From 69d3b201c14db069ad0aef4b21e8efb45e21df9b Mon Sep 17 00:00:00 2001 
From: dartraiden
Date: Sun, 12 Jan 2020 14:12:42 +0300
Subject: libcurl: update to 7.68

---
 libs/libcurl/docs/CHANGES | 9851 ++++++++++++++-------------
 libs/libcurl/docs/COPYING | 2 +-
 libs/libcurl/docs/THANKS | 32 +
 libs/libcurl/include/curl/curl.h | 15 +-
 libs/libcurl/include/curl/curlver.h | 8 +-
 libs/libcurl/include/curl/multi.h | 15 +-
 libs/libcurl/include/curl/system.h | 27 +-
 libs/libcurl/src/CMakeLists.txt | 1 -
 libs/libcurl/src/Makefile.in | 45 +-
 libs/libcurl/src/Makefile.inc | 11 +-
 libs/libcurl/src/Makefile.m32 | 4 +-
 libs/libcurl/src/altsvc.c | 10 +-
 libs/libcurl/src/asyn-thread.c | 14 +-
 libs/libcurl/src/checksrc.pl | 13 +-
 libs/libcurl/src/config-dos.h | 2 +-
 libs/libcurl/src/config-mac.h | 2 +-
 libs/libcurl/src/config-plan9.h | 1 -
 libs/libcurl/src/config-symbian.h | 3 -
 libs/libcurl/src/config-tpf.h | 4 -
 libs/libcurl/src/config-vxworks.h | 3 -
 libs/libcurl/src/config-win32.h | 10 +-
 libs/libcurl/src/config-win32ce.h | 2 +-
 libs/libcurl/src/conncache.c | 31 +-
 libs/libcurl/src/conncache.h | 24 +-
 libs/libcurl/src/connect.c | 12 +-
 libs/libcurl/src/cookie.c | 3 +-
 libs/libcurl/src/curl_base64.h | 2 +-
 libs/libcurl/src/curl_config.h.cmake | 9 +-
 libs/libcurl/src/curl_config.h.in | 3 +
 libs/libcurl/src/curl_des.c | 2 +-
 libs/libcurl/src/curl_des.h | 2 +-
 libs/libcurl/src/curl_endian.c | 2 +-
 libs/libcurl/src/curl_fnmatch.h | 2 +-
 libs/libcurl/src/curl_gethostname.h | 2 +-
 libs/libcurl/src/curl_ldap.h | 2 +-
 libs/libcurl/src/curl_memrchr.h | 2 +-
 libs/libcurl/src/curl_multibyte.c | 2 +-
 libs/libcurl/src/curl_multibyte.h | 13 +-
 libs/libcurl/src/curl_ntlm_core.h | 4 +-
 libs/libcurl/src/curl_ntlm_wb.c | 17 +-
 libs/libcurl/src/curl_rtmp.h | 2 +-
 libs/libcurl/src/curl_setup.h | 25 +-
 libs/libcurl/src/curl_setup_once.h | 28 +-
 libs/libcurl/src/curl_sha256.h | 2 +-
 libs/libcurl/src/curl_sspi.c | 2 +-
 libs/libcurl/src/curl_sspi.h | 2 +-
 libs/libcurl/src/curl_threads.c | 2 +-
 libs/libcurl/src/curl_threads.h | 2 +-
 libs/libcurl/src/dict.h | 2 +-
 libs/libcurl/src/doh.c | 196 +-
 libs/libcurl/src/doh.h | 6 +-
 libs/libcurl/src/dotdot.c | 2 +-
 libs/libcurl/src/dotdot.h | 2 +-
 libs/libcurl/src/easy.c | 23 +-
 libs/libcurl/src/easyif.h | 2 +-
 libs/libcurl/src/file.c | 8 +-
 libs/libcurl/src/file.h | 2 +-
 libs/libcurl/src/ftp.c | 4 +-
 libs/libcurl/src/ftplistparser.h | 2 +-
 libs/libcurl/src/getinfo.h | 2 +-
 libs/libcurl/src/gopher.h | 2 +-
 libs/libcurl/src/hostcheck.h | 2 +-
 libs/libcurl/src/hostip.c | 4 +
 libs/libcurl/src/hostip4.c | 12 +-
 libs/libcurl/src/hostsyn.c | 2 +-
 libs/libcurl/src/http.c | 13 +-
 libs/libcurl/src/http.h | 5 +
 libs/libcurl/src/http2.c | 7 +-
 libs/libcurl/src/http2.h | 2 +-
 libs/libcurl/src/http_ntlm.c | 9 +-
 libs/libcurl/src/http_proxy.c | 5 +-
 libs/libcurl/src/imap.h | 2 +-
 libs/libcurl/src/inet_ntop.c | 2 +-
 libs/libcurl/src/inet_ntop.h | 2 +-
 libs/libcurl/src/inet_pton.c | 2 +-
 libs/libcurl/src/inet_pton.h | 2 +-
 libs/libcurl/src/krb5.c | 2 +-
 libs/libcurl/src/ldap.c | 2 +-
 libs/libcurl/src/libcurl.plist | 6 +-
 libs/libcurl/src/llist.h | 2 +-
 libs/libcurl/src/memdebug.h | 2 +-
 libs/libcurl/src/mprintf.c | 4 +-
 libs/libcurl/src/multi.c | 151 +-
 libs/libcurl/src/multihandle.h | 16 +-
 libs/libcurl/src/nonblock.c | 2 +-
 libs/libcurl/src/nonblock.h | 2 +-
 libs/libcurl/src/parsedate.c | 24 +
 libs/libcurl/src/parsedate.h | 8 +-
 libs/libcurl/src/pop3.h | 2 +-
 libs/libcurl/src/progress.c | 18 +-
 libs/libcurl/src/quic.h | 4 +
 libs/libcurl/src/rtsp.h | 2 +-
 libs/libcurl/src/select.c | 2 +-
 libs/libcurl/src/select.h | 2 +-
 libs/libcurl/src/sendf.c | 4 +-
 libs/libcurl/src/setopt.c | 4 +-
 libs/libcurl/src/sha256.c | 2 +-
 libs/libcurl/src/slist.c | 2 +-
 libs/libcurl/src/slist.h | 2 +-
 libs/libcurl/src/smtp.h | 2 +-
 libs/libcurl/src/sockaddr.h | 2 +-
 libs/libcurl/src/socketpair.c | 3 +
 libs/libcurl/src/socks.h | 2 +-
 libs/libcurl/src/ssh.h | 254 -
 libs/libcurl/src/strdup.c | 2 +-
 libs/libcurl/src/strerror.c | 578 +-
 libs/libcurl/src/strerror.h | 3 +
 libs/libcurl/src/strtok.c | 2 +-
 libs/libcurl/src/strtok.h | 2 +-
 libs/libcurl/src/strtoofft.c | 2 +-
 libs/libcurl/src/telnet.c | 4 +-
 libs/libcurl/src/telnet.h | 2 +-
 libs/libcurl/src/tftp.h | 2 +-
 libs/libcurl/src/transfer.c | 9 +-
 libs/libcurl/src/url.c | 48 +-
 libs/libcurl/src/urldata.h | 23 +-
 libs/libcurl/src/vauth/cram.c | 2 +-
 libs/libcurl/src/vauth/digest.h | 2 +-
 libs/libcurl/src/version.c | 2 +-
 libs/libcurl/src/vquic/ngtcp2.c | 278 +-
 libs/libcurl/src/vquic/ngtcp2.h | 2 +-
 libs/libcurl/src/vquic/quiche.c | 28 +-
 libs/libcurl/src/vssh/libssh.c | 10 +-
 libs/libcurl/src/vssh/libssh2.c | 128 +-
 libs/libcurl/src/vssh/ssh.h | 254 +
 libs/libcurl/src/vtls/bearssl.c | 866 +++
 libs/libcurl/src/vtls/bearssl.h | 32 +
 libs/libcurl/src/vtls/gskit.h | 2 +-
 libs/libcurl/src/vtls/mbedtls.h | 2 +-
 libs/libcurl/src/vtls/nss.c | 2 +-
 libs/libcurl/src/vtls/openssl.c | 143 +-
 libs/libcurl/src/vtls/polarssl.h | 2 +-
 libs/libcurl/src/vtls/polarssl_threadlock.c | 2 +-
 libs/libcurl/src/vtls/polarssl_threadlock.h | 2 +-
 libs/libcurl/src/vtls/schannel.c | 8 +-
 libs/libcurl/src/vtls/schannel_verify.c | 23 +-
 libs/libcurl/src/vtls/vtls.c | 7 +-
 libs/libcurl/src/vtls/vtls.h | 1 +
 138 files changed, 7542 insertions(+), 6059 deletions(-)
 delete mode 100644 libs/libcurl/src/ssh.h
 create mode 100644 libs/libcurl/src/vssh/ssh.h
 create mode 100644 libs/libcurl/src/vtls/bearssl.c
 create mode 100644 libs/libcurl/src/vtls/bearssl.h
diff --git a/libs/libcurl/docs/CHANGES b/libs/libcurl/docs/CHANGES
index d35f541998..b1f1e20ee3 100644
--- a/libs/libcurl/docs/CHANGES
+++ b/libs/libcurl/docs/CHANGES
@@ -6,7094 +6,7125 @@ Changelog -Version 7.67.0 (5 Nov 2019) +Version 7.68.0 (8 Jan 2020) -Daniel Stenberg (5 Nov 2019) -- RELEASE-NOTES: synced - - The 7.67.0 release +Daniel Stenberg (8 Jan 2020) +- RELEASE-NOTES: 7.68.0 -- THANKS: add new names from 7.67.0 +- THANKS: updated with names from the 7.68.0 release -- configure: only say ipv6 enabled when the variable is set +- RELEASE-PROCEDURE: add four future release dates - Previously it could say "IPv6: enabled" at the end of the configure run - but the define wasn't set because of a missing getaddrinfo(). + and remove four past release dates - Reported-by: Marcel Raad - Fixes #4555 - Closes #4560 + [skip ci] -Marcel Raad (2 Nov 2019) -- certs/Server-localhost-lastSAN-sv: regenerate with sha256 +Marcel Raad (6 Jan 2020) +- TrackMemory tests: always remove CR before LF - All other certificates were regenerated in commit ba782baac30, but - this one was missed. - Fixes test3001 on modern systems. + It was removed for output containing ' =' via `s/ =.*//`. With classic + MinGW, this made lines with `free()` end with CRLF, but lines with e.g. + `malloc()` end with only LF. The tests expect LF only. - Closes https://github.com/curl/curl/pull/4551 - -Daniel Stenberg (2 Nov 2019) -- [Vilhelm Prytz brought this change] + Closes https://github.com/curl/curl/pull/4788 - copyrights: update all copyright notices to 2019 on files changed this year +Daniel Stenberg (6 Jan 2020) +- multi.h: move INITIAL_MAX_CONCURRENT_STREAMS from public header - Closes #4547 - -- [Bastien Bouclet brought this change] + ... to the private multihhandle.h. It is not for public use and it + wasn't prefixed correctly anyway! 
+ + Closes #4790 - mbedtls: add error message for cert validity starting in the future +- file: fix copyright year range - Closes #4552 + Follow-up to 1b71bc532bd -Jay Satiro (1 Nov 2019) -- schannel_verify: Fix concurrent openings of CA file +- curl -w: handle a blank input file correctly - - Open the CA file using FILE_SHARE_READ mode so that others can read - from it as well. + Previously it would end up with an uninitialized memory buffer that + would lead to a crash or junk getting output. - Prior to this change our schannel code opened the CA file without - sharing which meant concurrent openings (eg an attempt from another - thread or process) would fail during the time it was open without - sharing, which in curl's case would cause error: - "schannel: failed to open CA file". + Added test 1271 to verify. - Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html - Reported-by: Richard Alcock + Reported-by: Brian Carpenter + Closes #4786 -Daniel Stenberg (31 Oct 2019) -- gtls: make gnutls_bye() not wait for response on shutdown - - ... as it can make it wait there for a long time for no good purpose. +- file: on Windows, refuse paths that start with \\ - Patched-by: Jay Satiro - Reported-by: Bylon2 on github - Adviced-by: Nikos Mavrogiannopoulos + ... as that might cause an unexpected SMB connection to a given host + name. 
- Fixes #4487 - Closes #4541 + Reported-by: Fernando Muñoz + CVE-2019-15601 + Bug: https://curl.haxx.se/docs/CVE-2019-15601.html -- [Michał Janiszewski brought this change] +Jay Satiro (6 Jan 2020) +- CURLOPT_READFUNCTION.3: fix fopen params in example - appveyor: publish artifacts on appveyor +- CURLOPT_READFUNCTION.3: fix variable name in example - This allows obtaining upstream builds of curl directly from appveyor for - all the available configurations + Reported-by: Paul Joyce - Closes #4509 + Fixes https://github.com/curl/curl/issues/4787 -- url: make Curl_close() NULLify the pointer too - - This is the common pattern used in the code and by a unified approach we - avoid mistakes. +Daniel Stenberg (5 Jan 2020) +- curl:getparameter return error for --http3 if libcurl doesn't support - Closes #4534 - -- [Trivikram Kamat brought this change] + Closes #4785 - INSTALL: add missing space for configure commands +- docs: mention CURL_MAX_INPUT_LENGTH restrictions - Closes #4539 + ... for curl_easy_setopt() and curl_url_set(). + + [skip ci] + + Closes #4783 -- url: Curl_free_request_state() should also free doh handles +- curl: properly free mimepost data - ... or risk DoH memory leaks. + ... as it could otherwise leak memory when a transfer failed. - Reported-by: Paul Dreik - Fixes #4463 - Closes #4527 + Added test 1293 to verify. + + Reported-by: Brian Carpenter + Fixes #4781 + Closes #4782 -- examples: remove the "this exact code has not been verified" +- curl: cleanup multi handle on failure - ... as really confuses the reader to not know what to believe! + ... to fix memory leak in error path. + + Fixes #4772 + Closes #4780 + Reported-by: Brian Carpenter -- [Trivikram Kamat brought this change] +Marcel Raad (3 Jan 2020) +- lib: fix compiler warnings with `CURL_DISABLE_VERBOSE_STRINGS` + + Closes https://github.com/curl/curl/pull/4775 - HTTP3: fix typo somehere1 > somewhere1 +Daniel Stenberg (3 Jan 2020) +- COPYING: it's 2020! 
- Closes #4535 + [skip ci] -Jay Satiro (28 Oct 2019) -- [Javier Blazquez brought this change] +Jay Satiro (3 Jan 2020) +- [Marc Aldorasi brought this change] - HTTP3: fix invalid use of sendto for connected UDP socket + tests: Fix bounce requests with truncated writes - On macOS/BSD, trying to call sendto on a connected UDP socket fails - with a EISCONN error. Because the singleipconnect has already called - connect on the socket when we're trying to use it for QUIC transfers - we need to use plain send instead. + Prior to this change the swsbounce check in service_connection could + fail because prevtestno and prevpartno were not set, which would cause + the wrong response data to be sent to some tests and cause them to fail. - Fixes #4529 - Closes https://github.com/curl/curl/pull/4533 - -Daniel Stenberg (28 Oct 2019) -- RELEASE-NOTES: synced + Ref: https://github.com/curl/curl/pull/4717#issuecomment-570240785 -- [Javier Blazquez brought this change] - - HTTP3: fix Windows build - - The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv - in order to perform nonblocking operations. On Windows this flag does - not exist. Instead, the socket must be set to nonblocking mode via - ioctlsocket. +Marcel Raad (31 Dec 2019) +- tool: make a few char pointers point to const char instead - This change sets the nonblocking flag on UDP sockets used for QUIC on - all platforms so the use of MSG_DONTWAIT is not needed. + These are read-only. - Fixes #4531 - Closes #4532 + Closes https://github.com/curl/curl/pull/4771 -Marcel Raad (27 Oct 2019) -- appveyor: add --disable-proxy autotools build +Jay Satiro (31 Dec 2019) +- tests: Change NTLM tests to require SSL - This would have caught issue #3926. + Prior to this change tests that required NTLM feature did not require + SSL feature. - Also make formatting more consistent. + There are pending changes to cmake builds that will allow enabling NTLM + in non-SSL builds in Windows. 
In that case the NTLM auth strings created + are different from what is expected by the NTLM tests and they fail: - Closes https://github.com/curl/curl/pull/4526 - -Daniel Stenberg (25 Oct 2019) -- appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017 + "The issue with NTLM is that previous non-SSL builds would not enable + NTLM and so the NTLM tests would be skipped." - ... and invoke "curl -V" once done + Assisted-by: marc-groundctl@users.noreply.github.com - Co-Authored-By: Jay Satiro + Ref: https://github.com/curl/curl/pull/4717#issuecomment-566218729 - Closes #4523 + Closes https://github.com/curl/curl/pull/4768 -- [Francois Rivard brought this change] +- [Michael Forney brought this change] - schannel: reverse the order of certinfo insertions + bearssl: Improve I/O handling - Fixes #4518 - Closes #4519 - -Marcel Raad (24 Oct 2019) -- test1591: fix spelling of http feature + Factor out common I/O loop as bearssl_run_until, which reads/writes TLS + records until the desired engine state is reached. This is now used for + the handshake, read, write, and close. - The test never got run because the feature name is `http` in lowercase. + Match OpenSSL SSL_write behavior, and don't return the number of bytes + written until the corresponding records have been completely flushed + across the socket. This involves keeping track of the length of data + buffered into the TLS engine, and assumes that when CURLE_AGAIN is + returned, the write function will be called again with the same data + and length arguments. This is the same requirement of SSL_write. - Closes https://github.com/curl/curl/pull/4520 - -Daniel Stenberg (23 Oct 2019) -- [Michał Janiszewski brought this change] + Handle TLS close notify as EOF when reading by returning 0. 
+ + Closes https://github.com/curl/curl/pull/4748 - appveyor: Use two parallel compilation on appveyor with CMake +- travis: Fix error detection - Appveyor provides 2 CPUs for each builder[1], make sure to use parallel - compilation, when running with CMake. CMake learned this new option in - version 3.12[2] and the version provided by appveyor is fresh enough. + - Stop using inline shell scripts for before_script and script sections. - Curl doesn't really take that long to build and it is using the slowest - builder available, msbuild, so expect only a moderate improvement in - build times. + Prior to this change Travis could ignore errors from commands in inline + scripts. I don't understand how or why it happens. This is a workaround. - [1] https://www.appveyor.com/docs/build-environment/ - [2] https://cmake.org/cmake/help/v3.12/release/3.12.html + Assisted-by: Simon Warta - Closes #4508 + Ref: https://github.com/travis-ci/travis-ci/issues/1066 + + Fixes https://github.com/curl/curl/issues/3730 + Closes https://github.com/curl/curl/pull/3755 -- conn-reuse: requests wanting NTLM can reuse non-NTLM connections +- tool_operate: fix mem leak when failed config parse - Added test case 338 to verify. + Found by fuzzing the config file. - Reported-by: Daniel Silverstone - Fixes #4499 - Closes #4514 - -Marcel Raad (23 Oct 2019) -- tests: add missing proxy features + Reported-by: Geeknik Labs + + Fixes https://github.com/curl/curl/issues/4767 -Daniel Stenberg (22 Oct 2019) -- RELEASE-NOTES: synced +- [Xiang Xiao brought this change] -Marcel Raad (21 Oct 2019) -- tests: use %FILE_PWD for file:// URLs + lib: remove erroneous +x file permission on some c files - This way, we always have exactly one slash after the host name, making - the tests pass when curl is compiled with the MSYS GCC. + Modified by commit eb9a604 accidentally. 
- Closes https://github.com/curl/curl/pull/4512 + Closes https://github.com/curl/curl/pull/4756 -- tests: add `connect to non-listen` keywords +- [Xiang Xiao brought this change] + + lib: fix warnings found when porting to NuttX - These tests try to connect to ports nothing is listening on. + - Undefine DEBUGASSERT in curl_setup_once.h in case it was already + defined as a system macro. - Closes https://github.com/curl/curl/pull/4511 - -- runtests: get textaware info from curl instead of perl + - Don't compile write32_le in curl_endian unless + CURL_SIZEOF_CURL_OFF_T > 4, since it's only used by Curl_write64_le. - The MSYS system on Windows can run the test suite for curl built with - any toolset. When built with the MSYS GCC, curl uses Unix line endings, - while it uses Windows line endings when built with the MinGW GCC, and - `^O` reports 'msys' in both cases. Use the curl executable itself to - determine the line endings instead, which reports 'x86_64-pc-msys' when - built with the MSYS GCC. + - Include in socketpair.c. - Closes https://github.com/curl/curl/pull/4506 + Closes https://github.com/curl/curl/pull/4756 -Daniel Stenberg (20 Oct 2019) -- [Michał Janiszewski brought this change] - - appveyor: Add MSVC ARM64 build +- os400: Add missing CURLE error constants - Closes #4507 + Bug: https://github.com/curl/curl/pull/4754#issuecomment-569126922 + Reported-by: Emil Engler -- http2_recv: a closed stream trumps pause state +- CURLOPT_HEADERFUNCTION.3: Document that size is always 1 - ... and thus should return 0, not EAGAIN. + For compatibility with `fwrite`, the `CURLOPT_HEADERFUNCTION` callback + is passed two `size_t` parameters which, when multiplied, designate the + number of bytes of data passed in. In practice, CURL always sets the + first parameter (`size`) to 1. - Reported-by: Tom van der Woerdt - Fixes #4496 - Closes #4505 - -- http2: expire a timeout at end of stream + This practice is also enshrined in documentation and cannot be changed + in future. 
The documentation states that the default callback is + `fwrite`, which means `fwrite` must be a suitable function for this + purpose. However, the documentation also states that the callback must + return the number of *bytes* it successfully handled, whereas ISO C + `fwrite` returns the number of items (each of size `size`) which it + wrote. The only way these numbers can be equal is if `size` is 1. - To make sure that transfer is being dealt with. Streams without - Content-Length need a final read to notice the end-of-stream state. + Since `size` is 1 and can never be changed in future anyway, document + that fact explicitly and let users rely on it. - Reported-by: Tom van der Woerdt - Fixes #4496 - -Dan Fandrich (18 Oct 2019) -- travis: Add an ARM64 build + Reported-by: Frank Gevaerts + Commit-message-by: Christopher Head - Test 323 is failing for some reason, so disable it there for now. + Ref: https://github.com/curl/curl/pull/2787 + + Fixes https://github.com/curl/curl/issues/4758 -Marcel Raad (18 Oct 2019) -- examples/sslbackend: fix -Wchar-subscripts warning +- examples/postinmemory.c: Call curl_global_cleanup always - With the `isdigit` implementation that comes with MSYS2, the argument - is used as an array subscript, resulting in a -Wchar-subscripts - warning. `isdigit`'s behavior is undefined if the argument is negative - and not EOF [0]. As done in lib/curl_ctype.h, cast the `char` variable - to `unsigned char` to avoid that. + Prior to this change curl_global_cleanup was not called if + curl_easy_init failed. 
- [0] https://en.cppreference.com/w/c/string/byte/isdigit + Reported-by: kouzhudong@users.noreply.github.com - Closes https://github.com/curl/curl/pull/4503 + Fixes https://github.com/curl/curl/issues/4751 -Daniel Stenberg (18 Oct 2019) -- configure: remove all cyassl references +Daniel Stenberg (21 Dec 2019) +- url2file.c: fix copyright year - In particular, this removes the case where configure would find an old - cyall installation rather than a wolfssl one if present. The library is - named wolfssl in modern days so there's no real need to keep support for - the former. - - Reported-by: Jacob Barthelmeh - Closes #4502 + Follow-up to 525787269599b5 -Marcel Raad (17 Oct 2019) -- test1162: disable MSYS2's POSIX path conversion +- [Rickard Hallerbäck brought this change] + + examples/url2file.c: corrected a comment - This avoids MSYS2 converting the backslasb in the URL to a slash, - causing the test to fail. + The comment was confusing and suggested that setting CURLOPT_NOPROGRESS + to 0L would both enable and disable debug output at the same time, like + a Schrödinger's cat of CURLOPTs. + + Closes #4745 + +- HISTORY: OSS-Fuzz started fuzzing libcurl in 2017 -Daniel Stenberg (17 Oct 2019) - RELEASE-NOTES: synced -Jay Satiro (16 Oct 2019) -- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time +Jay Satiro (20 Dec 2019) +- ngtcp2: Support the latest update key callback type - Prior to this change some users did not understand that the "request" - starts when the handle is added to the multi handle, or probably they - did not understand that some of those transfers may be queued and that - time is included in timeout. + - Remove our cb_update_key in favor of ngtcp2's new + ngtcp2_crypto_update_key_cb which does the same thing. - Reported-by: Jeroen Ooms + Several days ago the ngtcp2_update_key callback function prototype was + changed in ngtcp2/ngtcp2@42ce09c. 
Though it would be possible to + fix up our cb_update_key for that change they also added + ngtcp2_crypto_update_key_cb which does the same thing so we'll use that + instead. - Fixes https://github.com/curl/curl/issues/4486 - Closes https://github.com/curl/curl/pull/4489 - -- [Stian Soiland-Reyes brought this change] + Ref: https://github.com/ngtcp2/ngtcp2/commit/42ce09c + + Closes https://github.com/curl/curl/pull/4735 - tool_operate: Fix retry sleep time shown to user when Retry-After +Daniel Stenberg (19 Dec 2019) +- sws: search for "Testno:" header uncondtionally if no testno - - If server header Retry-After is being used for retry sleep time then - show that value to the user instead of the normal retry sleep time. + Even if the initial request line wasn't found. With the fix to 1455, the + test number is now detected correctly. - This is a follow-up to 640b973 (7.66.0) which changed curl tool so that - the value from Retry-After header overrides other retry timing options. + (Problem found when running tests in random order.) - Closes https://github.com/curl/curl/pull/4498 + Closes #4744 -Daniel Stenberg (16 Oct 2019) -- url: normalize CURLINFO_EFFECTIVE_URL +- tests: set LC_ALL in more tests - The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as - input in most cases, which made it not get a scheme prefixed like before - if the URL was given without one, and it didn't remove dotdot sequences - etc. + Follow-up to 23208e330ac0c21 - Added test case 1907 to verify that this now works as intended and as - before 7.62.0. + Closes #4743 + +- test165: set LC_ALL=en_US.UTF-8 too - Regression introduced in 7.62.0 + On my current Debian Unstable with libidn2 2.2.0, I get an error if + LC_ALL is set to blank. 
Then curl errors out with: - Reported-by: Christophe Dervieux - Fixes #4491 - Closes #4493 + curl: (3) Failed to convert www.åäö.se to ACE; could not convert string to UTF-8 + + Closes #4738 -Marcel Raad (16 Oct 2019) -- tests: line ending fixes for Windows +- curl.h: add two defines for the "pre ISO C" case - Mark some files as text. + Without this fix, this caused a compilation failure on AIX with IBM xlc + 13.1.3 compiler. - Closes https://github.com/curl/curl/pull/4490 + Reported-by: Ram Krushna Mishra + Fixes #4739 + Closes #4740 -- tests: use proxy feature +- create_conn: prefer multiplexing to using new connections - This makes the tests succeed when using --disable-proxy. + ... as it would previously prefer new connections rather than + multiplexing in most conditions! The (now removed) code was a leftover + from the Pipelining code that was translated wrongly into a + multiplex-only world. - Closes https://github.com/curl/curl/pull/4488 + Reported-by: Kunal Ekawde + Bug: https://curl.haxx.se/mail/lib-2019-12/0060.html + Closes #4732 -- smbserver: fix Python 3 compatibility +- test1456: remove the use of a fixed local port - Python 2's `ConfigParser` module is spelled `configparser` in Python 3. + Fixup the test to instead not compare the port number. It sometimes + caused problems like this: - Closes https://github.com/curl/curl/pull/4484 + "curl: (45) bind failed with errno 98: Address already in use" + + Closes #4733 -- security: silence conversion warning +Jay Satiro (18 Dec 2019) +- CURLOPT_QUOTE.3: fix typos - With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer, - while `read` expects a 32 bit signed integer. - Use `sread` instead of `read` to use the correct parameter type. + Prior to this change the EXAMPLE in the QUOTE/PREQUOTE/POSTQUOTE man + pages would not compile because a variable name was incorrect. 
- Closes https://github.com/curl/curl/pull/4483 + Reported-by: Bylon2@users.noreply.github.com + + Fixes https://github.com/curl/curl/issues/4736 -- connect: silence sign-compare warning +- [Gisle Vanem brought this change] + + strerror: Fix compiler warning "empty expression" - With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the - result of `sizeof` is unsigned. + - Remove the final semi-colon in the SEC2TXT() macro definition. - Closes https://github.com/curl/curl/pull/4483 + Before: #define SEC2TXT(sec) case sec: txt = #sec; break; + + After: #define SEC2TXT(sec) case sec: txt = #sec; break + + Prior to this change SEC2TXT(foo); would generate break;; which caused + the empty expression warning. + + Ref: https://github.com/curl/curl/commit/5b22e1a#r36458547 -Daniel Stenberg (13 Oct 2019) -- TODO: Handle growing SFTP files +Daniel Stenberg (18 Dec 2019) +- curl/parseconfig: use curl_free() to free memory allocated by libcurl - Closes #4344 + Reported-by: bxac on github + Fixes #4730 + Closes #4731 -- KNOWN_BUGS: remove "CURLFORM_CONTENTLEN in an array" +- curl/parseconfig: fix mem-leak - The curl_formadd() function is deprecated and shouldn't be used so the - real fix for applications is to switch to the curl_mime_* API. + When looping, first trying '.curlrc' and then '_curlrc', the function + would not free the first string. 
+ + Closes #4731 -- KNOWN_BUGS: "LDAP on Windows does authentication wrong" +- CURLOPT_URL.3: "curl supports SMB version 1 (only)" - Closes #3116 + [skip ci] -- appveyor: add a winbuild that uses VS2017 +- test1270: a basic -w redirect_url test - Closes #4482 + Closes #4728 -- [Harry Sintonen brought this change] +- HISTORY: the SMB(S) support landed in 2014 - socketpair: fix include and define for older TCP header systems +- define: remove HAVE_ENGINE_LOAD_BUILTIN_ENGINES, not used anymore - fixed build for systems that need netinet/in.h for IPPROTO_TCP and are - missing INADDR_LOOPBACK + It is covered by USE_OPENSSL_ENGINE now. - Closes #4480 - -- socketpair: fix double-close in error case + Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/87b9337c8f76c21c57b204e88b68c6ecf3bd1ac0#commitcomment-36447951 - Follow-up to bc2dbef0afc08 - -- gskit: use the generic Curl_socketpair - -- asyn-thread: make use of Curl_socketpair() where available + Closes #4725 -- socketpair: an implemention for Windows and more +- lib: remove ASSIGNWITHINCONDITION exceptions, use our code style - Curl_socketpair() is designed to be used and work everywhere if there's - no native version or the native version isn't good enough. + ... even for macros - Closes #4466 + Reviewed-by: Daniel Gustafsson + Reviewed-by: Jay Satiro + Reported-by: Jay Satiro + Fixes #4683 + Closes #4722 -- RELEASE-NOTES: synced +- tests: make sure checksrc runs on header files too -- connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT +- Revert "checksrc: fix regexp for ASSIGNWITHINCONDITION" - Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no - matter what errno said. - - This makes for example --retry work on these transfer failures. + This reverts commit ba82673dac3e8d00a76aa5e3779a0cb80e7442af. - Reported-by: Nathaniel J. 
Smith - Fixes #4461 - Clsoes #4462 + Bug: #4683 -- cirrus: switch off blackhole status on the freebsd CI machines +- KNOWN_BUGS: TLS session cache doesn't work with TFO + + [skip ci] + Closes #4301 -- tests: use port 2 instead of 60000 for a safer non-listening port +- KNOWN_BUGS: Connection information when using TCP Fast Open - ... when the tests want "connection refused". + Also point to #4296 for more details + Closes #4296 -- KNOWN_BUGS: IDN tests failing on Windows +- KNOWN_BUGS: LDAP on Windows doesn't work - Closes #3747 + Closes #4261 -Dan Fandrich (9 Oct 2019) -- cirrus: Increase the git clone depth. +- docs: TLS SRP doesn't work with TLS 1.3 - If more commits are submitted to master between the time of triggering - the first Cirrus build and the time the final build gets started, the - desired commit is no longer at HEAD and the build will error out. + Reported-by: sayrer on github + Closes #4262 [skip ci] -Daniel Stenberg (9 Oct 2019) -- docs: make sure the --no-progress-meter docs file is in dist too +Dan Fandrich (16 Dec 2019) +- cirrus: Switch to the FreeBSD 12.1 point release & enable more tests. + + A few tests are now passing on FreeBSD, so no longer skip them. + [skip ci] -- docs: document it as --no-progress-meter instead of the reverse +Daniel Stenberg (16 Dec 2019) +- azure: the macos cmake doesn't need to install cmake - Follow-up to 93373a960c3bb4 + Error: cmake 3.15.5 is already installed + To upgrade to 3.16.1, run `brew upgrade cmake`. - Reported-by: infinnovation-dev on github - Fixes #4474 - Closes #4475 + Closes #4723 -Dan Fandrich (9 Oct 2019) -- cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build. +Jay Satiro (15 Dec 2019) +- winbuild: Document CURL_STATICLIB requirement for static libcurl - Also, select the images using image_family to get the latest snapshots - automatically. 
- [skip ci] - -Daniel Stenberg (8 Oct 2019) -- curl: --no-progress-meter + A static libcurl (ie winbuild mode=static) requires that the user define + CURL_STATICLIB when using it in their application. This is already + covered in the FAQ and INSTALL.md, but is a pretty important point so + now it's noted in the BUILD.WINDOWS.txt as well. - New option that allows a user to ONLY switch off curl's progress meter - and leave everything else in "talkative" mode. + Assisted-by: Michael Vittiglio - Reported-by: Piotr Komborski - Fixes #4422 - Closes #4470 + Closes https://github.com/curl/curl/pull/4721 -- TODO: Consult %APPDATA% also for .netrc +Daniel Stenberg (15 Dec 2019) +- [Santino Keupp brought this change] + + libssh2: add support for ECDSA and ed25519 knownhost keys - Closes #4016 + ... if a new enough libssh2 version is present. + + Source: https://curl.haxx.se/mail/archive-2019-12/0023.html + Co-Authored-by: Daniel Stenberg + Closes #4714 -- CURLOPT_TIMEOUT.3: remove the mention of "minutes" +- lib1591: free memory properly on OOM, in the trailers callback - ... just say that limiting operations risk aborting otherwise fine - working transfers. If that means seconds, minutes or hours, we leave to - the user. + Detected by torture tests. - Reported-by: Martin Gartner - Closes #4469 + Closes #4720 -- [Andrei Valeriu BICA brought this change] +- runtests: --repeat=[num] to repeat tests + + Closes #4715 - docs: added multi-event.c example +- RELEASE-NOTES: synced + +- azure: add a torture test on mac - Similar to multi-uv.c but using libevent 2. This is a simpler libevent - integration example then hiperfifo.c. + Uses --shallow=25 to keep it small enough to get through in time. - Closes #4471 - -Jay Satiro (5 Oct 2019) -- [Nicolas brought this change] + Closes #4712 - ldap: fix OOM error on missing query string +- multi: free sockhash on OOM - - Allow missing queries, don't return NO_MEMORY error in such a case. + This would otherwise leak memory in the error path. 
- It is acceptable for there to be no specified query string, for example: + Detected by torture test 1540. - curl ldap://ldap.forumsys.com + Closes #4713 + +Marcel Raad (13 Dec 2019) +- tests: use DoH feature for DoH tests - A regression bug in 1b443a7 caused this issue. + Previously, http/2 was used instead. - This is a partial fix for #4261. + Assisted-by: Jay Satiro + Closes https://github.com/curl/curl/pull/4692 + +- hostip: suppress compiler warning - Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077 - Reported-by: Jojojov@users.noreply.github.com - Analyzed-by: Samuel Surtees + With `--disable-doh --disable-threaded-resolver`, the `dns` parameter + is not used. - Closes https://github.com/curl/curl/pull/4467 + Closes https://github.com/curl/curl/pull/4692 -- [Paul B. Omta brought this change] +- tests: fix build with `CURL_DISABLE_DOH` + + Closes https://github.com/curl/curl/pull/4692 - build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines +Daniel Stenberg (13 Dec 2019) +- azure: add a torture test - Closes https://github.com/curl/curl/pull/4460 + Skipping all FTP tests for speed reasons. + + Closes #4697 -Daniel Stenberg (5 Oct 2019) -- RELEASE-NOTES: synced +- azure: make the default build use --enable-debug --enable-werror -- [Stian Soiland-Reyes brought this change] +- ntlm_wb: fix double-free in OOM + + Detected by torture testing test 1310 + + Closes #4710 - curl: ensure HTTP 429 triggers --retry +Dan Fandrich (13 Dec 2019) +- cirrus: Drop the FreeBSD 10.4 build - This completes #3794. + Upstream support for 10.4 ended a year ago, and it looks like the image + is now gone, too. 
+ [skip ci] + +Daniel Stenberg (13 Dec 2019) +- unit1620: fix bad free in OOM - Also make sure the new tests from #4195 are enabled + Closes #4709 + +- unit1609: fix mem-leak in OOM - Closes #4465 + Closes #4709 -Marcel Raad (4 Oct 2019) -- [apique brought this change] +- unit1607: fix mem-leak in OOM + + Closes #4709 - winbuild: add ENABLE_UNICODE option +- lib1559: fix mem-leak in OOM - Fixes https://github.com/curl/curl/issues/4308 - Closes https://github.com/curl/curl/pull/4309 + Closes #4709 -Daniel Stenberg (4 Oct 2019) -- ngtcp2: adapt to API change +- lib1557: fix mem-leak in OOM - Closes #4457 + Closes #4709 -- cookies: change argument type for Curl_flush_cookies +- altsvc: make the save function ignore NULL filenames - The second argument is really a 'bool' so use that and pass in TRUE/FALSE - to make it clear. + It might happen in OOM situations. Detected bv torture tests. - Closes #4455 + Closes #4707 -- http2: move state-init from creation to pre-transfer +- curl: fix memory leak in OOM in etags logic - To make sure that the HTTP/2 state is initialized correctly for - duplicated handles. It would otherwise easily generate "spurious" - PRIORITY frames to get sent over HTTP/2 connections when duplicated easy - handles were used. + Detected by torture tests - Reported-by: Daniel Silverstone - Fixes #4303 - Closes #4442 + Closes #4706 -- urlapi: fix use-after-free bug +- doh: make it behave when built without proxy support - Follow-up from 2c20109a9b5d04 + Reported-by: Marcel Raad + Bug: https://github.com/curl/curl/pull/4692#issuecomment-564115734 - Added test 663 to verify. 
+ Closes #4704 + +- curl: improved cleanup in upload error path - Reported by OSS-Fuzz - Bug: https://crbug.com/oss-fuzz/17954 + Memory leak found by torture test 58 - Closes #4453 + Closes #4705 -- [Paul Dreik brought this change] +- mailmap: fix Andrew Ishchuk - cookie: avoid harmless use after free +- travis: make torture use --shallow=40 - This fix removes a use after free which can be triggered by - the internal cookie fuzzer, but otherwise is probably - impossible to trigger from an ordinary application. - - The following program reproduces it: + As a first step to enable it to run over a more diverse set of tests in + a reasonable time. + +- runtests: introduce --shallow to reduce huge torture tests - curl_global_init(CURL_GLOBAL_DEFAULT); - CURL* handle=curl_easy_init(); - CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); - curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); - Curl_flush_cookies(handle, true); - Curl_cookie_cleanup(info); - curl_easy_cleanup(handle); - curl_global_cleanup(); + When set, shallow mode limits runtests -t to make no more than NUM fails + per test case. If more are found, it will randomly discard entries until + the number is right. The random seed can also be set. - This was found through fuzzing. + This is particularly useful when running MANY tests as then most torture + failures will already fail the same functions over and over and make the + total operation painfully tedious. - Closes #4454 + Closes #4699 -- [Denis Chaplygin brought this change] - - docs: add note on failed handles not being counted by curl_multi_perform +- conncache: CONNECT_ONLY connections assumed always in-use - Closes #4446 - -- CURLMOPT_MAX_CONCURRENT_STREAMS.3: fix SEE ALSO typo + This makes them never to be considered "the oldest" to be discarded when + reaching the connection cache limit. 
The reasoning here is that + CONNECT_ONLY is primarily used in combination with using the + connection's socket post connect and since that is used outside of + curl's knowledge we must assume that it is in use until explicitly + closed. + + Reported-by: Pavel Pavlov + Reported-by: Pavel Löbl + Fixes #4426 + Fixes #4369 + Closes #4696 -- [Niall brought this change] +- [Gisle Vanem brought this change] - ESNI: initial build/setup + vtls: make BearSSL possible to set with CURL_SSL_BACKEND - Closes #4011 + Ref: https://github.com/curl/curl/commit/9b879160df01e7ddbb4770904391d3b74114302b#commitcomment-36355622 + + Closes #4698 - RELEASE-NOTES: synced -- redirect: when following redirects to an absolute URL, URL encode it +- travis: remove "coverage", make it "torture" - ... to make it handle for example (RFC violating) embeded spaces. + The coveralls service and test coverage numbers are just too unreliable. + Removed badge from README.md as well. - Reported-by: momala454 on github - Fixes #4445 - Closes #4447 - -- urlapi: fix URL encoding when setting a full URL + Fixes #4694 + Closes #4695 -- tool_operate: rename functions to make more sense +- azure: add libssh2 and cmake macos builds + + Removed the macos libssh2 build from travis + + Closes #4686 -- curl: create easy handles on-demand and not ahead of time +- curl: use errorf() better - This should again enable crazy-large download ranges of the style - [1-10000000] that otherwise easily ran out of memory starting in 7.66.0 - when this new handle allocating scheme was introduced. + Change series of error outputs to use errorf(). - Reported-by: Peter Sumatra - Fixes #4393 - Closes #4438 + Only errors that are due to mistakes in command line option usage should + use helpf(), other types of errors in the tool should rather use + errorf(). 
+ + Closes #4691 -- [Kunal Ekawde brought this change] +Jay Satiro (9 Dec 2019) +- [Marc Hoersken brought this change] - CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt + tests: make it possible to set executable extensions - Closes #4410 - -- chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error + This enables the use of Windows Subsystem for Linux (WSL) to run the + testsuite against Windows binaries while using Linux servers. - Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the - response is chunked-encoded. + This commit introduces the following environment variables: + - CURL_TEST_EXE_EXT: set the executable extension for all components + - CURL_TEST_EXE_EXT_TOOL: set it for the curl tool only + - CURL_TEST_EXE_EXT_SSH: set it for the SSH tools only - Reported-by: Ilya Kosarev - Fixes #4310 - Closes #4449 - -Marcel Raad (1 Oct 2019) -- checksrc: fix uninitialized variable warning + Later testcurl.pl could be adjusted to make use of those variables. + - CURL_TEST_EXE_EXT_SRV: set it for the test servers only - The loop doesn't need to be executed without a file argument. + (This is one of several commits to support use of WSL for the tests.) - Closes https://github.com/curl/curl/pull/4444 + Closes https://github.com/curl/curl/pull/3899 -- urlapi: fix unused variable warning +- [Marc Hoersken brought this change] + + tests: fix permissions of ssh keys in WSL - `dest` is only used with `ENABLE_IPV6`. + Keys created on Windows Subsystem for Linux (WSL) require it for some + reason. - Closes https://github.com/curl/curl/pull/4444 - -- lib: silence conversion warnings + (This is one of several commits to support use of WSL for the tests.) 
- Closes https://github.com/curl/curl/pull/4444 + Ref: https://github.com/curl/curl/pull/3899 -- AppVeyor: add 32-bit MinGW-w64 build +- [Marc Hoersken brought this change] + + tests: use \r\n for log messages in WSL - With WinSSL and testing enabled so that it would have detected most of - the warnings fixed in [0] and [1]. + Bash in Windows Subsystem for Linux (WSL) requires it for some reason. - [0] https://github.com/curl/curl/pull/4398 - [1] https://github.com/curl/curl/pull/4415 + (This is one of several commits to support use of WSL for the tests.) - Closes https://github.com/curl/curl/pull/4433 + Ref: https://github.com/curl/curl/pull/3899 -- AppVeyor: remove MSYS2_ARG_CONV_EXCL for winbuild +- [Andrew Ishchuk brought this change] + + winbuild: Define CARES_STATICLIB when WITH_CARES=static - It's only used for MSYS2 with MinGW. + When libcurl is built with MODE=static, c-ares is forced into static + linkage too. That doesn't happen when MODE=dll so linker would break + over undefined symbols. - Closes + closes https://github.com/curl/curl/pull/4688 -Daniel Stenberg (30 Sep 2019) -- [Emil Engler brought this change] - - git: add tests/server/disabled to .gitignore +Daniel Stenberg (9 Dec 2019) +- conn: always set bits.close with connclose() - Closes #4441 + Closes #4690 -- altsvc: accept quoted ma and persist values +- cirrus: enable clang sanitizers on freebsd 13 + +- conncache: fix multi-thread use of shared connection cache - As mandated by the spec. Test 1654 is extended to verify. + It could accidentally let the connection get used by more than one + thread, leading to double-free and more. 
- Closes #4443 + Reported-by: Christopher Reid + Fixes #4544 + Closes #4557 -- mailmap: a Lucas fix - -Alessandro Ghedini (29 Sep 2019) -- [Lucas Pardue brought this change] +- azure: add a vanilla macos build + + Closes #4685 - quiche: update HTTP/3 config creation to new API +- curl: make the etag load logic work without fseek + + The fseek()s were unnecessary and caused Coverity warning CID 1456554 + + Closes #4681 -Daniel Stenberg (29 Sep 2019) -- BINDINGS: PureBasic, Net::Curl for perl and Nim +- mailmap: Mohammad Hasbini -- BINDINGS: Kapito is an Erlang library, basically a binding +- [Mohammad Hasbini brought this change] -- BINDINGS: added clj-curl + docs: fix some typos - Reported-by: Lucas Severo + Closes #4680 -- [Jay Satiro brought this change] +- RELEASE-NOTES: synced - docs: disambiguate CURLUPART_HOST is for host name (ie no port) +Jay Satiro (5 Dec 2019) +- lib: fix some loose ends for recently added CURLSSLOPT_NO_PARTIALCHAIN - Closes #4424 - -- cookies: using a share with cookies shouldn't enable the cookie engine + Add support for CURLSSLOPT_NO_PARTIALCHAIN in CURLOPT_PROXY_SSL_OPTIONS + and OS400 package spec. - The 'share object' only sets the storage area for cookies. The "cookie - engine" still needs to be enabled or activated using the normal cookie - options. + Also I added the option to the NameValue list in the tool even though it + isn't exposed as a command-line option (...yet?). (NameValue stringizes + the option name for the curl cmd -> libcurl source generator) - This caused the curl command line tool to accidentally use cookies - without having been told to, since curl switched to using shared cookies - in 7.66.0. + Follow-up to 564d88a which added CURLSSLOPT_NO_PARTIALCHAIN. 
- Test 1166 verifies + Ref: https://github.com/curl/curl/pull/4655 + +- setopt: Fix ALPN / NPN user option when built without HTTP2 - Updated test 506 + - Stop treating lack of HTTP2 as an unknown option error result for + CURLOPT_SSL_ENABLE_ALPN and CURLOPT_SSL_ENABLE_NPN. - Fixes #4429 - Closes #4434 + Prior to this change it was impossible to disable ALPN / NPN if libcurl + was built without HTTP2. Setting either option would result in + CURLE_UNKNOWN_OPTION and the respective internal option would not be + set. That was incorrect since ALPN and NPN are used independent of + HTTP2. + + Reported-by: Shailesh Kapse + + Fixes https://github.com/curl/curl/issues/4668 + Closes https://github.com/curl/curl/pull/4672 -- setopt: handle ALTSVC set to NULL +Daniel Stenberg (5 Dec 2019) +- etag: allow both --etag-compare and --etag-save in same cmdline + + Fixes #4669 + Closes #4678 -- RELEASE-NOTES: synced +Marcel Raad (5 Dec 2019) +- curl_setup: fix `CURLRES_IPV6` condition + + Move the definition of `CURLRES_IPV6` to before undefining + `HAVE_GETADDRINFO`. Regression from commit 67a08dca27a which caused + some tests to fail and others to be skipped with c-ares. + + Fixes https://github.com/curl/curl/issues/4673 + Closes https://github.com/curl/curl/pull/4677 -- [grdowns brought this change] +Daniel Stenberg (5 Dec 2019) +- test342: make it return a 304 as the tag matches - INSTALL: add vcpkg installation instructions +Peter Wu (4 Dec 2019) +- CMake: add support for building with the NSS vtls backend - Closes #4435 - -- [Zenju brought this change] + Options are cross-checked with configure.ac and acinclude.m4. + Tested on Arch Linux, untested on other platforms like Windows or macOS. + + Closes #4663 + Reviewed-by: Kamil Dudka - FTP: add test for FTPFILE_NOCWD: Avoid redundant CWDs +Daniel Stenberg (4 Dec 2019) +- azure: add more builds - Add libtest 661 + ... 
removed two from travis (that now runs on azure instead) - Closes #4417 + Closes #4671 -- [Zenju brought this change] +- CURLOPT_VERBOSE.3: see also ERRORBUFFER - FTP: url-decode path before evaluation - - Closes #4428 +- hostip4.c: bump copyright year range -Marcel Raad (27 Sep 2019) -- tests: fix narrowing conversion warnings +Marcel Raad (3 Dec 2019) +- configure: enable IPv6 support without `getaddrinfo` - `timediff_t` is 64 bits wide also on 32-bit systems since - commit b1616dad8f0. + This makes it possible to recognize and connect to literal IPv6 + addresses when `getaddrinfo` is not available, which is already the + case for the CMake build. This affects e.g. classic MinGW because it + still targets Windows 2000 by default, where `getaddrinfo` is not + available, but general IPv6 support is. - Closes https://github.com/curl/curl/pull/4415 - -Jay Satiro (27 Sep 2019) -- [julian brought this change] + Instead of checking for `getaddrinfo`, check for `sockaddr_in6` as the + CMake build does. + + Closes https://github.com/curl/curl/pull/4662 - vtls: Fix comment typo about macosx-version-min compiler flag +- curl_setup: disable IPv6 resolver without `getaddrinfo` - Closes https://github.com/curl/curl/pull/4425 + Also, use `CURLRES_IPV6` only for actual DNS resolution, not for IPv6 + address support. This makes it possible to connect to IPv6 literals by + setting `ENABLE_IPV6` even without `getaddrinfo` support. It also fixes + the CMake build when using the synchronous resolver without + `getaddrinfo` support. + + Closes https://github.com/curl/curl/pull/4662 -Daniel Stenberg (26 Sep 2019) -- [Yechiel Kalmenson brought this change] +Daniel Stenberg (3 Dec 2019) +- github action/azure pipeline: run 'make test-nonflaky' for tests + + To match travis and give more info on failures. 
- README: minor grammar fix +- openssl: CURLSSLOPT_NO_PARTIALCHAIN can disable partial cert chains - Closes #4431 + Closes #4655 -- [Spezifant brought this change] +- openssl: set X509_V_FLAG_PARTIAL_CHAIN + + Have intermediate certificates in the trust store be treated as + trust-anchors, in the same way as self-signed root CA certificates + are. This allows users to verify servers using the intermediate cert + only, instead of needing the whole chain. + + Other TLS backends already accept partial chains. + + Reported-by: Jeffrey Walton + Bug: https://curl.haxx.se/mail/lib-2019-11/0094.html - HTTP3: fix prefix parameter for ngtcp2 build +- curl: show better error message when no homedir is found - Closes #4430 + Reported-by: Vlastimil Ovčáčík + Fixes #4644 + Closes #4665 -- quiche: don't close connection at end of stream! +- OPENSOCKETFUNCTION.3: correct the purpose description + + Reported-by: Jeff Mears + Bug: https://curl.haxx.se/mail/lib-2019-12/0007.html + + Closes #4667 -- quiche: set 'drain' when returning without having drained the queues +- [Peter Wu brought this change] -- Revert "FTP: url-decode path before evaluation" + travis: do not use OVERRIDE_CC or OVERRIDE_CXX if empty - This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2. + Fixes the macOS builds where OVERRIDE_CC and OVERRIDE_CXX are not set. 
+ + Reported-by: Jay Satiro + Fixes #4659 + Closes #4661 + Closes #4664 -- HTTP3: merged and simplified the two 'running' sections +- azure-pipelines: fix the test script -- HTTP3: show an --alt-svc using example too +- Azure Pipelines: initial CI setup + + [skip ci] -- [Zenju brought this change] +- docs: add "added: 7.68.0" to the --etag-* docs - FTP: url-decode path before evaluation +- copyright: fix the year ranges for two files - Closes #4423 + Follow-up to 9c1806ae -- openssl: use strerror on SSL_ERROR_SYSCALL +Jay Satiro (1 Dec 2019) +- build: Disable Visual Studio warning "conditional expression is constant" - Instead of showing the somewhat nonsensical errno number, use strerror() - to provide a more relatable error message. + - Disable warning C4127 "conditional expression is constant" globally + in curl_setup.h for when building with Microsoft's compiler. - Closes #4411 - -- HTTP3: update quic.aiortc.org + add link to server list + This mainly affects building with the Visual Studio project files found + in the projects dir. - Reported-by: Jeremy Lainé - -Jay Satiro (26 Sep 2019) -- url: don't set appconnect time for non-ssl/non-ssh connections + Prior to this change the cmake and winbuild build systems already + disabled 4127 globally for when building with Microsoft's compiler. + Also, 4127 was already disabled for all build systems in the limited + circumstance of the WHILE_FALSE macro which disabled the warning + specifically for while(0). This commit removes the WHILE_FALSE macro and + all other cruft in favor of disabling globally in curl_setup. - Prior to this change non-ssl/non-ssh connections that were reused set - TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH - handshake took place. + Background: - [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in - libcurl and %{time_appconnect} in the curl tool. It is documented as - "the time until the SSL/SSH handshake is completed". 
+ We have various macros that cause 0 or 1 to be evaluated, which would + cause warning C4127 in Visual Studio. For example this causes it: - Reported-by: Marcel Hernandez + #define Curl_resolver_asynch() 1 - Ref: https://github.com/curl/curl/issues/3760 + Full behavior is not clearly defined and inconsistent across versions. + However it is documented that since VS 2015 Update 3 Microsoft has + addressed this somewhat but not entirely, not warning on while(true) for + example. - Closes https://github.com/curl/curl/pull/3773 + Prior to this change some C4127 warnings occurred when I built with + Visual Studio using the generated projects in the projects dir. + + Closes https://github.com/curl/curl/pull/4658 -Daniel Stenberg (25 Sep 2019) -- ngtcp2: remove fprintf() calls +- openssl: retrieve reported LibreSSL version at runtime - - convert some of them to H3BUF() calls to infof() - - remove some of them completely - - made DEBUG_HTTP3 defined only if CURLDEBUG is set for now + - Retrieve LibreSSL runtime version when supported (>= 2.7.1). - Closes #4421 - -- [Jay Satiro brought this change] - - url: fix the NULL hostname compiler warning case + For earlier versions we continue to use the compile-time version. - Closes #4403 + Ref: https://man.openbsd.org/OPENSSL_VERSION_NUMBER.3 + + Closes https://github.com/curl/curl/pull/2425 -- [Jay Satiro brought this change] +- strerror: Add Curl_winapi_strerror for Win API specific errors + + - In all code call Curl_winapi_strerror instead of Curl_strerror when + the error code is known to be from Windows GetLastError. + + Curl_strerror prefers CRT error codes (errno) over Windows API error + codes (GetLastError) when the two overlap. When we know the error code + is from GetLastError it is more accurate to prefer the Windows API error + messages. 
+ + Reported-by: Richard Alcock + + Fixes https://github.com/curl/curl/issues/4550 + Closes https://github.com/curl/curl/pull/4581 - travis: move the go install to linux-only +Daniel Stenberg (2 Dec 2019) +- global_init: undo the "intialized" bump in case of failure - ... to repair the build again - Closes #4403 + ... so that failures in the global init function don't count as a + working init and it can then be called again. + + Reported-by: Paul Groke + Fixes #4636 + Closes #4653 -- altsvc: correct the #ifdef for the ngtcp2 backend +- parsedate: offer a getdate_capped() alternative + + ... and use internally. This function will return TIME_T_MAX instead of + failure if the parsed data is found to be larger than what can be + represented. TIME_T_MAX being the largest value curl can represent. + + Reviewed-by: Daniel Gustafsson + Reported-by: JanB on github + Fixes #4152 + Closes #4651 -- altsvc: save h3 as h3-23 +- docs: add more references to curl_multi_poll - Follow-up to d176a2c7e5 + Fixes #4643 + Closes #4652 -- urlapi: question mark within fragment is still fragment +- sha256: bump the copyright year range - The parser would check for a query part before fragment, which caused it - to do wrong when the fragment contains a question mark. + Follow-up from 66e21520f + +Daniel Gustafsson (28 Nov 2019) +- curl_setup_once: consistently use WHILE_FALSE in macros - Extended test 1560 to verify. + The WHILE_FALSE construction is used to avoid compiler warnings in + macro constructions. This fixes a few instances where it was not + used in order to keep the code consistent. 
- Reported-by: Alex Konev - Fixes #4412 - Closes #4413 + Closes #4649 + Reviewed-by: Daniel Stenberg -- [Alex Samorukov brought this change] +Daniel Stenberg (28 Nov 2019) +- [Steve Holme brought this change] - HTTP3.md: move -p for mkdir, remove -j for make - - - mkdir on OSX/Darwin requires `-p` argument before dir + http_ntlm: Remove duplicate NSS initialisation - - portabbly figuring out number of cores is an exercise for somewhere - else + Given that this is performed by the NTLM code there is no need to + perform the initialisation in the HTTP layer. This also keeps the + initialisation the same as the SASL based protocols and also fixes a + possible compilation issue if both NSS and SSPI were to be used as + multiple SSL backends. - Closes #4407 + Reviewed-by: Kamil Dudka + Closes #3935 -Patrick Monnerat (24 Sep 2019) -- os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr, +Daniel Gustafsson (28 Nov 2019) +- checksrc: fix regexp for ASSIGNWITHINCONDITION - As libcurl now uses these 2 system functions, wrappers are needed on os400 - to convert returned AF_UNIX sockaddrs to ascii. + The regexp looking for assignments within conditions was too greedy + and matched a too long string in the case of multiple conditionals + on the same line. This is basically only a problem in single line + macros, and the code which exemplified this was essentially: - This is a follow-up to commit 7fb54ef. - See also #4037. - Closes #4214 + do { if((x) != NULL) { x = NULL; } } while(0) + + ..where the final parenthesis of while(0) matched the regexp, and + the legal assignment in the block triggered the warning. Fix by + making the regexp less greedy by matching for the tell-tale signs + of the if statement ending. + + Also remove the one occurrence where the warning was disabled due + to a construction like the above, where the warning didn't apply + when fixed. 
+ + Closes #4647 + Reviewed-by: Daniel Stenberg -Jay Satiro (24 Sep 2019) -- [Lucas Pardue brought this change] +Daniel Stenberg (28 Nov 2019) +- RELEASE-NOTES: synced - strcase: fix raw lowercasing the letter X +- [Maros Priputen brought this change] + + curl: two new command line options for etags - Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to - this change. + --etag-compare and --etag-save - Follow-up to 0023fce which added the function several days ago. + Suggested-by: Paul Hoffman + Fixes #4277 + Closes #4543 + +Daniel Gustafsson (28 Nov 2019) +- docs: fix typos + +Daniel Stenberg (28 Nov 2019) +- mailmap: Niall O'Reilly's name + +- [Niall O'Reilly brought this change] + + doh: use dedicated probe slots - Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546 + ... to easier allow additional DNS transactions. - Closes https://github.com/curl/curl/pull/4408 + Closes #4629 -Daniel Stenberg (23 Sep 2019) -- http2: Expression 'stream->stream_id != - 1' is always true +- travis: build ngtcp2 with --enable-lib-only - PVS-Studio warning - Fixes #4402 - -- http2: A value is being subtracted from the unsigned variable + ... makes it skip the examples and other stuff we don't neeed. - PVS-Studio warning - Fixes #4402 + Closes #4646 -- libssh: part of conditional expression is always true: !result - - PVS-Studio warning - Fixed #4402 +- [David Benjamin brought this change] -- libssh: part of conditional expression is always true + ngtcp2: fix thread-safety bug in error-handling - PVS-Studio warning - Fixes #4402 + ERR_error_string(NULL) should never be called. It places the error in a + global buffer, which is not thread-safe. Use ERR_error_string_n with a + local buffer instead. 
+ + Closes #4645 -- libssh: The expression is excessive or contains a misprint +- travis: export the CC/CXX variables when set - PVS-Studio warning - Fixes #4402 + Suggested-by: Peter Wu + Fixes #4637 + Closes #4640 -- quiche: The expression must be surrounded by parentheses +Marcel Raad (26 Nov 2019) +- dist: add error-codes.pl - PVS-Studio warning - Fixes #4402 + Follow-up to commit 74f441c6d31. + This should fix test 1175 when run via the daily source tarballs. + + Closes https://github.com/curl/curl/pull/4638 -- vauth: The parameter 'status' must be surrounded by parentheses +Daniel Stenberg (26 Nov 2019) +- [John Schroeder brought this change] + + curl: fix --upload-file . hangs if delay in STDIN - PVS-Studio warning - Fixes #4402 + Attempt to unpause a busy read in the CURLOPT_XFERINFOFUNCTION. + + When uploading from stdin in non-blocking mode, a delay in reading + the stream (EAGAIN) causes curl to pause sending data + (CURL_READFUNC_PAUSE). Prior to this change, a busy read was + detected and unpaused only in the CURLOPT_WRITEFUNCTION handler. + This change performs the same busy read handling in a + CURLOPT_XFERINFOFUNCTION handler. + + Fixes #2051 + Closes #4599 + Reported-by: bdry on github -- [Paul Dreik brought this change] +- [John Schroeder brought this change] - doh: allow only http and https in debug mode + XFERINFOFUNCTION: support CURL_PROGRESSFUNC_CONTINUE - Otherwise curl may be told to use for instance pop3 to - communicate with the doh server, which most likely - is not what you want. + (also for PROGRESSFUNCTION) - Found through fuzzing. + By returning this value from the callback, the internal progress + function call is still called afterward. 
- Closes #4406 + Closes #4599 -- [Paul Dreik brought this change] +- [Michael Forney brought this change] - doh: return early if there is no time left + TLS: add BearSSL vtls implementation - Closes #4406 + Closes #4597 -- [Barry Pollard brought this change] +- curl_multi_wakeup.3: add example and AVAILABILITY + + Reviewed-by: Gergely Nagy + Closes #4635 - http: lowercase headernames for HTTP/2 and HTTP/3 +- [Gergely Nagy brought this change] + + multi: add curl_multi_wakeup() - Closes #4401 - Fixes #4400 + This commit adds curl_multi_wakeup() which was previously in the TODO + list under the curl_multi_unblock name. + + On some platforms and with some configurations this feature might not be + available or can fail, in these cases a new error code + (CURLM_WAKEUP_FAILURE) is returned from curl_multi_wakeup(). + + Fixes #4418 + Closes #4608 -Marcel Raad (23 Sep 2019) -- vtls: fix narrowing conversion warnings +Jay Satiro (24 Nov 2019) +- [Xiaoyin Liu brought this change] + + schannel: fix --tls-max for when min is --tlsv1 or default - Curl_timeleft returns `timediff_t`, which is 64 bits wide also on - 32-bit systems since commit b1616dad8f0. + Prior to this change schannel ignored --tls-max (CURL_SSLVERSION_MAX_ + macros) when --tlsv1 (CURL_SSLVERSION_TLSv1) or default TLS + (CURL_SSLVERSION_DEFAULT), using a max of TLS 1.2 always. - Closes https://github.com/curl/curl/pull/4398 + Closes https://github.com/curl/curl/pull/4633 -Daniel Stenberg (23 Sep 2019) -- [Joel Depooter brought this change] +- checksrc.bat: Add a check for vquic and vssh directories + + Ref: https://github.com/curl/curl/pull/4607 - winbuild: Add manifest to curl.exe for proper OS version detection +- projects: Fix Visual Studio projects SSH builds - This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898 - in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to - CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is - overwritten. 
The fix is to append values to CURL_RC_FLAGS instead of - overwriting + - Generate VQUIC and VSSH filenames in Visual Studio project files. - Closes #4399 + Prior to this change generated Visual Studio project configurations that + enabled SSH did not build properly. Broken since SSH files were moved to + lib/vssh 3 months ago in 5b2d703. + + Fixes https://github.com/curl/curl/issues/4492 + Fixes https://github.com/curl/curl/issues/4630 + Closes https://github.com/curl/curl/pull/4607 +Daniel Stenberg (23 Nov 2019) - RELEASE-NOTES: synced -Marcel Raad (22 Sep 2019) -- openssl: fix compiler warning with LibreSSL +Jay Satiro (22 Nov 2019) +- openssl: Revert to less sensitivity for SYSCALL errors - It was already fixed for BoringSSL in commit a0f8fccb1e0. - LibreSSL has had the second argument to SSL_CTX_set_min_proto_version - as uint16_t ever since the function was added in [0]. + - Disable the extra sensitivity except in debug builds (--enable-debug). - [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda + - Improve SYSCALL error message logic in ossl_send and ossl_recv so that + "No error" / "Success" socket error text isn't shown on SYSCALL error. - Closes https://github.com/curl/curl/pull/4397 + Prior to this change 0ab38f5 (precedes 7.67.0) increased the sensitivity + of OpenSSL's SSL_ERROR_SYSCALL error so that abrupt server closures were + also considered errors. For example, a server that does not send a known + protocol termination point (eg HTTP content length or chunked encoding) + _and_ does not send a TLS termination point (close_notify alert) would + cause an error if it closed the connection. + + To be clear that behavior made it into release build 7.67.0 + unintentionally. Several users have reported it as an issue. + + Ultimately the idea is a good one, since it can help prevent against a + truncation attack. Other SSL backends may already behave similarly (such + as Windows native OS SSL Schannel). 
However much more of our user base + is using OpenSSL and there is a mass of legacy users in that space, so I + think that behavior should be partially reverted and then rolled out + slowly. + + This commit changes the behavior so that the increased sensitivity is + disabled in all curl builds except curl debug builds (DEBUGBUILD). If + after a period of time there are no major issues then it can be enabled + in dev and release builds with the newest OpenSSL (1.1.1+), since users + using the newest OpenSSL are the least likely to have legacy problems. + + Bug: https://github.com/curl/curl/issues/4409#issuecomment-555955794 + Reported-by: Bjoern Franke + + Fixes https://github.com/curl/curl/issues/4624 + Closes https://github.com/curl/curl/pull/4623 -Daniel Stenberg (22 Sep 2019) -- curl: exit the create_transfers loop on errors +- [Daniel Stenberg brought this change] + + openssl: improve error message for SYSCALL during connect - When looping around the ranges and given URLs to create transfers, all - errors should exit the loop and return. Previously it would keep - looping. + Reported-by: Paulo Roberto Tomasi + Bug: https://curl.haxx.se/mail/archive-2019-11/0005.html - Reported-by: SumatraPeter on github - Bug: #4393 - Closes #4396 + Closes https://github.com/curl/curl/pull/4593 -Jay Satiro (21 Sep 2019) -- socks: Fix destination host shown on SOCKS5 error +Daniel Stenberg (22 Nov 2019) +- test1175: verify symbols-in-versions and libcurl-errors.3 in sync - Prior to this change when a server returned a socks5 connect error then - curl would parse the destination address:port from that data and show it - to the user as the destination: + Closes #4628 + +- include: make CURLE_HTTP3 use a new error code - curld -v --socks5 10.0.3.1:1080 http://google.com:99 - * SOCKS5 communication to google.com:99 - * SOCKS5 connect to IPv4 172.217.12.206 (locally resolved) - * Can't complete SOCKS5 connection to 253.127.0.0:26673. 
(1) - curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) + To avoid potential issues with error code reuse. - That's incorrect because the address:port included in the connect error - is actually a bind address:port (typically unused) and not the - destination address:port. This fix changes curl to show the destination - information that curl sent to the server instead: + Reported-by: Christoph M. Becker + Assisted-by: Dan Fandrich + Fixes #4601 + Closes #4627 + +- bump: next release will be 7.68.0 + +- curl: add --parallel-immediate - curld -v --socks5 10.0.3.1:1080 http://google.com:99 - * SOCKS5 communication to google.com:99 - * SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved) - * Can't complete SOCKS5 connection to 172.217.7.14:99. (1) - curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1) + Starting with this change when doing parallel transfers, without this + option set, curl will prefer to create new transfers multiplexed on an + existing connection rather than creating a brand new one. - curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99 - * SOCKS5 communication to google.com:99 - * SOCKS5 connect to google.com:99 (remotely resolved) - * Can't complete SOCKS5 connection to google.com:99. (1) - curl: (7) Can't complete SOCKS5 connection to google.com:99. (1) + --parallel-immediate can be set to tell curl to prefer to use new + connections rather than to wait and try to multiplex. - Ref: https://tools.ietf.org/html/rfc1928#section-6 + libcurl-wise, this means that curl will set CURLOPT_PIPEWAIT by default + on parallel transfers. 
- Closes https://github.com/curl/curl/pull/4394 + Suggested-by: Tom van der Woerdt + Closes #4500 -Daniel Stenberg (21 Sep 2019) -- travis: enable ngtcp2 h3-23 builds +Daniel Gustafsson (20 Nov 2019) +- [Victor Magierski brought this change] -- altsvc: both backends run h3-23 now + docs: fix typos - Closes #4395 - -- http: fix warning on conversion from int to bit + Change 'experiemental' to 'experimental'. - Follow-up from 03ebe66d70 + Closes #4618 + Reviewed-by: Daniel Gustafsson -- urldata: use 'bool' for the bit type on MSVC compilers +Jay Satiro (18 Nov 2019) +- projects: Fix Visual Studio wolfSSL configurations - Closes #4387 - Fixes #4379 - -- appveyor: upgrade VS2017 to VS2019 + - s/USE_CYASSL/USE_WOLFSSL/ - Closes #4383 + - Remove old compatibility macros. + + Follow-up to 1c6c59a from several months ago when CyaSSL named symbols + were renamed to wolfSSL. The wolfSSL library was formerly named CyaSSL + and we kept using their old name for compatibility reasons, until + earlier this year. -- [Zenju brought this change] +Daniel Stenberg (18 Nov 2019) +- RELEASE-NOTES: synced - FTP: FTPFILE_NOCWD: avoid redundant CWDs +- [Javier Blazquez brought this change] + + ngtcp2: use overflow buffer for extra HTTP/3 data - Closes #4382 + Fixes #4525 + Closes #4603 -- cookie: pass in the correct cookie amount to qsort() +- altsvc: bump to h3-24 - As the loop discards cookies without domain set. This bug would lead to - qsort() trying to sort uninitialized pointers. We have however not found - it a security problem. + ... as both ngtcp2 and quiche now support that in their master branches - Reported-by: Paul Dreik - Closes #4386 - -- [Paul Dreik brought this change] + Closes #4604 - urlapi: avoid index underflow for short ipv6 hostnames +- ngtcp2: free used resources on disconnect - If the input hostname is "[", hlen will underflow to max of size_t when - it is subtracted with 2. 
+ Fixes #4614 + Closes #4615 + +- ngtcp2: handle key updates as ngtcp2 master branch tells us - hostname[hlen] will then cause a warning by ubsanitizer: + Reviewed-by: Tatsuhiro Tsujikawa - runtime error: addition of unsigned offset to 0x overflowed to - 0x + Fixes #4612 + Closes #4613 + +Jay Satiro (17 Nov 2019) +- [Gergely Nagy brought this change] + + multi: Fix curl_multi_poll wait when extra_fds && !extra_nfds - I think that in practice, the generated code will work, and the output - of hostname[hlen] will be the first character "[". + Prior to this change: - This can be demonstrated by the following program (tested in both clang - and gcc, with -O3) + The check if an extra wait is necessary was based not on the + number of extra fds but on the pointer. - int main() { - char* hostname=strdup("["); - size_t hlen = strlen(hostname); + If a non-null pointer was given in extra_fds, but extra_nfds + was zero, then the wait was skipped even though poll was not + called. - hlen-=2; - hostname++; - printf("character is %d\n",+hostname[hlen]); - free(hostname-1); - } + Closes https://github.com/curl/curl/pull/4610 + +- lib: Move lib/ssh.h -> lib/vssh/ssh.h - I found this through fuzzing, and even if it seems harmless, the proper - thing is to return early with an error. + Follow-up to 5b2d703 which moved ssh source files to vssh. - Closes #4389 + Closes https://github.com/curl/curl/pull/4609 -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (16 Nov 2019) +- [Andreas Falkenhahn brought this change] - ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 + INSTALL.md: provide Android build instructions - Closes #4392 + Closes #4606 -- THANKS-filter: deal with my typos 'Jat' => 'Jay' +- [Niall O'Reilly brought this change] -- travis: use go master + doh: improced both encoding and decoding - ... 
as the boringssl builds needs a very recent version + Improved estimation of expected_len and updated related comments; + increased strictness of QNAME-encoding, adding error detection for empty + labels and names longer than the overall limit; avoided treating DNAME + as unexpected; - Co-authored-by: Jat Satiro - Closes #4361 - -- tool_operate: removed unused variable 'done' + updated unit test 1655 with more thorough set of proofs and tests - Fixes warning detected by PVS-Studio - Fixes #4374 + Closes #4598 -- tool_operate: Expression 'config->resume_from' is always true +- ngtcp2: increase QUIC window size when data is consumed - Fixes warning detected by PVS-Studio - Fixes #4374 + Assisted-by: Javier Blazquez + Ref #4525 (partial fix) + Closes #4600 -- tool_getparam: remove duplicate switch case - - Fixes warning detected by PVS-Studio - Fixes #4374 +- [Melissa Mears brought this change] -- libssh2: part of conditional expression is always true: !result + config-win32: cpu-machine-OS for Windows on ARM - Fixes warning detected by PVS-Studio - Fixes #4374 - -- urlapi: Expression 'storep' is always true + Define the OS macro properly for Windows on ARM builds. Also, we might + as well add the GCC-style IA-64 macro. - Fixes warning detected by PVS-Studio - Fixes #4374 + Closes #4590 -- urlapi: 'scheme' is always true +- examples: add multi-poll.c - Fixes warning detected by PVS-Studio - Fixes #4374 - -- urlapi: part of conditional expression is always true: (relurl[0] == '/') + Show how curl_multi_poll() makes it even easier to use the multi + interface. 
- Fixes warning detected by PVS-Studio - Fixes #4374 + Closes #4596 -- setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly +- multi_poll: avoid busy-loop when called without easy handles attached - Fixes bug detected by PVS-Studio - Fixes #4374 + Fixes #4594 + Closes #4595 + Reported-by: 3dyd on github -- mime: make Curl_mime_duppart() assert if called without valid dst +- curl: fix -T globbing - Fixes warning detected by PVS-Studio - Fixes #4374 - -- http_proxy: part of conditional expression is always true: !error + Regression from e59371a4936f8 (7.67.0) - Fixes warning detected by PVS-Studio - Fixes #4374 - -- imap: merged two case-branches performing the same action + Added test 490, 491 and 492 to verify the functionality. - Fixes warning detected by PVS-Studio - Fixes #4374 - -- multi: value '2L' is assigned to a boolean + Reported-by: Kamil Dudka + Reported-by: Anderson Sasaki - Fixes warning detected by PVS-Studio - Fixes #4374 + Fixes #4588 + Closes #4591 -- easy: part of conditional expression is always true: !result - - Fixes warning detected by PVS-Studio - Fixes #4374 +- HISTORY: added cmake, HTTP/3 and parallel downloads with curl -- netrc: part of conditional expression is always true: !done +- quiche: reject headers in the wrong order - Fixes warning detected by PVS-Studio - Fixes #4374 - -- version: Expression 'left > 1' is always true + Pseudo header MUST come before regular headers or cause an error. - Fixes warning detected by PVS-Studio - Fixes #4374 + Reported-by: Cynthia Coan + Fixes #4571 + Closes #4584 -- url: remove dead code +- openssl: prevent recursive function calls from ctx callbacks - Fixes warning detected by PVS-Studio - Fixes #4374 - -- url: part of expression is always true: (bundle->multiuse == 0) + Follow the pattern of many other callbacks. 
- Fixes warning detected by PVS-Studio - Fixes #4374 + Ref: #4546 + Closes #4585 -- ftp: the conditional expression is always true +- CURL-DISABLE: initial docs for the CURL_DISABLE_* defines - ... both !result and (ftp->transfer != FTPTRANSFER_BODY)! + The disable-scan script used in test 1165 is extended to also verify + that the docs cover all used defines and all defines offered by + configure. - Fixes warning detected by PVS-Studio - Fixes #4374 + Reported-by: SLDiggie on github + Fixes #4545 + Closes #4587 -- ftp: Expression 'ftpc->wait_data_conn' is always false +- remove_handle: clear expire timers after multi_done() - Fixes warning detected by PVS-Studio - Fixes #4374 - -- ftp: Expression 'ftpc->wait_data_conn' is always true + Since 59041f0, a new timer might be set in multi_done() so the clearing + of the timers need to happen afterwards! - Fixes warning detected by PVS-Studio - Fixes #4374 + Reported-by: Max Kellermann + Fixes #4575 + Closes #4583 -- ftp: part of conditional expression is always true: !result +Marcel Raad (10 Nov 2019) +- test1558: use double slash after file: - Fixes warning detected by PVS-Studio - Fixes #4374 - -- http: fix Expression 'http->postdata' is always false + Classic MinGW / MSYS 1 doesn't support `MSYS2_ARG_CONV_EXCL`, so this + test unnecessarily failed when using `file:/` instead of `file:///`. - Fixes warning detected by PVS-Studio - Fixes #4374 - Reported-by: Valerii Zapodovnikov - -- [Niall O'Reilly brought this change] + Closes https://github.com/curl/curl/pull/4554 - doh: avoid truncating DNS QTYPE to lower octet +Daniel Stenberg (10 Nov 2019) +- pause: avoid updating socket if done was already called - Closes #4381 - -- [Jens Finkhaeuser brought this change] + ... avoids unnecesary recursive risk when the transfer is already done. 
+ + Reported-by: Richard Bowker + Fixes #4563 + Closes #4574 - urlapi: CURLU_NO_AUTHORITY allows empty authority/host part +Jay Satiro (9 Nov 2019) +- strerror: Fix an error looking up some Windows error strings - CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not - "file:///") to override cURL's default demand that an authority exists. + - Use FORMAT_MESSAGE_IGNORE_INSERTS to ignore format specifiers in + Windows error strings. - Closes #4349 - -- version: next release will be 7.67.0 + Since we are not in control of the error code we don't know what + information may be needed by the error string's format specifiers. + + Prior to this change Windows API error strings which contain specifiers + (think specifiers like similar to printf specifiers) would not be shown. + The FormatMessage Windows API call which turns a Windows error code into + a string could fail and set error ERROR_INVALID_PARAMETER if that error + string contained a format specifier. FormatMessage expects a va_list for + the specifiers, unless inserts are ignored in which case no substitution + is attempted. + + Ref: https://devblogs.microsoft.com/oldnewthing/20071128-00/?p=24353 -- RELEASE-NOTES: synced +- [r-a-sattarov brought this change] -- url: only reuse TLS connections with matching pinning + system.h: fix for MCST lcc compiler - If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the - connection should not be reused. + Fixed build by MCST lcc compiler on MCST Elbrus 2000 architecture and do + some code cleanup. - Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html - Reported-by: Sebastian Haglund + e2k (Elbrus 2000) - this is VLIW/EPIC architecture, like Intel Itanium + architecture. 
- Closes #4347 - -- README: add OSS-Fuzz badge [skip ci] + Ref: https://en.wikipedia.org/wiki/Elbrus_2000 - Closes #4380 + Closes https://github.com/curl/curl/pull/4576 -Michael Kaufmann (18 Sep 2019) -- http: merge two "case" statements +Daniel Stenberg (8 Nov 2019) +- TODO: curl_multi_unblock + + Closes #4418 -Daniel Stenberg (18 Sep 2019) -- [Zenju brought this change] +- TODO: Run web-platform-tests url tests + + Closes #4477 - FTP: remove trailing slash from path for LIST/MLSD +- TODO: 1.4 alt-svc sharing - Closes #4348 + Closes #4476 -- mime: when disabled, avoid C99 macro +- test1560: require IPv6 for IPv6 aware URL parsing - Closes #4368 + The URL parser function can't reject a bad IPv6 address properly when + curl was built without IPv6 support. + + Reported-by: Marcel Raad + Fixes #4556 + Closes #4572 -- url: cleanup dangling DOH request headers too +- checksrc: repair the copyrightyear check - Follow-up to 9bc44ff64d9081 + - Consider a modified file to be committed this year. - Credit to OSS-Fuzz - Bug: https://crbug.com/oss-fuzz/17269 + - Make the travis CHECKSRC also do COPYRIGHTYEAR scan in examples and + includes - Closes #4372 - -- [Christoph M. Becker brought this change] - - http2: relax verification of :authority in push promise requests + - Ignore 0 parents when getting latest commit date of file. - If the :authority pseudo header field doesn't contain an explicit port, - we assume it is valid for the default port, instead of rejecting the - request for all ports. + since in the CI we're dealing with a truncated repo of last 50 commits, + the file's most recent commit may not be available. when this happens + git log and rev-list show the initial commit (ie first commit not to be + truncated) but that's incorrect so ignore it. 
- Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html + Ref: https://github.com/curl/curl/pull/4547 - Closes #4365 + Closes https://github.com/curl/curl/pull/4549 + + Co-authored-by: Jay Satiro -- doh: clean up dangling DOH handles and memory on easy close +- copyrights: fix copyright year range - If you set the same URL for target as for DoH (and it isn't a DoH - server), like "https://example.com" in both, the easy handles used for - the DoH requests could be left "dangling" and end up not getting freed. + .. because checksrc's copyright year check stopped working. - Reported-by: Paul Dreik - Closes #4366 - -- unit1655: make it C90 compliant + Ref: https://github.com/curl/curl/pull/4547 - Unclear why this was not detected in the CI. - - Follow-up to b7666027296a + Closes https://github.com/curl/curl/pull/4549 -- smb: check for full size message before reading message details - - To avoid reading of uninitialized data. - - Assisted-by: Max Dymond - Bug: https://crbug.com/oss-fuzz/16907 - Closes #4363 +- RELEASE-NOTES: synced -- quiche: persist connection details - - ... like we do for other protocols at connect time. This makes "curl -I" - and other things work. - - Reported-by: George Liu - Fixes #4358 - Closes #4360 +- curlver: bump to 7.67.1 -- openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version +- mailmap: fixup Massimiliano Fantuzzi + +- scripts/contributors: make committers get included too - Follow-up to ffe34b7b59 - Closes #4359 + in addition to authors -- [Paul Dreik brought this change] +Jay Satiro (8 Nov 2019) +- [Massimiliano Fantuzzi brought this change] - doh: fix undefined behaviour and open up for gcc and clang optimization - - The undefined behaviour is annoying when running fuzzing with - sanitizers. The codegen is the same, but the meaning is now not up for - dispute. 
See https://cppinsights.io/s/516a2ff4 - - By incrementing the pointer first, both gcc and clang recognize this as - a bswap and optimizes it to a single instruction. See - https://godbolt.org/z/994Zpx + configure: fix typo in help text - Closes #4350 + Closes https://github.com/curl/curl/pull/4570 -- [Paul Dreik brought this change] +Daniel Stenberg (7 Nov 2019) +- [Christian Schmitz brought this change] - doh: fix (harmless) buffer overrun + ntlm: USE_WIN32_CRYPTO check removed to get USE_NTLM2SESSION set - Added unit test case 1655 to verify. - Close #4352 + Closes #3704 + +Jay Satiro (6 Nov 2019) +- [Wyatt O'Day brought this change] + + build: fix for CURL_DISABLE_DOH - the code correctly finds the flaws in the old code, - if one temporarily restores doh.c to the old version. + Fixes https://github.com/curl/curl/issues/4565 + Closes https://github.com/curl/curl/pull/4566 -Alessandro Ghedini (15 Sep 2019) -- docs: remove trailing ':' from section names in CURLOPT_TRAILER* man +- [Leonardo Taccari brought this change] -- docs: fix typo in CURLOPT_HTTP_VERSION man + configure: avoid unportable `==' test(1) operator + + Closes https://github.com/curl/curl/pull/4567 -GitHub (14 Sep 2019) -- [Daniel Stenberg brought this change] +Version 7.67.0 (5 Nov 2019) - CI: inintial github action job +Daniel Stenberg (5 Nov 2019) +- RELEASE-NOTES: synced - First shot at a CI build on github actions + The 7.67.0 release -Daniel Stenberg (13 Sep 2019) -- appveyor: add a winbuild +- THANKS: add new names from 7.67.0 + +- configure: only say ipv6 enabled when the variable is set - Assisted-by: Marcel Raad - Assisted-by: Jay Satiro + Previously it could say "IPv6: enabled" at the end of the configure run + but the define wasn't set because of a missing getaddrinfo(). 
- Closes #4324 + Reported-by: Marcel Raad + Fixes #4555 + Closes #4560 -- FTP: allow "rubbish" prepended to the SIZE response +Marcel Raad (2 Nov 2019) +- certs/Server-localhost-lastSAN-sv: regenerate with sha256 - This is a protocol violation but apparently there are legacy proprietary - servers doing this. + All other certificates were regenerated in commit ba782baac30, but + this one was missed. + Fixes test3001 on modern systems. - Added test 336 and 337 to verify. + Closes https://github.com/curl/curl/pull/4551 + +Daniel Stenberg (2 Nov 2019) +- [Vilhelm Prytz brought this change] + + copyrights: update all copyright notices to 2019 on files changed this year - Reported-by: Philippe Marguinaud - Closes #4339 + Closes #4547 -- [Zenju brought this change] +- [Bastien Bouclet brought this change] - FTP: skip CWD to entry dir when target is absolute + mbedtls: add error message for cert validity starting in the future - Closes #4332 + Closes #4552 -Kamil Dudka (13 Sep 2019) -- curl: fix memory leaked by parse_metalink() +Jay Satiro (1 Nov 2019) +- schannel_verify: Fix concurrent openings of CA file - This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. - Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind - and libmetalink enabled. + - Open the CA file using FILE_SHARE_READ mode so that others can read + from it as well. - Closes #4326 + Prior to this change our schannel code opened the CA file without + sharing which meant concurrent openings (eg an attempt from another + thread or process) would fail during the time it was open without + sharing, which in curl's case would cause error: + "schannel: failed to open CA file". 
+ + Bug: https://curl.haxx.se/mail/lib-2019-10/0104.html + Reported-by: Richard Alcock -Daniel Stenberg (13 Sep 2019) -- parsedate: still provide the name arrays when disabled +Daniel Stenberg (31 Oct 2019) +- gtls: make gnutls_bye() not wait for response on shutdown - If FILE or FTP are enabled, since they also use them! + ... as it can make it wait there for a long time for no good purpose. - Reported-by: Roland Hieber - Fixes #4325 - Closes #4343 + Patched-by: Jay Satiro + Reported-by: Bylon2 on github + Adviced-by: Nikos Mavrogiannopoulos + + Fixes #4487 + Closes #4541 -- [Gilles Vollant brought this change] +- [Michał Janiszewski brought this change] - curl:file2string: load large files much faster + appveyor: publish artifacts on appveyor - ... by using a more efficient realloc scheme. + This allows obtaining upstream builds of curl directly from appveyor for + all the available configurations - Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html - Closes #4336 + Closes #4509 -- openssl: close_notify on the FTP data connection doesn't mean closure +- url: make Curl_close() NULLify the pointer too - For FTPS transfers, curl gets close_notify on the data connection - without that being a signal to close the control connection! + This is the common pattern used in the code and by a unified approach we + avoid mistakes. - Regression since 3f5da4e59a556fc (7.65.0) + Closes #4534 + +- [Trivikram Kamat brought this change] + + INSTALL: add missing space for configure commands - Reported-by: Zenju on github - Reviewed-by: Jay Satiro - Fixes #4329 - Closes #4340 + Closes #4539 -- [Jimmy Gaussen brought this change] +- url: Curl_free_request_state() should also free doh handles + + ... or risk DoH memory leaks. + + Reported-by: Paul Dreik + Fixes #4463 + Closes #4527 - docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag +- examples: remove the "this exact code has not been verified" - Closes #4338 + ... as really confuses the reader to not know what to believe! 
-- RELEASE-NOTES: synced +- [Trivikram Kamat brought this change] -- curlver: bump to 7.66.1 + HTTP3: fix typo somehere1 > somewhere1 + + Closes #4535 -- [Zenju brought this change] +Jay Satiro (28 Oct 2019) +- [Javier Blazquez brought this change] - setopt: make it easier to add new enum values + HTTP3: fix invalid use of sendto for connected UDP socket - ... by using the *_LAST define names better. + On macOS/BSD, trying to call sendto on a connected UDP socket fails + with a EISCONN error. Because the singleipconnect has already called + connect on the socket when we're trying to use it for QUIC transfers + we need to use plain send instead. - Closes #4321 + Fixes #4529 + Closes https://github.com/curl/curl/pull/4533 -- asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris - - Reported-by: Dagobert Michelsen - Fixes #4328 - Closes #4333 +Daniel Stenberg (28 Oct 2019) +- RELEASE-NOTES: synced -- [Bernhard Walle brought this change] +- [Javier Blazquez brought this change] - winbuild/MakefileBuild.vc: Add vssh + HTTP3: fix Windows build - Without that modification, the Windows build using the makefiles doesn't - work. + The ngtcp2 QUIC backend was using the MSG_DONTWAIT flag for send/recv + in order to perform nonblocking operations. On Windows this flag does + not exist. Instead, the socket must be set to nonblocking mode via + ioctlsocket. - Signed-off-by: Bernhard Walle + This change sets the nonblocking flag on UDP sockets used for QUIC on + all platforms so the use of MSG_DONTWAIT is not needed. - Fixes #4322 - Closes #4323 + Fixes #4531 + Closes #4532 -Bernhard Walle (11 Sep 2019) -- winbuild/MakefileBuild.vc: Fix line endings +Marcel Raad (27 Oct 2019) +- appveyor: add --disable-proxy autotools build - The file had mixed line endings. + This would have caught issue #3926. - 
Signed-off-by: Bernhard Walle - -Jay Satiro (11 Sep 2019) -- ldap: Stop using wide char version of ldapp_err2string + Also make formatting more consistent. - Despite ldapp_err2string being documented by MS as returning a - PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and - returns PWCHAR (wchar_t *). + Closes https://github.com/curl/curl/pull/4526 + +Daniel Stenberg (25 Oct 2019) +- appveyor: make winbuilds with DEBUG=no/yes and VS 2015/2017 - We have lots of code that expects ldap_err2string to return char *, - most of it failf used like this: + ... and invoke "curl -V" once done - failf(data, "LDAP local: Some error: %s", ldap_err2string(rc)); + Co-Authored-By: Jay Satiro - Closes https://github.com/curl/curl/pull/4272 - -Version 7.66.0 (10 Sep 2019) + Closes #4523 -Daniel Stenberg (10 Sep 2019) -- RELEASE-NOTES: curl 7.66.0 +- [Francois Rivard brought this change] -- THANKS: from the 7.66.0 release + schannel: reverse the order of certinfo insertions + + Fixes #4518 + Closes #4519 -- curl: make sure the parallel transfers do them all +Marcel Raad (24 Oct 2019) +- test1591: fix spelling of http feature - The logic could erroneously break the loop too early before all - transfers had been transferred. + The test never got run because the feature name is `http` in lowercase. - Reported-by: Tom van der Woerdt - Fixes #4316 - Closes #4317 + Closes https://github.com/curl/curl/pull/4520 -- urlapi: one colon is enough for the strspn() input (typo) +Daniel Stenberg (23 Oct 2019) +- [Michał Janiszewski brought this change] -- urlapi: verify the IPv6 numerical address + appveyor: Use two parallel compilation on appveyor with CMake - It needs to parse correctly. Otherwise it could be tricked into letting - through a-f using host names that libcurl would then resolve. Like - '[ab.be]'. + Appveyor provides 2 CPUs for each builder[1], make sure to use parallel + compilation, when running with CMake. 
CMake learned this new option in + version 3.12[2] and the version provided by appveyor is fresh enough. - Reported-by: Thomas Vegas - Closes #4315 - -- [Clément Notin brought this change] - - openssl: use SSL_CTX_set__proto_version() when available + Curl doesn't really take that long to build and it is using the slowest + builder available, msbuild, so expect only a moderate improvement in + build times. - OpenSSL 1.1.0 adds SSL_CTX_set__proto_version() that we now use - when available. Existing code is preserved for older versions of - OpenSSL. + [1] https://www.appveyor.com/docs/build-environment/ + [2] https://cmake.org/cmake/help/v3.12/release/3.12.html - Closes #4304 + Closes #4508 -- [Clément Notin brought this change] +- conn-reuse: requests wanting NTLM can reuse non-NTLM connections + + Added test case 338 to verify. + + Reported-by: Daniel Silverstone + Fixes #4499 + Closes #4514 - openssl: indent, re-organize and add comments +Marcel Raad (23 Oct 2019) +- tests: add missing proxy features -- [migueljcrum brought this change] +Daniel Stenberg (22 Oct 2019) +- RELEASE-NOTES: synced - sspi: fix memory leaks +Marcel Raad (21 Oct 2019) +- tests: use %FILE_PWD for file:// URLs - Closes #4299 + This way, we always have exactly one slash after the host name, making + the tests pass when curl is compiled with the MSYS GCC. + + Closes https://github.com/curl/curl/pull/4512 -- travis: disable ngtcp2 builds (again) +- tests: add `connect to non-listen` keywords + + These tests try to connect to ports nothing is listening on. + + Closes https://github.com/curl/curl/pull/4511 -- Curl_fillreadbuffer: avoid double-free trailer buf on error +- runtests: get textaware info from curl instead of perl - Reviewed-by: Jay Satiro - Reported-by: Thomas Vegas + The MSYS system on Windows can run the test suite for curl built with + any toolset. 
When built with the MSYS GCC, curl uses Unix line endings, + while it uses Windows line endings when built with the MinGW GCC, and + `^O` reports 'msys' in both cases. Use the curl executable itself to + determine the line endings instead, which reports 'x86_64-pc-msys' when + built with the MSYS GCC. - Closes #4307 + Closes https://github.com/curl/curl/pull/4506 -- tool_setopt: handle a libcurl build without netrc support +Daniel Stenberg (20 Oct 2019) +- [Michał Janiszewski brought this change] + + appveyor: Add MSVC ARM64 build - Reported-by: codesniffer13 on github - Fixes #4302 - Closes #4305 + Closes #4507 -- security:read_data fix bad realloc() +- http2_recv: a closed stream trumps pause state - ... that could end up a double-free + ... and thus should return 0, not EAGAIN. - CVE-2019-5481 - Bug: https://curl.haxx.se/docs/CVE-2019-5481.html - -- [Thomas Vegas brought this change] + Reported-by: Tom van der Woerdt + Fixes #4496 + Closes #4505 - tftp: Alloc maximum blksize, and use default unless OACK is received +- http2: expire a timeout at end of stream - Fixes potential buffer overflow from 'recvfrom()', should the server - return an OACK without blksize. + To make sure that transfer is being dealt with. Streams without + Content-Length need a final read to notice the end-of-stream state. - Bug: https://curl.haxx.se/docs/CVE-2019-5482.html - CVE-2019-5482 + Reported-by: Tom van der Woerdt + Fixes #4496 -- [Thomas Vegas brought this change] +Dan Fandrich (18 Oct 2019) +- travis: Add an ARM64 build + + Test 323 is failing for some reason, so disable it there for now. - tftp: return error when packet is too small for options +Marcel Raad (18 Oct 2019) +- examples/sslbackend: fix -Wchar-subscripts warning + + With the `isdigit` implementation that comes with MSYS2, the argument + is used as an array subscript, resulting in a -Wchar-subscripts + warning. `isdigit`'s behavior is undefined if the argument is negative + and not EOF [0]. 
As done in lib/curl_ctype.h, cast the `char` variable + to `unsigned char` to avoid that. + + [0] https://en.cppreference.com/w/c/string/byte/isdigit + + Closes https://github.com/curl/curl/pull/4503 -- KNOWN_BUGS/TODO: cleanup and remove outdated issues +Daniel Stenberg (18 Oct 2019) +- configure: remove all cyassl references + + In particular, this removes the case where configure would find an old + cyall installation rather than a wolfssl one if present. The library is + named wolfssl in modern days so there's no real need to keep support for + the former. + + Reported-by: Jacob Barthelmeh + Closes #4502 + +Marcel Raad (17 Oct 2019) +- test1162: disable MSYS2's POSIX path conversion + + This avoids MSYS2 converting the backslasb in the URL to a slash, + causing the test to fail. +Daniel Stenberg (17 Oct 2019) - RELEASE-NOTES: synced -- netrc: free 'home' on error +Jay Satiro (16 Oct 2019) +- CURLOPT_TIMEOUT.3: Clarify transfer timeout time includes queue time - Follow-up to f9c7ba9096ec2 + Prior to this change some users did not understand that the "request" + starts when the handle is added to the multi handle, or probably they + did not understand that some of those transfers may be queued and that + time is included in timeout. - Coverity CID 1453474 + Reported-by: Jeroen Ooms - Closes #4291 + Fixes https://github.com/curl/curl/issues/4486 + Closes https://github.com/curl/curl/pull/4489 -- urldata: avoid 'generic', use dedicated pointers +- [Stian Soiland-Reyes brought this change] + + tool_operate: Fix retry sleep time shown to user when Retry-After - For the 'proto' union within the connectdata struct. + - If server header Retry-After is being used for retry sleep time then + show that value to the user instead of the normal retry sleep time. 
- Closes #4290 - -- cleanup: move functions out of url.c and make them static + This is a follow-up to 640b973 (7.66.0) which changed curl tool so that + the value from Retry-After header overrides other retry timing options. - Closes #4289 + Closes https://github.com/curl/curl/pull/4498 -- smtp: check for and bail out on too short EHLO response +Daniel Stenberg (16 Oct 2019) +- url: normalize CURLINFO_EFFECTIVE_URL - Otherwise, a three byte response would make the smtp_state_ehlo_resp() - function misbehave. + The URL extracted with CURLINFO_EFFECTIVE_URL was returned as given as + input in most cases, which made it not get a scheme prefixed like before + if the URL was given without one, and it didn't remove dotdot sequences + etc. - Credit to OSS-Fuzz - Bug: https://crbug.com/oss-fuzz/16918 + Added test case 1907 to verify that this now works as intended and as + before 7.62.0. - Assisted-by: Max Dymond + Regression introduced in 7.62.0 - Closes #4287 + Reported-by: Christophe Dervieux + Fixes #4491 + Closes #4493 -- smb: init *msg to NULL in smb_send_and_recv() - - ... it might otherwise return OK from this function leaving that pointer - uninitialized. +Marcel Raad (16 Oct 2019) +- tests: line ending fixes for Windows - Bug: https://crbug.com/oss-fuzz/16907 + Mark some files as text. - Closes #4286 + Closes https://github.com/curl/curl/pull/4490 -- ROADMAP: updated after recent user poll +- tests: use proxy feature - In rough prio order - -- THANKS: remove duplicate - -- Curl_addr2string: take an addrlen argument too + This makes the tests succeed when using --disable-proxy. - This allows the function to figure out if a unix domain socket has a - file name or not associated with it! When a socket is created with - socketpair(), as done in the fuzzer testing, the path struct member is - uninitialized and must not be accessed. 
+ Closes https://github.com/curl/curl/pull/4488 + +- smbserver: fix Python 3 compatibility - Bug: https://crbug.com/oss-fuzz/16699 + Python 2's `ConfigParser` module is spelled `configparser` in Python 3. - Closes #4283 + Closes https://github.com/curl/curl/pull/4484 -- [Rolf Eike Beer brought this change] +- security: silence conversion warning + + With MinGW-w64, `curl_socket_t` is is a 32 or 64 bit unsigned integer, + while `read` expects a 32 bit signed integer. + Use `sread` instead of `read` to use the correct parameter type. + + Closes https://github.com/curl/curl/pull/4483 - CMake: remove needless newlines at end of gss variables +- connect: silence sign-compare warning + + With MinGW-w64 using WinSock, `curl_socklen_t` is signed, while the + result of `sizeof` is unsigned. + + Closes https://github.com/curl/curl/pull/4483 -- [Rolf Eike Beer brought this change] +Daniel Stenberg (13 Oct 2019) +- TODO: Handle growing SFTP files + + Closes #4344 - CI: remove duplicate configure flag for LGTM.com +- KNOWN_BUGS: remove "CURLFORM_CONTENTLEN in an array" + + The curl_formadd() function is deprecated and shouldn't be used so the + real fix for applications is to switch to the curl_mime_* API. -- [Rolf Eike Beer brought this change] +- KNOWN_BUGS: "LDAP on Windows does authentication wrong" + + Closes #3116 - CMake: use platform dependent name for dlopen() library +- appveyor: add a winbuild that uses VS2017 - Closes #4279 + Closes #4482 -- quiche: expire when poll returned data +- [Harry Sintonen brought this change] + + socketpair: fix include and define for older TCP header systems - ... to make sure we continue draining the queue until empty + fixed build for systems that need netinet/in.h for IPPROTO_TCP and are + missing INADDR_LOOPBACK - Closes #4281 + Closes #4480 -- quiche: decrease available buffer size, don't assign it! 
+- socketpair: fix double-close in error case - Found-by: Jeremy Lainé + Follow-up to bc2dbef0afc08 -- RELEASE-NOTES: synced +- gskit: use the generic Curl_socketpair -- [Kyohei Kadota brought this change] +- asyn-thread: make use of Curl_socketpair() where available - curl: fix include conditions +- socketpair: an implemention for Windows and more + + Curl_socketpair() is designed to be used and work everywhere if there's + no native version or the native version isn't good enough. + + Closes #4466 -- [Kyohei Kadota brought this change] +- RELEASE-NOTES: synced - plan9: fix installation instructions +- connect: return CURLE_OPERATION_TIMEDOUT for errno == ETIMEDOUT - Closes #4276 - -- ngtcp2: on h3 stream close, call expire + Previosly all connect() failures would return CURLE_COULDNT_CONNECT, no + matter what errno said. - ... to trigger a new read to detect the stream close! + This makes for example --retry work on these transfer failures. - Closes #4275 + Reported-by: Nathaniel J. Smith + Fixes #4461 + Clsoes #4462 -- [Tatsuhiro Tsujikawa brought this change] +- cirrus: switch off blackhole status on the freebsd CI machines - ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl +- tests: use port 2 instead of 60000 for a safer non-listening port - Closes #4278 + ... when the tests want "connection refused". -- ngtcp2: set flow control window to stream buffer size +- KNOWN_BUGS: IDN tests failing on Windows - Closes #4274 - -- [Christopher Head brought this change] + Closes #3747 - CURLOPT_HEADERFUNCTION.3: clarify +Dan Fandrich (9 Oct 2019) +- cirrus: Increase the git clone depth. - Closes #4273 + If more commits are submitted to master between the time of triggering + the first Cirrus build and the time the final build gets started, the + desired commit is no longer at HEAD and the build will error out. 
+ [skip ci] -- CURLINFO docs: mention that in redirects times are added - - Suggested-by: Brandon Dong - Fixes #4250 - Closes #4269 +Daniel Stenberg (9 Oct 2019) +- docs: make sure the --no-progress-meter docs file is in dist too -- travis: enable ngtcp2 builds again +- docs: document it as --no-progress-meter instead of the reverse - Switched to the openssl-quic-draft-22 openssl branch. + Follow-up to 93373a960c3bb4 - Closes #4271 - -- HTTP3: switched openssl branch to use - -- [Tatsuhiro Tsujikawa brought this change] + Reported-by: infinnovation-dev on github + Fixes #4474 + Closes #4475 - ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl +Dan Fandrich (9 Oct 2019) +- cirrus: Switch the FreeBSD 11.x build to 11.3 and add a 13.0 build. - Closes #4270 + Also, select the images using image_family to get the latest snapshots + automatically. + [skip ci] -- http2: when marked for closure and wanted to close == OK +Daniel Stenberg (8 Oct 2019) +- curl: --no-progress-meter - It could otherwise return an error even when closed correctly if GOAWAY - had been received previously. + New option that allows a user to ONLY switch off curl's progress meter + and leave everything else in "talkative" mode. - Reported-by: Tom van der Woerdt - Fixes #4267 - Closes #4268 - -- RELEASE-NOTES: synced + Reported-by: Piotr Komborski + Fixes #4422 + Closes #4470 -- build-openssl: fix build with Visual Studio 2019 +- TODO: Consult %APPDATA% also for .netrc - Reviewed-by: Marcel Raad - Contributed-by: osabc on github - Fixes #4188 - Closes #4266 + Closes #4016 -Kamil Dudka (26 Aug 2019) -- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure +- CURLOPT_TIMEOUT.3: remove the mention of "minutes" - This is a follow-up to https://github.com/curl/curl/pull/3864 . + ... just say that limiting operations risk aborting otherwise fine + working transfers. If that means seconds, minutes or hours, we leave to + the user. 
- Closes #4224 + Reported-by: Martin Gartner + Closes #4469 -Daniel Stenberg (26 Aug 2019) -- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows - - Closes #4040 +- [Andrei Valeriu BICA brought this change] -- quiche: send the HTTP body correctly on callback uploads + docs: added multi-event.c example - Closes #4265 + Similar to multi-uv.c but using libevent 2. This is a simpler libevent + integration example then hiperfifo.c. + + Closes #4471 -- travis: disable ngtcp2 builds (temporarily) +Jay Satiro (5 Oct 2019) +- [Nicolas brought this change] + + ldap: fix OOM error on missing query string - Just too many API changes right now + - Allow missing queries, don't return NO_MEMORY error in such a case. - Closes #4264 - -- ngtcp2: add support for SSLKEYLOGFILE + It is acceptable for there to be no specified query string, for example: - Closes #4260 - -- ngtcp2: improve h3 response receiving + curl ldap://ldap.forumsys.com - Closes #4259 + A regression bug in 1b443a7 caused this issue. + + This is a partial fix for #4261. + + Bug: https://github.com/curl/curl/issues/4261#issuecomment-525543077 + Reported-by: Jojojov@users.noreply.github.com + Analyzed-by: Samuel Surtees + + Closes https://github.com/curl/curl/pull/4467 -- ngtcp2: use nghttp3_version() +- [Paul B. Omta brought this change] -- ngtcp2: sync with upstream API changes + build: Remove unused HAVE_LIBSSL and HAVE_LIBCRYPTO defines - Assisted-by: Tatsuhiro Tsujikawa + Closes https://github.com/curl/curl/pull/4460 -- [Kyle Abramowitz brought this change] +Daniel Stenberg (5 Oct 2019) +- RELEASE-NOTES: synced - scp: fix directory name length used in memcpy - - Fix read off end of array due to bad pointer math in getworkingpath for - SCP home directory case. - - Closes #4258 +- [Stian Soiland-Reyes brought this change] -- http: the 'closed' struct field is used by both ngh2 and ngh3 + curl: ensure HTTP 429 triggers --retry - and remove 'header_recvbuf', not used for anything + This completes #3794. 
- Reported-by: Jeremy Lainé + Also make sure the new tests from #4195 are enabled - Closes #4257 + Closes #4465 -- ngtcp2: accept upload via callback - - Closes #4256 +Marcel Raad (4 Oct 2019) +- [apique brought this change] -- defines: avoid underscore-prefixed defines + winbuild: add ENABLE_UNICODE option - Double-underscored or underscore plus uppercase letter at least. + Fixes https://github.com/curl/curl/issues/4308 + Closes https://github.com/curl/curl/pull/4309 + +Daniel Stenberg (4 Oct 2019) +- ngtcp2: adapt to API change - ... as they're claimed to be reserved. + Closes #4457 + +- cookies: change argument type for Curl_flush_cookies - Reported-by: patnyb on github + The second argument is really a 'bool' so use that and pass in TRUE/FALSE + to make it clear. - Fixes #4254 - Closes #4255 + Closes #4455 -- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) +- http2: move state-init from creation to pre-transfer - Runs no tests + To make sure that the HTTP/2 state is initialized correctly for + duplicated handles. It would otherwise easily generate "spurious" + PRIORITY frames to get sent over HTTP/2 connections when duplicated easy + handles were used. - Closes #4253 + Reported-by: Daniel Silverstone + Fixes #4303 + Closes #4442 -- travis: bump to using nghttp2 version 1.39.2 +- urlapi: fix use-after-free bug - Closes #4252 - -- [Gisle Vanem brought this change] - - docs/examples/curlx: fix errors + Follow-up from 2c20109a9b5d04 - Initialise 'mimetype' and require the -p12 arg. + Added test 663 to verify. - Closes #4248 - -- cleanup: remove DOT_CHAR completely + Reported by OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/17954 - Follow-up to f9c7ba9096ec + Closes #4453 + +- [Paul Dreik brought this change] + + cookie: avoid harmless use after free - The use of DOT_CHAR for ".ssh" was probably a mistake and is removed - now. 
+ This fix removes a use after free which can be triggered by + the internal cookie fuzzer, but otherwise is probably + impossible to trigger from an ordinary application. - Pointed-out-by: Gisle Vanem - Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 + The following program reproduces it: - Closes #4247 - -- spnego_sspi: add typecast to fix build warning + curl_global_init(CURL_GLOBAL_DEFAULT); + CURL* handle=curl_easy_init(); + CookieInfo* info=Curl_cookie_init(handle,NULL,NULL,false); + curl_easy_setopt(handle, CURLOPT_COOKIEJAR, "/dev/null"); + Curl_flush_cookies(handle, true); + Curl_cookie_cleanup(info); + curl_easy_cleanup(handle); + curl_global_cleanup(); - Reported in build "Win32 target on Debian Stretch (64-bit) - - i686-w64-mingw32 - gcc-20170516" + This was found through fuzzing. - Closes #4245 + Closes #4454 -- openssl: build warning free with boringssl - - Closes #4244 +- [Denis Chaplygin brought this change] -- curl: make --libcurl use CURL_HTTP_VERSION_3 + docs: add note on failed handles not being counted by curl_multi_perform - Closes #4243 + Closes #4446 -- ngtcp2: make postfields-set posts work - - Closes #4242 +- CURLMOPT_MAX_CONCURRENT_STREAMS.3: fix SEE ALSO typo -- http: remove chunked-encoding and expect header use for HTTP/3 +- [Niall O'Reilly brought this change] -- [Alessandro Ghedini brought this change] - - configure: use pkg-config to detect quiche + ESNI: initial build/setup - This removes the need to hard-code the quiche target path in - configure.ac. + Closes #4011 + +- RELEASE-NOTES: synced + +- redirect: when following redirects to an absolute URL, URL encode it - This depends on https://github.com/cloudflare/quiche/pull/128 + ... to make it handle for example (RFC violating) embeded spaces. 
- Closes #4237 + Reported-by: momala454 on github + Fixes #4445 + Closes #4447 -- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 +- urlapi: fix URL encoding when setting a full URL + +- tool_operate: rename functions to make more sense + +- curl: create easy handles on-demand and not ahead of time - For a long time (since 7.28.1) we've returned error when setting the - value to 1 to make applications notice that we stopped supported the old - behavior for 1. Starting now, we treat 1 and 2 exactly the same. + This should again enable crazy-large download ranges of the style + [1-10000000] that otherwise easily ran out of memory starting in 7.66.0 + when this new handle allocating scheme was introduced. - Closes #4241 + Reported-by: Peter Sumatra + Fixes #4393 + Closes #4438 -- curl: use .curlrc (with a dot) on Windows as well +- [Kunal Ekawde brought this change] + + CURLMOPT_MAX_CONCURRENT_STREAMS: new setopt - Fall-back to _curlrc if the dot-version is missing. + Closes #4410 + +- chunked-encoding: stop hiding the CURLE_BAD_CONTENT_ENCODING error - Co-Authored-By: Steve Holme + Unknown content-encoding would get returned as CURLE_WRITE_ERROR if the + response is chunked-encoded. - Closes #4230 + Reported-by: Ilya Kosarev + Fixes #4310 + Closes #4449 -- netrc: make the code try ".netrc" on Windows as well +Marcel Raad (1 Oct 2019) +- checksrc: fix uninitialized variable warning - ... but fall back and try "_netrc" too if the dot version didn't work. + The loop doesn't need to be executed without a file argument. - Co-Authored-By: Steve Holme + Closes https://github.com/curl/curl/pull/4444 -- ngtcp2: use ngtcp2_version() to get the run-time version +- urlapi: fix unused variable warning - ... which of course doesn't have to be the same used at build-time. + `dest` is only used with `ENABLE_IPV6`. - Function just recently merged in ngtcp2. 
+ Closes https://github.com/curl/curl/pull/4444 -- ngtcp2: move the h3 initing to immediately after the rx key - - To fix a segfault and to better deal with 0-RTT +- lib: silence conversion warnings - Assisted-by: Tatsuhiro Tsujikawa + Closes https://github.com/curl/curl/pull/4444 -- [Alessandro Ghedini brought this change] +- AppVeyor: add 32-bit MinGW-w64 build + + With WinSSL and testing enabled so that it would have detected most of + the warnings fixed in [0] and [1]. + + [0] https://github.com/curl/curl/pull/4398 + [1] https://github.com/curl/curl/pull/4415 + + Closes https://github.com/curl/curl/pull/4433 - quiche: register debug callback once and earlier +- AppVeyor: remove MSYS2_ARG_CONV_EXCL for winbuild - The quiche debug callback is global and can only be initialized once, so - make sure we don't do it multiple times (e.g. if multiple requests are - executed). + It's only used for MSYS2 with MinGW. - In addition this initializes the callback before the connection is - created, so we get logs for the handshake as well. + Closes + +Daniel Stenberg (30 Sep 2019) +- [Emil Engler brought this change] + + git: add tests/server/disabled to .gitignore - Closes #4236 + Closes #4441 -- ssh: add a generic Curl_ssh_version function for SSH backends +- altsvc: accept quoted ma and persist values - Closes #4235 + As mandated by the spec. Test 1654 is extended to verify. 
+ + Closes #4443 -- base64: check for SSH, not specific SSH backends +- mailmap: a Lucas fix -- vssh: move ssh init/cleanup functions into backend code +Alessandro Ghedini (29 Sep 2019) +- [Lucas Pardue brought this change] -- vssh: create directory for SSH backend code + quiche: update HTTP/3 config creation to new API -- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 - - HTTP3 is now already in full progress +Daniel Stenberg (29 Sep 2019) +- BINDINGS: PureBasic, Net::Curl for perl and Nim + +- BINDINGS: Kapito is an Erlang library, basically a binding + +- BINDINGS: added clj-curl - Downgrade redirects can be achived almost exactly like that by setting - CURLOPT_REDIR_PROTOCOLS. + Reported-by: Lucas Severo -- RELEASE-NOTES: synced +- [Jay Satiro brought this change] -- travis: add a quiche build + docs: disambiguate CURLUPART_HOST is for host name (ie no port) - Closes #4207 + Closes #4424 -- http: fix use of credentials from URL when using HTTP proxy +- cookies: using a share with cookies shouldn't enable the cookie engine - When a username and password are provided in the URL, they were wrongly - removed from the stored URL so that subsequent uses of the same URL - wouldn't find the crendentials. This made doing HTTP auth with multiple - connections (like Digest) mishave. + The 'share object' only sets the storage area for cookies. The "cookie + engine" still needs to be enabled or activated using the normal cookie + options. - Regression from 46e164069d1a5230 (7.62.0) + This caused the curl command line tool to accidentally use cookies + without having been told to, since curl switched to using shared cookies + in 7.66.0. - Test case 335 added to verify. 
+ Test 1166 verifies - Reported-by: Mike Crowe + Updated test 506 - Fixes #4228 - Closes #4229 + Fixes #4429 + Closes #4434 -- [Mike Crowe brought this change] +- setopt: handle ALTSVC set to NULL - tests: Replace outdated test case numbering documentation - - Tests are no longer grouped by numeric range[1]. Let's stop saying that - and provide some alternative advice for numbering tests. - - [1] https://curl.haxx.se/mail/lib-2019-08/0043.html +- RELEASE-NOTES: synced + +- [grdowns brought this change] + + INSTALL: add vcpkg installation instructions - Closes #4227 + Closes #4435 -- travis: reduce number of torture tests in 'coverage' +- [Zenju brought this change] + + FTP: add test for FTPFILE_NOCWD: Avoid redundant CWDs - ... to make it complete in time. This cut seems not almost not affect - the coverage percentage and yet completes within 35 minutes on travis - where the previous runs recently always timed out after 50. + Add libtest 661 - Closes #4223 + Closes #4417 -- [Igor Makarov brought this change] +- [Zenju brought this change] - configure: use -lquiche to link to quiche + FTP: url-decode path before evaluation - Closes #4226 + Closes #4428 -- ngtcp2: provide the callbacks as a static struct +Marcel Raad (27 Sep 2019) +- tests: fix narrowing conversion warnings - ... instead of having them in quicsocket - -- [Tatsuhiro Tsujikawa brought this change] - - ngtcp2: add missing nghttp3_conn_add_write_offset call + `timediff_t` is 64 bits wide also on 32-bit systems since + commit b1616dad8f0. 
- Closes #4225 + Closes https://github.com/curl/curl/pull/4415 -- [Tatsuhiro Tsujikawa brought this change] +Jay Satiro (27 Sep 2019) +- [julian brought this change] - ngtcp2: deal with stream close + vtls: Fix comment typo about macosx-version-min compiler flag + + Closes https://github.com/curl/curl/pull/4425 -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (26 Sep 2019) +- [Yechiel Kalmenson brought this change] - ngtcp2: Consume QUIC STREAM data properly + README: minor grammar fix + + Closes #4431 -- [Tatsuhiro Tsujikawa brought this change] +- [Spezifant brought this change] - ngtcp2: don't reinitialize SSL on Retry + HTTP3: fix prefix parameter for ngtcp2 build + + Closes #4430 -- multi: getsock improvements for QUIC connecting +- quiche: don't close connection at end of stream! -- connect: connections are persistent by default for HTTP/3 +- quiche: set 'drain' when returning without having drained the queues -- quiche: happy eyeballs +- Revert "FTP: url-decode path before evaluation" - Closes #4220 + This reverts commit 2f036a72d543e96128bd75cb0fedd88815fd42e2. -- ngtcp2: do QUIC connections happy-eyeballs friendly +- HTTP3: merged and simplified the two 'running' sections -- curl_version: bump string buffer size to 250 - - With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which - causes a truncated output). +- HTTP3: show an --alt-svc using example too -- CURLOPT_ALTSVC.3: use a "" file name to not load from a file +- [Zenju brought this change] -Jay Satiro (14 Aug 2019) -- vauth: Use CURLE_AUTH_ERROR for auth function errors - - - Add new error code CURLE_AUTH_ERROR. - - Prior to this change auth function errors were signaled by - CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was - technically correct. 
- - Ref: https://github.com/curl/curl/pull/3848 - - Co-authored-by: Dominik Hölzl + FTP: url-decode path before evaluation - Closes https://github.com/curl/curl/pull/3864 + Closes #4423 -Daniel Stenberg (13 Aug 2019) -- curl_version_info: make the quic_version a const +- openssl: use strerror on SSL_ERROR_SYSCALL - Follow-up from 1a2df1518ad8653f + Instead of showing the somewhat nonsensical errno number, use strerror() + to provide a more relatable error message. - Closes #4222 + Closes #4411 -- examples: add http3.c, altsvc.c and http3-present.c +- HTTP3: update quic.aiortc.org + add link to server list - Closes #4221 + Reported-by: Jeremy Lainé -Peter Wu (13 Aug 2019) -- nss: use TLSv1.3 as default if supported +Jay Satiro (26 Sep 2019) +- url: don't set appconnect time for non-ssl/non-ssh connections - SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported - range in NSS 3.45. It looks like the intention is to raise the minimum - version rather than lowering the maximum, so adjust accordingly. Note - that the caller (nss_setup_connect) initializes the version range to - (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. + Prior to this change non-ssl/non-ssh connections that were reused set + TIMER_APPCONNECT [1]. Arguably that was incorrect since no SSL/SSH + handshake took place. - Closes #4187 - Reviewed-by: Daniel Stenberg - Reviewed-by: Kamil Dudka - -Daniel Stenberg (13 Aug 2019) -- quic.h: remove unused proto - -- curl_version_info.3: mentioned ALTSVC and HTTP3 + [1]: TIMER_APPCONNECT is publicly known as CURLINFO_APPCONNECT_TIME in + libcurl and %{time_appconnect} in the curl tool. It is documented as + "the time until the SSL/SSH handshake is completed". - ... 
and sorted the list alphabetically - -- lib/quic.c: unused - removed - -- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED + Reported-by: Marcel Hernandez - Follow-up to 98c3f148 that removed it from the header file - -- [Junho Choi brought this change] + Ref: https://github.com/curl/curl/issues/3760 + + Closes https://github.com/curl/curl/pull/3773 - docs/HTTP3: simplify quiche build instruction +Daniel Stenberg (25 Sep 2019) +- ngtcp2: remove fprintf() calls - Use --recursive to get boringssl in one line + - convert some of them to H3BUF() calls to infof() + - remove some of them completely + - made DEBUG_HTTP3 defined only if CURLDEBUG is set for now - Closes #4219 + Closes #4421 -- altsvc: make it use h3-22 with ngtcp2 as well +- [Jay Satiro brought this change] -- ngtcp2: initial h3 request work + url: fix the NULL hostname compiler warning case - Closes #4217 + Closes #4403 -- curl_version_info: offer quic (and h3) library info - - Closes #4216 +- [Jay Satiro brought this change] -- HTTP3: use ngtcp2's draft-22 branch + travis: move the go install to linux-only + + ... to repair the build again + Closes #4403 -- RELEASE-NOTES: synced +- altsvc: correct the #ifdef for the ngtcp2 backend -- CURLOPT_READFUNCTION.3: provide inline example +- altsvc: save h3 as h3-23 - ... instead of mentioning one in another place - -- [Tatsuhiro Tsujikawa brought this change] + Follow-up to d176a2c7e5 - ngtcp2: send HTTP/3 request with nghttp3 +- urlapi: question mark within fragment is still fragment - This commit makes sending HTTP/3 request with nghttp3 work. It - minimally receives HTTP response and calls nghttp3 callbacks, but no - processing is made at the moment. + The parser would check for a query part before fragment, which caused it + to do wrong when the fragment contains a question mark. - Closes #4215 + Extended test 1560 to verify. 
+ + Reported-by: Alex Konev + Fixes #4412 + Closes #4413 -- nghttp3: initial h3 template code added +- [Alex Samorukov brought this change] -- nghttp3: required when ngtcp2 is used for QUIC + HTTP3.md: move -p for mkdir, remove -j for make - - checked for by configure - - updated docs/HTTP3.md - - shown in the version string + - mkdir on OSX/Darwin requires `-p` argument before dir - Closes #4210 - -- [Eric Wong brought this change] - - asyn-thread: issue CURL_POLL_REMOVE before closing socket + - portabbly figuring out number of cores is an exercise for somewhere + else - This avoids EBADF errors from EPOLL_CTL_DEL operations in the - ephiperfifo.c example. EBADF is dangerous in multi-threaded - applications where I rely on epoll_ctl to operate on the same - epoll description from different threads. + Closes #4407 + +Patrick Monnerat (24 Sep 2019) +- os400: getpeername() and getsockname() return ebcdic AF_UNIX sockaddr, - Follow-up to eb9a604f8d7db8 + As libcurl now uses these 2 system functions, wrappers are needed on os400 + to convert returned AF_UNIX sockaddrs to ascii. - Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html - Closes #4211 + This is a follow-up to commit 7fb54ef. + See also #4037. + Closes #4214 -- [Carlo Marcelo Arenas Belón brought this change] +Jay Satiro (24 Sep 2019) +- [Lucas Pardue brought this change] - configure: avoid undefined check_for_ca_bundle + strcase: fix raw lowercasing the letter X - instead of using a "greater than 0" test, check for variable being - set, as it is always set to 1, and could be left unset if non of - OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. + Casing mistake in Curl_raw_tolower 'X' wasn't lowercased as 'x' prior to + this change. - Closes #4213 + Follow-up to 0023fce which added the function several days ago. 
+ + Ref: https://github.com/curl/curl/pull/4401#discussion_r327396546 + + Closes https://github.com/curl/curl/pull/4408 -- [Tatsuhiro Tsujikawa brought this change] +Daniel Stenberg (23 Sep 2019) +- http2: Expression 'stream->stream_id != - 1' is always true + + PVS-Studio warning + Fixes #4402 - ngtcp2: Send ALPN h3-22 +- http2: A value is being subtracted from the unsigned variable - Closes #4212 + PVS-Studio warning + Fixes #4402 -- [Tatsuhiro Tsujikawa brought this change] +- libssh: part of conditional expression is always true: !result + + PVS-Studio warning + Fixed #4402 - ngtcp2: use ngtcp2_settings_default and specify initial_ts +- libssh: part of conditional expression is always true + + PVS-Studio warning + Fixes #4402 -- curl_global_init_mem.3: mention it was added in 7.12.0 +- libssh: The expression is excessive or contains a misprint + + PVS-Studio warning + Fixes #4402 -- [Tatsuhiro Tsujikawa brought this change] +- quiche: The expression must be surrounded by parentheses + + PVS-Studio warning + Fixes #4402 - ngtcp2: make the QUIC handshake work +- vauth: The parameter 'status' must be surrounded by parentheses - Closes #4209 + PVS-Studio warning + Fixes #4402 -- [Alex Mayorga brought this change] +- [Paul Dreik brought this change] - HTTP3.md: Update quiche build instructions - - Added cloning for quiche and BoringSSL and modified the build - instructions so they work on a clean folder. + doh: allow only http and https in debug mode - Closes #4208 - -- CURLOPT_H3: removed + Otherwise curl may be told to use for instance pop3 to + communicate with the doh server, which most likely + is not what you want. - There's no use for this anymore and it was never in a release. + Found through fuzzing. 
- Closes #4206 + Closes #4406 -- http3: make connection reuse work +- [Paul Dreik brought this change] + + doh: return early if there is no time left - Closes #4204 + Closes #4406 -- quiche: add SSLKEYLOGFILE support +- [Barry Pollard brought this change] -- cleanup: s/curl_debug/curl_dbg_debug in comments and docs + http: lowercase headernames for HTTP/2 and HTTP/3 - Leftovers from the function rename back in 76b63489495 + Closes #4401 + Fixes #4400 + +Marcel Raad (23 Sep 2019) +- vtls: fix narrowing conversion warnings - Reported-by: Gisle Vanem - Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com - mitcomment-34601751 + Curl_timeleft returns `timediff_t`, which is 64 bits wide also on + 32-bit systems since commit b1616dad8f0. - Closes #4203 + Closes https://github.com/curl/curl/pull/4398 -- RELEASE-NOTES: synced +Daniel Stenberg (23 Sep 2019) +- [Joel Depooter brought this change] -- alt-svc: add protocol version selection masking - - So that users can mask in/out specific HTTP versions when Alt-Svc is - used. + winbuild: Add manifest to curl.exe for proper OS version detection - - Removed "h2c" and updated test case accordingly - - Changed how the altsvc struct is laid out - - Added ifdefs to make the unittest run even in a quiche-tree + This is a small fix to commit ebd213270a017a6830928ee2e1f4a9cabc799898 + in pull request #1221. That commit added the CURL_EMBED_MANIFEST flag to + CURL_RC_FLAGS. However, later in the file CURL_RC_FLAGS is + overwritten. The fix is to append values to CURL_RC_FLAGS instead of + overwriting - Closes #4201 + Closes #4399 -- http3: fix the HTTP/3 in the request, make alt-svc set right versions - - Closes #4200 +- RELEASE-NOTES: synced -- alt-svc: send Alt-Used: in redirected requests +Marcel Raad (22 Sep 2019) +- openssl: fix compiler warning with LibreSSL - RFC 7838 section 5: + It was already fixed for BoringSSL in commit a0f8fccb1e0. 
+ LibreSSL has had the second argument to SSL_CTX_set_min_proto_version + as uint16_t ever since the function was added in [0]. - When using an alternative service, clients SHOULD include an Alt-Used - header field in all requests. + [0] https://github.com/libressl-portable/openbsd/commit/56f107201baefb5533486d665a58d8f57fd3aeda - Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus - this is deemed ok). + Closes https://github.com/curl/curl/pull/4397 + +Daniel Stenberg (22 Sep 2019) +- curl: exit the create_transfers loop on errors - You can disable sending this header just like you disable any other HTTP - header in libcurl. + When looping around the ranges and given URLs to create transfers, all + errors should exit the loop and return. Previously it would keep + looping. - Closes #4199 + Reported-by: SumatraPeter on github + Bug: #4393 + Closes #4396 -- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly - - Even though it cannot fall-back to a lower HTTP version automatically. The - safer way to upgrade remains via CURLOPT_ALTSVC. +Jay Satiro (21 Sep 2019) +- socks: Fix destination host shown on SOCKS5 error - CURLOPT_H3 no longer has any bits that do anything and might be removed - before we remove the experimental label. + Prior to this change when a server returned a socks5 connect error then + curl would parse the destination address:port from that data and show it + to the user as the destination: - Updated the curl tool accordingly to use "--http3". + curld -v --socks5 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to IPv4 172.217.12.206 (locally resolved) + * Can't complete SOCKS5 connection to 253.127.0.0:26673. (1) + curl: (7) Can't complete SOCKS5 connection to 253.127.0.0:26673. 
(1) - Closes #4197 - -- docs/ALTSVC: remove what works and the experimental explanation + That's incorrect because the address:port included in the connect error + is actually a bind address:port (typically unused) and not the + destination address:port. This fix changes curl to show the destination + information that curl sent to the server instead: - Also, put the TODO items at the bottom. + curld -v --socks5 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to IPv4 172.217.7.14:99 (locally resolved) + * Can't complete SOCKS5 connection to 172.217.7.14:99. (1) + curl: (7) Can't complete SOCKS5 connection to 172.217.7.14:99. (1) - Closes #4198 - -- docs/EXPERIMENTAL: explain what it means and what's experimental now - -- curl: make use of CURLINFO_RETRY_AFTER when retrying + curld -v --socks5-hostname 10.0.3.1:1080 http://google.com:99 + * SOCKS5 communication to google.com:99 + * SOCKS5 connect to google.com:99 (remotely resolved) + * Can't complete SOCKS5 connection to google.com:99. (1) + curl: (7) Can't complete SOCKS5 connection to google.com:99. (1) - If a Retry-After: header was used in the response, that value overrides - other retry timing options. + Ref: https://tools.ietf.org/html/rfc1928#section-6 - Fixes #3794 - Closes #4195 + Closes https://github.com/curl/curl/pull/4394 -- curl: use CURLINFO_PROTOCOL to check for HTTP(s) - - ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. +Daniel Stenberg (21 Sep 2019) +- travis: enable ngtcp2 h3-23 builds -- CURLINFO_RETRY_AFTER: parse the Retry-After header value - - This is only the libcurl part that provides the information. There's no - user of the parsed value. This change includes three new tests for the - parser. 
+- altsvc: both backends run h3-23 now - Ref: #3794 - -- docs/ALTSVC.md: first basic file format description + Closes #4395 -- curl: have -w's 'http_version' show '3' for HTTP/3 +- http: fix warning on conversion from int to bit - Closes #4196 + Follow-up from 03ebe66d70 -- curl.h: add CURL_HTTP_VERSION_3 to the version enum +- urldata: use 'bool' for the bit type on MSVC compilers - It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with - CURLINFO_HTTP_VERSION. - -- quiche: make use of the connection timeout API properly + Closes #4387 + Fixes #4379 -- quiche: make POSTFIELDS posts work +- appveyor: upgrade VS2017 to VS2019 + + Closes #4383 -- quiche: improved error handling and memory cleanups +- [Zenju brought this change] -- quiche: flush egress in h3_stream_recv() too + FTP: FTPFILE_NOCWD: avoid redundant CWDs + + Closes #4382 -- RELEASE-NOTES: synced +- cookie: pass in the correct cookie amount to qsort() + + As the loop discards cookies without domain set. This bug would lead to + qsort() trying to sort uninitialized pointers. We have however not found + it a security problem. + + Reported-by: Paul Dreik + Closes #4386 -Jay Satiro (6 Aug 2019) -- [Patrick Monnerat brought this change] +- [Paul Dreik brought this change] - os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). + urlapi: avoid index underflow for short ipv6 hostnames - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 + If the input hostname is "[", hlen will underflow to max of size_t when + it is subtracted with 2. - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. 
+ hostname[hlen] will then cause a warning by ubsanitizer: - Closes https://github.com/curl/curl/pull/4186 - -- tests: Fix the line endings for the SASL alt-auth tests + runtime error: addition of unsigned offset to 0x overflowed to + 0x - - Change data and protocol sections to CRLF line endings. + I think that in practice, the generated code will work, and the output + of hostname[hlen] will be the first character "[". - Prior to this change the tests would fail or hang, which is because - certain sections such as protocol require CRLF line endings. + This can be demonstrated by the following program (tested in both clang + and gcc, with -O3) - Follow-up to grandparent commit which added the tests. + int main() { + char* hostname=strdup("["); + size_t hlen = strlen(hostname); - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 + hlen-=2; + hostname++; + printf("character is %d\n",+hostname[hlen]); + free(hostname-1); + } - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. + I found this through fuzzing, and even if it seems harmless, the proper + thing is to return early with an error. - Closes https://github.com/curl/curl/pull/4186 + Closes #4389 -- [Steve Holme brought this change] +- [Tatsuhiro Tsujikawa brought this change] - examples: Added SASL PLAIN authorisation identity (authzid) examples - - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 - - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. 
+ ngtcp2: compile with latest ngtcp2 + nghttp3 draft-23 - Closes https://github.com/curl/curl/pull/4186 + Closes #4392 -- [Steve Holme brought this change] +- THANKS-filter: deal with my typos 'Jat' => 'Jay' - curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool - - Ref: https://github.com/curl/curl/issues/3653 - Ref: https://github.com/curl/curl/pull/3790 +- travis: use go master - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. + ... as the boringssl builds needs a very recent version - Closes https://github.com/curl/curl/pull/4186 - -- [Steve Holme brought this change] + Co-authored-by: Jat Satiro + Closes #4361 - sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID +- tool_operate: removed unused variable 'done' - Added the ability for the calling program to specify the authorisation - identity (authzid), the identity to act as, in addition to the - authentication identity (authcid) and password when using SASL PLAIN - authentication. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- tool_operate: Expression 'config->resume_from' is always true - Fixes #3653 - Closes #3790 + Fixes warning detected by PVS-Studio + Fixes #4374 + +- tool_getparam: remove duplicate switch case - NOTE: This commit was cherry-picked and is part of a series of commits - that added the authzid feature for upcoming 7.66.0. The series was - temporarily reverted in db8ec1f so that it would not ship in a 7.65.x - patch release. 
+ Fixes warning detected by PVS-Studio + Fixes #4374 + +- libssh2: part of conditional expression is always true: !result - Closes https://github.com/curl/curl/pull/4186 + Fixes warning detected by PVS-Studio + Fixes #4374 -Daniel Stenberg (6 Aug 2019) -- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested +- urlapi: Expression 'storep' is always true + + Fixes warning detected by PVS-Studio + Fixes #4374 -- [Yiming Jing brought this change] +- urlapi: 'scheme' is always true + + Fixes warning detected by PVS-Studio + Fixes #4374 - mesalink: implement client authentication +- urlapi: part of conditional expression is always true: (relurl[0] == '/') - Closes #4184 + Fixes warning detected by PVS-Studio + Fixes #4374 -- curl_multi_poll: a sister to curl_multi_wait() that waits more +- setopt: store CURLOPT_RTSP_SERVER_CSEQ correctly - Repeatedly we see problems where using curl_multi_wait() is difficult or - just awkward because if it has no file descriptor to wait for - internally, it returns immediately and leaves it to the caller to wait - for a small amount of time in order to avoid occasional busy-looping. + Fixes bug detected by PVS-Studio + Fixes #4374 + +- mime: make Curl_mime_duppart() assert if called without valid dst - This is often missed or misunderstood, leading to underperforming - applications. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- http_proxy: part of conditional expression is always true: !error - This change introduces curl_multi_poll() as a replacement drop-in - function that accepts the exact same set of arguments. This function - works identically to curl_multi_wait() - EXCEPT - for the case when - there's nothing to wait for internally, as then this function will by - itself wait for a "suitable" short time before it returns. This - effectiely avoids all risks of busy-looping and should also make it less - likely that apps "over-wait". 
+ Fixes warning detected by PVS-Studio + Fixes #4374 + +- imap: merged two case-branches performing the same action - This also changes the curl tool to use this funtion internally when - doing parallel transfers and changes curl_easy_perform() to use it - internally. + Fixes warning detected by PVS-Studio + Fixes #4374 + +- multi: value '2L' is assigned to a boolean - Closes #4163 + Fixes warning detected by PVS-Studio + Fixes #4374 -- quiche:h3_stream_recv return 0 at end of stream +- easy: part of conditional expression is always true: !result - ... and remove some verbose messages we don't need. Made transfers from - facebook.com work better. + Fixes warning detected by PVS-Studio + Fixes #4374 -- altsvc: make quiche use h3-22 now +- netrc: part of conditional expression is always true: !done + + Fixes warning detected by PVS-Studio + Fixes #4374 -- quiche: show the actual version number +- version: Expression 'left > 1' is always true + + Fixes warning detected by PVS-Studio + Fixes #4374 -- quiche: first working HTTP/3 request +- url: remove dead code - - enable debug log - - fix use of quiche API - - use download buffer - - separate header/body + Fixes warning detected by PVS-Studio + Fixes #4374 + +- url: part of expression is always true: (bundle->multiuse == 0) - Closes #4193 + Fixes warning detected by PVS-Studio + Fixes #4374 -- http09: disable HTTP/0.9 by default in both tool and library +- ftp: the conditional expression is always true - As the plan has been laid out in DEPRECATED. Update docs accordingly and - verify in test 1174. Now requires the option to be set to allow HTTP/0.9 - responses. + ... both !result and (ftp->transfer != FTPTRANSFER_BODY)! 
- Closes #4191 - -- quiche: initial h3 request send/receive - -- lib/Makefile.am: make checksrc run in vquic too + Fixes warning detected by PVS-Studio + Fixes #4374 -- altsvc: fix removal of expired cache entry +- ftp: Expression 'ftpc->wait_data_conn' is always false - Closes #4192 - -- RELEASE-NOTES: synced + Fixes warning detected by PVS-Studio + Fixes #4374 -Steve Holme (4 Aug 2019) -- md4: Use our own MD4 implementation when no crypto libraries are available +- ftp: Expression 'ftpc->wait_data_conn' is always true - Closes #3780 + Fixes warning detected by PVS-Studio + Fixes #4374 -- md4: No need to include Curl_md4.h for each TLS library +- ftp: part of conditional expression is always true: !result + + Fixes warning detected by PVS-Studio + Fixes #4374 -- md4: No need for the NTLM code to call Curl_md4it() for each TLS library +- http: fix Expression 'http->postdata' is always false - As the NTLM code no longer calls any of TLS libraries' specific MD4 - functions, there is no need to call this function for each #ifdef. + Fixes warning detected by PVS-Studio + Fixes #4374 + Reported-by: Valerii Zapodovnikov -- md4: Move the mbed TLS MD4 implementation out of the NTLM code +- [Niall O'Reilly brought this change] -- md4: Move the WinCrypt implementation out of the NTLM code + doh: avoid truncating DNS QTYPE to lower octet + + Closes #4381 -- md4: Move the SecureTransport implementation out of the NTLM code +- [Jens Finkhaeuser brought this change] -- md4: Use the Curl_md4it() function for OpenSSL based NTLM + urlapi: CURLU_NO_AUTHORITY allows empty authority/host part + + CURLU_NO_AUTHORITY is intended for use with unknown schemes (i.e. not + "file:///") to override cURL's default demand that an authority exists. 
+ + Closes #4349 -- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code +- version: next release will be 7.67.0 -- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code +- RELEASE-NOTES: synced -Jay Satiro (4 Aug 2019) -- OS400: Add CURLOPT_H3 symbols +- url: only reuse TLS connections with matching pinning - Follow-up to 3af0e76 which added experimental H3 support. + If the requests have different CURLOPT_PINNEDPUBLICKEY strings set, the + connection should not be reused. - Closes https://github.com/curl/curl/pull/4185 + Bug: https://curl.haxx.se/mail/lib-2019-09/0061.html + Reported-by: Sebastian Haglund + + Closes #4347 -Daniel Stenberg (3 Aug 2019) -- url: make use of new HTTP version if alt-svc has one +- README: add OSS-Fuzz badge [skip ci] + + Closes #4380 -- url: set conn->transport to default TCP at init time +Michael Kaufmann (18 Sep 2019) +- http: merge two "case" statements -- altsvc: with quiche, use the quiche h3 alpn string - - Closes #4183 +Daniel Stenberg (18 Sep 2019) +- [Zenju brought this change] -- alt-svc: more liberal ALPN name parsing - - Allow pretty much anything to be part of the ALPN identifier. In - particular minus, which is used for "h3-20" (in-progress HTTP/3 - versions) etc. + FTP: remove trailing slash from path for LIST/MLSD - Updated test 356. - Closes #4182 + Closes #4348 -- quiche: use the proper HTTP/3 ALPN +- mime: when disabled, avoid C99 macro + + Closes #4368 -- quiche: add failf() calls for two error cases +- url: cleanup dangling DOH request headers too - To aid debugging + Follow-up to 9bc44ff64d9081 - Closes #4181 + Credit to OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/17269 + + Closes #4372 -- mailmap: added Kyohei Kadota +- [Christoph M. 
Becker brought this change] -Kamil Dudka (1 Aug 2019) -- http_negotiate: improve handling of gss_init_sec_context() failures + http2: relax verification of :authority in push promise requests - If HTTPAUTH_GSSNEGOTIATE was used for a POST request and - gss_init_sec_context() failed, the POST request was sent - with empty body. This commit also restores the original - behavior of `curl --fail --negotiate`, which was changed - by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. + If the :authority pseudo header field doesn't contain an explicit port, + we assume it is valid for the default port, instead of rejecting the + request for all ports. - Add regression tests 2077 and 2078 to cover this. + Ref: https://curl.haxx.se/mail/lib-2019-09/0041.html - Fixes #3992 - Closes #4171 + Closes #4365 -Daniel Stenberg (1 Aug 2019) -- mailmap: added 4 more names +- doh: clean up dangling DOH handles and memory on easy close - Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli - -- mailmap: add Giorgos Oikonomou + If you set the same URL for target as for DoH (and it isn't a DoH + server), like "https://example.com" in both, the easy handles used for + the DoH requests could be left "dangling" and end up not getting freed. + + Reported-by: Paul Dreik + Closes #4366 -- src/makefile: fix uncompressed hugehelp.c generation +- unit1655: make it C90 compliant - Regression from 5cf5d57ab9 (7.64.1) + Unclear why this was not detected in the CI. - Fixed-by: Lance Ware - Fixes #4176 - Closes #4177 - -- appveyor: pass on -k to make + Follow-up to b7666027296a -- timediff: make it 64 bit (if possible) even with 32 bit time_t +- smb: check for full size message before reading message details - ... to make it hold microseconds too. + To avoid reading of uninitialized data. 
- Fixes #4165 - Closes #4168 - -- ROADMAP: parallel transfers are merged now + Assisted-by: Max Dymond + Bug: https://crbug.com/oss-fuzz/16907 + Closes #4363 -- getenv: support up to 4K environment variable contents on windows +- quiche: persist connection details - Reported-by: Michal Čaplygin - Fixes #4174 - Closes #4175 - -- [Kyohei Kadota brought this change] - - plan9: add support for running on Plan 9 + ... like we do for other protocols at connect time. This makes "curl -I" + and other things work. - Closes #3701 - -- [Kyohei Kadota brought this change] + Reported-by: George Liu + Fixes #4358 + Closes #4360 - ntlm: explicit type casting +- openssl: fix warning with boringssl and SSL_CTX_set_min_proto_version + + Follow-up to ffe34b7b59 + Closes #4359 -- [Justin brought this change] +- [Paul Dreik brought this change] - curl.h: fix outdated comment + doh: fix undefined behaviour and open up for gcc and clang optimization - Closes #4167 - -- curl: remove outdated comment + The undefined behaviour is annoying when running fuzzing with + sanitizers. The codegen is the same, but the meaning is now not up for + dispute. See https://cppinsights.io/s/516a2ff4 - Turned bad with commit b8894085000 + By incrementing the pointer first, both gcc and clang recognize this as + a bswap and optimizes it to a single instruction. See + https://godbolt.org/z/994Zpx - Reported-by: niallor on github - Fixes #4172 - Closes #4173 + Closes #4350 -- cleanup: remove the 'numsocks' argument used in many places - - It was used (intended) to pass in the size of the 'socks' array that is - also passed to these functions, but was rarely actually checked/used and - the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries - that should be used instead. 
- - Closes #4169 +- [Paul Dreik brought this change] -- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp - - Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) + doh: fix (harmless) buffer overrun - Reported-by: Jonathan Cardoso Machado - Assisted-by: Jay Satiro + Added unit test case 1655 to verify. + Close #4352 - Fixes #4136 - Closes #4162 - -- mailmap: Amit Katyal + the code correctly finds the flaws in the old code, + if one temporarily restores doh.c to the old version. -- asyn-thread: removed unused variable - - Follow-up to eb9a604f. Mistake caused by me when I edited the commit - before push... +Alessandro Ghedini (15 Sep 2019) +- docs: remove trailing ':' from section names in CURLOPT_TRAILER* man -- RELEASE-NOTES: synced +- docs: fix typo in CURLOPT_HTTP_VERSION man -- [Amit Katyal brought this change] +GitHub (14 Sep 2019) +- [Daniel Stenberg brought this change] - asyn-thread: create a socketpair to wait on + CI: inintial github action job - Closes #4157 + First shot at a CI build on github actions -- curl: cap the maximum allowed values for retry time arguments - - ... to avoid integer overflows later when multiplying with 1000 to - convert seconds to milliseconds. +Daniel Stenberg (13 Sep 2019) +- appveyor: add a winbuild - Added test 1269 to verify. + Assisted-by: Marcel Raad + Assisted-by: Jay Satiro - Reported-by: Jason Lee - Closes #4166 + Closes #4324 -- progress: reset download/uploaded counter +- FTP: allow "rubbish" prepended to the SIZE response - ... to make CURLOPT_MAX_RECV_SPEED_LARGE and - CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that - reuse the same handle. + This is a protocol violation but apparently there are legacy proprietary + servers doing this. - Fixed-by: Ironbars13 on github - Fixes #4084 - Closes #4161 - -- http2_recv: trigger another read when the last data is returned + Added test 336 and 337 to verify. - ... so that end-of-stream is detected properly. 
+ Reported-by: Philippe Marguinaud + Closes #4339 + +- [Zenju brought this change] + + FTP: skip CWD to entry dir when target is absolute - Reported-by: Tom van der Woerdt - Fixes #4043 - Closes #4160 + Closes #4332 -- curl: avoid uncessary libcurl timeouts (in parallel mode) +Kamil Dudka (13 Sep 2019) +- curl: fix memory leaked by parse_metalink() - When curl_multi_wait() returns OK without file descriptors to wait for, - it might already have done a long timeout. + This commit fixes a regression introduced by curl-7_65_3-5-gb88940850. + Detected by tests 2005, 2008, 2009, 2010, 2011, and 2012 with valgrind + and libmetalink enabled. - Closes #4159 - -- [Balazs Kovacsics brought this change] + Closes #4326 - HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown +Daniel Stenberg (13 Sep 2019) +- parsedate: still provide the name arrays when disabled - If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, - automatically add a Transfer-Encoding: chunked header, same as it is - already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update - test 1514 according to the new behaviour. + If FILE or FTP are enabled, since they also use them! - Closes #4138 + Reported-by: Roland Hieber + Fixes #4325 + Closes #4343 -Jay Satiro (29 Jul 2019) -- [Daniel Stenberg brought this change] +- [Gilles Vollant brought this change] - winbuild: add vquic to list of build directories - - This fixes the winbuild build method which broke several days ago - when experimental quic support was added in 3af0e76. + curl:file2string: load large files much faster - Reported-by: Michael Lee + ... by using a more efficient realloc scheme. - Fixes https://github.com/curl/curl/issues/4158 + Bug: https://curl.haxx.se/mail/lib-2019-09/0045.html + Closes #4336 -- easy: resize receive buffer on easy handle reset - - - In curl_easy_reset attempt to resize the receive buffer to its default - size. If realloc fails then continue using the previous size. 
+- openssl: close_notify on the FTP data connection doesn't mean closure - Prior to this change curl_easy_reset did not properly handle resetting - the receive buffer (data->state.buffer). It reset the variable holding - its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) - but then did not actually resize the buffer. If a user resized the - buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the - default, later called curl_easy_reset and attempted to reuse the handle - then a heap overflow would very likely occur during that handle's next - transfer. + For FTPS transfers, curl gets close_notify on the data connection + without that being a signal to close the control connection! - Reported-by: Felix Hädicke + Regression since 3f5da4e59a556fc (7.65.0) - Fixes https://github.com/curl/curl/issues/4143 - Closes https://github.com/curl/curl/pull/4145 + Reported-by: Zenju on github + Reviewed-by: Jay Satiro + Fixes #4329 + Closes #4340 -- [Brad Spencer brought this change] +- [Jimmy Gaussen brought this change] - examples: Avoid reserved names in hiperfifo examples - - - Trade in __attribute__((unused)) for the classic (void)x to silence - unused symbols. - - Because the classic way is not gcc specific. Also because the prior - method mapped to symbol _Unused, which starts with _ and a capital - letter which is reserved. - - Assisted-by: The Infinnovation team - - Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 + docs/HTTP3: fix `--with-ssl` ngtcp2 configure flag - Closes https://github.com/curl/curl/pull/4153 + Closes #4338 -Daniel Stenberg (25 Jul 2019) - RELEASE-NOTES: synced -- [Felix Hädicke brought this change] +- curlver: bump to 7.66.1 - ssh-libssh: do not specify O_APPEND when not in append mode +- [Zenju brought this change] + + setopt: make it easier to add new enum values - Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not - make much sense. 
And this combination of flags is not accepted by all - SFTP servers (at least not Apache SSHD). + ... by using the *_LAST define names better. - Fixes #4147 - Closes #4148 - -- [Gergely Nagy brought this change] + Closes #4321 - multi: call detach_connection before Curl_disconnect - - Curl_disconnect bails out if conn->easyq is not empty, detach_connection - needs to be called first to remove the current easy from the queue. +- asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris - Fixes #4144 - Closes #4151 + Reported-by: Dagobert Michelsen + Fixes #4328 + Closes #4333 -Jay Satiro (23 Jul 2019) -- tool_operate: fix implicit call to easysrc_cleanup +- [Bernhard Walle brought this change] + + winbuild/MakefileBuild.vc: Add vssh - easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not - defined, and prior to this change would be called regardless. + Without that modification, the Windows build using the makefiles doesn't + work. - Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 - Reported-by: Marcel Raad + Signed-off-by: Bernhard Walle - Closes https://github.com/curl/curl/pull/4142 + Fixes #4322 + Closes #4323 -Daniel Stenberg (22 Jul 2019) -- curl:create_transfers check return code from curl_easy_setopt - - From commit b8894085 +Bernhard Walle (11 Sep 2019) +- winbuild/MakefileBuild.vc: Fix line endings - Pointed out by Coverity CID 1451703 + The file had mixed line endings. - Closes #4134 + 
Signed-off-by: Bernhard Walle -- HTTP3: initial (experimental) support - - USe configure --with-ngtcp2 or --with-quiche +Jay Satiro (11 Sep 2019) +- ldap: Stop using wide char version of ldapp_err2string - Using either option will enable a HTTP3 build. - Co-authored-by: Alessandro Ghedini + Despite ldapp_err2string being documented by MS as returning a + PCHAR (char *), when UNICODE it is mapped to ldap_err2stringW and + returns PWCHAR (wchar_t *). - Closes #3500 - -- curl: remove dead code + We have lots of code that expects ldap_err2string to return char *, + most of it failf used like this: - The loop never loops (since b889408500), pointed out by Coverity (CID - 1451702) + failf(data, "LDAP local: Some error: %s", ldap_err2string(rc)); - Closes #4133 + Closes https://github.com/curl/curl/pull/4272 -- docs/PARALLEL-TRANSFERS: correct the version number +Version 7.66.0 (10 Sep 2019) -- docs/PARALLEL-TRANSFERS: added +Daniel Stenberg (10 Sep 2019) +- RELEASE-NOTES: curl 7.66.0 -- curl: support parallel transfers - - This is done by making sure each individual transfer is first added to a - linked list as then they can be performed serially, or at will, in - parallel. - - Closes #3804 +- THANKS: from the 7.66.0 release -- docs/MANUAL.md: converted to markdown from plain text +- curl: make sure the parallel transfers do them all - ... will make it render as a nicer web page. + The logic could erroneously break the loop too early before all + transfers had been transferred. - Closes #4131 + Reported-by: Tom van der Woerdt + Fixes #4316 + Closes #4317 -- curl_version_info: provide nghttp2 details +- urlapi: one colon is enough for the strspn() input (typo) + +- urlapi: verify the IPv6 numerical address - Introducing CURLVERSION_SIXTH with nghttp2 info. + It needs to parse correctly. Otherwise it could be tricked into letting + through a-f using host names that libcurl would then resolve. Like + '[ab.be]'. 
- Closes #4121 + Reported-by: Thomas Vegas + Closes #4315 -- bump: start working on 7.66.0 +- [Clément Notin brought this change] -- source: remove names from source comments - - Several reasons: + openssl: use SSL_CTX_set__proto_version() when available - - we can't add everyone who's helping out so its unfair to just a few - selected ones. - - we already list all helpers in THANKS and in RELEASE-NOTES for each - release - - we don't want to give the impression that some parts of the code is - "owned" or "controlled" by specific persons + OpenSSL 1.1.0 adds SSL_CTX_set__proto_version() that we now use + when available. Existing code is preserved for older versions of + OpenSSL. - Assisted-by: Daniel Gustafsson - Closes #4129 + Closes #4304 -Version 7.65.3 (19 Jul 2019) +- [Clément Notin brought this change] -Daniel Stenberg (19 Jul 2019) -- RELEASE-NOTES: 7.65.3 + openssl: indent, re-organize and add comments -- THANKS: 7.65.3 status +- [migueljcrum brought this change] -- progress: make the progress meter appear again - - Fix regression caused by 21080e1 + sspi: fix memory leaks - Reported-by: Chih-Hsuan Yen - Fixes #4122 - Closes #4124 - -- version: bump to 7.65.3 - -- RELEASE-NOTES: Contributors or now 1990 + Closes #4299 -Version 7.65.2 (17 Jul 2019) +- travis: disable ngtcp2 builds (again) -Daniel Stenberg (17 Jul 2019) -- RELEASE-NOTES: 7.65.2 +- Curl_fillreadbuffer: avoid double-free trailer buf on error + + Reviewed-by: Jay Satiro + Reported-by: Thomas Vegas + + Closes #4307 -- THANKS: add contributors from 7.65.2 +- tool_setopt: handle a libcurl build without netrc support + + Reported-by: codesniffer13 on github + Fixes #4302 + Closes #4305 -Jay Satiro (17 Jul 2019) -- [aasivov brought this change] - - cmake: Fix finding Brotli on case-sensitive file systems +- security:read_data fix bad realloc() - - Find package "Brotli" instead of "BROTLI" since the former is the - casing used for CMake/FindBrotli.cmake, and otherwise find_package - may fail on a 
case-sensitive file system. + ... that could end up a double-free - Fixes https://github.com/curl/curl/issues/4117 + CVE-2019-5481 + Bug: https://curl.haxx.se/docs/CVE-2019-5481.html -- CURLOPT_RANGE.3: Caution against using it for HTTP PUT - - AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've - cautioned against using it for that purpose and included a workaround. +- [Thomas Vegas brought this change] + + tftp: Alloc maximum blksize, and use default unless OACK is received - Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html - Reported-by: Christopher Head + Fixes potential buffer overflow from 'recvfrom()', should the server + return an OACK without blksize. - Closes https://github.com/curl/curl/issues/3814 - -- [Stefano Simonelli brought this change] + Bug: https://curl.haxx.se/docs/CVE-2019-5482.html + CVE-2019-5482 - CURLOPT_SEEKDATA.3: fix variable name - - Closes https://github.com/curl/curl/pull/4118 +- [Thomas Vegas brought this change] -- [Giorgos Oikonomou brought this change] + tftp: return error when packet is too small for options - CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH - - If the SSL backend is Schannel and the user specifies an Schannel CALG_ - that is not supported by the protocol or the server then curl returns - CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. - - Fixes https://github.com/curl/curl/issues/3389 - Closes https://github.com/curl/curl/pull/4106 +- KNOWN_BUGS/TODO: cleanup and remove outdated issues -- [Daniel Gustafsson brought this change] +- RELEASE-NOTES: synced - nss: inspect returnvalue of token check - - PK11_IsPresent() checks for the token for the given slot is available, - and sets needlogin flags for the PK11_Authenticate() call. Should it - return false, we should however treat it as an error and bail out. +- netrc: free 'home' on error - Closes https://github.com/curl/curl/pull/4110 - -- docs: Explain behavior change in --tlsv1. 
options since 7.54 + Follow-up to f9c7ba9096ec2 - Since 7.54 --tlsv1. options use the specified version or later, however - older versions of curl documented it as using just the specified version - which may or may not have happened depending on the TLS library. - Document this discrepancy to allay confusion for users familiar with the - old documentation that expect just the specified version. + Coverity CID 1453474 - Fixes https://github.com/curl/curl/issues/4097 - Closes https://github.com/curl/curl/pull/4119 + Closes #4291 -- libcurl: Restrict redirect schemes (follow-up) +- urldata: avoid 'generic', use dedicated pointers - - Allow FTPS on redirect. + For the 'proto' union within the connectdata struct. - - Update default allowed redirect protocols in documentation. + Closes #4290 + +- cleanup: move functions out of url.c and make them static - Follow-up to 6080ea0. + Closes #4289 + +- smtp: check for and bail out on too short EHLO response - Ref: https://github.com/curl/curl/pull/4094 + Otherwise, a three byte response would make the smtp_state_ehlo_resp() + function misbehave. - Closes https://github.com/curl/curl/pull/4115 - -Daniel Stenberg (16 Jul 2019) -- test1173: make it also check all libcurl option man pages + Credit to OSS-Fuzz + Bug: https://crbug.com/oss-fuzz/16918 - ... and adjust those that cause errors + Assisted-by: Max Dymond - Closes #4116 + Closes #4287 -- curl: only accept COLUMNS less than 10000 +- smb: init *msg to NULL in smb_send_and_recv() - ... as larger values would rather indicate something silly (and could - potentially cause buffer problems). + ... it might otherwise return OK from this function leaving that pointer + uninitialized. 
- Reported-by: pendrek at hackerone - Closes #4114 - -- dist: add manpage-syntax.pl + Bug: https://crbug.com/oss-fuzz/16907 - follow-up to 7fb66c403 + Closes #4286 -- test1173: detect some basic man page format mistakes - - Triggered by PR #4111 +- ROADMAP: updated after recent user poll - Closes #4113 + In rough prio order -Jay Satiro (15 Jul 2019) -- [Bjarni Ingi Gislason brought this change] +- THANKS: remove duplicate - docs: Fix missing lines caused by undefined macros +- Curl_addr2string: take an addrlen argument too - - Escape apostrophes at line start. + This allows the function to figure out if a unix domain socket has a + file name or not associated with it! When a socket is created with + socketpair(), as done in the fuzzer testing, the path struct member is + uninitialized and must not be accessed. - Some lines begin with a "'" (apostrophe, single quote), which is then - interpreted as a control character in *roff. + Bug: https://crbug.com/oss-fuzz/16699 - Such lines are interpreted as being a call to a macro, and if - undefined, the lines are removed from the output. + Closes #4283 + +- [Rolf Eike Beer brought this change] + + CMake: remove needless newlines at end of gss variables + +- [Rolf Eike Beer brought this change] + + CI: remove duplicate configure flag for LGTM.com + +- [Rolf Eike Beer brought this change] + + CMake: use platform dependent name for dlopen() library - Bug: https://bugs.debian.org/926352 - 
Signed-off-by: Bjarni Ingi Gislason + Closes #4279 + +- quiche: expire when poll returned data - Submitted-by: Alessandro Ghedini + ... to make sure we continue draining the queue until empty - Closes https://github.com/curl/curl/pull/4111 + Closes #4281 -Daniel Stenberg (14 Jul 2019) -- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults +- quiche: decrease available buffer size, don't assign it! - follow-up to 6080ea098 + Found-by: Jeremy Lainé -- [Linos Giannopoulos brought this change] +- RELEASE-NOTES: synced - libcurl: Add testcase for gopher redirects - - The testcase ensures that redirects to CURLPROTO_GOPHER won't be - allowed, by default, in the future. Also, curl is being used - for convenience while keeping the testcases DRY. - - The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is - redirected to CURLPROTO_GOPHER - - 
Signed-off-by: Linos Giannopoulos +- [Kyohei Kadota brought this change] -- [Linos Giannopoulos brought this change] + curl: fix include conditions - libcurl: Restrict redirect schemes - - All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS - counterpart were allowed for redirect. This vastly broadens the - exploitation surface in case of a vulnerability such as SSRF [1], where - libcurl-based clients are forced to make requests to arbitrary hosts. +- [Kyohei Kadota brought this change] + + plan9: fix installation instructions - For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based - protocol by URL-encoding a payload in the URI. Gopher will open a TCP - connection and send the payload. + Closes #4276 + +- ngtcp2: on h3 stream close, call expire - Only HTTP/HTTPS and FTP are allowed. All other protocols have to be - explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. + ... to trigger a new read to detect the stream close! - [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ + Closes #4275 + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: build latest ngtcp2 and ngtcp2_crypto_openssl - 
Signed-off-by: Linos Giannopoulos + Closes #4278 + +- ngtcp2: set flow control window to stream buffer size - Closes #4094 + Closes #4274 -- [Zenju brought this change] +- [Christopher Head brought this change] - openssl: define HAVE_SSL_GET_SHUTDOWN based on version number + CURLOPT_HEADERFUNCTION.3: clarify - Closes #4100 + Closes #4273 -- [Peter Simonyi brought this change] +- CURLINFO docs: mention that in redirects times are added + + Suggested-by: Brandon Dong + Fixes #4250 + Closes #4269 - http: allow overriding timecond with custom header +- travis: enable ngtcp2 builds again - With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. - If-Modified-Since). Allow this to be replaced or suppressed with - CURLOPT_HTTPHEADER. + Switched to the openssl-quic-draft-22 openssl branch. - Fixes #4103 - Closes #4109 + Closes #4271 -Jay Satiro (11 Jul 2019) -- [Juergen Hoetzel brought this change] +- HTTP3: switched openssl branch to use - smb: Use the correct error code for access denied on file open +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Build with latest ngtcp2 and ngtcp2_crypto_openssl - - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. + Closes #4270 + +- http2: when marked for closure and wanted to close == OK - Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. + It could otherwise return an error even when closed correctly if GOAWAY + had been received previously. - Closes https://github.com/curl/curl/pull/4095 + Reported-by: Tom van der Woerdt + Fixes #4267 + Closes #4268 -- [Daniel Gustafsson brought this change] +- RELEASE-NOTES: synced - DEPRECATE: fixup versions and spelling - - Correctly set the July 17 version to 7.65.2, and update spelling to - be consistent. Also fix a typo. 
+- build-openssl: fix build with Visual Studio 2019 - Closes https://github.com/curl/curl/pull/4107 - -- [Gisle Vanem brought this change] + Reviewed-by: Marcel Raad + Contributed-by: osabc on github + Fixes #4188 + Closes #4266 - system_win32: fix clang warning +Kamil Dudka (26 Aug 2019) +- vauth: return CURLE_AUTH_ERROR on gss_init_sec_context() failure - - Declare variable in header as extern. + This is a follow-up to https://github.com/curl/curl/pull/3864 . - Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 + Closes #4224 -Daniel Gustafsson (10 Jul 2019) -- headers: Remove no longer exported functions +Daniel Stenberg (26 Aug 2019) +- KNOWN_BUGS: USE_UNIX_SOCKETS on Windows - There were a leftover few prototypes of Curl_ functions that we used to - export but no longer do, this removes those prototypes and cleans up any - comments still referring to them. + Closes #4040 + +- quiche: send the HTTP body correctly on callback uploads - Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() - Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() - were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. - Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. + Closes #4265 + +- travis: disable ngtcp2 builds (temporarily) - For the remainder, I didn't trawl the Git logs hard enough to capture - their exact time of deletion, but they were all gone: Curl_splayprint(), - Curl_http2_send_request(), Curl_global_host_cache_dtor(), - Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), - Curl_http_auth_stage() and Curl_close_connections(). 
+ Just too many API changes right now - Closes #4096 - Reviewed-by: Daniel Stenberg + Closes #4264 -- CMake: fix typos and spelling +- ngtcp2: add support for SSLKEYLOGFILE + + Closes #4260 -- [Kyle Edwards brought this change] +- ngtcp2: improve h3 response receiving + + Closes #4259 - CMake: Convert errant elseif() to else() +- ngtcp2: use nghttp3_version() + +- ngtcp2: sync with upstream API changes - CMake interprets an elseif() with no arguments as elseif(FALSE), - resulting in the elseif() block not being executed. That is not what - was intended here. Change the empty elseif() to an else() as it was - intended. + Assisted-by: Tatsuhiro Tsujikawa + +- [Kyle Abramowitz brought this change] + + scp: fix directory name length used in memcpy - Closes #4101 - Reported-by: Artalus - Reviewed-by: Daniel Gustafsson + Fix read off end of array due to bad pointer math in getworkingpath for + SCP home directory case. + + Closes #4258 -- buildconf: fix header filename +- http: the 'closed' struct field is used by both ngh2 and ngh3 - The header file inclusion had a typo, it should be .h and not .hd. - Fix by renaming. + and remove 'header_recvbuf', not used for anything - Fixes #4102 - Reported-by: AceCrow on Github + Reported-by: Jeremy Lainé + + Closes #4257 -- [Jan Chren brought this change] +- ngtcp2: accept upload via callback + + Closes #4256 - configure: fix --disable-code-coverage +- defines: avoid underscore-prefixed defines - This fixes the case when --disable-code-coverage supplied to ./configure - would result in coverage="yes" being set. + Double-underscored or underscore plus uppercase letter at least. - Closes #4099 - Reviewed-by: Daniel Gustafsson + ... as they're claimed to be reserved. 
+ + Reported-by: patnyb on github + + Fixes #4254 + Closes #4255 -- cleanup: fix typo in comment +- travis: add a build using ngtcp2 + nghttp3 (and a patched OpenSSL) + + Runs no tests + + Closes #4253 -- RELEASE-NOTES: synced +- travis: bump to using nghttp2 version 1.39.2 + + Closes #4252 -Jay Satiro (6 Jul 2019) -- [Daniel Gustafsson brought this change] +- [Gisle Vanem brought this change] - nss: support using libnss on macOS + docs/examples/curlx: fix errors - The file suffix for dynamically loadable objects on macOS is .dylib, - which need to be added for the module definitions in order to get the - NSS TLS backend to work properly on macOS. + Initialise 'mimetype' and require the -p12 arg. - Closes https://github.com/curl/curl/pull/4046 - -- [Daniel Gustafsson brought this change] + Closes #4248 - nss: don't set unused parameter +- cleanup: remove DOT_CHAR completely - The value of the maxPTDs parameter to PR_Init() has since at least - NSPR 2.1, which was released sometime in 1998, been marked ignored - as is accordingly not used in the initialization code. Setting it - to a value when calling PR_Init() is thus benign, but indicates an - intent which may be misleading. Reset the value to zero to improve - clarity. + Follow-up to f9c7ba9096ec - Closes https://github.com/curl/curl/pull/4054 - -- [Daniel Gustafsson brought this change] - - nss: only cache valid CRL entries + The use of DOT_CHAR for ".ssh" was probably a mistake and is removed + now. - Change the logic around such that we only keep CRLs that NSS actually - ended up caching around for later deletion. If CERT_CacheCRL() fails - then there is little point in delaying the freeing of the CRL as it - is not used. 
+ Pointed-out-by: Gisle Vanem + Bug: https://github.com/curl/curl/pull/4230#issuecomment-522960638 - Closes https://github.com/curl/curl/pull/4053 - -- [Gergely Nagy brought this change] + Closes #4247 - lib: Use UTF-8 encoding in comments +- spnego_sspi: add typecast to fix build warning - Some editors and IDEs assume that source files use UTF-8 file encodings. - It also fixes the build with MSVC when /utf-8 command line option is - used (this option is mandatory for some other open-source projects, this - is useful when using the same options is desired for building all - libraries of a project). + Reported in build "Win32 target on Debian Stretch (64-bit) - + i686-w64-mingw32 - gcc-20170516" - Closes https://github.com/curl/curl/pull/4087 + Closes #4245 -- [Caleb Raitto brought this change] +- openssl: build warning free with boringssl + + Closes #4244 - CURLOPT_HEADEROPT.3: Fix example +- curl: make --libcurl use CURL_HTTP_VERSION_3 - Fix an issue where example builds a curl_slist, but fails to actually - use it, or free it. + Closes #4243 + +- ngtcp2: make postfields-set posts work - Closes https://github.com/curl/curl/pull/4090 + Closes #4242 -- [Shankar Jadhavar brought this change] +- http: remove chunked-encoding and expect header use for HTTP/3 - winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG - - - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. +- [Alessandro Ghedini brought this change] + + configure: use pkg-config to detect quiche - - Also removed some ^M chars from file. + This removes the need to hard-code the quiche target path in + configure.ac. - Prior to this change while building on Windows platform even if we pass - the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does - not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. 
+ This depends on https://github.com/cloudflare/quiche/pull/128 - Closes https://github.com/curl/curl/pull/4086 - -Daniel Stenberg (4 Jul 2019) -- doh-url.d: added in 7.62.0 + Closes #4237 -Jay Satiro (30 Jun 2019) -- docs: Fix links to OpenSSL docs +- CURLOPT_SSL_VERIFYHOST: treat the value 1 as 2 - OpenSSL changed their manual locations and does not redirect to the new - locations. + For a long time (since 7.28.1) we've returned error when setting the + value to 1 to make applications notice that we stopped supported the old + behavior for 1. Starting now, we treat 1 and 2 exactly the same. - Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html - Reported-by: Daniel Stenberg - -Daniel Stenberg (26 Jun 2019) -- [Gaël PORTAY brought this change] + Closes #4241 - curl_multi_wait.3: escape backslash in example +- curl: use .curlrc (with a dot) on Windows as well - The backslash in the character Line Feed must be escaped. + Fall-back to _curlrc if the dot-version is missing. - The current man-page outputs the code as following: + Co-Authored-By: Steve Holme - fprintf(stderr, "curl_multi failed, code %d.0, mc); + Closes #4230 + +- netrc: make the code try ".netrc" on Windows as well - The commit fixes it as follow: + ... but fall back and try "_netrc" too if the dot version didn't work. - fprintf(stderr, "curl_multi failed, code %d\n", mc); + Co-Authored-By: Steve Holme + +- ngtcp2: use ngtcp2_version() to get the run-time version - Closes #4079 + ... which of course doesn't have to be the same used at build-time. + + Function just recently merged in ngtcp2. -- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined +- ngtcp2: move the h3 initing to immediately after the rx key - ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is - built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for - UWP (with "VC-WIN32-UWP"). 
+ To fix a segfault and to better deal with 0-RTT - Reported-by: Vasily Lobaskin - Fixes #4073 - Closes #4077 + Assisted-by: Tatsuhiro Tsujikawa -- test1521: adapt to SLISTPOINT +- [Alessandro Ghedini brought this change] + + quiche: register debug callback once and earlier - The header now has the slist-using options marked as SLISTPOINT so this - makes sure test 1521 understands that. + The quiche debug callback is global and can only be initialized once, so + make sure we don't do it multiple times (e.g. if multiple requests are + executed). - Follow-up to ae99b4de1c443ae989 + In addition this initializes the callback before the connection is + created, so we get logs for the handshake as well. - Closes #4074 + Closes #4236 -- win32: make DLL loading a no-op for UWP +- ssh: add a generic Curl_ssh_version function for SSH backends - Reported-by: Michael Brehm - Fixes #4060 - Closes #4072 + Closes #4235 -- [1ocalhost brought this change] +- base64: check for SSH, not specific SSH backends - configure: fix typo '--disable-http-uath' - - Closes #4076 +- vssh: move ssh init/cleanup functions into backend code -- [Niklas Hambüchen brought this change] +- vssh: create directory for SSH backend code - docs: fix string suggesting HTTP/2 is not the default - - Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the - man page that new default is mentioned, but the section at the top - contradicted it until now. +- TODO/ROADMAP: remove "refuse downgrade redirects" and HTTP/3 - Also remove claim that setting the HTTP version is not sensible. + HTTP3 is now already in full progress - Closes #4075 + Downgrade redirects can be achived almost exactly like that by setting + CURLOPT_REDIR_PROTOCOLS. 
- RELEASE-NOTES: synced -- [Stephan Szabo brought this change] +- travis: add a quiche build + + Closes #4207 - tests: update fixed IP for hostip/clientip split +- http: fix use of credentials from URL when using HTTP proxy - These tests give differences for me on linux when using a hostip - pointing to the external ip address for the local machine. + When a username and password are provided in the URL, they were wrongly + removed from the stored URL so that subsequent uses of the same URL + wouldn't find the crendentials. This made doing HTTP auth with multiple + connections (like Digest) mishave. - Closes #4070 - -Daniel Gustafsson (24 Jun 2019) -- http: clarify header buffer size calculation + Regression from 46e164069d1a5230 (7.62.0) - The header buffer size calculation can from static analysis seem to - overlow as it performs an addition between two size_t variables and - stores the result in a size_t variable. Overflow is however guarded - against elsewhere since the input to the addition is regulated by - the maximum read buffer size. Clarify this with a comment since the - question was asked. + Test case 335 added to verify. - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (24 Jun 2019) -- KNOWN_BUGS: Don't clear digest for single realm + Reported-by: Mike Crowe - Closes #3267 + Fixes #4228 + Closes #4229 -- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname - - Closes #3284 +- [Mike Crowe brought this change] -- http2: call done_sending on end of upload + tests: Replace outdated test case numbering documentation - To make sure a HTTP/2 stream registers the end of stream. + Tests are no longer grouped by numeric range[1]. Let's stop saying that + and provide some alternative advice for numbering tests. - Bug #4043 made me find this problem but this fix doesn't correct the - reported issue. 
+ [1] https://curl.haxx.se/mail/lib-2019-08/0043.html - Closes #4068 - -- [James Brown brought this change] + Closes #4227 - c-ares: honor port numbers in CURLOPT_DNS_SERVERS +- travis: reduce number of torture tests in 'coverage' - By using ares_set_servers_ports_csv on new enough c-ares. + ... to make it complete in time. This cut seems not almost not affect + the coverage percentage and yet completes within 35 minutes on travis + where the previous runs recently always timed out after 50. - Fixes #4066 - Closes #4067 - -Daniel Gustafsson (24 Jun 2019) -- CURLMOPT_SOCKETFUNCTION.3: fix typo + Closes #4223 -Daniel Stenberg (24 Jun 2019) -- [Koen Dergent brought this change] +- [Igor Makarov brought this change] - curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds + configure: use -lquiche to link to quiche - Closes #4061 + Closes #4226 -- test153: fix content-length to avoid occasional hang +- ngtcp2: provide the callbacks as a static struct - Closes #4065 + ... instead of having them in quicsocket -- RELEASE-NOTES: synced +- [Tatsuhiro Tsujikawa brought this change] -- multi: enable multiplexing by default (again) - - It was originally made default in d7c4213bd0c (7.62.0) but mistakenly - reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. 
+ ngtcp2: add missing nghttp3_conn_add_write_offset call - Closes #4051 + Closes #4225 -- typecheck: add 3 missing strings and a callback data pointer - - Closes #4050 +- [Tatsuhiro Tsujikawa brought this change] -- tests: add disable-scan.pl to dist - - follow-up from 29177f422a5 - - Closes #4059 + ngtcp2: deal with stream close -- http2: don't call stream-close on already closed streams +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: Consume QUIC STREAM data properly + +- [Tatsuhiro Tsujikawa brought this change] + + ngtcp2: don't reinitialize SSL on Retry + +- multi: getsock improvements for QUIC connecting + +- connect: connections are persistent by default for HTTP/3 + +- quiche: happy eyeballs - Closes #4055 + Closes #4220 -Marcel Raad (20 Jun 2019) -- travis: enable alt-svc for coverage build +- ngtcp2: do QUIC connections happy-eyeballs friendly + +- curl_version: bump string buffer size to 250 - Closes + With HTTP/3 libs and plenty TLS libs, I manged to hit the limit (which + causes a truncated output). -- travis: enable libssh2 for coverage build +- CURLOPT_ALTSVC.3: use a "" file name to not load from a file + +Jay Satiro (14 Aug 2019) +- vauth: Use CURLE_AUTH_ERROR for auth function errors - It was enabled by default before commit c92d2e14cfb. + - Add new error code CURLE_AUTH_ERROR. - Disable torture tests 600 and 601 because of - https://github.com/curl/curl/issues/1678. + Prior to this change auth function errors were signaled by + CURLE_OUT_OF_MEMORY and CURLE_RECV_ERROR, and neither one was + technically correct. - Closes - -- travis: disable threaded resolver for coverage build + Ref: https://github.com/curl/curl/pull/3848 - This enables more tests. 
+ Co-authored-by: Dominik Hölzl - Closes + Closes https://github.com/curl/curl/pull/3864 -- travis: enable brotli for all xenial jobs +Daniel Stenberg (13 Aug 2019) +- curl_version_info: make the quic_version a const - There's no need for a separate job, and no need to build it from source - with Xenial. + Follow-up from 1a2df1518ad8653f - Closes + Closes #4222 -- travis: enable warnings-as-errors for coverage build +- examples: add http3.c, altsvc.c and http3-present.c - Closes - -GitHub (20 Jun 2019) -- [Gisle Vanem brought this change] - - system_win32: fix typo + Closes #4221 -Daniel Stenberg (20 Jun 2019) -- typecheck: CURLOPT_CONNECT_TO takes an slist too +Peter Wu (13 Aug 2019) +- nss: use TLSv1.3 as default if supported - Additionally, add an alias in curl.h for slist-using options so that - we can grep/parse those out at will. + SSL_VersionRangeGetDefault returns (TLSv1.0, TLSv1.2) as supported + range in NSS 3.45. It looks like the intention is to raise the minimum + version rather than lowering the maximum, so adjust accordingly. Note + that the caller (nss_setup_connect) initializes the version range to + (TLSv1.0, TLSv1.3), so there is no need to check for >= TLSv1.0 again. - Closes #4042 + Closes #4187 + Reviewed-by: Daniel Stenberg + Reviewed-by: Kamil Dudka -- [Stephan Szabo brought this change] +Daniel Stenberg (13 Aug 2019) +- quic.h: remove unused proto - tests: support non-localhost HOSTIP for dict/smb servers - - smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for - binding the server which when we were running the tests with a separate - HOSTIP and CLIENTIP had failures verifying the server from the device we - were testing. - - This changes them to take the address from runtests.py and default to - localhost/127.0.0.1 if none is given. +- curl_version_info.3: mentioned ALTSVC and HTTP3 - Closes #4048 + ... 
and sorted the list alphabetically -- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT +- lib/quic.c: unused - removed -- configure: --disable-progress-meter - - Builds libcurl without support for the built-in progress meter. +- CURLOPT_ALTSVC_CTRL.3: remove CURLALTSVC_ALTUSED - Closes #4023 + Follow-up to 98c3f148 that removed it from the header file -- curl: improved skip-setopt-options when built with disabled features - - Reduces #ifdefs in src/tool_operate.c - - Follow-up from 4e86f2fc4e6 - Closes #3936 +- [Junho Choi brought this change] -Steve Holme (18 Jun 2019) -- netrc: Return the correct error code when out of memory + docs/HTTP3: simplify quiche build instruction - Introduced in 763c5178. + Use --recursive to get boringssl in one line - Closes #4036 + Closes #4219 -Daniel Stenberg (18 Jun 2019) -- config-os400: add getpeername and getsockname defines - - Reported-by: jonrumsey on github - Fixes #4037 - Closes #4039 +- altsvc: make it use h3-22 with ngtcp2 as well -- runtests: keep logfiles around by default +- ngtcp2: initial h3 request work - Make '-k' a no-op. The singletest function now clears the log directory - BEFORE each individual test and not after, which makes it possible to - always keep the logfiles around after a test has been run. No need to - specify -k anymore. Keeping the option parsing around to work with users - of old habits. + Closes #4217 + +- curl_version_info: offer quic (and h3) library info - Some tests also didn't work properly when -k was used (since the old - logs would be kep when a new test starts) which this change also fixes. + Closes #4216 + +- HTTP3: use ngtcp2's draft-22 branch + +- RELEASE-NOTES: synced + +- CURLOPT_READFUNCTION.3: provide inline example - Closes #4035 + ... 
instead of mentioning one in another place -- [Gergely Nagy brought this change] +- [Tatsuhiro Tsujikawa brought this change] - openssl: fix pubkey/signature algorithm detection in certinfo + ngtcp2: send HTTP/3 request with nghttp3 - Certinfo gives the same result for all OpenSSL versions. - Also made printing RSA pubkeys consistent with older versions. + This commit makes sending HTTP/3 request with nghttp3 work. It + minimally receives HTTP response and calls nghttp3 callbacks, but no + processing is made at the moment. - Reported-by: Michael Wallner - Fixes #3706 - Closes #4030 + Closes #4215 -- conn_maxage: move the check to prune_dead_connections() +- nghttp3: initial h3 template code added + +- nghttp3: required when ngtcp2 is used for QUIC - ... and avoid the locking issue. + - checked for by configure + - updated docs/HTTP3.md + - shown in the version string - Reported-by: Kunal Ekawde - Fixes #4029 - Closes #4032 + Closes #4210 -- tests: have runtests figure out disabled features +- [Eric Wong brought this change] + + asyn-thread: issue CURL_POLL_REMOVE before closing socket - ... so that runtests can skip individual test cases that test features - that are explicitly disabled in this build. This new logic is intended - for disabled features that aren't otherwise easily visible through the - curl_version_info() or other API calls. + This avoids EBADF errors from EPOLL_CTL_DEL operations in the + ephiperfifo.c example. EBADF is dangerous in multi-threaded + applications where I rely on epoll_ctl to operate on the same + epoll description from different threads. - tests/server/disabled is a newly built executable that will output a - list of disabled features. Outputs nothing for a default build. 
+ Follow-up to eb9a604f8d7db8 - Closes #3950 + Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html + Closes #4211 -- test188/189: fix Content-Length +- [Carlo Marcelo Arenas Belón brought this change] + + configure: avoid undefined check_for_ca_bundle - This cures the flaky test results + instead of using a "greater than 0" test, check for variable being + set, as it is always set to 1, and could be left unset if non of + OPENSSL MBEDTLS GNUTLS WOLFSSL is being configured for. - Closes #4034 + Closes #4213 -- [Thomas Gamper brought this change] +- [Tatsuhiro Tsujikawa brought this change] - winbuild: use WITH_PREFIX if given + ngtcp2: Send ALPN h3-22 - Closes #4031 + Closes #4212 -Daniel Gustafsson (17 Jun 2019) -- openssl: remove outdated comment - - OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), - which is why we switched to CONF_modules_load_file() and introduced - a comment stating why. This behavior was however changed in OpenSSL - commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now - outdated and incorrect comment. The mentioned commit also declares - OPENSSL_config() deprecated so keep the current coding. - - Closes #4033 - Reviewed-by: Daniel Stenberg +- [Tatsuhiro Tsujikawa brought this change] -Daniel Stenberg (16 Jun 2019) -- RELEASE-NOTES: synced + ngtcp2: use ngtcp2_settings_default and specify initial_ts -Patrick Monnerat (16 Jun 2019) -- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. - - Use it in curl_easy_setopt_ccsid(). - - Reported-by: jonrumsey on github - Fixes #3833 - Closes #4028 +- curl_global_init_mem.3: mention it was added in 7.12.0 -Daniel Stenberg (15 Jun 2019) -- runtests: report single test time + total duration - - ... after each successful test. 
- - Closes #4027 +- [Tatsuhiro Tsujikawa brought this change] -- multi: fix the transfer hash function - - Follow-up from 8b987cc7eb + ngtcp2: make the QUIC handshake work - Reported-by: Tom van der Woerdt - Fixes #4018 - Closes #4024 + Closes #4209 -- unit1654: cleanup on memory failure +- [Alex Mayorga brought this change] + + HTTP3.md: Update quiche build instructions - ... to make it handle torture tests properly. + Added cloning for quiche and BoringSSL and modified the build + instructions so they work on a clean folder. - Reported-by: Marcel Raad - Fixes #4021 - Closes #4022 + Closes #4208 -Marcel Raad (13 Jun 2019) -- krb5: fix compiler warning - - Even though the variable was used in a DEBUGASSERT, GCC 8 warned in - debug mode: - krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] +- CURLOPT_H3: removed - Just suppress the warning and declare the variable unconditionally - instead of only for DEBUGBUILD (which also missed the check for - HAVE_ASSERT_H). + There's no use for this anymore and it was never in a release. - Closes https://github.com/curl/curl/pull/4020 + Closes #4206 -Daniel Stenberg (13 Jun 2019) -- quote.d: asterisk prefix works for SFTP as well +- http3: make connection reuse work - Reported-by: Ben Voris - Fixes #4017 - Closes #4019 + Closes #4204 -- multi: fix the transfer hashes in the socket hash entries +- quiche: add SSLKEYLOGFILE support + +- cleanup: s/curl_debug/curl_dbg_debug in comments and docs - - The transfer hashes weren't using the correct keys so removing entries - failed. + Leftovers from the function rename back in 76b63489495 - - Simplified the iteration logic over transfers sharing the same socket and - they now simply are set to expire and thus get handled in the "regular" - timer loop instead. 
+ Reported-by: Gisle Vanem + Bug: https://github.com/curl/curl/commit/f3e0f071b14fcb46a453f69bdf4e062bcaacf362#com + mitcomment-34601751 - Reported-by: Tom van der Woerdt - Fixes #4012 - Closes #4014 + Closes #4203 -Jay Satiro (12 Jun 2019) -- [Cliff Crosland brought this change] +- RELEASE-NOTES: synced - url: Fix CURLOPT_MAXAGE_CONN time comparison +- alt-svc: add protocol version selection masking - Old connections are meant to expire from the connection cache after - CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x - that value. This occurs because a time value measured in milliseconds is - accidentally divided by 1M instead of by 1,000. + So that users can mask in/out specific HTTP versions when Alt-Svc is + used. - Closes https://github.com/curl/curl/pull/4013 + - Removed "h2c" and updated test case accordingly + - Changed how the altsvc struct is laid out + - Added ifdefs to make the unittest run even in a quiche-tree + + Closes #4201 -Daniel Stenberg (11 Jun 2019) -- test1165: verify that CURL_DISABLE_ symbols are in sync +- http3: fix the HTTP/3 in the request, make alt-svc set right versions - between configure.ac and source code. They should be possible to switch - on/off in configure AND be used in source code. + Closes #4200 -- configure: remove CURL_DISABLE_TLS_SRP +- alt-svc: send Alt-Used: in redirected requests - It isn't used by code so stop providing the define. + RFC 7838 section 5: - Closes #4010 - -- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" + When using an alternative service, clients SHOULD include an Alt-Used + header field in all requests. - This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. + Removed CURLALTSVC_ALTUSED again (feature is still EXPERIMENTAL thus + this is deemed ok). - Apparently several of the appveyor windows builds broke. 
- -- [sergey-raevskiy brought this change] - - cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified + You can disable sending this header just like you disable any other HTTP + header in libcurl. - Reviewed-by: Jakub Zakrzewski - Closes #3770 - -- RELEASE-NOTES: synced + Closes #4199 -- http2: remove CURL_DISABLE_TYPECHECK define +- CURLOPT_HTTP_VERSION: seting this to 3 forces HTTP/3 use directly - ... in http2-less builds as it served no use. - -- configure: more --disable switches to toggle off individual features + Even though it cannot fall-back to a lower HTTP version automatically. The + safer way to upgrade remains via CURLOPT_ALTSVC. - ... actual support in the code for disabling these has already landed. + CURLOPT_H3 no longer has any bits that do anything and might be removed + before we remove the experimental label. - Closes #4009 - -- wolfssl: fix key pinning build error + Updated the curl tool accordingly to use "--http3". - follow-up from deb9462ff2de8 + Closes #4197 -- CURLMOPT_SOCKETFUNCTION.3: clarified +- docs/ALTSVC: remove what works and the experimental explanation - Moved away the callback explanation from curl_multi_socket_action.3 and - expanded it somewhat. + Also, put the TODO items at the bottom. - Closes #4006 + Closes #4198 -- wolfssl: fixup for SNI use +- docs/EXPERIMENTAL: explain what it means and what's experimental now + +- curl: make use of CURLINFO_RETRY_AFTER when retrying - follow-up from deb9462ff2de8 + If a Retry-After: header was used in the response, that value overrides + other retry timing options. - Closes #4007 + Fixes #3794 + Closes #4195 -- CURLOPT_CAINFO.3: polished wording +- curl: use CURLINFO_PROTOCOL to check for HTTP(s) - Clarify the functionality when built to use Schannel and Secure - Transport and stop calling it the "recommended" or "preferred" way and - instead rather call it the default. + ... instead of CURLINFO_EFFECTIVE_URL to avoid string operations. 
+ +- CURLINFO_RETRY_AFTER: parse the Retry-After header value - Removed the reference to the ssl comparison table as it isn't necessary. + This is only the libcurl part that provides the information. There's no + user of the parsed value. This change includes three new tests for the + parser. - Reported-by: Richard Alcock - Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html - Closes #4005 + Ref: #3794 -GitHub (10 Jun 2019) -- [Daniel Stenberg brought this change] +- docs/ALTSVC.md: first basic file format description - SECURITY.md: created +- curl: have -w's 'http_version' show '3' for HTTP/3 - Brief security policy description for use/display on github. + Closes #4196 -Daniel Gustafsson (10 Jun 2019) -- tool_cb_prg: Fix integer overflow in progress bar - - Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar - width calculation to avoid integer overflow, but failed to account for - the fact that initial_size is initialized to -1 when the file size is - retrieved from the remote on an upload, causing another signed integer - overflow. Fix by separately checking for this case before the width - calculation. +- curl.h: add CURL_HTTP_VERSION_3 to the version enum - Closes #3984 - Reported-by: Brian Carpenter (Geeknik Labs) - Reviewed-by: Daniel Stenberg + It can't be set for CURLOPT_HTTP_VERSION, but it can be extracted with + CURLINFO_HTTP_VERSION. -Daniel Stenberg (10 Jun 2019) -- wolfssl: refer to it as wolfSSL only - - Remove support for, references to and use of "cyaSSL" from the source - and docs. wolfSSL is the current name and there's no point in keeping - references to ancient history. 
- - Assisted-by: Daniel Gustafsson - - Closes #3903 +- quiche: make use of the connection timeout API properly -- RELEASE-NOTES: synced +- quiche: make POSTFIELDS posts work -- bindlocal: detect and avoid IP version mismatches in bind() - - Reported-by: Alex Grebenschikov - Fixes #3993 - Closes #4002 +- quiche: improved error handling and memory cleanups -- multi: make sure 'data' can present in several sockhash entries +- quiche: flush egress in h3_stream_recv() too + +- RELEASE-NOTES: synced + +Jay Satiro (6 Aug 2019) +- [Patrick Monnerat brought this change] + + os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). - Since more than one socket can be used by each transfer at a given time, - each sockhash entry how has its own hash table with transfers using that - socket. + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - In addition, the sockhash entry can now be marked 'blocked = TRUE'" - which then makes the delete function just set 'removed = TRUE' instead - of removing it "for real", as a way to not rip out the carpet under the - feet of a parent function that iterates over the transfers of that same - sockhash entry. + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. - Reported-by: Tom van der Woerdt - Fixes #3961 - Fixes #3986 - Fixes #3995 - Fixes #4004 - Closes #3997 - -- [Sorcus brought this change] + Closes https://github.com/curl/curl/pull/4186 - libcurl-tutorial.3: Fix small typo (mutipart -> multipart) +- tests: Fix the line endings for the SASL alt-auth tests - Fixed-by: MrSorcus on github - Closes #4000 - -- unpause: trigger a timeout for event-based transfers + - Change data and protocol sections to CRLF line endings. - ... 
so that timeouts or other state machine actions get going again - after a changing pause state. For example, if the last delivery was - paused there's no pending socket activity. + Prior to this change the tests would fail or hang, which is because + certain sections such as protocol require CRLF line endings. - Reported-by: sstruchtrup on github - Fixes #3994 - Closes #4001 - -Marcel Raad (9 Jun 2019) -- travis: use xenial LLVM package for scan-build + Follow-up to grandparent commit which added the tests. - I missed that in commit 99a49d6. - -- travis: update scan-build job to xenial + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - Closes https://github.com/curl/curl/pull/3999 + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 -Daniel Stenberg (8 Jun 2019) -- bump: start working on 7.65.2 +- [Steve Holme brought this change] -Marcel Raad (5 Jun 2019) -- examples/htmltitle: use C++ casts between pointer types + examples: Added SASL PLAIN authorisation identity (authzid) examples - Compilers and static analyzers warn about using C-style casts here. + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - Closes https://github.com/curl/curl/pull/3975 + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. 
+ + Closes https://github.com/curl/curl/pull/4186 -- examples/fopen: fix comparison +- [Steve Holme brought this change] + + curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool - As want is size_t, (file->buffer_pos - want) is unsigned, so checking - if it's less than zero makes no sense. - Check if file->buffer_pos is less than want instead to avoid the - unsigned integer wraparound. + Ref: https://github.com/curl/curl/issues/3653 + Ref: https://github.com/curl/curl/pull/3790 - Closes https://github.com/curl/curl/pull/3975 + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. + + Closes https://github.com/curl/curl/pull/4186 -- build: fix Codacy warnings +- [Steve Holme brought this change] + + sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - Reduce variable scopes and remove redundant variable stores. + Added the ability for the calling program to specify the authorisation + identity (authzid), the identity to act as, in addition to the + authentication identity (authcid) and password when using SASL PLAIN + authentication. - Closes https://github.com/curl/curl/pull/3975 - -- sws: remove unused variables + Fixes #3653 + Closes #3790 - Unused since commit 2f44e94. + NOTE: This commit was cherry-picked and is part of a series of commits + that added the authzid feature for upcoming 7.66.0. The series was + temporarily reverted in db8ec1f so that it would not ship in a 7.65.x + patch release. 
- Closes https://github.com/curl/curl/pull/3975 - -Version 7.65.1 (4 Jun 2019) + Closes https://github.com/curl/curl/pull/4186 -Daniel Stenberg (4 Jun 2019) -- RELEASE-NOTES: 7.65.1 +Daniel Stenberg (6 Aug 2019) +- docs/HTTP3: refreshed as it is now in master and HTTP/3 can be tested -- THANKS: new contributors from 7.65.1 +- [Yiming Jing brought this change] -Steve Holme (4 Jun 2019) -- [Frank Gevaerts brought this change] + mesalink: implement client authentication + + Closes #4184 - ssl: Update outdated "openssl-only" comments for supported backends +- curl_multi_poll: a sister to curl_multi_wait() that waits more - These are for features that used to be openssl-only but were expanded - over time to support other SSL backends. + Repeatedly we see problems where using curl_multi_wait() is difficult or + just awkward because if it has no file descriptor to wait for + internally, it returns immediately and leaves it to the caller to wait + for a small amount of time in order to avoid occasional busy-looping. - Closes #3985 - -Daniel Stenberg (4 Jun 2019) -- curl_share_setopt.3: improve wording [ci ship] + This is often missed or misunderstood, leading to underperforming + applications. - Reported-by: Carlos ORyan - -Steve Holme (4 Jun 2019) -- tool_parsecfg: Use correct return type for GetModuleFileName() + This change introduces curl_multi_poll() as a replacement drop-in + function that accepts the exact same set of arguments. This function + works identically to curl_multi_wait() - EXCEPT - for the case when + there's nothing to wait for internally, as then this function will by + itself wait for a "suitable" short time before it returns. This + effectiely avoids all risks of busy-looping and should also make it less + likely that apps "over-wait". - GetModuleFileName() returns a DWORD which is a typedef of an unsigned - long and not an int. 
+ This also changes the curl tool to use this funtion internally when + doing parallel transfers and changes curl_easy_perform() to use it + internally. - Closes #3980 + Closes #4163 -Daniel Stenberg (3 Jun 2019) -- TODO: "at least N milliseconds between requests" [ci skip] +- quiche:h3_stream_recv return 0 at end of stream - Suggested-by: dkwolfe4 on github - Closes #3920 + ... and remove some verbose messages we don't need. Made transfers from + facebook.com work better. -Steve Holme (2 Jun 2019) -- tests/server/.gitignore: Add socksd to the ignore list +- altsvc: make quiche use h3-22 now + +- quiche: show the actual version number + +- quiche: first working HTTP/3 request - Missed in 04fd6755. + - enable debug log + - fix use of quiche API + - use download buffer + - separate header/body - Closes #3978 + Closes #4193 -- tool_parsecfg: Fix control flow issue (DEADCODE) +- http09: disable HTTP/0.9 by default in both tool and library - Follow-up to 8144ba38. + As the plan has been laid out in DEPRECATED. Update docs accordingly and + verify in test 1174. Now requires the option to be set to allow HTTP/0.9 + responses. - Detected by Coverity CID 1445663 - Closes #3976 + Closes #4191 -Daniel Stenberg (2 Jun 2019) -- [Sergey Ogryzkov brought this change] +- quiche: initial h3 request send/receive - NTLM: reset proxy "multipass" state when CONNECT request is done - - Closes #3972 +- lib/Makefile.am: make checksrc run in vquic too -- test334: verify HTTP 204 response with chunked coding header +- altsvc: fix removal of expired cache entry - Verifies that a bodyless response don't parse this content-related - header. + Closes #4192 -- [Michael Kaufmann brought this change] +- RELEASE-NOTES: synced - http: don't parse body-related headers bodyless responses - - Responses with status codes 1xx, 204 or 304 don't have a response body. 
For - these, don't parse these headers: - - - Content-Encoding - - Content-Length - - Content-Range - - Last-Modified - - Transfer-Encoding - - This change ensures that HTTP/2 upgrades work even if a - "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. +Steve Holme (4 Aug 2019) +- md4: Use our own MD4 implementation when no crypto libraries are available - Co-authored-by: Daniel Stenberg - Closes #3702 - Fixes #3968 - Closes #3977 + Closes #3780 -- tls13-docs: mention it is only for OpenSSL >= 1.1.1 - - Reported-by: Jay Satiro - Co-authored-by: Jay Satiro - Fixes #3938 - Closes #3946 +- md4: No need to include Curl_md4.h for each TLS library -- dump-header.d: spell out that no headers == empty file [ci skip] +- md4: No need for the NTLM code to call Curl_md4it() for each TLS library - Reported-by: wesinator at github - Fixes #3964 - Closes #3974 + As the NTLM code no longer calls any of TLS libraries' specific MD4 + functions, there is no need to call this function for each #ifdef. -- singlesocket: use separate variable for inner loop - - An inner loop within the singlesocket() function wrongly re-used the - variable for the outer loop which then could cause an infinite - loop. Change to using a separate variable! - - Reported-by: Eric Wu - Fixes #3970 - Closes #3973 +- md4: Move the mbed TLS MD4 implementation out of the NTLM code -- RELEASE-NOTES: synced +- md4: Move the WinCrypt implementation out of the NTLM code -- [Josie Huddleston brought this change] +- md4: Move the SecureTransport implementation out of the NTLM code - http2: Stop drain from being permanently set on - - Various functions called within Curl_http2_done() can have the - side-effect of setting the Easy connection into drain mode (by calling - drain_this()). However, the last time we unset this for a transfer (by - calling drained_transfer()) is at the beginning of Curl_http2_done(). 
- If the Curl_easy is reused for another transfer, it is then stuck in - drain mode permanently, which in practice makes it unable to write any - data in the new transfer. - - This fix moves the last call to drained_transfer() to later in - Curl_http2_done(), after the functions that could potentially call for a - drain. - - Fixes #3966 - Closes #3967 - Reported-by: Josie-H +- md4: Use the Curl_md4it() function for OpenSSL based NTLM -Steve Holme (29 May 2019) -- conncache: Remove the DEBUGASSERT on length check - - We trust the calling code as this is an internal function. - - Closes #3962 +- md4: Move the GNU TLS gcrypt MD4 implementation out of the NTLM code -Jay Satiro (29 May 2019) -- [Gisle Vanem brought this change] +- md4: Move the GNU TLS Nettle MD4 implementation out of the NTLM code - system_win32: fix function prototype - - - Change if_nametoindex parameter type from char * to const char *. +Jay Satiro (4 Aug 2019) +- OS400: Add CURLOPT_H3 symbols - Follow-up to 09eef8af from this morning. + Follow-up to 3af0e76 which added experimental H3 support. - Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 + Closes https://github.com/curl/curl/pull/4185 -Marcel Raad (29 May 2019) -- appveyor: add Visual Studio solution build - - Closes https://github.com/curl/curl/pull/3941 +Daniel Stenberg (3 Aug 2019) +- url: make use of new HTTP version if alt-svc has one -- appveyor: add support for other build systems - - Introduce BUILD_SYSTEM variable, which is currently always CMake. - - Closes https://github.com/curl/curl/pull/3941 +- url: set conn->transport to default TCP at init time -Steve Holme (29 May 2019) -- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows +- altsvc: with quiche, use the quiche h3 alpn string - This fixes the static dependency on iphlpapi.lib and allows curl to - build for targets prior to Windows Vista. + Closes #4183 + +- alt-svc: more liberal ALPN name parsing - This partially reverts 170bd047. 
+ Allow pretty much anything to be part of the ALPN identifier. In + particular minus, which is used for "h3-20" (in-progress HTTP/3 + versions) etc. - Fixes #3960 - Closes #3958 + Updated test 356. + Closes #4182 -Daniel Stenberg (29 May 2019) -- http: fix "error: equality comparison with extraneous parentheses" +- quiche: use the proper HTTP/3 ALPN -- parse_proxy: make sure portptr is initialized +- quiche: add failf() calls for two error cases - Reported-by: Benbuck Nason + To aid debugging - fixes #3959 + Closes #4181 -- url: default conn->port to the same as conn->remote_port - - ... so that it has a sensible value when ConnectionExists() is called which - needs it set to differentiate host "bundles" correctly on port number! +- mailmap: added Kyohei Kadota + +Kamil Dudka (1 Aug 2019) +- http_negotiate: improve handling of gss_init_sec_context() failures - Also, make conncache:hashkey() use correct port for bundles that are proxy vs - host connections. + If HTTPAUTH_GSSNEGOTIATE was used for a POST request and + gss_init_sec_context() failed, the POST request was sent + with empty body. This commit also restores the original + behavior of `curl --fail --negotiate`, which was changed + by commit 6c6035532383e300c712e4c1cd9fdd749ed5cf59. - Probably a regression from 7.62.0 + Add regression tests 2077 and 2078 to cover this. - Reported-by: Tom van der Woerdt - Fixes #3956 - Closes #3957 + Fixes #3992 + Closes #4171 -- conncache: make "bundles" per host name when doing proxy tunnels - - Only HTTP proxy use where multiple host names can be used over the same - connection should use the proxy host name for bundles. 
+Daniel Stenberg (1 Aug 2019) +- mailmap: added 4 more names - Reported-by: Tom van der Woerdt - Fixes #3951 - Closes #3955 + Evgeny Grin, Peter Pih, Anton Malov and Marquis de Muesli -- multi: track users of a socket better +- mailmap: add Giorgos Oikonomou + +- src/makefile: fix uncompressed hugehelp.c generation - They need to be removed from the socket hash linked list with more care. + Regression from 5cf5d57ab9 (7.64.1) - When sh_delentry() is called to remove a sockethash entry, remove all - individual transfers from the list first. To enable this, each Curl_easy struct - now stores a pointer to the sockethash entry to know how to remove itself. + Fixed-by: Lance Ware + Fixes #4176 + Closes #4177 + +- appveyor: pass on -k to make + +- timediff: make it 64 bit (if possible) even with 32 bit time_t - Reported-by: Tom van der Woerdt and Kunal Ekawde + ... to make it hold microseconds too. - Fixes #3952 - Fixes #3904 - Closes #3953 + Fixes #4165 + Closes #4168 -Steve Holme (28 May 2019) -- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version +- ROADMAP: parallel transfers are merged now + +- getenv: support up to 4K environment variable contents on windows - Microsoft added support for Unix Domain Sockets in Windows 10 1803 - (RS4). Rather than expect the user to enable Unix Domain Sockets by - uncommenting the #define that was added in 0fd6221f we use the RS4 - pre-processor variable that is present in newer versions of the - Windows SDK. 
+ Reported-by: Michal Čaplygin + Fixes #4174 + Closes #4175 + +- [Kyohei Kadota brought this change] + + plan9: add support for running on Plan 9 - Closes #3939 + Closes #3701 -Daniel Stenberg (28 May 2019) -- [Jonas Vautherin brought this change] +- [Kyohei Kadota brought this change] - cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables + ntlm: explicit type casting + +- [Justin brought this change] + + curl.h: fix outdated comment - Closes #3945 + Closes #4167 -Marcel Raad (27 May 2019) -- HAProxy tests: add keywords +- curl: remove outdated comment - Add the proxy and haproxy keywords in order to be able to exclude or - run these specific tests. + Turned bad with commit b8894085000 - Closes https://github.com/curl/curl/pull/3949 + Reported-by: niallor on github + Fixes #4172 + Closes #4173 -Daniel Stenberg (27 May 2019) -- [Maksim Stsepanenka brought this change] +- cleanup: remove the 'numsocks' argument used in many places + + It was used (intended) to pass in the size of the 'socks' array that is + also passed to these functions, but was rarely actually checked/used and + the array is defined to a fixed size of MAX_SOCKSPEREASYHANDLE entries + that should be used instead. + + Closes #4169 - tests: make test 1420 and 1406 work with rtsp-disabled libcurl +- readwrite_data: repair setting the TIMER_STARTTRANSFER stamp - Closes #3948 + Regression, broken in commit 65eb65fde64bd5f (curl 7.64.1) + + Reported-by: Jonathan Cardoso Machado + Assisted-by: Jay Satiro + + Fixes #4136 + Closes #4162 -Kamil Dudka (27 May 2019) -- [Hubert Kario brought this change] +- mailmap: Amit Katyal - nss: allow to specify TLS 1.3 ciphers if supported by NSS +- asyn-thread: removed unused variable - Closes #3916 + Follow-up to eb9a604f. Mistake caused by me when I edited the commit + before push... 
-Daniel Stenberg (26 May 2019) - RELEASE-NOTES: synced -- [Jay Satiro brought this change] +- [Amit Katyal brought this change] - Revert all SASL authzid (new feature) commits - - - Revert all commits related to the SASL authzid feature since the next - release will be a patch release, 7.65.1. + asyn-thread: create a socketpair to wait on - Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined - for the next release, assuming it would be a feature release 7.66.0. - However instead the next release will be a patch release, 7.65.1 and - will not contain any new features. + Closes #4157 + +- curl: cap the maximum allowed values for retry time arguments - After the patch release after the reverted commits can be restored by - using cherry-pick: + ... to avoid integer overflows later when multiplying with 1000 to + convert seconds to milliseconds. - git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 + Added test 1269 to verify. - Details for all reverted commits: + Reported-by: Jason Lee + Closes #4166 + +- progress: reset download/uploaded counter - Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." + ... to make CURLOPT_MAX_RECV_SPEED_LARGE and + CURLOPT_MAX_SEND_SPEED_LARGE work correctly on subsequent transfers that + reuse the same handle. - This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. + Fixed-by: Ironbars13 on github + Fixes #4084 + Closes #4161 + +- http2_recv: trigger another read when the last data is returned - Revert "tests: Fix the line endings for the SASL alt-auth tests" + ... so that end-of-stream is detected properly. - This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. 
+ Reported-by: Tom van der Woerdt + Fixes #4043 + Closes #4160 + +- curl: avoid uncessary libcurl timeouts (in parallel mode) - Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" + When curl_multi_wait() returns OK without file descriptors to wait for, + it might already have done a long timeout. - This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. + Closes #4159 + +- [Balazs Kovacsics brought this change] + + HTTP: use chunked Transfer-Encoding for HTTP_POST if size unknown - Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" + If using the read callback for HTTP_POST, and POSTFIELDSIZE is not set, + automatically add a Transfer-Encoding: chunked header, same as it is + already done for HTTP_PUT, HTTP_POST_FORM and HTTP_POST_MIME. Update + test 1514 according to the new behaviour. - This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. - - Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" - - This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. - -- [dbrowndan brought this change] - - FAQ: more minor updates and spelling fixes - - Closes #3937 + Closes #4138 -- RELEASE-NOTES: synced +Jay Satiro (29 Jul 2019) +- [Daniel Stenberg brought this change] -- sectransp: handle errSSLPeerAuthCompleted from SSLRead() + winbuild: add vquic to list of build directories - Reported-by: smuellerDD on github - Fixes #3932 - Closes #3933 - -GitHub (24 May 2019) -- [Gisle Vanem brought this change] - - Fix typo. - -Daniel Stenberg (23 May 2019) -- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() + This fixes the winbuild build method which broke several days ago + when experimental quic support was added in 3af0e76. 
- Reported-by: Marcel Raad - Fixes #3926 - Closes #3929 - -Steve Holme (23 May 2019) -- winbuild: Use two space indentation + Reported-by: Michael Lee - Closes #3930 - -GitHub (23 May 2019) -- [Gisle Vanem brought this change] + Fixes https://github.com/curl/curl/issues/4158 - tool_parse_cfg: Avoid 2 fopen() for WIN32 +- easy: resize receive buffer on easy handle reset - Using the memdebug.h mem-leak feature, I noticed 2 calls like: - FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") - FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + - In curl_easy_reset attempt to resize the receive buffer to its default + size. If realloc fails then continue using the previous size. - No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. - -Daniel Stenberg (23 May 2019) -- md4: include the mbedtls config.h to get the MD4 info - -- md4: build correctly with openssl without MD4 + Prior to this change curl_easy_reset did not properly handle resetting + the receive buffer (data->state.buffer). It reset the variable holding + its size (data->set.buffer_size) to the default size (READBUFFER_SIZE) + but then did not actually resize the buffer. If a user resized the + buffer by using CURLOPT_BUFFERSIZE to set the size smaller than the + default, later called curl_easy_reset and attempted to reuse the handle + then a heap overflow would very likely occur during that handle's next + transfer. - Reported-by: elsamuko at github - Fixes #3921 - Closes #3922 - -Patrick Monnerat (23 May 2019) -- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). 
- -Daniel Stenberg (23 May 2019) -- .github/FUNDING: mention our opencollective "home" [ci skip] - -Marcel Raad (23 May 2019) -- [Zenju brought this change] - - config-win32: add support for if_nametoindex and getsockname + Reported-by: Felix Hädicke - Closes https://github.com/curl/curl/pull/3923 + Fixes https://github.com/curl/curl/issues/4143 + Closes https://github.com/curl/curl/pull/4145 -Jay Satiro (23 May 2019) -- tests: Fix the line endings for the SASL alt-auth tests - - - Change data and protocol sections to CRLF line endings. - - Prior to this change the tests would fail or hang, which is because - certain sections such as protocol require CRLF line endings. - - Follow-up to a9499ff from today which added the tests. - - Ref: https://github.com/curl/curl/pull/3790 +- [Brad Spencer brought this change] -Daniel Stenberg (23 May 2019) -- url: fix bad #ifdef - - Regression since e91e48161235272ff485. + examples: Avoid reserved names in hiperfifo examples - Reported-by: Tom Greenslade - Fixes #3924 - Closes #3925 - -- Revert "progress: CURL_DISABLE_PROGRESS_METER" + - Trade in __attribute__((unused)) for the classic (void)x to silence + unused symbols. - This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. + Because the classic way is not gcc specific. Also because the prior + method mapped to symbol _Unused, which starts with _ and a capital + letter which is reserved. 
- Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + - CURLOPT_LOW_SPEED_TIME + Assisted-by: The Infinnovation team - Reported-by: Dave Reisner + Bug: https://github.com/curl/curl/issues/4120#issuecomment-512542108 - Fixes #3927 - Closes #3928 + Closes https://github.com/curl/curl/pull/4153 -Steve Holme (22 May 2019) -- examples: Added SASL PLAIN authorisation identity (authzid) examples +Daniel Stenberg (25 Jul 2019) +- RELEASE-NOTES: synced -- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool +- [Felix Hädicke brought this change] -- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID - - Added the ability for the calling program to specify the authorisation - identity (authzid), the identity to act as, in addition to the - authentication identity (authcid) and password when using SASL PLAIN - authentication. + ssh-libssh: do not specify O_APPEND when not in append mode - Fixed #3653 - Closes #3790 - -Marc Hoersken (22 May 2019) -- tests: add support to test against OpenSSH for Windows + Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not + make much sense. And this combination of flags is not accepted by all + SFTP servers (at least not Apache SSHD). - Testing against OpenSSH for Windows requires v7.7.0.0 or newer - due to the use of AllowUsers and DenyUsers. For more info see: - https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config + Fixes #4147 + Closes #4148 -Daniel Stenberg (22 May 2019) -- bump: start on the next release +- [Gergely Nagy brought this change] -Marcel Raad (22 May 2019) -- examples: fix "clarify calculation precedence" warnings + multi: call detach_connection before Curl_disconnect - Closes https://github.com/curl/curl/pull/3919 - -- hiperfifo: remove unused variable + Curl_disconnect bails out if conn->easyq is not empty, detach_connection + needs to be called first to remove the current easy from the queue. 
- Closes https://github.com/curl/curl/pull/3919 + Fixes #4144 + Closes #4151 -- examples: remove dead variable stores +Jay Satiro (23 Jul 2019) +- tool_operate: fix implicit call to easysrc_cleanup - Closes https://github.com/curl/curl/pull/3919 - -- examples: reduce variable scopes + easysrc_cleanup is only defined when CURL_DISABLE_LIBCURL_OPTION is not + defined, and prior to this change would be called regardless. - Closes https://github.com/curl/curl/pull/3919 - -- http2-download: fix format specifier + Bug: https://github.com/curl/curl/pull/3804#issuecomment-513922637 + Reported-by: Marcel Raad - Closes https://github.com/curl/curl/pull/3919 + Closes https://github.com/curl/curl/pull/4142 -Daniel Stenberg (22 May 2019) -- PolarSSL: deprecate support step 1. Removed from configure. +Daniel Stenberg (22 Jul 2019) +- curl:create_transfers check return code from curl_easy_setopt - Also removed mentions from most docs. + From commit b8894085 - Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html + Pointed out by Coverity CID 1451703 - Closes #3888 + Closes #4134 -- configure/cmake: check for if_nametoindex() +- HTTP3: initial (experimental) support - - adds the check to cmake + USe configure --with-ngtcp2 or --with-quiche - - fixes the configure check to work for cross-compiled windows builds + Using either option will enable a HTTP3 build. + Co-authored-by: Alessandro Ghedini - Closes #3917 + Closes #3500 -- parse_proxy: use the IPv6 zone id if given - - If the proxy string is given as an IPv6 numerical address with a zone - id, make sure to use that for the connect to the proxy. 
+- curl: remove dead code - Reported-by: Edmond Yu + The loop never loops (since b889408500), pointed out by Coverity (CID + 1451702) - Fixes #3482 - Closes #3918 - -Version 7.65.0 (22 May 2019) - -Daniel Stenberg (22 May 2019) -- RELEASE-NOTES: 7.65.0 release + Closes #4133 -- THANKS: from the 7.65.0 release-notes +- docs/PARALLEL-TRANSFERS: correct the version number -- url: convert the zone id from a IPv6 URL to correct scope id - - Reported-by: GitYuanQu on github - Fixes #3902 - Closes #3914 +- docs/PARALLEL-TRANSFERS: added -- configure: detect getsockname and getpeername on windows too - - Made detection macros for these two functions in the same style as other - functions possibly in winsock in the hope this will work better to - detect these functions when cross-compiling for Windows. +- curl: support parallel transfers - Follow-up to e91e4816123 + This is done by making sure each individual transfer is first added to a + linked list as then they can be performed serially, or at will, in + parallel. - Fixes #3913 - Closes #3915 + Closes #3804 -Marcel Raad (21 May 2019) -- examples: remove unused variables +- docs/MANUAL.md: converted to markdown from plain text - Fixes Codacy/CppCheck warnings. + ... will make it render as a nicer web page. - Closes + Closes #4131 -Daniel Gustafsson (21 May 2019) -- udpateconninfo: mark variable unused +- curl_version_info: provide nghttp2 details - When compiling without getpeername() or getsockname(), the sockfd - paramter to Curl_udpateconninfo() became unused after commit e91e481612 - added ifdef guards. + Introducing CURLVERSION_SIXTH with nghttp2 info. 
- Closes #3910 - Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 - Reviewed-by: Marcel Raad, Daniel Stenberg + Closes #4121 -- ftp: move ftp_ccc in under featureflag +- bump: start working on 7.66.0 + +- source: remove names from source comments - Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under - the FTP featureflag in the UserDefined struct, but vtls callsites were - still using it unprotected. + Several reasons: - Closes #3912 - Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 - Reviewed-by: Daniel Stenberg, Marcel Raad - -Daniel Stenberg (20 May 2019) -- curl: report error for "--no-" on non-boolean options + - we can't add everyone who's helping out so its unfair to just a few + selected ones. + - we already list all helpers in THANKS and in RELEASE-NOTES for each + release + - we don't want to give the impression that some parts of the code is + "owned" or "controlled" by specific persons - Reported-by: Olen Andoni - Fixes #3906 - Closes #3907 - -- [Guy Poizat brought this change] + Assisted-by: Daniel Gustafsson + Closes #4129 - mbedtls: enable use of EC keys - - Closes #3892 +Version 7.65.3 (19 Jul 2019) -- lib1560: add tests for parsing URL with too long scheme - - Ref: #3905 +Daniel Stenberg (19 Jul 2019) +- RELEASE-NOTES: 7.65.3 -- [Omar Ramadan brought this change] +- THANKS: 7.65.3 status - urlapi: increase supported scheme length to 40 bytes +- progress: make the progress meter appear again - The longest currently registered URI scheme at IANA is 36 bytes long. + Fix regression caused by 21080e1 - Closes #3905 - Closes #3900 + Reported-by: Chih-Hsuan Yen + Fixes #4122 + Closes #4124 -Marcel Raad (20 May 2019) -- lib: reduce variable scopes - - Fixes Codacy/CppCheck warnings. - - Closes https://github.com/curl/curl/pull/3872 +- version: bump to 7.65.3 -- tool_formparse: remove redundant assignment - - Just initialize word_begin with the correct value. 
- - Closes https://github.com/curl/curl/pull/3873 +- RELEASE-NOTES: Contributors or now 1990 -- ssh: move variable declaration to where it's used - - This way, we need only one call to free. - - Closes https://github.com/curl/curl/pull/3873 +Version 7.65.2 (17 Jul 2019) -- ssh-libssh: remove unused variable - - sock was only used to be assigned to fd_read. - - Closes https://github.com/curl/curl/pull/3873 +Daniel Stenberg (17 Jul 2019) +- RELEASE-NOTES: 7.65.2 -Daniel Stenberg (20 May 2019) -- test332: verify the blksize fix +- THANKS: add contributors from 7.65.2 -- tftp: use the current blksize for recvfrom() - - bug: https://curl.haxx.se/docs/CVE-2019-5436.html - Reported-by: l00p3r on hackerone - CVE-2019-5436 +Jay Satiro (17 Jul 2019) +- [aasivov brought this change] -Daniel Gustafsson (19 May 2019) -- version: make ssl_version buffer match for multi_ssl + cmake: Fix finding Brotli on case-sensitive file systems - When running a multi TLS backend build the version string needs more - buffer space. Make the internal ssl_buffer stack buffer match the one - in Curl_multissl_version() to allow for the longer string. For single - TLS backend builds there is no use in extended to buffer. This is a - fallout from #3863 which fixes up the multi_ssl string generation to - avoid a buffer overflow when the buffer is too small. + - Find package "Brotli" instead of "BROTLI" since the former is the + casing used for CMake/FindBrotli.cmake, and otherwise find_package + may fail on a case-sensitive file system. - Closes #3875 - Reviewed-by: Daniel Stenberg + Fixes https://github.com/curl/curl/issues/4117 -Steve Holme (18 May 2019) -- http_ntlm_wb: Handle auth for only a single request - - Currently when the server responds with 401 on NTLM authenticated - connection (re-used) we consider it to have failed. 
However this is - legitimate and may happen when for example IIS is set configured to - 'authPersistSingleRequest' or when the request goes thru a proxy (with - 'via' header). +- CURLOPT_RANGE.3: Caution against using it for HTTP PUT - Implemented by imploying an additional state once a connection is - re-used to indicate that if we receive 401 we need to restart - authentication. + AFAICT CURLOPT_RANGE does not support ranged HTTP PUT uploads so I've + cautioned against using it for that purpose and included a workaround. - Missed in fe6049f0. - -- http_ntlm_wb: Cleanup handshake after clean NTLM failure + Bug: https://curl.haxx.se/mail/lib-2019-04/0075.html + Reported-by: Christopher Head - Missed in 50b87c4e. + Closes https://github.com/curl/curl/issues/3814 -- http_ntlm_wb: Return the correct error on receiving an empty auth message - - Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. - - Closes #3894 +- [Stefano Simonelli brought this change] -Daniel Stenberg (18 May 2019) -- curl: make code work with protocol-disabled libcurl + CURLOPT_SEEKDATA.3: fix variable name - Closes #3844 - -- libcurl: #ifdef away more code for disabled features/protocols - -- progress: CURL_DISABLE_PROGRESS_METER - -- hostip: CURL_DISABLE_SHUFFLE_DNS + Closes https://github.com/curl/curl/pull/4118 -- netrc: CURL_DISABLE_NETRC +- [Giorgos Oikonomou brought this change] -Viktor Szakats (16 May 2019) -- docs: Markdown and misc improvements [ci skip] + CIPHERS.md: Explain Schannel error SEC_E_ALGORITHM_MISMATCH - Approved-by: Daniel Stenberg - Closes #3896 - -- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] + If the SSL backend is Schannel and the user specifies an Schannel CALG_ + that is not supported by the protocol or the server then curl returns + CURLE_SSL_CONNECT_ERROR (35) SEC_E_ALGORITHM_MISMATCH. 
- Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 - Approved-by: Daniel Stenberg - Closes #3895 + Fixes https://github.com/curl/curl/issues/3389 + Closes https://github.com/curl/curl/pull/4106 -Daniel Stenberg (16 May 2019) -- travis: add an osx http-only build - - Closes #3887 +- [Daniel Gustafsson brought this change] -- cleanup: remove FIXME and TODO comments + nss: inspect returnvalue of token check - They serve very little purpose and mostly just add noise. Most of them - have been around for a very long time. I read them all before removing - or rephrasing them. + PK11_IsPresent() checks for the token for the given slot is available, + and sets needlogin flags for the PK11_Authenticate() call. Should it + return false, we should however treat it as an error and bail out. - Ref: #3876 - Closes #3883 + Closes https://github.com/curl/curl/pull/4110 -- curl: don't set FTP options for FTP-disabled builds - - ... since libcurl has started to be totally unaware of options for - disabled protocols they now return error. +- docs: Explain behavior change in --tlsv1. options since 7.54 - Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 + Since 7.54 --tlsv1. options use the specified version or later, however + older versions of curl documented it as using just the specified version + which may or may not have happened depending on the TLS library. + Document this discrepancy to allay confusion for users familiar with the + old documentation that expect just the specified version. - Reported-by: Marcel Raad - Closes #3886 + Fixes https://github.com/curl/curl/issues/4097 + Closes https://github.com/curl/curl/pull/4119 -Steve Holme (16 May 2019) -- http_ntlm_wb: Move the type-2 message processing into a dedicated function +- libcurl: Restrict redirect schemes (follow-up) - This brings the code inline with the other HTTP authentication mechanisms. 
+ - Allow FTPS on redirect. - Closes #3890 - -Daniel Stenberg (15 May 2019) -- RELEASE-NOTES: synced - -- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] - -- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] + - Update default allowed redirect protocols in documentation. - Reported-by: Roy Bellingan - Bug: #3885 - -- parse_proxy: use the URL parser API + Follow-up to 6080ea0. - As we treat a given proxy as a URL we should use the unified URL parser - to extract the parts out of it. + Ref: https://github.com/curl/curl/pull/4094 - Closes #3878 + Closes https://github.com/curl/curl/pull/4115 -Steve Holme (15 May 2019) -- http_negotiate: Move the Negotiate state out of the negotiatedata structure - - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. +Daniel Stenberg (16 Jul 2019) +- test1173: make it also check all libcurl option man pages - Closes #3882 - -- http_ntlm: Move the NTLM state out of the ntlmdata structure + ... and adjust those that cause errors - Given that this member variable is not used by the SASL based protocols - there is no need to have it here. - -- url: Move the negotiate state type into a dedicated enum + Closes #4116 -- url: Remove duplicate clean up of the winbind variables in conn_shutdown() +- curl: only accept COLUMNS less than 10000 - Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior - to calling conn_shutdown() and it in turn performs this, there is no - need to perform the same action in conn_shutdown(). + ... as larger values would rather indicate something silly (and could + potentially cause buffer problems). - Closes #3881 + Reported-by: pendrek at hackerone + Closes #4114 -Daniel Stenberg (14 May 2019) -- urlapi: require a non-zero host name length when parsing URL - - Updated test 1560 to verify. 
+- dist: add manpage-syntax.pl - Closes #3880 + follow-up to 7fb66c403 -- configure: error out if OpenSSL wasn't detected when asked for +- test1173: detect some basic man page format mistakes - If --with-ssl is used and configure still couldn't enable SSL this - creates an error instead of just silently ignoring the fact. + Triggered by PR #4111 - Suggested-by: Isaiah Norton - Fixes #3824 - Closes #3830 + Closes #4113 -Daniel Gustafsson (14 May 2019) -- imap: Fix typo in comment +Jay Satiro (15 Jul 2019) +- [Bjarni Ingi Gislason brought this change] -Steve Holme (14 May 2019) -- url: Remove unnecessary initialisation from allocate_conn() + docs: Fix missing lines caused by undefined macros - No need to set variables to zero as calloc() does this for us. + - Escape apostrophes at line start. - Closes #3879 - -Daniel Stenberg (14 May 2019) -- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] + Some lines begin with a "'" (apostrophe, single quote), which is then + interpreted as a control character in *roff. - Clues-provided-by: Jay Satiro - Clues-provided-by: Jeroen Ooms - Fixes #3711 - Closes #3874 - -Daniel Gustafsson (13 May 2019) -- vtls: fix potential ssl_buffer stack overflow + Such lines are interpreted as being a call to a macro, and if + undefined, the lines are removed from the output. - In Curl_multissl_version() it was possible to overflow the passed in - buffer if the generated version string exceeded the size of the buffer. - Fix by inverting the logic, and also make sure to not exceed the local - buffer during the string generation. + Bug: https://bugs.debian.org/926352 + 
Signed-off-by: Bjarni Ingi Gislason - Closes #3863 - Reported-by: nevv on HackerOne/curl - Reviewed-by: Jay Satiro - Reviewed-by: Daniel Stenberg - -Daniel Stenberg (13 May 2019) -- RELEASE-NOTES: synced - -- appveyor: also build "/ci" branches like travis - -- pingpong: disable more when no pingpong enabled - -- proxy: acknowledge DISABLE_PROXY more - -- parsedate: CURL_DISABLE_PARSEDATE - -- sasl: only enable if there's a protocol enabled using it - -- mime: acknowledge CURL_DISABLE_MIME - -- wildcard: disable from build when FTP isn't present - -- http: CURL_DISABLE_HTTP_AUTH + Submitted-by: Alessandro Ghedini + + Closes https://github.com/curl/curl/pull/4111 -- base64: build conditionally if there are users +Daniel Stenberg (14 Jul 2019) +- libcurl-security.3: update to new CURLOPT_REDIR_PROTOCOLS defaults + + follow-up to 6080ea098 -- doh: CURL_DISABLE_DOH +- [Linos Giannopoulos brought this change] -Steve Holme (12 May 2019) -- auth: Rename the various authentication clean up functions + libcurl: Add testcase for gopher redirects - For consistency and to a avoid confusion. + The testcase ensures that redirects to CURLPROTO_GOPHER won't be + allowed, by default, in the future. Also, curl is being used + for convenience while keeping the testcases DRY. - Closes #3869 - -Daniel Stenberg (12 May 2019) -- [Jay Satiro brought this change] - - docs/INSTALL: fix broken link [ci skip] + The expected error code is CURLE_UNSUPPORTED_PROTOCOL when the client is + redirected to CURLPROTO_GOPHER - Reported-by: Joombalaya on github - Fixes #3818 + 
Signed-off-by: Linos Giannopoulos -Marcel Raad (12 May 2019) -- easy: fix another "clarify calculation precedence" warning - - I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. +- [Linos Giannopoulos brought this change] -- build: fix "clarify calculation precedence" warnings + libcurl: Restrict redirect schemes - Codacy/CppCheck warns about this. Consistently use parentheses as we - already do in some places to silence the warning. + All protocols except for CURLPROTO_FILE/CURLPROTO_SMB and their TLS + counterpart were allowed for redirect. This vastly broadens the + exploitation surface in case of a vulnerability such as SSRF [1], where + libcurl-based clients are forced to make requests to arbitrary hosts. - Closes https://github.com/curl/curl/pull/3866 - -- cmake: restore C89 compatibility of CurlTests.c + For instance, CURLPROTO_GOPHER can be used to smuggle any TCP-based + protocol by URL-encoding a payload in the URI. Gopher will open a TCP + connection and send the payload. - I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and - 97de97daefc2ed084c91eff34af2426f2e55e134. + Only HTTP/HTTPS and FTP are allowed. All other protocols have to be + explicitly enabled for redirects through CURLOPT_REDIR_PROTOCOLS. - Reported-by: Viktor Szakats - Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 - Closes https://github.com/curl/curl/pull/3868 - -Steve Holme (11 May 2019) -- http_ntlm: Corrected the name of the include guard + [1]: https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/ - Missed in f0bdd72c. + 
Signed-off-by: Linos Giannopoulos - Closes #3867 + Closes #4094 -- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled - - Closes #3861 +- [Zenju brought this change] -- http_negotiate: Don't expose functions when HTTP is disabled + openssl: define HAVE_SSL_GET_SHUTDOWN based on version number + + Closes #4100 -Daniel Stenberg (11 May 2019) -- SECURITY-PROCESS: fix links [ci skip] +- [Peter Simonyi brought this change] -Marcel Raad (11 May 2019) -- CMake: suppress unused variable warnings + http: allow overriding timecond with custom header - I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. + With CURLOPT_TIMECONDITION set, a header is automatically added (e.g. + If-Modified-Since). Allow this to be replaced or suppressed with + CURLOPT_HTTPHEADER. + + Fixes #4103 + Closes #4109 -Daniel Stenberg (11 May 2019) -- doh: disable DOH for the cases it doesn't work +Jay Satiro (11 Jul 2019) +- [Juergen Hoetzel brought this change] + + smb: Use the correct error code for access denied on file open - Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for - DOH resolves. This fix disables DOH for those. + - Return CURLE_REMOTE_ACCESS_DENIED for SMB access denied on file open. - Limitation added to KNOWN_BUGS. + Prior to this change CURLE_REMOTE_FILE_NOT_FOUND was returned instead. - Fixes #3850 - Closes #3857 + Closes https://github.com/curl/curl/pull/4095 -Jay Satiro (11 May 2019) -- checksrc.bat: Ignore snprintf warnings in docs/examples +- [Daniel Gustafsson brought this change] + + DEPRECATE: fixup versions and spelling - .. because we allow snprintf use in docs/examples. + Correctly set the July 17 version to 7.65.2, and update spelling to + be consistent. Also fix a typo. 
- Closes https://github.com/curl/curl/pull/3862 + Closes https://github.com/curl/curl/pull/4107 -Steve Holme (10 May 2019) -- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() +- [Gisle Vanem brought this change] + + system_win32: fix clang warning - ...and misalignment of these comments. From a78c61a4. + - Declare variable in header as extern. - Closes #3860 + Bug: https://github.com/curl/curl/commit/48b9ea4#commitcomment-34084597 -Jay Satiro (10 May 2019) -- Revert "multi: support verbose conncache closure handle" - - This reverts commit b0972bc. +Daniel Gustafsson (10 Jul 2019) +- headers: Remove no longer exported functions - - No longer show verbose output for the conncache closure handle. + There were a leftover few prototypes of Curl_ functions that we used to + export but no longer do, this removes those prototypes and cleans up any + comments still referring to them. - The offending commit was added so that the conncache closure handle - would inherit verbose mode from the user's easy handle. (Note there is - no way for the user to set options for the closure handle which is why - that was necessary.) Other debug settings such as the debug function - were not also inherited since we determined that could lead to crashes - if the user's per-handle private data was used on an unexpected handle. + Curl_write32_le(), Curl_strcpy_url(), Curl_strlen_url(), Curl_up_free() + Curl_concat_url(), Curl_detach_connnection(), Curl_http_setup_conn() + were made static in 05b100aee247bb9bec8e9a1b0166496aa4248d1c. + Curl_http_perhapsrewind() made static in 574aecee208f79d391f10d57520b3. - The reporter here says he has a debug function to capture the verbose - output, and does not expect or want any output to stderr; however - because the conncache closure handle does not inherit the debug function - the verbose output for that handle does go to stderr. 
+ For the remainder, I didn't trawl the Git logs hard enough to capture + their exact time of deletion, but they were all gone: Curl_splayprint(), + Curl_http2_send_request(), Curl_global_host_cache_dtor(), + Curl_scan_cache_used(), Curl_hostcache_destroy(), Curl_second_connect(), + Curl_http_auth_stage() and Curl_close_connections(). - There are other plausible scenarios as well such as the user redirects - stderr on their handle, which is also not inherited since it could lead - to crashes when used on an unexpected handle. + Closes #4096 + Reviewed-by: Daniel Stenberg + +- CMake: fix typos and spelling + +- [Kyle Edwards brought this change] + + CMake: Convert errant elseif() to else() - Short of allowing the user to set options for the conncache closure - handle I don't think there's much we can safely do except no longer - inherit the verbose setting. + CMake interprets an elseif() with no arguments as elseif(FALSE), + resulting in the elseif() block not being executed. That is not what + was intended here. Change the empty elseif() to an else() as it was + intended. - Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html - Reported-by: Kristoffer Gleditsch + Closes #4101 + Reported-by: Artalus + Reviewed-by: Daniel Gustafsson + +- buildconf: fix header filename - Ref: https://github.com/curl/curl/pull/3598 - Ref: https://github.com/curl/curl/pull/3618 + The header file inclusion had a typo, it should be .h and not .hd. + Fix by renaming. - Closes https://github.com/curl/curl/pull/3856 + Fixes #4102 + Reported-by: AceCrow on Github -Steve Holme (10 May 2019) -- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() +- [Jan Chren brought this change] + + configure: fix --disable-code-coverage - From 6012fa5a. + This fixes the case when --disable-code-coverage supplied to ./configure + would result in coverage="yes" being set. 
- Closes #3858 + Closes #4099 + Reviewed-by: Daniel Gustafsson -Daniel Stenberg (9 May 2019) -- BUG-BOUNTY: minor formatting fixes [ci skip] +- cleanup: fix typo in comment - RELEASE-NOTES: synced -- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] - - Closes #3839 +Jay Satiro (6 Jul 2019) +- [Daniel Gustafsson brought this change] -Kamil Dudka (9 May 2019) -- http_negotiate: do not treat failure of gss_init_sec_context() as fatal + nss: support using libnss on macOS - Fixes #3726 - Closes #3849 - -- spnego_gssapi: fix return code on gss_init_sec_context() failure + The file suffix for dynamically loadable objects on macOS is .dylib, + which need to be added for the module definitions in order to get the + NSS TLS backend to work properly on macOS. - Fixes #3726 - Closes #3849 + Closes https://github.com/curl/curl/pull/4046 -Steve Holme (9 May 2019) -- gen_resp_file.bat: Removed unnecessary @ from all but the first command - - There is need to use @ on every command once echo has been turned off. - - Closes #3854 +- [Daniel Gustafsson brought this change] -Jay Satiro (8 May 2019) -- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies + nss: don't set unused parameter - - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to - the destination host. - - We already do something similar for HTTPS proxies by not sending h2. [1] - - Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would - incorrectly use HTTP/2 to talk to the proxy, which is not something we - support (yet?). Also it's debatable whether or not that setting should - apply to HTTP/2 proxies. 
- - [1]: https://github.com/curl/curl/commit/17c5d05 - - Bug: https://github.com/curl/curl/issues/3570 - Bug: https://github.com/curl/curl/issues/3832 - - Closes https://github.com/curl/curl/pull/3853 - -Marcel Raad (8 May 2019) -- travis: update mesalink build to xenial + The value of the maxPTDs parameter to PR_Init() has since at least + NSPR 2.1, which was released sometime in 1998, been marked ignored + as is accordingly not used in the initialization code. Setting it + to a value when calling PR_Init() is thus benign, but indicates an + intent which may be misleading. Reset the value to zero to improve + clarity. - Closes https://github.com/curl/curl/pull/3842 + Closes https://github.com/curl/curl/pull/4054 -Daniel Stenberg (8 May 2019) -- [Ricky Leverence brought this change] +- [Daniel Gustafsson brought this change] - OpenSSL: Report -fips in version if OpenSSL is built with FIPS + nss: only cache valid CRL entries - Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS - define. It uses this define to determine whether to publish -fips at - the end of the version displayed. Applications that utilize the version - reported by OpenSSL will see a mismatch if they compare it to what curl - reports, as curl is not modifying the version in the same way. This - change simply adds a check to see if OPENSSL_FIPS is defined, and will - alter the reported version to match what OpenSSL itself provides. This - only appears to be applicable in versions of OpenSSL <1.1.1 + Change the logic around such that we only keep CRLs that NSS actually + ended up caching around for later deletion. If CERT_CacheCRL() fails + then there is little point in delaying the freeing of the CRL as it + is not used. - Closes #3771 + Closes https://github.com/curl/curl/pull/4053 -Kamil Dudka (7 May 2019) -- [Frank Gevaerts brought this change] +- [Gergely Nagy brought this change] - nss: allow fifos and character devices for certificates. 
- - Currently you can do things like --cert <(cat ./cert.crt) with (at least) the - openssl backend, but that doesn't work for nss because is_file rejects fifos. + lib: Use UTF-8 encoding in comments - I don't actually know if this is sufficient, nss might do things internally - (like seeking back) that make this not work, so actual testing is needed. + Some editors and IDEs assume that source files use UTF-8 file encodings. + It also fixes the build with MSVC when /utf-8 command line option is + used (this option is mandatory for some other open-source projects, this + is useful when using the same options is desired for building all + libraries of a project). - Closes #3807 + Closes https://github.com/curl/curl/pull/4087 -Daniel Gustafsson (6 May 2019) -- test2100: Fix typos in test description +- [Caleb Raitto brought this change] -Daniel Stenberg (6 May 2019) -- ssh: define USE_SSH if SSH is enabled (any backend) + CURLOPT_HEADEROPT.3: Fix example - Closes #3846 + Fix an issue where example builds a curl_slist, but fails to actually + use it, or free it. + + Closes https://github.com/curl/curl/pull/4090 -Steve Holme (5 May 2019) -- winbuild: Add our standard copyright header to the winbuild batch files +- [Shankar Jadhavar brought this change] -- makedebug: Fix ERRORLEVEL detection after running where.exe + winbuild: Change Makefile to honor ENABLE_OPENSSL_AUTO_LOAD_CONFIG - Closes #3838 - -Daniel Stenberg (5 May 2019) -- urlapi: add CURLUPART_ZONEID to set and get + - Made changes so that ENABLE_OPENSSL_AUTO_LOAD_CONFIG will be honored. - The zoneid can be used with IPv6 numerical addresses. + - Also removed some ^M chars from file. - Updated test 1560 to verify. + Prior to this change while building on Windows platform even if we pass + the ENABLE_OPENSSL_AUTO_LOAD_CONFIG option with value as "no" it does + not set the CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG flag. 
- Closes #3834 + Closes https://github.com/curl/curl/pull/4086 -- [Taiyu Len brought this change] +Daniel Stenberg (4 Jul 2019) +- doh-url.d: added in 7.62.0 - WRITEFUNCTION: add missing set_in_callback around callback +Jay Satiro (30 Jun 2019) +- docs: Fix links to OpenSSL docs - Closes #3837 + OpenSSL changed their manual locations and does not redirect to the new + locations. + + Bug: https://curl.haxx.se/mail/lib-2019-06/0056.html + Reported-by: Daniel Stenberg -- RELEASE-NOTES: synced +Daniel Stenberg (26 Jun 2019) +- [Gaël PORTAY brought this change] -- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] + curl_multi_wait.3: escape backslash in example - Reported-by: Ricardo Gomes + The backslash in the character Line Feed must be escaped. - Bug: #3537 - Closes #3836 - -- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value + The current man-page outputs the code as following: - The time field in the curl_fileinfo struct will always be zero. No code - was ever implemented to actually convert the date string to a time_t. + fprintf(stderr, "curl_multi failed, code %d.0, mc); - Fixes #3829 - Closes #3835 - -- OS400/ccsidcurl.c: code style fixes + The commit fixes it as follow: + + fprintf(stderr, "curl_multi failed, code %d\n", mc); + + Closes #4079 -- OS400/ccsidcurl: replace use of Curl_vsetopt +- openssl: disable engine if OPENSSL_NO_UI_CONSOLE is defined - (and make the code style comply) + ... since that needs UI_OpenSSL() which isn't provided when OpenSSL is + built with OPENSSL_NO_UI_CONSOLE which happens when OpenSSL is built for + UWP (with "VC-WIN32-UWP"). - Fixes #3833 + Reported-by: Vasily Lobaskin + Fixes #4073 + Closes #4077 -- urlapi: strip off scope id from numerical IPv6 addresses +- test1521: adapt to SLISTPOINT - ... to make the host name "usable". Store the scope id and put it back - when extracting a URL out of it. 
+ The header now has the slist-using options marked as SLISTPOINT so this + makes sure test 1521 understands that. - Also makes curl_url_set() syntax check CURLUPART_HOST. + Follow-up to ae99b4de1c443ae989 - Fixes #3817 - Closes #3822 - -- RELEASE-NOTES: synced + Closes #4074 -- multiif.h: remove unused protos - - ... for functions related to pipelining. Those functions were removed in - 2f44e94efb3df. +- win32: make DLL loading a no-op for UWP - Closes #3828 + Reported-by: Michael Brehm + Fixes #4060 + Closes #4072 -- [Yiming Jing brought this change] +- [1ocalhost brought this change] - travis: mesalink: temporarily disable test 3001 + configure: fix typo '--disable-http-uath' - ... due to SHA-1 signatures in test certs + Closes #4076 -- [Yiming Jing brought this change] +- [Niklas Hambüchen brought this change] - travis: upgrade the MesaLink TLS backend to v1.0.0 + docs: fix string suggesting HTTP/2 is not the default - Closes #3823 - Closes #3776 - -- ConnectionExists: improve non-multiplexing use case + Commit 25fd1057c9c86e3 made HTTP2 the default, and further down in the + man page that new default is mentioned, but the section at the top + contradicted it until now. - - better log output + Also remove claim that setting the HTTP version is not sensible. - - make sure multiplex is enabled for it to be used + Closes #4075 -- multi: provide Curl_multiuse_state to update information - - As soon as a TLS backend gets ALPN conformation about the specific HTTP - version it can now set the multiplex situation for the "bundle" and - trigger moving potentially queued up transfers to the CONNECT state. +- RELEASE-NOTES: synced -- process_pending_handles: mark queued transfers as previously pending - - With transfers being queued up, we only move one at a a time back to the - CONNECT state but now we mark moved transfers so that when a moved - transfer is confirmed "successful" (it connected) it will trigger the - move of another pending transfer. 
Previously, it would otherwise wait - until the transfer was done before doing this. This makes queued up - pending transfers get processed (much) faster. +- [Stephan Szabo brought this change] -- http: mark bundle as not for multiuse on < HTTP/2 response + tests: update fixed IP for hostip/clientip split - Fixes #3813 - Closes #3815 + These tests give differences for me on linux when using a hostip + pointing to the external ip address for the local machine. + + Closes #4070 -Daniel Gustafsson (1 May 2019) -- cookie: Guard against possible NULL ptr deref +Daniel Gustafsson (24 Jun 2019) +- http: clarify header buffer size calculation - In case the name pointer isn't set (due to memory pressure most likely) - we need to skip the prefix matching and reject with a badcookie to avoid - a possible NULL pointer dereference. + The header buffer size calculation can from static analysis seem to + overlow as it performs an addition between two size_t variables and + stores the result in a size_t variable. Overflow is however guarded + against elsewhere since the input to the addition is regulated by + the maximum read buffer size. Clarify this with a comment since the + question was asked. 
- Closes #3820 #3821 - Reported-by: Jonathan Moerman Reviewed-by: Daniel Stenberg -Patrick Monnerat (30 Apr 2019) -- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings - -Kamil Dudka (29 Apr 2019) -- nss: provide more specific error messages on failed init +Daniel Stenberg (24 Jun 2019) +- KNOWN_BUGS: Don't clear digest for single realm - Closes #3808 - -Daniel Stenberg (29 Apr 2019) -- [Reed Loden brought this change] + Closes #3267 - docs: minor polish to the bug bounty / security docs +- KNOWN_BUGS: Schannel disable CURLOPT_SSL_VERIFYPEER and verify hostname - Closes #3811 + Closes #3284 -- CURL_MAX_INPUT_LENGTH: largest acceptable string input size - - This limits all accepted input strings passed to libcurl to be less than - CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: - curl_easy_setopt() and curl_url_set(). - - The 8000000 number is arbitrary picked and is meant to detect mistakes - or abuse, not to limit actual practical use cases. By limiting the - acceptable string lengths we also reduce the risk of integer overflows - all over. +- http2: call done_sending on end of upload - NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + To make sure a HTTP/2 stream registers the end of stream. - Test 1559 verifies. + Bug #4043 made me find this problem but this fix doesn't correct the + reported issue. - Closes #3805 + Closes #4068 -- [Tseng Jun brought this change] +- [James Brown brought this change] - curlver.h: use parenthesis in CURL_VERSION_BITS macro + c-ares: honor port numbers in CURLOPT_DNS_SERVERS - Closes #3809 - -Marcel Raad (27 Apr 2019) -- [Simon Warta brought this change] - - cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP + By using ares_set_servers_ports_csv on new enough c-ares. 
- Closes https://github.com/curl/curl/pull/3769 + Fixes #4066 + Closes #4067 -Steve Holme (23 Apr 2019) -- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 +Daniel Gustafsson (24 Jun 2019) +- CURLMOPT_SOCKETFUNCTION.3: fix typo -- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 +Daniel Stenberg (24 Jun 2019) +- [Koen Dergent brought this change] + + curl: skip CURLOPT_PROXY_CAPATH for disabled-proxy builds - Just like we do for mbed TLS, use our local implementation of MD4 when - OpenSSL doesn't support it. This allows a type-3 message to include the - NT response. + Closes #4061 -Daniel Gustafsson (23 Apr 2019) -- INTERNALS: fix misindentation of ToC item +- test153: fix content-length to avoid occasional hang - Kerberos was incorrectly indented as a subsection under FTP, which is - incorrect as they are both top level sections. A fix for this was first - attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that - was a few paddles short of being complete. + Closes #4065 -- [Aron Bergman brought this change] +- RELEASE-NOTES: synced - INTERNALS: Add structs to ToC +- multi: enable multiplexing by default (again) - Add the subsections under "Structs in libcurl" to the table of contents. + It was originally made default in d7c4213bd0c (7.62.0) but mistakenly + reverted in commit 2f44e94efb3d (7.65.0). Now enabled again. - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson + Closes #4051 -- [Aron Bergman brought this change] +- typecheck: add 3 missing strings and a callback data pointer + + Closes #4050 - INTERNALS: Add code highlighting +- tests: add disable-scan.pl to dist - Make all struct members under the Curl_handler section - print in monospace font. 
+ follow-up from 29177f422a5 - Closes #3801 - Reviewed-by: Daniel Stenberg - Reviewed-by: Daniel Gustafsson + Closes #4059 -Daniel Stenberg (22 Apr 2019) -- docs/BUG-BOUNTY: bug bounty time [skip ci] - - Introducing the curl bug bounty program on hackerone. We now recommend - filing security issues directly in the hackerone ticket system which - only is readable to curl security team members. +- http2: don't call stream-close on already closed streams - Assisted-by: Daniel Gustafsson + Closes #4055 + +Marcel Raad (20 Jun 2019) +- travis: enable alt-svc for coverage build - Closes #3488 + Closes -Steve Holme (22 Apr 2019) -- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 +- travis: enable libssh2 for coverage build - RFC 4616 specifies the authzid is optional in the client authentication - message and that the server will derive the authorisation identity - (authzid) from the authentication identity (authcid) when not specified - by the client. + It was enabled by default before commit c92d2e14cfb. + + Disable torture tests 600 and 601 because of + https://github.com/curl/curl/issues/1678. + + Closes -Jay Satiro (22 Apr 2019) -- [Gisle Vanem brought this change] +- travis: disable threaded resolver for coverage build + + This enables more tests. + + Closes - memdebug: fix variable name +- travis: enable brotli for all xenial jobs - Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. + There's no need for a separate job, and no need to build it from source + with Xenial. - Ref: https://github.com/curl/curl/commit/76b6348#r33259088 + Closes -Steve Holme (21 Apr 2019) -- vauth/cleartext: Don't send the authzid if it is empty +- travis: enable warnings-as-errors for coverage build - Follow up to 762a292f. 
+ Closes -Daniel Stenberg (21 Apr 2019) -- test 196,197,198: add 'retry' keyword [skip ci] +GitHub (20 Jun 2019) +- [Gisle Vanem brought this change] -- RELEASE-NOTES: synced + system_win32: fix typo -- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - - ... and disconnect too old ones instead of trying to reuse. +Daniel Stenberg (20 Jun 2019) +- typecheck: CURLOPT_CONNECT_TO takes an slist too - Default max age is set to 118 seconds. + Additionally, add an alias in curl.h for slist-using options so that + we can grep/parse those out at will. - Ref: #3722 - Closes #3782 + Closes #4042 -Daniel Gustafsson (20 Apr 2019) -- [Po-Chuan Hsieh brought this change] +- [Stephan Szabo brought this change] - altsvc: Fix building with cookies disables + tests: support non-localhost HOSTIP for dict/smb servers - ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if - check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is - disabled. Fix by splitting out the function into a separate file which can - be included where needed. + smbserver.py/dictserver.py were explicitly using localhost/127.0.0.1 for + binding the server which when we were running the tests with a separate + HOSTIP and CLIENTIP had failures verifying the server from the device we + were testing. - Closes #3717 - Reviewed-by: Daniel Gustafsson - Reviewed-by: Marcel Raad + This changes them to take the address from runtests.py and default to + localhost/127.0.0.1 if none is given. + + Closes #4048 -Daniel Stenberg (20 Apr 2019) -- test1002: correct the name [skip ci] +- test1523: basic test of CURLOPT_LOW_SPEED_LIMIT -- test660: verify CONNECT_ONLY with IMAP +- configure: --disable-progress-meter - which basically just makes sure LOGOUT is *not* issued on disconnect - -- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" + Builds libcurl without support for the built-in progress meter. 
- Since the connection has been used by the "outside" we don't know the - state of it anymore and curl should not use it anymore. + Closes #4023 + +- curl: improved skip-setopt-options when built with disabled features - Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html + Reduces #ifdefs in src/tool_operate.c - Closes #3795 + Follow-up from 4e86f2fc4e6 + Closes #3936 -- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) +Steve Holme (18 Jun 2019) +- netrc: Return the correct error code when out of memory - The list of names must be in sync with the defined states in the header - file! - -Steve Holme (16 Apr 2019) -- openvms: Remove pre-processors for Windows as VMS cannot support them - -- openvms: Remove pre-processor for SecureTransport as VMS cannot support it + Introduced in 763c5178. - Fixes #3768 - Closes #3785 - -Jay Satiro (16 Apr 2019) -- TODO: Add issue link to an existing entry - -Daniel Stenberg (16 Apr 2019) -- RELEASE-NOTES: synced + Closes #4036 -Jay Satiro (16 Apr 2019) -- tool_help: Warn if curl and libcurl versions do not match +Daniel Stenberg (18 Jun 2019) +- config-os400: add getpeername and getsockname defines - .. because functionality may be affected if the versions differ. + Reported-by: jonrumsey on github + Fixes #4037 + Closes #4039 + +- runtests: keep logfiles around by default - This commit implements TODO 18.7 "warning if curl version is not in sync - with libcurl version". + Make '-k' a no-op. The singletest function now clears the log directory + BEFORE each individual test and not after, which makes it possible to + always keep the logfiles around after a test has been run. No need to + specify -k anymore. Keeping the option parsing around to work with users + of old habits. - Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 + Some tests also didn't work properly when -k was used (since the old + logs would be kep when a new test starts) which this change also fixes. 
- Closes https://github.com/curl/curl/pull/3774 + Closes #4035 -Steve Holme (16 Apr 2019) -- md5: Update the function signature following d84da52d +- [Gergely Nagy brought this change] -- md5: Forgot to update the code alignment in d84da52d + openssl: fix pubkey/signature algorithm detection in certinfo + + Certinfo gives the same result for all OpenSSL versions. + Also made printing RSA pubkeys consistent with older versions. + + Reported-by: Michael Wallner + Fixes #3706 + Closes #4030 -- md5: Return CURLcode from the internally accessible functions +- conn_maxage: move the check to prune_dead_connections() - Following 28f826b3 to return CURLE_OK instead of numeric 0. + ... and avoid the locking issue. + + Reported-by: Kunal Ekawde + Fixes #4029 + Closes #4032 -Daniel Gustafsson (15 Apr 2019) -- tests: Run global cleanup at end of tests +- tests: have runtests figure out disabled features - Make sure to run curl_global_cleanup() when shutting down the test - suite to release any resources allocated in the SSL setup. This is - clearly visible when running tests with PolarSSL where the thread - lock calloc() memory which isn't released when not running cleanup. - Below is an excerpt from the autobuild logs: + ... so that runtests can skip individual test cases that test features + that are explicitly disabled in this build. This new logic is intended + for disabled features that aren't otherwise easily visible through the + curl_version_info() or other API calls. 
- ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 - ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) - ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) - ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup - (polarssl_threadlock.c:54) - ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) - ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) - ==12368== by 0x118B4C: global_init (easy.c:158) - ==12368== by 0x118BF5: curl_global_init (easy.c:221) - ==12368== by 0x118D0B: curl_easy_init (easy.c:299) - ==12368== by 0x114E96: test (lib1906.c:32) - ==12368== by 0x115495: main (first.c:174) + tests/server/disabled is a newly built executable that will output a + list of disabled features. Outputs nothing for a default build. - Closes #3783 - Reviewed-by: Marcel Raad - Reviewed-by: Daniel Stenberg + Closes #3950 -Marcel Raad (15 Apr 2019) -- travis: use mbedtls from Xenial +- test188/189: fix Content-Length - No need to build it from source anymore. + This cures the flaky test results - Closes https://github.com/curl/curl/pull/3779 + Closes #4034 -- travis: use libpsl from Xenial - - This makes building libpsl and libidn2 from source unnecessary and - removes the need for the autopoint and libunistring-dev packages. - - Closes https://github.com/curl/curl/pull/3779 - -Daniel Stenberg (15 Apr 2019) -- runtests: start socksd like other servers - - ... without a $srcdir prefix. Triggered by the failures in several - autobuilds. - - Closes #3781 +- [Thomas Gamper brought this change] -Daniel Gustafsson (14 Apr 2019) -- socksd: Fix typos + winbuild: use WITH_PREFIX if given - Reviewed-by: Daniel Stenberg + Closes #4031 -- socksd: Properly decorate static variables +Daniel Gustafsson (17 Jun 2019) +- openssl: remove outdated comment - Mark global variables static to avoid compiler warning in Clang when - using -Wmissing-variable-declarations. 
+ OpenSSL used to call exit(1) on syntax errors in OPENSSL_config(), + which is why we switched to CONF_modules_load_file() and introduced + a comment stating why. This behavior was however changed in OpenSSL + commit abdd677125f3a9e3082f8c5692203590fdb9b860, so remove the now + outdated and incorrect comment. The mentioned commit also declares + OPENSSL_config() deprecated so keep the current coding. - Closes #3778 + Closes #4033 Reviewed-by: Daniel Stenberg -Steve Holme (14 Apr 2019) -- md(4|5): Fixed indentation oddities with the importation of replacement code - - The indentation from 211d5329 and 57d6d253 was a little strange as - parts didn't align correctly, uses 4 spaces rather than 2. Checked - the indentation of the original source so it aligns, albeit, using - curl style. - -- md5: Code style to return CURLE_OK rather than numeric 0 - -- md5: Corrected code style for some pointer arguments +Daniel Stenberg (16 Jun 2019) +- RELEASE-NOTES: synced -Marcel Raad (13 Apr 2019) -- travis: update some builds to xenial +Patrick Monnerat (16 Jun 2019) +- os400: make vsetopt() non-static as Curl_vsetopt() for os400 support. - Xenial comes with more up-to-date software versions and more available - packages, some of which we currently build from source. Unfortunately, - some builds would fail with Xenial because of assertion failures in - Valgrind when using OpenSSL, so leave these at Trusty. + Use it in curl_easy_setopt_ccsid(). - Closes https://github.com/curl/curl/pull/3777 + Reported-by: jonrumsey on github + Fixes #3833 + Closes #4028 -Daniel Stenberg (13 Apr 2019) -- test: make tests and test scripts use socksd for SOCKS +Daniel Stenberg (15 Jun 2019) +- runtests: report single test time + total duration - Make all SOCKS tests use socksd instead of ssh. - -- socksd: new SOCKS 4+5 server for tests + ... after each successful test. - Closes #3752 + Closes #4027 -- singleipconnect: show port in the verbose "Trying ..." 
message +- multi: fix the transfer hash function - To aid debugging better. - -- [tmilburn brought this change] + Follow-up from 8b987cc7eb + + Reported-by: Tom van der Woerdt + Fixes #4018 + Closes #4024 - CURLOPT_ADDRESS_SCOPE: fix range check and more +- unit1654: cleanup on memory failure - Commit 9081014 fixed most of the confusing issues between scope id and - scope however 844896d added bad limits checking assuming that the scope - is being set and not the scope id. + ... to make it handle torture tests properly. - I have fixed the documentation so it all refers to scope ids. + Reported-by: Marcel Raad + Fixes #4021 + Closes #4022 + +Marcel Raad (13 Jun 2019) +- krb5: fix compiler warning - In addition Curl_if2ip refered to the scope id as remote_scope_id which - is incorrect, so I renamed it to local_scope_id. + Even though the variable was used in a DEBUGASSERT, GCC 8 warned in + debug mode: + krb5.c:324:17: error: unused variable 'maj' [-Werror=unused-variable] - Adjusted-by: Daniel Stenberg + Just suppress the warning and declare the variable unconditionally + instead of only for DEBUGBUILD (which also missed the check for + HAVE_ASSERT_H). - Closes #3655 - Closes #3765 - Fixes #3713 + Closes https://github.com/curl/curl/pull/4020 -- urlapi: stricter CURLUPART_PORT parsing +Daniel Stenberg (13 Jun 2019) +- quote.d: asterisk prefix works for SFTP as well - Only allow well formed decimal numbers in the input. + Reported-by: Ben Voris + Fixes #4017 + Closes #4019 + +- multi: fix the transfer hashes in the socket hash entries - Document that the number MUST be between 1 and 65535. + - The transfer hashes weren't using the correct keys so removing entries + failed. - Add tests to test 1560 to verify the above. + - Simplified the iteration logic over transfers sharing the same socket and + they now simply are set to expire and thus get handled in the "regular" + timer loop instead. 
- Ref: https://github.com/curl/curl/issues/3753 - Closes #3762 + Reported-by: Tom van der Woerdt + Fixes #4012 + Closes #4014 -Jay Satiro (13 Apr 2019) -- [Jan Ehrhardt brought this change] +Jay Satiro (12 Jun 2019) +- [Cliff Crosland brought this change] - winbuild: Support MultiSSL builds + url: Fix CURLOPT_MAXAGE_CONN time comparison - - Remove the lines in winbuild/Makefile.vc that generate an error with - multiple SSL backends. + Old connections are meant to expire from the connection cache after + CURLOPT_MAXAGE_CONN seconds. However, they actually expire after 1000x + that value. This occurs because a time value measured in milliseconds is + accidentally divided by 1M instead of by 1,000. - - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL - backends are set. + Closes https://github.com/curl/curl/pull/4013 + +Daniel Stenberg (11 Jun 2019) +- test1165: verify that CURL_DISABLE_ symbols are in sync - Closes https://github.com/curl/curl/pull/3772 + between configure.ac and source code. They should be possible to switch + on/off in configure AND be used in source code. -Daniel Stenberg (12 Apr 2019) -- travis: remove mesalink builds (temporarily?) +- configure: remove CURL_DISABLE_TLS_SRP - Since the mesalink build started to fail on travis, even though we build - a fixed release version, we disable it to prevent it from blocking - progress. + It isn't used by code so stop providing the define. - Closes #3767 + Closes #4010 -- openssl: mark connection for close on TLS close_notify +- Revert "cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified" - Without this, detecting and avoid reusing a closed TLS connection - (without a previous GOAWAY) when doing HTTP/2 is tricky. + This reverts commit 36738caeb78603ce24e3ea089a167b8c216fb938. - Reported-by: Tom van der Woerdt - Fixes #3750 - Closes #3763 + Apparently several of the appveyor windows builds broke. 
-- RELEASE-NOTES: synced +- [sergey-raevskiy brought this change] -Steve Holme (11 Apr 2019) -- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 - - Functionally this doesn't change anything as we still use the username - for both the authorisation identity and the authentication identity. + cmake: add SMB to list of disabled protocols if HTTP_ONLY is specified - Closes #3757 + Reviewed-by: Jakub Zakrzewski + Closes #3770 -Daniel Stenberg (11 Apr 2019) -- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage - - Based-on-code-by: Poul T Lomholt +- RELEASE-NOTES: synced -- url: always clone the CUROPT_CURLU handle - - Since a few code paths actually update that data. - - Fixes #3753 - Closes #3761 +- http2: remove CURL_DISABLE_TYPECHECK define - Reported-by: Poul T Lomholt + ... in http2-less builds as it served no use. -- CURLOPT_DNS_USE_GLOBAL_CACHE: remove +- configure: more --disable switches to toggle off individual features - Remove the code too. The functionality has been disabled in code since - 7.62.0. Setting this option will from now on simply be ignored and have - no function. + ... actual support in the code for disabling these has already landed. - Closes #3654 + Closes #4009 -Marcel Raad (11 Apr 2019) -- travis: install libgnutls28-dev only for --with-gnutls build - - Reduces the time needed for the other jobs a little. +- wolfssl: fix key pinning build error - Closes https://github.com/curl/curl/pull/3721 + follow-up from deb9462ff2de8 -- travis: install libnss3-dev only for --with-nss build +- CURLMOPT_SOCKETFUNCTION.3: clarified - Reduces the time needed for the other jobs a little. + Moved away the callback explanation from curl_multi_socket_action.3 and + expanded it somewhat. - Closes https://github.com/curl/curl/pull/3721 + Closes #4006 -- travis: install libssh2-dev only for --with-libssh2 build +- wolfssl: fixup for SNI use - Reduces the time needed for the other jobs a little. 
+ follow-up from deb9462ff2de8 - Closes https://github.com/curl/curl/pull/3721 + Closes #4007 -- travis: install libssh-dev only for --with-libssh build +- CURLOPT_CAINFO.3: polished wording - Reduces the time needed for the other jobs a little. + Clarify the functionality when built to use Schannel and Secure + Transport and stop calling it the "recommended" or "preferred" way and + instead rather call it the default. - Closes https://github.com/curl/curl/pull/3721 - -- travis: install krb5-user only for --with-gssapi build + Removed the reference to the ssl comparison table as it isn't necessary. - Reduces the time needed for the other jobs a little. + Reported-by: Richard Alcock + Bug: https://curl.haxx.se/mail/lib-2019-06/0019.html + Closes #4005 + +GitHub (10 Jun 2019) +- [Daniel Stenberg brought this change] + + SECURITY.md: created - Closes https://github.com/curl/curl/pull/3721 + Brief security policy description for use/display on github. -- travis: install lcov only for the coverage job +Daniel Gustafsson (10 Jun 2019) +- tool_cb_prg: Fix integer overflow in progress bar - Reduces the time needed for the other jobs a little. + Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar + width calculation to avoid integer overflow, but failed to account for + the fact that initial_size is initialized to -1 when the file size is + retrieved from the remote on an upload, causing another signed integer + overflow. Fix by separately checking for this case before the width + calculation. - Closes https://github.com/curl/curl/pull/3721 + Closes #3984 + Reported-by: Brian Carpenter (Geeknik Labs) + Reviewed-by: Daniel Stenberg -- travis: install clang only when needed +Daniel Stenberg (10 Jun 2019) +- wolfssl: refer to it as wolfSSL only - This reduces the GCC job runtimes a little and it's needed to - selectively update clang builds to xenial. + Remove support for, references to and use of "cyaSSL" from the source + and docs. 
wolfSSL is the current name and there's no point in keeping + references to ancient history. - Closes https://github.com/curl/curl/pull/3721 - -- AppVeyor: enable testing for WinSSL build + Assisted-by: Daniel Gustafsson - Closes https://github.com/curl/curl/pull/3725 + Closes #3903 -- build: fix Codacy/CppCheck warnings - - - remove unused variables - - declare conditionally used variables conditionally - - suppress unused variable warnings in the CMake tests - - remove dead variable stores - - consistently use WIN32 macro to detect Windows +- RELEASE-NOTES: synced + +- bindlocal: detect and avoid IP version mismatches in bind() - Closes https://github.com/curl/curl/pull/3739 + Reported-by: Alex Grebenschikov + Fixes #3993 + Closes #4002 -- polarssl_threadlock: remove conditionally unused code +- multi: make sure 'data' can present in several sockhash entries - Make functions no-ops if neither both USE_THREADS_POSIX and - HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are - defined. Previously, if only one of them was defined, there was either - code compiled that did nothing useful or the wrong header included for - the functions used. + Since more than one socket can be used by each transfer at a given time, + each sockhash entry how has its own hash table with transfers using that + socket. - Also, move POLARSSL_MUTEX_T define to implementation file as it's not - used externally. + In addition, the sockhash entry can now be marked 'blocked = TRUE'" + which then makes the delete function just set 'removed = TRUE' instead + of removing it "for real", as a way to not rip out the carpet under the + feet of a parent function that iterates over the transfers of that same + sockhash entry. - Closes https://github.com/curl/curl/pull/3739 + Reported-by: Tom van der Woerdt + Fixes #3961 + Fixes #3986 + Fixes #3995 + Fixes #4004 + Closes #3997 -- lib557: initialize variables - - These variables are only conditionally initialized. 
- - Closes https://github.com/curl/curl/pull/3739 +- [Sorcus brought this change] -- lib509: add missing include for strdup + libcurl-tutorial.3: Fix small typo (mutipart -> multipart) - Closes https://github.com/curl/curl/pull/3739 + Fixed-by: MrSorcus on github + Closes #4000 -- README.md: fix no-consecutive-blank-lines Codacy warning +- unpause: trigger a timeout for event-based transfers - Consistently use one blank line between blocks. + ... so that timeouts or other state machine actions get going again + after a changing pause state. For example, if the last delivery was + paused there's no pending socket activity. - Closes https://github.com/curl/curl/pull/3739 + Reported-by: sstruchtrup on github + Fixes #3994 + Closes #4001 -- tests/server/util: fix Windows Unicode build - - Always use the ANSI version of FormatMessage as we don't have the - curl_multibyte gear available here. +Marcel Raad (9 Jun 2019) +- travis: use xenial LLVM package for scan-build - Closes https://github.com/curl/curl/pull/3758 - -Daniel Stenberg (11 Apr 2019) -- curl_easy_getinfo.3: fix minor formatting mistake + I missed that in commit 99a49d6. -Daniel Gustafsson (11 Apr 2019) -- xattr: skip unittest on unsupported platforms - - The stripcredentials unittest fails to compile on platforms without - xattr support, for example the Solaris member in the buildfarm which - fails with the following: - - CC unit1621-unit1621.o - CC ../libtest/unit1621-first.o - CCLD unit1621 - Undefined first referenced - symbol in file - stripcredentials unit1621-unit1621.o - goto problem 2 - ld: fatal: symbol referencing errors. No output written to .libs/unit1621 - collect2: error: ld returned 1 exit status - gmake[2]: *** [Makefile:996: unit1621] Error 1 - - Fix by excluding the test on such platforms by using the reverse - logic from where stripcredentials() is defined. 
+- travis: update scan-build job to xenial - Closes #3759 - Reviewed-by: Daniel Stenberg - -Steve Holme (11 Apr 2019) -- emailL Added reference to RFC8314 for implicit TLS + Closes https://github.com/curl/curl/pull/3999 -- README: Schannel, stop calling it "winssl" - - Stick to "Schannel" everywhere - follow up to 180501cb. +Daniel Stenberg (8 Jun 2019) +- bump: start working on 7.65.2 -Jakub Zakrzewski (10 Apr 2019) -- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use +Marcel Raad (5 Jun 2019) +- examples/htmltitle: use C++ casts between pointer types - This fixes GSSAPI builds with the libraries in a non-standard location. - The testing for recv() were failing because it failed to link - the Kerberos libraries, which are not needed for this or subsequent - tests. + Compilers and static analyzers warn about using C-style casts here. - fixes #3743 - closes #3744 + Closes https://github.com/curl/curl/pull/3975 -- cmake: avoid linking executable for some tests with cmake 3.6+ - - With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() - (which is used by check_c_source_compiles()) will build static library - instead of executable. This avoids linking additional libraries in and thus - speeds up those checks a little. +- examples/fopen: fix comparison - This commit also avoids #3743 (GSSAPI build errors) on itself with cmake - 3.6 or above. That issue was fixed separately for all versions. + As want is size_t, (file->buffer_pos - want) is unsigned, so checking + if it's less than zero makes no sense. + Check if file->buffer_pos is less than want instead to avoid the + unsigned integer wraparound. - Ref: #3744 + Closes https://github.com/curl/curl/pull/3975 -- cmake: minor cleanup +- build: fix Codacy warnings - - Remove nneeded include_regular_expression. - It was setting what is already a default. + Reduce variable scopes and remove redundant variable stores. - - Remove duplicated include. 
+ Closes https://github.com/curl/curl/pull/3975 + +- sws: remove unused variables - - Don't check for pre-3.0.0 CMake version. - We already require at least 3.0.0, so it's just clutter. + Unused since commit 2f44e94. - Ref: #3744 - -Steve Holme (8 Apr 2019) -- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ - -- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) - -- build-openssl.bat: Perform the install for each build type directly after the build - -- build-openssl.bat: Split the install of static and shared build types + Closes https://github.com/curl/curl/pull/3975 -- build-openssl.bat: Split the building of static and shared build types +Version 7.65.1 (4 Jun 2019) -- build-openssl.bat: Move the installation into a separate function +Daniel Stenberg (4 Jun 2019) +- RELEASE-NOTES: 7.65.1 -- build-openssl.bat: Move the build step into a separate function +- THANKS: new contributors from 7.65.1 -- build-openssl.bat: Move the OpenSSL configuration into a separate function +Steve Holme (4 Jun 2019) +- [Frank Gevaerts brought this change] -- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised + ssl: Update outdated "openssl-only" comments for supported backends - Should the parent environment set this variable then the build might - not be performed as the user intended. + These are for features that used to be openssl-only but were expanded + over time to support other SSL backends. + + Closes #3985 -Daniel Stenberg (8 Apr 2019) -- socks: fix error message +Daniel Stenberg (4 Jun 2019) +- curl_share_setopt.3: improve wording [ci ship] + + Reported-by: Carlos ORyan -- config.d: clarify that initial : and = might need quoting [skip ci] +Steve Holme (4 Jun 2019) +- tool_parsecfg: Use correct return type for GetModuleFileName() - Fixes #3738 - Closes #3749 + GetModuleFileName() returns a DWORD which is a typedef of an unsigned + long and not an int. 
+ + Closes #3980 -- RELEASE-NOTES: synced +Daniel Stenberg (3 Jun 2019) +- TODO: "at least N milliseconds between requests" [ci skip] - bumped to 7.65.0 for next release + Suggested-by: dkwolfe4 on github + Closes #3920 -- socks5: user name and passwords must be shorter than 256 +Steve Holme (2 Jun 2019) +- tests/server/.gitignore: Add socksd to the ignore list - bytes... since the protocol needs to store the length in a single byte field. + Missed in 04fd6755. - Reported-by: XmiliaH on github - Fixes #3737 - Closes #3740 + Closes #3978 -- [Jakub Zakrzewski brought this change] +- tool_parsecfg: Fix control flow issue (DEADCODE) + + Follow-up to 8144ba38. + + Detected by Coverity CID 1445663 + Closes #3976 - test: urlapi: urlencode characters above 0x7f correctly +Daniel Stenberg (2 Jun 2019) +- [Sergey Ogryzkov brought this change] -- [Jakub Zakrzewski brought this change] + NTLM: reset proxy "multipass" state when CONNECT request is done + + Closes #3972 - urlapi: urlencode characters above 0x7f correctly +- test334: verify HTTP 204 response with chunked coding header - fixes #3741 - Closes #3742 + Verifies that a bodyless response don't parse this content-related + header. -- [Even Rouault brought this change] +- [Michael Kaufmann brought this change] - multi_runsingle(): fix use-after-free + http: don't parse body-related headers bodyless responses - Fixes #3745 - Closes #3746 + Responses with status codes 1xx, 204 or 304 don't have a response body. 
For + these, don't parse these headers: - The following snippet - ``` + - Content-Encoding + - Content-Length + - Content-Range + - Last-Modified + - Transfer-Encoding - int main() - { - CURL* hCurlHandle = curl_easy_init(); - curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); - curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); - curl_easy_perform(hCurlHandle); - curl_easy_cleanup(hCurlHandle); - return 0; - } - ``` - triggers the following Valgrind warning + This change ensures that HTTP/2 upgrades work even if a + "Content-Length: 0" or a "Transfer-Encoding: chunked" header is present. + + Co-authored-by: Daniel Stenberg + Closes #3702 + Fixes #3968 + Closes #3977 + +- tls13-docs: mention it is only for OpenSSL >= 1.1.1 + + Reported-by: Jay Satiro + Co-authored-by: Jay Satiro + Fixes #3938 + Closes #3946 + +- dump-header.d: spell out that no headers == empty file [ci skip] + + Reported-by: wesinator at github + Fixes #3964 + Closes #3974 + +- singlesocket: use separate variable for inner loop + + An inner loop within the singlesocket() function wrongly re-used the + variable for the outer loop which then could cause an infinite + loop. Change to using a separate variable! + + Reported-by: Eric Wu + Fixes #3970 + Closes #3973 + +- RELEASE-NOTES: synced + +- [Josie Huddleston brought this change] + + http2: Stop drain from being permanently set on + + Various functions called within Curl_http2_done() can have the + side-effect of setting the Easy connection into drain mode (by calling + drain_this()). However, the last time we unset this for a transfer (by + calling drained_transfer()) is at the beginning of Curl_http2_done(). + If the Curl_easy is reused for another transfer, it is then stuck in + drain mode permanently, which in practice makes it unable to write any + data in the new transfer. + + This fix moves the last call to drained_transfer() to later in + Curl_http2_done(), after the functions that could potentially call for a + drain. 
+ + Fixes #3966 + Closes #3967 + Reported-by: Josie-H + +Steve Holme (29 May 2019) +- conncache: Remove the DEBUGASSERT on length check + + We trust the calling code as this is an internal function. + + Closes #3962 + +Jay Satiro (29 May 2019) +- [Gisle Vanem brought this change] + + system_win32: fix function prototype + + - Change if_nametoindex parameter type from char * to const char *. + + Follow-up to 09eef8af from this morning. + + Bug: https://github.com/curl/curl/commit/09eef8af#r33716067 + +Marcel Raad (29 May 2019) +- appveyor: add Visual Studio solution build + + Closes https://github.com/curl/curl/pull/3941 + +- appveyor: add support for other build systems + + Introduce BUILD_SYSTEM variable, which is currently always CMake. + + Closes https://github.com/curl/curl/pull/3941 + +Steve Holme (29 May 2019) +- url: Load if_nametoindex() dynamically from iphlpapi.dll on Windows + + This fixes the static dependency on iphlpapi.lib and allows curl to + build for targets prior to Windows Vista. + + This partially reverts 170bd047. + + Fixes #3960 + Closes #3958 + +Daniel Stenberg (29 May 2019) +- http: fix "error: equality comparison with extraneous parentheses" + +- parse_proxy: make sure portptr is initialized + + Reported-by: Benbuck Nason + + fixes #3959 + +- url: default conn->port to the same as conn->remote_port + + ... so that it has a sensible value when ConnectionExists() is called which + needs it set to differentiate host "bundles" correctly on port number! + + Also, make conncache:hashkey() use correct port for bundles that are proxy vs + host connections. + + Probably a regression from 7.62.0 + + Reported-by: Tom van der Woerdt + Fixes #3956 + Closes #3957 + +- conncache: make "bundles" per host name when doing proxy tunnels + + Only HTTP proxy use where multiple host names can be used over the same + connection should use the proxy host name for bundles. 
+ + Reported-by: Tom van der Woerdt + Fixes #3951 + Closes #3955 + +- multi: track users of a socket better + + They need to be removed from the socket hash linked list with more care. + + When sh_delentry() is called to remove a sockethash entry, remove all + individual transfers from the list first. To enable this, each Curl_easy struct + now stores a pointer to the sockethash entry to know how to remove itself. + + Reported-by: Tom van der Woerdt and Kunal Ekawde + + Fixes #3952 + Fixes #3904 + Closes #3953 + +Steve Holme (28 May 2019) +- curl-win32.h: Enable Unix Domain Sockets based on the Windows SDK version + + Microsoft added support for Unix Domain Sockets in Windows 10 1803 + (RS4). Rather than expect the user to enable Unix Domain Sockets by + uncommenting the #define that was added in 0fd6221f we use the RS4 + pre-processor variable that is present in newer versions of the + Windows SDK. + + Closes #3939 + +Daniel Stenberg (28 May 2019) +- [Jonas Vautherin brought this change] + + cmake: support CMAKE_OSX_ARCHITECTURES when detecting SIZEOF variables + + Closes #3945 + +Marcel Raad (27 May 2019) +- HAProxy tests: add keywords + + Add the proxy and haproxy keywords in order to be able to exclude or + run these specific tests. + + Closes https://github.com/curl/curl/pull/3949 + +Daniel Stenberg (27 May 2019) +- [Maksim Stsepanenka brought this change] + + tests: make test 1420 and 1406 work with rtsp-disabled libcurl + + Closes #3948 + +Kamil Dudka (27 May 2019) +- [Hubert Kario brought this change] + + nss: allow to specify TLS 1.3 ciphers if supported by NSS + + Closes #3916 + +Daniel Stenberg (26 May 2019) +- RELEASE-NOTES: synced + +- [Jay Satiro brought this change] + + Revert all SASL authzid (new feature) commits + + - Revert all commits related to the SASL authzid feature since the next + release will be a patch release, 7.65.1. 
+ + Prior to this change CURLOPT_SASL_AUTHZID / --sasl-authzid was destined + for the next release, assuming it would be a feature release 7.66.0. + However instead the next release will be a patch release, 7.65.1 and + will not contain any new features. + + After the patch release after the reverted commits can be restored by + using cherry-pick: + + git cherry-pick a14d72c a9499ff 8c1cc36 c2a8d52 0edf690 + + Details for all reverted commits: + + Revert "os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid()." + + This reverts commit 0edf6907ae37e2020722e6f61229d8ec64095b0a. + + Revert "tests: Fix the line endings for the SASL alt-auth tests" + + This reverts commit c2a8d52a1356a722ff9f4aeb983cd4eaf80ef221. + + Revert "examples: Added SASL PLAIN authorisation identity (authzid) examples" + + This reverts commit 8c1cc369d0c7163c6dcc91fd38edfea1f509ae75. + + Revert "curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool" + + This reverts commit a9499ff136d89987af885e2d7dff0a066a3e5817. + + Revert "sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID" + + This reverts commit a14d72ca2fec5d4eb5a043936e4f7ce08015c177. + +- [dbrowndan brought this change] + + FAQ: more minor updates and spelling fixes + + Closes #3937 + +- RELEASE-NOTES: synced + +- sectransp: handle errSSLPeerAuthCompleted from SSLRead() + + Reported-by: smuellerDD on github + Fixes #3932 + Closes #3933 + +GitHub (24 May 2019) +- [Gisle Vanem brought this change] + + Fix typo. 
+ +Daniel Stenberg (23 May 2019) +- tool_setopt: for builds with disabled-proxy, skip all proxy setopts() + + Reported-by: Marcel Raad + Fixes #3926 + Closes #3929 + +Steve Holme (23 May 2019) +- winbuild: Use two space indentation + + Closes #3930 + +GitHub (23 May 2019) +- [Gisle Vanem brought this change] + + tool_parse_cfg: Avoid 2 fopen() for WIN32 + + Using the memdebug.h mem-leak feature, I noticed 2 calls like: + FILE tool_parsecfg.c:70 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + FILE tool_parsecfg.c:114 fopen("c:\Users\Gisle\AppData\Roaming\_curlrc","rt") + + No need for 'fopen(), 'fclose()' and a 'fopen()' yet again. + +Daniel Stenberg (23 May 2019) +- md4: include the mbedtls config.h to get the MD4 info + +- md4: build correctly with openssl without MD4 + + Reported-by: elsamuko at github + Fixes #3921 + Closes #3922 + +Patrick Monnerat (23 May 2019) +- os400: take care of CURLOPT_SASL_AUTHZID in curl_easy_setopt_ccsid(). + +Daniel Stenberg (23 May 2019) +- .github/FUNDING: mention our opencollective "home" [ci skip] + +Marcel Raad (23 May 2019) +- [Zenju brought this change] + + config-win32: add support for if_nametoindex and getsockname + + Closes https://github.com/curl/curl/pull/3923 + +Jay Satiro (23 May 2019) +- tests: Fix the line endings for the SASL alt-auth tests + + - Change data and protocol sections to CRLF line endings. + + Prior to this change the tests would fail or hang, which is because + certain sections such as protocol require CRLF line endings. + + Follow-up to a9499ff from today which added the tests. + + Ref: https://github.com/curl/curl/pull/3790 + +Daniel Stenberg (23 May 2019) +- url: fix bad #ifdef + + Regression since e91e48161235272ff485. + + Reported-by: Tom Greenslade + Fixes #3924 + Closes #3925 + +- Revert "progress: CURL_DISABLE_PROGRESS_METER" + + This reverts commit 3b06e68b7734cb10a555f9d7e804dd5d808236a4. 
+ + Clearly this change wasn't good enough as it broke CURLOPT_LOW_SPEED_LIMIT + + CURLOPT_LOW_SPEED_TIME + + Reported-by: Dave Reisner + + Fixes #3927 + Closes #3928 + +Steve Holme (22 May 2019) +- examples: Added SASL PLAIN authorisation identity (authzid) examples + +- curl: --sasl-authzid added to support CURLOPT_SASL_AUTHZID from the tool + +- sasl: Implement SASL authorisation identity via CURLOPT_SASL_AUTHZID + + Added the ability for the calling program to specify the authorisation + identity (authzid), the identity to act as, in addition to the + authentication identity (authcid) and password when using SASL PLAIN + authentication. + + Fixed #3653 + Closes #3790 + +Marc Hoersken (22 May 2019) +- tests: add support to test against OpenSSH for Windows + + Testing against OpenSSH for Windows requires v7.7.0.0 or newer + due to the use of AllowUsers and DenyUsers. For more info see: + https://github.com/PowerShell/Win32-OpenSSH/wiki/sshd_config + +Daniel Stenberg (22 May 2019) +- bump: start on the next release + +Marcel Raad (22 May 2019) +- examples: fix "clarify calculation precedence" warnings + + Closes https://github.com/curl/curl/pull/3919 + +- hiperfifo: remove unused variable + + Closes https://github.com/curl/curl/pull/3919 + +- examples: remove dead variable stores + + Closes https://github.com/curl/curl/pull/3919 + +- examples: reduce variable scopes + + Closes https://github.com/curl/curl/pull/3919 + +- http2-download: fix format specifier + + Closes https://github.com/curl/curl/pull/3919 + +Daniel Stenberg (22 May 2019) +- PolarSSL: deprecate support step 1. Removed from configure. + + Also removed mentions from most docs. 
+ + Discussed: https://curl.haxx.se/mail/lib-2019-05/0045.html + + Closes #3888 + +- configure/cmake: check for if_nametoindex() - ``` - ==4125== Invalid read of size 8 - ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) - ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) - ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd - ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) - ==4125== by 0x4E62C36: conn_free (url.c:756) - ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) - ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) - ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ==4125== Block was alloc'd at - ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) - ==4125== by 0x4E6438E: allocate_conn (url.c:1654) - ==4125== by 0x4E685B4: create_conn (url.c:3496) - ==4125== by 0x4E6968F: Curl_connect (url.c:4023) - ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) - ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) - ==4125== by 0x4E766A0: easy_transfer (easy.c:625) - ==4125== by 0x4E76915: easy_perform (easy.c:719) - ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) - ==4125== by 0x4008BE: main (in /home/even/curl/test) - ``` + - adds the check to cmake - This has been bisected to commit 2f44e94 + - fixes the configure check to work for cross-compiled windows builds - Fixes 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 - Credit to OSS Fuzz + Closes #3917 -- pipelining: removed +- parse_proxy: use the IPv6 zone id if given - As previously planned and documented in DEPRECATE.md, all pipelining - code is removed. + If the proxy string is given as an IPv6 numerical address with a zone + id, make sure to use that for the connect to the proxy. - Closes #3651 + Reported-by: Edmond Yu + + Fixes #3482 + Closes #3918 -- [cclauss brought this change] +Version 7.65.0 (22 May 2019) - tests: make Impacket (SMB server) Python 3 compatible +Daniel Stenberg (22 May 2019) +- RELEASE-NOTES: 7.65.0 release + +- THANKS: from the 7.65.0 release-notes + +- url: convert the zone id from a IPv6 URL to correct scope id - Closes #3731 - Fixes #3289 + Reported-by: GitYuanQu on github + Fixes #3902 + Closes #3914 -Marcel Raad (6 Apr 2019) -- [Simon Warta brought this change] +- configure: detect getsockname and getpeername on windows too + + Made detection macros for these two functions in the same style as other + functions possibly in winsock in the hope this will work better to + detect these functions when cross-compiling for Windows. + + Follow-up to e91e4816123 + + Fixes #3913 + Closes #3915 - cmake: set SSL_BACKENDS +Marcel Raad (21 May 2019) +- examples: remove unused variables - This groups all SSL backends into the feature "SSL" and sets the - SSL_BACKENDS analogue to configure.ac + Fixes Codacy/CppCheck warnings. - Closes https://github.com/curl/curl/pull/3736 + Closes -- [Simon Warta brought this change] +Daniel Gustafsson (21 May 2019) +- udpateconninfo: mark variable unused + + When compiling without getpeername() or getsockname(), the sockfd + paramter to Curl_udpateconninfo() became unused after commit e91e481612 + added ifdef guards. 
+ + Closes #3910 + Fixes https://curl.haxx.se/dev/log.cgi?id=20190520172441-32196 + Reviewed-by: Marcel Raad, Daniel Stenberg - cmake: don't run SORT on empty list +- ftp: move ftp_ccc in under featureflag - In case of an empty list, SORTing leads to the cmake error "list - sub-command SORT requires list to be present." + Commit e91e48161235272ff485ff32bd048c53af731f43 moved ftp_ccc in under + the FTP featureflag in the UserDefined struct, but vtls callsites were + still using it unprotected. - Closes https://github.com/curl/curl/pull/3736 + Closes #3912 + Fixes: https://curl.haxx.se/dev/log.cgi?id=20190520044705-29865 + Reviewed-by: Daniel Stenberg, Marcel Raad -Daniel Gustafsson (5 Apr 2019) -- [Eli Schwartz brought this change] +Daniel Stenberg (20 May 2019) +- curl: report error for "--no-" on non-boolean options + + Reported-by: Olen Andoni + Fixes #3906 + Closes #3907 - configure: fix default location for fish completions +- [Guy Poizat brought this change] + + mbedtls: enable use of EC keys - Fish defines a vendor completions directory for completions that are not - installed as part of the fish project itself, and the vendor completions - are preferred if they exist. This prevents trying to overwrite the - builtin curl.fish completion (or creating file conflicts in distro - packaging). + Closes #3892 + +- lib1560: add tests for parsing URL with too long scheme - Prefer the pkg-config defined location exported by fish, if it can be - found, and fall back to the correct directory defined by most systems. + Ref: #3905 + +- [Omar Ramadan brought this change] + + urlapi: increase supported scheme length to 40 bytes - Closes #3723 - Reviewed-by: Daniel Gustafsson + The longest currently registered URI scheme at IANA is 36 bytes long. + + Closes #3905 + Closes #3900 -Marcel Raad (5 Apr 2019) -- ftplistparser: fix LGTM alert "Empty block without comment" +Marcel Raad (20 May 2019) +- lib: reduce variable scopes - Removing the block is consistent with line 954/957. 
+ Fixes Codacy/CppCheck warnings. - Closes https://github.com/curl/curl/pull/3732 + Closes https://github.com/curl/curl/pull/3872 -- transfer: fix LGTM alert "Comparison is always true" +- tool_formparse: remove redundant assignment - Just remove the redundant condition, which also makes it clear that - k->buf is always 0-terminated if this break is not hit. + Just initialize word_begin with the correct value. - Closes https://github.com/curl/curl/pull/3732 + Closes https://github.com/curl/curl/pull/3873 -Jay Satiro (4 Apr 2019) -- [Rikard Falkeborn brought this change] +- ssh: move variable declaration to where it's used + + This way, we need only one call to free. + + Closes https://github.com/curl/curl/pull/3873 - smtp: fix compiler warning +- ssh-libssh: remove unused variable - - Fix clang string-plus-int warning. + sock was only used to be assigned to fd_read. - Clang 8 warns about adding a string to an int does not append to the - string. Indeed it doesn't, but that was not the intention either. Use - array indexing as suggested to silence the warning. There should be no - functional changes. + Closes https://github.com/curl/curl/pull/3873 + +Daniel Stenberg (20 May 2019) +- test332: verify the blksize fix + +- tftp: use the current blksize for recvfrom() + + bug: https://curl.haxx.se/docs/CVE-2019-5436.html + Reported-by: l00p3r on hackerone + CVE-2019-5436 + +Daniel Gustafsson (19 May 2019) +- version: make ssl_version buffer match for multi_ssl + + When running a multi TLS backend build the version string needs more + buffer space. Make the internal ssl_buffer stack buffer match the one + in Curl_multissl_version() to allow for the longer string. For single + TLS backend builds there is no use in extended to buffer. This is a + fallout from #3863 which fixes up the multi_ssl string generation to + avoid a buffer overflow when the buffer is too small. 
+ + Closes #3875 + Reviewed-by: Daniel Stenberg + +Steve Holme (18 May 2019) +- http_ntlm_wb: Handle auth for only a single request + + Currently when the server responds with 401 on NTLM authenticated + connection (re-used) we consider it to have failed. However this is + legitimate and may happen when for example IIS is set configured to + 'authPersistSingleRequest' or when the request goes thru a proxy (with + 'via' header). + + Implemented by imploying an additional state once a connection is + re-used to indicate that if we receive 401 we need to restart + authentication. + + Missed in fe6049f0. + +- http_ntlm_wb: Cleanup handshake after clean NTLM failure + + Missed in 50b87c4e. + +- http_ntlm_wb: Return the correct error on receiving an empty auth message + + Missed in fe20826b as it wasn't implemented in http.c in b4d6db83. + + Closes #3894 + +Daniel Stenberg (18 May 2019) +- curl: make code work with protocol-disabled libcurl + + Closes #3844 + +- libcurl: #ifdef away more code for disabled features/protocols + +- progress: CURL_DISABLE_PROGRESS_METER + +- hostip: CURL_DISABLE_SHUFFLE_DNS + +- netrc: CURL_DISABLE_NETRC + +Viktor Szakats (16 May 2019) +- docs: Markdown and misc improvements [ci skip] + + Approved-by: Daniel Stenberg + Closes #3896 + +- docs/RELEASE-PROCEDURE: link to live iCalendar [ci skip] + + Ref: https://github.com/curl/curl/commit/0af41b40b2c7bd379b2251cbe7cd618e21fa0ea1#commitcomment-33563135 + Approved-by: Daniel Stenberg + Closes #3895 + +Daniel Stenberg (16 May 2019) +- travis: add an osx http-only build + + Closes #3887 + +- cleanup: remove FIXME and TODO comments + + They serve very little purpose and mostly just add noise. Most of them + have been around for a very long time. I read them all before removing + or rephrasing them. + + Ref: #3876 + Closes #3883 + +- curl: don't set FTP options for FTP-disabled builds - (In other words clang warns about "foo"+2 but not &"foo"[2] so use the - latter.) + ... 
since libcurl has started to be totally unaware of options for + disabled protocols they now return error. - smtp.c:1221:29: warning: adding 'int' to a string does not append to the - string [-Wstring-plus-int] - eob = strdup(SMTP_EOB + 2); - ~~~~~~~~~~~~~~~~^~~~ + Bug: https://github.com/curl/curl/commit/c9c5304dd4747cbe75d2f24be85920d572fcb5b8#commitcomment-33533937 - Closes https://github.com/curl/curl/pull/3729 + Reported-by: Marcel Raad + Closes #3886 -Marcel Raad (4 Apr 2019) -- VS projects: use Unicode for VC10+ - - All Windows APIs have been natively UTF-16 since Windows 2000 and the - non-Unicode variants are just wrappers around them. Only Windows 9x - doesn't understand Unicode without the UnicoWS DLL. As later Visual - Studio versions cannot target Windows 9x anyway, using the ANSI API - doesn't really have any benefit there. +Steve Holme (16 May 2019) +- http_ntlm_wb: Move the type-2 message processing into a dedicated function - This avoids issues like KNOWN_BUGS 6.5. + This brings the code inline with the other HTTP authentication mechanisms. - Ref: https://github.com/curl/curl/issues/2120 - Closes https://github.com/curl/curl/pull/3720 + Closes #3890 -Daniel Gustafsson (3 Apr 2019) +Daniel Stenberg (15 May 2019) - RELEASE-NOTES: synced - - Bump the version in progress to 7.64.2, if we merge any "change" - before the cut-off date we can update the version. -- [Tim Rühsen brought this change] +- docs/RELEASE-PROCEDURE: updated coming releases dates [ci skip] - documentation: Fix several typos +- CURLOPT_READFUNCTION.3: see also CURLOPT_UPLOAD_BUFFERSIZE [ci skip] - Closes #3724 - Reviewed-by: Jakub Zakrzewski - Reviewed-by: Daniel Gustafsson + Reported-by: Roy Bellingan + Bug: #3885 -Jay Satiro (2 Apr 2019) -- [Mert Yazıcıoğlu brought this change] +- parse_proxy: use the URL parser API + + As we treat a given proxy as a URL we should use the unified URL parser + to extract the parts out of it. 
+ + Closes #3878 - vauth/oauth2: Fix OAUTHBEARER token generation +Steve Holme (15 May 2019) +- http_negotiate: Move the Negotiate state out of the negotiatedata structure - OAUTHBEARER tokens were incorrectly generated in a format similar to - XOAUTH2 tokens. These changes make OAUTHBEARER tokens conform to the - RFC7628. + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. - Fixes: #2487 - Reported-by: Paolo Mossino + Closes #3882 + +- http_ntlm: Move the NTLM state out of the ntlmdata structure - Closes https://github.com/curl/curl/pull/3377 + Given that this member variable is not used by the SASL based protocols + there is no need to have it here. -Marcel Raad (2 Apr 2019) -- tool_cb_wrt: fix bad-function-cast warning +- url: Move the negotiate state type into a dedicated enum + +- url: Remove duplicate clean up of the winbind variables in conn_shutdown() - Commit f5bc578f4cdfdc6c708211dfc2962a0e9d79352d reintroduced the - warning fixed in commit 2f5f31bb57d68b54e03bffcd9648aece1fe564f8. - Extend fhnd's scope and reuse that variable instead of calling - _get_osfhandle a second time to fix the warning again. + Given that Curl_disconnect() calls Curl_http_auth_cleanup_ntlm() prior + to calling conn_shutdown() and it in turn performs this, there is no + need to perform the same action in conn_shutdown(). - Closes https://github.com/curl/curl/pull/3718 + Closes #3881 -- VC15 project: remove MinimalRebuild +Daniel Stenberg (14 May 2019) +- urlapi: require a non-zero host name length when parsing URL - Already done in commit d5cfefd0ea8e331b884186bff484210fad36e345 for the - library project, but I forgot the tool project template. Now also - removed for that. - -Dan Fandrich (1 Apr 2019) -- cirrus: Customize the disabled tests per FreeBSD version + Updated test 1560 to verify. - Try to run as many test cases as possible on each OS version. 
- 12.0 passes 13 more tests than the older versions, so we might as well - run them. + Closes #3880 -Daniel Stenberg (1 Apr 2019) -- tool_help: include for strcasecmp +- configure: error out if OpenSSL wasn't detected when asked for + + If --with-ssl is used and configure still couldn't enable SSL this + creates an error instead of just silently ignoring the fact. - Reported-by: Wyatt O'Day - Fixes #3715 - Closes #3716 + Suggested-by: Isaiah Norton + Fixes #3824 + Closes #3830 -Daniel Gustafsson (31 Mar 2019) -- scripts: fix typos +Daniel Gustafsson (14 May 2019) +- imap: Fix typo in comment -Dan Fandrich (28 Mar 2019) -- travis: allow builds on branches named "ci" +Steve Holme (14 May 2019) +- url: Remove unnecessary initialisation from allocate_conn() - This allows a way to test changes other than through PRs. - -Daniel Stenberg (27 Mar 2019) -- [Brad Spencer brought this change] + No need to set variables to zero as calloc() does this for us. + + Closes #3879 - resolve: apply Happy Eyeballs philosophy to parallel c-ares queries +Daniel Stenberg (14 May 2019) +- CURLOPT_CAINFO.3: with Schannel, you want Windows 8 or later [ci skip] - Closes #3699 + Clues-provided-by: Jay Satiro + Clues-provided-by: Jeroen Ooms + Fixes #3711 + Closes #3874 -- multi: improved HTTP_1_1_REQUIRED handling +Daniel Gustafsson (13 May 2019) +- vtls: fix potential ssl_buffer stack overflow - Make sure to downgrade to 1.1 even when we get this HTTP/2 stream error - on first flight. + In Curl_multissl_version() it was possible to overflow the passed in + buffer if the generated version string exceeded the size of the buffer. + Fix by inverting the logic, and also make sure to not exceed the local + buffer during the string generation. 
- Reported-by: niner on github - Fixes #3696 - Closes #3707 + Closes #3863 + Reported-by: nevv on HackerOne/curl + Reviewed-by: Jay Satiro + Reviewed-by: Daniel Stenberg -- [Leonardo Taccari brought this change] +Daniel Stenberg (13 May 2019) +- RELEASE-NOTES: synced - configure: avoid unportable `==' test(1) operator - - Closes #3709 +- appveyor: also build "/ci" branches like travis + +- pingpong: disable more when no pingpong enabled -Version 7.64.1 (27 Mar 2019) +- proxy: acknowledge DISABLE_PROXY more -Daniel Stenberg (27 Mar 2019) -- RELEASE: 7.64.1 +- parsedate: CURL_DISABLE_PARSEDATE -- Revert "ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set" - - This reverts commit 9130ead9fcabdb6b8fbdb37c0b38be2d326adb00. - - Fixes #3708 +- sasl: only enable if there's a protocol enabled using it -- [Christian Schmitz brought this change] +- mime: acknowledge CURL_DISABLE_MIME - ntlm: remove USE_WIN32_CRYPTO check to get USE_NTLM2SESSION set - - Closes #3704 +- wildcard: disable from build when FTP isn't present -Jay Satiro (26 Mar 2019) -- tool_cb_wrt: fix writing to Windows null device NUL - - - Improve console detection. - - Prior to this change WriteConsole could be called to write to a handle - that may not be a console, which would cause an error. This issue is - limited to character devices that are not also consoles such as the null - device NUL. - - Bug: https://github.com/curl/curl/issues/3175#issuecomment-439068724 - Reported-by: Gisle Vanem +- http: CURL_DISABLE_HTTP_AUTH -- CURLMOPT_PIPELINING.3: fix typo +- base64: build conditionally if there are users -Daniel Stenberg (25 Mar 2019) -- TODO: config file parsing - - Closes #3698 +- doh: CURL_DISABLE_DOH -Jay Satiro (24 Mar 2019) -- os400: Disable Alt-Svc by default since it's experimental - - Follow-up to 520f0b4 which added Alt-Svc support and enabled it by - default for OS400. Since the feature is experimental, it should be - disabled by default. 
+Steve Holme (12 May 2019) +- auth: Rename the various authentication clean up functions - Ref: https://github.com/curl/curl/commit/520f0b4#commitcomment-32792332 - Ref: https://curl.haxx.se/mail/lib-2019-02/0008.html + For consistency and to a avoid confusion. - Closes https://github.com/curl/curl/pull/3688 + Closes #3869 -Dan Fandrich (24 Mar 2019) -- tests: Fixed XML validation errors in some test files. +Daniel Stenberg (12 May 2019) +- [Jay Satiro brought this change] -- tests: Fix some incorrect precheck error messages. + docs/INSTALL: fix broken link [ci skip] - [ci skip] - -Daniel Stenberg (22 Mar 2019) -- curl_url.3: this is not experimental anymore + Reported-by: Joombalaya on github + Fixes #3818 -- travis: bump the used wolfSSL version to 4.0.0 +Marcel Raad (12 May 2019) +- easy: fix another "clarify calculation precedence" warning - Test 311 is now fine, leaving only 313 (CRL) disabled. + I missed this one in commit 6b3dde7fe62ea5a557fd1fd323fac2bcd0c2e9be. + +- build: fix "clarify calculation precedence" warnings - Test 313 details can be found here: - https://github.com/wolfSSL/wolfssl/issues/1546 + Codacy/CppCheck warns about this. Consistently use parentheses as we + already do in some places to silence the warning. - Closes #3697 - -Daniel Gustafsson (22 Mar 2019) -- lib: Fix typos in comments + Closes https://github.com/curl/curl/pull/3866 -David Woodhouse (20 Mar 2019) -- openssl: if cert type is ENG and no key specified, key is ENG too +- cmake: restore C89 compatibility of CurlTests.c - Fixes #3692 - Closes #3692 - -Daniel Stenberg (20 Mar 2019) -- sectransp: tvOS 11 is required for ALPN support + I broke it in d1b5cf830bfe169745721b21245d2217d2c2453e and + 97de97daefc2ed084c91eff34af2426f2e55e134. 
- Reported-by: nianxuejie on github - Assisted-by: Nick Zitzmann - Assisted-by: Jay Satiro - Fixes #3689 - Closes #3690 + Reported-by: Viktor Szakats + Ref: https://github.com/curl/curl/commit/97de97daefc2ed084c91eff34af2426f2e55e134#commitcomment-33499044 + Closes https://github.com/curl/curl/pull/3868 -- test1541: threaded connection sharing +Steve Holme (11 May 2019) +- http_ntlm: Corrected the name of the include guard - The threaded-shared-conn.c example turned into test case. Only works if - pthread was detected. + Missed in f0bdd72c. - An attempt to detect future regressions such as e3a53e3efb942a5 + Closes #3867 + +- http_digest: Don't expose functions when HTTP and Crypto Auth are disabled - Closes #3687 + Closes #3861 + +- http_negotiate: Don't expose functions when HTTP is disabled + +Daniel Stenberg (11 May 2019) +- SECURITY-PROCESS: fix links [ci skip] -Patrick Monnerat (17 Mar 2019) -- os400: alt-svc support. +Marcel Raad (11 May 2019) +- CMake: suppress unused variable warnings - Although experimental, enable it in the platform config file. - Upgrade ILE/RPG binding. + I missed these in commit d1b5cf830bfe169745721b21245d2217d2c2453e. -Daniel Stenberg (17 Mar 2019) -- conncache: use conn->data to know if a transfer owns it +Daniel Stenberg (11 May 2019) +- doh: disable DOH for the cases it doesn't work - - make sure an already "owned" connection isn't returned unless - multiplexed. + Due to limitations in Curl_resolver_wait_resolv(), it doesn't work for + DOH resolves. This fix disables DOH for those. - - clear ->data when returning the connection to the cache again + Limitation added to KNOWN_BUGS. - Regression since 7.62.0 (probably in commit 1b76c38904f0) + Fixes #3850 + Closes #3857 + +Jay Satiro (11 May 2019) +- checksrc.bat: Ignore snprintf warnings in docs/examples - Bug: https://curl.haxx.se/mail/lib-2019-03/0064.html + .. because we allow snprintf use in docs/examples. 
- Closes #3686 - -- RELEASE-NOTES: synced - -- [Chris Young brought this change] + Closes https://github.com/curl/curl/pull/3862 - configure: add --with-amissl +Steve Holme (10 May 2019) +- vauth: Fix incorrect function description for Curl_auth_user_contains_domain() - AmiSSL is an Amiga native library which provides a wrapper over OpenSSL. - It also requires all programs using it to use bsdsocket.library - directly, rather than accessing socket functions through clib, which - libcurl was not necessarily doing previously. Configure will now check - for the headers and ensure they are included if found. + ...and misalignment of these comments. From a78c61a4. - Closes #3677 - -- [Chris Young brought this change] + Closes #3860 - vtls: rename some of the SSL functions +Jay Satiro (10 May 2019) +- Revert "multi: support verbose conncache closure handle" - ... in the SSL structure as AmiSSL is using macros for the socket API - functions. - -- [Chris Young brought this change] - - tool_getpass: termios.h is present on AmigaOS 3, but no tcgetattr/tcsetattr - -- [Chris Young brought this change] - - tool_operate: build on AmigaOS - -- makefile: make checksrc and hugefile commands "silent" + This reverts commit b0972bc. - ... to match the style already used for compiling, linking - etc. Acknowledges 'make V=1' to enable verbose. + - No longer show verbose output for the conncache closure handle. - Closes #3681 - -- curl.1: --user and --proxy-user are hidden from ps output + The offending commit was added so that the conncache closure handle + would inherit verbose mode from the user's easy handle. (Note there is + no way for the user to set options for the closure handle which is why + that was necessary.) Other debug settings such as the debug function + were not also inherited since we determined that could lead to crashes + if the user's per-handle private data was used on an unexpected handle. 
- Suggested-by: Eric Curtin - Improved-by: Dan Fandrich - Ref: #3680 + The reporter here says he has a debug function to capture the verbose + output, and does not expect or want any output to stderr; however + because the conncache closure handle does not inherit the debug function + the verbose output for that handle does go to stderr. - Closes #3683 - -- curl.1: mark the argument to --cookie as + There are other plausible scenarios as well such as the user redirects + stderr on their handle, which is also not inherited since it could lead + to crashes when used on an unexpected handle. - From a discussion in #3676 + Short of allowing the user to set options for the conncache closure + handle I don't think there's much we can safely do except no longer + inherit the verbose setting. - Suggested-by: Tim Rühsen + Bug: https://curl.haxx.se/mail/lib-2019-05/0021.html + Reported-by: Kristoffer Gleditsch - Closes #3682 - -Dan Fandrich (14 Mar 2019) -- fuzzer: Only clone the latest fuzzer code, for speed. 
- -Daniel Stenberg (14 Mar 2019) -- [Dominik Hölzl brought this change] + Ref: https://github.com/curl/curl/pull/3598 + Ref: https://github.com/curl/curl/pull/3618 + + Closes https://github.com/curl/curl/pull/3856 - Negotiate: fix for HTTP POST with Negotiate +Steve Holme (10 May 2019) +- ntlm: Fix misaligned function comments for Curl_auth_ntlm_cleanup() - * Adjusted unit tests 2056, 2057 - * do not generally close connections with CURLAUTH_NEGOTIATE after every request - * moved negotiatedata from UrlState to connectdata - * Added stream rewind logic for CURLAUTH_NEGOTIATE - * introduced negotiatedata::GSS_AUTHDONE and negotiatedata::GSS_AUTHSUCC - * Consider authproblem state for CURLAUTH_NEGOTIATE - * Consider reuse_forbid for CURLAUTH_NEGOTIATE - * moved and adjusted negotiate authentication state handling from - output_auth_headers into Curl_output_negotiate - * Curl_output_negotiate: ensure auth done is always set - * Curl_output_negotiate: Set auth done also if result code is - GSS_S_CONTINUE_NEEDED/SEC_I_CONTINUE_NEEDED as this result code may - also indicate the last challenge request (only works with disabled - Expect: 100-continue and CURLOPT_KEEP_SENDING_ON_ERROR -> 1) - * Consider "Persistent-Auth" header, detect if not present; - Reset/Cleanup negotiate after authentication if no persistent - authentication - * apply changes introduced with #2546 for negotiate rewind logic + From 6012fa5a. - Fixes #1261 - Closes #1975 + Closes #3858 -- [Marc Schlatter brought this change] +Daniel Stenberg (9 May 2019) +- BUG-BOUNTY: minor formatting fixes [ci skip] - http: send payload when (proxy) authentication is done - - The check that prevents payload from sending in case of authentication - doesn't check properly if the authentication is done or not. - - They're cases where the proxy respond "200 OK" before sending - authentication challenge. This change takes care of that. 
- - Fixes #2431 - Closes #3669 +- RELEASE-NOTES: synced -- file: fix "Checking if unsigned variable 'readcount' is less than zero." - - Pointed out by codacy +- BUG-BOUNTY.md: add the Dropbox "bonus" extra payout ability [ci skip] - Closes #3672 + Closes #3839 -- memdebug: log pointer before freeing its data +Kamil Dudka (9 May 2019) +- http_negotiate: do not treat failure of gss_init_sec_context() as fatal - Coverity warned for two potentional "Use after free" cases. Both are false - positives because the memory wasn't used, it was only the actual pointer - value that was logged. + Fixes #3726 + Closes #3849 + +- spnego_gssapi: fix return code on gss_init_sec_context() failure - The fix still changes the order of execution to avoid the warnings. + Fixes #3726 + Closes #3849 + +Steve Holme (9 May 2019) +- gen_resp_file.bat: Removed unnecessary @ from all but the first command - Coverity CID 1443033 and 1443034 + There is need to use @ on every command once echo has been turned off. - Closes #3671 - -- RELEASE-NOTES: synced + Closes #3854 -Marcel Raad (12 Mar 2019) -- travis: actually use updated compiler versions +Jay Satiro (8 May 2019) +- http: Ignore HTTP/2 prior knowledge setting for HTTP proxies + + - Do not switch to HTTP/2 for an HTTP proxy that is not tunnelling to + the destination host. - For the Linux builds, GCC 8 and 7 and clang 7 were installed, but the - new GCC versions were only used for the coverage build and for building - nghttp2, while the new clang version was not used at all. + We already do something similar for HTTPS proxies by not sending h2. [1] - BoringSSL needs to use the default GCC as it respects CC, but not CXX, - so it would otherwise pass gcc 8 options to g++ 4.8 and fail. + Prior to this change setting CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE would + incorrectly use HTTP/2 to talk to the proxy, which is not something we + support (yet?). Also it's debatable whether or not that setting should + apply to HTTP/2 proxies. 
- Also remove GCC 7, it's not needed anymore. + [1]: https://github.com/curl/curl/commit/17c5d05 - Ref: https://docs.travis-ci.com/user/languages/c/#c11c11-and-beyond-and-toolchain-versioning + Bug: https://github.com/curl/curl/issues/3570 + Bug: https://github.com/curl/curl/issues/3832 - Closes https://github.com/curl/curl/pull/3670 + Closes https://github.com/curl/curl/pull/3853 -- travis: update clang to version 7 +Marcel Raad (8 May 2019) +- travis: update mesalink build to xenial - Closes https://github.com/curl/curl/pull/3670 + Closes https://github.com/curl/curl/pull/3842 -Jay Satiro (11 Mar 2019) -- [Andre Guibert de Bruet brought this change] +Daniel Stenberg (8 May 2019) +- [Ricky Leverence brought this change] - examples/externalsocket: add missing close socket calls - - .. and for Windows also call WSACleanup since we call WSAStartup. + OpenSSL: Report -fips in version if OpenSSL is built with FIPS - The example is to demonstrate handling the socket independently of - libcurl. In this case libcurl is not responsible for creating, opening - or closing the socket, it is handled by the application (our example). + Older versions of OpenSSL report FIPS availabilty via an OPENSSL_FIPS + define. It uses this define to determine whether to publish -fips at + the end of the version displayed. Applications that utilize the version + reported by OpenSSL will see a mismatch if they compare it to what curl + reports, as curl is not modifying the version in the same way. This + change simply adds a check to see if OPENSSL_FIPS is defined, and will + alter the reported version to match what OpenSSL itself provides. 
This + only appears to be applicable in versions of OpenSSL <1.1.1 - Fixes https://github.com/curl/curl/pull/3663 + Closes #3771 -Daniel Stenberg (11 Mar 2019) -- multi: removed unused code for request retries - - This code was once used for the non multi-interface using code path, but - ever since easy_perform was turned into a wrapper around the multi - interface, this code path never runs. - - Closes #3666 +Kamil Dudka (7 May 2019) +- [Frank Gevaerts brought this change] -Jay Satiro (11 Mar 2019) -- doh: inherit some SSL options from user's easy handle - - - Inherit SSL options for the doh handle but not SSL client certs, - SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, - SSL pinned public key, SSL ciphers, SSL id cache setting, - SSL kerberos or SSL gss-api settings. - - - Fix inheritance of verbose setting. - - - Inherit NOSIGNAL. - - There is no way for the user to set options for the doh (DNS-over-HTTPS) - handles and instead we inherit some options from the user's easy handle. + nss: allow fifos and character devices for certificates. - My thinking for the SSL options not inherited is they are most likely - not intended by the user for the DOH transfer. I did inherit insecure - because I think that should still be in control of the user. + Currently you can do things like --cert <(cat ./cert.crt) with (at least) the + openssl backend, but that doesn't work for nss because is_file rejects fifos. - Prior to this change doh did not work for me because CAINFO was not - inherited. Also verbose was set always which AFAICT was a bug (#3660). + I don't actually know if this is sufficient, nss might do things internally + (like seeking back) that make this not work, so actual testing is needed. 
- Fixes https://github.com/curl/curl/issues/3660 - Closes https://github.com/curl/curl/pull/3661 + Closes #3807 -Daniel Stenberg (9 Mar 2019) -- test331: verify set-cookie for dotless host name - - Reproduced bug #3649 - Closes #3659 +Daniel Gustafsson (6 May 2019) +- test2100: Fix typos in test description -- Revert "cookies: extend domain checks to non psl builds" - - This reverts commit 3773de378d48b06c09931e44dca4d274d0bfdce0. +Daniel Stenberg (6 May 2019) +- ssh: define USE_SSH if SSH is enabled (any backend) - Regression shipped in 7.64.0 - Fixes #3649 + Closes #3846 -- memdebug: make debug-specific functions use curl_dbg_ prefix - - To not "collide" or use up the regular curl_ name space. Also makes them - easier to detect in helper scripts. +Steve Holme (5 May 2019) +- winbuild: Add our standard copyright header to the winbuild batch files + +- makedebug: Fix ERRORLEVEL detection after running where.exe - Closes #3656 + Closes #3838 -- cmdline-opts/proxytunnel.d: the option tunnnels all protocols +Daniel Stenberg (5 May 2019) +- urlapi: add CURLUPART_ZONEID to set and get - Clarify the language and simplify. + The zoneid can be used with IPv6 numerical addresses. - Reported-by: Daniel Lublin - Closes #3658 - -- KNOWN_BUGS: Client cert (MTLS) issues with Schannel + Updated test 1560 to verify. - Closes #3145 + Closes #3834 -- ROADMAP: updated to some more current things to work on +- [Taiyu Len brought this change] -- tests: fix multiple may be used uninitialized warnings + WRITEFUNCTION: add missing set_in_callback around callback + + Closes #3837 - RELEASE-NOTES: synced -- source: fix two 'nread' may be used uninitialized warnings +- CURLMOPT_TIMERFUNCTION.3: warn about the recursive risk [ci skip] - Both seem to be false positives but we don't like warnings. + Reported-by: Ricardo Gomes - Closes #3646 + Bug: #3537 + Closes #3836 -- gopher: remove check for path == NULL - - Since it can't be NULL and it makes Coverity believe we lack proper NULL - checks. 
Verified by test 659, landed in commit 15401fa886b. +- CURLOPT_CHUNK_BGN_FUNCTION.3: document the struct and time value - Pointed out by Coverity CID 1442746. + The time field in the curl_fileinfo struct will always be zero. No code + was ever implemented to actually convert the date string to a time_t. - Assisted-by: Dan Fandrich - Fixes #3617 - Closes #3642 + Fixes #3829 + Closes #3835 -- examples: only include - - That's the only public curl header we should encourage use of. - - Reviewed-by: Marcel Raad - Closes #3645 +- OS400/ccsidcurl.c: code style fixes -- ssh: loop the state machine if not done and not blocking - - If the state machine isn't complete, didn't fail and it didn't return - due to blocking it can just as well loop again. +- OS400/ccsidcurl: replace use of Curl_vsetopt - This addresses the problem with SFTP directory listings where we would - otherwise return back to the parent and as the multi state machine - doesn't have any code for using CURLM_CALL_MULTI_PERFORM for as long the - doing phase isn't complete, it would return out when in reality there - was more data to deal with. + (and make the code style comply) - Fixes #3506 - Closes #3644 + Fixes #3833 -Jay Satiro (5 Mar 2019) -- multi: support verbose conncache closure handle - - - Change closure handle to receive verbose setting from the easy handle - most recently added via curl_multi_add_handle. - - The closure handle is a special easy handle used for closing cached - connections. It receives limited settings from the easy handle most - recently added to the multi handle. Prior to this change that did not - include verbose which was a problem because on connection shutdown - verbose mode was not acknowledged. +- urlapi: strip off scope id from numerical IPv6 addresses - Ref: https://github.com/curl/curl/pull/3598 + ... to make the host name "usable". Store the scope id and put it back + when extracting a URL out of it. 
- Co-authored-by: Daniel Stenberg + Also makes curl_url_set() syntax check CURLUPART_HOST. - Closes https://github.com/curl/curl/pull/3618 + Fixes #3817 + Closes #3822 -Daniel Stenberg (4 Mar 2019) -- CURLU: fix NULL dereference when used over proxy - - Test 659 verifies - - Also fixed the test 658 name - - Closes #3641 +- RELEASE-NOTES: synced -- altsvc_out: check the return code from Curl_gmtime - - Pointed out by Coverity, CID 1442956. +- multiif.h: remove unused protos - Closes #3640 - -- docs/ALTSVC.md: docs describing the approach + ... for functions related to pipelining. Those functions were removed in + 2f44e94efb3df. - Closes #3498 - -- alt-svc: add a travis build - -- alt-svc: add test 355 and 356 to verify with command line curl - -- alt-svc: the curl command line bits + Closes #3828 -- alt-svc: the libcurl bits +- [Yiming Jing brought this change] -- travis: add build using gnutls + travis: mesalink: temporarily disable test 3001 - Closes #3637 - -- RELEASE-NOTES: synced + ... due to SHA-1 signatures in test certs -- [Simon Legner brought this change] +- [Yiming Jing brought this change] - scripts/completion.pl: also generate fish completion file - - This is the renamed script formerly known as zsh.pl + travis: upgrade the MesaLink TLS backend to v1.0.0 - Closes #3545 + Closes #3823 + Closes #3776 -- gnutls: remove call to deprecated gnutls_compression_get_name - - It has been deprecated by GnuTLS since a year ago and now causes build - warnings. +- ConnectionExists: improve non-multiplexing use case - Ref: https://gitlab.com/gnutls/gnutls/commit/b0041897d2846737f5fb0f - Docs: https://www.gnutls.org/manual/html_node/Compatibility-API.html + - better log output - Closes #3636 + - make sure multiplex is enabled for it to be used -Jay Satiro (2 Mar 2019) -- system_win32: move win32_init here from easy.c +- multi: provide Curl_multiuse_state to update information - .. 
since system_win32 is a more appropriate location for the functions - and to extern the globals. + As soon as a TLS backend gets ALPN conformation about the specific HTTP + version it can now set the multiplex situation for the "bundle" and + trigger moving potentially queued up transfers to the CONNECT state. + +- process_pending_handles: mark queued transfers as previously pending - Ref: https://github.com/curl/curl/commit/ca597ad#r32446578 - Reported-by: Gisle Vanem + With transfers being queued up, we only move one at a a time back to the + CONNECT state but now we mark moved transfers so that when a moved + transfer is confirmed "successful" (it connected) it will trigger the + move of another pending transfer. Previously, it would otherwise wait + until the transfer was done before doing this. This makes queued up + pending transfers get processed (much) faster. + +- http: mark bundle as not for multiuse on < HTTP/2 response - Closes https://github.com/curl/curl/pull/3625 + Fixes #3813 + Closes #3815 -Daniel Stenberg (1 Mar 2019) -- curl_easy_duphandle.3: clarify that a duped handle has no shares +Daniel Gustafsson (1 May 2019) +- cookie: Guard against possible NULL ptr deref - Reported-by: Sara Golemon + In case the name pointer isn't set (due to memory pressure most likely) + we need to skip the prefix matching and reject with a badcookie to avoid + a possible NULL pointer dereference. - Fixes #3592 - Closes #3634 - -- 10-at-a-time.c: fix too long line + Closes #3820 #3821 + Reported-by: Jonathan Moerman + Reviewed-by: Daniel Stenberg -- [Arnaud Rebillout brought this change] +Patrick Monnerat (30 Apr 2019) +- os400: Add CURLOPT_MAXAGE_CONN to ILE/RPG bindings - examples: various fixes in ephiperfifo.c - - The main change here is the timer value that was wrong, it was given in - usecs (ms * 1000), while the itimerspec struct wants nsecs (ms * 1000 * - 1000). This resulted in the callback being invoked WAY TOO OFTEN. 
- - As a quick check you can run this command before and after applying this - commit: - - # shell 1 - ./ephiperfifo 2>&1 | tee ephiperfifo.log - # shell 2 - echo http://hacking.elboulangero.com > hiper.fifo +Kamil Dudka (29 Apr 2019) +- nss: provide more specific error messages on failed init - Then just compare the size of the logs files. + Closes #3808 + +Daniel Stenberg (29 Apr 2019) +- [Reed Loden brought this change] + + docs: minor polish to the bug bounty / security docs - Closes #3633 - Fixes #3632 - 
Signed-off-by: Arnaud Rebillout + Closes #3811 -- urldata: simplify bytecounters +- CURL_MAX_INPUT_LENGTH: largest acceptable string input size - - no need to have them protocol specific + This limits all accepted input strings passed to libcurl to be less than + CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: + curl_easy_setopt() and curl_url_set(). - - no need to set pointers to them with the Curl_setup_transfer() call + The 8000000 number is arbitrary picked and is meant to detect mistakes + or abuse, not to limit actual practical use cases. By limiting the + acceptable string lengths we also reduce the risk of integer overflows + all over. - - make Curl_setup_transfer() operate on a transfer pointer, not - connection + NOTE: This does not apply to `CURLOPT_POSTFIELDS`. - - switch some counters from long to the more proper curl_off_t type + Test 1559 verifies. - Closes #3627 + Closes #3805 -- examples/10-at-a-time.c: improve readability and simplify - - - use better variable names to explain their purposes - - convert logic to curl_multi_wait() +- [Tseng Jun brought this change] -- threaded-resolver: shutdown the resolver thread without error message - - When a transfer is done, the resolver thread will be brought down. That - could accidentally generate an error message in the error buffer even - though this is not an error situationand the transfer would still return - OK. An application that still reads the error buffer could find a - "Could not resolve host: [host name]" message there and get confused. 
+ curlver.h: use parenthesis in CURL_VERSION_BITS macro - Reported-by: Michael Schmid - Fixes #3629 - Closes #3630 - -- [Ԝеѕ brought this change] + Closes #3809 - docs: update max-redirs.d phrasing - - clarify redir - "in absurdum" doesn't seem to make sense in this context - - Closes #3631 +Marcel Raad (27 Apr 2019) +- [Simon Warta brought this change] -- ssh: fix Condition '!status' is always true - - in the same sftp_done function in both SSH backends. Simplify them - somewhat. - - Pointed out by Codacy. + cmake: rename CMAKE_USE_DARWINSSL to CMAKE_USE_SECTRANSP - Closes #3628 + Closes https://github.com/curl/curl/pull/3769 -- test578: make it read data from the correct test +Steve Holme (23 Apr 2019) +- ntlm: Missed pre-processor || (or) during rebase for cd15acd0 -- Curl_easy: remove req.maxfd - never used! - - Introduced in 8b6314ccfb, but not used anymore in current code. Unclear - since when. +- ntlm: Support the NT response in the type-3 when OpenSSL doesn't include MD4 - Closes #3626 + Just like we do for mbed TLS, use our local implementation of MD4 when + OpenSSL doesn't support it. This allows a type-3 message to include the + NT response. -- http: set state.infilesize when sending formposts - - Without it set, we would unwillingly triger the "HTTP error before end - of send, stop sending" condition even if the entire POST body had been - sent (since it wouldn't know the expected size) which would - unnecessarily log that message and close the connection when it didn't - have to. +Daniel Gustafsson (23 Apr 2019) +- INTERNALS: fix misindentation of ToC item - Reported-by: Matt McClure - Bug: https://curl.haxx.se/mail/archive-2019-02/0023.html - Closes #3624 - -- INSTALL: refer to the current TLS library names and configure options - -- FAQ: minor updates and spelling fixes + Kerberos was incorrectly indented as a subsection under FTP, which is + incorrect as they are both top level sections. 
A fix for this was first + attempted in commit fef38a0898322f285401c5ff2f5e7c90dbf3be63 but that + was a few paddles short of being complete. -- GOVERNANCE.md: minor spelling fixes +- [Aron Bergman brought this change] -- Secure Transport: no more "darwinssl" - - Everyone calls it Secure Transport, now we do too. + INTERNALS: Add structs to ToC - Reviewed-by: Nick Zitzmann + Add the subsections under "Structs in libcurl" to the table of contents. - Closes #3619 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -Marcel Raad (27 Feb 2019) -- AppVeyor: add classic MinGW build - - But use the MSYS2 shell rather than the default MSYS shell because of - POSIX path conversion issues. Classic MinGW is only available on the - Visual Studio 2015 image. - - Closes https://github.com/curl/curl/pull/3623 +- [Aron Bergman brought this change] -- AppVeyor: add MinGW-w64 build + INTERNALS: Add code highlighting - Add a MinGW-w64 build using CMake's MSYS Makefiles generator. - Use the Visual Studio 2015 image as it has GCC 8, while the - Visual Studio 2017 image only has GCC 7.2. + Make all struct members under the Curl_handler section + print in monospace font. - Closes https://github.com/curl/curl/pull/3623 + Closes #3801 + Reviewed-by: Daniel Stenberg + Reviewed-by: Daniel Gustafsson -Daniel Stenberg (27 Feb 2019) -- cookies: only save the cookie file if the engine is enabled - - Follow-up to 8eddb8f4259. - - If the cookieinfo pointer is NULL there really is nothing to save. - - Without this fix, we got a problem when a handle was using shared object - with cookies and is told to "FLUSH" it to file (which worked) and then - the share object was removed and when the easy handle was closed just - afterwards it has no cookieinfo and no cookies so it decided to save an - empty jar (overwriting the file just flushed). +Daniel Stenberg (22 Apr 2019) +- docs/BUG-BOUNTY: bug bounty time [skip ci] - Test 1905 now verifies that this works. 
+ Introducing the curl bug bounty program on hackerone. We now recommend + filing security issues directly in the hackerone ticket system which + only is readable to curl security team members. - Assisted-by: Michael Wallner - Assisted-by: Marcel Raad + Assisted-by: Daniel Gustafsson - Closes #3621 - -- [DaVieS brought this change] + Closes #3488 - cacertinmem.c: use multiple certificates for loading CA-chain +Steve Holme (22 Apr 2019) +- sasl: Don't send authcid as authzid for the PLAIN mechanism as per RFC 4616 - Closes #3421 + RFC 4616 specifies the authzid is optional in the client authentication + message and that the server will derive the authorisation identity + (authzid) from the authentication identity (authcid) when not specified + by the client. -- urldata: convert bools to bitfields and move to end - - This allows the compiler to pack and align the structs better in - memory. For a rather feature-complete build on x86_64 Linux, gcc 8.1.2 - makes the Curl_easy struct 4.9% smaller. From 6312 bytes to 6000. +Jay Satiro (22 Apr 2019) +- [Gisle Vanem brought this change] + + memdebug: fix variable name - Removed an unused struct field. + Follow-up to 76b6348 which renamed logfile as curl_dbg_logfile. - No functionality changes. + Ref: https://github.com/curl/curl/commit/76b6348#r33259088 + +Steve Holme (21 Apr 2019) +- vauth/cleartext: Don't send the authzid if it is empty - Closes #3610 + Follow up to 762a292f. -- [Don J Olmstead brought this change] +Daniel Stenberg (21 Apr 2019) +- test 196,197,198: add 'retry' keyword [skip ci] - curl.h: use __has_declspec_attribute for shared builds - - Closes #3616 +- RELEASE-NOTES: synced -- curl: display --version features sorted alphabetically +- CURLOPT_MAXAGE_CONN: set the maximum allowed age for conn reuse - Closes #3611 - -- runtests: detect "schannel" as an alias for "winssl" + ... and disconnect too old ones instead of trying to reuse. - Follow-up to 180501cb02 + Default max age is set to 118 seconds. 
- Reported-by: Marcel Raad - Fixes #3609 - Closes #3620 + Ref: #3722 + Closes #3782 -Marcel Raad (26 Feb 2019) -- AppVeyor: update to Visual Studio 2017 - - Switch all Visual Studio 2015 builds to Visual Studio 2017. It's not a - moving target anymore as the last update, Update 9, has been released. - - Closes https://github.com/curl/curl/pull/3606 +Daniel Gustafsson (20 Apr 2019) +- [Po-Chuan Hsieh brought this change] -- AppVeyor: switch VS 2015 builds to VS 2017 image + altsvc: Fix building with cookies disables - The Visual Studio 2017 image has Visual Studio 2015 and 2017 installed. + ALTSVC requires Curl_get_line which is defined in lib/cookie.c inside a #if + check of HTTP and COOKIES. That makes Curl_get_line undefined if COOKIES is + disabled. Fix by splitting out the function into a separate file which can + be included where needed. - Closes https://github.com/curl/curl/pull/3606 + Closes #3717 + Reviewed-by: Daniel Gustafsson + Reviewed-by: Marcel Raad + +Daniel Stenberg (20 Apr 2019) +- test1002: correct the name [skip ci] -- AppVeyor: explicitly select worker image - - Currently, we're using the default Visual Studio 2015 image for - everything. +- test660: verify CONNECT_ONLY with IMAP - Closes https://github.com/curl/curl/pull/3606 + which basically just makes sure LOGOUT is *not* issued on disconnect -Daniel Stenberg (26 Feb 2019) -- strerror: make the strerror function use local buffers - - Instead of using a fixed 256 byte buffer in the connectdata struct. +- Curl_disconnect: treat all CONNECT_ONLY connections as "dead" - In my build, this reduces the size of the connectdata struct by 11.8%, - from 2160 to 1904 bytes with no functionality or performance loss. + Since the connection has been used by the "outside" we don't know the + state of it anymore and curl should not use it anymore. 
- This also fixes a bug in schannel's Curl_verify_certificate where it - called Curl_sspi_strerror when it should have called Curl_strerror for - string from GetLastError. the only effect would have been no text or the - wrong text being shown for the error. + Bug: https://curl.haxx.se/mail/lib-2019-04/0052.html - Co-authored-by: Jay Satiro + Closes #3795 + +- multi: fix the statenames (follow-up fix from 2f44e94efb3df8e) - Closes #3612 + The list of names must be in sync with the defined states in the header + file! -- [Michael Wallner brought this change] +Steve Holme (16 Apr 2019) +- openvms: Remove pre-processors for Windows as VMS cannot support them - cookies: fix NULL dereference if flushing cookies with no CookieInfo set - - Regression brought by a52e46f3900fb0 (shipped in 7.63.0) +- openvms: Remove pre-processor for SecureTransport as VMS cannot support it - Closes #3613 + Fixes #3768 + Closes #3785 + +Jay Satiro (16 Apr 2019) +- TODO: Add issue link to an existing entry + +Daniel Stenberg (16 Apr 2019) +- RELEASE-NOTES: synced -Marcel Raad (26 Feb 2019) -- AppVeyor: re-enable test 500 +Jay Satiro (16 Apr 2019) +- tool_help: Warn if curl and libcurl versions do not match - It's passing now. + .. because functionality may be affected if the versions differ. - Closes https://github.com/curl/curl/pull/3615 - -- AppVeyor: remove redundant builds + This commit implements TODO 18.7 "warning if curl version is not in sync + with libcurl version". - Remove the Visual Studio 2012 and 2013 builds as they add little value. 
+ Ref: https://github.com/curl/curl/blob/curl-7_64_1/docs/TODO#L1028-L1033 - Ref: https://github.com/curl/curl/pull/3606 - Closes https://github.com/curl/curl/pull/3614 + Closes https://github.com/curl/curl/pull/3774 -Daniel Stenberg (25 Feb 2019) -- RELEASE-NOTES: synced +Steve Holme (16 Apr 2019) +- md5: Update the function signature following d84da52d -- [Bernd Mueller brought this change] +- md5: Forgot to update the code alignment in d84da52d - OpenSSL: add support for TLS ASYNC state +- md5: Return CURLcode from the internally accessible functions - Closes #3591 - -Jay Satiro (25 Feb 2019) -- [Michael Felt brought this change] + Following 28f826b3 to return CURLE_OK instead of numeric 0. - acinclude: add additional libraries to check for LDAP support - - - Add an additional check for LDAP that also checks for OpenSSL since - on AIX those libraries may be required to link LDAP properly. +Daniel Gustafsson (15 Apr 2019) +- tests: Run global cleanup at end of tests - Fixes https://github.com/curl/curl/issues/3595 - Closes https://github.com/curl/curl/pull/3596 - -- [Giorgos Oikonomou brought this change] - - schannel: support CALG_ECDH_EPHEM algorithm + Make sure to run curl_global_cleanup() when shutting down the test + suite to release any resources allocated in the SSL setup. This is + clearly visible when running tests with PolarSSL where the thread + lock calloc() memory which isn't released when not running cleanup. + Below is an excerpt from the autobuild logs: - Add support for Ephemeral elliptic curve Diffie-Hellman key exchange - algorithm option when selecting ciphers. This became available on the - Win10 SDK. 
+ ==12368== 96 bytes in 1 blocks are possibly lost in loss record 1 of 2 + ==12368== at 0x4837B65: calloc (vg_replace_malloc.c:752) + ==12368== by 0x11A76E: curl_dbg_calloc (memdebug.c:205) + ==12368== by 0x145CDF: Curl_polarsslthreadlock_thread_setup + (polarssl_threadlock.c:54) + ==12368== by 0x145B37: Curl_polarssl_init (polarssl.c:865) + ==12368== by 0x14129D: Curl_ssl_init (vtls.c:171) + ==12368== by 0x118B4C: global_init (easy.c:158) + ==12368== by 0x118BF5: curl_global_init (easy.c:221) + ==12368== by 0x118D0B: curl_easy_init (easy.c:299) + ==12368== by 0x114E96: test (lib1906.c:32) + ==12368== by 0x115495: main (first.c:174) - Closes https://github.com/curl/curl/pull/3608 + Closes #3783 + Reviewed-by: Marcel Raad + Reviewed-by: Daniel Stenberg -Daniel Stenberg (24 Feb 2019) -- multi: call multi_done on connect timeouts +Marcel Raad (15 Apr 2019) +- travis: use mbedtls from Xenial - Failing to do so would make the CURLINFO_TOTAL_TIME timeout to not get - updated correctly and could end up getting reported to the application - completely wrong (way too small). + No need to build it from source anymore. - Reported-by: accountantM on github - Fixes #3602 - Closes #3605 + Closes https://github.com/curl/curl/pull/3779 -- examples: remove recursive calls to curl_multi_socket_action +- travis: use libpsl from Xenial - From within the timer callbacks. Recursive is problematic for several - reasons. They should still work, but this way the examples and the - documentation becomes simpler. I don't think we need to encourage - recursive calls. + This makes building libpsl and libidn2 from source unnecessary and + removes the need for the autopoint and libunistring-dev packages. 
- Discussed in #3537 - Closes #3601 + Closes https://github.com/curl/curl/pull/3779 -Marcel Raad (23 Feb 2019) -- configure: remove CURL_CHECK_FUNC_FDOPEN call +Daniel Stenberg (15 Apr 2019) +- runtests: start socksd like other servers - The macro itself has been removed in commit - 11974ac859c5d82def59e837e0db56fef7f6794e. + ... without a $srcdir prefix. Triggered by the failures in several + autobuilds. - Closes https://github.com/curl/curl/pull/3604 + Closes #3781 -Daniel Stenberg (23 Feb 2019) -- wolfssl: stop custom-adding curves - - since wolfSSL PR https://github.com/wolfSSL/wolfssl/pull/717 (shipped in - wolfSSL 3.10.2 and later) it sends these curves by default already. - - Pointed-out-by: David Garske +Daniel Gustafsson (14 Apr 2019) +- socksd: Fix typos - Closes #3599 + Reviewed-by: Daniel Stenberg -- configure: remove the unused fdopen macro +- socksd: Properly decorate static variables - and the two remaining #ifdefs for it + Mark global variables static to avoid compiler warning in Clang when + using -Wmissing-variable-declarations. - Closes #3600 + Closes #3778 + Reviewed-by: Daniel Stenberg -Jay Satiro (22 Feb 2019) -- url: change conn shutdown order to unlink data as last step - - - Split off connection shutdown procedure from Curl_disconnect into new - function conn_shutdown. - - - Change the shutdown procedure to close the sockets before - disassociating the transfer. +Steve Holme (14 Apr 2019) +- md(4|5): Fixed indentation oddities with the importation of replacement code - Prior to this change the sockets were closed after disassociating the - transfer so SOCKETFUNCTION wasn't called since the transfer was already - disassociated. That likely came about from recent work started in - Jan 2019 (#3442) to separate transfers from connections. + The indentation from 211d5329 and 57d6d253 was a little strange as + parts didn't align correctly, uses 4 spaces rather than 2. 
Checked + the indentation of the original source so it aligns, albeit, using + curl style. + +- md5: Code style to return CURLE_OK rather than numeric 0 + +- md5: Corrected code style for some pointer arguments + +Marcel Raad (13 Apr 2019) +- travis: update some builds to xenial - Bug: https://curl.haxx.se/mail/lib-2019-02/0101.html - Reported-by: Pavel Löbl + Xenial comes with more up-to-date software versions and more available + packages, some of which we currently build from source. Unfortunately, + some builds would fail with Xenial because of assertion failures in + Valgrind when using OpenSSL, so leave these at Trusty. - Closes https://github.com/curl/curl/issues/3597 - Closes https://github.com/curl/curl/pull/3598 + Closes https://github.com/curl/curl/pull/3777 -Marcel Raad (22 Feb 2019) -- Fix strict-prototypes GCC warning +Daniel Stenberg (13 Apr 2019) +- test: make tests and test scripts use socksd for SOCKS - As seen in the MinGW autobuilds. Caused by commit - f26bc29cfec0be84c67cf74065cf8e5e78fd68b7. + Make all SOCKS tests use socksd instead of ssh. -Dan Fandrich (21 Feb 2019) -- tests: Fixed XML validation errors in some test files. +- socksd: new SOCKS 4+5 server for tests + + Closes #3752 -Daniel Stenberg (20 Feb 2019) -- TODO: Allow SAN names in HTTP/2 server push +- singleipconnect: show port in the verbose "Trying ..." message - Suggested-by: Nicolas Grekas + To aid debugging better. -- RELEASE-NOTES: synced +- [tmilburn brought this change] -- curl: remove MANUAL from -M output - - ... and remove it from the dist tarball. It has served its time, it - barely gets updated anymore and "everything curl" is now convering all - this document once tried to include, and does it more and better. + CURLOPT_ADDRESS_SCOPE: fix range check and more - In the compressed scenario, this removes ~15K data from the binary, - which is 25% of the -M output. 
+ Commit 9081014 fixed most of the confusing issues between scope id and + scope however 844896d added bad limits checking assuming that the scope + is being set and not the scope id. - It remains in the git repo for now for as long as the web site builds a - page using that as source. It renders poorly on the site (especially for - mobile users) so its not even good there. + I have fixed the documentation so it all refers to scope ids. - Closes #3587 - -- http2: verify :athority in push promise requests + In addition Curl_if2ip refered to the scope id as remote_scope_id which + is incorrect, so I renamed it to local_scope_id. - RFC 7540 says we should verify that the push is for an "authoritative" - server. We make sure of this by only allowing push with an :athority - header that matches the host that was asked for in the URL. + Adjusted-by: Daniel Stenberg - Fixes #3577 - Reported-by: Nicolas Grekas - Bug: https://curl.haxx.se/mail/lib-2019-02/0057.html - Closes #3581 + Closes #3655 + Closes #3765 + Fixes #3713 -- singlesocket: fix the 'sincebefore' placement - - The variable wasn't properly reset within the loop and thus could remain - set for sockets that hadn't been set before and miss notifying the app. +- urlapi: stricter CURLUPART_PORT parsing - This is a follow-up to 4c35574 (shipped in curl 7.64.0) + Only allow well formed decimal numbers in the input. - Reported-by: buzo-ffm on github - Detected-by: Jan Alexander Steffens - Fixes #3585 - Closes #3589 - -- connection: never reuse CONNECT_ONLY conections + Document that the number MUST be between 1 and 65535. - and make CONNECT_ONLY conections never reuse any existing ones either. + Add tests to test 1560 to verify the above. 
- Reported-by: Pavel Löbl - Bug: https://curl.haxx.se/mail/lib-2019-02/0064.html - Closes #3586 + Ref: https://github.com/curl/curl/issues/3753 + Closes #3762 -Patrick Monnerat (19 Feb 2019) -- cli tool: fix mime post with --disable-libcurl-option configure option - - Reported-by: Marcel Raad - Fixes #3576 - Closes #3583 +Jay Satiro (13 Apr 2019) +- [Jan Ehrhardt brought this change] -Daniel Stenberg (19 Feb 2019) -- x509asn1: cleanup and unify code layout - - - rename 'n' to buflen in functions, and use size_t for them. Don't pass - in negative buffer lengths. + winbuild: Support MultiSSL builds - - move most function comments to above the function starts like we use - to + - Remove the lines in winbuild/Makefile.vc that generate an error with + multiple SSL backends. - - remove several unnecessary typecasts (especially of NULL) + - Add /DCURL_WITH_MULTI_SSL in winbuild/MakefileBuild.vc if multiple SSL + backends are set. - Reviewed-by: Patrick Monnerat - Closes #3582 + Closes https://github.com/curl/curl/pull/3772 -- curl_multi_remove_handle.3: use at any time, just not from within callbacks +Daniel Stenberg (12 Apr 2019) +- travis: remove mesalink builds (temporarily?) - [ci skip] - -- http: make adding a blank header thread-safe + Since the mesalink build started to fail on travis, even though we build + a fixed release version, we disable it to prevent it from blocking + progress. - Previously the function would edit the provided header in-place when a - semicolon is used to signify an empty header. This made it impossible to - use the same set of custom headers in multiple threads simultaneously. + Closes #3767 + +- openssl: mark connection for close on TLS close_notify - This approach now makes a local copy when it needs to edit the string. + Without this, detecting and avoid reusing a closed TLS connection + (without a previous GOAWAY) when doing HTTP/2 is tricky. 
- Reported-by: d912e3 on github - Fixes #3578 - Closes #3579 - -- unit1651: survive curl_easy_init() fails - -- [Frank Gevaerts brought this change] + Reported-by: Tom van der Woerdt + Fixes #3750 + Closes #3763 - rand: Fix a mismatch between comments in source and header. - - Reported-by: Björn Stenberg - Closes #3584 +- RELEASE-NOTES: synced -Patrick Monnerat (18 Feb 2019) -- x509asn1: replace single char with an array +Steve Holme (11 Apr 2019) +- vauth/cleartext: Update the PLAIN login function signature to match RFC 4616 - Although safe in this context, using a single char as an array may - cause invalid accesses to adjacent memory locations. + Functionally this doesn't change anything as we still use the username + for both the authorisation identity and the authentication identity. - Detected by Coverity. + Closes #3757 -Daniel Stenberg (18 Feb 2019) -- examples/http2-serverpush: add some sensible error checks - - To avoid NULL pointer dereferences etc in the case of problems. +Daniel Stenberg (11 Apr 2019) +- test1906: verify CURLOPT_CURLU + CURLOPT_PORT usage - Closes #3580 + Based-on-code-by: Poul T Lomholt -Jay Satiro (18 Feb 2019) -- easy: fix win32 init to work without CURL_GLOBAL_WIN32 - - - Change the behavior of win32_init so that the required initialization - procedures are not affected by CURL_GLOBAL_WIN32 flag. - - libcurl via curl_global_init supports initializing for win32 with an - optional flag CURL_GLOBAL_WIN32, which if omitted was meant to stop - Winsock initialization. It did so internally by skipping win32_init() - when that flag was set. Since then win32_init() has been expanded to - include required initialization routines that are separate from - Winsock and therefore must be called in all cases. This commit fixes - it so that CURL_GLOBAL_WIN32 only controls the optional win32 - initialization (which is Winsock initialization, according to our doc). 
+- url: always clone the CUROPT_CURLU handle - The only users affected by this change are those that don't pass - CURL_GLOBAL_WIN32 to curl_global_init. For them this commit removes the - risk of a potential crash. + Since a few code paths actually update that data. - Ref: https://github.com/curl/curl/pull/3573 + Fixes #3753 + Closes #3761 - Fixes https://github.com/curl/curl/issues/3313 - Closes https://github.com/curl/curl/pull/3575 + Reported-by: Poul T Lomholt -Daniel Gustafsson (17 Feb 2019) -- cookie: Add support for cookie prefixes +- CURLOPT_DNS_USE_GLOBAL_CACHE: remove - The draft-ietf-httpbis-rfc6265bis-02 draft, specify a set of prefixes - and how they should affect cookie initialization, which has been - adopted by the major browsers. This adds support for the two prefixes - defined, __Host- and __Secure, and updates the testcase with the - supplied examples from the draft. + Remove the code too. The functionality has been disabled in code since + 7.62.0. Setting this option will from now on simply be ignored and have + no function. - Closes #3554 - Reviewed-by: Daniel Stenberg + Closes #3654 -- mbedtls: release sessionid resources on error +Marcel Raad (11 Apr 2019) +- travis: install libgnutls28-dev only for --with-gnutls build - If mbedtls_ssl_get_session() fails, it may still have allocated - memory that needs to be freed to avoid leaking. Call the library - API function to release session resources on this errorpath as - well as on Curl_ssl_addsessionid() errors. + Reduces the time needed for the other jobs a little. - Closes: #3574 - Reported-by: Michał Antoniak - Reviewed-by: Daniel Stenberg - -Patrick Monnerat (16 Feb 2019) -- cli tool: refactor encoding conversion sequence for switch case fallthrough. - -- version.c: silent scan-build even when librtmp is not enabled - -Daniel Stenberg (15 Feb 2019) -- RELEASE-NOTES: synced + Closes https://github.com/curl/curl/pull/3721 -- Curl_now: figure out windows version in win32_init - - ... 
and avoid use of static variables that aren't thread safe. +- travis: install libnss3-dev only for --with-nss build - Fixes regression from e9ababd4f5a (present in the 7.64.0 release) + Reduces the time needed for the other jobs a little. - Reported-by: Paul Groke - Fixes #3572 - Closes #3573 + Closes https://github.com/curl/curl/pull/3721 -Marcel Raad (15 Feb 2019) -- unit1307: just fail without FTP support - - I missed to check this in with commit - 71786c0505926aaf7e9b2477b2fb7ee16a915ec6, which only disabled the test. - This fixes the actual linker error. +- travis: install libssh2-dev only for --with-libssh2 build - Closes https://github.com/curl/curl/pull/3568 - -Daniel Stenberg (15 Feb 2019) -- travis: enable valgrind for the iconv tests too + Reduces the time needed for the other jobs a little. - Closes #3571 + Closes https://github.com/curl/curl/pull/3721 -- travis: add scan-build +- travis: install libssh-dev only for --with-libssh build - Closes #3564 - -- examples/sftpuploadresume: Value stored to 'result' is never read + Reduces the time needed for the other jobs a little. - Detected by scan-build + Closes https://github.com/curl/curl/pull/3721 -- examples/http2-upload: cleaned up +- travis: install krb5-user only for --with-gssapi build - Fix scan-build warnings, no globals, no silly handle scan. Also remove - handles from the multi before cleaning up. - -- examples/http2-download: cleaned up + Reduces the time needed for the other jobs a little. - To avoid scan-build warnings and global variables. + Closes https://github.com/curl/curl/pull/3721 -- examples/postinmemory: Potential leak of memory pointed to by 'chunk.memory' +- travis: install lcov only for the coverage job - Detected by scan-build - -- examples/httpcustomheader: Value stored to 'res' is never read + Reduces the time needed for the other jobs a little. 
- Detected by scan-build + Closes https://github.com/curl/curl/pull/3721 -- examples: remove superfluous null-pointer checks +- travis: install clang only when needed - in ftpget, ftpsget and sftpget, so that scan-build stops warning for - potential NULL pointer dereference below! + This reduces the GCC job runtimes a little and it's needed to + selectively update clang builds to xenial. - Detected by scan-build + Closes https://github.com/curl/curl/pull/3721 -- strip_trailing_dot: make sure NULL is never used for strlen +- AppVeyor: enable testing for WinSSL build - scan-build warning: Null pointer passed as an argument to a 'nonnull' - parameter - -- [Jay Satiro brought this change] + Closes https://github.com/curl/curl/pull/3725 - connection_check: restore original conn->data after the check - - - Save the original conn->data before it's changed to the specified - data transfer for the connection check and then restore it afterwards. - - This is a follow-up to 38d8e1b 2019-02-11. - - History: - - It was discovered a month ago that before checking whether to extract a - dead connection that that connection should be associated with a "live" - transfer for the check (ie original conn->data ignored and set to the - passed in data). A fix was landed in 54b201b which did that and also - cleared conn->data after the check. The original conn->data was not - restored, so presumably it was thought that a valid conn->data was no - longer needed. +- build: fix Codacy/CppCheck warnings - Several days later it was discovered that a valid conn->data was needed - after the check and follow-up fix was landed in bbae24c which partially - reverted the original fix and attempted to limit the scope of when - conn->data was changed to only when pruning dead connections. In that - case conn->data was not cleared and the original conn->data not - restored. 
+ - remove unused variables + - declare conditionally used variables conditionally + - suppress unused variable warnings in the CMake tests + - remove dead variable stores + - consistently use WIN32 macro to detect Windows - A month later it was discovered that the original fix was somewhat - correct; a "live" transfer is needed for the check in all cases - because original conn->data could be null which could cause a bad deref - at arbitrary points in the check. A fix was landed in 38d8e1b which - expanded the scope to all cases. conn->data was not cleared and the - original conn->data not restored. + Closes https://github.com/curl/curl/pull/3739 + +- polarssl_threadlock: remove conditionally unused code - A day later it was discovered that not restoring the original conn->data - may lead to busy loops in applications that use the event interface, and - given this observation it's a pretty safe assumption that there is some - code path that still needs the original conn->data. This commit is the - follow-up fix for that, it restores the original conn->data after the - connection check. + Make functions no-ops if neither both USE_THREADS_POSIX and + HAVE_PTHREAD_H nor both USE_THREADS_WIN32 and HAVE_PROCESS_H are + defined. Previously, if only one of them was defined, there was either + code compiled that did nothing useful or the wrong header included for + the functions used. - Assisted-by: tholin@users.noreply.github.com - Reported-by: tholin@users.noreply.github.com + Also, move POLARSSL_MUTEX_T define to implementation file as it's not + used externally. - Fixes https://github.com/curl/curl/issues/3542 - Closes #3559 + Closes https://github.com/curl/curl/pull/3739 -- memdebug: bring back curl_mark_sclose +- lib557: initialize variables - Used by debug builds with NSS. + These variables are only conditionally initialized. 
- Reverted from 05b100aee247bb + Closes https://github.com/curl/curl/pull/3739 -Patrick Monnerat (14 Feb 2019) -- transfer.c: do not compute length of undefined hex buffer. - - On non-ascii platforms, the chunked hex header was measured for char code - conversion length, even for chunked trailers that do not have an hex header. - In addition, the efective length is already known: use it. - Since the hex length can be zero, only convert if needed. +- lib509: add missing include for strdup - Reported by valgrind. + Closes https://github.com/curl/curl/pull/3739 -Daniel Stenberg (14 Feb 2019) -- KNOWN_BUGS: Cannot compile against a static build of OpenLDAP +- README.md: fix no-consecutive-blank-lines Codacy warning - Closes #2367 - -Patrick Monnerat (14 Feb 2019) -- x509asn1: "Dereference of null pointer" + Consistently use one blank line between blocks. - Detected by scan-build (false positive). + Closes https://github.com/curl/curl/pull/3739 -Daniel Stenberg (14 Feb 2019) -- configure: show features as well in the final summary +- tests/server/util: fix Windows Unicode build - Closes #3569 - -- KNOWN_BUGS: curl compiled on OSX 10.13 failed to run on OSX 10.10 + Always use the ANSI version of FormatMessage as we don't have the + curl_multibyte gear available here. - Closes #2905 + Closes https://github.com/curl/curl/pull/3758 -- KNOWN_BUGS: Deflate error after all content was received - - Closes #2719 +Daniel Stenberg (11 Apr 2019) +- curl_easy_getinfo.3: fix minor formatting mistake -- gssapi: fix deprecated header warnings +Daniel Gustafsson (11 Apr 2019) +- xattr: skip unittest on unsupported platforms - Heimdal includes on FreeBSD spewed out lots of them. Less so now. 
+ The stripcredentials unittest fails to compile on platforms without + xattr support, for example the Solaris member in the buildfarm which + fails with the following: - Closes #3566 - -- TODO: Upgrade to websockets + CC unit1621-unit1621.o + CC ../libtest/unit1621-first.o + CCLD unit1621 + Undefined first referenced + symbol in file + stripcredentials unit1621-unit1621.o + goto problem 2 + ld: fatal: symbol referencing errors. No output written to .libs/unit1621 + collect2: error: ld returned 1 exit status + gmake[2]: *** [Makefile:996: unit1621] Error 1 - Closes #3523 - -- TODO: cmake test suite improvements + Fix by excluding the test on such platforms by using the reverse + logic from where stripcredentials() is defined. - Closes #3109 + Closes #3759 + Reviewed-by: Daniel Stenberg -Patrick Monnerat (13 Feb 2019) -- curl: "Dereference of null pointer" - - Rephrase to satisfy scan-build. +Steve Holme (11 Apr 2019) +- emailL Added reference to RFC8314 for implicit TLS -Marcel Raad (13 Feb 2019) -- unit1307: require FTP support - - This test doesn't link without FTP support after - fc7ab4835b5fd09d0a6f57000633bb6bb6edfda1, which made Curl_fnmatch - unavailable without FTP support. +- README: Schannel, stop calling it "winssl" - Closes https://github.com/curl/curl/pull/3565 + Stick to "Schannel" everywhere - follow up to 180501cb. -Daniel Stenberg (13 Feb 2019) -- TODO: TFO support on Windows +Jakub Zakrzewski (10 Apr 2019) +- cmake: clear CMAKE_REQUIRED_LIBRARIES after each use - Nobody works on this now. + This fixes GSSAPI builds with the libraries in a non-standard location. + The testing for recv() were failing because it failed to link + the Kerberos libraries, which are not needed for this or subsequent + tests. - Closes #3378 + fixes #3743 + closes #3744 -- multi: Dereference of null pointer - - Mostly a false positive, but this makes the code easier to read anyway. +- cmake: avoid linking executable for some tests with cmake 3.6+ - Detected by scan-build. 
+ With CMAKE_TRY_COMPILE_TARGET_TYPE set to STATIC_LIBRARY, the try_compile() + (which is used by check_c_source_compiles()) will build static library + instead of executable. This avoids linking additional libraries in and thus + speeds up those checks a little. - Closes #3563 - -- urlglob: Argument with 'nonnull' attribute passed null + This commit also avoids #3743 (GSSAPI build errors) on itself with cmake + 3.6 or above. That issue was fixed separately for all versions. - Detected by scan-build. + Ref: #3744 -Jay Satiro (12 Feb 2019) -- schannel: restore some debug output but only for debug builds +- cmake: minor cleanup - Follow-up to 84c10dc from earlier today which wrapped a lot of the noisy - debug output in DEBUGF but omitted a few lines. + - Remove nneeded include_regular_expression. + It was setting what is already a default. - Ref: https://github.com/curl/curl/commit/84c10dc#r32292900 - -- examples/crawler: Fix the Accept-Encoding setting + - Remove duplicated include. - - Pass an empty string to CURLOPT_ACCEPT_ENCODING to use the default - supported encodings. + - Don't check for pre-3.0.0 CMake version. + We already require at least 3.0.0, so it's just clutter. - Prior to this change the specific encodings of gzip and deflate were set - but there's no guarantee they'd be supported by the user's libcurl. + Ref: #3744 -Daniel Stenberg (12 Feb 2019) -- mime: put the boundary buffer into the curl_mime struct - - ... instead of allocating it separately and point to it. It is - fixed-size and always used for each part. - - Closes #3561 +Steve Holme (8 Apr 2019) +- build-openssl.bat: Fixed support for OpenSSL v1.1.0+ -- schannel: be quiet - - Convert numerous infof() calls into debug-build only messages since they - are annoyingly verbose for regular applications. Removed a few. 
- - Bug: https://curl.haxx.se/mail/lib-2019-02/0027.html - Reported-by: Volker Schmid - Closes #3552 +- build-openssl.bat: Perfer the use of if statements rather than goto (where possible) + +- build-openssl.bat: Perform the install for each build type directly after the build -- [Romain Geissler brought this change] +- build-openssl.bat: Split the install of static and shared build types - Curl_resolv: fix a gcc -Werror=maybe-uninitialized warning - - Closes #3562 +- build-openssl.bat: Split the building of static and shared build types -- http2: multi_connchanged() moved from multi.c, only used for h2 - - Closes #3557 +- build-openssl.bat: Move the installation into a separate function -- curl: "Function call argument is an uninitialized value" - - Follow-up to cac0e4a6ad14b42471eb - - Detected by scan-build - Closes #3560 +- build-openssl.bat: Move the build step into a separate function -- pretransfer: don't strlen() POSTFIELDS set for GET requests - - ... since that data won't be used in the request anyway. - - Fixes #3548 - Reported-by: Renaud Allard - Close #3549 +- build-openssl.bat: Move the OpenSSL configuration into a separate function -- multi: remove verbose "Expire in" ... messages +- build-openssl.bat: Fixed the BUILD_CONFIG variable not being initialised - Reported-by: James Brown - Bug: https://curl.haxx.se/mail/archive-2019-02/0013.html - Closes #3558 + Should the parent environment set this variable then the build might + not be performed as the user intended. + +Daniel Stenberg (8 Apr 2019) +- socks: fix error message -- mbedtls: make it build even if MBEDTLS_VERSION_C isn't set +- config.d: clarify that initial : and = might need quoting [skip ci] - Reported-by: MAntoniak on github - Fixes #3553 - Closes #3556 + Fixes #3738 + Closes #3749 -Daniel Gustafsson (12 Feb 2019) -- non-ascii.c: fix typos in comments +- RELEASE-NOTES: synced - Fix two occurrences of s/convers/converts/ spotted while reading code. 
+ bumped to 7.65.0 for next release -Daniel Stenberg (12 Feb 2019) -- fnmatch: disable if FTP is disabled +- socks5: user name and passwords must be shorter than 256 - Closes #3551 + bytes... since the protocol needs to store the length in a single byte field. + + Reported-by: XmiliaH on github + Fixes #3737 + Closes #3740 -- curl_path: only enabled for SSH builds +- [Jakub Zakrzewski brought this change] -- [Frank Gevaerts brought this change] + test: urlapi: urlencode characters above 0x7f correctly - tests: add stderr comparison to the test suite - - The code is more or less copied from the stdout comparison code, maybe - some better reuse is possible. - - test 1457 is adjusted to make the output actually match (by using --silent) - test 506 used without actually needing it, so that block is removed - - Closes #3536 +- [Jakub Zakrzewski brought this change] -Patrick Monnerat (11 Feb 2019) -- cli tool: do not use mime.h private structures. - - Option -F generates an intermediate representation of the mime structure - that is used later to create the libcurl mime structure and generate - the --libcurl statements. + urlapi: urlencode characters above 0x7f correctly - Reported-by: Daniel Stenberg - Fixes #3532 - Closes #3546 + fixes #3741 + Closes #3742 -Daniel Stenberg (11 Feb 2019) -- curlver: bump to 7.64.1-dev +- [Even Rouault brought this change] -- RELEASE-NOTES: synced + multi_runsingle(): fix use-after-free - and bump the version in progress to 7.64.1. If we merge any "change" - before the cut-off date, we update again. - -Daniel Gustafsson (11 Feb 2019) -- curl: follow-up to 3f16990ec84 + Fixes #3745 + Closes #3746 + + The following snippet + ``` - Commit 3f16990ec84cc4b followed-up a bug in b49652ac66cc0 but was - inadvertently introducing a new bug in the ternary expression. 
+ int main() + { + CURL* hCurlHandle = curl_easy_init(); + curl_easy_setopt(hCurlHandle, CURLOPT_URL, "http://example.com"); + curl_easy_setopt(hCurlHandle, CURLOPT_PROXY, "1"); + curl_easy_perform(hCurlHandle); + curl_easy_cleanup(hCurlHandle); + return 0; + } + ``` + triggers the following Valgrind warning - Close #3555 - Reviewed-by: Daniel Stenberg - -- dns: release sharelock as soon as possible + ``` + ==4125== Invalid read of size 8 + ==4125== at 0x4E7D1EE: Curl_llist_remove (llist.c:97) + ==4125== by 0x4E7EF5C: detach_connnection (multi.c:798) + ==4125== by 0x4E80545: multi_runsingle (multi.c:1451) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Address 0x9b3d1d0 is 1,120 bytes inside a block of size 1,600 free'd + ==4125== at 0x4C2ECF0: free (vg_replace_malloc.c:530) + ==4125== by 0x4E62C36: conn_free (url.c:756) + ==4125== by 0x4E62D34: Curl_disconnect (url.c:818) + ==4125== by 0x4E48DF9: Curl_once_resolved (hostip.c:1097) + ==4125== by 0x4E8052D: multi_runsingle (multi.c:1446) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ==4125== Block was alloc'd at + ==4125== at 0x4C2F988: calloc (vg_replace_malloc.c:711) + ==4125== by 0x4E6438E: allocate_conn (url.c:1654) + ==4125== by 0x4E685B4: create_conn (url.c:3496) + ==4125== by 0x4E6968F: Curl_connect (url.c:4023) + ==4125== by 0x4E802E7: multi_runsingle (multi.c:1368) + ==4125== by 0x4E8197C: curl_multi_perform (multi.c:2072) + ==4125== by 0x4E766A0: easy_transfer (easy.c:625) + ==4125== by 0x4E76915: easy_perform (easy.c:719) + ==4125== by 0x4E7697C: 
curl_easy_perform (easy.c:738) + ==4125== by 0x4008BE: main (in /home/even/curl/test) + ``` - There is no benefit to holding the data sharelock when freeing the - addrinfo in case it fails, so ensure releaseing it as soon as we can - rather than holding on to it. This also aligns the code with other - consumers of sharelocks. + This has been bisected to commit 2f44e94 - Closes #3516 - Reviewed-by: Daniel Stenberg + Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14109 + Credit to OSS Fuzz -Daniel Stenberg (11 Feb 2019) -- curl: follow-up to b49652ac66cc0 +- pipelining: removed - On FreeBSD, return non-zero on error otherwise zero. + As previously planned and documented in DEPRECATE.md, all pipelining + code is removed. - Reported-by: Marcel Raad + Closes #3651 -- multi: (void)-prefix when ignoring return values - - ... and added braces to two function calls which fixes warnings if they - are replace by empty macros at build-time. +- [cclauss brought this change] -- curl: fix FreeBSD compiler warning in the --xattr code + tests: make Impacket (SMB server) Python 3 compatible - Closes #3550 + Closes #3731 + Fixes #3289 + +Marcel Raad (6 Apr 2019) +- [Simon Warta brought this change] -- connection_check: set ->data to the transfer doing the check + cmake: set SSL_BACKENDS - The http2 code for connection checking needs a transfer to use. Make - sure a working one is set before handler->connection_check() is called. + This groups all SSL backends into the feature "SSL" and sets the + SSL_BACKENDS analogue to configure.ac - Reported-by: jnbr on github - Fixes #3541 - Closes #3547 + Closes https://github.com/curl/curl/pull/3736 -- hostip: make create_hostcache_id avoid alloc + free - - Closes #3544 +- [Simon Warta brought this change] -- scripts/singleuse: script to use to track single-use functions - - That is functions that are declared global but are not used from outside - of the file in which it is declared. 
Such functions should be made - static or even at times be removed. + cmake: don't run SORT on empty list - It also verifies that all used curl_ prefixed functions are "blessed" + In case of an empty list, SORTing leads to the cmake error "list + sub-command SORT requires list to be present." - Closes #3538 + Closes https://github.com/curl/curl/pull/3736 -- cleanup: make local functions static - - urlapi: turn three local-only functions into statics - - conncache: make conncache_find_first_connection static - - multi: make detach_connnection static - - connect: make getaddressinfo static - - curl_ntlm_core: make hmac_md5 static - - http2: make two functions static - - http: make http_setup_conn static - - connect: make tcpnodelay static - - tests: make UNITTEST a thing to mark functions with, so they can be static for - normal builds and non-static for unit test builds - - ... and mark Curl_shuffle_addr accordingly. - - url: make up_free static - - setopt: make vsetopt static - - curl_endian: make write32_le static +Daniel Gustafsson (5 Apr 2019) +- [Eli Schwartz brought this change] + + configure: fix default location for fish completions - rtsp: make rtsp_connisdead static + Fish defines a vendor completions directory for completions that are not + installed as part of the fish project itself, and the vendor completions + are preferred if they exist. This prevents trying to overwrite the + builtin curl.fish completion (or creating file conflicts in distro + packaging). - warnless: remove unused functions + Prefer the pkg-config defined location exported by fish, if it can be + found, and fall back to the correct directory defined by most systems. - memdebug: remove one unused function, made another static + Closes #3723 + Reviewed-by: Daniel Gustafsson -Dan Fandrich (10 Feb 2019) -- cirrus: Added FreeBSD builds using Cirrus CI. 
+Marcel Raad (5 Apr 2019) +- ftplistparser: fix LGTM alert "Empty block without comment" - The build logs will be at https://cirrus-ci.com/github/curl/curl + Removing the block is consistent with line 954/957. - Some tests are currently failing and so disabled for now. The SSH server - isn't starting for the SSH tests due to unsupported options used in its - config file. The DICT server also is failing on startup. + Closes https://github.com/curl/curl/pull/3732 -Daniel Stenberg (9 Feb 2019) -- url/idnconvert: remove scan for <= 32 ascii values +- transfer: fix LGTM alert "Comparison is always true" - The check was added back in fa939220df before the URL parser would catch - these problems and therefore these will never trigger now. + Just remove the redundant condition, which also makes it clear that + k->buf is always 0-terminated if this break is not hit. - Closes #3539 + Closes https://github.com/curl/curl/pull/3732 -- urlapi: reduce variable scope, remove unreachable 'break' - - Both nits pointed out by codacy.com - - Closes #3540 +Jay Satiro (4 Apr 2019) +- [Rikard Falkeborn brought this change] -Alessandro Ghedini (7 Feb 2019) -- zsh.pl: escape ':' character + smtp: fix compiler warning + + - Fix clang string-plus-int warning. - ':' is interpreted as separator by zsh, so if used as part of the argument - or option's description it needs to be escaped. + Clang 8 warns about adding a string to an int does not append to the + string. Indeed it doesn't, but that was not the intention either. Use + array indexing as suggested to silence the warning. There should be no + functional changes. - The problem can be reproduced as follows: + (In other words clang warns about "foo"+2 but not &"foo"[2] so use the + latter.) 
- % curl --reso - % curl -E + smtp.c:1221:29: warning: adding 'int' to a string does not append to the + string [-Wstring-plus-int] + eob = strdup(SMTP_EOB + 2); + ~~~~~~~~~~~~~~~~^~~~ - Bug: https://bugs.debian.org/921452 + Closes https://github.com/curl/curl/pull/3729 diff --git a/libs/libcurl/docs/COPYING b/libs/libcurl/docs/COPYING index 3528bd7566..9d9e4af8d8 100644 --- a/libs/libcurl/docs/COPYING +++ b/libs/libcurl/docs/COPYING @@ -1,6 +1,6 @@ COPYRIGHT AND PERMISSION NOTICE -Copyright (c) 1996 - 2019, Daniel Stenberg, , and many +Copyright (c) 1996 - 2020, Daniel Stenberg, , and many contributors, see the THANKS file. All rights reserved. diff --git a/libs/libcurl/docs/THANKS b/libs/libcurl/docs/THANKS index 884906ae26..af74c0bd6a 100644 --- a/libs/libcurl/docs/THANKS +++ b/libs/libcurl/docs/THANKS @@ -7,6 +7,7 @@ "Captain Basil" "Spoon Man" 1ocalhost on github +3dyd on github Aaro Koskinen Aaron Oneal Aaron Orenstein @@ -96,11 +97,13 @@ Anders Bakken Anders Gustafsson Anders Havn Anders Roxell +Anderson Sasaki Anderson Toshiyuki Sasaki Andi Jahja Andre Guibert de Bruet Andre Heinecke Andreas Damm +Andreas Falkenhahn Andreas Farber Andreas Kostyrka Andreas Malzahn @@ -126,6 +129,7 @@ Andrew Biggs Andrew Bushnell Andrew Francis Andrew Fuller +Andrew Ishchuk Andrew Krieger Andrew Kurushin Andrew Lambert @@ -221,6 +225,7 @@ Bill Middlecamp Bill Nagel Bill Pyne Bjarni Ingi Gislason +Bjoern Franke Bjoern Sikora Bjorn Augustsson Bjorn Reese @@ -318,6 +323,7 @@ Christopher Conroy Christopher Head Christopher Palow Christopher R. Palmer +Christopher Reid Christopher Stone Chungtsun Li Ciprian Badescu @@ -347,6 +353,7 @@ Craig de Stigter Cris Bailiff Cristian Rodríguez Curt Bogmine +Cynthia Coan Cyril B Cyrill Osterwalder Cédric Connes @@ -792,6 +799,7 @@ Jan Kunder Jan Schaumann Jan Schmidt Jan Van Boghout +JanB on github Janne Johansson Jared Jennings Jared Lundell 
@@ -826,6 +834,7 @@ Jeff Hodges Jeff Johnson Jeff King Jeff Lawson +Jeff Mears Jeff Phillips Jeff Pohlmeyer Jeff Weber @@ -901,6 +910,7 @@ John Marino John Marshall John McGowan John P. McCaskey +John Schroeder John Starks John Suprock John V. Chow @@ -1165,6 +1175,7 @@ Markus Koetter Markus Moeller Markus Oberhumer Markus Westerlind +Maros Priputen Marquis de Muesli Martijn Koster Martin Ankerl @@ -1186,6 +1197,7 @@ Martin Storsjö Martin Vejnár Marty Kuhrt Maruko +Massimiliano Fantuzzi Massimiliano Ziccardi Massimo Callegari Mateusz Loskot @@ -1215,6 +1227,7 @@ Mauro Iorio Mauro Rappa Max Dymond Max Katsev +Max Kellermann Max Khon Max Savenkov Maxim Ivanov @@ -1235,6 +1248,7 @@ Michael Cronenworth Michael Curtis Michael Day Michael Felt +Michael Forney Michael Gmelin Michael Goffioul Michael Jahn @@ -1254,6 +1268,7 @@ Michael Smith Michael Stapelberg Michael Steuer Michael Stillwell +Michael Vittiglio Michael Wallner Michal Bonino Michal Marek @@ -1293,6 +1308,7 @@ Miroslav Spousta Mitz Wark Mohamed Lrhazi Mohammad AlSaleh +Mohammad Hasbini Mohun Biswas Mostyn Bramley-Moore Moti Avrahami @@ -1401,6 +1417,7 @@ Paul Dreik Paul Groke Paul Harrington Paul Harris +Paul Hoffman Paul Howarth Paul Joyce Paul Marks @@ -1410,6 +1427,7 @@ Paul Nolan Paul Oliver Paul Querna Paul Saab +Paulo Roberto Tomasi Pavel Cenek Pavel Gushchin Pavel Löbl @@ -1504,6 +1522,7 @@ Rajkumar Mandal Ralf S. Engelschall Ralph Beckmann Ralph Mitchell +Ram Krushna Mishra Ran Mozes Randall S. Becker Randy Armstrong @@ -1541,6 +1560,7 @@ Richard Adams Richard Alcock Richard Archer Richard Atterer +Richard Bowker Richard Bramante Richard Clayton Richard Cooper @@ -1558,6 +1578,7 @@ Rick Deist Rick Jones Rick Richardson Rick Welykochy +Rickard Hallerbäck Ricki Hirner Ricky Leverence Ricky-Tigg on github @@ -1626,6 +1647,7 @@ Ryuichi KAWAMATA Rémy Léone S. Moonesamy SBKarr on github +SLDiggie on github Salah-Eddin Shaban Salvador Dávila Salvatore Sorrentino 
@@ -1641,6 +1663,7 @@ Samuel Thibault Sander Gates Sandor Feldi Santhana Todatry +Santino Keupp Saqib Ali Sara Golemon Saran Neti @@ -1677,6 +1700,7 @@ Seth Mos Sevan Janiyan Sh Diao Shachaf Ben-Kiki +Shailesh Kapse Shankar Jadhavar Shao Shuchao Sharad Gupta @@ -1883,6 +1907,7 @@ Vasy Okhin Venkat Akella Venkataramana Mokkapati Vicente Garcia +Victor Magierski Victor Snezhko Vijay Panghal Vikram Saxena @@ -1901,6 +1926,7 @@ Vlad Ureche Vladimir Grishchenko Vladimir Kotal Vladimir Lazarenko +Vlastimil Ovčáčík Vojtech Janota Vojtech Minarik Vojtěch Král @@ -1930,7 +1956,9 @@ Wu Yongzheng Wyatt O'Day Xavier Bouchoux XhstormR on github +Xiang Xiao Xiangbin Li +Xiaoyin Liu XmiliaH on github Yaakov Selkowitz Yang Tse @@ -1971,9 +1999,11 @@ anshnd on github arainchik on github asavah on github baumanj on github +bdry on github bobmitchell1956 on github bsammon on github buzo-ffm on github +bxac on github cbartl on github cclauss on github clbr on github @@ -2007,6 +2037,7 @@ jungle-boogie on github jveazey on github jzinn on github ka7 on github +kouzhudong on github kreshano on github l00p3r on Hackerone lijian996 on github @@ -2037,6 +2068,7 @@ patelvivekv1993 on github patnyb on github pendrek at hackerone pszemus on github +sayrer on github silveja1 on github smuellerDD on github sstruchtrup on github diff --git a/libs/libcurl/include/curl/curl.h b/libs/libcurl/include/curl/curl.h index dcbe8995cb..a9754fd648 100644 --- a/libs/libcurl/include/curl/curl.h +++ b/libs/libcurl/include/curl/curl.h @@ -154,7 +154,8 @@ typedef enum { CURLSSLBACKEND_SECURETRANSPORT = 9, CURLSSLBACKEND_AXTLS = 10, /* never used since 7.63.0 */ CURLSSLBACKEND_MBEDTLS = 11, - CURLSSLBACKEND_MESALINK = 12 + CURLSSLBACKEND_MESALINK = 12, + CURLSSLBACKEND_BEARSSL = 13 } curl_sslbackend; /* aliases for library clones and renames */ 
@@ -209,6 +210,11 @@ struct curl_httppost { set. Added in 7.46.0 */ }; + +/* This is a return code for the progress callback that, when returned, will + signal libcurl to continue executing the default progress function */ +#define CURL_PROGRESSFUNC_CONTINUE 0x10000001 + /* This is the CURLOPT_PROGRESSFUNCTION callback prototype. It is now considered deprecated but was the only choice up until 7.31.0 */ typedef int (*curl_progress_callback)(void *clientp, @@ -602,6 +608,7 @@ typedef enum { inside a callback */ CURLE_AUTH_ERROR, /* 94 - an authentication function returned an error */ + CURLE_HTTP3, /* 95 - An HTTP/3 layer problem */ CURL_LAST /* never use! */ } CURLcode; @@ -821,6 +828,10 @@ typedef enum { SSL backends where such behavior is present. */ #define CURLSSLOPT_NO_REVOKE (1<<1) +/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a partial certificate chain + if possible. The OpenSSL backend has this ability. */ +#define CURLSSLOPT_NO_PARTIALCHAIN (1<<2) + /* The default connection attempt delay in milliseconds for happy eyeballs. CURLOPT_HAPPY_EYEBALLS_TIMEOUT_MS.3 and happy-eyeballs-timeout-ms.d document this value, keep them in sync. */ @@ -945,6 +956,8 @@ typedef enum { /* The macro "##" is ISO C, we assume pre-ISO C doesn't support it. */ #define LONG CURLOPTTYPE_LONG #define OBJECTPOINT CURLOPTTYPE_OBJECTPOINT +#define STRINGPOINT CURLOPTTYPE_OBJECTPOINT +#define SLISTPOINT CURLOPTTYPE_OBJECTPOINT #define FUNCTIONPOINT CURLOPTTYPE_FUNCTIONPOINT #define OFF_T CURLOPTTYPE_OFF_T #define CINIT(name,type,number) CURLOPT_/**/name = type + number diff --git a/libs/libcurl/include/curl/curlver.h b/libs/libcurl/include/curl/curlver.h index cab09eebda..85b93553ca 100644 --- a/libs/libcurl/include/curl/curlver.h +++ b/libs/libcurl/include/curl/curlver.h 
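Review bot: The new comment on `CURLSSLOPT_NO_PARTIALCHAIN` never says what a "partial chain" is or which way the default goes, and this flag changes what the TLS backend accepts as a trusted peer, so a caller has to guess at a security-relevant setting. Presumably the default (flag unset) lets the OpenSSL backend accept a chain that terminates at a trusted intermediate in the CA store instead of requiring a self-signed root, and the flag turns that off; I would say so and mark the version, e.g. `/* - NO_PARTIALCHAIN tells libcurl to *NOT* accept a chain that ends at a trusted non-root (intermediate) certificate; by default such chains are accepted on backends that support it (currently OpenSSL). Added in 7.68.0 */`. The `CURL_PROGRESSFUNC_CONTINUE` define earlier in the hunk would likewise benefit from one sentence stating that every other non-zero return from the callback still aborts the transfer, since that is the existing contract this value carves an exception out of.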
@@ -30,12 +30,12 @@
 /* This is the version number of the libcurl package from which this header file origins: */
-#define LIBCURL_VERSION "7.67.0"
+#define LIBCURL_VERSION "7.68.0"
 /* The numeric version number is also available "in parts" by using these defines: */
 #define LIBCURL_VERSION_MAJOR 7
-#define LIBCURL_VERSION_MINOR 67
+#define LIBCURL_VERSION_MINOR 68
 #define LIBCURL_VERSION_PATCH 0
 /* This is the numeric version of the libcurl version number, meant for easier
@@ -57,7 +57,7 @@ CURL_VERSION_BITS() macro since curl's own configure script greps for it and needs it to contain the full number. */
-#define LIBCURL_VERSION_NUM 0x074300
+#define LIBCURL_VERSION_NUM 0x074400
 /* This is the date and time when the full source package was created. The
@@ -68,7 +68,7 @@
 *
 * "2007-11-23"
 */
-#define LIBCURL_TIMESTAMP "2019-11-06"
+#define LIBCURL_TIMESTAMP "2020-01-08"
 #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z))
 #define CURL_AT_LEAST_VERSION(x,y,z) \
diff --git a/libs/libcurl/include/curl/multi.h b/libs/libcurl/include/curl/multi.h
index b392183954..04996ffcaf 100644
--- a/libs/libcurl/include/curl/multi.h
+++ b/libs/libcurl/include/curl/multi.h
@@ -7,7 +7,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@@ -72,6 +72,7 @@ typedef enum {
 attempted to get added - again */
 CURLM_RECURSIVE_API_CALL, /* an api function was called from inside a callback */
+  CURLM_WAKEUP_FAILURE, /* wakeup is unavailable or failed */
 CURLM_LAST
 } CURLMcode;
@@ -187,6 +188,15 @@ CURL_EXTERN CURLMcode curl_multi_poll(CURLM *multi_handle, int timeout_ms, int *ret); +/* + * Name: curl_multi_wakeup() + * + * Desc: wakes up a sleeping curl_multi_poll call. + * + * Returns: CURLMcode type, general multi error code. + */ +CURL_EXTERN CURLMcode curl_multi_wakeup(CURLM *multi_handle); + /* * Name: curl_multi_perform() * @@ -451,9 +461,6 @@ typedef int (*curl_push_callback)(CURL *parent, struct curl_pushheaders *headers, void *userp); -/* value for MAXIMUM CONCURRENT STREAMS upper limit */ -#define INITIAL_MAX_CONCURRENT_STREAMS ((1U << 31) - 1) - #ifdef __cplusplus } /* end of extern "C" */ #endif diff --git a/libs/libcurl/include/curl/system.h b/libs/libcurl/include/curl/system.h index cd37c2bf54..867af61418 100644 --- a/libs/libcurl/include/curl/system.h +++ b/libs/libcurl/include/curl/system.h 
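Review bot: Deleting `INITIAL_MAX_CONCURRENT_STREAMS` from this installed public header is a source-compatibility break for any consumer code that referenced it, and nothing in the hunk records that it moved private; a grep of this repository for the name before taking the update would confirm no local code depends on it. The new `curl_multi_wakeup()` comment should also state the property that is its whole reason to exist — presumably it is the one multi function intended to be called from a different thread while another thread is blocked in `curl_multi_poll` — e.g. `Desc: wakes up a sleeping curl_multi_poll call. Intended to be callable from a thread other than the one blocked in curl_multi_poll.`, if that is what the implementation guarantees. Without that sentence a reader cannot tell whether calling it from a second thread is supported or a data race.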
@@ -137,15 +137,26 @@ # define CURL_TYPEOF_CURL_SOCKLEN_T int #elif defined(__LCC__) -# define CURL_TYPEOF_CURL_OFF_T long -# define CURL_FORMAT_CURL_OFF_T "ld" -# define CURL_FORMAT_CURL_OFF_TU "lu" -# define CURL_SUFFIX_CURL_OFF_T L -# define CURL_SUFFIX_CURL_OFF_TU UL -# define CURL_TYPEOF_CURL_SOCKLEN_T int +# if defined(__e2k__) /* MCST eLbrus C Compiler */ +# define CURL_TYPEOF_CURL_OFF_T long +# define CURL_FORMAT_CURL_OFF_T "ld" +# define CURL_FORMAT_CURL_OFF_TU "lu" +# define CURL_SUFFIX_CURL_OFF_T L +# define CURL_SUFFIX_CURL_OFF_TU UL +# define CURL_TYPEOF_CURL_SOCKLEN_T socklen_t +# define CURL_PULL_SYS_TYPES_H 1 +# define CURL_PULL_SYS_SOCKET_H 1 +# else /* Local (or Little) C Compiler */ +# define CURL_TYPEOF_CURL_OFF_T long +# define CURL_FORMAT_CURL_OFF_T "ld" +# define CURL_FORMAT_CURL_OFF_TU "lu" +# define CURL_SUFFIX_CURL_OFF_T L +# define CURL_SUFFIX_CURL_OFF_TU UL +# define CURL_TYPEOF_CURL_SOCKLEN_T int +# endif #elif defined(__SYMBIAN32__) -# if defined(__EABI__) /* Treat all ARM compilers equally */ +# if defined(__EABI__) /* Treat all ARM compilers equally */ # define CURL_TYPEOF_CURL_OFF_T long long # define CURL_FORMAT_CURL_OFF_T "lld" # define CURL_FORMAT_CURL_OFF_TU "llu" @@ -288,7 +299,6 @@ # define CURL_TYPEOF_CURL_SOCKLEN_T int #elif defined(__TINYC__) /* also known as tcc */ - # define CURL_TYPEOF_CURL_OFF_T long long # define CURL_FORMAT_CURL_OFF_T "lld" # define CURL_FORMAT_CURL_OFF_TU "llu" @@ -377,6 +387,7 @@ # define CURL_SUFFIX_CURL_OFF_TU ULL # elif defined(__LP64__) || \ defined(__x86_64__) || defined(__ppc64__) || defined(__sparc64__) || \ + defined(__e2k__) || \ (defined(__SIZEOF_LONG__) && __SIZEOF_LONG__ == 8) || \ (defined(__LONG_MAX__) && __LONG_MAX__ == 9223372036854775807L) # define CURL_TYPEOF_CURL_OFF_T long diff --git a/libs/libcurl/src/CMakeLists.txt b/libs/libcurl/src/CMakeLists.txt index eca9a8af93..a9c90b6650 100644 --- a/libs/libcurl/src/CMakeLists.txt +++ b/libs/libcurl/src/CMakeLists.txt 
@@ -20,7 +20,6 @@ list(APPEND HHEADERS if(MSVC) list(APPEND CSOURCES libcurl.rc) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /wd4127") endif() # SET(CSOURCES diff --git a/libs/libcurl/src/Makefile.in b/libs/libcurl/src/Makefile.in index 27101a8eea..9259841744 100644 --- a/libs/libcurl/src/Makefile.in +++ b/libs/libcurl/src/Makefile.in @@ -245,14 +245,15 @@ am__objects_3 = vtls/libcurl_la-openssl.lo vtls/libcurl_la-gtls.lo \ vtls/libcurl_la-wolfssl.lo vtls/libcurl_la-schannel.lo \ vtls/libcurl_la-schannel_verify.lo \ vtls/libcurl_la-sectransp.lo vtls/libcurl_la-gskit.lo \ - vtls/libcurl_la-mbedtls.lo vtls/libcurl_la-mesalink.lo + vtls/libcurl_la-mbedtls.lo vtls/libcurl_la-mesalink.lo \ + vtls/libcurl_la-bearssl.lo am__objects_4 = vquic/libcurl_la-ngtcp2.lo vquic/libcurl_la-quiche.lo am__objects_5 = vssh/libcurl_la-libssh2.lo vssh/libcurl_la-libssh.lo am__objects_6 = $(am__objects_1) $(am__objects_2) $(am__objects_3) \ $(am__objects_4) $(am__objects_5) am__objects_7 = am__objects_8 = $(am__objects_7) $(am__objects_7) $(am__objects_7) \ - $(am__objects_7) + $(am__objects_7) $(am__objects_7) am_libcurl_la_OBJECTS = $(am__objects_6) $(am__objects_8) libcurl_la_OBJECTS = $(am_libcurl_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) @@ -332,7 +333,8 @@ am__objects_11 = vtls/libcurlu_la-openssl.lo vtls/libcurlu_la-gtls.lo \ vtls/libcurlu_la-wolfssl.lo vtls/libcurlu_la-schannel.lo \ vtls/libcurlu_la-schannel_verify.lo \ vtls/libcurlu_la-sectransp.lo vtls/libcurlu_la-gskit.lo \ - vtls/libcurlu_la-mbedtls.lo vtls/libcurlu_la-mesalink.lo + vtls/libcurlu_la-mbedtls.lo vtls/libcurlu_la-mesalink.lo \ + vtls/libcurlu_la-bearssl.lo am__objects_12 = vquic/libcurlu_la-ngtcp2.lo \ vquic/libcurlu_la-quiche.lo am__objects_13 = vssh/libcurlu_la-libssh2.lo \ 
@@ -610,6 +612,7 @@ am__depfiles_remade = ./$(DEPDIR)/libcurl_la-altsvc.Plo \ vssh/$(DEPDIR)/libcurl_la-libssh2.Plo \ vssh/$(DEPDIR)/libcurlu_la-libssh.Plo \ vssh/$(DEPDIR)/libcurlu_la-libssh2.Plo \ + vtls/$(DEPDIR)/libcurl_la-bearssl.Plo \ vtls/$(DEPDIR)/libcurl_la-gskit.Plo \ vtls/$(DEPDIR)/libcurl_la-gtls.Plo \ vtls/$(DEPDIR)/libcurl_la-mbedtls.Plo \ @@ -623,6 +626,7 @@ am__depfiles_remade = ./$(DEPDIR)/libcurl_la-altsvc.Plo \ vtls/$(DEPDIR)/libcurl_la-sectransp.Plo \ vtls/$(DEPDIR)/libcurl_la-vtls.Plo \ vtls/$(DEPDIR)/libcurl_la-wolfssl.Plo \ + vtls/$(DEPDIR)/libcurlu_la-bearssl.Plo \ vtls/$(DEPDIR)/libcurlu_la-gskit.Plo \ vtls/$(DEPDIR)/libcurlu_la-gtls.Plo \ vtls/$(DEPDIR)/libcurlu_la-mbedtls.Plo \ @@ -815,6 +819,7 @@ STRIP = @STRIP@ SUPPORT_FEATURES = @SUPPORT_FEATURES@ SUPPORT_PROTOCOLS = @SUPPORT_PROTOCOLS@ USE_ARES = @USE_ARES@ +USE_BEARSSL = @USE_BEARSSL@ USE_GNUTLS = @USE_GNUTLS@ USE_GNUTLS_NETTLE = @USE_GNUTLS_NETTLE@ USE_LIBRTMP = @USE_LIBRTMP@ 
@@ -975,16 +980,18 @@ LIB_VAUTH_HFILES = vauth/vauth.h vauth/digest.h vauth/ntlm.h LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c \ vtls/polarssl.c vtls/polarssl_threadlock.c \ vtls/wolfssl.c vtls/schannel.c vtls/schannel_verify.c \ - vtls/sectransp.c vtls/gskit.c vtls/mbedtls.c vtls/mesalink.c + vtls/sectransp.c vtls/gskit.c vtls/mbedtls.c vtls/mesalink.c \ + vtls/bearssl.c LIB_VTLS_HFILES = vtls/openssl.h vtls/vtls.h vtls/gtls.h \ vtls/nssg.h vtls/polarssl.h vtls/polarssl_threadlock.h \ vtls/wolfssl.h vtls/schannel.h vtls/sectransp.h vtls/gskit.h \ - vtls/mbedtls.h vtls/mesalink.h + vtls/mbedtls.h vtls/mesalink.h vtls/bearssl.h LIB_VQUIC_CFILES = vquic/ngtcp2.c vquic/quiche.c LIB_VQUIC_HFILES = vquic/ngtcp2.h vquic/quiche.h LIB_VSSH_CFILES = vssh/libssh2.c vssh/libssh.c +LIB_VSSH_HFILES = vssh/ssh.h LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c \ cookie.c http.c sendf.c ftp.c url.c dict.c if2ip.c speedcheck.c \ ldap.c version.c getenv.c escape.c mprintf.c telnet.c netrc.c \ @@ -1014,7 +1021,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \ http_negotiate.h inet_pton.h amigaos.h strtoofft.h strerror.h \ inet_ntop.h curlx.h curl_memory.h curl_setup.h transfer.h select.h \ easyif.h multiif.h parsedate.h tftp.h sockaddr.h splay.h strdup.h \ - socks.h ssh.h curl_base64.h curl_addrinfo.h curl_sspi.h \ + socks.h curl_base64.h curl_addrinfo.h curl_sspi.h \ slist.h nonblock.h curl_memrchr.h imap.h pop3.h smtp.h pingpong.h \ rtsp.h curl_threads.h warnless.h curl_hmac.h curl_rtmp.h \ curl_gethostname.h gopher.h http_proxy.h non-ascii.h asyn.h \ @@ -1031,7 +1038,7 @@ CSOURCES = $(LIB_CFILES) $(LIB_VAUTH_CFILES) $(LIB_VTLS_CFILES) \ $(LIB_VQUIC_CFILES) $(LIB_VSSH_CFILES) HHEADERS = $(LIB_HFILES) $(LIB_VAUTH_HFILES) $(LIB_VTLS_HFILES) \ - $(LIB_VQUIC_HFILES) + $(LIB_VQUIC_HFILES) $(LIB_VSSH_HFILES) # Makefile.inc provides the CSOURCES and HHEADERS defines 
@@ -1205,6 +1212,8 @@ vtls/libcurl_la-mbedtls.lo: vtls/$(am__dirstamp) \ vtls/$(DEPDIR)/$(am__dirstamp) vtls/libcurl_la-mesalink.lo: vtls/$(am__dirstamp) \ vtls/$(DEPDIR)/$(am__dirstamp) +vtls/libcurl_la-bearssl.lo: vtls/$(am__dirstamp) \ + vtls/$(DEPDIR)/$(am__dirstamp) vquic/$(am__dirstamp): @$(MKDIR_P) vquic @: > vquic/$(am__dirstamp) @@ -1278,6 +1287,8 @@ vtls/libcurlu_la-mbedtls.lo: vtls/$(am__dirstamp) \ vtls/$(DEPDIR)/$(am__dirstamp) vtls/libcurlu_la-mesalink.lo: vtls/$(am__dirstamp) \ vtls/$(DEPDIR)/$(am__dirstamp) +vtls/libcurlu_la-bearssl.lo: vtls/$(am__dirstamp) \ + vtls/$(DEPDIR)/$(am__dirstamp) vquic/libcurlu_la-ngtcp2.lo: vquic/$(am__dirstamp) \ vquic/$(DEPDIR)/$(am__dirstamp) vquic/libcurlu_la-quiche.lo: vquic/$(am__dirstamp) \ @@ -1558,6 +1569,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@vssh/$(DEPDIR)/libcurl_la-libssh2.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vssh/$(DEPDIR)/libcurlu_la-libssh.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vssh/$(DEPDIR)/libcurlu_la-libssh2.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-bearssl.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-gskit.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-gtls.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-mbedtls.Plo@am__quote@ # am--include-marker 
@@ -1571,6 +1583,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-sectransp.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-vtls.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurl_la-wolfssl.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-bearssl.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-gskit.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-gtls.Plo@am__quote@ # am--include-marker @AMDEP_TRUE@@am__include@ @am__quote@vtls/$(DEPDIR)/libcurlu_la-mbedtls.Plo@am__quote@ # am--include-marker 
@@ -2567,6 +2580,13 @@ vtls/libcurl_la-mesalink.lo: vtls/mesalink.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurl_la-mesalink.lo `test -f 'vtls/mesalink.c' || echo '$(srcdir)/'`vtls/mesalink.c +vtls/libcurl_la-bearssl.lo: vtls/bearssl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -MT vtls/libcurl_la-bearssl.lo -MD -MP -MF vtls/$(DEPDIR)/libcurl_la-bearssl.Tpo -c -o vtls/libcurl_la-bearssl.lo `test -f 'vtls/bearssl.c' || echo '$(srcdir)/'`vtls/bearssl.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vtls/$(DEPDIR)/libcurl_la-bearssl.Tpo vtls/$(DEPDIR)/libcurl_la-bearssl.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='vtls/bearssl.c' object='vtls/libcurl_la-bearssl.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurl_la-bearssl.lo `test -f 'vtls/bearssl.c' || echo '$(srcdir)/'`vtls/bearssl.c + vquic/libcurl_la-ngtcp2.lo: vquic/ngtcp2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurl_la_CPPFLAGS) $(CPPFLAGS) $(libcurl_la_CFLAGS) $(CFLAGS) -MT vquic/libcurl_la-ngtcp2.lo -MD -MP -MF vquic/$(DEPDIR)/libcurl_la-ngtcp2.Tpo -c -o vquic/libcurl_la-ngtcp2.lo 
`test -f 'vquic/ngtcp2.c' || echo '$(srcdir)/'`vquic/ngtcp2.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vquic/$(DEPDIR)/libcurl_la-ngtcp2.Tpo vquic/$(DEPDIR)/libcurl_la-ngtcp2.Plo 
@@ -3547,6 +3567,13 @@ vtls/libcurlu_la-mesalink.lo: vtls/mesalink.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurlu_la-mesalink.lo `test -f 'vtls/mesalink.c' || echo '$(srcdir)/'`vtls/mesalink.c +vtls/libcurlu_la-bearssl.lo: vtls/bearssl.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -MT vtls/libcurlu_la-bearssl.lo -MD -MP -MF vtls/$(DEPDIR)/libcurlu_la-bearssl.Tpo -c -o vtls/libcurlu_la-bearssl.lo `test -f 'vtls/bearssl.c' || echo '$(srcdir)/'`vtls/bearssl.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vtls/$(DEPDIR)/libcurlu_la-bearssl.Tpo vtls/$(DEPDIR)/libcurlu_la-bearssl.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='vtls/bearssl.c' object='vtls/libcurlu_la-bearssl.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -c -o vtls/libcurlu_la-bearssl.lo `test -f 'vtls/bearssl.c' || echo '$(srcdir)/'`vtls/bearssl.c + vquic/libcurlu_la-ngtcp2.lo: vquic/ngtcp2.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(libcurlu_la_CFLAGS) $(CFLAGS) -MT vquic/libcurlu_la-ngtcp2.lo -MD -MP -MF vquic/$(DEPDIR)/libcurlu_la-ngtcp2.Tpo -c -o 
vquic/libcurlu_la-ngtcp2.lo `test -f 'vquic/ngtcp2.c' || echo '$(srcdir)/'`vquic/ngtcp2.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) vquic/$(DEPDIR)/libcurlu_la-ngtcp2.Tpo vquic/$(DEPDIR)/libcurlu_la-ngtcp2.Plo @@ -3976,6 +4003,7 @@ distclean: distclean-am -rm -f vssh/$(DEPDIR)/libcurl_la-libssh2.Plo -rm -f vssh/$(DEPDIR)/libcurlu_la-libssh.Plo -rm -f vssh/$(DEPDIR)/libcurlu_la-libssh2.Plo + -rm -f vtls/$(DEPDIR)/libcurl_la-bearssl.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-gskit.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-gtls.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-mbedtls.Plo @@ -3989,6 +4017,7 @@ distclean: distclean-am -rm -f vtls/$(DEPDIR)/libcurl_la-sectransp.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-vtls.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-wolfssl.Plo + -rm -f vtls/$(DEPDIR)/libcurlu_la-bearssl.Plo -rm -f vtls/$(DEPDIR)/libcurlu_la-gskit.Plo -rm -f vtls/$(DEPDIR)/libcurlu_la-gtls.Plo -rm -f vtls/$(DEPDIR)/libcurlu_la-mbedtls.Plo @@ -4301,6 +4330,7 @@ maintainer-clean: maintainer-clean-am -rm -f vssh/$(DEPDIR)/libcurl_la-libssh2.Plo -rm -f vssh/$(DEPDIR)/libcurlu_la-libssh.Plo -rm -f vssh/$(DEPDIR)/libcurlu_la-libssh2.Plo + -rm -f vtls/$(DEPDIR)/libcurl_la-bearssl.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-gskit.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-gtls.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-mbedtls.Plo @@ -4314,6 +4344,7 @@ maintainer-clean: maintainer-clean-am -rm -f vtls/$(DEPDIR)/libcurl_la-sectransp.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-vtls.Plo -rm -f vtls/$(DEPDIR)/libcurl_la-wolfssl.Plo + -rm -f vtls/$(DEPDIR)/libcurlu_la-bearssl.Plo -rm -f vtls/$(DEPDIR)/libcurlu_la-gskit.Plo -rm -f vtls/$(DEPDIR)/libcurlu_la-gtls.Plo -rm -f vtls/$(DEPDIR)/libcurlu_la-mbedtls.Plo diff --git a/libs/libcurl/src/Makefile.inc b/libs/libcurl/src/Makefile.inc index 72ef428ee6..6c90c26752 100644 --- a/libs/libcurl/src/Makefile.inc +++ b/libs/libcurl/src/Makefile.inc 
@@ -30,12 +30,13 @@ LIB_VAUTH_HFILES = vauth/vauth.h vauth/digest.h vauth/ntlm.h LIB_VTLS_CFILES = vtls/openssl.c vtls/gtls.c vtls/vtls.c vtls/nss.c \ vtls/polarssl.c vtls/polarssl_threadlock.c \ vtls/wolfssl.c vtls/schannel.c vtls/schannel_verify.c \ - vtls/sectransp.c vtls/gskit.c vtls/mbedtls.c vtls/mesalink.c + vtls/sectransp.c vtls/gskit.c vtls/mbedtls.c vtls/mesalink.c \ + vtls/bearssl.c LIB_VTLS_HFILES = vtls/openssl.h vtls/vtls.h vtls/gtls.h \ vtls/nssg.h vtls/polarssl.h vtls/polarssl_threadlock.h \ vtls/wolfssl.h vtls/schannel.h vtls/sectransp.h vtls/gskit.h \ - vtls/mbedtls.h vtls/mesalink.h + vtls/mbedtls.h vtls/mesalink.h vtls/bearssl.h LIB_VQUIC_CFILES = vquic/ngtcp2.c vquic/quiche.c @@ -43,6 +44,8 @@ LIB_VQUIC_HFILES = vquic/ngtcp2.h vquic/quiche.h LIB_VSSH_CFILES = vssh/libssh2.c vssh/libssh.c +LIB_VSSH_HFILES = vssh/ssh.h + LIB_CFILES = file.c timeval.c base64.c hostip.c progress.c formdata.c \ cookie.c http.c sendf.c ftp.c url.c dict.c if2ip.c speedcheck.c \ ldap.c version.c getenv.c escape.c mprintf.c telnet.c netrc.c \ @@ -72,7 +75,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \ http_negotiate.h inet_pton.h amigaos.h strtoofft.h strerror.h \ inet_ntop.h curlx.h curl_memory.h curl_setup.h transfer.h select.h \ easyif.h multiif.h parsedate.h tftp.h sockaddr.h splay.h strdup.h \ - socks.h ssh.h curl_base64.h curl_addrinfo.h curl_sspi.h \ + socks.h curl_base64.h curl_addrinfo.h curl_sspi.h \ slist.h nonblock.h curl_memrchr.h imap.h pop3.h smtp.h pingpong.h \ rtsp.h curl_threads.h warnless.h curl_hmac.h curl_rtmp.h \ curl_gethostname.h gopher.h http_proxy.h non-ascii.h asyn.h \ @@ -89,4 +92,4 @@ LIB_RCFILES = libcurl.rc CSOURCES = $(LIB_CFILES) $(LIB_VAUTH_CFILES) $(LIB_VTLS_CFILES) \ $(LIB_VQUIC_CFILES) $(LIB_VSSH_CFILES) HHEADERS = $(LIB_HFILES) $(LIB_VAUTH_HFILES) $(LIB_VTLS_HFILES) \ - $(LIB_VQUIC_HFILES) + $(LIB_VQUIC_HFILES) $(LIB_VSSH_HFILES) 
diff --git a/libs/libcurl/src/Makefile.m32 b/libs/libcurl/src/Makefile.m32 index ae88f4dced..b6ef0a5cbd 100644 --- a/libs/libcurl/src/Makefile.m32 +++ b/libs/libcurl/src/Makefile.m32 @@ -5,7 +5,7 @@ # | (__| |_| | _ <| |___ # \___|\___/|_| \_\_____| # -# Copyright (C) 1999 - 2017, Daniel Stenberg, , et al. +# Copyright (C) 1999 - 2019, Daniel Stenberg, , et al. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms @@ -271,7 +271,7 @@ ifdef SSL endif INCLUDES += -I"$(OPENSSL_INCLUDE)" CFLAGS += -DUSE_OPENSSL -DHAVE_OPENSSL_ENGINE_H -DHAVE_OPENSSL_PKCS12_H \ - -DHAVE_ENGINE_LOAD_BUILTIN_ENGINES -DOPENSSL_NO_KRB5 + -DOPENSSL_NO_KRB5 DLL_LIBS += -L"$(OPENSSL_LIBPATH)" $(OPENSSL_LIBS) ifdef SRP ifeq "$(wildcard $(OPENSSL_INCLUDE)/openssl/srp.h)" "$(OPENSSL_INCLUDE)/openssl/srp.h" diff --git a/libs/libcurl/src/altsvc.c b/libs/libcurl/src/altsvc.c index 64971a9f0f..bf869c37a5 100644 --- a/libs/libcurl/src/altsvc.c +++ b/libs/libcurl/src/altsvc.c @@ -55,7 +55,7 @@ static enum alpnid alpn2alpnid(char *name) if(strcasecompare(name, "h2")) return ALPN_h2; #if (defined(USE_QUICHE) || defined(USE_NGTCP2)) && !defined(UNITTESTS) - if(strcasecompare(name, "h3-23")) + if(strcasecompare(name, "h3-24")) return ALPN_h3; #else if(strcasecompare(name, "h3")) @@ -74,7 +74,7 @@ const char *Curl_alpnid2str(enum alpnid id) return "h2"; case ALPN_h3: #if (defined(USE_QUICHE) || defined(USE_NGTCP2)) && !defined(UNITTESTS) - return "h3-23"; + return "h3-24"; #else return "h3"; #endif @@ -161,7 +161,7 @@ static CURLcode altsvc_add(struct altsvcinfo *asi, char *line) date, &persist, &prio); if(9 == rc) { struct altsvc *as; - time_t expires = curl_getdate(date, NULL); + time_t expires = Curl_getdate_capped(date); as = altsvc_create(srchost, dsthost, srcalpn, dstalpn, srcport, dstport); if(as) { as->expires = expires; 
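Review bot: The HTTP/3 ALPN token `"h3-24"` is now spelled out twice, once in `alpn2alpnid()` and once in `Curl_alpnid2str()`, so the next draft bump has to edit both and a mismatch would silently stop alt-svc entries from round-tripping through the cache file. A single `#define ALPN_H3_DRAFT "h3-24"` used in both places removes that hazard. It is also worth a comment that an alt-svc cache written by the previous build contains `h3-23` entries which this version no longer maps to `ALPN_h3` (what `alpn2alpnid` returns for an unknown token is outside the hunk) — harmless, but surprising when debugging why a cached h3 entry is ignored.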
@@ -320,8 +320,8 @@ CURLcode Curl_altsvc_save(struct altsvcinfo *altsvc, const char *file) /* no cache activated */ return CURLE_OK; - if((altsvc->flags & CURLALTSVC_READONLYFILE) || !file[0]) - /* marked as read-only or zero length file name */ + if((altsvc->flags & CURLALTSVC_READONLYFILE) || !file || !file[0]) + /* marked as read-only, no file or zero length file name */ return CURLE_OK; out = fopen(file, FOPEN_WRITETEXT); if(!out) diff --git a/libs/libcurl/src/asyn-thread.c b/libs/libcurl/src/asyn-thread.c index 8c552baa9a..b08497aaa0 100644 --- a/libs/libcurl/src/asyn-thread.c +++ b/libs/libcurl/src/asyn-thread.c @@ -698,6 +698,16 @@ Curl_addrinfo *Curl_resolver_getaddrinfo(struct connectdata *conn, *waitp = 0; /* default to synchronous response */ +#ifdef ENABLE_IPV6 + { + struct in6_addr in6; + /* check if this is an IPv6 address string */ + if(Curl_inet_pton(AF_INET6, hostname, &in6) > 0) + /* This is an IPv6 address literal */ + return Curl_ip2addr(AF_INET6, &in6, hostname, port); + } +#endif /* ENABLE_IPV6 */ + if(Curl_inet_pton(AF_INET, hostname, &in) > 0) /* This is a dotted IP address 123.123.123.123-style */ return Curl_ip2addr(AF_INET, &in, hostname, port); @@ -741,7 +751,7 @@ Curl_addrinfo *Curl_resolver_getaddrinfo(struct connectdata *conn, /* This is a dotted IP address 123.123.123.123-style */ return Curl_ip2addr(AF_INET, &in, hostname, port); } -#ifdef CURLRES_IPV6 +#ifdef ENABLE_IPV6 { struct in6_addr in6; /* check if this is an IPv6 address string */ @@ -749,7 +759,7 @@ Curl_addrinfo *Curl_resolver_getaddrinfo(struct connectdata *conn, /* This is an IPv6 address literal */ return Curl_ip2addr(AF_INET6, &in6, hostname, port); } -#endif /* CURLRES_IPV6 */ +#endif /* ENABLE_IPV6 */ #endif /* !USE_RESOLVE_ON_IPS */ #ifdef CURLRES_IPV6 diff --git a/libs/libcurl/src/checksrc.pl b/libs/libcurl/src/checksrc.pl index b2cfa83559..8343645610 100644 --- a/libs/libcurl/src/checksrc.pl +++ b/libs/libcurl/src/checksrc.pl 
@@ -6,7 +6,7 @@ # | (__| |_| | _ <| |___ # \___|\___/|_| \_\_____| # -# Copyright (C) 2011 - 2018, Daniel Stenberg, , et al. +# Copyright (C) 2011 - 2019, Daniel Stenberg, , et al. # # This software is licensed as described in the file COPYING, which # you should have received as part of this distribution. The terms @@ -717,12 +717,17 @@ sub scanfile { my $commityear = undef; @copyright = sort {$$b{year} cmp $$a{year}} @copyright; + # if the file is modified, assume commit year this year if(`git status -s -- $file` =~ /^ [MARCU]/) { $commityear = (localtime(time))[5] + 1900; } - elsif (`git rev-list --count origin/master..HEAD -- $file` !~ /^0/) { - my $grl = `git rev-list --max-count=1 --timestamp HEAD -- $file`; - $commityear = (localtime((split(/ /, $grl))[0]))[5] + 1900; + else { + # min-parents=1 to ignore wrong initial commit in truncated repos + my $grl = `git rev-list --max-count=1 --min-parents=1 --timestamp HEAD -- $file`; + if($grl) { + chomp $grl; + $commityear = (localtime((split(/ /, $grl))[0]))[5] + 1900; + } } if(defined($commityear) && scalar(@copyright) && diff --git a/libs/libcurl/src/config-dos.h b/libs/libcurl/src/config-dos.h index 3e973de0b4..25f751eb56 100644 --- a/libs/libcurl/src/config-dos.h +++ b/libs/libcurl/src/config-dos.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/config-mac.h b/libs/libcurl/src/config-mac.h index 3c12bdfacc..14b98fe572 100644 --- a/libs/libcurl/src/config-mac.h +++ b/libs/libcurl/src/config-mac.h 
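Review bot: The new `git rev-list --max-count=1 --min-parents=1 --timestamp HEAD -- $file` line interpolates `$file` unquoted into a shell command via backticks, so a path containing spaces or shell metacharacters is word-split or interpreted by the shell; the `git status -s -- $file` line just above it has the same shape. Since this script is run over repository file names, the robust form is the list-style pipe open that bypasses the shell, e.g. `open(my $fh, '-|', 'git', 'rev-list', '--max-count=1', '--min-parents=1', '--timestamp', 'HEAD', '--', $file) or die "git rev-list: $!";` and then reading `$grl` from `$fh`. The comment explaining `--min-parents=1` is a good addition; `sub scanfile` starts and ends outside the hunk.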
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/config-plan9.h b/libs/libcurl/src/config-plan9.h index 64bfbdea05..4063d4bbd6 100644 --- a/libs/libcurl/src/config-plan9.h +++ b/libs/libcurl/src/config-plan9.h @@ -102,7 +102,6 @@ #define HAVE_BASENAME 1 #define HAVE_BOOL_T 1 #define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1 -#define HAVE_ENGINE_LOAD_BUILTIN_ENGINES 1 #define HAVE_ERRNO_H 1 #define HAVE_FCNTL 1 #define HAVE_FCNTL_H 1 diff --git a/libs/libcurl/src/config-symbian.h b/libs/libcurl/src/config-symbian.h index cb2e96d5d1..c01e1bfab8 100644 --- a/libs/libcurl/src/config-symbian.h +++ b/libs/libcurl/src/config-symbian.h @@ -128,9 +128,6 @@ /* Define to 1 if you have the header file. */ #define HAVE_DLFCN_H 1 -/* Define to 1 if you have the `ENGINE_load_builtin_engines' function. */ -/*#define HAVE_ENGINE_LOAD_BUILTIN_ENGINES 1*/ - /* Define to 1 if you have the header file. */ #define HAVE_ERRNO_H 1 diff --git a/libs/libcurl/src/config-tpf.h b/libs/libcurl/src/config-tpf.h index f0c095bb04..85b634f9d4 100644 --- a/libs/libcurl/src/config-tpf.h +++ b/libs/libcurl/src/config-tpf.h @@ -119,10 +119,6 @@ /* #undef HAVE_DES_H */ #define HAVE_DES_H 1 -/* Define to 1 if you have the `ENGINE_load_builtin_engines' function. */ -/* #undef HAVE_ENGINE_LOAD_BUILTIN_ENGINES */ -#define HAVE_ENGINE_LOAD_BUILTIN_ENGINES 1 - /* Define to 1 if you have the header file. */ #define HAVE_ERRNO_H 1 diff --git a/libs/libcurl/src/config-vxworks.h b/libs/libcurl/src/config-vxworks.h index d352578e33..004fd4e800 100644 --- a/libs/libcurl/src/config-vxworks.h +++ b/libs/libcurl/src/config-vxworks.h 
@@ -143,9 +143,6 @@ /* Define to 1 if you have the header file. */ #define HAVE_DLFCN_H 1 -/* Define to 1 if you have the `ENGINE_load_builtin_engines' function. */ -#define HAVE_ENGINE_LOAD_BUILTIN_ENGINES 1 - /* Define to 1 if you have the header file. */ #define HAVE_ERRNO_H 1 diff --git a/libs/libcurl/src/config-win32.h b/libs/libcurl/src/config-win32.h index 5b028f193f..1dcce0db41 100644 --- a/libs/libcurl/src/config-win32.h +++ b/libs/libcurl/src/config-win32.h @@ -246,10 +246,6 @@ /* Define if you have the socket function. */ #define HAVE_SOCKET 1 -/* Define if libSSH2 is in use */ -#define USE_LIBSSH2 1 -#define HAVE_LIBSSH2_H 1 - /* Define if you have the strcasecmp function. */ /* #define HAVE_STRCASECMP 1 */ @@ -739,8 +735,12 @@ Vista #define OS "i386-pc-win32" #elif defined(_M_X64) || defined(__x86_64__) /* x86_64 (MSVC >=2005 or gcc) */ #define OS "x86_64-pc-win32" -#elif defined(_M_IA64) /* Itanium */ +#elif defined(_M_IA64) || defined(__ia64__) /* Itanium */ #define OS "ia64-pc-win32" +#elif defined(_M_ARM_NT) || defined(__arm__) /* ARMv7-Thumb2 (Windows RT) */ +#define OS "thumbv7a-pc-win32" +#elif defined(_M_ARM64) || defined(__aarch64__) /* ARM64 (Windows 10) */ +#define OS "aarch64-pc-win32" #else #define OS "unknown-pc-win32" #endif diff --git a/libs/libcurl/src/config-win32ce.h b/libs/libcurl/src/config-win32ce.h index 182052290e..5eb1c18f6f 100644 --- a/libs/libcurl/src/config-win32ce.h +++ b/libs/libcurl/src/config-win32ce.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/conncache.c b/libs/libcurl/src/conncache.c index 57d6061fda..28044644bf 100644 --- a/libs/libcurl/src/conncache.c +++ b/libs/libcurl/src/conncache.c 
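Review bot: Dropping `USE_LIBSSH2` and `HAVE_LIBSSH2_H` from config-win32.h silently changes the protocol set of every Windows build that takes its configuration from this header: unless the project's build now defines `USE_LIBSSH2` elsewhere, SCP and SFTP support disappears from the vendored libcurl and presumably no longer shows up in `curl_version_info()`. If this tree never actually linked libssh2, the old defines were the bug and this is the fix, but that should be stated in the commit message or at the removal point so the next person grepping for why sftp vanished has an answer. A one-line comment such as `/* USE_LIBSSH2 is defined by the build system when libssh2 is linked */` would do, if that is the case.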
@@ -40,27 +40,6 @@ #include "curl_memory.h" #include "memdebug.h" -#ifdef CURLDEBUG -/* the debug versions of these macros make extra certain that the lock is - never doubly locked or unlocked */ -#define CONN_LOCK(x) if((x)->share) { \ - Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE); \ - DEBUGASSERT(!(x)->state.conncache_lock); \ - (x)->state.conncache_lock = TRUE; \ - } - -#define CONN_UNLOCK(x) if((x)->share) { \ - DEBUGASSERT((x)->state.conncache_lock); \ - (x)->state.conncache_lock = FALSE; \ - Curl_share_unlock((x), CURL_LOCK_DATA_CONNECT); \ - } -#else -#define CONN_LOCK(x) if((x)->share) \ - Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE) -#define CONN_UNLOCK(x) if((x)->share) \ - Curl_share_unlock((x), CURL_LOCK_DATA_CONNECT) -#endif - #define HASHKEY_SIZE 128 static void conn_llist_dtor(void *user, void *element) @@ -122,6 +101,7 @@ static int bundle_remove_conn(struct connectbundle *cb_ptr, } curr = curr->next; } + DEBUGASSERT(0); return 0; } @@ -428,17 +408,15 @@ conncache_find_first_connection(struct conncache *connc) * * Return TRUE if stored, FALSE if closed. */ -bool Curl_conncache_return_conn(struct connectdata *conn) +bool Curl_conncache_return_conn(struct Curl_easy *data, + struct connectdata *conn) { - struct Curl_easy *data = conn->data; - /* data->multi->maxconnects can be negative, deal with it. */ size_t maxconnects = (data->multi->maxconnects < 0) ? data->multi->num_easy * 4: data->multi->maxconnects; struct connectdata *conn_candidate = NULL; - conn->data = NULL; /* no owner anymore */ conn->lastused = Curl_now(); /* it was used up until now */ if(maxconnects > 0 && Curl_conncache_size(data) > maxconnects) { 
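Review bot: `Curl_conncache_return_conn()` no longer clears `conn->data` (the removed `/* no owner anymore */` line), but the eviction scan in `Curl_conncache_extract_oldest()` further down this file still treats `!conn->data` as the "idle, evictable" condition. If the caller that now owns the detach step does not reset `conn->data` before calling this function, a returned connection is never an eviction candidate when `maxconnects` is exceeded and the cache can grow past its limit; the caller is not visible here, so this is a check to make rather than a confirmed defect. A comment on the new signature pinning the contract, e.g. `/* caller must already have detached conn from its transfer (conn->data == NULL) */`, would make the precondition explicit. The `DEBUGASSERT(0)` added to `bundle_remove_conn()` is fine, but since it compiles away in release builds the `return 0` path remains reachable and callers should keep checking the result.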
@@ -541,7 +519,8 @@ Curl_conncache_extract_oldest(struct Curl_easy *data) while(curr) { conn = curr->ptr; - if(!CONN_INUSE(conn) && !conn->data) { + if(!CONN_INUSE(conn) && !conn->data && !conn->bits.close && + !conn->bits.connect_only) { /* Set higher score for the age passed since the connection was used */ score = Curl_timediff(now, conn->lastused); diff --git a/libs/libcurl/src/conncache.h b/libs/libcurl/src/conncache.h index 58f9024093..5fe80b4c8d 100644 --- a/libs/libcurl/src/conncache.h +++ b/libs/libcurl/src/conncache.h @@ -42,6 +42,27 @@ struct conncache { #define BUNDLE_UNKNOWN 0 /* initial value */ #define BUNDLE_MULTIPLEX 2 +#ifdef CURLDEBUG +/* the debug versions of these macros make extra certain that the lock is + never doubly locked or unlocked */ +#define CONN_LOCK(x) if((x)->share) { \ + Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE); \ + DEBUGASSERT(!(x)->state.conncache_lock); \ + (x)->state.conncache_lock = TRUE; \ + } + +#define CONN_UNLOCK(x) if((x)->share) { \ + DEBUGASSERT((x)->state.conncache_lock); \ + (x)->state.conncache_lock = FALSE; \ + Curl_share_unlock((x), CURL_LOCK_DATA_CONNECT); \ + } +#else +#define CONN_LOCK(x) if((x)->share) \ + Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE) +#define CONN_UNLOCK(x) if((x)->share) \ + Curl_share_unlock((x), CURL_LOCK_DATA_CONNECT) +#endif + struct connectbundle { int multiuse; /* supports multi-use */ size_t num_connections; /* Number of connections in the bundle */ @@ -61,7 +82,8 @@ void Curl_conncache_unlock(struct Curl_easy *data); size_t Curl_conncache_size(struct Curl_easy *data); size_t Curl_conncache_bundle_size(struct connectdata *conn); -bool Curl_conncache_return_conn(struct connectdata *conn); +bool Curl_conncache_return_conn(struct Curl_easy *data, + struct connectdata *conn); CURLcode Curl_conncache_add_conn(struct conncache *connc, struct connectdata *conn) WARN_UNUSED_RESULT; void Curl_conncache_remove_conn(struct Curl_easy *data, 
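Review bot: The CONN_LOCK/CONN_UNLOCK macros this hunk moves into conncache.h expand to a bare `if(...)` statement (unbraced in the non-CURLDEBUG variant), so at a call site `if(c) CONN_LOCK(x); else ...` binds the `else` to the macro's own `if`, and the braced variant leaves a dangling `;` after the block. They were file-local before; now that every includer can use them, wrap both variants in the `do { ... } while(0)` idiom the rest of this diff is converging on, e.g. `#define CONN_LOCK(x) do { if((x)->share) Curl_share_lock((x), CURL_LOCK_DATA_CONNECT, CURL_LOCK_ACCESS_SINGLE); } while(0)`. Same treatment for CONN_UNLOCK and the CURLDEBUG versions.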
diff --git a/libs/libcurl/src/connect.c b/libs/libcurl/src/connect.c index 3b88a59623..611d6d2f02 100644 --- a/libs/libcurl/src/connect.c +++ b/libs/libcurl/src/connect.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -932,9 +932,11 @@ CURLcode Curl_is_connected(struct connectdata *conn, SET_SOCKERRNO(error); if(conn->tempaddr[i]) { CURLcode status; +#ifndef CURL_DISABLE_VERBOSE_STRINGS char ipaddress[MAX_IPADR_LEN]; char buffer[STRERROR_LEN]; Curl_printable_address(conn->tempaddr[i], ipaddress, MAX_IPADR_LEN); +#endif infof(data, "connect to %s port %ld failed: %s\n", ipaddress, conn->port, Curl_strerror(error, buffer, sizeof(buffer))); @@ -992,14 +994,12 @@ CURLcode Curl_is_connected(struct connectdata *conn, static void tcpnodelay(struct connectdata *conn, curl_socket_t sockfd) { #if defined(TCP_NODELAY) -#if !defined(CURL_DISABLE_VERBOSE_STRINGS) - struct Curl_easy *data = conn->data; -#endif curl_socklen_t onoff = (curl_socklen_t) 1; int level = IPPROTO_TCP; +#if !defined(CURL_DISABLE_VERBOSE_STRINGS) + struct Curl_easy *data = conn->data; char buffer[STRERROR_LEN]; - -#if defined(CURL_DISABLE_VERBOSE_STRINGS) +#else (void) conn; #endif diff --git a/libs/libcurl/src/cookie.c b/libs/libcurl/src/cookie.c index f56bd85a93..0091132aa3 100644 --- a/libs/libcurl/src/cookie.c +++ b/libs/libcurl/src/cookie.c @@ -96,6 +96,7 @@ Example set of cookies: #include "curl_get_line.h" #include "curl_memrchr.h" #include "inet_pton.h" +#include "parsedate.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" 
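Review bot: In Curl_is_connected, `ipaddress` and `buffer` are now declared only under `#ifndef CURL_DISABLE_VERBOSE_STRINGS`, but the `infof(...)` call that references both stays outside the conditional. That compiles only if infof expands, under CURL_DISABLE_VERBOSE_STRINGS, to a no-op that discards its arguments (a variadic macro); with a non-variadic fallback such as `#define infof (void)` the arguments are still parsed and the build breaks, and the definition of infof is not visible here to confirm which applies. Move the infof call inside the same `#ifndef` block, or keep the two declarations unconditional and `(void)`-mark them when verbose strings are disabled. Curl_is_connected starts and ends outside the hunk.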
@@ -715,7 +716,7 @@ Curl_cookie_add(struct Curl_easy *data, else if(co->expirestr) { /* Note that if the date couldn't get parsed for whatever reason, the cookie will be treated as a session cookie */ - co->expires = curl_getdate(co->expirestr, NULL); + co->expires = Curl_getdate_capped(co->expirestr); /* Session cookies have expires set to 0 so if we get that back from the date parser let's add a second to make it a diff --git a/libs/libcurl/src/curl_base64.h b/libs/libcurl/src/curl_base64.h index 7e9fc26062..cfb6ee75b2 100644 --- a/libs/libcurl/src/curl_base64.h +++ b/libs/libcurl/src/curl_base64.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_config.h.cmake b/libs/libcurl/src/curl_config.h.cmake index e0793a7ee4..2c3b6562d4 100644 --- a/libs/libcurl/src/curl_config.h.cmake +++ b/libs/libcurl/src/curl_config.h.cmake @@ -148,9 +148,6 @@ /* Define to 1 if you have the header file. */ #cmakedefine HAVE_DLFCN_H 1 -/* Define to 1 if you have the `ENGINE_load_builtin_engines' function. */ -#cmakedefine HAVE_ENGINE_LOAD_BUILTIN_ENGINES 1 - /* Define to 1 if you have the header file. */ #cmakedefine HAVE_ERRNO_H 1 @@ -948,6 +945,9 @@ ${SIZEOF_TIME_T_CODE} /* if mbedTLS is enabled */ #cmakedefine USE_MBEDTLS 1 +/* if BearSSL is enabled */ +#cmakedefine USE_BEARSSL 1 + /* if libSSH2 is in use */ #cmakedefine USE_LIBSSH2 1 @@ -957,6 +957,9 @@ ${SIZEOF_TIME_T_CODE} /* if NSS is enabled */ #cmakedefine USE_NSS 1 +/* if you have the PK11_CreateManagedGenericObject function */ +#cmakedefine HAVE_PK11_CREATEMANAGEDGENERICOBJECT 1 + /* if you want to use OpenLDAP code instead of legacy ldap implementation */ #cmakedefine USE_OPENLDAP 1 
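Review bot: The switch to `Curl_getdate_capped` in Curl_cookie_add has no comment on why the capped variant is used, and the comment block above it still only describes the parse-failure case. Presumably the cap keeps an out-of-range Expires value from overflowing time_t (which could turn a far-future cookie into an already-expired or wrongly-persisted one); say so at the call: `/* capped: an out-of-range date must saturate, not wrap time_t */`. Also worth confirming that Curl_getdate_capped preserves curl_getdate's failure return so the session-cookie fallback below still triggers; the function continues outside the hunk.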
diff --git a/libs/libcurl/src/curl_config.h.in b/libs/libcurl/src/curl_config.h.in index 32a87bd293..bb7f4e3402 100644 --- a/libs/libcurl/src/curl_config.h.in +++ b/libs/libcurl/src/curl_config.h.in @@ -955,6 +955,9 @@ /* Define to enable c-ares support */ #undef USE_ARES +/* if BearSSL is enabled */ +#undef USE_BEARSSL + /* if ESNI support is available */ #undef USE_ESNI diff --git a/libs/libcurl/src/curl_des.c b/libs/libcurl/src/curl_des.c index b123a00f01..39c0f35ee6 100644 --- a/libs/libcurl/src/curl_des.c +++ b/libs/libcurl/src/curl_des.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2015, Steve Holme, . + * Copyright (C) 2015 - 2019, Steve Holme, . * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_des.h b/libs/libcurl/src/curl_des.h index 129060ff7d..a42eeb53f3 100644 --- a/libs/libcurl/src/curl_des.h +++ b/libs/libcurl/src/curl_des.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2015, Steve Holme, . + * Copyright (C) 2015 - 2019, Steve Holme, . * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_endian.c b/libs/libcurl/src/curl_endian.c index b7563b3ded..a774d136e4 100644 --- a/libs/libcurl/src/curl_endian.c +++ b/libs/libcurl/src/curl_endian.c @@ -81,6 +81,7 @@ unsigned short Curl_read16_be(const unsigned char *buf) ((unsigned short)buf[1])); } +#if (CURL_SIZEOF_CURL_OFF_T > 4) /* * write32_le() * @@ -100,7 +101,6 @@ static void write32_le(const int value, unsigned char *buffer) buffer[3] = (char)((value & 0xFF000000) >> 24); } -#if (CURL_SIZEOF_CURL_OFF_T > 4) /* * Curl_write64_le() * diff --git a/libs/libcurl/src/curl_fnmatch.h b/libs/libcurl/src/curl_fnmatch.h index 69ffe392fd..34fccae488 100644 --- a/libs/libcurl/src/curl_fnmatch.h 
+++ b/libs/libcurl/src/curl_fnmatch.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_gethostname.h b/libs/libcurl/src/curl_gethostname.h index 07517c5359..8ae15e6c19 100644 --- a/libs/libcurl/src/curl_gethostname.h +++ b/libs/libcurl/src/curl_gethostname.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_ldap.h b/libs/libcurl/src/curl_ldap.h index 94c002948c..912e13107c 100644 --- a/libs/libcurl/src/curl_ldap.h +++ b/libs/libcurl/src/curl_ldap.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_memrchr.h b/libs/libcurl/src/curl_memrchr.h index 747509c45a..90a8a07cce 100644 --- a/libs/libcurl/src/curl_memrchr.h +++ b/libs/libcurl/src/curl_memrchr.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms 
diff --git a/libs/libcurl/src/curl_multibyte.c b/libs/libcurl/src/curl_multibyte.c index e48334faff..e3843449bb 100644 --- a/libs/libcurl/src/curl_multibyte.c +++ b/libs/libcurl/src/curl_multibyte.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_multibyte.h b/libs/libcurl/src/curl_multibyte.h index 615f5c086c..3becf41cfa 100644 --- a/libs/libcurl/src/curl_multibyte.h +++ b/libs/libcurl/src/curl_multibyte.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -61,8 +61,13 @@ char *Curl_convert_wchar_to_UTF8(const wchar_t *str_w); #define Curl_convert_UTF8_to_tchar(ptr) Curl_convert_UTF8_to_wchar((ptr)) #define Curl_convert_tchar_to_UTF8(ptr) Curl_convert_wchar_to_UTF8((ptr)) -#define Curl_unicodefree(ptr) \ - do {if((ptr)) {free((ptr)); (ptr) = NULL;}} WHILE_FALSE +#define Curl_unicodefree(ptr) \ + do { \ + if(ptr) { \ + free(ptr); \ + (ptr) = NULL; \ + } \ + } while(0) typedef union { unsigned short *tchar_ptr; @@ -76,7 +81,7 @@ typedef union { #define Curl_convert_UTF8_to_tchar(ptr) (ptr) #define Curl_convert_tchar_to_UTF8(ptr) (ptr) #define Curl_unicodefree(ptr) \ - do {(ptr) = NULL;} WHILE_FALSE + do {(ptr) = NULL;} while(0) typedef union { char *tchar_ptr; diff --git a/libs/libcurl/src/curl_ntlm_core.h b/libs/libcurl/src/curl_ntlm_core.h index 3b4b8053c3..392a1b81de 100644 --- a/libs/libcurl/src/curl_ntlm_core.h +++ b/libs/libcurl/src/curl_ntlm_core.h 
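Review bot: The rewritten wide-char Curl_unicodefree macro drops the parentheses the previous version had around its argument in `if(ptr)` and `free(ptr)`, while keeping them in `(ptr) = NULL`. Macro arguments should be parenthesized at every use so an expression argument is evaluated as a unit; keep the old hygiene: `if((ptr)) { free((ptr)); (ptr) = NULL; }`. The narrow-char variant in the following hunk already keeps its parentheses, so the two would otherwise diverge in style.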
@@ -48,7 +48,9 @@ /* Define USE_NTLM2SESSION in order to make the type-3 message include the NTLM2Session response message, requires USE_NTRESPONSES defined to 1 and a Crypto engine that we have curl_ssl_md5sum() for. */ -#if defined(USE_NTRESPONSES) && !defined(USE_WIN32_CRYPTO) +#if defined(USE_NTRESPONSES) && \ + (!defined(USE_WIN32_CRYPTO) || \ + (defined(USE_SSL) && !defined(CURL_DISABLE_CRYPTO_AUTH))) #define USE_NTLM2SESSION #endif diff --git a/libs/libcurl/src/curl_ntlm_wb.c b/libs/libcurl/src/curl_ntlm_wb.c index 80266e2a45..30b54de444 100644 --- a/libs/libcurl/src/curl_ntlm_wb.c +++ b/libs/libcurl/src/curl_ntlm_wb.c @@ -108,10 +108,8 @@ void Curl_http_auth_cleanup_ntlm_wb(struct connectdata *conn) conn->ntlm_auth_hlpr_pid = 0; } - free(conn->challenge_header); - conn->challenge_header = NULL; - free(conn->response_header); - conn->response_header = NULL; + Curl_safefree(conn->challenge_header); + Curl_safefree(conn->response_header); } static CURLcode ntlm_wb_init(struct connectdata *conn, const char *userp) @@ -393,7 +391,6 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn, struct auth *authp; CURLcode res = CURLE_OK; - char *input; DEBUGASSERT(conn); DEBUGASSERT(conn->data); @@ -444,19 +441,17 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn, proxy ? "Proxy-" : "", conn->response_header); DEBUG_OUT(fprintf(stderr, "**** Header %s\n ", *allocuserpwd)); - free(conn->response_header); + Curl_safefree(conn->response_header); if(!*allocuserpwd) return CURLE_OUT_OF_MEMORY; - conn->response_header = NULL; break; - case NTLMSTATE_TYPE2: - input = aprintf("TT %s\n", conn->challenge_header); + case NTLMSTATE_TYPE2: { + char *input = aprintf("TT %s\n", conn->challenge_header); if(!input) return CURLE_OUT_OF_MEMORY; res = ntlm_wb_response(conn, input, *state); free(input); - input = NULL; if(res) return res; 
@@ -471,7 +466,7 @@ CURLcode Curl_output_ntlm_wb(struct connectdata *conn, if(!*allocuserpwd) return CURLE_OUT_OF_MEMORY; break; - + } case NTLMSTATE_TYPE3: /* connection is already authenticated, * don't send a header in future requests */ diff --git a/libs/libcurl/src/curl_rtmp.h b/libs/libcurl/src/curl_rtmp.h index 3306e22005..86a01382da 100644 --- a/libs/libcurl/src/curl_rtmp.h +++ b/libs/libcurl/src/curl_rtmp.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2010, Howard Chu, + * Copyright (C) 2010 - 2019, Howard Chu, * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_setup.h b/libs/libcurl/src/curl_setup.h index 13af8cdec9..4ecda6a9b4 100644 --- a/libs/libcurl/src/curl_setup.h +++ b/libs/libcurl/src/curl_setup.h @@ -26,6 +26,14 @@ #define CURL_NO_OLDIES #endif +/* + * Disable Visual Studio warnings: + * 4127 "conditional expression is constant" + */ +#ifdef _MSC_VER +#pragma warning(disable:4127) +#endif + /* * Define WIN32 when build target is Win32 API */ @@ -563,6 +571,12 @@ * Mutually exclusive CURLRES_* definitions. */ +#if defined(ENABLE_IPV6) && defined(HAVE_GETADDRINFO) +# define CURLRES_IPV6 +#else +# define CURLRES_IPV4 +#endif + #ifdef USE_ARES # define CURLRES_ASYNCH # define CURLRES_ARES @@ -577,12 +591,6 @@ # define CURLRES_SYNCH #endif -#ifdef ENABLE_IPV6 -# define CURLRES_IPV6 -#else -# define CURLRES_IPV4 -#endif - /* ---------------------------------------------------------------- */ /* 
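Review bot: The new `#pragma warning(disable:4127)` in curl_setup.h turns MSVC's "conditional expression is constant" warning off for every translation unit that includes this header, with no push/pop and no comment on why the previous, locally scoped `__pragma` suppression (removed from curl_setup_once.h in a later hunk) was not enough. A blanket disable also hides genuine constant conditions elsewhere in the library. If it must stay global, document the scope next to it: `/* 4127 disabled library-wide: do { ... } while(0) is used throughout; per-site push/pop was unwieldy */`.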
@@ -644,7 +652,8 @@ int netware_init(void); #if defined(USE_GNUTLS) || defined(USE_OPENSSL) || defined(USE_NSS) || \ defined(USE_MBEDTLS) || \ defined(USE_WOLFSSL) || defined(USE_SCHANNEL) || \ - defined(USE_SECTRANSP) || defined(USE_GSKIT) || defined(USE_MESALINK) + defined(USE_SECTRANSP) || defined(USE_GSKIT) || defined(USE_MESALINK) || \ + defined(USE_BEARSSL) #define USE_SSL /* SSL support has been enabled */ #endif @@ -713,7 +722,7 @@ int netware_init(void); */ #ifndef Curl_nop_stmt -# define Curl_nop_stmt do { } WHILE_FALSE +# define Curl_nop_stmt do { } while(0) #endif /* diff --git a/libs/libcurl/src/curl_setup_once.h b/libs/libcurl/src/curl_setup_once.h index 413ccea917..8890f3890d 100644 --- a/libs/libcurl/src/curl_setup_once.h +++ b/libs/libcurl/src/curl_setup_once.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -329,27 +329,6 @@ struct timeval { #include "curl_ctype.h" -/* - * Macro WHILE_FALSE may be used to build single-iteration do-while loops, - * avoiding compiler warnings. Mostly intended for other macro definitions. - */ - -#define WHILE_FALSE while(0) - -#if defined(_MSC_VER) && !defined(__POCC__) -# undef WHILE_FALSE -# if (_MSC_VER < 1500) -# define WHILE_FALSE while(1, 0) -# else -# define WHILE_FALSE \ -__pragma(warning(push)) \ -__pragma(warning(disable:4127)) \ -while(0) \ -__pragma(warning(pop)) -# endif -#endif - - /* * Typedef to 'int' if sig_atomic_t is not an available 'typedefed' type. */ @@ -387,7 +366,7 @@ typedef int sig_atomic_t; #ifdef DEBUGBUILD #define DEBUGF(x) x #else -#define DEBUGF(x) do { } WHILE_FALSE +#define DEBUGF(x) do { } while(0) #endif 
@@ -395,10 +374,11 @@ typedef int sig_atomic_t; * Macro used to include assertion code only in debug builds. */ +#undef DEBUGASSERT #if defined(DEBUGBUILD) && defined(HAVE_ASSERT_H) #define DEBUGASSERT(x) assert(x) #else -#define DEBUGASSERT(x) do { } WHILE_FALSE +#define DEBUGASSERT(x) do { } while(0) #endif diff --git a/libs/libcurl/src/curl_sha256.h b/libs/libcurl/src/curl_sha256.h index 6db4b04dbb..14b6414ea0 100644 --- a/libs/libcurl/src/curl_sha256.h +++ b/libs/libcurl/src/curl_sha256.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2010, Florin Petriuc, + * Copyright (C) 1998 - 2019, Florin Petriuc, * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_sspi.c b/libs/libcurl/src/curl_sspi.c index 1d0de4ed33..f7cc10f804 100644 --- a/libs/libcurl/src/curl_sspi.c +++ b/libs/libcurl/src/curl_sspi.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_sspi.h b/libs/libcurl/src/curl_sspi.h index 2bbf9477bb..c09026ebbb 100644 --- a/libs/libcurl/src/curl_sspi.h +++ b/libs/libcurl/src/curl_sspi.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_threads.c b/libs/libcurl/src/curl_threads.c index 8e5937aa0b..064c075d0e 100644 --- a/libs/libcurl/src/curl_threads.c +++ b/libs/libcurl/src/curl_threads.c 
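Review bot: The added `#undef DEBUGASSERT` before the definition has no comment saying which earlier definition it is meant to override, so a reader cannot tell whether it guards against a platform header, a build-system define, or an include-order issue. Add a one-liner such as `/* may already be defined by config/platform headers included above; this definition wins */`, adjusted to the actual trigger once confirmed. Without it the #undef reads as a workaround whose reason will be lost.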
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/curl_threads.h b/libs/libcurl/src/curl_threads.h index 2a93644c56..65d1a790c1 100644 --- a/libs/libcurl/src/curl_threads.h +++ b/libs/libcurl/src/curl_threads.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/dict.h b/libs/libcurl/src/dict.h index 12c0f3394d..38a55ac0de 100644 --- a/libs/libcurl/src/dict.h +++ b/libs/libcurl/src/dict.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/doh.c b/libs/libcurl/src/doh.c index d1795789e5..7f4eee5d81 100644 --- a/libs/libcurl/src/doh.c +++ b/libs/libcurl/src/doh.c 
@@ -86,12 +86,36 @@ UNITTEST DOHcode doh_encode(const char *host, unsigned char *orig = dnsp; const char *hostp = host; - /* The expected output length does not depend on the number of dots within - * the host name. It will always be two more than the length of the host - * name, one for the size and one trailing null. In case there are dots, - * each dot adds one size but removes the need to store the dot, net zero. + /* The expected output length is 16 bytes more than the length of + * the QNAME-encoding of the host name. + * + * A valid DNS name may not contain a zero-length label, except at + * the end. For this reason, a name beginning with a dot, or + * containing a sequence of two or more consecutive dots, is invalid + * and cannot be encoded as a QNAME. + * + * If the host name ends with a trailing dot, the corresponding + * QNAME-encoding is one byte longer than the host name. If (as is + * also valid) the hostname is shortened by the omission of the + * trailing dot, then its QNAME-encoding will be two bytes longer + * than the host name. + * + * Each [ label, dot ] pair is encoded as [ length, label ], + * preserving overall length. A final [ label ] without a dot is + * also encoded as [ length, label ], increasing overall length + * by one. The encoding is completed by appending a zero byte, + * representing the zero-length root label, again increasing + * the overall length by one. */ - const size_t expected_len = 12 + ( 1 + hostlen + 1) + 4; + + size_t expected_len; + DEBUGASSERT(hostlen); + expected_len = 12 + 1 + hostlen + 4; + if(host[hostlen-1]!='.') + expected_len++; + + if(expected_len > (256 + 16)) /* RFCs 1034, 1035 */ + return DOH_DNS_NAME_TOO_LONG; if(len < expected_len) return DOH_TOO_SMALL_BUFFER; 
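Review bot: The new length guard in doh_encode is one byte looser than the RFC 1035 limit it cites: `expected_len - 16` is the wire-format QNAME size, and RFC 1035 §2.3.4 caps names at 255 octets, so the test should be `if(expected_len > (255 + 16))`, not 256. Separately, `DEBUGASSERT(hostlen)` is compiled out of release builds, leaving `host[hostlen-1]` as an out-of-bounds read for an empty name; make it a real check, `if(!hostlen) return DOH_DNS_BAD_LABEL;` (whether any caller can pass an empty host is not visible here, but this is a UNITTEST entry point and the `len < expected_len` check below already relies on hostlen). That buffer check still bounds the writes, so the 256 issue is a conformance problem rather than a memory-safety one. The function body continues in the next hunk.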
@@ -109,31 +133,30 @@ UNITTEST DOHcode doh_encode(const char *host, *dnsp++ = '\0'; *dnsp++ = '\0'; /* ARCOUNT */ - /* store a QNAME */ - do { - char *dot = strchr(hostp, '.'); + /* encode each label and store it in the QNAME */ + while(*hostp) { size_t labellen; - bool found = false; - if(dot) { - found = true; + char *dot = strchr(hostp, '.'); + if(dot) labellen = dot - hostp; - } else labellen = strlen(hostp); - if(labellen > 63) { - /* too long label, error out */ + if((labellen > 63) || (!labellen)) { + /* label is too long or too short, error out */ *olen = 0; return DOH_DNS_BAD_LABEL; } + /* label is non-empty, process it */ *dnsp++ = (unsigned char)labellen; memcpy(dnsp, hostp, labellen); dnsp += labellen; - hostp += labellen + 1; - if(!found) { - *dnsp++ = 0; /* terminating zero */ - break; - } - } while(1); + hostp += labellen; + /* advance past dot, but only if there is one */ + if(dot) + hostp++; + } /* next label */ + + *dnsp++ = 0; /* append zero-length label for root */ /* There are assigned TYPE codes beyond 255: use range [1..65535] */ *dnsp++ = (unsigned char)(255 & (dnstype>>8)); /* upper 8 bit TYPE */ @@ -144,8 +167,8 @@ UNITTEST DOHcode doh_encode(const char *host, *olen = dnsp - orig; - /* verify that our assumption of length is valid, since - * this has lead to buffer overflows in this function */ + /* verify that our estimation of length is valid, since + * this has led to buffer overflows in this function */ DEBUGASSERT(*olen == expected_len); return DOH_OK; } @@ -195,7 +218,7 @@ do { \ result = curl_easy_setopt(doh, x, y); \ if(result) \ goto error; \ -} WHILE_FALSE +} while(0) static CURLcode dohprobe(struct Curl_easy *data, struct dnsprobe *p, DNStype dnstype, 
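Review bot: All writes in the label loop are driven by the actual string (`strchr`/`strlen` on hostp), while the only bound against `len` was computed from the caller-supplied `hostlen`; agreement between the two is verified only by `DEBUGASSERT(*olen == expected_len)` after the writes, which is compiled out of release builds, and the comment right above it says this function has overflowed before. A runtime bound inside the loop closes that gap at negligible cost: before the memcpy, `if((size_t)(dnsp - orig) + 1 + labellen + 1 + 4 > len) { *olen = 0; return DOH_TOO_SMALL_BUFFER; }` (reserving the root zero byte and the 4 QTYPE/QCLASS bytes). Whether any caller can pass a hostlen that differs from strlen(host) is not visible here, so this is defense in depth rather than a known bug.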
@@ -280,38 +303,42 @@ static CURLcode dohprobe(struct Curl_easy *data, ERROR_CHECK_SETOPT(CURLOPT_SSL_FALSESTART, 1L); if(data->set.ssl.primary.verifyhost) ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYHOST, 2L); +#ifndef CURL_DISABLE_PROXY if(data->set.proxy_ssl.primary.verifyhost) ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYHOST, 2L); - if(data->set.ssl.primary.verifypeer) - ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L); if(data->set.proxy_ssl.primary.verifypeer) ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYPEER, 1L); + if(data->set.str[STRING_SSL_CAFILE_PROXY]) { + ERROR_CHECK_SETOPT(CURLOPT_PROXY_CAINFO, + data->set.str[STRING_SSL_CAFILE_PROXY]); + } + if(data->set.str[STRING_SSL_CRLFILE_PROXY]) { + ERROR_CHECK_SETOPT(CURLOPT_PROXY_CRLFILE, + data->set.str[STRING_SSL_CRLFILE_PROXY]); + } + if(data->set.proxy_ssl.no_revoke) + ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE); + if(data->set.str[STRING_SSL_CAPATH_PROXY]) { + ERROR_CHECK_SETOPT(CURLOPT_PROXY_CAPATH, + data->set.str[STRING_SSL_CAPATH_PROXY]); + } +#endif + if(data->set.ssl.primary.verifypeer) + ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L); if(data->set.ssl.primary.verifystatus) ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L); if(data->set.str[STRING_SSL_CAFILE_ORIG]) { ERROR_CHECK_SETOPT(CURLOPT_CAINFO, data->set.str[STRING_SSL_CAFILE_ORIG]); } - if(data->set.str[STRING_SSL_CAFILE_PROXY]) { - ERROR_CHECK_SETOPT(CURLOPT_PROXY_CAINFO, - data->set.str[STRING_SSL_CAFILE_PROXY]); - } if(data->set.str[STRING_SSL_CAPATH_ORIG]) { ERROR_CHECK_SETOPT(CURLOPT_CAPATH, data->set.str[STRING_SSL_CAPATH_ORIG]); } - if(data->set.str[STRING_SSL_CAPATH_PROXY]) { - ERROR_CHECK_SETOPT(CURLOPT_PROXY_CAPATH, - data->set.str[STRING_SSL_CAPATH_PROXY]); - } if(data->set.str[STRING_SSL_CRLFILE_ORIG]) { ERROR_CHECK_SETOPT(CURLOPT_CRLFILE, data->set.str[STRING_SSL_CRLFILE_ORIG]); } - if(data->set.str[STRING_SSL_CRLFILE_PROXY]) { - ERROR_CHECK_SETOPT(CURLOPT_PROXY_CRLFILE, - data->set.str[STRING_SSL_CRLFILE_PROXY]); - 
} if(data->set.ssl.certinfo) ERROR_CHECK_SETOPT(CURLOPT_CERTINFO, 1L); if(data->set.str[STRING_SSL_RANDOM_FILE]) { @@ -324,8 +351,6 @@ static CURLcode dohprobe(struct Curl_easy *data, } if(data->set.ssl.no_revoke) ERROR_CHECK_SETOPT(CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE); - if(data->set.proxy_ssl.no_revoke) - ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE); if(data->set.ssl.fsslctx) ERROR_CHECK_SETOPT(CURLOPT_SSL_CTX_FUNCTION, data->set.ssl.fsslctx); if(data->set.ssl.fsslctxp) @@ -362,6 +387,7 @@ Curl_addrinfo *Curl_doh(struct connectdata *conn, { struct Curl_easy *data = conn->data; CURLcode result = CURLE_OK; + int slot; *waitp = TRUE; /* this never returns synchronously */ (void)conn; (void)hostname; @@ -380,8 +406,8 @@ Curl_addrinfo *Curl_doh(struct connectdata *conn, if(conn->ip_version != CURL_IPRESOLVE_V6) { /* create IPv4 DOH request */ - result = dohprobe(data, &data->req.doh.probe[0], DNS_TYPE_A, - hostname, data->set.str[STRING_DOH], + result = dohprobe(data, &data->req.doh.probe[DOH_PROBE_SLOT_IPADDR_V4], + DNS_TYPE_A, hostname, data->set.str[STRING_DOH], data->multi, data->req.doh.headers); if(result) goto error; @@ -390,8 +416,8 @@ Curl_addrinfo *Curl_doh(struct connectdata *conn, if(conn->ip_version != CURL_IPRESOLVE_V4) { /* create IPv6 DOH request */ - result = dohprobe(data, &data->req.doh.probe[1], DNS_TYPE_AAAA, - hostname, data->set.str[STRING_DOH], + result = dohprobe(data, &data->req.doh.probe[DOH_PROBE_SLOT_IPADDR_V6], + DNS_TYPE_AAAA, hostname, data->set.str[STRING_DOH], data->multi, data->req.doh.headers); if(result) goto error; @@ -402,8 +428,9 @@ Curl_addrinfo *Curl_doh(struct connectdata *conn, error: curl_slist_free_all(data->req.doh.headers); data->req.doh.headers = NULL; - Curl_close(&data->req.doh.probe[0].easy); - Curl_close(&data->req.doh.probe[1].easy); + for(slot = 0; slot < DOH_PROBE_SLOTS; slot++) { + Curl_close(&data->req.doh.probe[slot].easy); + } return NULL; } 
@@ -586,6 +613,9 @@ static DOHcode rdata(unsigned char *doh, if(rc) return rc; break; + case DNS_TYPE_DNAME: + /* explicit for clarity; just skip; rely on synthesized CNAME */ + break; default: /* unsupported type, just skip it */ break; @@ -647,8 +677,10 @@ UNITTEST DOHcode doh_decode(unsigned char *doh, return DOH_DNS_OUT_OF_RANGE; type = get16bit(doh, index); - if((type != DNS_TYPE_CNAME) && (type != dnstype)) - /* Not the same type as was asked for nor CNAME */ + if((type != DNS_TYPE_CNAME) /* may be synthesized from DNAME */ + && (type != DNS_TYPE_DNAME) /* if present, accept and ignore */ + && (type != dnstype)) + /* Not the same type as was asked for nor CNAME nor DNAME */ return DOH_DNS_UNEXPECTED_TYPE; index += 2; 
@@ -909,46 +941,43 @@ UNITTEST void de_cleanup(struct dohentry *d) CURLcode Curl_doh_is_resolved(struct connectdata *conn, struct Curl_dns_entry **dnsp) { + CURLcode result; struct Curl_easy *data = conn->data; *dnsp = NULL; /* defaults to no response */ - if(!data->req.doh.probe[0].easy && !data->req.doh.probe[1].easy) { + if(!data->req.doh.probe[DOH_PROBE_SLOT_IPADDR_V4].easy && + !data->req.doh.probe[DOH_PROBE_SLOT_IPADDR_V6].easy) { failf(data, "Could not DOH-resolve: %s", conn->async.hostname); return conn->bits.proxy?CURLE_COULDNT_RESOLVE_PROXY: CURLE_COULDNT_RESOLVE_HOST; } else if(!data->req.doh.pending) { - DOHcode rc; - DOHcode rc2; + DOHcode rc[DOH_PROBE_SLOTS]; struct dohentry de; + int slot; /* remove DOH handles from multi handle and close them */ - curl_multi_remove_handle(data->multi, data->req.doh.probe[0].easy); - Curl_close(&data->req.doh.probe[0].easy); - curl_multi_remove_handle(data->multi, data->req.doh.probe[1].easy); - Curl_close(&data->req.doh.probe[1].easy); + for(slot = 0; slot < DOH_PROBE_SLOTS; slot++) { + curl_multi_remove_handle(data->multi, data->req.doh.probe[slot].easy); + Curl_close(&data->req.doh.probe[slot].easy); + } /* parse the responses, create the struct and return it! 
*/ init_dohentry(&de); - rc = doh_decode(data->req.doh.probe[0].serverdoh.memory, - data->req.doh.probe[0].serverdoh.size, - data->req.doh.probe[0].dnstype, - &de); - Curl_safefree(data->req.doh.probe[0].serverdoh.memory); - if(rc) { - infof(data, "DOH: %s type %s for %s\n", doh_strerror(rc), - type2name(data->req.doh.probe[0].dnstype), - data->req.doh.host); - } - rc2 = doh_decode(data->req.doh.probe[1].serverdoh.memory, - data->req.doh.probe[1].serverdoh.size, - data->req.doh.probe[1].dnstype, - &de); - Curl_safefree(data->req.doh.probe[1].serverdoh.memory); - if(rc2) { - infof(data, "DOH: %s type %s for %s\n", doh_strerror(rc2), - type2name(data->req.doh.probe[1].dnstype), - data->req.doh.host); - } - if(!rc || !rc2) { + for(slot = 0; slot < DOH_PROBE_SLOTS; slot++) { + rc[slot] = doh_decode(data->req.doh.probe[slot].serverdoh.memory, + data->req.doh.probe[slot].serverdoh.size, + data->req.doh.probe[slot].dnstype, + &de); + Curl_safefree(data->req.doh.probe[slot].serverdoh.memory); + if(rc[slot]) { + infof(data, "DOH: %s type %s for %s\n", doh_strerror(rc[slot]), + type2name(data->req.doh.probe[slot].dnstype), + data->req.doh.host); + } + } /* next slot */ + + result = CURLE_COULDNT_RESOLVE_HOST; /* until we know better */ + if(!rc[DOH_PROBE_SLOT_IPADDR_V4] || !rc[DOH_PROBE_SLOT_IPADDR_V6]) { + /* we have an address, of one kind or other */ struct Curl_dns_entry *dns; struct Curl_addrinfo *ai; 
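Review bot: The new slot loops in Curl_doh_is_resolved call `curl_multi_remove_handle` and `doh_decode` on every DOH_PROBE_SLOTS entry, but earlier in this file the probes are created conditionally on `conn->ip_version`, so a slot that was never issued has a NULL `.easy` and an empty `serverdoh` buffer. This relies on curl_multi_remove_handle tolerating a NULL handle and on doh_decode rejecting an empty buffer, which presumably holds since the old two-slot code did the same, but it yields a misleading `DOH: ... type AAAA for host` infof line on a pure-IPv4 resolve. Skip unissued slots explicitly: `if(!data->req.doh.probe[slot].easy) continue;` in the remove loop, and in the decode loop set `rc[slot] = DOH_NO_CONTENT;` and continue when `serverdoh.size` is zero, so error reporting only covers probes that were actually sent. The function continues in the next hunk.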
@@ -970,21 +999,26 @@ CURLcode Curl_doh_is_resolved(struct connectdata *conn, if(data->share) Curl_share_unlock(data, CURL_LOCK_DATA_DNS); - de_cleanup(&de); - if(!dns) + if(!dns) { /* returned failure, bail out nicely */ Curl_freeaddrinfo(ai); + } else { conn->async.dns = dns; *dnsp = dns; - return CURLE_OK; + result = CURLE_OK; /* address resolution OK */ } - } + } /* address processing done */ + + /* Now process any build-specific attributes retrieved from DNS */ + + /* All done */ de_cleanup(&de); + return result; - return CURLE_COULDNT_RESOLVE_HOST; - } + } /* !data->req.doh.pending */ + /* else wait for pending DOH transactions to complete */ return CURLE_OK; } diff --git a/libs/libcurl/src/doh.h b/libs/libcurl/src/doh.h index f522d33085..fc053eddf9 100644 --- a/libs/libcurl/src/doh.h +++ b/libs/libcurl/src/doh.h @@ -55,14 +55,16 @@ typedef enum { DOH_DNS_UNEXPECTED_TYPE, /* 9 */ DOH_DNS_UNEXPECTED_CLASS, /* 10 */ DOH_NO_CONTENT, /* 11 */ - DOH_DNS_BAD_ID /* 12 */ + DOH_DNS_BAD_ID, /* 12 */ + DOH_DNS_NAME_TOO_LONG /* 13 */ } DOHcode; typedef enum { DNS_TYPE_A = 1, DNS_TYPE_NS = 2, DNS_TYPE_CNAME = 5, - DNS_TYPE_AAAA = 28 + DNS_TYPE_AAAA = 28, + DNS_TYPE_DNAME = 39 /* RFC6672 */ } DNStype; #define DOH_MAX_ADDR 24 diff --git a/libs/libcurl/src/dotdot.c b/libs/libcurl/src/dotdot.c index 2c6177aead..fe4f4971f1 100644 --- a/libs/libcurl/src/dotdot.c +++ b/libs/libcurl/src/dotdot.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/dotdot.h b/libs/libcurl/src/dotdot.h index 125af43671..f70b1db3fe 100644 --- a/libs/libcurl/src/dotdot.h +++ b/libs/libcurl/src/dotdot.h 
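Review bot: The comment `/* Now process any build-specific attributes retrieved from DNS */` in Curl_doh_is_resolved has no code under it, so it documents a step that does not exist and sends the next reader looking for it. Either drop it or make the intent explicit, e.g. `/* TODO: hook for build-specific DNS attributes; none are handled yet */`. The rest of the restructuring (single exit through de_cleanup, `result` carrying the outcome) reads clearly.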
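Review bot: DOHcode gains `DOH_DNS_NAME_TOO_LONG` (13) but this diff shows no matching update to doh_strerror's message table (not visible here); if that function indexes a fixed array by code without a range check, the new code would read past the table whenever doh_encode reports an over-long name. Confirm the table has a 13th entry and that lookup is bounds-checked, and add `/* keep doh_strerror() in sync */` beside the enum's last member so the next addition does not miss it. Likewise `DNS_TYPE_DNAME` should be known to type2name() for the infof output in Curl_doh_is_resolved to stay meaningful.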
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/easy.c b/libs/libcurl/src/easy.c index 001648d49b..6382cee3d5 100644 --- a/libs/libcurl/src/easy.c +++ b/libs/libcurl/src/easy.c @@ -72,7 +72,7 @@ #include "warnless.h" #include "multiif.h" #include "sigpipe.h" -#include "ssh.h" +#include "vssh/ssh.h" #include "setopt.h" #include "http_digest.h" #include "system_win32.h" @@ -157,20 +157,20 @@ static CURLcode global_init(long flags, bool memoryfuncs) if(!Curl_ssl_init()) { DEBUGF(fprintf(stderr, "Error: Curl_ssl_init failed\n")); - return CURLE_FAILED_INIT; + goto fail; } #ifdef WIN32 if(Curl_win32_init(flags)) { DEBUGF(fprintf(stderr, "Error: win32_init failed\n")); - return CURLE_FAILED_INIT; + goto fail; } #endif #ifdef __AMIGA__ if(!Curl_amiga_init()) { DEBUGF(fprintf(stderr, "Error: Curl_amiga_init failed\n")); - return CURLE_FAILED_INIT; + goto fail; } #endif @@ -182,14 +182,14 @@ static CURLcode global_init(long flags, bool memoryfuncs) if(Curl_resolver_global_init()) { DEBUGF(fprintf(stderr, "Error: resolver_global_init failed\n")); - return CURLE_FAILED_INIT; + goto fail; } (void)Curl_ipv6works(); #if defined(USE_SSH) if(Curl_ssh_init()) { - return CURLE_FAILED_INIT; + goto fail; } #endif @@ -201,6 +201,10 @@ static CURLcode global_init(long flags, bool memoryfuncs) Curl_version_init(); return CURLE_OK; + + fail: + initialized--; /* undo the increase */ + return CURLE_FAILED_INIT; } 
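Review bot: The new `fail:` path in global_init only undoes the `initialized` counter; sub-initialisers that already succeeded before the failing one (Curl_ssl_init, Curl_win32_init, Curl_amiga_init in the @@ -157 hunk, Curl_resolver_global_init in the @@ -182 hunk) are left initialised, so a failed curl_global_init followed by a retry re-enters them. Whether that is harmless depends on those functions tolerating a repeat call, which this diff does not show. If it is acceptable, say so at the label, `fail: /* partial init is left in place; sub-inits must tolerate being re-run */`; otherwise the label should call the matching cleanups in reverse order. The `initialized++` that `initialized--` reverses sits before these hunks and is not visible here.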
@@ -1027,9 +1031,10 @@ CURLcode curl_easy_pause(struct Curl_easy *data, int action) Curl_update_timer(data->multi); } - /* This transfer may have been moved in or out of the bundle, update - the corresponding socket callback, if used */ - Curl_updatesocket(data); + if(!data->state.done) + /* This transfer may have been moved in or out of the bundle, update the + corresponding socket callback, if used */ + Curl_updatesocket(data); return result; } diff --git a/libs/libcurl/src/easyif.h b/libs/libcurl/src/easyif.h index 6ba7e549d7..8a309c55b6 100644 --- a/libs/libcurl/src/easyif.h +++ b/libs/libcurl/src/easyif.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/file.c b/libs/libcurl/src/file.c index d349cd9241..249237073f 100644 --- a/libs/libcurl/src/file.c +++ b/libs/libcurl/src/file.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) struct Curl_easy *data = conn->data; char *real_path; struct FILEPROTO *file = data->req.protop; - int fd; + int fd = -1; #ifdef DOS_FILESYSTEM size_t i; char *actual_path; 
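Review bot: The new guard `if(!data->state.done)` before `Curl_updatesocket(data)` in curl_easy_pause has no comment saying why a finished transfer must be skipped; the moved comment only explains the call itself. Presumably multi_done has detached the connection by then (the multi.c hunks in this same commit set `conn->data = NULL` and call detach_connnection), so the socket callback would act on a stale association — if that is the reason, state it: `/* after multi_done the connection is detached, nothing to update */`. Braces around the comment-plus-statement body would also make the scope of the guard unambiguous.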
@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) return CURLE_URL_MALFORMAT; } - fd = open_readonly(actual_path, O_RDONLY|O_BINARY); + if(strncmp("\\\\", actual_path, 2)) + /* refuse to open path that starts with two backslashes */ + fd = open_readonly(actual_path, O_RDONLY|O_BINARY); file->path = actual_path; #else if(memchr(real_path, 0, real_path_len)) { diff --git a/libs/libcurl/src/file.h b/libs/libcurl/src/file.h index 20828ad4a9..f6b74a7f72 100644 --- a/libs/libcurl/src/file.h +++ b/libs/libcurl/src/file.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/ftp.c b/libs/libcurl/src/ftp.c index 8072a33d5d..469096f0f6 100644 --- a/libs/libcurl/src/ftp.c +++ b/libs/libcurl/src/ftp.c @@ -2039,13 +2039,11 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn, &year, &month, &day, &hour, &minute, &second)) { /* we have a time, reformat it */ char timebuf[24]; - time_t secs = time(NULL); - msnprintf(timebuf, sizeof(timebuf), "%04d%02d%02d %02d:%02d:%02d GMT", year, month, day, hour, minute, second); /* now, convert this into a time() value: */ - data->info.filetime = curl_getdate(timebuf, &secs); + data->info.filetime = Curl_getdate_capped(timebuf); } #ifdef CURL_FTP_HTTPSTYLE_HEAD diff --git a/libs/libcurl/src/ftplistparser.h b/libs/libcurl/src/ftplistparser.h index 8128887c0b..b34ae9b63a 100644 --- a/libs/libcurl/src/ftplistparser.h +++ b/libs/libcurl/src/ftplistparser.h 
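Review bot: The new `if(strncmp("\\\\", actual_path, 2))` guard leaves `fd` at the `-1` initialised in the @@ -136 hunk without any log line, so a refused path surfaces only as whatever error the existing `fd == -1` handling (outside this hunk) reports, indistinguishable from a missing file; a `failf(data, "refusing path starting with \\\\")`-style message next to the guard would make the refusal diagnosable. The comment should also say why rather than what: `/* a leading \\ is a UNC path: file:// must not reach network shares */`. The check matches backslashes only; if the DOS_FILESYSTEM code above this hunk normalises `/` to `\` before this point, `//host/share` is covered too, otherwise it is not — worth confirming.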
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/getinfo.h b/libs/libcurl/src/getinfo.h index aecf717f75..8d2af4266d 100644 --- a/libs/libcurl/src/getinfo.h +++ b/libs/libcurl/src/getinfo.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/gopher.h b/libs/libcurl/src/gopher.h index 501c990a85..dec2557fc6 100644 --- a/libs/libcurl/src/gopher.h +++ b/libs/libcurl/src/gopher.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/hostcheck.h b/libs/libcurl/src/hostcheck.h index f562df9ae7..9c180856ad 100644 --- a/libs/libcurl/src/hostcheck.h +++ b/libs/libcurl/src/hostcheck.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/hostip.c b/libs/libcurl/src/hostip.c index d4e8f9366a..b434b390a2 100644 --- a/libs/libcurl/src/hostip.c +++ b/libs/libcurl/src/hostip.c 
@@ -1021,6 +1021,10 @@ CURLcode Curl_loadhostpairs(struct Curl_easy *data) CURLcode Curl_resolv_check(struct connectdata *conn, struct Curl_dns_entry **dns) { +#if defined(CURL_DISABLE_DOH) && !defined(CURLRES_ASYNCH) + (void)dns; +#endif + if(conn->data->set.doh) return Curl_doh_is_resolved(conn, dns); return Curl_resolver_is_resolved(conn, dns); diff --git a/libs/libcurl/src/hostip4.c b/libs/libcurl/src/hostip4.c index e6ba710d83..2636851e68 100644 --- a/libs/libcurl/src/hostip4.c +++ b/libs/libcurl/src/hostip4.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -131,6 +131,16 @@ Curl_addrinfo *Curl_ipv4_resolve_r(const char *hostname, struct in_addr in; struct hostent *buf = NULL; +#ifdef ENABLE_IPV6 + { + struct in6_addr in6; + /* check if this is an IPv6 address string */ + if(Curl_inet_pton(AF_INET6, hostname, &in6) > 0) + /* This is an IPv6 address literal */ + return Curl_ip2addr(AF_INET6, &in6, hostname, port); + } +#endif /* ENABLE_IPV6 */ + if(Curl_inet_pton(AF_INET, hostname, &in) > 0) /* This is a dotted IP address 123.123.123.123-style */ return Curl_ip2addr(AF_INET, &in, hostname, port); diff --git a/libs/libcurl/src/hostsyn.c b/libs/libcurl/src/hostsyn.c index 3de6746f52..9e31008d2c 100644 --- a/libs/libcurl/src/hostsyn.c +++ b/libs/libcurl/src/hostsyn.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/http.c b/libs/libcurl/src/http.c index 4631a7f36b..837f53c415 100644 
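Review bot: After the new `#ifdef ENABLE_IPV6` block, Curl_ipv4_resolve_r can return an AF_INET6 entry from `Curl_ip2addr(AF_INET6, &in6, hostname, port)` despite its name, and the function's header comment (outside this hunk) presumably still describes it as IPv4-only. Update it so callers that assume v4 results are warned, e.g. `/* also accepts IPv6 literals and returns them as AF_INET6 entries */`. Whether any caller relies on receiving only AF_INET addresses from this path is not visible here.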
--- a/libs/libcurl/src/http.c +++ b/libs/libcurl/src/http.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -641,7 +641,7 @@ output_auth_headers(struct connectdata *conn, { const char *auth = NULL; CURLcode result = CURLE_OK; -#if !defined(CURL_DISABLE_VERBOSE_STRINGS) || defined(USE_SPNEGO) +#if !defined(CURL_DISABLE_VERBOSE_STRINGS) struct Curl_easy *data = conn->data; #endif @@ -1617,7 +1617,8 @@ CURLcode Curl_http_done(struct connectdata *conn, Curl_add_buffer_free(&http->send_buffer); } - Curl_http2_done(conn, premature); + Curl_http2_done(data, premature); + Curl_quic_done(data, premature); Curl_mime_cleanpart(&http->form); @@ -3973,7 +3974,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, else if(checkprefix("Retry-After:", k->p)) { /* Retry-After = HTTP-date / delay-seconds */ curl_off_t retry_after = 0; /* zero for unknown or "now" */ - time_t date = curl_getdate(&k->p[12], NULL); + time_t date = Curl_getdate_capped(&k->p[12]); if(-1 == date) { /* not a date, try it as a decimal number */ (void)curlx_strtoofft(&k->p[12], NULL, 10, &retry_after); @@ -4031,9 +4032,7 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, #endif else if(!k->http_bodyless && checkprefix("Last-Modified:", k->p) && (data->set.timecondition || data->set.get_filetime) ) { - time_t secs = time(NULL); - k->timeofdoc = curl_getdate(k->p + strlen("Last-Modified:"), - &secs); + k->timeofdoc = Curl_getdate_capped(k->p + strlen("Last-Modified:")); if(data->set.get_filetime) data->info.filetime = k->timeofdoc; } diff --git a/libs/libcurl/src/http.h b/libs/libcurl/src/http.h index a3a2757025..70d5dccec6 100644 --- a/libs/libcurl/src/http.h +++ b/libs/libcurl/src/http.h 
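Review bot: Switching the `Retry-After:` parse at @@ -3973 to `Curl_getdate_capped` means a far-future date now yields TIME_T_MAX instead of `-1`, so the `if(-1 == date)` fallback to decimal parsing is no longer taken for it and the delay presumably derived from `date` further down can become enormous; if a later cap on the delay exists, a comment pointing to it would help, otherwise one is needed here. The same applies to `Last-Modified:` at @@ -4031, where `data->info.filetime` will now carry TIME_T_MAX rather than an error — a behaviour change worth a line wherever that field is documented. The removal of the `time_t secs = time(NULL)` locals is consistent with the capped call taking no reference time.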
@@ -193,12 +193,17 @@ struct HTTP { #ifdef ENABLE_QUIC /*********** for HTTP/3 we store stream-local data here *************/ int64_t stream3_id; /* stream we are interested in */ + bool firstheader; /* FALSE until headers arrive */ bool firstbody; /* FALSE until body arrives */ bool h3req; /* FALSE until request is issued */ bool upload_done; #endif #ifdef USE_NGHTTP3 + size_t unacked_window; struct h3out *h3out; /* per-stream buffers for upload */ + char *overflow_buf; /* excess data received during a single Curl_read */ + size_t overflow_buflen; /* amount of data currently in overflow_buf */ + size_t overflow_bufsize; /* size of the overflow_buf allocation */ #endif }; diff --git a/libs/libcurl/src/http2.c b/libs/libcurl/src/http2.c index 6315fc4014..65f3513ee5 100644 --- a/libs/libcurl/src/http2.c +++ b/libs/libcurl/src/http2.c @@ -68,7 +68,7 @@ #ifdef DEBUG_HTTP2 #define H2BUGF(x) x #else -#define H2BUGF(x) do { } WHILE_FALSE +#define H2BUGF(x) do { } while(0) #endif @@ -1169,11 +1169,10 @@ static void populate_settings(struct connectdata *conn, httpc->local_settings_num = 3; } -void Curl_http2_done(struct connectdata *conn, bool premature) +void Curl_http2_done(struct Curl_easy *data, bool premature) { - struct Curl_easy *data = conn->data; struct HTTP *http = data->req.protop; - struct http_conn *httpc = &conn->proto.httpc; + struct http_conn *httpc = &data->conn->proto.httpc; /* there might be allocated resources done before this got the 'h2' pointer setup */ diff --git a/libs/libcurl/src/http2.h b/libs/libcurl/src/http2.h index 93058ccb31..12d36eef9b 100644 --- a/libs/libcurl/src/http2.h +++ b/libs/libcurl/src/http2.h 
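Review bot: The new `char *overflow_buf` field in struct HTTP says what it holds but not who owns it; a pointer with `overflow_buflen`/`overflow_bufsize` beside it is a heap buffer with a lifetime, and nothing in this hunk says where it is released. Put the ownership in the comment, e.g. `/* heap buffer owned by this struct; freed when the stream is torn down */`, naming the actual release point once confirmed (presumably the Curl_quic_done introduced in this commit). `unacked_window` has no comment at all while every neighbouring field does.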
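Review bot: `struct http_conn *httpc = &data->conn->proto.httpc;` in the rewritten Curl_http2_done dereferences `data->conn` unconditionally, whereas the old signature received `conn` from a caller that already held it; this same commit makes multi_done clear `conn->data` and detach the connection, so the call ordering now matters. A `DEBUGASSERT(data->conn);` before that line would document the precondition cheaply. The remainder of the function is outside this hunk.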
@@ -50,7 +50,7 @@ CURLcode Curl_http2_switched(struct connectdata *conn, /* called from http_setup_conn */ void Curl_http2_setup_conn(struct connectdata *conn); void Curl_http2_setup_req(struct Curl_easy *data); -void Curl_http2_done(struct connectdata *conn, bool premature); +void Curl_http2_done(struct Curl_easy *data, bool premature); CURLcode Curl_http2_done_sending(struct connectdata *conn); CURLcode Curl_http2_add_child(struct Curl_easy *parent, struct Curl_easy *child, diff --git a/libs/libcurl/src/http_ntlm.c b/libs/libcurl/src/http_ntlm.c index e4a4fe05d0..342b2424f3 100644 --- a/libs/libcurl/src/http_ntlm.c +++ b/libs/libcurl/src/http_ntlm.c @@ -44,9 +44,7 @@ /* SSL backend-specific #if branches in this file must be kept in the order documented in curl_ntlm_core. */ -#if defined(NTLM_NEEDS_NSS_INIT) -#include "vtls/nssg.h" -#elif defined(USE_WINDOWS_SSPI) +#if defined(USE_WINDOWS_SSPI) #include "curl_sspi.h" #endif @@ -137,11 +135,6 @@ CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy) DEBUGASSERT(conn); DEBUGASSERT(conn->data); -#if defined(NTLM_NEEDS_NSS_INIT) - if(CURLE_OK != Curl_nss_force_init(conn->data)) - return CURLE_OUT_OF_MEMORY; -#endif - if(proxy) { allocuserpwd = &conn->allocptr.proxyuserpwd; userp = conn->http_proxy.user; diff --git a/libs/libcurl/src/http_proxy.c b/libs/libcurl/src/http_proxy.c index f095455a51..75c7a60c35 100644 --- a/libs/libcurl/src/http_proxy.c +++ b/libs/libcurl/src/http_proxy.c @@ -58,8 +58,9 @@ static CURLcode https_proxy_connect(struct connectdata *conn, int sockindex) Curl_ssl_connect_nonblocking(conn, sockindex, &conn->bits.proxy_ssl_connected[sockindex]); if(result) - conn->bits.close = TRUE; /* a failed connection is marked for closure to - prevent (bad) re-use or similar */ + /* a failed connection is marked for closure to prevent (bad) re-use or + similar */ + connclose(conn, "TLS handshake failed"); } return result; #else 
diff --git a/libs/libcurl/src/imap.h b/libs/libcurl/src/imap.h index 0efcfd293c..4786f56241 100644 --- a/libs/libcurl/src/imap.h +++ b/libs/libcurl/src/imap.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2009 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 2009 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/inet_ntop.c b/libs/libcurl/src/inet_ntop.c index 855981c666..9a5af7f421 100644 --- a/libs/libcurl/src/inet_ntop.c +++ b/libs/libcurl/src/inet_ntop.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 1996-2001 Internet Software Consortium. + * Copyright (C) 1996-2019 Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/libs/libcurl/src/inet_ntop.h b/libs/libcurl/src/inet_ntop.h index d150bb6937..9d3f237f37 100644 --- a/libs/libcurl/src/inet_ntop.h +++ b/libs/libcurl/src/inet_ntop.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/inet_pton.c b/libs/libcurl/src/inet_pton.c index 0d65ae0ec7..9c87a05620 100644 --- a/libs/libcurl/src/inet_pton.c +++ b/libs/libcurl/src/inet_pton.c @@ -1,6 +1,6 @@ /* This is from the BIND 4.9.4 release, modified to compile by itself */ -/* Copyright (c) 1996 by Internet Software Consortium. +/* Copyright (c) 1996 - 2019 by Internet Software Consortium. * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
diff --git a/libs/libcurl/src/inet_pton.h b/libs/libcurl/src/inet_pton.h index 0209b9b7b7..e695af9c66 100644 --- a/libs/libcurl/src/inet_pton.h +++ b/libs/libcurl/src/inet_pton.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/krb5.c b/libs/libcurl/src/krb5.c index 5a47d481b4..f50287aec6 100644 --- a/libs/libcurl/src/krb5.c +++ b/libs/libcurl/src/krb5.c @@ -2,7 +2,7 @@ * * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). - * Copyright (c) 2004 - 2017 Daniel Stenberg + * Copyright (c) 2004 - 2019 Daniel Stenberg * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/libs/libcurl/src/ldap.c b/libs/libcurl/src/ldap.c index af3d61c57e..771edb4e98 100644 --- a/libs/libcurl/src/ldap.c +++ b/libs/libcurl/src/ldap.c @@ -112,7 +112,7 @@ static void _ldap_free_urldesc(LDAPURLDesc *ludp); #define LDAP_TRACE(x) do { \ _ldap_trace("%u: ", __LINE__); \ _ldap_trace x; \ - } WHILE_FALSE + } while(0) static void _ldap_trace(const char *fmt, ...); #else diff --git a/libs/libcurl/src/libcurl.plist b/libs/libcurl/src/libcurl.plist index 55c2ed494d..236ec4279b 100644 --- a/libs/libcurl/src/libcurl.plist +++ b/libs/libcurl/src/libcurl.plist @@ -15,7 +15,7 @@ se.haxx.curl.libcurl CFBundleVersion - 7.67.0 + 7.68.0 CFBundleName libcurl @@ -27,9 +27,9 @@ ???? CFBundleShortVersionString - libcurl 7.67.0 + libcurl 7.68.0 CFBundleGetInfoString - libcurl.plist 7.67.0 + libcurl.plist 7.68.0 diff --git a/libs/libcurl/src/llist.h b/libs/libcurl/src/llist.h index b9d4c89a98..a5e2ecbfb4 100644 --- a/libs/libcurl/src/llist.h +++ b/libs/libcurl/src/llist.h 
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/memdebug.h b/libs/libcurl/src/memdebug.h index 5236f60fa5..7ca4426269 100644 --- a/libs/libcurl/src/memdebug.h +++ b/libs/libcurl/src/memdebug.h @@ -169,6 +169,6 @@ CURL_EXTERN int curl_dbg_fclose(FILE *file, int line, const char *source); */ #define Curl_safefree(ptr) \ - do { free((ptr)); (ptr) = NULL;} WHILE_FALSE + do { free((ptr)); (ptr) = NULL;} while(0) #endif /* HEADER_CURL_MEMDEBUG_H */ diff --git a/libs/libcurl/src/mprintf.c b/libs/libcurl/src/mprintf.c index e190936782..bc0091351d 100644 --- a/libs/libcurl/src/mprintf.c +++ b/libs/libcurl/src/mprintf.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1999 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1999 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -104,7 +104,7 @@ static const char upper_digits[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"; done++; \ else \ return done; /* return immediately on failure */ \ - } WHILE_FALSE + } while(0) /* Data type to read from the arglist */ typedef enum { diff --git a/libs/libcurl/src/multi.c b/libs/libcurl/src/multi.c index 6dfe8842e7..6d819b4aaa 100644 --- a/libs/libcurl/src/multi.c +++ b/libs/libcurl/src/multi.c @@ -46,6 +46,7 @@ #include "connect.h" #include "http_proxy.h" #include "http2.h" +#include "socketpair.h" /* The last 3 #include files should be in this order */ #include "curl_printf.h" #include "curl_memory.h" 
@@ -259,6 +260,7 @@ static struct Curl_sh_entry *sh_addentry(struct curl_hash *sh, /* make/add new hash entry */ if(!Curl_hash_add(sh, (char *)&s, sizeof(curl_socket_t), check)) { + Curl_hash_destroy(&check->transfers); free(check); return NULL; /* major failure */ } @@ -367,6 +369,21 @@ struct Curl_multi *Curl_multi_handle(int hashsize, /* socket hash */ /* -1 means it not set by user, use the default value */ multi->maxconnects = -1; + +#ifdef ENABLE_WAKEUP + if(Curl_socketpair(AF_UNIX, SOCK_STREAM, 0, multi->wakeup_pair) < 0) { + multi->wakeup_pair[0] = CURL_SOCKET_BAD; + multi->wakeup_pair[1] = CURL_SOCKET_BAD; + } + else if(curlx_nonblock(multi->wakeup_pair[0], TRUE) < 0 || + curlx_nonblock(multi->wakeup_pair[1], TRUE) < 0) { + sclose(multi->wakeup_pair[0]); + sclose(multi->wakeup_pair[1]); + multi->wakeup_pair[0] = CURL_SOCKET_BAD; + multi->wakeup_pair[1] = CURL_SOCKET_BAD; + } +#endif + return multi; error: @@ -531,6 +548,8 @@ static CURLcode multi_done(struct Curl_easy *data, /* Stop if multi_done() has already been called */ return CURLE_OK; + conn->data = data; /* ensure the connection uses this transfer now */ + /* Stop the resolver and free its own resources (but not dns_entry yet). */ Curl_resolver_kill(conn); @@ -567,15 +586,17 @@ static CURLcode multi_done(struct Curl_easy *data, process_pending_handles(data->multi); /* connection / multiplex */ + CONN_LOCK(data); detach_connnection(data); if(CONN_INUSE(conn)) { /* Stop if still used. */ + CONN_UNLOCK(data); DEBUGF(infof(data, "Connection still in use %zu, " "no more multi_done now!\n", conn->easyq.size)); return CURLE_OK; } - + conn->data = NULL; /* the connection now has no owner */ data->state.done = TRUE; /* called just now! */ if(conn->dns_entry) { 
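Review bot: `CONN_LOCK(data)` at @@ -567 in multi_done is balanced by an explicit `CONN_UNLOCK(data)` on the early `CONN_INUSE` return and, in the @@ -618 and @@ -635 hunks on the next line, before `Curl_disconnect` and before `Curl_conncache_return_conn`; the code between these hunks (from `if(conn->dns_entry) {` to the disconnect decision) is not visible, so any `return` in that stretch would leave the lock held. A `/* CONN_LOCK held from here until the disconnect/return decision */` comment at the lock site and a check for such returns would be worthwhile. Also `conn->data = NULL; /* the connection now has no owner */` is set before `Curl_disconnect(data, conn, premature)` runs on the same connection — if anything in the disconnect path reads `conn->data`, it now sees NULL.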
@@ -618,7 +639,10 @@ static CURLcode multi_done(struct Curl_easy *data, #endif ) || conn->bits.close || (premature && !(conn->handler->flags & PROTOPT_STREAM))) { - CURLcode res2 = Curl_disconnect(data, conn, premature); + CURLcode res2; + connclose(conn, "disconnecting"); + CONN_UNLOCK(data); + res2 = Curl_disconnect(data, conn, premature); /* If we had an error already, make sure we return that one. But if we got a new error, return that. */ @@ -635,9 +659,9 @@ static CURLcode multi_done(struct Curl_easy *data, conn->bits.httpproxy ? conn->http_proxy.host.dispname : conn->bits.conn_to_host ? conn->conn_to_host.dispname : conn->host.dispname); - /* the connection is no longer in use by this transfer */ - if(Curl_conncache_return_conn(conn)) { + CONN_UNLOCK(data); + if(Curl_conncache_return_conn(data, conn)) { /* remember the most recently used connection */ data->state.lastconnect = conn; infof(data, "%s\n", buffer); @@ -695,11 +719,6 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, easy_owns_conn = TRUE; } - /* The timer must be shut down before data->multi is set to NULL, - else the timenode will remain in the splay tree after - curl_easy_cleanup is called. */ - Curl_expire_clear(data); - if(data->conn) { /* we must call multi_done() here (if we still own the connection) so that @@ -715,6 +734,11 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, } } + /* The timer must be shut down before data->multi is set to NULL, else the + timenode will remain in the splay tree after curl_easy_cleanup is + called. Do it after multi_done() in case that sets another time! */ + Curl_expire_clear(data); + if(data->connect_queue.ptr) /* the handle was in the pending list waiting for an available connection, so go ahead and remove it */ 
@@ -744,10 +768,8 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, vanish with this handle */ /* Remove the association between the connection and the handle */ - if(data->conn) { - data->conn->data = NULL; + if(data->conn) detach_connnection(data); - } #ifdef USE_LIBPSL /* Remove the PSL association. */ @@ -1005,7 +1027,8 @@ static CURLMcode Curl_multi_wait(struct Curl_multi *multi, unsigned int extra_nfds, int timeout_ms, int *ret, - bool extrawait) /* when no socket, wait */ + bool extrawait, /* when no socket, wait */ + bool use_wakeup) { struct Curl_easy *data; curl_socket_t sockbunch[MAX_SOCKSPEREASYHANDLE]; @@ -1059,6 +1082,12 @@ static CURLMcode Curl_multi_wait(struct Curl_multi *multi, curlfds = nfds; /* number of internal file descriptors */ nfds += extra_nfds; /* add the externally provided ones */ +#ifdef ENABLE_WAKEUP + if(use_wakeup && multi->wakeup_pair[0] != CURL_SOCKET_BAD) { + ++nfds; + } +#endif + if(nfds > NUM_POLLS_ON_STACK) { /* 'nfds' is a 32 bit value and 'struct pollfd' is typically 8 bytes big, so at 2^29 sockets this value might wrap. When a process gets @@ -1117,6 +1146,14 @@ static CURLMcode Curl_multi_wait(struct Curl_multi *multi, ++nfds; } +#ifdef ENABLE_WAKEUP + if(use_wakeup && multi->wakeup_pair[0] != CURL_SOCKET_BAD) { + ufds[nfds].fd = multi->wakeup_pair[0]; + ufds[nfds].events = POLLIN; + ++nfds; + } +#endif + if(nfds) { int pollrc; /* wait... */ 
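Review bot: The new `bool use_wakeup` parameter of Curl_multi_wait at @@ -1005 is undocumented while its neighbour `extrawait` carries an inline comment; add one in the same style, `bool use_wakeup) /* also poll the internal wakeup socket */`. The `++nfds` for the wakeup descriptor at @@ -1059 is correctly placed before the `nfds > NUM_POLLS_ON_STACK` sizing check, so the later `ufds[nfds]` store at @@ -1117 stays in bounds.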
@@ -1140,6 +1177,29 @@ static CURLMcode Curl_multi_wait(struct Curl_multi *multi, extra_fds[i].revents = mask; } + +#ifdef ENABLE_WAKEUP + if(use_wakeup && multi->wakeup_pair[0] != CURL_SOCKET_BAD) { + if(ufds[curlfds + extra_nfds].revents & POLLIN) { + char buf[64]; + while(1) { + /* the reading socket is non-blocking, try to read + data from it until it receives an error (except EINTR). + In normal cases it will get EAGAIN or EWOULDBLOCK + when there is no more data, breaking the loop. */ + if(sread(multi->wakeup_pair[0], buf, sizeof(buf)) < 0) { +#ifndef USE_WINSOCK + if(EINTR == SOCKERRNO) + continue; +#endif + break; + } + } + /* do not count the wakeup socket into the returned value */ + retcode--; + } + } +#endif } } @@ -1147,7 +1207,7 @@ static CURLMcode Curl_multi_wait(struct Curl_multi *multi, free(ufds); if(ret) *ret = retcode; - if(!extrawait || extra_fds || curlfds) + if(!extrawait || nfds) /* if any socket was checked */ ; else { @@ -1157,6 +1217,10 @@ static CURLMcode Curl_multi_wait(struct Curl_multi *multi, if(!curl_multi_timeout(multi, &sleep_ms) && sleep_ms) { if(sleep_ms > timeout_ms) sleep_ms = timeout_ms; + /* when there are no easy handles in the multi, this holds a -1 + timeout */ + else if((sleep_ms < 0) && extrawait) + sleep_ms = timeout_ms; Curl_wait_ms((int)sleep_ms); } } @@ -1170,7 +1234,8 @@ CURLMcode curl_multi_wait(struct Curl_multi *multi, int timeout_ms, int *ret) { - return Curl_multi_wait(multi, extra_fds, extra_nfds, timeout_ms, ret, FALSE); + return Curl_multi_wait(multi, extra_fds, extra_nfds, timeout_ms, ret, FALSE, + FALSE); } CURLMcode curl_multi_poll(struct Curl_multi *multi, 
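Review bot: The drain loop in the new `ENABLE_WAKEUP` block only exits when `sread()` returns a negative value; a return of `0` (the write end closed) is covered by neither branch, so the `while(1)` would spin forever. Store the result in a signed local and leave the loop on zero before the error check, e.g. `if(nread == 0) break;`, keeping the EINTR handling for the negative case. The `ufds[curlfds + extra_nfds]` index assumes the wakeup descriptor was appended right after the extra fds, which the @@ -1117 hunk on the previous line does ensure — a comment tying the two together would stop a future reorder from breaking it silently.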
@@ -1179,7 +1244,55 @@ CURLMcode curl_multi_poll(struct Curl_multi *multi, int timeout_ms, int *ret) { - return Curl_multi_wait(multi, extra_fds, extra_nfds, timeout_ms, ret, TRUE); + return Curl_multi_wait(multi, extra_fds, extra_nfds, timeout_ms, ret, TRUE, + TRUE); +} + +CURLMcode curl_multi_wakeup(struct Curl_multi *multi) +{ + /* this function is usually called from another thread, + it has to be careful only to access parts of the + Curl_multi struct that are constant */ + + /* GOOD_MULTI_HANDLE can be safely called */ + if(!GOOD_MULTI_HANDLE(multi)) + return CURLM_BAD_HANDLE; + +#ifdef ENABLE_WAKEUP + /* the wakeup_pair variable is only written during init and cleanup, + making it safe to access from another thread after the init part + and before cleanup */ + if(multi->wakeup_pair[1] != CURL_SOCKET_BAD) { + char buf[1]; + buf[0] = 1; + while(1) { + /* swrite() is not thread-safe in general, because concurrent calls + can have their messages interleaved, but in this case the content + of the messages does not matter, which makes it ok to call. + + The write socket is set to non-blocking, this way this function + cannot block, making it safe to call even from the same thread + that will call Curl_multi_wait(). If swrite() returns that it + would block, it's considered successful because it means that + previous calls to this function will wake up the poll(). */ + if(swrite(multi->wakeup_pair[1], buf, sizeof(buf)) < 0) { + int err = SOCKERRNO; + int return_success; +#ifdef USE_WINSOCK + return_success = WSAEWOULDBLOCK == err; +#else + if(EINTR == err) + continue; + return_success = EWOULDBLOCK == err || EAGAIN == err; +#endif + if(!return_success) + return CURLM_WAKEUP_FAILURE; + } + return CURLM_OK; + } + } +#endif + return CURLM_WAKEUP_FAILURE; } /* 
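Review bot: The comment in curl_multi_wakeup states that `wakeup_pair` is only written during init and cleanup, but nothing prevents curl_multi_cleanup (which closes both descriptors, next line) from running concurrently with a wakeup issued from another thread, in which case `swrite()` targets a closed — and possibly reused — descriptor. That ordering contract belongs in the public documentation and in this comment: `/* the caller must ensure curl_multi_cleanup() is not running concurrently */`. Minor: `char buf[1]; buf[0] = 1;` can be `char buf[1] = {1};`.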
@@ -1242,6 +1355,7 @@ static CURLcode multi_do(struct Curl_easy *data, bool *done) DEBUGASSERT(conn); DEBUGASSERT(conn->handler); + DEBUGASSERT(conn->data == data); if(conn->handler->do_it) { /* generic protocol-specific function pointer set in curl_connect() */ @@ -2305,6 +2419,11 @@ CURLMcode curl_multi_cleanup(struct Curl_multi *multi) Curl_hash_destroy(&multi->hostcache); Curl_psl_destroy(&multi->psl); + +#ifdef ENABLE_WAKEUP + sclose(multi->wakeup_pair[0]); + sclose(multi->wakeup_pair[1]); +#endif free(multi); return CURLM_OK; diff --git a/libs/libcurl/src/multihandle.h b/libs/libcurl/src/multihandle.h index b65bd96386..0bf09e6bb5 100644 --- a/libs/libcurl/src/multihandle.h +++ b/libs/libcurl/src/multihandle.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -24,6 +24,7 @@ #include "conncache.h" #include "psl.h" +#include "socketpair.h" struct Curl_message { struct curl_llist_element list; @@ -66,6 +67,14 @@ typedef enum { #define CURLPIPE_ANY (CURLPIPE_MULTIPLEX) +#if defined(USE_SOCKETPAIR) && !defined(USE_BLOCKING_SOCKETS) +#define ENABLE_WAKEUP +#endif + + +/* value for MAXIMUM CONCURRENT STREAMS upper limit */ +#define INITIAL_MAX_CONCURRENT_STREAMS ((1U << 31) - 1) + /* This is the struct known as CURLM on the outside */ struct Curl_multi { /* First a simple identifier to easier detect if a user mix up @@ -134,6 +143,11 @@ struct Curl_multi { previous callback */ bool in_callback; /* true while executing a callback */ long max_concurrent_streams; /* max concurrent streams client to support */ + +#ifdef ENABLE_WAKEUP + curl_socket_t wakeup_pair[2]; /* socketpair() used for wakeup + 0 is used for read, 1 is used for write */ +#endif }; #endif /* HEADER_CURL_MULTIHANDLE_H */ 
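Review bot: `sclose(multi->wakeup_pair[0])` and `sclose(multi->wakeup_pair[1])` in curl_multi_cleanup run even when Curl_multi_handle stored `CURL_SOCKET_BAD` in both slots after a failed socketpair or nonblock setup (the @@ -367 hunk), so close is invoked on an invalid descriptor; harmless on POSIX but worth guarding with `if(multi->wakeup_pair[0] != CURL_SOCKET_BAD)` for each, matching the checks Curl_multi_wait and curl_multi_wakeup already perform.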
diff --git a/libs/libcurl/src/nonblock.c b/libs/libcurl/src/nonblock.c index 4d105c1fea..abeb6598c2 100644 --- a/libs/libcurl/src/nonblock.c +++ b/libs/libcurl/src/nonblock.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/nonblock.h b/libs/libcurl/src/nonblock.h index eb18ea1c34..d50d315944 100644 --- a/libs/libcurl/src/nonblock.h +++ b/libs/libcurl/src/nonblock.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/parsedate.c b/libs/libcurl/src/parsedate.c index f4b18d091a..585d7ea404 100644 --- a/libs/libcurl/src/parsedate.c +++ b/libs/libcurl/src/parsedate.c @@ -587,6 +587,30 @@ time_t curl_getdate(const char *p, const time_t *now) return -1; } +/* Curl_getdate_capped() differs from curl_getdate() in that this will return + TIME_T_MAX in case the parsed time value was too big, instead of an + error. */ + +time_t Curl_getdate_capped(const char *p) +{ + time_t parsed = -1; + int rc = parsedate(p, &parsed); + + switch(rc) { + case PARSEDATE_OK: + if(parsed == -1) + /* avoid returning -1 for a working scenario */ + parsed++; + return parsed; + case PARSEDATE_LATER: + /* this returns the maximum time value */ + return parsed; + default: + return -1; /* everything else is fail */ + } + /* UNREACHABLE */ +} + /* * Curl_gmtime() is a gmtime() replacement for portability. Do not use the * gmtime_r() or gmtime() functions anywhere else but here. 
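Review bot: In Curl_getdate_capped the `PARSEDATE_LATER` case returns `parsed` with the comment "this returns the maximum time value", so the function's documented TIME_T_MAX guarantee rests on parsedate() having stored that value in `parsed` for that return code — which this hunk does not show. Make the dependency checkable with `DEBUGASSERT(parsed == TIME_T_MAX);` in that case, or set `parsed = TIME_T_MAX` here explicitly. The `parsed++` for a genuine `-1` result is deliberate sentinel avoidance; the comment could say so: `/* -1 is the error sentinel, nudge a real -1 to 0 */`.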
diff --git a/libs/libcurl/src/parsedate.h b/libs/libcurl/src/parsedate.h index 8dc3b90ec7..8c7ae94e43 100644 --- a/libs/libcurl/src/parsedate.h +++ b/libs/libcurl/src/parsedate.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -27,4 +27,10 @@ extern const char * const Curl_month[12]; CURLcode Curl_gmtime(time_t intime, struct tm *store); +/* Curl_getdate_capped() differs from curl_getdate() in that this will return + TIME_T_MAX in case the parsed time value was too big, instead of an + error. */ + +time_t Curl_getdate_capped(const char *p); + #endif /* HEADER_CURL_PARSEDATE_H */ diff --git a/libs/libcurl/src/pop3.h b/libs/libcurl/src/pop3.h index a8e697cde2..3ba7999771 100644 --- a/libs/libcurl/src/pop3.h +++ b/libs/libcurl/src/pop3.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2009 - 2015, Daniel Stenberg, , et al. + * Copyright (C) 2009 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/progress.c b/libs/libcurl/src/progress.c index 2aa9295993..60a941ab2d 100644 --- a/libs/libcurl/src/progress.c +++ b/libs/libcurl/src/progress.c 
@@ -594,11 +594,13 @@ int Curl_pgrsUpdate(struct connectdata *conn)
 data->progress.size_ul,
 data->progress.uploaded);
 Curl_set_in_callback(data, false);
- if(result)
- failf(data, "Callback aborted");
- return result;
+ if(result != CURL_PROGRESSFUNC_CONTINUE) {
+ if(result)
+ failf(data, "Callback aborted");
+ return result;
+ }
 }
- if(data->set.fprogress) {
+ else if(data->set.fprogress) {
 int result;
 /* The older deprecated callback is set, call that */
 Curl_set_in_callback(data, true);
@@ -608,9 +610,11 @@ int Curl_pgrsUpdate(struct connectdata *conn)
 (double)data->progress.size_ul,
 (double)data->progress.uploaded);
 Curl_set_in_callback(data, false);
- if(result)
- failf(data, "Callback aborted");
- return result;
+ if(result != CURL_PROGRESSFUNC_CONTINUE) {
+ if(result)
+ failf(data, "Callback aborted");
+ return result;
+ }
 }

 if(showprogress)
diff --git a/libs/libcurl/src/quic.h b/libs/libcurl/src/quic.h
index 6c132a3247..1eb23e9766 100644
--- a/libs/libcurl/src/quic.h
+++ b/libs/libcurl/src/quic.h
@@ -45,9 +45,13 @@ CURLcode Curl_quic_is_connected(struct connectdata *conn, bool *connected);
 int Curl_quic_ver(char *p, size_t len);
 CURLcode Curl_quic_done_sending(struct connectdata *conn);
+void Curl_quic_done(struct Curl_easy *data, bool premature);
+bool Curl_quic_data_pending(const struct Curl_easy *data);
 #else /* ENABLE_QUIC */
 #define Curl_quic_done_sending(x)
+#define Curl_quic_done(x,y)
+#define Curl_quic_data_pending(x)
 #endif /* !ENABLE_QUIC */

 #endif /* HEADER_CURL_QUIC_H */
diff --git a/libs/libcurl/src/rtsp.h b/libs/libcurl/src/rtsp.h
index 2f9cc32c8e..1aae86456d 100644
--- a/libs/libcurl/src/rtsp.h
+++ b/libs/libcurl/src/rtsp.h
@@ -7,7 +7,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
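Review bot: The new `if(result != CURL_PROGRESSFUNC_CONTINUE)` guard in both progress.c hunks only behaves as intended if that constant is non-zero and distinct from every abort value a callback may return, because the inner `if(result)` decides whether failf() runs; the definition is not in this hunk, so a one-line comment at the first guard would help: `/* CURL_PROGRESSFUNC_CONTINUE: callback did not abort, fall through to the showprogress handling below */`. Because the deprecated-callback branch became `else if`, a CURL_PROGRESSFUNC_CONTINUE return from fxferinfo now skips fprogress entirely; if that is intended it deserves a sentence in the same comment. The identical guard block appears twice and could be one small static helper. Curl_pgrsUpdate() starts and ends outside these hunks.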
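Review bot: The non-QUIC stub `#define Curl_quic_data_pending(x)` in quic.h expands to nothing, so any call site that uses its bool result in a condition will not compile in a build without ENABLE_QUIC, unlike the void-returning `Curl_quic_done(x,y)` stub where an empty expansion is fine. Presumably the callers are guarded by `#ifdef ENABLE_QUIC`; if they are not, `#define Curl_quic_data_pending(x) FALSE` mirrors the function's return type and keeps call sites uniform. A comment on the `#else /* ENABLE_QUIC */` block stating whether the stubs are meant for unconditional call sites would settle which of the two is intended.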
diff --git a/libs/libcurl/src/select.c b/libs/libcurl/src/select.c index 8cd9eb2add..2de503d370 100644 --- a/libs/libcurl/src/select.c +++ b/libs/libcurl/src/select.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/select.h b/libs/libcurl/src/select.h index f5652a74f7..687ab164c4 100644 --- a/libs/libcurl/src/select.h +++ b/libs/libcurl/src/select.h @@ -109,7 +109,7 @@ int tpf_select_libcurl(int maxfds, fd_set* reads, fd_set* writes, SET_SOCKERRNO(EINVAL); \ return -1; \ } \ -} WHILE_FALSE +} while(0) #endif #endif /* HEADER_CURL_SELECT_H */ diff --git a/libs/libcurl/src/sendf.c b/libs/libcurl/src/sendf.c index 5913ea4060..6c38b04b23 100644 --- a/libs/libcurl/src/sendf.c +++ b/libs/libcurl/src/sendf.c @@ -36,7 +36,7 @@ #include "sendf.h" #include "connect.h" #include "vtls/vtls.h" -#include "ssh.h" +#include "vssh/ssh.h" #include "easyif.h" #include "multiif.h" #include "non-ascii.h" @@ -224,7 +224,7 @@ bool Curl_recv_has_postponed_data(struct connectdata *conn, int sockindex) (void)sockindex; return false; } -#define pre_receive_plain(c,n) do {} WHILE_FALSE +#define pre_receive_plain(c,n) do {} while(0) #define get_pre_recved(c,n,b,l) 0 #endif /* ! USE_RECV_BEFORE_SEND_WORKAROUND */ diff --git a/libs/libcurl/src/setopt.c b/libs/libcurl/src/setopt.c index 64c29e3336..5f88ad3afd 100644 --- a/libs/libcurl/src/setopt.c +++ b/libs/libcurl/src/setopt.c 
@@ -2133,6 +2133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
 data->set.ssl.enable_beast =
 (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
 data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+ data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
 break;

 #ifndef CURL_DISABLE_PROXY
@@ -2141,6 +2142,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
 data->set.proxy_ssl.enable_beast =
 (bool)((arg&CURLSSLOPT_ALLOW_BEAST) ? TRUE : FALSE);
 data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE);
+ data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN);
 break;
 #endif

@@ -2612,14 +2614,12 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
 result = CURLE_NOT_BUILT_IN;
 #endif
 break;
-#ifdef USE_NGHTTP2
 case CURLOPT_SSL_ENABLE_NPN:
 data->set.ssl_enable_npn = (0 != va_arg(param, long)) ? TRUE : FALSE;
 break;
 case CURLOPT_SSL_ENABLE_ALPN:
 data->set.ssl_enable_alpn = (0 != va_arg(param, long)) ? TRUE : FALSE;
 break;
-#endif
 #ifdef USE_UNIX_SOCKETS
 case CURLOPT_UNIX_SOCKET_PATH:
 data->set.abstract_unix_socket = FALSE;
diff --git a/libs/libcurl/src/sha256.c b/libs/libcurl/src/sha256.c
index f9287af232..bcaaeae308 100644
--- a/libs/libcurl/src/sha256.c
+++ b/libs/libcurl/src/sha256.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2018, Florin Petriuc,
+ * Copyright (C) 1998 - 2019, Florin Petriuc,
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
diff --git a/libs/libcurl/src/slist.c b/libs/libcurl/src/slist.c
index 392b84d13a..d27fbe19bc 100644
--- a/libs/libcurl/src/slist.c
+++ b/libs/libcurl/src/slist.c
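Review bot: Removing the `#ifdef USE_NGHTTP2` guard in the third setopt.c hunk means CURLOPT_SSL_ENABLE_NPN and CURLOPT_SSL_ENABLE_ALPN are now accepted and stored in every build, so an application can no longer learn from the return code that the option has no effect in a build whose TLS backend ignores ssl_enable_npn/ssl_enable_alpn. A comment at the `case CURLOPT_SSL_ENABLE_NPN:` line such as `/* stored unconditionally; whether the TLS backend honors it is decided elsewhere */` would make that explicit. The new `no_partialchain` assignment is mirrored for proxy_ssl in the second hunk, which keeps the two option handlers consistent. Curl_vsetopt() starts and ends outside these hunks.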
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/slist.h b/libs/libcurl/src/slist.h index d73dbf672d..799b3c060f 100644 --- a/libs/libcurl/src/slist.h +++ b/libs/libcurl/src/slist.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/smtp.h b/libs/libcurl/src/smtp.h index b67340a40c..20fc081190 100644 --- a/libs/libcurl/src/smtp.h +++ b/libs/libcurl/src/smtp.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2009 - 2014, Daniel Stenberg, , et al. + * Copyright (C) 2009 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/sockaddr.h b/libs/libcurl/src/sockaddr.h index db146803ab..b037ee06c2 100644 --- a/libs/libcurl/src/sockaddr.h +++ b/libs/libcurl/src/sockaddr.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/socketpair.c b/libs/libcurl/src/socketpair.c index 1f0e2e4a4f..1ec0d75a46 100644 --- a/libs/libcurl/src/socketpair.c +++ b/libs/libcurl/src/socketpair.c 
@@ -40,6 +40,9 @@ #ifdef HAVE_NETINET_IN_H #include /* IPPROTO_TCP */ #endif +#ifdef HAVE_ARPA_INET_H +#include +#endif #ifndef INADDR_LOOPBACK #define INADDR_LOOPBACK 0x7f000001 #endif /* !INADDR_LOOPBACK */ diff --git a/libs/libcurl/src/socks.h b/libs/libcurl/src/socks.h index daa07c1275..3b319a6ef1 100644 --- a/libs/libcurl/src/socks.h +++ b/libs/libcurl/src/socks.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/ssh.h b/libs/libcurl/src/ssh.h deleted file mode 100644 index 3213c5a52e..0000000000 --- a/libs/libcurl/src/ssh.h +++ /dev/null 
@@ -1,254 +0,0 @@ -#ifndef HEADER_CURL_SSH_H -#define HEADER_CURL_SSH_H -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at https://curl.haxx.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - ***************************************************************************/ - -#include "curl_setup.h" - -#if defined(HAVE_LIBSSH2_H) -#include -#include -#elif defined(HAVE_LIBSSH_LIBSSH_H) -#include -#include -#endif /* HAVE_LIBSSH2_H */ - -/**************************************************************************** - * SSH unique setup - ***************************************************************************/ -typedef enum { - SSH_NO_STATE = -1, /* Used for "nextState" so say there is none */ - SSH_STOP = 0, /* do nothing state, stops the state machine */ - - SSH_INIT, /* First state in SSH-CONNECT */ - SSH_S_STARTUP, /* Session startup */ - SSH_HOSTKEY, /* verify hostkey */ - SSH_AUTHLIST, - SSH_AUTH_PKEY_INIT, - SSH_AUTH_PKEY, - SSH_AUTH_PASS_INIT, - SSH_AUTH_PASS, - SSH_AUTH_AGENT_INIT, /* initialize then wait for connection to agent */ - SSH_AUTH_AGENT_LIST, /* ask for list then wait for entire list to come */ - SSH_AUTH_AGENT, /* attempt one key at a time */ - SSH_AUTH_HOST_INIT, - SSH_AUTH_HOST, - SSH_AUTH_KEY_INIT, - SSH_AUTH_KEY, - SSH_AUTH_GSSAPI, - SSH_AUTH_DONE, - SSH_SFTP_INIT, 
- SSH_SFTP_REALPATH, /* Last state in SSH-CONNECT */ - - SSH_SFTP_QUOTE_INIT, /* First state in SFTP-DO */ - SSH_SFTP_POSTQUOTE_INIT, /* (Possibly) First state in SFTP-DONE */ - SSH_SFTP_QUOTE, - SSH_SFTP_NEXT_QUOTE, - SSH_SFTP_QUOTE_STAT, - SSH_SFTP_QUOTE_SETSTAT, - SSH_SFTP_QUOTE_SYMLINK, - SSH_SFTP_QUOTE_MKDIR, - SSH_SFTP_QUOTE_RENAME, - SSH_SFTP_QUOTE_RMDIR, - SSH_SFTP_QUOTE_UNLINK, - SSH_SFTP_QUOTE_STATVFS, - SSH_SFTP_GETINFO, - SSH_SFTP_FILETIME, - SSH_SFTP_TRANS_INIT, - SSH_SFTP_UPLOAD_INIT, - SSH_SFTP_CREATE_DIRS_INIT, - SSH_SFTP_CREATE_DIRS, - SSH_SFTP_CREATE_DIRS_MKDIR, - SSH_SFTP_READDIR_INIT, - SSH_SFTP_READDIR, - SSH_SFTP_READDIR_LINK, - SSH_SFTP_READDIR_BOTTOM, - SSH_SFTP_READDIR_DONE, - SSH_SFTP_DOWNLOAD_INIT, - SSH_SFTP_DOWNLOAD_STAT, /* Last state in SFTP-DO */ - SSH_SFTP_CLOSE, /* Last state in SFTP-DONE */ - SSH_SFTP_SHUTDOWN, /* First state in SFTP-DISCONNECT */ - SSH_SCP_TRANS_INIT, /* First state in SCP-DO */ - SSH_SCP_UPLOAD_INIT, - SSH_SCP_DOWNLOAD_INIT, - SSH_SCP_DOWNLOAD, - SSH_SCP_DONE, - SSH_SCP_SEND_EOF, - SSH_SCP_WAIT_EOF, - SSH_SCP_WAIT_CLOSE, - SSH_SCP_CHANNEL_FREE, /* Last state in SCP-DONE */ - SSH_SESSION_DISCONNECT, /* First state in SCP-DISCONNECT */ - SSH_SESSION_FREE, /* Last state in SCP/SFTP-DISCONNECT */ - SSH_QUIT, - SSH_LAST /* never used */ -} sshstate; - -/* this struct is used in the HandleData struct which is part of the - Curl_easy, which means this is used on a per-easy handle basis. - Everything that is strictly related to a connection is banned from this - struct. */ -struct SSHPROTO { - char *path; /* the path we operate on */ -}; - -/* ssh_conn is used for struct connection-oriented data in the connectdata - struct */ -struct ssh_conn { - const char *authlist; /* List of auth. 
methods, managed by libssh2 */ - - /* common */ - const char *passphrase; /* pass-phrase to use */ - char *rsa_pub; /* path name */ - char *rsa; /* path name */ - bool authed; /* the connection has been authenticated fine */ - sshstate state; /* always use ssh.c:state() to change state! */ - sshstate nextstate; /* the state to goto after stopping */ - CURLcode actualcode; /* the actual error code */ - struct curl_slist *quote_item; /* for the quote option */ - char *quote_path1; /* two generic pointers for the QUOTE stuff */ - char *quote_path2; - - bool acceptfail; /* used by the SFTP_QUOTE (continue if - quote command fails) */ - char *homedir; /* when doing SFTP we figure out home dir in the - connect phase */ - size_t readdir_len, readdir_totalLen, readdir_currLen; - char *readdir_line; - char *readdir_linkPath; - /* end of READDIR stuff */ - - int secondCreateDirs; /* counter use by the code to see if the - second attempt has been made to change - to/create a directory */ - char *slash_pos; /* used by the SFTP_CREATE_DIRS state */ - - int orig_waitfor; /* default READ/WRITE bits wait for */ - -#if defined(USE_LIBSSH) -/* our variables */ - unsigned kbd_state; /* 0 or 1 */ - ssh_key privkey; - ssh_key pubkey; - int auth_methods; - ssh_session ssh_session; - ssh_scp scp_session; - sftp_session sftp_session; - sftp_file sftp_file; - sftp_dir sftp_dir; - - unsigned sftp_recv_state; /* 0 or 1 */ - int sftp_file_index; /* for async read */ - sftp_attributes readdir_attrs; /* used by the SFTP readdir actions */ - sftp_attributes readdir_link_attrs; /* used by the SFTP readdir actions */ - sftp_attributes quote_attrs; /* used by the SFTP_QUOTE state */ - - const char *readdir_filename; /* points within readdir_attrs */ - const char *readdir_longentry; - char *readdir_tmp; -#elif defined(USE_LIBSSH2) - char *readdir_filename; - char *readdir_longentry; - - LIBSSH2_SFTP_ATTRIBUTES quote_attrs; /* used by the SFTP_QUOTE state */ - - /* Here's a set of struct members used 
by the SFTP_READDIR state */ - LIBSSH2_SFTP_ATTRIBUTES readdir_attrs; - LIBSSH2_SESSION *ssh_session; /* Secure Shell session */ - LIBSSH2_CHANNEL *ssh_channel; /* Secure Shell channel handle */ - LIBSSH2_SFTP *sftp_session; /* SFTP handle */ - LIBSSH2_SFTP_HANDLE *sftp_handle; - -#ifdef HAVE_LIBSSH2_AGENT_API - LIBSSH2_AGENT *ssh_agent; /* proxy to ssh-agent/pageant */ - struct libssh2_agent_publickey *sshagent_identity, - *sshagent_prev_identity; -#endif - - /* note that HAVE_LIBSSH2_KNOWNHOST_API is a define set in the libssh2.h - header */ -#ifdef HAVE_LIBSSH2_KNOWNHOST_API - LIBSSH2_KNOWNHOSTS *kh; -#endif -#endif /* USE_LIBSSH */ -}; - -#if defined(USE_LIBSSH) - -#define CURL_LIBSSH_VERSION ssh_version(0) - -extern const struct Curl_handler Curl_handler_scp; -extern const struct Curl_handler Curl_handler_sftp; - -#elif defined(USE_LIBSSH2) - -/* Feature detection based on version numbers to better work with - non-configure platforms */ - -#if !defined(LIBSSH2_VERSION_NUM) || (LIBSSH2_VERSION_NUM < 0x001000) -# error "SCP/SFTP protocols require libssh2 0.16 or later" -#endif - -#if LIBSSH2_VERSION_NUM >= 0x010000 -#define HAVE_LIBSSH2_SFTP_SEEK64 1 -#endif - -#if LIBSSH2_VERSION_NUM >= 0x010100 -#define HAVE_LIBSSH2_VERSION 1 -#endif - -#if LIBSSH2_VERSION_NUM >= 0x010205 -#define HAVE_LIBSSH2_INIT 1 -#define HAVE_LIBSSH2_EXIT 1 -#endif - -#if LIBSSH2_VERSION_NUM >= 0x010206 -#define HAVE_LIBSSH2_KNOWNHOST_CHECKP 1 -#define HAVE_LIBSSH2_SCP_SEND64 1 -#endif - -#if LIBSSH2_VERSION_NUM >= 0x010208 -#define HAVE_LIBSSH2_SESSION_HANDSHAKE 1 -#endif - -#ifdef HAVE_LIBSSH2_VERSION -/* get it run-time if possible */ -#define CURL_LIBSSH2_VERSION libssh2_version(0) -#else -/* use build-time if run-time not possible */ -#define CURL_LIBSSH2_VERSION LIBSSH2_VERSION -#endif - -extern const struct Curl_handler Curl_handler_scp; -extern const struct Curl_handler Curl_handler_sftp; -#endif /* USE_LIBSSH2 */ - -#ifdef USE_SSH -/* generic SSH backend functions */ -CURLcode 
Curl_ssh_init(void); -void Curl_ssh_cleanup(void); -size_t Curl_ssh_version(char *buffer, size_t buflen); -#else -/* for non-SSH builds */ -#define Curl_ssh_cleanup() -#endif - -#endif /* HEADER_CURL_SSH_H */ diff --git a/libs/libcurl/src/strdup.c b/libs/libcurl/src/strdup.c index 51e7978b7f..1ab10fd644 100644 --- a/libs/libcurl/src/strdup.c +++ b/libs/libcurl/src/strdup.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/strerror.c b/libs/libcurl/src/strerror.c index d0650d80c5..29df5aa55a 100644 --- a/libs/libcurl/src/strerror.c +++ b/libs/libcurl/src/strerror.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2004 - 2019, Daniel Stenberg, , et al. + * Copyright (C) 2004 - 2020, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -314,6 +314,9 @@ curl_easy_strerror(CURLcode error) case CURLE_AUTH_ERROR: return "An authentication function returned an error"; + case CURLE_HTTP3: + return "HTTP/3 error"; + /* error codes not used by current libcurl */ case CURLE_OBSOLETE20: case CURLE_OBSOLETE24: @@ -386,6 +389,9 @@ curl_multi_strerror(CURLMcode error) case CURLM_RECURSIVE_API_CALL: return "API function called from within callback"; + case CURLM_WAKEUP_FAILURE: + return "Wakeup is unavailable or failed"; + case CURLM_LAST: break; } 
@@ -436,19 +442,26 @@ curl_share_strerror(CURLSHcode error)
 }

 #ifdef USE_WINSOCK
-
-/* This function handles most / all (?) Winsock errors curl is able to produce.
+/* This is a helper function for Curl_strerror that converts Winsock error
+ * codes (WSAGetLastError) to error messages.
+ * Returns NULL if no error message was found for error code.
 */
 static const char *
 get_winsock_error (int err, char *buf, size_t len)
 {
-#ifdef PRESERVE_WINDOWS_ERROR_CODE
- DWORD old_win_err = GetLastError();
-#endif
- int old_errno = errno;
+#ifndef CURL_DISABLE_VERBOSE_STRINGS
 const char *p;
+#endif

-#ifndef CURL_DISABLE_VERBOSE_STRINGS
+ if(!len)
+ return NULL;
+
+ *buf = '\0';
+
+#ifdef CURL_DISABLE_VERBOSE_STRINGS
+ (void)err;
+ return NULL;
+#else
 switch(err) {
 case WSAEINTR:
 p = "Call interrupted";
@@ -617,26 +630,63 @@ get_winsock_error (int err, char *buf, size_t len)
 default:
 return NULL;
 }
-#else
- if(!err)
- return NULL;
- else
- p = "error";
-#endif
 strncpy(buf, p, len);
 buf [len-1] = '\0';
+ return buf;
+#endif
+}
+#endif /* USE_WINSOCK */

- if(errno != old_errno)
- errno = old_errno;
+#if defined(WIN32) || defined(_WIN32_WCE)
+/* This is a helper function for Curl_strerror that converts Windows API error
+ * codes (GetLastError) to error messages.
+ * Returns NULL if no error message was found for error code.
+ */
+static const char *
+get_winapi_error(int err, char *buf, size_t buflen)
+{
+ char *p;

-#ifdef PRESERVE_WINDOWS_ERROR_CODE
- if(old_win_err != GetLastError())
- SetLastError(old_win_err);
+ if(!buflen)
+ return NULL;
+
+ *buf = '\0';
+
+#ifdef _WIN32_WCE
+ {
+ wchar_t wbuf[256];
+ wbuf[0] = L'\0';
+
+ if(FormatMessage((FORMAT_MESSAGE_FROM_SYSTEM |
+ FORMAT_MESSAGE_IGNORE_INSERTS), NULL, err,
+ LANG_NEUTRAL, wbuf, sizeof(wbuf)/sizeof(wchar_t), NULL)) {
+ size_t written = wcstombs(buf, wbuf, buflen - 1);
+ if(written != (size_t)-1)
+ buf[written] = '\0';
+ else
+ *buf = '\0';
+ }
+ }
+#else
+ if(!FormatMessageA((FORMAT_MESSAGE_FROM_SYSTEM |
+ FORMAT_MESSAGE_IGNORE_INSERTS), NULL, err,
+ LANG_NEUTRAL, buf, (DWORD)buflen, NULL)) {
+ *buf = '\0';
+ }
 #endif

- return buf;
+ /* Truncate multiple lines */
+ p = strchr(buf, '\n');
+ if(p) {
+ if(p > buf && *(p-1) == '\r')
+ *(p-1) = '\0';
+ else
+ *p = '\0';
+ }
+
+ return (*buf ? buf : NULL);
 }
-#endif /* USE_WINSOCK */
+#endif /* WIN32 || _WIN32_WCE */

 /*
 * Our thread-safe and smart strerror() replacement.
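Review bot: get_winapi_error() declares `int err`, but both callers hand it a DWORD (`(DWORD)err` in Curl_strerror and the `DWORD err` parameter of Curl_winapi_strerror in the later hunks) and FormatMessage takes the message id as a DWORD, so the value makes an unsigned-to-signed-to-unsigned round trip for no benefit; declare it as `get_winapi_error(DWORD err, char *buf, size_t buflen)` and drop the cast at the Curl_strerror call. The rest of the new helper looks sound: the `!buflen` guard makes `buflen - 1` safe, the `(size_t)-1` result of wcstombs is handled, and the trim stops at the first newline. A short comment above `#ifdef _WIN32_WCE` stating why the CE build takes the wide-character path would save the next reader from guessing.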
@@ -648,6 +698,14 @@ get_winsock_error (int err, char *buf, size_t len)
 *
 * We don't do range checking (on systems other than Windows) since there is
 * no good reliable and portable way to do it.
+ *
+ * On Windows different types of error codes overlap. This function has an
+ * order of preference when trying to match error codes:
+ * CRT (errno), Winsock (WSAGetLastError), Windows API (GetLastError).
+ *
+ * It may be more correct to call one of the variant functions instead:
+ * Call Curl_sspi_strerror if the error code is definitely Windows SSPI.
+ * Call Curl_winapi_strerror if the error code is definitely Windows API.
 */
 const char *Curl_strerror(int err, char *buf, size_t buflen)
 {
@@ -658,35 +716,30 @@ const char *Curl_strerror(int err, char *buf, size_t buflen)
 char *p;
 size_t max;

+ if(!buflen)
+ return NULL;
+
 DEBUGASSERT(err >= 0);

 max = buflen - 1;
 *buf = '\0';

-#ifdef USE_WINSOCK
-
-#ifdef _WIN32_WCE
- {
- wchar_t wbuf[256];
- wbuf[0] = L'\0';
-
- FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM, NULL, err,
- LANG_NEUTRAL, wbuf, sizeof(wbuf)/sizeof(wchar_t), NULL);
- wcstombs(buf, wbuf, max);
- }
-#else
+#if defined(WIN32) || defined(_WIN32_WCE)
+#if defined(WIN32)
 /* 'sys_nerr' is the maximum errno number, it is not widely portable */
 if(err >= 0 && err < sys_nerr)
 strncpy(buf, strerror(err), max);
- else {
- if(!get_winsock_error(err, buf, max) &&
- !FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, err,
- LANG_NEUTRAL, buf, (DWORD)max, NULL))
+ else
+#endif
+ {
+ if(
+#ifdef USE_WINSOCK
+ !get_winsock_error(err, buf, max) &&
+#endif
+ !get_winapi_error((DWORD)err, buf, max))
 msnprintf(buf, max, "Unknown error %d (%#x)", err, err);
 }
-#endif
-
-#else /* not USE_WINSOCK coming up */
+#else /* not Windows coming up */

 #if defined(HAVE_STRERROR_R) && defined(HAVE_POSIX_STRERROR_R)
 /*
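Review bot: The new header comment lists the lookup order as CRT, Winsock, Windows API, but in the second hunk the CRT step (`sys_nerr`/strerror) sits inside `#if defined(WIN32)` while the enclosing block is `#if defined(WIN32) || defined(_WIN32_WCE)`, so on a CE build where WIN32 is not defined the order starts at Winsock; the comment could read `CRT (errno; not on Windows CE), Winsock (WSAGetLastError), Windows API (GetLastError)`. The `if(` that is split across `#ifdef USE_WINSOCK` lines is hard to read at a glance; a comment such as `/* try the Winsock table when built in, then the Windows API message */` above it would help. Curl_strerror() continues past the end of this hunk.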
@@ -734,7 +787,7 @@ const char *Curl_strerror(int err, char *buf, size_t buflen)
 }
 #endif

-#endif /* end of ! USE_WINSOCK */
+#endif /* end of not Windows */

 buf[max] = '\0'; /* make sure the string is zero terminated */

@@ -757,7 +810,52 @@ const char *Curl_strerror(int err, char *buf, size_t buflen)
 return buf;
 }

+/*
+ * Curl_winapi_strerror:
+ * Variant of Curl_strerror if the error code is definitely Windows API.
+ */
+#if defined(WIN32) || defined(_WIN32_WCE)
+const char *Curl_winapi_strerror(DWORD err, char *buf, size_t buflen)
+{
+#ifdef PRESERVE_WINDOWS_ERROR_CODE
+ DWORD old_win_err = GetLastError();
+#endif
+ int old_errno = errno;
+
+ if(!buflen)
+ return NULL;
+
+ *buf = '\0';
+
+#ifndef CURL_DISABLE_VERBOSE_STRINGS
+ if(!get_winapi_error(err, buf, buflen)) {
+ msnprintf(buf, buflen, "Unknown error %u (0x%08X)", err, err);
+ }
+#else
+ {
+ const char *txt = (err == ERROR_SUCCESS) ? "No error" : "Error";
+ strncpy(buf, txt, buflen);
+ buf[buflen - 1] = '\0';
+ }
+#endif
+
+ if(errno != old_errno)
+ errno = old_errno;
+
+#ifdef PRESERVE_WINDOWS_ERROR_CODE
+ if(old_win_err != GetLastError())
+ SetLastError(old_win_err);
+#endif
+
+ return buf;
+}
+#endif /* WIN32 || _WIN32_WCE */
+
 #ifdef USE_WINDOWS_SSPI
+/*
+ * Curl_sspi_strerror:
+ * Variant of Curl_strerror if the error code is definitely Windows SSPI.
+ */
 const char *Curl_sspi_strerror(int err, char *buf, size_t buflen)
 {
 #ifdef PRESERVE_WINDOWS_ERROR_CODE
@@ -765,18 +863,11 @@ const char *Curl_sspi_strerror(int err, char *buf, size_t buflen)
 #endif
 int old_errno = errno;
 const char *txt;
- char *outbuf;
- size_t outmax;
-#ifndef CURL_DISABLE_VERBOSE_STRINGS
- char txtbuf[80];
- char msgbuf[256];
- char *p, *str, *msg = NULL;
- bool msg_formatted = FALSE;
-#endif

- outbuf = buf;
- outmax = buflen - 1;
- *outbuf = '\0';
+ if(!buflen)
+ return NULL;
+
+ *buf = '\0';

 #ifndef CURL_DISABLE_VERBOSE_STRINGS
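Review bot: Curl_winapi_strerror formats the DWORD `err` with `%u` and `0x%08X`, which expect unsigned int; DWORD is `unsigned long` on Windows, so the conversion specifiers do not match the argument type and a -Wformat build will flag it, even though both types are 32 bits on that platform. Use `msnprintf(buf, buflen, "Unknown error %lu (0x%08lX)", err, err);` or cast both arguments to unsigned int. Saving and restoring errno and GetLastError around the lookup is a good addition, since the message lookup itself may change them; the `!buflen` guard also makes the `buf[buflen - 1]` write in the non-verbose branch safe.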
@@ -784,314 +875,121 @@ const char *Curl_sspi_strerror(int err, char *buf, size_t buflen) case SEC_E_OK: txt = "No error"; break; - case CRYPT_E_REVOKED: - txt = "CRYPT_E_REVOKED"; - break; - case SEC_E_ALGORITHM_MISMATCH: - txt = "SEC_E_ALGORITHM_MISMATCH"; - break; - case SEC_E_BAD_BINDINGS: - txt = "SEC_E_BAD_BINDINGS"; - break; - case SEC_E_BAD_PKGID: - txt = "SEC_E_BAD_PKGID"; - break; - case SEC_E_BUFFER_TOO_SMALL: - txt = "SEC_E_BUFFER_TOO_SMALL"; - break; - case SEC_E_CANNOT_INSTALL: - txt = "SEC_E_CANNOT_INSTALL"; - break; - case SEC_E_CANNOT_PACK: - txt = "SEC_E_CANNOT_PACK"; - break; - case SEC_E_CERT_EXPIRED: - txt = "SEC_E_CERT_EXPIRED"; - break; - case SEC_E_CERT_UNKNOWN: - txt = "SEC_E_CERT_UNKNOWN"; - break; - case SEC_E_CERT_WRONG_USAGE: - txt = "SEC_E_CERT_WRONG_USAGE"; - break; - case SEC_E_CONTEXT_EXPIRED: - txt = "SEC_E_CONTEXT_EXPIRED"; - break; - case SEC_E_CROSSREALM_DELEGATION_FAILURE: - txt = "SEC_E_CROSSREALM_DELEGATION_FAILURE"; - break; - case SEC_E_CRYPTO_SYSTEM_INVALID: - txt = "SEC_E_CRYPTO_SYSTEM_INVALID"; - break; - case SEC_E_DECRYPT_FAILURE: - txt = "SEC_E_DECRYPT_FAILURE"; - break; - case SEC_E_DELEGATION_POLICY: - txt = "SEC_E_DELEGATION_POLICY"; - break; - case SEC_E_DELEGATION_REQUIRED: - txt = "SEC_E_DELEGATION_REQUIRED"; - break; - case SEC_E_DOWNGRADE_DETECTED: - txt = "SEC_E_DOWNGRADE_DETECTED"; - break; - case SEC_E_ENCRYPT_FAILURE: - txt = "SEC_E_ENCRYPT_FAILURE"; - break; - case SEC_E_ILLEGAL_MESSAGE: - txt = "SEC_E_ILLEGAL_MESSAGE"; - break; - case SEC_E_INCOMPLETE_CREDENTIALS: - txt = "SEC_E_INCOMPLETE_CREDENTIALS"; - break; - case SEC_E_INCOMPLETE_MESSAGE: - txt = "SEC_E_INCOMPLETE_MESSAGE"; - break; - case SEC_E_INSUFFICIENT_MEMORY: - txt = "SEC_E_INSUFFICIENT_MEMORY"; - break; - case SEC_E_INTERNAL_ERROR: - txt = "SEC_E_INTERNAL_ERROR"; - break; - case SEC_E_INVALID_HANDLE: - txt = "SEC_E_INVALID_HANDLE"; - break; - case SEC_E_INVALID_PARAMETER: - txt = "SEC_E_INVALID_PARAMETER"; - break; - case 
SEC_E_INVALID_TOKEN: - txt = "SEC_E_INVALID_TOKEN"; - break; - case SEC_E_ISSUING_CA_UNTRUSTED: - txt = "SEC_E_ISSUING_CA_UNTRUSTED"; - break; - case SEC_E_ISSUING_CA_UNTRUSTED_KDC: - txt = "SEC_E_ISSUING_CA_UNTRUSTED_KDC"; - break; - case SEC_E_KDC_CERT_EXPIRED: - txt = "SEC_E_KDC_CERT_EXPIRED"; - break; - case SEC_E_KDC_CERT_REVOKED: - txt = "SEC_E_KDC_CERT_REVOKED"; - break; - case SEC_E_KDC_INVALID_REQUEST: - txt = "SEC_E_KDC_INVALID_REQUEST"; - break; - case SEC_E_KDC_UNABLE_TO_REFER: - txt = "SEC_E_KDC_UNABLE_TO_REFER"; - break; - case SEC_E_KDC_UNKNOWN_ETYPE: - txt = "SEC_E_KDC_UNKNOWN_ETYPE"; - break; - case SEC_E_LOGON_DENIED: - txt = "SEC_E_LOGON_DENIED"; - break; - case SEC_E_MAX_REFERRALS_EXCEEDED: - txt = "SEC_E_MAX_REFERRALS_EXCEEDED"; - break; - case SEC_E_MESSAGE_ALTERED: - txt = "SEC_E_MESSAGE_ALTERED"; - break; - case SEC_E_MULTIPLE_ACCOUNTS: - txt = "SEC_E_MULTIPLE_ACCOUNTS"; - break; - case SEC_E_MUST_BE_KDC: - txt = "SEC_E_MUST_BE_KDC"; - break; - case SEC_E_NOT_OWNER: - txt = "SEC_E_NOT_OWNER"; - break; - case SEC_E_NO_AUTHENTICATING_AUTHORITY: - txt = "SEC_E_NO_AUTHENTICATING_AUTHORITY"; - break; - case SEC_E_NO_CREDENTIALS: - txt = "SEC_E_NO_CREDENTIALS"; - break; - case SEC_E_NO_IMPERSONATION: - txt = "SEC_E_NO_IMPERSONATION"; - break; - case SEC_E_NO_IP_ADDRESSES: - txt = "SEC_E_NO_IP_ADDRESSES"; - break; - case SEC_E_NO_KERB_KEY: - txt = "SEC_E_NO_KERB_KEY"; - break; - case SEC_E_NO_PA_DATA: - txt = "SEC_E_NO_PA_DATA"; - break; - case SEC_E_NO_S4U_PROT_SUPPORT: - txt = "SEC_E_NO_S4U_PROT_SUPPORT"; - break; - case SEC_E_NO_TGT_REPLY: - txt = "SEC_E_NO_TGT_REPLY"; - break; - case SEC_E_OUT_OF_SEQUENCE: - txt = "SEC_E_OUT_OF_SEQUENCE"; - break; - case SEC_E_PKINIT_CLIENT_FAILURE: - txt = "SEC_E_PKINIT_CLIENT_FAILURE"; - break; - case SEC_E_PKINIT_NAME_MISMATCH: - txt = "SEC_E_PKINIT_NAME_MISMATCH"; - break; - case SEC_E_POLICY_NLTM_ONLY: - txt = "SEC_E_POLICY_NLTM_ONLY"; - break; - case SEC_E_QOP_NOT_SUPPORTED: - txt = 
"SEC_E_QOP_NOT_SUPPORTED"; - break; - case SEC_E_REVOCATION_OFFLINE_C: - txt = "SEC_E_REVOCATION_OFFLINE_C"; - break; - case SEC_E_REVOCATION_OFFLINE_KDC: - txt = "SEC_E_REVOCATION_OFFLINE_KDC"; - break; - case SEC_E_SECPKG_NOT_FOUND: - txt = "SEC_E_SECPKG_NOT_FOUND"; - break; - case SEC_E_SECURITY_QOS_FAILED: - txt = "SEC_E_SECURITY_QOS_FAILED"; - break; - case SEC_E_SHUTDOWN_IN_PROGRESS: - txt = "SEC_E_SHUTDOWN_IN_PROGRESS"; - break; - case SEC_E_SMARTCARD_CERT_EXPIRED: - txt = "SEC_E_SMARTCARD_CERT_EXPIRED"; - break; - case SEC_E_SMARTCARD_CERT_REVOKED: - txt = "SEC_E_SMARTCARD_CERT_REVOKED"; - break; - case SEC_E_SMARTCARD_LOGON_REQUIRED: - txt = "SEC_E_SMARTCARD_LOGON_REQUIRED"; - break; - case SEC_E_STRONG_CRYPTO_NOT_SUPPORTED: - txt = "SEC_E_STRONG_CRYPTO_NOT_SUPPORTED"; - break; - case SEC_E_TARGET_UNKNOWN: - txt = "SEC_E_TARGET_UNKNOWN"; - break; - case SEC_E_TIME_SKEW: - txt = "SEC_E_TIME_SKEW"; - break; - case SEC_E_TOO_MANY_PRINCIPALS: - txt = "SEC_E_TOO_MANY_PRINCIPALS"; - break; - case SEC_E_UNFINISHED_CONTEXT_DELETED: - txt = "SEC_E_UNFINISHED_CONTEXT_DELETED"; - break; - case SEC_E_UNKNOWN_CREDENTIALS: - txt = "SEC_E_UNKNOWN_CREDENTIALS"; - break; - case SEC_E_UNSUPPORTED_FUNCTION: - txt = "SEC_E_UNSUPPORTED_FUNCTION"; - break; - case SEC_E_UNSUPPORTED_PREAUTH: - txt = "SEC_E_UNSUPPORTED_PREAUTH"; - break; - case SEC_E_UNTRUSTED_ROOT: - txt = "SEC_E_UNTRUSTED_ROOT"; - break; - case SEC_E_WRONG_CREDENTIAL_HANDLE: - txt = "SEC_E_WRONG_CREDENTIAL_HANDLE"; - break; - case SEC_E_WRONG_PRINCIPAL: - txt = "SEC_E_WRONG_PRINCIPAL"; - break; - case SEC_I_COMPLETE_AND_CONTINUE: - txt = "SEC_I_COMPLETE_AND_CONTINUE"; - break; - case SEC_I_COMPLETE_NEEDED: - txt = "SEC_I_COMPLETE_NEEDED"; - break; - case SEC_I_CONTEXT_EXPIRED: - txt = "SEC_I_CONTEXT_EXPIRED"; - break; - case SEC_I_CONTINUE_NEEDED: - txt = "SEC_I_CONTINUE_NEEDED"; - break; - case SEC_I_INCOMPLETE_CREDENTIALS: - txt = "SEC_I_INCOMPLETE_CREDENTIALS"; - break; - case SEC_I_LOCAL_LOGON: - txt = 
"SEC_I_LOCAL_LOGON"; - break; - case SEC_I_NO_LSA_CONTEXT: - txt = "SEC_I_NO_LSA_CONTEXT"; - break; - case SEC_I_RENEGOTIATE: - txt = "SEC_I_RENEGOTIATE"; - break; - case SEC_I_SIGNATURE_NEEDED: - txt = "SEC_I_SIGNATURE_NEEDED"; - break; +#define SEC2TXT(sec) case sec: txt = #sec; break + SEC2TXT(CRYPT_E_REVOKED); + SEC2TXT(SEC_E_ALGORITHM_MISMATCH); + SEC2TXT(SEC_E_BAD_BINDINGS); + SEC2TXT(SEC_E_BAD_PKGID); + SEC2TXT(SEC_E_BUFFER_TOO_SMALL); + SEC2TXT(SEC_E_CANNOT_INSTALL); + SEC2TXT(SEC_E_CANNOT_PACK); + SEC2TXT(SEC_E_CERT_EXPIRED); + SEC2TXT(SEC_E_CERT_UNKNOWN); + SEC2TXT(SEC_E_CERT_WRONG_USAGE); + SEC2TXT(SEC_E_CONTEXT_EXPIRED); + SEC2TXT(SEC_E_CROSSREALM_DELEGATION_FAILURE); + SEC2TXT(SEC_E_CRYPTO_SYSTEM_INVALID); + SEC2TXT(SEC_E_DECRYPT_FAILURE); + SEC2TXT(SEC_E_DELEGATION_POLICY); + SEC2TXT(SEC_E_DELEGATION_REQUIRED); + SEC2TXT(SEC_E_DOWNGRADE_DETECTED); + SEC2TXT(SEC_E_ENCRYPT_FAILURE); + SEC2TXT(SEC_E_ILLEGAL_MESSAGE); + SEC2TXT(SEC_E_INCOMPLETE_CREDENTIALS); + SEC2TXT(SEC_E_INCOMPLETE_MESSAGE); + SEC2TXT(SEC_E_INSUFFICIENT_MEMORY); + SEC2TXT(SEC_E_INTERNAL_ERROR); + SEC2TXT(SEC_E_INVALID_HANDLE); + SEC2TXT(SEC_E_INVALID_PARAMETER); + SEC2TXT(SEC_E_INVALID_TOKEN); + SEC2TXT(SEC_E_ISSUING_CA_UNTRUSTED); + SEC2TXT(SEC_E_ISSUING_CA_UNTRUSTED_KDC); + SEC2TXT(SEC_E_KDC_CERT_EXPIRED); + SEC2TXT(SEC_E_KDC_CERT_REVOKED); + SEC2TXT(SEC_E_KDC_INVALID_REQUEST); + SEC2TXT(SEC_E_KDC_UNABLE_TO_REFER); + SEC2TXT(SEC_E_KDC_UNKNOWN_ETYPE); + SEC2TXT(SEC_E_LOGON_DENIED); + SEC2TXT(SEC_E_MAX_REFERRALS_EXCEEDED); + SEC2TXT(SEC_E_MESSAGE_ALTERED); + SEC2TXT(SEC_E_MULTIPLE_ACCOUNTS); + SEC2TXT(SEC_E_MUST_BE_KDC); + SEC2TXT(SEC_E_NOT_OWNER); + SEC2TXT(SEC_E_NO_AUTHENTICATING_AUTHORITY); + SEC2TXT(SEC_E_NO_CREDENTIALS); + SEC2TXT(SEC_E_NO_IMPERSONATION); + SEC2TXT(SEC_E_NO_IP_ADDRESSES); + SEC2TXT(SEC_E_NO_KERB_KEY); + SEC2TXT(SEC_E_NO_PA_DATA); + SEC2TXT(SEC_E_NO_S4U_PROT_SUPPORT); + SEC2TXT(SEC_E_NO_TGT_REPLY); + SEC2TXT(SEC_E_OUT_OF_SEQUENCE); + 
SEC2TXT(SEC_E_PKINIT_CLIENT_FAILURE); + SEC2TXT(SEC_E_PKINIT_NAME_MISMATCH); + SEC2TXT(SEC_E_POLICY_NLTM_ONLY); + SEC2TXT(SEC_E_QOP_NOT_SUPPORTED); + SEC2TXT(SEC_E_REVOCATION_OFFLINE_C); + SEC2TXT(SEC_E_REVOCATION_OFFLINE_KDC); + SEC2TXT(SEC_E_SECPKG_NOT_FOUND); + SEC2TXT(SEC_E_SECURITY_QOS_FAILED); + SEC2TXT(SEC_E_SHUTDOWN_IN_PROGRESS); + SEC2TXT(SEC_E_SMARTCARD_CERT_EXPIRED); + SEC2TXT(SEC_E_SMARTCARD_CERT_REVOKED); + SEC2TXT(SEC_E_SMARTCARD_LOGON_REQUIRED); + SEC2TXT(SEC_E_STRONG_CRYPTO_NOT_SUPPORTED); + SEC2TXT(SEC_E_TARGET_UNKNOWN); + SEC2TXT(SEC_E_TIME_SKEW); + SEC2TXT(SEC_E_TOO_MANY_PRINCIPALS); + SEC2TXT(SEC_E_UNFINISHED_CONTEXT_DELETED); + SEC2TXT(SEC_E_UNKNOWN_CREDENTIALS); + SEC2TXT(SEC_E_UNSUPPORTED_FUNCTION); + SEC2TXT(SEC_E_UNSUPPORTED_PREAUTH); + SEC2TXT(SEC_E_UNTRUSTED_ROOT); + SEC2TXT(SEC_E_WRONG_CREDENTIAL_HANDLE); + SEC2TXT(SEC_E_WRONG_PRINCIPAL); + SEC2TXT(SEC_I_COMPLETE_AND_CONTINUE); + SEC2TXT(SEC_I_COMPLETE_NEEDED); + SEC2TXT(SEC_I_CONTEXT_EXPIRED); + SEC2TXT(SEC_I_CONTINUE_NEEDED); + SEC2TXT(SEC_I_INCOMPLETE_CREDENTIALS); + SEC2TXT(SEC_I_LOCAL_LOGON); + SEC2TXT(SEC_I_NO_LSA_CONTEXT); + SEC2TXT(SEC_I_RENEGOTIATE); + SEC2TXT(SEC_I_SIGNATURE_NEEDED); default: txt = "Unknown error"; } - if(err == SEC_E_OK) - strncpy(outbuf, txt, outmax); - else if(err == SEC_E_ILLEGAL_MESSAGE) - msnprintf(outbuf, outmax, + if(err == SEC_E_ILLEGAL_MESSAGE) { + msnprintf(buf, buflen, "SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs " "when a fatal SSL/TLS alert is received (e.g. handshake failed)." 
" More detail may be available in the Windows System event log.", err); + } else { - str = txtbuf; + char txtbuf[80]; + char msgbuf[256]; + msnprintf(txtbuf, sizeof(txtbuf), "%s (0x%08X)", txt, err); - txtbuf[sizeof(txtbuf)-1] = '\0'; -#ifdef _WIN32_WCE - { - wchar_t wbuf[256]; - wbuf[0] = L'\0'; - - if(FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | - FORMAT_MESSAGE_IGNORE_INSERTS, - NULL, err, LANG_NEUTRAL, - wbuf, sizeof(wbuf)/sizeof(wchar_t), NULL)) { - wcstombs(msgbuf, wbuf, sizeof(msgbuf)-1); - msg_formatted = TRUE; - } - } -#else - if(FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM | - FORMAT_MESSAGE_IGNORE_INSERTS, - NULL, err, LANG_NEUTRAL, - msgbuf, sizeof(msgbuf)-1, NULL)) { - msg_formatted = TRUE; + if(get_winapi_error(err, msgbuf, sizeof(msgbuf))) + msnprintf(buf, buflen, "%s - %s", txtbuf, msgbuf); + else { + strncpy(buf, txtbuf, buflen); + buf[buflen - 1] = '\0'; } -#endif - if(msg_formatted) { - msgbuf[sizeof(msgbuf)-1] = '\0'; - /* strip trailing '\r\n' or '\n' */ - p = strrchr(msgbuf, '\n'); - if(p && (p - msgbuf) >= 2) - *p = '\0'; - p = strrchr(msgbuf, '\r'); - if(p && (p - msgbuf) >= 1) - *p = '\0'; - msg = msgbuf; - } - if(msg) - msnprintf(outbuf, outmax, "%s - %s", str, msg); - else - strncpy(outbuf, str, outmax); } #else - if(err == SEC_E_OK) txt = "No error"; else txt = "Error"; - - strncpy(outbuf, txt, outmax); - + strncpy(buf, txt, buflen); + buf[buflen - 1] = '\0'; #endif - outbuf[outmax] = '\0'; - if(errno != old_errno) errno = old_errno; @@ -1100,6 +998,6 @@ const char *Curl_sspi_strerror(int err, char *buf, size_t buflen) SetLastError(old_win_err); #endif - return outbuf; + return buf; } #endif /* USE_WINDOWS_SSPI */ diff --git a/libs/libcurl/src/strerror.h b/libs/libcurl/src/strerror.h index 683b5b4a3a..278c1082f0 100644 --- a/libs/libcurl/src/strerror.h +++ b/libs/libcurl/src/strerror.h 
@@ -27,6 +27,9 @@
 #define STRERROR_LEN 128 /* a suitable length */
 const char *Curl_strerror(int err, char *buf, size_t buflen);
+#if defined(WIN32) || defined(_WIN32_WCE)
+const char *Curl_winapi_strerror(DWORD err, char *buf, size_t buflen);
+#endif
 #ifdef USE_WINDOWS_SSPI
 const char *Curl_sspi_strerror(int err, char *buf, size_t buflen);
 #endif
diff --git a/libs/libcurl/src/strtok.c b/libs/libcurl/src/strtok.c
index 460eb87e51..be8f481282 100644
--- a/libs/libcurl/src/strtok.c
+++ b/libs/libcurl/src/strtok.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
diff --git a/libs/libcurl/src/strtok.h b/libs/libcurl/src/strtok.h
index 90b831eb67..e221fa680f 100644
--- a/libs/libcurl/src/strtok.h
+++ b/libs/libcurl/src/strtok.h
@@ -7,7 +7,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
diff --git a/libs/libcurl/src/strtoofft.c b/libs/libcurl/src/strtoofft.c
index 546a3ff75d..96e3820600 100644
--- a/libs/libcurl/src/strtoofft.c
+++ b/libs/libcurl/src/strtoofft.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
diff --git a/libs/libcurl/src/telnet.c b/libs/libcurl/src/telnet.c
index 955255c36c..4bf4c652c2 100644
--- a/libs/libcurl/src/telnet.c
+++ b/libs/libcurl/src/telnet.c
@@ -69,12 +69,12 @@ do { \ x->subend = x->subpointer; \ CURL_SB_CLEAR(x); \ - } WHILE_FALSE + } while(0) #define CURL_SB_ACCUM(x,c) \ do { \ if(x->subpointer < (x->subbuffer + sizeof(x->subbuffer))) \ *x->subpointer++ = (c); \ - } WHILE_FALSE + } while(0) #define CURL_SB_GET(x) ((*x->subpointer++)&0xff) #define CURL_SB_LEN(x) (x->subend - x->subpointer) diff --git a/libs/libcurl/src/telnet.h b/libs/libcurl/src/telnet.h index 668a78a133..431427f395 100644 --- a/libs/libcurl/src/telnet.h +++ b/libs/libcurl/src/telnet.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/tftp.h b/libs/libcurl/src/tftp.h index 1335f64bd1..33348300fe 100644 --- a/libs/libcurl/src/tftp.h +++ b/libs/libcurl/src/tftp.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/transfer.c b/libs/libcurl/src/transfer.c index d0d4aeb500..ead8b36db9 100644 --- a/libs/libcurl/src/transfer.c +++ b/libs/libcurl/src/transfer.c @@ -484,8 +484,9 @@ CURLcode Curl_readrewind(struct connectdata *conn) return CURLE_OK; } -static int data_pending(const struct connectdata *conn) +static int data_pending(const struct Curl_easy *data) { + struct connectdata *conn = data->conn; /* in the case of libssh2, we can never be really sure that we have emptied its internal buffers so we MUST always try until we get EAGAIN back */ return conn->handler->protocol&(CURLPROTO_SCP|CURLPROTO_SFTP) || 
@@ -499,6 +500,8 @@ static int data_pending(const struct connectdata *conn)
 be called and we cannot signal the HTTP/2 stream has closed. As a workaround, we return nonzero here to call http2_recv. */
 ((conn->handler->protocol&PROTO_FAMILY_HTTP) && conn->httpversion >= 20);
+#elif defined(ENABLE_QUIC)
+ Curl_ssl_data_pending(conn, FIRSTSOCKET) || Curl_quic_data_pending(data);
 #else
 Curl_ssl_data_pending(conn, FIRSTSOCKET);
 #endif
@@ -918,7 +921,7 @@ static CURLcode readwrite_data(struct Curl_easy *data,
 break;
 }
- } while(data_pending(conn) && maxloops--);
+ } while(data_pending(data) && maxloops--);
 if(maxloops <= 0) {
 /* we mark it as read-again-please */
@@ -1174,7 +1177,7 @@ static CURLcode readwrite_upload(struct Curl_easy *data,
 }
- } WHILE_FALSE; /* just to break out from! */
+ } while(0); /* just to break out from! */
 return CURLE_OK;
 }
diff --git a/libs/libcurl/src/url.c b/libs/libcurl/src/url.c
index 8285474fd7..56fb736368 100644
--- a/libs/libcurl/src/url.c
+++ b/libs/libcurl/src/url.c
@@ -106,7 +106,7 @@ bool curl_win32_idn_to_ascii(const char *in, char **out);
 #include "http2.h"
 #include "file.h"
 #include "curl_ldap.h"
-#include "ssh.h"
+#include "vssh/ssh.h"
 #include "imap.h"
 #include "url.h"
 #include "connect.h"
@@ -403,9 +403,11 @@ CURLcode Curl_close(struct Curl_easy **datap)
 Curl_share_unlock(data, CURL_LOCK_DATA_SHARE);
 }
+#ifndef CURL_DISABLE_DOH
 free(data->req.doh.probe[0].serverdoh.memory);
 free(data->req.doh.probe[1].serverdoh.memory);
 curl_slist_free_all(data->req.doh.headers);
+#endif
 /* destruct wildcard structures if it is needed */
 Curl_wildcard_dtor(&data->wildcard);
@@ -672,7 +674,7 @@ static void conn_reset_all_postponed_data(struct connectdata *conn)
 }
 #else /* ! USE_RECV_BEFORE_SEND_WORKAROUND */
 /* Use "do-nothing" macro instead of function when workaround not used */
-#define conn_reset_all_postponed_data(c) do {} WHILE_FALSE
+#define conn_reset_all_postponed_data(c) do {} while(0)
 #endif /* ! USE_RECV_BEFORE_SEND_WORKAROUND */
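Review bot: The new `#elif defined(ENABLE_QUIC)` branch makes data_pending() call Curl_quic_data_pending(data) for every transfer on a QUIC-enabled build, but the ngtcp2.c implementation added later in this patch reads `data->req.protop` as a `struct HTTP *` unconditionally and returns `stream->overflow_buflen > 0`. For a transfer whose protocol keeps something other than a `struct HTTP` in protop (or leaves it NULL), that is a read through the wrong type, presumably with an out-of-bounds or NULL access as the result. Guard the call on the handler, e.g. `(conn->handler == &Curl_handler_http3 && Curl_quic_data_pending(data))`, or make the callee check the handler before touching protop; the quiche.c stub is unaffected since it does not dereference. data_pending's body starts outside this hunk.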
@@ -1080,16 +1082,15 @@ ConnectionExists(struct Curl_easy *data, check = curr->ptr; curr = curr->next; - if(check->bits.connect_only) - /* connect-only connections will not be reused */ + if(check->bits.connect_only || check->bits.close) + /* connect-only or to-be-closed connections will not be reused */ continue; multiplexed = CONN_INUSE(check) && (bundle->multiuse == BUNDLE_MULTIPLEX); if(canmultiplex) { - if(check->bits.protoconnstart && check->bits.close) - continue; + ; } else { if(multiplexed) { @@ -1109,12 +1110,9 @@ ConnectionExists(struct Curl_easy *data, } } - if((check->sock[FIRSTSOCKET] == CURL_SOCKET_BAD) || - check->bits.close) { - if(!check->bits.close) - foundPendingCandidate = TRUE; - /* Don't pick a connection that hasn't connected yet or that is going - to get closed. */ + if(check->sock[FIRSTSOCKET] == CURL_SOCKET_BAD) { + foundPendingCandidate = TRUE; + /* Don't pick a connection that hasn't connected yet */ infof(data, "Connection #%ld isn't open enough, can't reuse\n", check->connection_id); continue; @@ -1192,8 +1190,7 @@ ConnectionExists(struct Curl_easy *data, already in use so we skip it */ continue; - if(CONN_INUSE(check) && check->data && - (check->data->multi != needle->data->multi)) + if(check->data && (check->data->multi != needle->data->multi)) /* this could be subject for multiplex use, but only if they belong to * the same multi handle */ continue; @@ -1641,6 +1638,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) it may live on without (this specific) Curl_easy */ conn->fclosesocket = data->set.fclosesocket; conn->closesocket_client = data->set.closesocket_client; + conn->lastused = Curl_now(); /* used now */ return conn; error: @@ -1987,8 +1985,11 @@ void Curl_free_request_state(struct Curl_easy *data) { Curl_safefree(data->req.protop); Curl_safefree(data->req.newurl); + +#ifndef CURL_DISABLE_DOH Curl_close(&data->req.doh.probe[0].easy); Curl_close(&data->req.doh.probe[1].easy); +#endif } 
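Review bot: `if(canmultiplex) { ; } else {` in the ConnectionExists hunk leaves a then-branch whose only content is a bare `;`, a residue of the removed `protoconnstart && close` check that the new `check->bits.close` test above now covers. Invert the condition so the surviving logic reads directly: `if(!canmultiplex) {` with the empty block dropped. ConnectionExists continues outside this hunk.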
@@ -3593,25 +3594,6 @@ static CURLcode create_conn(struct Curl_easy *data, else reuse = ConnectionExists(data, conn, &conn_temp, &force_reuse, &waitpipe); - /* If we found a reusable connection that is now marked as in use, we may - still want to open a new connection if we are multiplexing. */ - if(reuse && !force_reuse && IsMultiplexingPossible(data, conn_temp)) { - size_t multiplexed = CONN_INUSE(conn_temp); - if(multiplexed > 0) { - infof(data, "Found connection %ld, with %zu requests on it\n", - conn_temp->connection_id, multiplexed); - - if(Curl_conncache_bundle_size(conn_temp) < max_host_connections && - Curl_conncache_size(data) < max_total_connections) { - /* We want a new connection anyway */ - reuse = FALSE; - - infof(data, "We can reuse, but we want a new connection anyway\n"); - Curl_conncache_return_conn(conn_temp); - } - } - } - if(reuse) { /* * We already have a connection for this, we got the former connection diff --git a/libs/libcurl/src/urldata.h b/libs/libcurl/src/urldata.h index f9365b2e68..3effb1626f 100644 --- a/libs/libcurl/src/urldata.h +++ b/libs/libcurl/src/urldata.h @@ -124,7 +124,7 @@ typedef ssize_t (Curl_recv)(struct connectdata *conn, /* connection data */ #include "smtp.h" #include "ftp.h" #include "file.h" -#include "ssh.h" +#include "vssh/ssh.h" #include "http.h" #include "rtsp.h" #include "smb.h" @@ -257,6 +257,7 @@ struct ssl_config_data { BIT(falsestart); BIT(enable_beast); /* allow this flaw for interoperability's sake*/ BIT(no_revoke); /* disable SSL certificate revocation checks */ + BIT(no_partialchain); /* don't accept partial certificate chains */ }; struct ssl_general_config { 
@@ -528,6 +529,24 @@ enum upgrade101 { UPGR101_WORKING /* talking upgraded protocol */ }; +enum doh_slots { + /* Explicit values for first two symbols so as to match hard-coded + * constants in existing code + */ + DOH_PROBE_SLOT_IPADDR_V4 = 0, /* make 'V4' stand out for readability */ + DOH_PROBE_SLOT_IPADDR_V6 = 1, /* 'V6' likewise */ + + /* Space here for (possibly build-specific) additional slot definitions */ + + /* for example */ + /* #ifdef WANT_DOH_FOOBAR_TXT */ + /* DOH_PROBE_SLOT_FOOBAR_TXT, */ + /* #endif */ + + /* AFTER all slot definitions, establish how many we have */ + DOH_PROBE_SLOTS +}; + struct dohresponse { unsigned char *memory; size_t size; @@ -544,7 +563,7 @@ struct dnsprobe { struct dohdata { struct curl_slist *headers; - struct dnsprobe probe[2]; + struct dnsprobe probe[DOH_PROBE_SLOTS]; unsigned int pending; /* still outstanding requests */ const char *host; int port; diff --git a/libs/libcurl/src/vauth/cram.c b/libs/libcurl/src/vauth/cram.c index d148618b0d..04438fa740 100644 --- a/libs/libcurl/src/vauth/cram.c +++ b/libs/libcurl/src/vauth/cram.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/vauth/digest.h b/libs/libcurl/src/vauth/digest.h index 8686c44a42..cc05fdb769 100644 --- a/libs/libcurl/src/vauth/digest.h +++ b/libs/libcurl/src/vauth/digest.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms 
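Review bot: `struct dnsprobe probe[DOH_PROBE_SLOTS]` is introduced so that further slots can be added behind the enum, yet the url.c hunks in this same patch still release `probe[0]` and `probe[1]` by literal index in Curl_close and Curl_free_request_state. A loop bounded by `DOH_PROBE_SLOTS` at those two sites would keep cleanup in step with the enum when a slot is added; as written, a new slot would silently leak its `serverdoh.memory` and easy handle.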
diff --git a/libs/libcurl/src/version.c b/libs/libcurl/src/version.c index cfd09e36d7..6405d369d7 100644 --- a/libs/libcurl/src/version.c +++ b/libs/libcurl/src/version.c @@ -26,7 +26,7 @@ #include "urldata.h" #include "vtls/vtls.h" #include "http2.h" -#include "ssh.h" +#include "vssh/ssh.h" #include "quic.h" #include "curl_printf.h" diff --git a/libs/libcurl/src/vquic/ngtcp2.c b/libs/libcurl/src/vquic/ngtcp2.c index c0f9b16e38..e97e9e871b 100644 --- a/libs/libcurl/src/vquic/ngtcp2.c +++ b/libs/libcurl/src/vquic/ngtcp2.c @@ -49,7 +49,7 @@ #ifdef DEBUG_HTTP3 #define H3BUGF(x) x #else -#define H3BUGF(x) do { } WHILE_FALSE +#define H3BUGF(x) do { } while(0) #endif /* @@ -174,8 +174,10 @@ static int quic_set_encryption_secrets(SSL *ssl, tx_secret, secretlen, NGTCP2_CRYPTO_SIDE_CLIENT) != 0) return 0; - if(level == NGTCP2_CRYPTO_LEVEL_APP && init_ngh3_conn(qs) != CURLE_OK) - return 0; + if(level == NGTCP2_CRYPTO_LEVEL_APP) { + if(init_ngh3_conn(qs) != CURLE_OK) + return 0; + } return 1; } @@ -188,11 +190,12 @@ static int quic_add_handshake_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL ossl_level, ngtcp2_crypto_level level = quic_from_ossl_level(ossl_level); int rv; - crypto_data = &qs->client_crypto_data[level]; + crypto_data = &qs->crypto_data[level]; if(crypto_data->buf == NULL) { crypto_data->buf = malloc(4096); + if(!crypto_data->buf) + return 0; crypto_data->alloclen = 4096; - /* TODO Explode if malloc failed */ } /* TODO Just pretend that handshake does not grow more than 4KiB for @@ -203,8 +206,8 @@ static int quic_add_handshake_data(SSL *ssl, OSSL_ENCRYPTION_LEVEL ossl_level, crypto_data->len += len; rv = ngtcp2_conn_submit_crypto_data( - qs->qconn, level, (uint8_t *)(&crypto_data->buf[crypto_data->len] - len), - len); + qs->qconn, level, (uint8_t *)(&crypto_data->buf[crypto_data->len] - len), + len); if(rv) { H3BUGF(fprintf(stderr, "write_client_handshake failed\n")); } 
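Review bot: The NULL check after `malloc(4096)` in quic_add_handshake_data fixes the crash on allocation failure, but the hunk still ends on the TODO admitting the handshake is merely assumed to fit in 4 KiB, and `crypto_data->alloclen = 4096` remains fixed. The copy into `crypto_data->buf` and the `crypto_data->len += len` that the next hunk shows are outside this hunk, and no runtime bound on `crypto_data->len + len <= crypto_data->alloclen` is visible; if that bound is only a debug-time assert, a handshake larger than the allocation would write past the buffer in release builds. A `if(crypto_data->len + len > crypto_data->alloclen) return 0;` before the copy, or growing the buffer with realloc, closes the gap.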
@@ -244,8 +247,9 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) SSL_CTX_set_default_verify_paths(ssl_ctx); if(SSL_CTX_set_ciphersuites(ssl_ctx, QUIC_CIPHERS) != 1) { - failf(data, "SSL_CTX_set_ciphersuites: %s", - ERR_error_string(ERR_get_error(), NULL)); + char error_buffer[256]; + ERR_error_string_n(ERR_get_error(), error_buffer, sizeof(error_buffer)); + failf(data, "SSL_CTX_set_ciphersuites: %s", error_buffer); return NULL; } @@ -305,7 +309,7 @@ static int cb_initial(ngtcp2_conn *quic, void *user_data) struct quicsocket *qs = (struct quicsocket *)user_data; if(ngtcp2_crypto_read_write_crypto_data( - quic, qs->ssl, NGTCP2_CRYPTO_LEVEL_INITIAL, NULL, 0) != 0) + quic, qs->ssl, NGTCP2_CRYPTO_LEVEL_INITIAL, NULL, 0) != 0) return NGTCP2_ERR_CALLBACK_FAILURE; return 0; @@ -336,6 +340,16 @@ static int cb_handshake_completed(ngtcp2_conn *tconn, void *user_data) return 0; } +static void extend_stream_window(ngtcp2_conn *tconn, + struct HTTP *stream) +{ + size_t thismuch = stream->unacked_window; + ngtcp2_conn_extend_max_stream_offset(tconn, stream->stream3_id, thismuch); + ngtcp2_conn_extend_max_offset(tconn, thismuch); + stream->unacked_window = 0; +} + + static int cb_recv_stream_data(ngtcp2_conn *tconn, int64_t stream_id, int fin, uint64_t offset, const uint8_t *buf, size_t buflen, @@ -346,9 +360,6 @@ static int cb_recv_stream_data(ngtcp2_conn *tconn, int64_t stream_id, (void)offset; (void)stream_user_data; - infof(qs->conn->data, "Received %ld bytes data on stream %u\n", - buflen, stream_id); - nconsumed = nghttp3_conn_read_stream(qs->h3conn, stream_id, buf, buflen, fin); if(nconsumed < 0) { 
@@ -357,6 +368,9 @@ static int cb_recv_stream_data(ngtcp2_conn *tconn, int64_t stream_id, return NGTCP2_ERR_CALLBACK_FAILURE; } + /* number of bytes inside buflen which consists of framing overhead + * including QPACK HEADERS. In other words, it does not consume payload of + * DATA frame. */ ngtcp2_conn_extend_max_stream_offset(tconn, stream_id, nconsumed); ngtcp2_conn_extend_max_offset(tconn, nconsumed); @@ -514,7 +528,7 @@ static ngtcp2_conn_callbacks ng_callbacks = { NULL, /* rand */ cb_get_new_connection_id, NULL, /* remove_connection_id */ - NULL, /* update_key */ + ngtcp2_crypto_update_key_cb, /* update_key */ NULL, /* path_validation */ NULL, /* select_preferred_addr */ cb_stream_reset, @@ -656,8 +670,16 @@ static int ng_perform_getsock(const struct connectdata *conn, static CURLcode ng_disconnect(struct connectdata *conn, bool dead_connection) { - (void)conn; + int i; + struct quicsocket *qs = &conn->hequic[0]; (void)dead_connection; + if(qs->ssl) + SSL_free(qs->ssl); + for(i = 0; i < 3; i++) + free(qs->crypto_data[i].buf); + nghttp3_conn_del(qs->h3conn); + ngtcp2_conn_del(qs->qconn); + SSL_CTX_free(qs->sslctx); return CURLE_OK; } 
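Review bot: ng_disconnect frees `qs->ssl`, the three `crypto_data[i].buf` buffers, `h3conn`, `qconn` and `sslctx` but leaves every pointer in `conn->hequic[0]` dangling, so a second pass over the same struct would be a double free; null each pointer after releasing it (`qs->ssl = NULL;` and so on). The loop's literal `3` duplicates the `crypto_data[3]` declaration in ngtcp2.h; `sizeof(qs->crypto_data)/sizeof(qs->crypto_data[0])` keeps the two in step. The `if(qs->ssl)` guard is redundant as SSL_free accepts NULL, and whether this function can run before init_ngh3_conn has set `h3conn` is not visible here.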
@@ -704,42 +726,121 @@ static int cb_h3_stream_close(nghttp3_conn *conn, int64_t stream_id, stream->closed = TRUE; Curl_expire(data, 0, EXPIRE_QUIC); + /* make sure that ngh3_stream_recv is called again to complete the transfer + even if there are no more packets to be received from the server. */ + data->state.drain = 1; return 0; } -static int cb_h3_recv_data(nghttp3_conn *conn, int64_t stream_id, - const uint8_t *buf, size_t buflen, - void *user_data, void *stream_user_data) -{ - struct quicsocket *qs = user_data; - size_t ncopy; - struct Curl_easy *data = stream_user_data; - struct HTTP *stream = data->req.protop; - (void)conn; - H3BUGF(infof(data, "cb_h3_recv_data CALLED with %d bytes\n", buflen)); +/* Minimum size of the overflow buffer */ +#define OVERFLOWSIZE 1024 - /* TODO: this needs to be handled properly */ - DEBUGASSERT(buflen <= stream->len); +/* + * allocate_overflow() ensures that there is room for incoming data in the + * overflow buffer, growing it to accommodate the new data if necessary. We + * may need to use the overflow buffer because we can't precisely limit the + * amount of HTTP/3 header data we receive using QUIC flow control mechanisms. 
+ */ +static CURLcode allocate_overflow(struct Curl_easy *data, + struct HTTP *stream, + size_t length) +{ + size_t maxleft; + size_t newsize; + /* length can be arbitrarily large, so take care not to overflow newsize */ + maxleft = CURL_MAX_READ_SIZE - stream->overflow_buflen; + if(length > maxleft) { + /* The reason to have a max limit for this is to avoid the risk of a bad + server feeding libcurl with a highly compressed list of headers that + will cause our overflow buffer to grow too large */ + failf(data, "Rejected %zu bytes of overflow data (max is %d)!", + stream->overflow_buflen + length, CURL_MAX_READ_SIZE); + return CURLE_OUT_OF_MEMORY; + } + newsize = stream->overflow_buflen + length; + if(newsize > stream->overflow_bufsize) { + /* We enlarge the overflow buffer as it is too small */ + char *newbuff; + newsize = CURLMAX(newsize * 3 / 2, stream->overflow_bufsize*2); + newsize = CURLMIN(CURLMAX(OVERFLOWSIZE, newsize), CURL_MAX_READ_SIZE); + newbuff = realloc(stream->overflow_buf, newsize); + if(!newbuff) { + failf(data, "Failed to alloc memory for overflow buffer!"); + return CURLE_OUT_OF_MEMORY; + } + stream->overflow_buf = newbuff; + stream->overflow_bufsize = newsize; + infof(data, "Grew HTTP/3 overflow buffer to %zu bytes\n", newsize); + } + return CURLE_OK; +} - ncopy = CURLMIN(stream->len, buflen); - memcpy(stream->mem, buf, ncopy); - stream->len -= ncopy; - stream->memlen += ncopy; +/* + * write_data() copies data to the stream's receive buffer. If not enough + * space is available in the receive buffer, it copies the rest to the + * stream's overflow buffer. + */ +static CURLcode write_data(struct Curl_easy *data, + struct HTTP *stream, + const void *mem, size_t memlen) +{ + CURLcode result = CURLE_OK; + const char *buf = mem; + size_t ncopy = memlen; + /* copy as much as possible to the receive buffer */ + if(stream->len) { + size_t len = CURLMIN(ncopy, stream->len); +#if 0 /* extra debugging of incoming h3 data */ + fprintf(stderr, "!! 
Copies %zd bytes to %p (total %zd)\n", + len, stream->mem, stream->memlen); +#endif + memcpy(stream->mem, buf, len); + stream->len -= len; + stream->memlen += len; + stream->mem += len; + buf += len; + ncopy -= len; + } + /* copy the rest to the overflow buffer */ + if(ncopy) { + result = allocate_overflow(data, stream, ncopy); + if(result) { + return result; + } +#if 0 /* extra debugging of incoming h3 data */ + fprintf(stderr, "!! Copies %zd overflow bytes to %p (total %zd)\n", + ncopy, stream->overflow_buf, stream->overflow_buflen); +#endif + memcpy(stream->overflow_buf + stream->overflow_buflen, buf, ncopy); + stream->overflow_buflen += ncopy; + } #if 0 /* extra debugging of incoming h3 data */ - fprintf(stderr, "!! Copies %zd bytes to %p (total %zd)\n", - ncopy, stream->mem, stream->memlen); { size_t i; - for(i = 0; i < ncopy; i++) { + for(i = 0; i < memlen; i++) { fprintf(stderr, "!! data[%d]: %02x '%c'\n", i, buf[i], buf[i]); } } #endif - stream->mem += ncopy; + return result; +} - ngtcp2_conn_extend_max_stream_offset(qs->qconn, stream_id, buflen); - ngtcp2_conn_extend_max_offset(qs->qconn, buflen); +static int cb_h3_recv_data(nghttp3_conn *conn, int64_t stream_id, + const uint8_t *buf, size_t buflen, + void *user_data, void *stream_user_data) +{ + struct Curl_easy *data = stream_user_data; + struct HTTP *stream = data->req.protop; + CURLcode result = CURLE_OK; + (void)conn; + result = write_data(data, stream, buf, buflen); + if(result) { + return -1; + } + stream->unacked_window += buflen; + (void)stream_id; + (void)user_data; return 0; } @@ -750,10 +851,10 @@ static int cb_h3_deferred_consume(nghttp3_conn *conn, int64_t stream_id, struct quicsocket *qs = user_data; (void)conn; (void)stream_user_data; + (void)stream_id; ngtcp2_conn_extend_max_stream_offset(qs->qconn, stream_id, consumed); ngtcp2_conn_extend_max_offset(qs->qconn, consumed); - return 0; } 
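Review bot: In allocate_overflow the rejection message evaluates `stream->overflow_buflen + length`, the very sum the preceding `length > maxleft` guard exists to avoid, so the printed total can wrap for the arbitrarily large `length` the comment itself warns about; print the operands separately, e.g. `failf(data, "Rejected %zu bytes of overflow data on top of %zu (max is %d)!", length, stream->overflow_buflen, CURL_MAX_READ_SIZE);`. The cap is a sound defence against a peer inflating the header buffer, but returning CURLE_OUT_OF_MEMORY for it makes a policy rejection indistinguishable from a real allocation failure to the caller; a transfer-level error code would let callers tell the two apart. The `#if 0` debug printfs pass `size_t` values with `%zd` and `%d` and would need `%zu` if ever enabled.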
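Review bot: The added `(void)stream_id;` in cb_h3_deferred_consume marks as unused a parameter that the very next line passes to ngtcp2_conn_extend_max_stream_offset; drop it, since it only suppresses a warning that cannot occur here and misleads the reader about the parameter's role.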
@@ -789,15 +890,17 @@ static int cb_h3_end_headers(nghttp3_conn *conn, int64_t stream_id, { struct Curl_easy *data = stream_user_data; struct HTTP *stream = data->req.protop; + CURLcode result = CURLE_OK; (void)conn; (void)stream_id; (void)user_data; - if(stream->memlen >= 2) { - memcpy(stream->mem, "\r\n", 2); - stream->len -= 2; - stream->memlen += 2; - stream->mem += 2; + /* add a CRLF only if we've received some headers */ + if(stream->firstheader) { + result = write_data(data, stream, "\r\n", 2); + if(result) { + return -1; + } } return 0; } @@ -811,7 +914,7 @@ static int cb_h3_recv_header(nghttp3_conn *conn, int64_t stream_id, nghttp3_vec h3val = nghttp3_rcbuf_get_buf(value); struct Curl_easy *data = stream_user_data; struct HTTP *stream = data->req.protop; - size_t ncopy; + CURLcode result = CURLE_OK; (void)conn; (void)stream_id; (void)token; 
@@ -820,20 +923,37 @@ static int cb_h3_recv_header(nghttp3_conn *conn, int64_t stream_id, if(h3name.len == sizeof(":status") - 1 && !memcmp(":status", h3name.base, h3name.len)) { + char line[14]; /* status line is always 13 characters long */ + size_t ncopy; int status = decode_status_code(h3val.base, h3val.len); DEBUGASSERT(status != -1); - msnprintf(stream->mem, stream->len, "HTTP/3 %03d \r\n", status); + ncopy = msnprintf(line, sizeof(line), "HTTP/3 %03d \r\n", status); + result = write_data(data, stream, line, ncopy); + if(result) { + return -1; + } } else { /* store as a HTTP1-style header */ - msnprintf(stream->mem, stream->len, "%.*s: %.*s\n", - h3name.len, h3name.base, h3val.len, h3val.base); + result = write_data(data, stream, h3name.base, h3name.len); + if(result) { + return -1; + } + result = write_data(data, stream, ": ", 2); + if(result) { + return -1; + } + result = write_data(data, stream, h3val.base, h3val.len); + if(result) { + return -1; + } + result = write_data(data, stream, "\r\n", 2); + if(result) { + return -1; + } } - ncopy = strlen(stream->mem); - stream->len -= ncopy; - stream->memlen += ncopy; - stream->mem += ncopy; + stream->firstheader = TRUE; return 0; } @@ -933,6 +1053,21 @@ static int init_ngh3_conn(struct quicsocket *qs) static Curl_recv ngh3_stream_recv; static Curl_send ngh3_stream_send; +static size_t drain_overflow_buffer(struct HTTP *stream) +{ + size_t ncopy = CURLMIN(stream->overflow_buflen, stream->len); + if(ncopy > 0) { + memcpy(stream->mem, stream->overflow_buf, ncopy); + stream->len -= ncopy; + stream->mem += ncopy; + stream->memlen += ncopy; + stream->overflow_buflen -= ncopy; + memmove(stream->overflow_buf, stream->overflow_buf + ncopy, + stream->overflow_buflen); + } + return ncopy; +} + /* incoming data frames on the h3 stream */ static ssize_t ngh3_stream_recv(struct connectdata *conn, int sockindex, 
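Review bot: In cb_h3_recv_header the `DEBUGASSERT(status != -1)` is the only reaction to a `:status` value that decode_status_code rejects; in a release build the code proceeds to format `HTTP/3 -01 \r\n` and hands that to the response parser as a status line. Assuming -1 is the decoder's failure value, as the assert implies, fail the stream instead: `if(status == -1) return -1;` before the msnprintf. The 14-byte `line` holds the 13-character status line plus NUL for any three-digit value, which relies on the decoder never returning a four-digit number; a comment stating that range assumption would help the next reader.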
@@ -952,6 +1087,10 @@ static ssize_t ngh3_stream_recv(struct connectdata *conn,
 }
 /* else, there's data in the buffer already */
+ /* if there's data in the overflow buffer from a previous call, copy as much as possible to the receive buffer before receiving more */
+ drain_overflow_buffer(stream);
+
 if(ng_process_ingress(conn, sockfd, qs)) {
 *curlcode = CURLE_RECV_ERROR;
 return -1;
@@ -969,8 +1108,13 @@ static ssize_t ngh3_stream_recv(struct connectdata *conn,
 stream->memlen = 0;
 stream->mem = buf;
 stream->len = buffersize;
- H3BUGF(infof(conn->data, "!! ngh3_stream_recv returns %zd bytes at %p\n",
- memlen, buf));
+ /* extend the stream window with the data we're consuming and send out any additional packets to tell the server that we can receive more */
+ extend_stream_window(qs->qconn, stream);
+ if(ng_flush_egress(conn, sockfd, qs)) {
+ *curlcode = CURLE_SEND_ERROR;
+ return -1;
+ }
 return memlen;
 }
@@ -1590,4 +1734,32 @@ CURLcode Curl_quic_done_sending(struct connectdata *conn)
 return CURLE_OK;
 }
+
+/*
+ * Called from http.c:Curl_http_done when a request completes.
+ */
+void Curl_quic_done(struct Curl_easy *data, bool premature)
+{
+ (void)premature;
+ if(data->conn->handler == &Curl_handler_http3) {
+ /* only for HTTP/3 transfers */
+ struct HTTP *stream = data->req.protop;
+ Curl_safefree(stream->overflow_buf);
+ }
+}
+
+/*
+ * Called from transfer.c:data_pending to know if we should keep looping
+ * to receive more data from the connection.
+ */
+bool Curl_quic_data_pending(const struct Curl_easy *data)
+{
+ /* We may have received more data than we're able to hold in the receive buffer and allocated an overflow buffer. Since it's possible that there's no more data coming on the socket, we need to keep reading until the overflow buffer is empty. */
+ const struct HTTP *stream = data->req.protop;
+ return stream->overflow_buflen > 0;
+}
+
 #endif
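Review bot: Curl_quic_done releases `stream->overflow_buf` but leaves `overflow_buflen` and `overflow_bufsize` at their old values. If the same `struct HTTP` is reused for a later request on the connection, allocate_overflow's `newsize > stream->overflow_bufsize` test would see the stale capacity, skip the realloc, and write_data would memcpy into a freed or (assuming Curl_safefree nulls the pointer, as its name suggests) NULL buffer; reset both counters alongside the free, `stream->overflow_buflen = 0; stream->overflow_bufsize = 0;`. Whether the struct outlives a single request is not visible in this hunk, so the reset is cheap insurance either way.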
diff --git a/libs/libcurl/src/vquic/ngtcp2.h b/libs/libcurl/src/vquic/ngtcp2.h
index 5570fc7e78..30d442fdde 100644
--- a/libs/libcurl/src/vquic/ngtcp2.h
+++ b/libs/libcurl/src/vquic/ngtcp2.h
@@ -46,7 +46,7 @@ struct quicsocket {
 ngtcp2_settings settings;
 SSL_CTX *sslctx;
 SSL *ssl;
- struct quic_handshake client_crypto_data[3];
+ struct quic_handshake crypto_data[3];
 /* the last TLS alert description generated by the local endpoint */
 uint8_t tls_alert;
 struct sockaddr_storage local_addr;
diff --git a/libs/libcurl/src/vquic/quiche.c b/libs/libcurl/src/vquic/quiche.c
index 0ee360d07f..e2f43237fa 100644
--- a/libs/libcurl/src/vquic/quiche.c
+++ b/libs/libcurl/src/vquic/quiche.c
@@ -45,7 +45,7 @@
 #ifdef DEBUG_HTTP3
 #define H3BUGF(x) x
 #else
-#define H3BUGF(x) do { } WHILE_FALSE
+#define H3BUGF(x) do { } while(0)
 #endif
 #define QUIC_MAX_STREAMS (256*1024)
@@ -379,6 +379,9 @@ static int cb_each_header(uint8_t *name, size_t name_len,
 headers->destlen, "HTTP/3 %.*s\n", (int) value_len, value);
 }
+ else if(!headers->nlen) {
+ return CURLE_HTTP3;
+ }
 else {
 msnprintf(headers->dest, headers->destlen, "%.*s: %.*s\n",
@@ -433,7 +436,9 @@ static ssize_t h3_stream_recv(struct connectdata *conn,
 case QUICHE_H3_EVENT_HEADERS:
 rc = quiche_h3_event_for_each_header(ev, cb_each_header, &headers);
 if(rc) {
- /* what do we do about this? */
+ *curlcode = rc;
+ failf(data, "Error in HTTP/3 response header");
+ break;
 }
 recvd = headers.nlen;
 break;
@@ -780,4 +785,23 @@ CURLcode Curl_quic_done_sending(struct connectdata *conn)
 return CURLE_OK;
 }
+/*
+ * Called from http.c:Curl_http_done when a request completes.
+ */
+void Curl_quic_done(struct Curl_easy *data, bool premature)
+{
+ (void)data;
+ (void)premature;
+}
+
+/*
+ * Called from transfer.c:data_pending to know if we should keep looping
+ * to receive more data from the connection.
+ */
+bool Curl_quic_data_pending(const struct Curl_easy *data)
+{
+ (void)data;
+ return FALSE;
+}
+
 #endif
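Review bot: In h3_stream_recv the new error path stores the raw return of quiche_h3_event_for_each_header into `*curlcode`; that is correct when cb_each_header returned the CURLE_HTTP3 added in the hunk above, but if quiche can also fail the iteration with one of its own (negative) codes, a value that is not a CURLcode reaches the caller. Map it explicitly, e.g. `*curlcode = (rc == CURLE_HTTP3) ? CURLE_HTTP3 : CURLE_RECV_ERROR;`. The `break` leaves the switch before `recvd = headers.nlen;`, so `recvd` keeps whatever it held before, which is outside this hunk; the function continues past it. Rejecting a regular header that arrives before any status line via `!headers->nlen` is a good fail-closed check.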
diff --git a/libs/libcurl/src/vssh/libssh.c b/libs/libcurl/src/vssh/libssh.c index cad8b37864..62a7f1960c 100644 --- a/libs/libcurl/src/vssh/libssh.c +++ b/libs/libcurl/src/vssh/libssh.c @@ -97,9 +97,13 @@ /* A recent macro provided by libssh. Or make our own. */ #ifndef SSH_STRING_FREE_CHAR -/* !checksrc! disable ASSIGNWITHINCONDITION 1 */ -#define SSH_STRING_FREE_CHAR(x) \ - do { if((x) != NULL) { ssh_string_free_char(x); x = NULL; } } while(0) +#define SSH_STRING_FREE_CHAR(x) \ + do { \ + if(x) { \ + ssh_string_free_char(x); \ + x = NULL; \ + } \ + } while(0) #endif /* Local functions: */ diff --git a/libs/libcurl/src/vssh/libssh2.c b/libs/libcurl/src/vssh/libssh2.c index c71cfbc9fd..063f3d2ae6 100644 --- a/libs/libcurl/src/vssh/libssh2.c +++ b/libs/libcurl/src/vssh/libssh2.c 
@@ -466,61 +466,95 @@ static CURLcode ssh_knownhost(struct connectdata *conn) struct curl_khkey *knownkeyp = NULL; struct curl_khkey foundkey; - keybit = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)? - LIBSSH2_KNOWNHOST_KEY_SSHRSA:LIBSSH2_KNOWNHOST_KEY_SSHDSS; - + switch(keytype) { + case LIBSSH2_HOSTKEY_TYPE_RSA: + keybit = LIBSSH2_KNOWNHOST_KEY_SSHRSA; + break; + case LIBSSH2_HOSTKEY_TYPE_DSS: + keybit = LIBSSH2_KNOWNHOST_KEY_SSHDSS; + break; +#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_256 + case LIBSSH2_HOSTKEY_TYPE_ECDSA_256: + keybit = LIBSSH2_KNOWNHOST_KEY_ECDSA_256; + break; +#endif +#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_384 + case LIBSSH2_HOSTKEY_TYPE_ECDSA_384: + keybit = LIBSSH2_KNOWNHOST_KEY_ECDSA_384; + break; +#endif +#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_521 + case LIBSSH2_HOSTKEY_TYPE_ECDSA_521: + keybit = LIBSSH2_KNOWNHOST_KEY_ECDSA_521; + break; +#endif +#ifdef LIBSSH2_HOSTKEY_TYPE_ED25519 + case LIBSSH2_HOSTKEY_TYPE_ED25519: + keybit = LIBSSH2_KNOWNHOST_KEY_ED25519; + break; +#endif + default: + infof(data, "unsupported key type, can't check knownhosts!\n"); + keybit = 0; + break; + } + if(!keybit) + /* no check means failure! */ + rc = CURLKHSTAT_REJECT; + else { #ifdef HAVE_LIBSSH2_KNOWNHOST_CHECKP - keycheck = libssh2_knownhost_checkp(sshc->kh, - conn->host.name, - (conn->remote_port != PORT_SSH)? - conn->remote_port:-1, - remotekey, keylen, - LIBSSH2_KNOWNHOST_TYPE_PLAIN| - LIBSSH2_KNOWNHOST_KEYENC_RAW| - keybit, - &host); + keycheck = libssh2_knownhost_checkp(sshc->kh, + conn->host.name, + (conn->remote_port != PORT_SSH)? 
+ conn->remote_port:-1, + remotekey, keylen, + LIBSSH2_KNOWNHOST_TYPE_PLAIN| + LIBSSH2_KNOWNHOST_KEYENC_RAW| + keybit, + &host); #else - keycheck = libssh2_knownhost_check(sshc->kh, - conn->host.name, - remotekey, keylen, - LIBSSH2_KNOWNHOST_TYPE_PLAIN| - LIBSSH2_KNOWNHOST_KEYENC_RAW| - keybit, - &host); + keycheck = libssh2_knownhost_check(sshc->kh, + conn->host.name, + remotekey, keylen, + LIBSSH2_KNOWNHOST_TYPE_PLAIN| + LIBSSH2_KNOWNHOST_KEYENC_RAW| + keybit, + &host); #endif - infof(data, "SSH host check: %d, key: %s\n", keycheck, - (keycheck <= LIBSSH2_KNOWNHOST_CHECK_MISMATCH)? - host->key:""); + infof(data, "SSH host check: %d, key: %s\n", keycheck, + (keycheck <= LIBSSH2_KNOWNHOST_CHECK_MISMATCH)? + host->key:""); + + /* setup 'knownkey' */ + if(keycheck <= LIBSSH2_KNOWNHOST_CHECK_MISMATCH) { + knownkey.key = host->key; + knownkey.len = 0; + knownkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)? + CURLKHTYPE_RSA : CURLKHTYPE_DSS; + knownkeyp = &knownkey; + } - /* setup 'knownkey' */ - if(keycheck <= LIBSSH2_KNOWNHOST_CHECK_MISMATCH) { - knownkey.key = host->key; - knownkey.len = 0; - knownkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)? + /* setup 'foundkey' */ + foundkey.key = remotekey; + foundkey.len = keylen; + foundkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)? CURLKHTYPE_RSA : CURLKHTYPE_DSS; - knownkeyp = &knownkey; - } - /* setup 'foundkey' */ - foundkey.key = remotekey; - foundkey.len = keylen; - foundkey.keytype = (keytype == LIBSSH2_HOSTKEY_TYPE_RSA)? - CURLKHTYPE_RSA : CURLKHTYPE_DSS; + /* + * if any of the LIBSSH2_KNOWNHOST_CHECK_* defines and the + * curl_khmatch enum are ever modified, we need to introduce a + * translation table here! + */ + keymatch = (enum curl_khmatch)keycheck; - /* - * if any of the LIBSSH2_KNOWNHOST_CHECK_* defines and the - * curl_khmatch enum are ever modified, we need to introduce a - * translation table here! 
- */ - keymatch = (enum curl_khmatch)keycheck; - - /* Ask the callback how to behave */ - Curl_set_in_callback(data, true); - rc = func(data, knownkeyp, /* from the knownhosts file */ - &foundkey, /* from the remote host */ - keymatch, data->set.ssh_keyfunc_userp); - Curl_set_in_callback(data, false); + /* Ask the callback how to behave */ + Curl_set_in_callback(data, true); + rc = func(data, knownkeyp, /* from the knownhosts file */ + &foundkey, /* from the remote host */ + keymatch, data->set.ssh_keyfunc_userp); + Curl_set_in_callback(data, false); + } } else /* no remotekey means failure! */ diff --git a/libs/libcurl/src/vssh/ssh.h b/libs/libcurl/src/vssh/ssh.h new file mode 100644 index 0000000000..3213c5a52e --- /dev/null +++ b/libs/libcurl/src/vssh/ssh.h 
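Review bot: The new switch admits ECDSA and Ed25519 host keys for the knownhosts lookup, but both `knownkey.keytype` and `foundkey.keytype` still use `(keytype == LIBSSH2_HOSTKEY_TYPE_RSA)? CURLKHTYPE_RSA : CURLKHTYPE_DSS`, so an ECDSA or Ed25519 key reaches the CURLOPT_SSH_KEYFUNCTION callback labelled as DSS. An application that bases its accept/reject decision on the reported type is misinformed for exactly the key types this change enables; factor the mapping into one helper beside the switch so the two sites cannot drift, and give it distinct values for the new types (the public enum on this page shows only RSA and DSS; later libcurl releases added CURLKHTYPE_ECDSA and CURLKHTYPE_ED25519 for this purpose). The default branch setting `keybit = 0` and resolving to CURLKHSTAT_REJECT is the right fail-closed behaviour. ssh_knownhost starts and ends outside this hunk.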
@@ -0,0 +1,254 @@ +#ifndef HEADER_CURL_SSH_H +#define HEADER_CURL_SSH_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ + +#include "curl_setup.h" + +#if defined(HAVE_LIBSSH2_H) +#include +#include +#elif defined(HAVE_LIBSSH_LIBSSH_H) +#include +#include +#endif /* HAVE_LIBSSH2_H */ + +/**************************************************************************** + * SSH unique setup + ***************************************************************************/ +typedef enum { + SSH_NO_STATE = -1, /* Used for "nextState" so say there is none */ + SSH_STOP = 0, /* do nothing state, stops the state machine */ + + SSH_INIT, /* First state in SSH-CONNECT */ + SSH_S_STARTUP, /* Session startup */ + SSH_HOSTKEY, /* verify hostkey */ + SSH_AUTHLIST, + SSH_AUTH_PKEY_INIT, + SSH_AUTH_PKEY, + SSH_AUTH_PASS_INIT, + SSH_AUTH_PASS, + SSH_AUTH_AGENT_INIT, /* initialize then wait for connection to agent */ + SSH_AUTH_AGENT_LIST, /* ask for list then wait for entire list to come */ + SSH_AUTH_AGENT, /* attempt one key at a time */ + SSH_AUTH_HOST_INIT, + SSH_AUTH_HOST, + SSH_AUTH_KEY_INIT, + SSH_AUTH_KEY, + SSH_AUTH_GSSAPI, + SSH_AUTH_DONE, + SSH_SFTP_INIT, 
+ SSH_SFTP_REALPATH, /* Last state in SSH-CONNECT */ + + SSH_SFTP_QUOTE_INIT, /* First state in SFTP-DO */ + SSH_SFTP_POSTQUOTE_INIT, /* (Possibly) First state in SFTP-DONE */ + SSH_SFTP_QUOTE, + SSH_SFTP_NEXT_QUOTE, + SSH_SFTP_QUOTE_STAT, + SSH_SFTP_QUOTE_SETSTAT, + SSH_SFTP_QUOTE_SYMLINK, + SSH_SFTP_QUOTE_MKDIR, + SSH_SFTP_QUOTE_RENAME, + SSH_SFTP_QUOTE_RMDIR, + SSH_SFTP_QUOTE_UNLINK, + SSH_SFTP_QUOTE_STATVFS, + SSH_SFTP_GETINFO, + SSH_SFTP_FILETIME, + SSH_SFTP_TRANS_INIT, + SSH_SFTP_UPLOAD_INIT, + SSH_SFTP_CREATE_DIRS_INIT, + SSH_SFTP_CREATE_DIRS, + SSH_SFTP_CREATE_DIRS_MKDIR, + SSH_SFTP_READDIR_INIT, + SSH_SFTP_READDIR, + SSH_SFTP_READDIR_LINK, + SSH_SFTP_READDIR_BOTTOM, + SSH_SFTP_READDIR_DONE, + SSH_SFTP_DOWNLOAD_INIT, + SSH_SFTP_DOWNLOAD_STAT, /* Last state in SFTP-DO */ + SSH_SFTP_CLOSE, /* Last state in SFTP-DONE */ + SSH_SFTP_SHUTDOWN, /* First state in SFTP-DISCONNECT */ + SSH_SCP_TRANS_INIT, /* First state in SCP-DO */ + SSH_SCP_UPLOAD_INIT, + SSH_SCP_DOWNLOAD_INIT, + SSH_SCP_DOWNLOAD, + SSH_SCP_DONE, + SSH_SCP_SEND_EOF, + SSH_SCP_WAIT_EOF, + SSH_SCP_WAIT_CLOSE, + SSH_SCP_CHANNEL_FREE, /* Last state in SCP-DONE */ + SSH_SESSION_DISCONNECT, /* First state in SCP-DISCONNECT */ + SSH_SESSION_FREE, /* Last state in SCP/SFTP-DISCONNECT */ + SSH_QUIT, + SSH_LAST /* never used */ +} sshstate; + +/* this struct is used in the HandleData struct which is part of the + Curl_easy, which means this is used on a per-easy handle basis. + Everything that is strictly related to a connection is banned from this + struct. */ +struct SSHPROTO { + char *path; /* the path we operate on */ +}; + +/* ssh_conn is used for struct connection-oriented data in the connectdata + struct */ +struct ssh_conn { + const char *authlist; /* List of auth. 
methods, managed by libssh2 */ + + /* common */ + const char *passphrase; /* pass-phrase to use */ + char *rsa_pub; /* path name */ + char *rsa; /* path name */ + bool authed; /* the connection has been authenticated fine */ + sshstate state; /* always use ssh.c:state() to change state! */ + sshstate nextstate; /* the state to goto after stopping */ + CURLcode actualcode; /* the actual error code */ + struct curl_slist *quote_item; /* for the quote option */ + char *quote_path1; /* two generic pointers for the QUOTE stuff */ + char *quote_path2; + + bool acceptfail; /* used by the SFTP_QUOTE (continue if + quote command fails) */ + char *homedir; /* when doing SFTP we figure out home dir in the + connect phase */ + size_t readdir_len, readdir_totalLen, readdir_currLen; + char *readdir_line; + char *readdir_linkPath; + /* end of READDIR stuff */ + + int secondCreateDirs; /* counter use by the code to see if the + second attempt has been made to change + to/create a directory */ + char *slash_pos; /* used by the SFTP_CREATE_DIRS state */ + + int orig_waitfor; /* default READ/WRITE bits wait for */ + +#if defined(USE_LIBSSH) +/* our variables */ + unsigned kbd_state; /* 0 or 1 */ + ssh_key privkey; + ssh_key pubkey; + int auth_methods; + ssh_session ssh_session; + ssh_scp scp_session; + sftp_session sftp_session; + sftp_file sftp_file; + sftp_dir sftp_dir; + + unsigned sftp_recv_state; /* 0 or 1 */ + int sftp_file_index; /* for async read */ + sftp_attributes readdir_attrs; /* used by the SFTP readdir actions */ + sftp_attributes readdir_link_attrs; /* used by the SFTP readdir actions */ + sftp_attributes quote_attrs; /* used by the SFTP_QUOTE state */ + + const char *readdir_filename; /* points within readdir_attrs */ + const char *readdir_longentry; + char *readdir_tmp; +#elif defined(USE_LIBSSH2) + char *readdir_filename; + char *readdir_longentry; + + LIBSSH2_SFTP_ATTRIBUTES quote_attrs; /* used by the SFTP_QUOTE state */ + + /* Here's a set of struct members used 
by the SFTP_READDIR state */ + LIBSSH2_SFTP_ATTRIBUTES readdir_attrs; + LIBSSH2_SESSION *ssh_session; /* Secure Shell session */ + LIBSSH2_CHANNEL *ssh_channel; /* Secure Shell channel handle */ + LIBSSH2_SFTP *sftp_session; /* SFTP handle */ + LIBSSH2_SFTP_HANDLE *sftp_handle; + +#ifdef HAVE_LIBSSH2_AGENT_API + LIBSSH2_AGENT *ssh_agent; /* proxy to ssh-agent/pageant */ + struct libssh2_agent_publickey *sshagent_identity, + *sshagent_prev_identity; +#endif + + /* note that HAVE_LIBSSH2_KNOWNHOST_API is a define set in the libssh2.h + header */ +#ifdef HAVE_LIBSSH2_KNOWNHOST_API + LIBSSH2_KNOWNHOSTS *kh; +#endif +#endif /* USE_LIBSSH */ +}; + +#if defined(USE_LIBSSH) + +#define CURL_LIBSSH_VERSION ssh_version(0) + +extern const struct Curl_handler Curl_handler_scp; +extern const struct Curl_handler Curl_handler_sftp; + +#elif defined(USE_LIBSSH2) + +/* Feature detection based on version numbers to better work with + non-configure platforms */ + +#if !defined(LIBSSH2_VERSION_NUM) || (LIBSSH2_VERSION_NUM < 0x001000) +# error "SCP/SFTP protocols require libssh2 0.16 or later" +#endif + +#if LIBSSH2_VERSION_NUM >= 0x010000 +#define HAVE_LIBSSH2_SFTP_SEEK64 1 +#endif + +#if LIBSSH2_VERSION_NUM >= 0x010100 +#define HAVE_LIBSSH2_VERSION 1 +#endif + +#if LIBSSH2_VERSION_NUM >= 0x010205 +#define HAVE_LIBSSH2_INIT 1 +#define HAVE_LIBSSH2_EXIT 1 +#endif + +#if LIBSSH2_VERSION_NUM >= 0x010206 +#define HAVE_LIBSSH2_KNOWNHOST_CHECKP 1 +#define HAVE_LIBSSH2_SCP_SEND64 1 +#endif + +#if LIBSSH2_VERSION_NUM >= 0x010208 +#define HAVE_LIBSSH2_SESSION_HANDSHAKE 1 +#endif + +#ifdef HAVE_LIBSSH2_VERSION +/* get it run-time if possible */ +#define CURL_LIBSSH2_VERSION libssh2_version(0) +#else +/* use build-time if run-time not possible */ +#define CURL_LIBSSH2_VERSION LIBSSH2_VERSION +#endif + +extern const struct Curl_handler Curl_handler_scp; +extern const struct Curl_handler Curl_handler_sftp; +#endif /* USE_LIBSSH2 */ + +#ifdef USE_SSH +/* generic SSH backend functions */ +CURLcode 
Curl_ssh_init(void); +void Curl_ssh_cleanup(void); +size_t Curl_ssh_version(char *buffer, size_t buflen); +#else +/* for non-SSH builds */ +#define Curl_ssh_cleanup() +#endif + +#endif /* HEADER_CURL_SSH_H */ diff --git a/libs/libcurl/src/vtls/bearssl.c b/libs/libcurl/src/vtls/bearssl.c new file mode 100644 index 0000000000..67f945831c --- /dev/null +++ b/libs/libcurl/src/vtls/bearssl.c 
@@ -0,0 +1,866 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 2019, Michael Forney, + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ +#include "curl_setup.h" + +#ifdef USE_BEARSSL + +#include + +#include "bearssl.h" +#include "urldata.h" +#include "sendf.h" +#include "inet_pton.h" +#include "vtls.h" +#include "connect.h" +#include "select.h" +#include "multiif.h" +#include "curl_printf.h" +#include "curl_memory.h" + +struct x509_context { + const br_x509_class *vtable; + br_x509_minimal_context minimal; + bool verifyhost; + bool verifypeer; +}; + +struct ssl_backend_data { + br_ssl_client_context ctx; + struct x509_context x509; + unsigned char buf[BR_SSL_BUFSIZE_BIDI]; + br_x509_trust_anchor *anchors; + size_t anchors_len; + const char *protocols[2]; + /* SSL client context is active */ + bool active; + /* size of pending write, yet to be flushed */ + size_t pending_write; +}; + +#define BACKEND connssl->backend + +struct cafile_parser { + CURLcode err; + bool in_cert; + br_x509_decoder_context xc; + /* array of trust anchors loaded from CAfile */ + br_x509_trust_anchor *anchors; + size_t anchors_len; + /* buffer for DN data */ + unsigned char dn[1024]; + size_t dn_len; +}; + +static void append_dn(void *ctx, const void 
*buf, size_t len) +{ + struct cafile_parser *ca = ctx; + + if(ca->err != CURLE_OK || !ca->in_cert) + return; + if(sizeof(ca->dn) - ca->dn_len < len) { + ca->err = CURLE_FAILED_INIT; + return; + } + memcpy(ca->dn + ca->dn_len, buf, len); + ca->dn_len += len; +} + +static void x509_push(void *ctx, const void *buf, size_t len) +{ + struct cafile_parser *ca = ctx; + + if(ca->in_cert) + br_x509_decoder_push(&ca->xc, buf, len); +} + +static CURLcode load_cafile(const char *path, br_x509_trust_anchor **anchors, + size_t *anchors_len) +{ + struct cafile_parser ca; + br_pem_decoder_context pc; + br_x509_trust_anchor *ta; + size_t ta_size; + br_x509_trust_anchor *new_anchors; + size_t new_anchors_len; + br_x509_pkey *pkey; + FILE *fp; + unsigned char buf[BUFSIZ], *p; + const char *name; + size_t n, i, pushed; + + fp = fopen(path, "rb"); + if(!fp) + return CURLE_SSL_CACERT_BADFILE; + + ca.err = CURLE_OK; + ca.in_cert = FALSE; + ca.anchors = NULL; + ca.anchors_len = 0; + br_pem_decoder_init(&pc); + br_pem_decoder_setdest(&pc, x509_push, &ca); + for(;;) { + n = fread(buf, 1, sizeof(buf), fp); + if(n == 0) + break; + p = buf; + while(n) { + pushed = br_pem_decoder_push(&pc, p, n); + if(ca.err) + goto fail; + p += pushed; + n -= pushed; + + switch(br_pem_decoder_event(&pc)) { + case 0: + break; + case BR_PEM_BEGIN_OBJ: + name = br_pem_decoder_name(&pc); + if(strcmp(name, "CERTIFICATE") && strcmp(name, "X509 CERTIFICATE")) + break; + br_x509_decoder_init(&ca.xc, append_dn, &ca); + if(ca.anchors_len == SIZE_MAX / sizeof(ca.anchors[0])) { + ca.err = CURLE_OUT_OF_MEMORY; + goto fail; + } + new_anchors_len = ca.anchors_len + 1; + new_anchors = realloc(ca.anchors, + new_anchors_len * sizeof(ca.anchors[0])); + if(!new_anchors) { + ca.err = CURLE_OUT_OF_MEMORY; + goto fail; + } + ca.anchors = new_anchors; + ca.anchors_len = new_anchors_len; + ca.in_cert = TRUE; + ca.dn_len = 0; + ta = &ca.anchors[ca.anchors_len - 1]; + ta->dn.data = NULL; + break; + case BR_PEM_END_OBJ: + if(!ca.in_cert) 
+ break; + ca.in_cert = FALSE; + if(br_x509_decoder_last_error(&ca.xc)) { + ca.err = CURLE_SSL_CACERT_BADFILE; + goto fail; + } + ta->flags = 0; + if(br_x509_decoder_isCA(&ca.xc)) + ta->flags |= BR_X509_TA_CA; + pkey = br_x509_decoder_get_pkey(&ca.xc); + if(!pkey) { + ca.err = CURLE_SSL_CACERT_BADFILE; + goto fail; + } + ta->pkey = *pkey; + + /* calculate space needed for trust anchor data */ + ta_size = ca.dn_len; + switch(pkey->key_type) { + case BR_KEYTYPE_RSA: + ta_size += pkey->key.rsa.nlen + pkey->key.rsa.elen; + break; + case BR_KEYTYPE_EC: + ta_size += pkey->key.ec.qlen; + break; + default: + ca.err = CURLE_FAILED_INIT; + goto fail; + } + + /* fill in trust anchor DN and public key data */ + ta->dn.data = malloc(ta_size); + if(!ta->dn.data) { + ca.err = CURLE_OUT_OF_MEMORY; + goto fail; + } + memcpy(ta->dn.data, ca.dn, ca.dn_len); + ta->dn.len = ca.dn_len; + switch(pkey->key_type) { + case BR_KEYTYPE_RSA: + ta->pkey.key.rsa.n = ta->dn.data + ta->dn.len; + memcpy(ta->pkey.key.rsa.n, pkey->key.rsa.n, pkey->key.rsa.nlen); + ta->pkey.key.rsa.e = ta->pkey.key.rsa.n + ta->pkey.key.rsa.nlen; + memcpy(ta->pkey.key.rsa.e, pkey->key.rsa.e, pkey->key.rsa.elen); + break; + case BR_KEYTYPE_EC: + ta->pkey.key.ec.q = ta->dn.data + ta->dn.len; + memcpy(ta->pkey.key.ec.q, pkey->key.ec.q, pkey->key.ec.qlen); + break; + } + break; + default: + ca.err = CURLE_SSL_CACERT_BADFILE; + goto fail; + } + } + } + if(ferror(fp)) + ca.err = CURLE_READ_ERROR; + +fail: + fclose(fp); + if(ca.err == CURLE_OK) { + *anchors = ca.anchors; + *anchors_len = ca.anchors_len; + } + else { + for(i = 0; i < ca.anchors_len; ++i) + free(ca.anchors[i].dn.data); + free(ca.anchors); + } + + return ca.err; +} + +static void x509_start_chain(const br_x509_class **ctx, + const char *server_name) +{ + struct x509_context *x509 = (struct x509_context *)ctx; + + if(!x509->verifyhost) + server_name = NULL; + x509->minimal.vtable->start_chain(&x509->minimal.vtable, server_name); +} + +static void 
x509_start_cert(const br_x509_class **ctx, uint32_t length) +{ + struct x509_context *x509 = (struct x509_context *)ctx; + + x509->minimal.vtable->start_cert(&x509->minimal.vtable, length); +} + +static void x509_append(const br_x509_class **ctx, const unsigned char *buf, + size_t len) +{ + struct x509_context *x509 = (struct x509_context *)ctx; + + x509->minimal.vtable->append(&x509->minimal.vtable, buf, len); +} + +static void x509_end_cert(const br_x509_class **ctx) +{ + struct x509_context *x509 = (struct x509_context *)ctx; + + x509->minimal.vtable->end_cert(&x509->minimal.vtable); +} + +static unsigned x509_end_chain(const br_x509_class **ctx) +{ + struct x509_context *x509 = (struct x509_context *)ctx; + unsigned err; + + err = x509->minimal.vtable->end_chain(&x509->minimal.vtable); + if(err && !x509->verifypeer) { + /* ignore any X.509 errors */ + err = BR_ERR_OK; + } + + return err; +} + +static const br_x509_pkey *x509_get_pkey(const br_x509_class *const *ctx, + unsigned *usages) +{ + struct x509_context *x509 = (struct x509_context *)ctx; + + return x509->minimal.vtable->get_pkey(&x509->minimal.vtable, usages); +} + +static const br_x509_class x509_vtable = { + sizeof(struct x509_context), + x509_start_chain, + x509_start_cert, + x509_append, + x509_end_cert, + x509_end_chain, + x509_get_pkey +}; + +static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) +{ + struct Curl_easy *data = conn->data; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const char *hostname = SSL_IS_PROXY() ? 
conn->http_proxy.host.name : + conn->host.name; + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + const bool verifyhost = SSL_CONN_CONFIG(verifyhost); + CURLcode ret; + unsigned version_min, version_max; +#ifdef ENABLE_IPV6 + struct in6_addr addr; +#else + struct in_addr addr; +#endif + + switch(SSL_CONN_CONFIG(version)) { + case CURL_SSLVERSION_SSLv2: + failf(data, "BearSSL does not support SSLv2"); + return CURLE_SSL_CONNECT_ERROR; + case CURL_SSLVERSION_SSLv3: + failf(data, "BearSSL does not support SSLv3"); + return CURLE_SSL_CONNECT_ERROR; + case CURL_SSLVERSION_TLSv1_0: + version_min = BR_TLS10; + version_max = BR_TLS10; + break; + case CURL_SSLVERSION_TLSv1_1: + version_min = BR_TLS11; + version_max = BR_TLS11; + break; + case CURL_SSLVERSION_TLSv1_2: + version_min = BR_TLS12; + version_max = BR_TLS12; + break; + case CURL_SSLVERSION_DEFAULT: + case CURL_SSLVERSION_TLSv1: + version_min = BR_TLS10; + version_max = BR_TLS12; + break; + default: + failf(data, "BearSSL: unknown CURLOPT_SSLVERSION"); + return CURLE_SSL_CONNECT_ERROR; + } + + if(ssl_cafile) { + ret = load_cafile(ssl_cafile, &BACKEND->anchors, &BACKEND->anchors_len); + if(ret != CURLE_OK) { + if(verifypeer) { + failf(data, "error setting certificate verify locations:\n" + " CAfile: %s\n", ssl_cafile); + return ret; + } + infof(data, "error setting certificate verify locations," + " continuing anyway:\n"); + } + } + + /* initialize SSL context */ + br_ssl_client_init_full(&BACKEND->ctx, &BACKEND->x509.minimal, + BACKEND->anchors, BACKEND->anchors_len); + br_ssl_engine_set_versions(&BACKEND->ctx.eng, version_min, version_max); + br_ssl_engine_set_buffer(&BACKEND->ctx.eng, BACKEND->buf, + sizeof(BACKEND->buf), 1); + + /* initialize X.509 context */ + BACKEND->x509.vtable = &x509_vtable; + BACKEND->x509.verifypeer = verifypeer; + BACKEND->x509.verifyhost = verifyhost; + br_ssl_engine_set_x509(&BACKEND->ctx.eng, &BACKEND->x509.vtable); + + if(SSL_SET_OPTION(primary.sessionid)) { + void *session; 
+ + Curl_ssl_sessionid_lock(conn); + if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { + br_ssl_engine_set_session_parameters(&BACKEND->ctx.eng, session); + infof(data, "BearSSL: re-using session ID\n"); + } + Curl_ssl_sessionid_unlock(conn); + } + + if(conn->bits.tls_enable_alpn) { + int cur = 0; + + /* NOTE: when adding more protocols here, increase the size of the + * protocols array in `struct ssl_backend_data`. + */ + +#ifdef USE_NGHTTP2 + if(data->set.httpversion >= CURL_HTTP_VERSION_2 && + (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) { + BACKEND->protocols[cur++] = NGHTTP2_PROTO_VERSION_ID; + infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID); + } +#endif + + BACKEND->protocols[cur++] = ALPN_HTTP_1_1; + infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1); + + br_ssl_engine_set_protocol_names(&BACKEND->ctx.eng, + BACKEND->protocols, cur); + } + + if((1 == Curl_inet_pton(AF_INET, hostname, &addr)) +#ifdef ENABLE_IPV6 + || (1 == Curl_inet_pton(AF_INET6, hostname, &addr)) +#endif + ) { + if(verifyhost) { + failf(data, "BearSSL: " + "host verification of IP address is not supported"); + return CURLE_PEER_FAILED_VERIFICATION; + } + hostname = NULL; + } + + if(!br_ssl_client_reset(&BACKEND->ctx, hostname, 0)) + return CURLE_FAILED_INIT; + BACKEND->active = TRUE; + + connssl->connecting_state = ssl_connect_2; + + return CURLE_OK; +} + +static CURLcode bearssl_run_until(struct connectdata *conn, int sockindex, + unsigned target) +{ + struct Curl_easy *data = conn->data; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + curl_socket_t sockfd = conn->sock[sockindex]; + unsigned state; + unsigned char *buf; + size_t len; + ssize_t ret; + int err; + + for(;;) { + state = br_ssl_engine_current_state(&BACKEND->ctx.eng); + if(state & BR_SSL_CLOSED) { + err = br_ssl_engine_last_error(&BACKEND->ctx.eng); + switch(err) { + case BR_ERR_OK: + /* TLS close notify */ + if(connssl->state != ssl_connection_complete) { + failf(data, "SSL: connection 
closed during handshake"); + return CURLE_SSL_CONNECT_ERROR; + } + return CURLE_OK; + case BR_ERR_X509_EXPIRED: + failf(data, "SSL: X.509 verification: " + "certificate is expired or not yet valid"); + return CURLE_PEER_FAILED_VERIFICATION; + case BR_ERR_X509_BAD_SERVER_NAME: + failf(data, "SSL: X.509 verification: " + "expected server name was not found in the chain"); + return CURLE_PEER_FAILED_VERIFICATION; + case BR_ERR_X509_NOT_TRUSTED: + failf(data, "SSL: X.509 verification: " + "chain could not be linked to a trust anchor"); + return CURLE_PEER_FAILED_VERIFICATION; + } + /* X.509 errors are documented to have the range 32..63 */ + if(err >= 32 && err < 64) + return CURLE_PEER_FAILED_VERIFICATION; + return CURLE_SSL_CONNECT_ERROR; + } + if(state & target) + return CURLE_OK; + if(state & BR_SSL_SENDREC) { + buf = br_ssl_engine_sendrec_buf(&BACKEND->ctx.eng, &len); + ret = swrite(sockfd, buf, len); + if(ret == -1) { + if(SOCKERRNO == EAGAIN || SOCKERRNO == EWOULDBLOCK) { + if(connssl->state != ssl_connection_complete) + connssl->connecting_state = ssl_connect_2_writing; + return CURLE_AGAIN; + } + return CURLE_WRITE_ERROR; + } + br_ssl_engine_sendrec_ack(&BACKEND->ctx.eng, ret); + } + else if(state & BR_SSL_RECVREC) { + buf = br_ssl_engine_recvrec_buf(&BACKEND->ctx.eng, &len); + ret = sread(sockfd, buf, len); + if(ret == 0) { + failf(data, "SSL: EOF without close notify"); + return CURLE_READ_ERROR; + } + if(ret == -1) { + if(SOCKERRNO == EAGAIN || SOCKERRNO == EWOULDBLOCK) { + if(connssl->state != ssl_connection_complete) + connssl->connecting_state = ssl_connect_2_reading; + return CURLE_AGAIN; + } + return CURLE_READ_ERROR; + } + br_ssl_engine_recvrec_ack(&BACKEND->ctx.eng, ret); + } + } +} + +static CURLcode bearssl_connect_step2(struct connectdata *conn, int sockindex) +{ + struct Curl_easy *data = conn->data; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + CURLcode ret; + + ret = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP | 
BR_SSL_RECVAPP); + if(ret == CURLE_AGAIN) + return CURLE_OK; + if(ret == CURLE_OK) { + if(br_ssl_engine_current_state(&BACKEND->ctx.eng) == BR_SSL_CLOSED) { + failf(data, "SSL: connection closed during handshake"); + return CURLE_SSL_CONNECT_ERROR; + } + connssl->connecting_state = ssl_connect_3; + } + return ret; +} + +static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) +{ + struct Curl_easy *data = conn->data; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + CURLcode ret; + + DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); + + if(conn->bits.tls_enable_alpn) { + const char *protocol; + + protocol = br_ssl_engine_get_selected_protocol(&BACKEND->ctx.eng); + if(protocol) { + infof(data, "ALPN, server accepted to use %s\n", protocol); + +#ifdef USE_NGHTTP2 + if(!strcmp(protocol, NGHTTP2_PROTO_VERSION_ID)) + conn->negnpn = CURL_HTTP_VERSION_2; + else +#endif + if(!strcmp(protocol, ALPN_HTTP_1_1)) + conn->negnpn = CURL_HTTP_VERSION_1_1; + else + infof(data, "ALPN, unrecognized protocol %s\n", protocol); + Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? 
+ BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); + } + else + infof(data, "ALPN, server did not agree to a protocol\n"); + } + + if(SSL_SET_OPTION(primary.sessionid)) { + bool incache; + void *oldsession; + br_ssl_session_parameters *session; + + session = malloc(sizeof(*session)); + if(!session) + return CURLE_OUT_OF_MEMORY; + br_ssl_engine_get_session_parameters(&BACKEND->ctx.eng, session); + Curl_ssl_sessionid_lock(conn); + incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); + if(incache) + Curl_ssl_delsessionid(conn, oldsession); + ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); + Curl_ssl_sessionid_unlock(conn); + if(ret) { + free(session); + return CURLE_OUT_OF_MEMORY; + } + } + + connssl->connecting_state = ssl_connect_done; + + return CURLE_OK; +} + +static ssize_t bearssl_send(struct connectdata *conn, int sockindex, + const void *buf, size_t len, CURLcode *err) +{ + struct Curl_easy *data = conn->data; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + unsigned char *app; + size_t applen; + + for(;;) { + *err = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP); + if (*err != CURLE_OK) + return -1; + app = br_ssl_engine_sendapp_buf(&BACKEND->ctx.eng, &applen); + if(!app) { + failf(data, "SSL: connection closed during write"); + *err = CURLE_SEND_ERROR; + return -1; + } + if(BACKEND->pending_write) { + applen = BACKEND->pending_write; + BACKEND->pending_write = 0; + return applen; + } + if(applen > len) + applen = len; + memcpy(app, buf, applen); + br_ssl_engine_sendapp_ack(&BACKEND->ctx.eng, applen); + br_ssl_engine_flush(&BACKEND->ctx.eng, 0); + BACKEND->pending_write = applen; + } +} + +static ssize_t bearssl_recv(struct connectdata *conn, int sockindex, + char *buf, size_t len, CURLcode *err) +{ + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + unsigned char *app; + size_t applen; + + *err = bearssl_run_until(conn, sockindex, BR_SSL_RECVAPP); + if(*err != CURLE_OK) + return -1; + app = 
br_ssl_engine_recvapp_buf(&BACKEND->ctx.eng, &applen); + if(!app) + return 0; + if(applen > len) + applen = len; + memcpy(buf, app, applen); + br_ssl_engine_recvapp_ack(&BACKEND->ctx.eng, applen); + + return applen; +} + +static CURLcode bearssl_connect_common(struct connectdata *conn, + int sockindex, + bool nonblocking, + bool *done) +{ + CURLcode ret; + struct Curl_easy *data = conn->data; + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + curl_socket_t sockfd = conn->sock[sockindex]; + time_t timeout_ms; + int what; + + /* check if the connection has already been established */ + if(ssl_connection_complete == connssl->state) { + *done = TRUE; + return CURLE_OK; + } + + if(ssl_connect_1 == connssl->connecting_state) { + ret = bearssl_connect_step1(conn, sockindex); + if(ret) + return ret; + } + + while(ssl_connect_2 == connssl->connecting_state || + ssl_connect_2_reading == connssl->connecting_state || + ssl_connect_2_writing == connssl->connecting_state) { + /* check allowed time left */ + timeout_ms = Curl_timeleft(data, NULL, TRUE); + + if(timeout_ms < 0) { + /* no need to continue if time already is up */ + failf(data, "SSL connection timeout"); + return CURLE_OPERATION_TIMEDOUT; + } + + /* if ssl is expecting something, check if it's available. 
*/ + if(ssl_connect_2_reading == connssl->connecting_state || + ssl_connect_2_writing == connssl->connecting_state) { + + curl_socket_t writefd = ssl_connect_2_writing == + connssl->connecting_state?sockfd:CURL_SOCKET_BAD; + curl_socket_t readfd = ssl_connect_2_reading == + connssl->connecting_state?sockfd:CURL_SOCKET_BAD; + + what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd, + nonblocking?0:timeout_ms); + if(what < 0) { + /* fatal error */ + failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO); + return CURLE_SSL_CONNECT_ERROR; + } + else if(0 == what) { + if(nonblocking) { + *done = FALSE; + return CURLE_OK; + } + else { + /* timeout */ + failf(data, "SSL connection timeout"); + return CURLE_OPERATION_TIMEDOUT; + } + } + /* socket is readable or writable */ + } + + /* Run transaction, and return to the caller if it failed or if this + * connection is done nonblocking and this loop would execute again. This + * permits the owner of a multi handle to abort a connection attempt + * before step2 has completed while ensuring that a client using select() + * or epoll() will always have a valid fdset to wait on. 
+ */ + ret = bearssl_connect_step2(conn, sockindex); + if(ret || (nonblocking && + (ssl_connect_2 == connssl->connecting_state || + ssl_connect_2_reading == connssl->connecting_state || + ssl_connect_2_writing == connssl->connecting_state))) + return ret; + } + + if(ssl_connect_3 == connssl->connecting_state) { + ret = bearssl_connect_step3(conn, sockindex); + if(ret) + return ret; + } + + if(ssl_connect_done == connssl->connecting_state) { + connssl->state = ssl_connection_complete; + conn->recv[sockindex] = bearssl_recv; + conn->send[sockindex] = bearssl_send; + *done = TRUE; + } + else + *done = FALSE; + + /* Reset our connect state machine */ + connssl->connecting_state = ssl_connect_1; + + return CURLE_OK; +} + +static size_t Curl_bearssl_version(char *buffer, size_t size) +{ + return msnprintf(buffer, size, "BearSSL"); +} + +static bool Curl_bearssl_data_pending(const struct connectdata *conn, + int connindex) +{ + const struct ssl_connect_data *connssl = &conn->ssl[connindex]; + + return br_ssl_engine_current_state(&BACKEND->ctx.eng) & BR_SSL_RECVAPP; +} + +static CURLcode Curl_bearssl_random(struct Curl_easy *data UNUSED_PARAM, + unsigned char *entropy, size_t length) +{ + static br_hmac_drbg_context ctx; + static bool seeded = FALSE; + + if(!seeded) { + br_prng_seeder seeder; + + br_hmac_drbg_init(&ctx, &br_sha256_vtable, NULL, 0); + seeder = br_prng_seeder_system(NULL); + if(!seeder || !seeder(&ctx.vtable)) + return CURLE_FAILED_INIT; + seeded = TRUE; + } + br_hmac_drbg_generate(&ctx, entropy, length); + + return CURLE_OK; +} + +static CURLcode Curl_bearssl_connect(struct connectdata *conn, int sockindex) +{ + CURLcode ret; + bool done = FALSE; + + ret = bearssl_connect_common(conn, sockindex, FALSE, &done); + if(ret) + return ret; + + DEBUGASSERT(done); + + return CURLE_OK; +} + +static CURLcode Curl_bearssl_connect_nonblocking(struct connectdata *conn, + int sockindex, bool *done) +{ + return bearssl_connect_common(conn, sockindex, TRUE, done); +} + 
+static void *Curl_bearssl_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) +{ + return &BACKEND->ctx; +} + +static void Curl_bearssl_close(struct connectdata *conn, int sockindex) +{ + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + size_t i; + + if(BACKEND->active) { + br_ssl_engine_close(&BACKEND->ctx.eng); + (void)bearssl_run_until(conn, sockindex, BR_SSL_CLOSED); + } + for(i = 0; i < BACKEND->anchors_len; ++i) + free(BACKEND->anchors[i].dn.data); + free(BACKEND->anchors); +} + +static void Curl_bearssl_session_free(void *ptr) +{ + free(ptr); +} + +static CURLcode Curl_bearssl_md5sum(unsigned char *input, + size_t inputlen, + unsigned char *md5sum, + size_t md5len UNUSED_PARAM) +{ + br_md5_context ctx; + + br_md5_init(&ctx); + br_md5_update(&ctx, input, inputlen); + br_md5_out(&ctx, md5sum); + return CURLE_OK; +} + +static CURLcode Curl_bearssl_sha256sum(const unsigned char *input, + size_t inputlen, + unsigned char *sha256sum, + size_t sha256len UNUSED_PARAM) +{ + br_sha256_context ctx; + + br_sha256_init(&ctx); + br_sha256_update(&ctx, input, inputlen); + br_sha256_out(&ctx, sha256sum); + return CURLE_OK; +} + +const struct Curl_ssl Curl_ssl_bearssl = { + { CURLSSLBACKEND_BEARSSL, "bearssl" }, + + 0, + + sizeof(struct ssl_backend_data), + + Curl_none_init, + Curl_none_cleanup, + Curl_bearssl_version, + Curl_none_check_cxn, + Curl_none_shutdown, + Curl_bearssl_data_pending, + Curl_bearssl_random, + Curl_none_cert_status_request, + Curl_bearssl_connect, + Curl_bearssl_connect_nonblocking, + Curl_bearssl_get_internals, + Curl_bearssl_close, + Curl_none_close_all, + Curl_bearssl_session_free, + Curl_none_set_engine, + Curl_none_set_engine_default, + Curl_none_engines_list, + Curl_none_false_start, + Curl_bearssl_md5sum, + Curl_bearssl_sha256sum +}; + +#endif /* USE_BEARSSL */ diff --git a/libs/libcurl/src/vtls/bearssl.h b/libs/libcurl/src/vtls/bearssl.h new file mode 100644 index 0000000000..5f94922b92 --- /dev/null 
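Review bot: In x509_end_chain every X.509 error is discarded whenever verifypeer is off, including BR_ERR_X509_BAD_SERVER_NAME, so with this backend CURLOPT_SSL_VERIFYPEER=0 also disables the host-name check requested by CURLOPT_SSL_VERIFYHOST: the name is still handed to the minimal engine in x509_start_chain, but its mismatch never reaches bearssl_run_until and the connection is accepted. Keep the name mismatch fatal when verifyhost is set, `if(err && !x509->verifypeer && !(x509->verifyhost && err == BR_ERR_X509_BAD_SERVER_NAME))` followed by `err = BR_ERR_OK;`, and say so in the comment (`/* verifypeer off: ignore trust/validity errors, but a name mismatch still fails when verifyhost is on */`). BearSSL reports only the first error it hit for a chain, so confirm against the engine that a name mismatch cannot be shadowed by an earlier trust or validity error; if it can, failing hard on the verifyhost-without-verifypeer combination is safer than silently accepting. Two smaller hardening items in the same file: Curl_bearssl_random keeps its HMAC-DRBG in unguarded function-static storage, so easy handles driven from different threads race on it, and Curl_bearssl_close frees anchors without clearing active, anchors and anchors_len, so a second close on the same connssl would double free.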
+++ b/libs/libcurl/src/vtls/bearssl.h @@ -0,0 +1,32 @@ +#ifndef HEADER_CURL_BEARSSL_H +#define HEADER_CURL_BEARSSL_H +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 2019, Michael Forney, + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at https://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + ***************************************************************************/ + +#include "curl_setup.h" + +#ifdef USE_BEARSSL + +extern const struct Curl_ssl Curl_ssl_bearssl; + +#endif /* USE_BEARSSL */ +#endif /* HEADER_CURL_BEARSSL_H */ diff --git a/libs/libcurl/src/vtls/gskit.h b/libs/libcurl/src/vtls/gskit.h index 466ee4d9de..b06b5e17d3 100644 --- a/libs/libcurl/src/vtls/gskit.h +++ b/libs/libcurl/src/vtls/gskit.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2019, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms diff --git a/libs/libcurl/src/vtls/mbedtls.h b/libs/libcurl/src/vtls/mbedtls.h index 4a938605bd..0cc64b3991 100644 --- a/libs/libcurl/src/vtls/mbedtls.h +++ b/libs/libcurl/src/vtls/mbedtls.h 
@@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2012 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 2012 - 2019, Daniel Stenberg, , et al. * Copyright (C) 2010, Hoi-Ho Chan, * * This software is licensed as described in the file COPYING, which diff --git a/libs/libcurl/src/vtls/nss.c b/libs/libcurl/src/vtls/nss.c index a375f00da2..ef51b0d912 100644 --- a/libs/libcurl/src/vtls/nss.c +++ b/libs/libcurl/src/vtls/nss.c @@ -113,7 +113,7 @@ typedef struct { ptr->type = (_type); \ ptr->pValue = (_val); \ ptr->ulValueLen = (_len); \ -} WHILE_FALSE +} while(0) #define CERT_NewTempCertificate __CERT_NewTempCertificate diff --git a/libs/libcurl/src/vtls/openssl.c b/libs/libcurl/src/vtls/openssl.c index 760758d234..726ff6e7ca 100644 --- a/libs/libcurl/src/vtls/openssl.c +++ b/libs/libcurl/src/vtls/openssl.c @@ -142,10 +142,6 @@ #endif #endif -#ifdef LIBRESSL_VERSION_NUMBER -#define OpenSSL_version_num() LIBRESSL_VERSION_NUMBER -#endif - #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \ !(defined(LIBRESSL_VERSION_NUMBER) && \ LIBRESSL_VERSION_NUMBER < 0x20700000L) @@ -392,11 +388,20 @@ static const char *SSL_ERROR_to_str(int err) */ static char *ossl_strerror(unsigned long error, char *buf, size_t size) { + if(size) + *buf = '\0'; + #ifdef OPENSSL_IS_BORINGSSL ERR_error_string_n((uint32_t)error, buf, size); #else ERR_error_string_n(error, buf, size); #endif + + if(size > 1 && !*buf) { + strncpy(buf, (error ? "Unknown error" : "No error"), size); + buf[size - 1] = '\0'; + } + return buf; } 
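Review bot: The new fallback at the end of ossl_strerror copies with `strncpy` and then hand-terminates, while the same file already relies on msnprintf for bounded formatting (Curl_ossl_version, and the recv path in this same change), so the three lines can be the single `msnprintf(buf, size, "%s", error ? "Unknown error" : "No error");`, which also drops strncpy's zero-padding of the whole buffer on every call. The `size > 1` pre-check can then go, since the `if(size) *buf = '\0';` above already covers a one-byte buffer. The function is complete in the hunk; the ERR_error_string_n calls themselves are unchanged.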
@@ -2768,19 +2773,29 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) infof(data, " CRLfile: %s\n", ssl_crlfile); } - /* Try building a chain using issuers in the trusted store first to avoid - problems with server-sent legacy intermediates. Newer versions of - OpenSSL do alternate chain checking by default which gives us the same - fix without as much of a performance hit (slight), so we prefer that if - available. - https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest - */ -#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS) if(verifypeer) { + /* Try building a chain using issuers in the trusted store first to avoid + problems with server-sent legacy intermediates. Newer versions of + OpenSSL do alternate chain checking by default which gives us the same + fix without as much of a performance hit (slight), so we prefer that if + available. + https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest + */ +#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS) X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), X509_V_FLAG_TRUSTED_FIRST); - } #endif +#ifdef X509_V_FLAG_PARTIAL_CHAIN + if(!SSL_SET_OPTION(no_partialchain)) { + /* Have intermediate certificates in the trust store be treated as + trust-anchors, in the same way as self-signed root CA certificates + are. This allows users to verify servers using the intermediate cert + only, instead of needing the whole chain. */ + X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx), + X509_V_FLAG_PARTIAL_CHAIN); + } +#endif + } /* SSL always tries to verify the peer, this only says whether it should * fail to connect if the verification fails, or if it should continue 
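Review bot: Setting X509_V_FLAG_PARTIAL_CHAIN whenever verifypeer is on changes what membership in the trust store means: any certificate the store holds, including an intermediate that merely happens to be present in the default CA bundle and not only one a user deliberately supplied, now terminates chain building as a trust anchor, and `no_partialchain` is the only opt-out. The comment in the hunk describes the intended use case (verifying against an intermediate only) but not that the flag applies to the whole store regardless of how it was populated, which is the part an operator auditing trust decisions needs to know. I would extend it with `/* NOTE: applies to every cert in the store, including the default bundle; the no_partialchain option restores root-only anchoring. */`. ossl_connect_step1 begins and ends outside this hunk, so where the store is populated relative to this flag is not visible here.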
@@ -2806,8 +2821,10 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) /* give application a chance to interfere with SSL set up. */ if(data->set.ssl.fsslctx) { + Curl_set_in_callback(data, true); result = (*data->set.ssl.fsslctx)(data, BACKEND->ctx, data->set.ssl.fsslctxp); + Curl_set_in_callback(data, false); if(result) { failf(data, "error signaled by ssl ctx callback"); return result; @@ -2988,8 +3005,13 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name; const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; + char extramsg[80]=""; + int sockerr = SOCKERRNO; + if(sockerr && detail == SSL_ERROR_SYSCALL) + Curl_strerror(sockerr, extramsg, sizeof(extramsg)); failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%ld ", - SSL_ERROR_to_str(detail), hostname, port); + extramsg[0] ? extramsg : SSL_ERROR_to_str(detail), + hostname, port); return result; } @@ -3065,7 +3087,7 @@ do { \ Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \ if(1 != BIO_reset(mem)) \ break; \ -} WHILE_FALSE +} while(0) static void pubkey_show(struct Curl_easy *data, BIO *mem, @@ -3097,7 +3119,7 @@ do { \ if(_type->_name) { \ pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \ } \ -} WHILE_FALSE +} while(0) #endif static int X509V3_ext(struct Curl_easy *data, 
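Review bot: In the SSL_connect failure message of ossl_connect_step2 the errno text now replaces the SSL_ERROR_* name rather than supplementing it, so a SSL_ERROR_SYSCALL with errno set no longer says it was a syscall-level failure, and the two pieces of information are most useful together. SOCKERRNO is also read only when this branch is reached rather than immediately after SSL_connect; the hunk does not show what runs in between, so whether the value can be stale cannot be confirmed from here. I would keep both in the message: `failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%ld%s%s ", SSL_ERROR_to_str(detail), hostname, port, extramsg[0] ? " - " : "", extramsg);`. The function continues outside the hunk.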
@@ -3826,10 +3848,22 @@ static ssize_t ossl_send(struct connectdata *conn, *curlcode = CURLE_AGAIN; return -1; case SSL_ERROR_SYSCALL: - Curl_strerror(SOCKERRNO, error_buffer, sizeof(error_buffer)); - failf(conn->data, OSSL_PACKAGE " SSL_write: %s", error_buffer); - *curlcode = CURLE_SEND_ERROR; - return -1; + { + int sockerr = SOCKERRNO; + sslerror = ERR_get_error(); + if(sslerror) + ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)); + else if(sockerr) + Curl_strerror(sockerr, error_buffer, sizeof(error_buffer)); + else { + strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer)); + error_buffer[sizeof(error_buffer) - 1] = '\0'; + } + failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d", + error_buffer, sockerr); + *curlcode = CURLE_SEND_ERROR; + return -1; + } case SSL_ERROR_SSL: /* A failure in the SSL library occurred, usually a protocol error. The OpenSSL error queue contains more information on the error. */ @@ -3894,11 +3928,6 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ /* there's data pending, re-invoke SSL_read() */ *curlcode = CURLE_AGAIN; return -1; - case SSL_ERROR_SYSCALL: - Curl_strerror(SOCKERRNO, error_buffer, sizeof(error_buffer)); - failf(conn->data, OSSL_PACKAGE " SSL_read: %s", error_buffer); - *curlcode = CURLE_RECV_ERROR; - return -1; default: /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return value/errno" */ 
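Review bot: In the new SSL_ERROR_SYSCALL case of ossl_send, the last fallback (empty error queue and errno 0) logs `SSL_ERROR_SYSCALL, errno 0`, which on a write usually means the peer closed the transport without a close_notify; the recv path in this same change spells that condition out as "Connection closed abruptly", and the send path should say the same rather than leave the operator with an opaque errno 0. Separately, the strncpy-plus-terminator pair can be the one-line `msnprintf(error_buffer, sizeof(error_buffer), "%s", SSL_ERROR_to_str(err));`, consistent with the rest of the file and without strncpy's padding. ossl_send begins before and ends after this hunk.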
@@ -3907,14 +3936,44 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ if((nread < 0) || sslerror) { /* If the return code was negative or there actually is an error in the queue */ + int sockerr = SOCKERRNO; + if(sslerror) + ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)); + else if(sockerr && err == SSL_ERROR_SYSCALL) + Curl_strerror(sockerr, error_buffer, sizeof(error_buffer)); + else { + strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer)); + error_buffer[sizeof(error_buffer) - 1] = '\0'; + } failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d", - (sslerror ? - ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)) : - SSL_ERROR_to_str(err)), - SOCKERRNO); + error_buffer, sockerr); *curlcode = CURLE_RECV_ERROR; return -1; } + /* For debug builds be a little stricter and error on any + SSL_ERROR_SYSCALL. For example a server may have closed the connection + abruptly without a close_notify alert. For compatibility with older + peers we don't do this by default. #4624 + + We can use this to gauge how many users may be affected, and + if it goes ok eventually transition to allow in dev and release with + the newest OpenSSL: #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) */ +#ifdef DEBUGBUILD + if(err == SSL_ERROR_SYSCALL) { + int sockerr = SOCKERRNO; + if(sockerr) + Curl_strerror(sockerr, error_buffer, sizeof(error_buffer)); + else { + msnprintf(error_buffer, sizeof(error_buffer), + "Connection closed abruptly"); + } + failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d" + " (Fatal because this is a curl debug build)", + error_buffer, sockerr); + *curlcode = CURLE_RECV_ERROR; + return -1; + } +#endif } } return nread; 
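Review bot: In release builds the new SSL_ERROR_SYSCALL handling in ossl_recv still falls through to `return nread` when the error queue is empty and nread is 0, so a TCP close without a close_notify alert is reported to the caller as an ordinary clean EOF, and a higher layer that delimits a response by connection close cannot distinguish a complete body from one that an on-path party truncated; the hunk's own comment says this is kept for compatibility with older peers. Making it fatal only under DEBUGBUILD gives no signal at all in the builds people actually run, so I would at least log the condition in release builds so truncation is visible in verbose output, leaving the fatal debug branch as is. The two `int sockerr = SOCKERRNO;` declarations could also become one read at the top of the `default:` case. ossl_recv begins before this hunk.
```c
      /* … unchanged: the (nread < 0 || sslerror) failure branch … */
#ifdef DEBUGBUILD
      /* … unchanged: fatal SSL_ERROR_SYSCALL handling for debug builds … */
#else
      if(err == SSL_ERROR_SYSCALL)
        infof(conn->data, OSSL_PACKAGE " SSL_read: connection closed abruptly"
              " without close_notify, errno %d\n", SOCKERRNO);
#endif
```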
@@ -3922,13 +3981,35 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ static size_t Curl_ossl_version(char *buffer, size_t size) { -#ifdef OPENSSL_IS_BORINGSSL +#ifdef LIBRESSL_VERSION_NUMBER +#if LIBRESSL_VERSION_NUMBER < 0x2070100fL + return msnprintf(buffer, size, "%s/%lx.%lx.%lx", + OSSL_PACKAGE, + (LIBRESSL_VERSION_NUMBER>>28)&0xf, + (LIBRESSL_VERSION_NUMBER>>20)&0xff, + (LIBRESSL_VERSION_NUMBER>>12)&0xff); +#else /* OpenSSL_version() first appeared in LibreSSL 2.7.1 */ + char *p; + int count; + const char *ver = OpenSSL_version(OPENSSL_VERSION); + const char expected[] = OSSL_PACKAGE " "; /* ie "LibreSSL " */ + if(Curl_strncasecompare(ver, expected, sizeof(expected) - 1)) { + ver += sizeof(expected) - 1; + } + count = msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, ver); + for(p = buffer; *p; ++p) { + if(ISSPACE(*p)) + *p = '_'; + } + return count; +#endif +#elif defined(OPENSSL_IS_BORINGSSL) return msnprintf(buffer, size, OSSL_PACKAGE); #elif defined(HAVE_OPENSSL_VERSION) && defined(OPENSSL_VERSION_STRING) return msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING)); #else - /* not BoringSSL and not using OpenSSL_version */ + /* not LibreSSL, BoringSSL and not using OpenSSL_version */ char sub[3]; unsigned long ssleay_value; diff --git a/libs/libcurl/src/vtls/polarssl.h b/libs/libcurl/src/vtls/polarssl.h index 23c3636ee6..f36f24f8df 100644 --- a/libs/libcurl/src/vtls/polarssl.h +++ b/libs/libcurl/src/vtls/polarssl.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2012 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 2012 - 2019, Daniel Stenberg, , et al. * Copyright (C) 2010, Hoi-Ho Chan, * * This software is licensed as described in the file COPYING, which diff --git a/libs/libcurl/src/vtls/polarssl_threadlock.c b/libs/libcurl/src/vtls/polarssl_threadlock.c index 27c94b11e2..4e269c8e6a 100644 --- a/libs/libcurl/src/vtls/polarssl_threadlock.c 
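Review bot: The space-to-underscore loop in the new LibreSSL branch of Curl_ossl_version walks `buffer` until a NUL, but nothing guarantees one is present when `size` is 0 — msnprintf then writes nothing and the loop reads whatever the caller's buffer held — whereas every other branch just returns the msnprintf count without touching the buffer. Guarding the loop on the size, `for(p = buffer; size && *p; ++p) {`, keeps this branch safe for the same inputs the others accept. The function is complete in the hunk.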
+++ b/libs/libcurl/src/vtls/polarssl_threadlock.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2013-2017, Daniel Stenberg, , et al. + * Copyright (C) 2013 - 2019, Daniel Stenberg, , et al. * Copyright (C) 2010, 2011, Hoi-Ho Chan, * * This software is licensed as described in the file COPYING, which diff --git a/libs/libcurl/src/vtls/polarssl_threadlock.h b/libs/libcurl/src/vtls/polarssl_threadlock.h index 122647528d..c1900bfe81 100644 --- a/libs/libcurl/src/vtls/polarssl_threadlock.h +++ b/libs/libcurl/src/vtls/polarssl_threadlock.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2013-2015, Daniel Stenberg, , et al. + * Copyright (C) 2013 - 2019, Daniel Stenberg, , et al. * Copyright (C) 2010, Hoi-Ho Chan, * * This software is licensed as described in the file COPYING, which diff --git a/libs/libcurl/src/vtls/schannel.c b/libs/libcurl/src/vtls/schannel.c index bbd2fe921c..dc58ed0d3b 100644 --- a/libs/libcurl/src/vtls/schannel.c +++ b/libs/libcurl/src/vtls/schannel.c @@ -7,7 +7,7 @@ * * Copyright (C) 2012 - 2016, Marc Hoersken, * Copyright (C) 2012, Mark Salisbury, - * Copyright (C) 2012 - 2019, Daniel Stenberg, , et al. + * Copyright (C) 2012 - 2020, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -554,10 +554,6 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) switch(conn->ssl_config.version) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: - schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT | - SP_PROT_TLS1_1_CLIENT | - SP_PROT_TLS1_2_CLIENT; - break; case CURL_SSLVERSION_TLSv1_0: case CURL_SSLVERSION_TLSv1_1: case CURL_SSLVERSION_TLSv1_2: 
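Review bot: After the deletion in schannel_connect_step1, `CURL_SSLVERSION_DEFAULT` and `CURL_SSLVERSION_TLSv1` fall into the explicit-version cases with nothing marking the fallthrough as intended, and whatever protocol floor the shared branch (outside this hunk) derives is now also the default; the removed lines explicitly enabled TLS 1.0 through 1.2, so whether the default floor stayed at 1.0 or moved cannot be confirmed from here, and either answer deserves a line in the changelog. I would mark the intent inline: `/* FALLTHROUGH: DEFAULT and TLSv1 share the min/max protocol selection below */`. The switch continues outside the hunk.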
@@ -1859,7 +1855,9 @@ schannel_recv(struct connectdata *conn, int sockindex, goto cleanup; } else { +#ifndef CURL_DISABLE_VERBOSE_STRINGS char buffer[STRERROR_LEN]; +#endif *err = CURLE_RECV_ERROR; infof(data, "schannel: failed to read data from server: %s\n", Curl_sspi_strerror(sspi_status, buffer, sizeof(buffer))); diff --git a/libs/libcurl/src/vtls/schannel_verify.c b/libs/libcurl/src/vtls/schannel_verify.c index 1bdf50a55c..3a668adc76 100644 --- a/libs/libcurl/src/vtls/schannel_verify.c +++ b/libs/libcurl/src/vtls/schannel_verify.c @@ -99,7 +99,8 @@ static CURLcode add_certs_to_store(HCERTSTORE trust_store, char buffer[STRERROR_LEN]; failf(data, "schannel: invalid path name for CA file '%s': %s", - ca_file, Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + ca_file, + Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); result = CURLE_SSL_CACERT_BADFILE; goto cleanup; } @@ -120,7 +121,8 @@ static CURLcode add_certs_to_store(HCERTSTORE trust_store, char buffer[STRERROR_LEN]; failf(data, "schannel: failed to open CA file '%s': %s", - ca_file, Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + ca_file, + Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); result = CURLE_SSL_CACERT_BADFILE; goto cleanup; } @@ -129,7 +131,8 @@ static CURLcode add_certs_to_store(HCERTSTORE trust_store, char buffer[STRERROR_LEN]; failf(data, "schannel: failed to determine size of CA file '%s': %s", - ca_file, Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + ca_file, + Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); result = CURLE_SSL_CACERT_BADFILE; goto cleanup; } @@ -159,7 +162,8 @@ static CURLcode add_certs_to_store(HCERTSTORE trust_store, char buffer[STRERROR_LEN]; failf(data, "schannel: failed to read from CA file '%s': %s", - ca_file, Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + ca_file, + Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); result = CURLE_SSL_CACERT_BADFILE; goto cleanup; } 
@@ -223,7 +227,7 @@ static CURLcode add_certs_to_store(HCERTSTORE trust_store, "schannel: failed to extract certificate from CA file " "'%s': %s", ca_file, - Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); result = CURLE_SSL_CACERT_BADFILE; more_certs = 0; } @@ -252,7 +256,8 @@ static CURLcode add_certs_to_store(HCERTSTORE trust_store, "schannel: failed to add certificate from CA file '%s' " "to certificate store: %s", ca_file, - Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + Curl_winapi_strerror(GetLastError(), buffer, + sizeof(buffer))); result = CURLE_SSL_CACERT_BADFILE; more_certs = 0; } @@ -460,7 +465,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) if(!trust_store) { char buffer[STRERROR_LEN]; failf(data, "schannel: failed to create certificate store: %s", - Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); result = CURLE_SSL_CACERT_BADFILE; } else { @@ -489,7 +494,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) char buffer[STRERROR_LEN]; failf(data, "schannel: failed to create certificate chain engine: %s", - Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); result = CURLE_SSL_CACERT_BADFILE; } } @@ -512,7 +517,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) &pChainContext)) { char buffer[STRERROR_LEN]; failf(data, "schannel: CertGetCertificateChain failed: %s", - Curl_strerror(GetLastError(), buffer, sizeof(buffer))); + Curl_winapi_strerror(GetLastError(), buffer, sizeof(buffer))); pChainContext = NULL; result = CURLE_PEER_FAILED_VERIFICATION; } diff --git a/libs/libcurl/src/vtls/vtls.c b/libs/libcurl/src/vtls/vtls.c index e6d7562254..c493b15169 100644 --- a/libs/libcurl/src/vtls/vtls.c +++ b/libs/libcurl/src/vtls/vtls.c 
@@ -517,7 +517,7 @@ void Curl_ssl_close_all(struct Curl_easy *data) #if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \ defined(USE_SECTRANSP) || defined(USE_POLARSSL) || defined(USE_NSS) || \ - defined(USE_MBEDTLS) || defined(USE_WOLFSSL) + defined(USE_MBEDTLS) || defined(USE_WOLFSSL) || defined(USE_BEARSSL) int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks) { struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET]; @@ -1189,6 +1189,8 @@ const struct Curl_ssl *Curl_ssl = &Curl_ssl_schannel; #elif defined(USE_MESALINK) &Curl_ssl_mesalink; +#elif defined(USE_BEARSSL) + &Curl_ssl_bearssl; #else #error "Missing struct Curl_ssl for selected SSL backend" #endif @@ -1223,6 +1225,9 @@ static const struct Curl_ssl *available_backends[] = { #endif #if defined(USE_MESALINK) &Curl_ssl_mesalink, +#endif +#if defined(USE_BEARSSL) + &Curl_ssl_bearssl, #endif NULL }; diff --git a/libs/libcurl/src/vtls/vtls.h b/libs/libcurl/src/vtls/vtls.h index 61d8416c29..976cc43601 100644 --- a/libs/libcurl/src/vtls/vtls.h +++ b/libs/libcurl/src/vtls/vtls.h @@ -108,6 +108,7 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen, #include "sectransp.h" /* SecureTransport (Darwin) version */ #include "mbedtls.h" /* mbedTLS versions */ #include "mesalink.h" /* MesaLink versions */ +#include "bearssl.h" /* BearSSL versions */ #ifndef MAX_PINNED_PUBKEY_SIZE #define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */ -- cgit v1.2.3