diff options
| author | robot-contrib <robot-contrib@yandex-team.ru> | 2022-05-15 13:30:59 +0300 |
|---|---|---|
| committer | robot-contrib <robot-contrib@yandex-team.ru> | 2022-05-15 13:30:59 +0300 |
| commit | 00e5165677c67bdda88ef5b51216688eac357a3a (patch) | |
| tree | 230fc76cb76d47655f8481f9ae231c3590f55bfa | |
| parent | 7a146619b8d5b192fddae23c34605f0494256956 (diff) | |
| download | ydb-00e5165677c67bdda88ef5b51216688eac357a3a.tar.gz | |
Update contrib/libs/curl to 7.83.1
ref:e0fbfbe6faf65e15f45ef0f846e92356916e91cf
28 files changed, 382 insertions, 435 deletions
diff --git a/contrib/libs/curl/.yandex_meta/devtools.copyrights.report b/contrib/libs/curl/.yandex_meta/devtools.copyrights.report index daec7ba599..fad315d562 100644 --- a/contrib/libs/curl/.yandex_meta/devtools.copyrights.report +++ b/contrib/libs/curl/.yandex_meta/devtools.copyrights.report @@ -186,7 +186,6 @@ BELONGS ya.make lib/md4.c [8:8] lib/memdebug.c [8:8] lib/multihandle.h [10:10] - lib/multiif.h [10:10] lib/netrc.c [8:8] lib/pingpong.h [10:10] lib/progress.c [8:8] @@ -204,7 +203,6 @@ BELONGS ya.make lib/vauth/cram.c [8:8] lib/vauth/ntlm_sspi.c [8:8] lib/vauth/oauth2.c [8:8] - lib/vssh/ssh.h [10:10] lib/vtls/gtls.h [10:10] KEEP COPYRIGHT_SERVICE_LABEL 1b9e8d9d7c9588e9a9cbcbd17572b2e4 @@ -503,6 +501,7 @@ BELONGS ya.make lib/mime.c [8:8] lib/mime.h [10:10] lib/multi.c [8:8] + lib/multiif.h [10:10] lib/nonblock.c [8:8] lib/pingpong.c [8:8] lib/pop3.c [8:8] @@ -540,6 +539,7 @@ BELONGS ya.make lib/vquic/quiche.c [8:8] lib/vquic/vquic.c [8:8] lib/vssh/libssh2.c [8:8] + lib/vssh/ssh.h [10:10] lib/vtls/gskit.c [8:8] lib/vtls/gtls.c [8:8] lib/vtls/hostcheck.c [8:8] diff --git a/contrib/libs/curl/RELEASE-NOTES b/contrib/libs/curl/RELEASE-NOTES index 2a42846769..53514245b6 100644 --- a/contrib/libs/curl/RELEASE-NOTES +++ b/contrib/libs/curl/RELEASE-NOTES @@ -1,147 +1,54 @@ -curl and libcurl 7.83.0 +curl and libcurl 7.83.1 - Public curl releases: 207 + Public curl releases: 208 Command line options: 247 curl_easy_setopt() options: 295 Public functions in libcurl: 88 - Contributors: 2625 - -This release includes the following changes: - - o curl: add %header{name} experimental support in -w handling - o curl: add %{header_json} experimental support in -w handling - o curl: add --no-clobber [28] - o curl: add --remove-on-error [11] - o header api: add curl_easy_header and curl_easy_nextheader [56] - o msh3: add support for QUIC and HTTP/3 using msh3 [84] + Contributors: 2632 This release includes the following bugfixes: - o appveyor: add Cygwin build [77] - o appveyor: only add MSYS2 to PATH where required [78] - o BearSSL: add CURLOPT_SSL_CIPHER_LIST support [27] - o BearSSL: add CURLOPT_SSL_CTX_FUNCTION support [26] - o BINDINGS.md: add Hollywood binding [34] - o CI: Do not use buildconf. Instead, just use: autoreconf -fi [42] - o CI: install Python package impacket to run SMB test 1451 [5] - o configure.ac: move -pthread CFLAGS setting back where it used to be [14] - o configure: bump the copyright year range int the generated output - o conncache: include the zone id in the "bundle" hashkey [112] - o connecache: remove duplicate connc->closure_handle check [90] - o connect: make Curl_getconnectinfo work with conn cache from share handle [22] - o connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined [6] - o cookie.d: clarify when cookies are sent - o cookies: improve errorhandling for reading cookiefile [123] - o curl/system.h: update ifdef condition for MCST-LCC compiler [4] - o curl: error out if -T and -d are used for the same URL [99] - o curl: error out when options need features not present in libcurl [18] - o curl: escape '?' in generated --libcurl code [117] - o curl: fix segmentation fault for empty output file names. [60] - o curl_easy_header: fix typos in documentation [74] - o CURLINFO_PRIMARY_PORT.3: clarify which port this is [126] - o CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS [105] - o CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL - o CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs [79] - o CURLOPT_PROGRESSFUNCTION.3: fix typo in example [63] - o