced
-
-- libcurl-security.md: Active FTP passes on the local IP address
-
- Reported-by: Harry Sintonen
- Closes #12867
-
-Stefan Eissing (5 Feb 2024)
-
-- configure: do not link with nghttp3 unless necessary
-
- Fixes #12833
- Closes #12864
- Reported-by: Ryan Carsten Schmidt
-
-Daniel Stenberg (5 Feb 2024)
-
-- THANKS: add Dmitry Tretyakov
-
- ... since I missed to give credit to the report in the fix of #12861
diff --git a/libs/libcurl/docs/THANKS b/libs/libcurl/docs/THANKS
index cb276cd0bd..5b3d9eaeb9 100644
--- a/libs/libcurl/docs/THANKS
+++ b/libs/libcurl/docs/THANKS
@@ -51,6 +51,7 @@ Ajit Dhumale
Akhil Kedia
Akhilesh Nema
Aki Koskinen
+Aki Sakurai
Akos Pasztory
Akshay Vernekar
Alain Danteny
@@ -922,6 +923,7 @@ Evert Pot
Evgeny Grin (Karlson2k)
Evgeny Turnaev
eXeC64 on github
+extrimexxx on github
Eygene Ryabinkin
Eylem Ugurel
Fabian Fischer
@@ -1062,6 +1064,7 @@ Godwin Stewart
Gonçalo Carvalho
Google Inc.
Gordon Marler
+Gordon Parke
Gorilla Maguila
Goro FUJI
Gou Lingfeng
@@ -1226,6 +1229,7 @@ Ishan SinghLevett
Ithubg on github
Ivan
Ivan Avdeev
+Ivan Kuchin
Ivan Tsybulin
ivanfywang
IvanoG on github
@@ -3169,9 +3173,7 @@ Yusuke Nakamura
Yves Arrouye
Yves Lejeune
YX Hao
-z2-2z on github
z2_
-z2_ on hackerone
Zachary Seguin
Zdenek Pavlas
Zekun Ni
diff --git a/libs/libcurl/include/curl/curl.h b/libs/libcurl/include/curl/curl.h
index b7016055eb..f2feb26eb9 100644
--- a/libs/libcurl/include/curl/curl.h
+++ b/libs/libcurl/include/curl/curl.h
@@ -2133,7 +2133,7 @@ typedef enum {
/* the EC curves requested by the TLS client (RFC 8422, 5.1);
* OpenSSL support via 'set_groups'/'set_curves':
- * https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html
+ * https://docs.openssl.org/master/man3/SSL_CTX_set1_curves/
*/
CURLOPT(CURLOPT_SSL_EC_CURVES, CURLOPTTYPE_STRINGPOINT, 298),
diff --git a/libs/libcurl/include/curl/curlver.h b/libs/libcurl/include/curl/curlver.h
index 5cdafed8a1..02d45da8df 100644
--- a/libs/libcurl/include/curl/curlver.h
+++ b/libs/libcurl/include/curl/curlver.h
@@ -32,13 +32,13 @@
/* This is the version number of the libcurl package from which this header
file origins: */
-#define LIBCURL_VERSION "8.9.0"
+#define LIBCURL_VERSION "8.9.1"
/* The numeric version number is also available "in parts" by using these
defines: */
#define LIBCURL_VERSION_MAJOR 8
#define LIBCURL_VERSION_MINOR 9
-#define LIBCURL_VERSION_PATCH 0
+#define LIBCURL_VERSION_PATCH 1
/* This is the numeric version of the libcurl version number, meant for easier
parsing and comparisons by programs. The LIBCURL_VERSION_NUM define will
@@ -59,7 +59,7 @@
CURL_VERSION_BITS() macro since curl's own configure script greps for it
and needs it to contain the full number.
*/
-#define LIBCURL_VERSION_NUM 0x080900
+#define LIBCURL_VERSION_NUM 0x080901
/*
* This is the date and time when the full source package was created. The
@@ -70,7 +70,7 @@
*
* "2007-11-23"
*/
-#define LIBCURL_TIMESTAMP "2024-07-24"
+#define LIBCURL_TIMESTAMP "2024-07-31"
#define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
#define CURL_AT_LEAST_VERSION(x,y,z) \
diff --git a/libs/libcurl/src/config-win32.h b/libs/libcurl/src/config-win32.h
index 6b61216c9b..17924e3dec 100644
--- a/libs/libcurl/src/config-win32.h
+++ b/libs/libcurl/src/config-win32.h
@@ -158,10 +158,6 @@
/* Define if you have the socket function. */
#define HAVE_SOCKET 1
-/* Define if libSSH2 is in use */
-#define USE_LIBSSH2 1
-#define HAVE_LIBSSH2_H 1
-
/* Define if you have the strcasecmp function. */
#if defined(__MINGW32__)
#define HAVE_STRCASECMP 1
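Review bot: The hard-coded `USE_LIBSSH2`/`HAVE_LIBSSH2_H` defines dropped here, and `USE_OPENSSL` dropped in the next hunk of this file, have no replacement anywhere in this diff, so a Windows build that takes its configuration only from this header compiles without libssh2 and without the OpenSSL backend unless the build files now pass these macros on the command line. That is presumably the intent (the vendored build files are not in this view), but the header no longer says so, and a missing TLS backend is the kind of regression that fails silently: the library still links, it just cannot do https. A comment where the defines used to live, `/* USE_OPENSSL, USE_LIBSSH2 and HAVE_LIBSSH2_H are supplied by the build files, not hard-coded here */`, would record where the choice moved.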
@@ -478,9 +474,6 @@ Vista
#define USE_WIN32_LDAP 1
#endif
-/* if SSL is enabled */
-#define USE_OPENSSL 1
-
/* Define to use the Windows crypto library. */
#if !defined(CURL_WINDOWS_APP)
#define USE_WIN32_CRYPTO
diff --git a/libs/libcurl/src/conncache.c b/libs/libcurl/src/conncache.c
index 87ddfd5e71..af470d81cd 100644
--- a/libs/libcurl/src/conncache.c
+++ b/libs/libcurl/src/conncache.c
@@ -584,15 +584,15 @@ static void connc_close_all(struct conncache *connc)
return;
/* Move all connections to the shutdown list */
+ sigpipe_init(&pipe_st);
conn = connc_find_first_connection(connc);
while(conn) {
connc_remove_conn(connc, conn);
- sigpipe_ignore(data, &pipe_st);
+ sigpipe_apply(data, &pipe_st);
/* This will remove the connection from the cache */
connclose(conn, "kill all");
Curl_conncache_remove_conn(connc->closure_handle, conn, TRUE);
connc_discard_conn(connc, connc->closure_handle, conn, FALSE);
- sigpipe_restore(&pipe_st);
conn = connc_find_first_connection(connc);
}
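Review bot: Removing `sigpipe_restore()` from the loop body leaves `sigpipe_apply(data, &pipe_st)` being called on every iteration, with the single restore now at the end of the function (the `sigpipe_restore(&pipe_st)` in the next hunk); the function body between the two hunks is not in view. This is only correct if `sigpipe_apply()` is a no-op once the handler has been replaced — otherwise the second iteration would record SIG_IGN as the handler to restore and the process would keep SIGPIPE ignored after `connc_close_all()` returns. sigpipe.h is changed by this commit but not shown on this page, so I cannot confirm that here; a comment at the loop, `/* sigpipe_apply() replaces the handler at most once; it is restored only at the end of this function */`, would pin the contract the loop relies on.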
@@ -613,7 +613,7 @@ static void connc_close_all(struct conncache *connc)
/* discard all connections in the shutdown list */
connc_shutdown_discard_all(connc);
- sigpipe_ignore(data, &pipe_st);
+ sigpipe_apply(data, &pipe_st);
Curl_hostcache_clean(data, data->dns.hostcache);
Curl_close(&data);
sigpipe_restore(&pipe_st);
@@ -628,7 +628,6 @@ static void connc_shutdown_discard_oldest(struct conncache *connc)
{
struct Curl_llist_element *e;
struct connectdata *conn;
- SIGPIPE_VARIABLE(pipe_st);
DEBUGASSERT(!connc->shutdowns.iter_locked);
if(connc->shutdowns.iter_locked)
@@ -636,9 +635,11 @@ static void connc_shutdown_discard_oldest(struct conncache *connc)
e = connc->shutdowns.conn_list.head;
if(e) {
+ SIGPIPE_VARIABLE(pipe_st);
conn = e->ptr;
Curl_llist_remove(&connc->shutdowns.conn_list, e, NULL);
- sigpipe_ignore(connc->closure_handle, &pipe_st);
+ sigpipe_init(&pipe_st);
+ sigpipe_apply(connc->closure_handle, &pipe_st);
connc_disconnect(NULL, conn, connc, FALSE);
sigpipe_restore(&pipe_st);
}
@@ -900,6 +901,9 @@ static void connc_perform(struct conncache *connc)
struct Curl_llist_element *e = connc->shutdowns.conn_list.head;
struct Curl_llist_element *enext;
struct connectdata *conn;
+ struct curltime *nowp = NULL;
+ struct curltime now;
+ timediff_t next_from_now_ms = 0, ms;
bool done;
if(!e)
@@ -922,9 +926,22 @@ static void connc_perform(struct conncache *connc)
Curl_llist_remove(&connc->shutdowns.conn_list, e, NULL);
connc_disconnect(NULL, conn, connc, FALSE);
}
+ else {
+ /* Not done, when does this connection time out? */
+ if(!nowp) {
+ now = Curl_now();
+ nowp = &now;
+ }
+ ms = Curl_conn_shutdown_timeleft(conn, nowp);
+ if(ms && ms < next_from_now_ms)
+ next_from_now_ms = ms;
+ }
e = enext;
}
connc->shutdowns.iter_locked = FALSE;
+
+ if(next_from_now_ms)
+ Curl_expire(data, next_from_now_ms, EXPIRE_RUN_NOW);
}
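Review bot: `next_from_now_ms` starts at 0 (declared in the previous hunk) and the only update is `if(ms && ms < next_from_now_ms)`, so a positive remaining time never satisfies the comparison; only negative values from already-overdue shutdowns get recorded, and a connection that still has, say, 500 ms left schedules no `Curl_expire()` at all — which is the "shutdown never performed" symptom the CHANGES entry for #14296 says this is meant to fix. The companion `Curl_conn_shutdown_timeleft()` in connect.c handles the zero start correctly with `(!left_ms || ms < left_ms)`; the same form belongs here: `if(ms && (!next_from_now_ms || ms < next_from_now_ms))`. `data` passed to `Curl_expire()` is declared above the hunk; assuming it is the cache's closure handle as the CHANGES entry describes, the expire lands on the internal handle as intended.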
void Curl_conncache_multi_perform(struct Curl_multi *multi)
diff --git a/libs/libcurl/src/connect.c b/libs/libcurl/src/connect.c
index f31a4d7c88..943551d321 100644
--- a/libs/libcurl/src/connect.c
+++ b/libs/libcurl/src/connect.c
@@ -161,6 +161,7 @@ timediff_t Curl_shutdown_timeleft(struct connectdata *conn, int sockindex,
struct curltime *nowp)
{
struct curltime now;
+ timediff_t left_ms;
if(!conn->shutdown.start[sockindex].tv_sec || !conn->shutdown.timeout_ms)
return 0; /* not started or no limits */
@@ -169,8 +170,30 @@ timediff_t Curl_shutdown_timeleft(struct connectdata *conn, int sockindex,
now = Curl_now();
nowp = &now;
}
- return conn->shutdown.timeout_ms -
- Curl_timediff(*nowp, conn->shutdown.start[sockindex]);
+ left_ms = conn->shutdown.timeout_ms -
+ Curl_timediff(*nowp, conn->shutdown.start[sockindex]);
+ return left_ms? left_ms : -1;
+}
+
+timediff_t Curl_conn_shutdown_timeleft(struct connectdata *conn,
+ struct curltime *nowp)
+{
+ timediff_t left_ms = 0, ms;
+ struct curltime now;
+ int i;
+
+ for(i = 0; conn->shutdown.timeout_ms && (i < 2); ++i) {
+ if(!conn->shutdown.start[i].tv_sec)
+ continue;
+ if(!nowp) {
+ now = Curl_now();
+ nowp = &now;
+ }
+ ms = Curl_shutdown_timeleft(conn, i, nowp);
+ if(ms && (!left_ms || ms < left_ms))
+ left_ms = ms;
+ }
+ return left_ms;
}
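Review bot: `return left_ms? left_ms : -1;` introduces a third return value — -1 when the deadline is exhausted to the millisecond — distinct from "no limit" (0) and from an ordinary negative overdue, but neither the new comment on `Curl_shutdown_timeleft` in this commit's connect.h hunk ("Returns 0 if there is no limit or shutdown has not started") nor `Curl_conn_shutdown_timeleft` documents it, so a caller testing `<= 0` for "expired" has to read the implementation to learn that 0 is the one value that does not mean that. Suggest extending both header comments with `A negative value means the deadline has already passed.` and adding `/* 0 is reserved for "no deadline"; report an exhausted one as -1 */` above the return. In `Curl_conn_shutdown_timeleft` the lazy `now` initialisation duplicates the one inside `Curl_shutdown_timeleft` (visible at the top of this hunk); if the point is to sample the clock once for both sockets, a one-line comment saying so would stop someone from "simplifying" it away.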
void Curl_shutdown_clear(struct Curl_easy *data, int sockindex)
diff --git a/libs/libcurl/src/connect.h b/libs/libcurl/src/connect.h
index d590f7fd19..33ba201545 100644
--- a/libs/libcurl/src/connect.h
+++ b/libs/libcurl/src/connect.h
@@ -46,10 +46,15 @@ void Curl_shutdown_start(struct Curl_easy *data, int sockindex,
struct curltime *nowp);
/* return how much time there is left to shutdown the connection at
- * sockindex. */
+ * sockindex. Returns 0 if there is no limit or shutdown has not started. */
timediff_t Curl_shutdown_timeleft(struct connectdata *conn, int sockindex,
struct curltime *nowp);
+/* return how much time there is left to shutdown the connection.
+ * Returns 0 if there is no limit or shutdown has not started. */
+timediff_t Curl_conn_shutdown_timeleft(struct connectdata *conn,
+ struct curltime *nowp);
+
void Curl_shutdown_clear(struct Curl_easy *data, int sockindex);
/* TRUE iff shutdown has been started */
diff --git a/libs/libcurl/src/curl_setup.h b/libs/libcurl/src/curl_setup.h
index 9a560df761..7cb35f319f 100644
--- a/libs/libcurl/src/curl_setup.h
+++ b/libs/libcurl/src/curl_setup.h
@@ -71,7 +71,9 @@
the necessary dynamic detection features, so the SDK falls back to
a codepath that sets both the old and new macro to 1. */
#if defined(TARGET_OS_MAC) && TARGET_OS_MAC && \
- defined(TARGET_OS_OSX) && !TARGET_OS_OSX
+ defined(TARGET_OS_OSX) && !TARGET_OS_OSX && \
+ (!defined(TARGET_OS_IPHONE) || !TARGET_OS_IPHONE) && \
+ (!defined(TARGET_OS_SIMULATOR) || !TARGET_OS_SIMULATOR)
#undef TARGET_OS_OSX
#define TARGET_OS_OSX TARGET_OS_MAC
#endif
@@ -97,6 +99,16 @@
# ifndef NOGDI
# define NOGDI
# endif
+/* Detect Windows App environment which has a restricted access
+ * to the Win32 APIs. */
+# if (defined(_WIN32_WINNT) && (_WIN32_WINNT >= 0x0602)) || \
+ defined(WINAPI_FAMILY)
+# include <winapifamily.h>
+# if WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_APP) && \
+ !WINAPI_FAMILY_PARTITION(WINAPI_PARTITION_DESKTOP)
+# define CURL_WINDOWS_APP
+# endif
+# endif
#endif
/* Compatibility */
diff --git a/libs/libcurl/src/easy.c b/libs/libcurl/src/easy.c
index 6e5b91a76e..034dd93d99 100644
--- a/libs/libcurl/src/easy.c
+++ b/libs/libcurl/src/easy.c
@@ -764,7 +764,8 @@ static CURLcode easy_perform(struct Curl_easy *data, bool events)
/* assign this after curl_multi_add_handle() */
data->multi_easy = multi;
- sigpipe_ignore(data, &pipe_st);
+ sigpipe_init(&pipe_st);
+ sigpipe_apply(data, &pipe_st);
/* run the transfer */
result = events ? easy_events(multi) : easy_transfer(multi);
diff --git a/libs/libcurl/src/escape.c b/libs/libcurl/src/escape.c
index b154c584f6..96e108cd2c 100644
--- a/libs/libcurl/src/escape.c
+++ b/libs/libcurl/src/escape.c
@@ -60,7 +60,7 @@ char *curl_easy_escape(struct Curl_easy *data, const char *string,
struct dynbuf d;
(void)data;
- if(inlength < 0)
+ if(!string || (inlength < 0))
return NULL;
Curl_dyn_init(&d, CURL_MAX_INPUT_LENGTH * 3);
@@ -181,7 +181,7 @@ char *curl_easy_unescape(struct Curl_easy *data, const char *string,
{
char *str = NULL;
(void)data;
- if(length >= 0) {
+ if(string && (length >= 0)) {
size_t inputlen = (size_t)length;
size_t outputlen;
CURLcode res = Curl_urldecode(string, inputlen, &str, &outputlen,
diff --git a/libs/libcurl/src/multi.c b/libs/libcurl/src/multi.c
index fd2ee5238f..39f4c2c4f2 100644
--- a/libs/libcurl/src/multi.c
+++ b/libs/libcurl/src/multi.c
@@ -2714,6 +2714,7 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles)
CURLMcode returncode = CURLM_OK;
struct Curl_tree *t;
struct curltime now = Curl_now();
+ SIGPIPE_VARIABLE(pipe_st);
if(!GOOD_MULTI_HANDLE(multi))
return CURLM_BAD_HANDLE;
@@ -2721,12 +2722,10 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles)
if(multi->in_callback)
return CURLM_RECURSIVE_API_CALL;
+ sigpipe_init(&pipe_st);
data = multi->easyp;
if(data) {
CURLMcode result;
- bool nosig = data->set.no_signal;
- SIGPIPE_VARIABLE(pipe_st);
- sigpipe_ignore(data, &pipe_st);
/* Do the loop and only alter the signal ignore state if the next handle
has a different NO_SIGNAL state than the previous */
do {
@@ -2734,22 +2733,23 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles)
pointer now */
struct Curl_easy *datanext = data->next;
- if(data->set.no_signal != nosig) {
- sigpipe_restore(&pipe_st);
- sigpipe_ignore(data, &pipe_st);
- nosig = data->set.no_signal;
+ if(data != multi->conn_cache.closure_handle) {
+ /* connection cache handle is processed below */
+ sigpipe_apply(data, &pipe_st);
+ result = multi_runsingle(multi, &now, data);
+ if(result)
+ returncode = result;
}
- result = multi_runsingle(multi, &now, data);
- if(result)
- returncode = result;
data = datanext; /* operate on next handle */
} while(data);
- sigpipe_restore(&pipe_st);
}
+ sigpipe_apply(multi->conn_cache.closure_handle, &pipe_st);
Curl_conncache_multi_perform(multi);
+ sigpipe_restore(&pipe_st);
+
/*
* Simply remove all expired timers from the splay since handles are dealt
* with unconditionally by this function and curl_multi_timeout() requires
@@ -2778,7 +2778,8 @@ CURLMcode curl_multi_perform(struct Curl_multi *multi, int *running_handles)
}
} while(t);
- *running_handles = (int)multi->num_alive;
+ if(running_handles)
+ *running_handles = (int)multi->num_alive;
if(CURLM_OK >= returncode)
returncode = Curl_update_timer(multi);
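Review bot: The new `if(running_handles)` guard makes a NULL running_handles pointer acceptable in curl_multi_perform (and likewise in the multi_socket hunk further down), but nothing on the page documents that as part of the contract, so the guard reads as dead code to a maintainer who only knows the old "must be non-NULL" behaviour. The function's public documentation should state that the argument may be NULL when the caller does not need the count, and a short comment at the site, `/* the caller may pass NULL when it does not want the count */`, captures the intent where the check lives.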
@@ -3188,8 +3189,7 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
struct Curl_easy *data = NULL;
struct Curl_tree *t;
struct curltime now = Curl_now();
- bool first = FALSE;
- bool nosig = FALSE;
+ bool run_conn_cache = FALSE;
SIGPIPE_VARIABLE(pipe_st);
if(checkall) {
@@ -3234,11 +3234,15 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
DEBUGASSERT(data);
DEBUGASSERT(data->magic == CURLEASY_MAGIC_NUMBER);
- if(data->conn && !(data->conn->handler->flags & PROTOPT_DIRLOCK))
- /* set socket event bitmask if they are not locked */
- data->state.select_bits |= (unsigned char)ev_bitmask;
+ if(data == multi->conn_cache.closure_handle)
+ run_conn_cache = TRUE;
+ else {
+ if(data->conn && !(data->conn->handler->flags & PROTOPT_DIRLOCK))
+ /* set socket event bitmask if they are not locked */
+ data->state.select_bits |= (unsigned char)ev_bitmask;
- Curl_expire(data, 0, EXPIRE_RUN_NOW);
+ Curl_expire(data, 0, EXPIRE_RUN_NOW);
+ }
}
/* Now we fall-through and do the timer-based stuff, since we do not want
@@ -3265,19 +3269,13 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
* to process in the splay and 'data' will be re-assigned for every expired
* handle we deal with.
*/
+ sigpipe_init(&pipe_st);
do {
+ if(data == multi->conn_cache.closure_handle)
+ run_conn_cache = TRUE;
/* the first loop lap 'data' can be NULL */
- if(data) {
- if(!first) {
- first = TRUE;
- nosig = data->set.no_signal; /* initial state */
- sigpipe_ignore(data, &pipe_st);
- }
- else if(data->set.no_signal != nosig) {
- sigpipe_restore(&pipe_st);
- sigpipe_ignore(data, &pipe_st);
- nosig = data->set.no_signal; /* remember new state */
- }
+ else if(data) {
+ sigpipe_apply(data, &pipe_st);
result = multi_runsingle(multi, &now, data);
if(CURLM_OK >= result) {
@@ -3299,10 +3297,16 @@ static CURLMcode multi_socket(struct Curl_multi *multi,
}
} while(t);
- if(first)
- sigpipe_restore(&pipe_st);
- *running_handles = (int)multi->num_alive;
+ if(run_conn_cache) {
+ sigpipe_apply(multi->conn_cache.closure_handle, &pipe_st);
+ Curl_conncache_multi_perform(multi);
+ }
+
+ sigpipe_restore(&pipe_st);
+
+ if(running_handles)
+ *running_handles = (int)multi->num_alive;
return result;
}
diff --git a/libs/libcurl/src/setup-os400.h b/libs/libcurl/src/setup-os400.h
index e506b93d89..e854f9f33f 100644
--- a/libs/libcurl/src/setup-os400.h
+++ b/libs/libcurl/src/setup-os400.h
@@ -38,6 +38,15 @@ typedef unsigned long u_int32_t;
#define isatty(fd) 0
+/* Workaround bug in IBM QADRT runtime library:
+ * function puts() does not output the implicit trailing newline.
+ */
+
+#include <stdio.h> /* Be sure it is loaded. */
+#undef puts
+#define puts(s) (fputs((s), stdout) == EOF? EOF: putchar('\n'))
+
+
/* System API wrapper prototypes & definitions to support ASCII parameters. */
#include <sys/socket.h>
diff --git a/libs/libcurl/src/sigpipe.h b/libs/libcurl/src/sigpipe.h
index 4bfff9744b..8126d59325 100644
--- a/libs/libcurl/src/sigpipe.h
+++ b/libs/libcurl/src/sigpipe.h
@@ -36,6 +36,11 @@ struct sigpipe_ignore {
#define SIGPIPE_VARIABLE(x) struct sigpipe_ignore x
+static void sigpipe_init(struct sigpipe_ignore *ig)
+{
+ memset(ig, 0, sizeof(*ig));
+}
+
/*
* sigpipe_ignore() makes sure we ignore SIGPIPE while running libcurl
* internals, and then sigpipe_restore() will restore the situation when we
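Review bot: sigpipe_init() zeroes the struct, which leaves ig->no_signal FALSE, and sigpipe_apply() in the next hunk only installs the ignore handler when `data->set.no_signal != ig->no_signal`; for a handle with the default no_signal == FALSE the two are equal, so the first apply does nothing and SIGPIPE is never ignored during the transfer. The sigpipe_restore() calls that the easy.c and multi.c hunks (easy_perform, curl_multi_perform, multi_socket) make afterwards then run with an all-zero old_pipe_act, and the `sigaction(SIGPIPE, &ig->old_pipe_act, NULL)` context line in the next hunk would install that zeroed struct (SIG_DFL) over the application's own disposition unless restore is skipped when ig->no_signal is set — that guard, if present, is outside the hunk. Provided restore is a no-op in the no_signal case, initialising the struct to the "nothing installed" state fixes both: `memset(ig, 0, sizeof(*ig)); ig->no_signal = TRUE;`, so the first apply on a default handle takes the ignore path and a restore without a preceding ignore leaves the process state alone. This affects all callers in the easy.c and multi.c hunks, so the fix belongs here rather than at each call site.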
@@ -70,9 +75,20 @@ static void sigpipe_restore(struct sigpipe_ignore *ig)
sigaction(SIGPIPE, &ig->old_pipe_act, NULL);
}
+static void sigpipe_apply(struct Curl_easy *data,
+ struct sigpipe_ignore *ig)
+{
+ if(data->set.no_signal != ig->no_signal) {
+ sigpipe_restore(ig);
+ sigpipe_ignore(data, ig);
+ }
+}
+
#else
/* for systems without sigaction */
#define sigpipe_ignore(x,y) Curl_nop_stmt
+#define sigpipe_apply(x,y) Curl_nop_stmt
+#define sigpipe_init(x) Curl_nop_stmt
#define sigpipe_restore(x) Curl_nop_stmt
#define SIGPIPE_VARIABLE(x)
#endif
diff --git a/libs/libcurl/src/transfer.c b/libs/libcurl/src/transfer.c
index b21ada91a5..598f59a83f 100644
--- a/libs/libcurl/src/transfer.c
+++ b/libs/libcurl/src/transfer.c
@@ -281,13 +281,13 @@ static CURLcode readwrite_data(struct Curl_easy *data,
buf = xfer_buf;
bytestoread = xfer_blen;
- if(bytestoread && data->set.max_recv_speed) {
+ if(bytestoread && data->set.max_recv_speed > 0) {
/* In case of speed limit on receiving: if this loop already got
* data, break out. If not, limit the amount of bytes to receive.
* The overall, timed, speed limiting is done in multi.c */
if(total_received)
break;
- if((size_t)data->set.max_recv_speed < bytestoread)
+ if(data->set.max_recv_speed < (curl_off_t)bytestoread)
bytestoread = (size_t)data->set.max_recv_speed;
}
diff --git a/libs/libcurl/src/vtls/mbedtls.c b/libs/libcurl/src/vtls/mbedtls.c
index a6286f82d6..9500baff40 100644
--- a/libs/libcurl/src/vtls/mbedtls.c
+++ b/libs/libcurl/src/vtls/mbedtls.c
@@ -249,8 +249,8 @@ static const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_fr =
1024, /* RSA min key len */
};
-/* See https://tls.mbed.org/discussions/generic/
- howto-determine-exact-buffer-len-for-mbedtls_pk_write_pubkey_der
+/* See https://web.archive.org/web/20200921194007/tls.mbed.org/discussions/
+ generic/howto-determine-exact-buffer-len-for-mbedtls_pk_write_pubkey_der
*/
#define RSA_PUB_DER_MAX_BYTES (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
#define ECP_PUB_DER_MAX_BYTES (30 + 2 * MBEDTLS_ECP_MAX_BYTES)
diff --git a/libs/libcurl/src/vtls/openssl.c b/libs/libcurl/src/vtls/openssl.c
index 7cc15350a4..69329a7e4b 100644
--- a/libs/libcurl/src/vtls/openssl.c
+++ b/libs/libcurl/src/vtls/openssl.c
@@ -231,7 +231,7 @@
/*
* Whether SSL_CTX_set1_curves_list is available.
* OpenSSL: supported since 1.0.2, see
- * https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html
+ * https://docs.openssl.org/master/man3/SSL_CTX_set1_curves/
* BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30)
* LibreSSL: since 2.5.3 (April 12, 2017)
*/
@@ -3244,7 +3244,8 @@ static CURLcode populate_x509_store(struct Curl_cfilter *cf,
problems with server-sent legacy intermediates. Newer versions of
OpenSSL do alternate chain checking by default but we do not know how to
determine that in a reliable manner.
- https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
+ https://web.archive.org/web/20190422050538/
+ rt.openssl.org/Ticket/Display.html?id=3621
*/
#if defined(X509_V_FLAG_TRUSTED_FIRST)
X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
@@ -3567,12 +3568,12 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
CVE-2010-4180 when using previous OpenSSL versions we no longer enable
this option regardless of OpenSSL version and SSL_OP_ALL definition.
- OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
- (https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
- SSL_OP_ALL that _disables_ that work-around despite the fact that
- SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
- keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
- must not be set.
+ OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability:
+ https://web.archive.org/web/20240114184648/openssl.org/~bodo/tls-cbc.txt.
+ In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around
+ despite the fact that SSL_OP_ALL is documented to do "rather harmless"
+ workarounds. In order to keep the secure work-around, the
+ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set.
*/
ctx_options = SSL_OP_ALL;
@@ -4363,7 +4364,7 @@ static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
if(!buff1)
break; /* failed */
- /* https://www.openssl.org/docs/crypto/d2i_X509.html */
+ /* https://docs.openssl.org/master/man3/d2i_X509/ */
len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
/*
@@ -4975,7 +4976,7 @@ static ssize_t ossl_recv(struct Curl_cfilter *cf,
default:
/* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
value/errno" */
- /* https://www.openssl.org/docs/crypto/ERR_get_error.html */
+ /* https://docs.openssl.org/master/man3/ERR_get_error/ */
if(octx->io_result == CURLE_AGAIN) {
*curlcode = CURLE_AGAIN;
nread = -1;
diff --git a/libs/libcurl/src/vtls/vtls.c b/libs/libcurl/src/vtls/vtls.c
index 8e5f8a5491..72fe052c56 100644
--- a/libs/libcurl/src/vtls/vtls.c
+++ b/libs/libcurl/src/vtls/vtls.c
@@ -413,23 +413,6 @@ int Curl_ssl_init(void)
return Curl_ssl->init();
}
-#if defined(CURL_WITH_MULTI_SSL)
-static const struct Curl_ssl Curl_ssl_multi;
-#endif
-
-/* Global cleanup */
-void Curl_ssl_cleanup(void)
-{
- if(init_ssl) {
- /* only cleanup if we did a previous init */
- Curl_ssl->cleanup();
-#if defined(CURL_WITH_MULTI_SSL)
- Curl_ssl = &Curl_ssl_multi;
-#endif
- init_ssl = FALSE;
- }
-}
-
static bool ssl_prefs_check(struct Curl_easy *data)
{
/* check for CURLOPT_SSLVERSION invalid parameter value */
@@ -1404,6 +1387,19 @@ static const struct Curl_ssl *available_backends[] = {
NULL
};
+/* Global cleanup */
+void Curl_ssl_cleanup(void)
+{
+ if(init_ssl) {
+ /* only cleanup if we did a previous init */
+ Curl_ssl->cleanup();
+#if defined(CURL_WITH_MULTI_SSL)
+ Curl_ssl = &Curl_ssl_multi;
+#endif
+ init_ssl = FALSE;
+ }
+}
+
static size_t multissl_version(char *buffer, size_t size)
{
static const struct Curl_ssl *selected;
diff --git a/libs/libcurl/src/vtls/wolfssl.c b/libs/libcurl/src/vtls/wolfssl.c
index a305b5f080..d9a8e84325 100644
--- a/libs/libcurl/src/vtls/wolfssl.c
+++ b/libs/libcurl/src/vtls/wolfssl.c
@@ -212,7 +212,7 @@ static int do_file_type(const char *type)
return -1;
}
-#ifdef HAVE_LIBOQS
+#ifdef WOLFSSL_HAVE_KYBER
struct group_name_map {
const word16 group;
const char *name;
@@ -434,10 +434,10 @@ static CURLcode populate_x509_store(struct Curl_cfilter *cf,
}
infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
- wssl->x509_store_setup = TRUE;
}
#endif
(void)store;
+ wssl->x509_store_setup = TRUE;
return CURLE_OK;
}
@@ -571,7 +571,7 @@ CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf,
bool cache_criteria_met;
/* Consider the X509 store cacheable if it comes exclusively from a CAfile,
- or no source is provided and we are falling back to OpenSSL's built-in
+ or no source is provided and we are falling back to wolfSSL's built-in
default. */
cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) &&
conn_config->verifypeer &&
@@ -580,19 +580,30 @@ CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf,
!ssl_config->primary.CRLfile &&
!ssl_config->native_ca_store;
- cached_store = get_cached_x509_store(cf, data);
- if(cached_store && cache_criteria_met
- && wolfSSL_X509_STORE_up_ref(cached_store)) {
+ cached_store = cache_criteria_met ? get_cached_x509_store(cf, data) : NULL;
+ if(cached_store && wolfSSL_X509_STORE_up_ref(cached_store)) {
wolfSSL_CTX_set_cert_store(wssl->ctx, cached_store);
}
- else {
- X509_STORE *store = wolfSSL_CTX_get_cert_store(wssl->ctx);
+ else if(cache_criteria_met) {
+ /* wolfSSL's initial store in CTX is not shareable by default.
+ * Make a new one, suitable for adding to the cache. See #14278 */
+ X509_STORE *store = wolfSSL_X509_STORE_new();
+ if(!store) {
+ failf(data, "SSL: could not create a X509 store");
+ return CURLE_OUT_OF_MEMORY;
+ }
+ wolfSSL_CTX_set_cert_store(wssl->ctx, store);
result = populate_x509_store(cf, data, store, wssl);
- if(result == CURLE_OK && cache_criteria_met) {
+ if(!result) {
set_cached_x509_store(cf, data, store);
}
}
+ else {
+ /* We never share the CTX's store, use it. */
+ X509_STORE *store = wolfSSL_CTX_get_cert_store(wssl->ctx);
+ result = populate_x509_store(cf, data, store, wssl);
+ }
return result;
}
@@ -611,8 +622,8 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
const struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
WOLFSSL_METHOD* req_method = NULL;
-#ifdef HAVE_LIBOQS
- word16 oqsAlg = 0;
+#ifdef WOLFSSL_HAVE_KYBER
+ word16 pqkem = 0;
size_t idx = 0;
#endif
#ifdef HAVE_SNI
@@ -739,15 +750,15 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
curves = conn_config->curves;
if(curves) {
-#ifdef HAVE_LIBOQS
+#ifdef WOLFSSL_HAVE_KYBER
for(idx = 0; gnm[idx].name != NULL; idx++) {
if(strncmp(curves, gnm[idx].name, strlen(gnm[idx].name)) == 0) {
- oqsAlg = gnm[idx].group;
+ pqkem = gnm[idx].group;
break;
}
}
- if(oqsAlg == 0)
+ if(pqkem == 0)
#endif
{
if(!SSL_CTX_set1_curves_list(backend->ctx, curves)) {
@@ -821,8 +832,14 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
/* give application a chance to interfere with SSL set up. */
if(data->set.ssl.fsslctx) {
- CURLcode result = (*data->set.ssl.fsslctx)(data, backend->ctx,
- data->set.ssl.fsslctxp);
+ CURLcode result;
+ if(!backend->x509_store_setup) {
+ result = Curl_wssl_setup_x509_store(cf, data, backend);
+ if(result)
+ return result;
+ }
+ result = (*data->set.ssl.fsslctx)(data, backend->ctx,
+ data->set.ssl.fsslctxp);
if(result) {
failf(data, "error signaled by ssl ctx callback");
return result;
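Review bot: Setting up the X509 store before invoking the application's fsslctx callback means the callback now operates on whatever store Curl_wssl_setup_x509_store attached to the CTX, which in the cache_criteria_met branch of the earlier hunk is a store that is also published via set_cached_x509_store() and reused by later connections. If the callback adds or removes trust anchors through the CTX, that change could leak into other connections' verification unless the caching criteria exclude handles with a callback; the visible part of cache_criteria_met shows no such check, so please confirm one exists or add `!data->set.ssl.fsslctx` to the criteria. A comment on the new block, `/* populate the store first so the callback sees the final trust store */`, would also explain why the order matters here. wolfssl_connect_step1 begins and ends outside this hunk.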
@@ -847,10 +864,10 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
return CURLE_OUT_OF_MEMORY;
}
-#ifdef HAVE_LIBOQS
- if(oqsAlg) {
- if(wolfSSL_UseKeyShare(backend->handle, oqsAlg) != WOLFSSL_SUCCESS) {
- failf(data, "unable to use oqs KEM");
+#ifdef WOLFSSL_HAVE_KYBER
+ if(pqkem) {
+ if(wolfSSL_UseKeyShare(backend->handle, pqkem) != WOLFSSL_SUCCESS) {
+ failf(data, "unable to use PQ KEM");
}
}
#endif
@@ -1059,15 +1076,9 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
/* After having send off the ClientHello, we prepare the x509
* store to verify the coming certificate from the server */
CURLcode result;
- struct wolfssl_ctx wssl;
- wssl.ctx = backend->ctx;
- wssl.handle = backend->handle;
- wssl.io_result = CURLE_OK;
- wssl.x509_store_setup = FALSE;
- result = Curl_wssl_setup_x509_store(cf, data, &wssl);
+ result = Curl_wssl_setup_x509_store(cf, data, backend);
if(result)
return result;
- backend->x509_store_setup = wssl.x509_store_setup;
}
connssl->io_need = CURL_SSL_IO_NEED_NONE;
diff --git a/libs/libcurl/src/vtls/x509asn1.c b/libs/libcurl/src/vtls/x509asn1.c
index f8b0dd38e5..5d90c45067 100644
--- a/libs/libcurl/src/vtls/x509asn1.c
+++ b/libs/libcurl/src/vtls/x509asn1.c
@@ -494,7 +494,7 @@ static CURLcode GTime2str(struct dynbuf *store,
/* Convert an ASN.1 Generalized time to a printable string.
Return the dynamically allocated string, or NULL if an error occurs. */
- for(fracp = beg; fracp < end && *fracp >= '0' && *fracp <= '9'; fracp++)
+ for(fracp = beg; fracp < end && ISDIGIT(*fracp); fracp++)
;
/* Get seconds digits. */
@@ -513,32 +513,44 @@ static CURLcode GTime2str(struct dynbuf *store,
return CURLE_BAD_FUNCTION_ARGUMENT;
}
- /* Scan for timezone, measure fractional seconds. */
+ /* timezone follows optional fractional seconds. */
tzp = fracp;
- fracl = 0;
+ fracl = 0; /* no fractional seconds detected so far */
if(fracp < end && (*fracp == '.' || *fracp == ',')) {
- fracp++;
- do
+ /* Have fractional seconds, e.g. "[.,]\d+". How many? */
+ fracp++; /* should be a digit char or BAD ARGUMENT */
+ tzp = fracp;
+ while(tzp < end && ISDIGIT(*tzp))
tzp++;
- while(tzp < end && *tzp >= '0' && *tzp <= '9');
- /* Strip leading zeroes in fractional seconds. */
- for(fracl = tzp - fracp - 1; fracl && fracp[fracl - 1] == '0'; fracl--)
- ;
+ if(tzp == fracp) /* never looped, no digit after [.,] */
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ fracl = tzp - fracp; /* number of fractional sec digits */
+ DEBUGASSERT(fracl > 0);
+ /* Strip trailing zeroes in fractional seconds.
+ * May reduce fracl to 0 if only '0's are present. */
+ while(fracl && fracp[fracl - 1] == '0')
+ fracl--;
}
/* Process timezone. */
- if(tzp >= end)
- ; /* Nothing to do. */
+ if(tzp >= end) {
+ tzp = "";
+ tzl = 0;
+ }
else if(*tzp == 'Z') {
- tzp = " GMT";
- end = tzp + 4;
+ sep = " ";
+ tzp = "GMT";
+ tzl = 3;
+ }
+ else if((*tzp == '+') || (*tzp == '-')) {
+ sep = " UTC";
+ tzl = end - tzp;
}
else {
sep = " ";
- tzp++;
+ tzl = end - tzp;
}
- tzl = end - tzp;
return Curl_dyn_addf(store,
"%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s",
beg, beg + 4, beg + 6,
@@ -547,6 +559,15 @@ static CURLcode GTime2str(struct dynbuf *store,
sep, (int)tzl, tzp);
}
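Review bot: The final `else` branch in GTime2str still treats any byte that is not 'Z', '+' or '-' as the start of a timezone and copies the rest of the input verbatim into the output through `%.*s`, so a malformed certificate time can carry arbitrary bytes, including control characters, into the printable string exposed to certinfo consumers. ASN.1 GeneralizedTime permits only 'Z' or a '+'/'-' offset after the optional fraction, so the stricter choice is `else return CURLE_BAD_FUNCTION_ARGUMENT;`, consistent with the new rejection of a '.' or ',' that is not followed by digits. The `tzp >= end` branch also leaves sep untouched, which is only correct if sep is initialised to "" before the hunk; its declaration is outside the hunk, so please confirm. The function's beginning and the Curl_dyn_addf argument list are outside this hunk.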
+#ifdef UNITTESTS
+/* used by unit1656.c */
+CURLcode Curl_x509_GTime2str(struct dynbuf *store,
+ const char *beg, const char *end)
+{
+ return GTime2str(store, beg, end);
+}
+#endif
+
/*
* Convert an ASN.1 UTC time to a printable string.
*
diff --git a/libs/libcurl/src/vtls/x509asn1.h b/libs/libcurl/src/vtls/x509asn1.h
index 8d245c2d6d..b0155d11a2 100644
--- a/libs/libcurl/src/vtls/x509asn1.h
+++ b/libs/libcurl/src/vtls/x509asn1.h
@@ -77,5 +77,16 @@ CURLcode Curl_extract_certinfo(struct Curl_easy *data, int certnum,
const char *beg, const char *end);
CURLcode Curl_verifyhost(struct Curl_cfilter *cf, struct Curl_easy *data,
const char *beg, const char *end);
+
+#ifdef UNITTESTS
+#if defined(USE_GNUTLS) || defined(USE_SCHANNEL) || defined(USE_SECTRANSP) || \
+ defined(USE_MBEDTLS)
+
+/* used by unit1656.c */
+CURLcode Curl_x509_GTime2str(struct dynbuf *store,
+ const char *beg, const char *end);
+#endif
+#endif
+
#endif /* USE_GNUTLS or USE_WOLFSSL or USE_SCHANNEL or USE_SECTRANSP */
#endif /* HEADER_CURL_X509ASN1_H */
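Review bot: The new UNITTESTS guard lists USE_GNUTLS, USE_SCHANNEL, USE_SECTRANSP and USE_MBEDTLS, while the closing comment on the next line names USE_WOLFSSL and not USE_MBEDTLS as the header's backend set, and the x509asn1.c hunk defines Curl_x509_GTime2str under UNITTESTS alone. If the outer guard really includes USE_WOLFSSL, a wolfSSL unit-test build gets a definition without a prototype (a -Wmissing-prototypes warning) and an mbedTLS build may get a prototype without a definition; either align the inner list with the outer guard or drop it and rely on the outer guard, i.e. keep only `#ifdef UNITTESTS` around the declaration. The condition of the file's outer `#if` is outside the hunk, so this is inferred from its `#endif` comment and the .c hunk.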