- When done, if an error has already occurred then don't check the
sequence numbers for mismatch.
A sequence number may not have been received if an error occurred.
Prior to this change a sequence mismatch error would override earlier
errors. For example, a server that returns nothing would cause error
CURLE_GOT_NOTHING in Curl_http_done which was then overridden by
CURLE_RTSP_CSEQ_ERROR in rtsp_done.
Closes https://github.com/curl/curl/pull/8525
.. and bump version to 1.29.
This change makes the script properly ignore unknown blocks and
otherwise fail when Mozilla changes the certdata format in ways we
don't expect. Though this is less flexible behavior it makes it far less
likely that an invalid certificate can slip through.
Prior to this change the state machine did not always properly reset,
and it was possible that a certificate marked as invalid could then
later be marked as valid when there was conflicting trust info or
an unknown block was erroneously processed as part of the certificate.
Ref: https://github.com/curl/curl/pull/7801#pullrequestreview-768384569
Closes https://github.com/curl/curl/pull/8411
They are not allowed by the protocol and allowing them risk that curl
misbehaves somewhere where C functions are used but won't work on the
full contents. Further, they are not supported by hyper and they cause
problems for the new coming headers API work.
Updated test 262 to verify and enabled it for hyper as well
Closes#8601
- If building libcurl against an old libssh version missing SSH_S_IFMT
and SSH_S_IFLNK then use the values from a supported version.
Prior to this change if libssh did not define SSH_S_IFMT and SSH_S_IFLNK
then S_IFMT and S_IFLNK, respectively, were used instead. The problem
with that is the user's S_ stat macros don't have the same values across
platforms. For example Windows has values different from Linux.
Follow-up to 7b0fd39.
Ref: https://github.com/curl/curl/pull/8511#discussion_r815292391
Ref: https://github.com/curl/curl/pull/8574
Closes https://github.com/curl/curl/pull/8588
mk-ca-bundle.vbs is a Windows-specific script for Mozilla certificate
extraction, similar to mk-ca-bundle.pl which runs on any platform. The
vbs version has not been maintained while the perl version has been
maintained with improvements and security fixes. I don't think it's
worth the work to maintain both versions. Windows users should be able
to use mk-ca-bundle.pl without any problems, as long as they have perl.
Closes#8412
The implementation using setsockopt was removed when BeOS support was
purged. However this functionality wasn't BeOS specific, it is still
used by for example Orbis OS (Playstation 4/5 OS).
Closes#8562
The CURLOPT_SSL_EC_CURVES option (used by the '--curves' flag) in
libcurl was ignored when compiling with BoringSSL because
HAVE_SSL_CTX_SET_EC_CURVES was explicitly disabled if BoringSSL was
detected. However, this feature is supported in BoringSSL since
5fd1807d. This commit enables it, and also reduces the required minimal
OpenSSL version to 1.0.2 as per OpenSSL's official documentation.
Fixes#8553Closes#8556
When built without DNS-over-HTTP and without asynchronous resolvers,
neither the dns nor the data parameters are used.
That is Curl_resolv_check appears to call
Curl_resolver_is_resolved(data, dns). But,
with CURL_DISABLE_DOH without CURLRES_ASYNCH, the call is actually
elided via a macro definition.
This fix resolves the resultant: "unused parameter 'data'" error.
Closes#8505
Ideally, Curl_ssl_getsessionid should not be called unless sessionid
caching is enabled. There is a debug assertion in the function to help
ensure that. Therefore, the pattern in all vtls is basically:
if(primary.sessionid) {lock(); Curl_ssl_getsessionid(...); unlock();}
There was one instance in openssl.c where sessionid was not checked
beforehand and this change fixes that.
Prior to this change an assertion would occur in openssl debug builds
during connection stage if session caching was disabled.
Reported-by: Jim Beveridge
Fixes https://github.com/curl/curl/issues/8472
Closes https://github.com/curl/curl/pull/8484
Several years ago a change was made to block user callbacks from calling
back into the API when not supported (recursive calls). One of the calls
blocked was curl_multi_assign. Recently the blocking was extended to the
multi interface API, however curl_multi_assign may need to be called
from within those user callbacks (eg CURLMOPT_SOCKETFUNCTION).
I can't think of any callback where it would be unsafe to call
curl_multi_assign so I removed the restriction entirely.
Reported-by: Michael Wallner
Ref: https://github.com/curl/curl/commit/b46cfbc
Ref: https://github.com/curl/curl/commit/340bb19
Fixes https://github.com/curl/curl/issues/8480
Closes https://github.com/curl/curl/pull/8483
- Change TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA strength to weak.
All other 3DES ciphers are already marked as weak.
Closes https://github.com/curl/curl/pull/8479
- Do not create trust anchor object for a CA certificate until after it
is processed.
Prior to this change the object was created at state BR_PEM_BEGIN_OBJ
(certificate processing begin state). An incomplete certificate (for
example missing a newline at the end) never reaches BR_PEM_END_OBJ
(certificate processing end state) and therefore the trust anchor data
was not set in those objects, which caused EXC_BAD_ACCESS.
Ref: https://github.com/curl/curl/pull/8106
Closes https://github.com/curl/curl/pull/8476
- When peer verification is disabled use the x509_decode engine instead
of the x509_minimal engine to parse and extract the public key from
the first cert of the chain.
Prior to this change in such a case no key was extracted and that caused
CURLE_SSL_CONNECT_ERROR. The x509_minimal engine will stop parsing if
any validity check fails but the x509_decode won't.
Ref: https://github.com/curl/curl/pull/8106
Closes https://github.com/curl/curl/pull/8475
This array is only used by the SCHANNEL_CRED struct in the
schannel_acquire_credential_handle function. It can therefore be kept as
a local variable. This is a minor update to
bbb71507b7.
This change also updates the NUM_CIPHERS value to accurately count the
number of ciphers options listed in schannel.c, which is 47 instead of
45. It is unlikely that anyone tries to set all 47 values, but if they
had tried, the last two would not have been set.
Closes#8469
When `USE_OPENSSL` was defined but OpenSSL had no DES support and a
different crypto library was used for that, `Curl_des_set_odd_parity`
was called but not defined. This could for example happen on Windows
and macOS when using OpenSSL v3 with deprecated features disabled.
Use the same condition for the function definition as used at the
caller side, but leaving out the OpenSSL part to avoid including
OpenSSL headers.
Closes https://github.com/curl/curl/pull/8459
- Change the minimum OpenSSL version for using their SHA256
implementation from 0.9.7 to 0.9.8.
EVP_sha256() does not appear in the OpenSSL source before 0.9.7h, and
does not get built by default until 0.9.8, so trying to use it for all
0.9.7 is wrong, and before 0.9.8 is unreliable.
Closes https://github.com/curl/curl/pull/8464
As mentioned in 32766cb, gskit was the last user of Curl_select which is
now gone. Convert to using Curl_poll to allow build to work on IBM i.
Closes#8454
In c30bf22, Curl_ssl_getsock was factored out in to a member of
struct Curl_ssl but the gskit initialization was not updated to reflect
this new member.
Closes#8454
2f0bb864c1 replaced sterror with Curl_strerror, but the strerror buffer
shadows the set_buffer "buffer" parameter. To keep consistency with the
other functions that use Curl_strerror, rename the parameter.
In addition, strerror.h is needed for the definition of STRERROR_LEN.
Closes#8454