CURLOPT_UNRESTRICTED_AUTH.3: extended explanation [127] - o CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype [9] - o docs/HYPER.md: updated to reflect current hyper build needs - o docs/opts: Mention Schannel client cert type is P12 [50] - o docs: Fix missing semicolon in example code [102] - o docs: lots of minor language polish [51] - o English: use American spelling consistently [95] - o fail.d: tweak the description [101] - o firefox-db2pem.sh: make the shell script safer [47] - o ftp: fix error message for partial file upload [61] - o gen.pl: change wording for mutexed options [98] - o GHA: add openssl3 jobs moved over from zuul [88] - o GHA: build hyper with nightly rustc [7] - o GHA: move bearssl jobs over from zuul [85] - o gha: move the event-based test over from Zuul [59] - o gtls: fix build for disabled TLS-SRP [48] - o http2: handle DONE called for the paused stream [69] - o http2: RST the stream if we stop it on our own will [67] - o http: avoid auth/cookie on redirects same host diff port [110] - o http: close the stream (not connection) on time condition abort [68] - o http: reject header contents with nul bytes [41] - o http: return error on colon-less HTTP headers [31] - o http: streamclose "already downloaded" [57] - o hyper: fix status_line() return code [13] - o hyper: fix tests 580 and 581 for hyper [107] - o hyper: no h2c support [33] - o infof: consistent capitalization of warning messages [103] - o ipv4/6.d: clarify that they are about using IP addresses [3] - o json.d: fix typo (overriden -> overridden) [24] - o keepalive-time.d: It takes many probes to detect brokenness [29] - o lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 [45] - o lib670: avoid double check result [71] - o lib: #ifdef on USE_HTTP2 better [65] - o lib: fix some misuse of curlx_convert_wchar_to_UTF8 [38] - o lib: remove exclamation marks [100] - o libssh2: compare sha256 strings case sensitively [114] - o libssh2: make the md5 comparison fail if wrong length [111] - o libssh: fix build with old libssh versions [12] - o libssh: fix double close [124] - o libssh: Improve fix for missing SSH_S_ stat macros [10] - o libssh: unstick SFTP transfers when done event-based [58] - o macos: set .plist version in autoconf [122] - o mbedtls: remove 'protocols' array from backend when ALPN is not used [66] - o mbedtls: remove server_fd from backend [91] - o mk-ca-bundle.pl: Use stricter logic to process the certificates [39] - o mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl [8] - o mlc_config.json: add file to ignore known troublesome URLs [35] - o mqtt: better handling of TCP disconnect mid-message [55] - o ngtcp2: add client certificate authentication for OpenSSL [15] - o ngtcp2: avoid busy loop in low CWND situation [119] - o ngtcp2: deal with sub-millisecond timeout [116] - o ngtcp2: disconnect the QUIC connection proper [19] - o ngtcp2: enlarge H3_SEND_SIZE [82] - o ngtcp2: fix HTTP/3 upload stall and avoid busy loop [83] - o ngtcp2: fix memory leak [80] - o ngtcp2: fix QUIC_IDLE_TIMEOUT [94] - o ngtcp2: make curl 1ms faster [93] - o ngtcp2: remove remote_addr which is not used in a meaningful way [81] - o ngtcp2: update to work after recent ngtcp2 updates [62] - o ngtcp2: use token when detecting :status header field [92] - o nonblock: restore setsockopt method to curlx_nonblock [20] - o openssl: check SSL_get_peer_cert_chain return value [1] - o openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL [23] - o openssl: fix CN check error code [21] - o options: remove mistaken space before paren in prototype - o perl: removed a double semicolon at end of line [64] - o pop3/smtp: return *WEIRD_SERVER_REPLY when not understood [43] - o projects/README: converted to markdown [76] - o projects: Update VC version names for VS2017, VS2022 [52] - o rtsp: don't let CSeq error override earlier errors [37] - o runtests: add 'bearssl' as testable feature [87] - o runtests: make 'oldlibssh' be before 0.9.4 [2] - o schannel: remove dead code that will never run [89] - o scripts/copyright.pl: ignore the new mlc_config.json file - o scripts: move three scripts from lib/ to scripts/ [44] - o test1135: sync with recent API updates [54] - o test1459: disable for oldlibssh [53] - o test375: fix line endings on Windows [40] - o test386: Fix an incorrect test markup tag - o test718: edited slightly to return better HTTP [32] - o tests/server/util.h: align WIN32 condition with util.c [46] - o tests: refactor server/socksd.c to support --unix-socket [96] - o timediff.[ch]: add curlx helper functions for timeval conversions [86] - o tls: make mbedtls and NSS check for h2, not nghttp2 [70] - o tool and tests: force flush of all buffers at end of program [17] - o tool_cb_hdr: Turn the Location: into a terminal hyperlink [30] - o tool_getparam: error out on missing -K file [115] - o tool_listhelp.c: uppercase URL - o tool_operate: fix a scan-build warning [16] - o tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) [97] - o transfer: redirects to other protocols or ports clear auth [109] - o unit1620: call global_init before calling Curl_open [125] - o url: check sasl additional parameters for connection reuse. [113] - o vtls: provide a unified APLN-disagree string for all backends [75] - o vtls: use a backend standard message for "ALPN: offers %s" [73] - o vtls: use a generic "ALPN, server accepted" message [72] - o winbuild/README.md: fixup dead link [36] - o winbuild: Add a Visual Studio example to the README [49] - o wolfssl: fix compiler error without IPv6 [25] + o altsvc: fix host name matching for trailing dots [31] + o cirrus: Update to FreeBSD 12.3 [24] + o cirrus: Use pip for Python packages on FreeBSD [23] + o conn: fix typo 'connnection' -> 'connection' in two function names [1] + o cookies: make bad_domain() not consider a trailing dot fine [26] + o curl: free resource in error path [3] + o curl: guard against size_t wraparound in no-clobber code [4] + o CURLOPT_DOH_URL.3: mention the known bug [19] + o CURLOPT_HSTS*FUNCTION.3: document the involved structs as well [20] + o CURLOPT_SSH_AUTH_TYPES.3: fix the default [18] + o data/test376: set a proper name + o GHA/mbedtls: enabled nghttp2 in the build [11] + o gha: build msh3 [5] + o gskit: fixed bogus setsockopt calls [17] + o gskit: remove unused function set_callback [2] + o hsts: ignore trailing dots when comparing hosts names [28] + o HTTP-COOKIES: add missing CURLOPT_COOKIESESSION [40] + o http: move Curl_allow_auth_to_host() [9] + o http_proxy/hyper: handle closed connections [34] + o hyper: fix test 357 [32] + o Makefile: fix "make ca-firefox" [37] + o mbedtls: bail out if rng init fails [14] + o mbedtls: fix compile when h2-enabled [12] + o mbedtls: fix some error messages + o misc: use "autoreconf -fi" instead buildconf [22] + o msh3: get msh3 version from MsH3Version [6] + o msh3: print boolean value as text representation [10] + o msh3: psss remote_port to MsH3ConnectionOpen [7] + o ngtcp2: add ca-fallback support for OpenSSL backend [35] + o nss: return error if seemingly stuck in a cert loop [30] + o openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl [8] + o post_per_transfer: remove the updated file name [27] + o sectransp: bail out if SSLSetPeerDomainName fails [33] + o tests/server: declare variable 'reqlogfile' static [39] + o tests: fix markdown formatting in README [38] + o test{898,974,976}: add 'HTTP proxy' keywords [16] + o tls: check more TLS details for connection reuse [25] + o url: check SSH config match on connection reuse [21] + o urlapi: address (harmless) UndefinedBehavior sanitizer warning [15] + o urlapi: reject percent-decoding host name into separator bytes [29] + o x509asn1: make do_pubkey handle EC public keys [13] This release includes the following known bugs: @@ -150,143 +57,51 @@ This release includes the following known bugs: This release would not have looked like this without help, code, reports and advice from friends like these: - Alejandro R. Sedeño, Andreas Falkenhahn, Andrey Alifanov, - anon00000000 on github, Balakrishnan Balasubramanian, Boris Verkhovskiy, - Brad Spencer, Christian Schmitz, Christopher Degawa, Colin Leroy, - Dan Fandrich, Daniel Gustafsson, Daniel Stenberg, Daniel Valenzuela, - Don J Olmstead, Emanuele Torre, Evangelos Foutras, Francisco Olarte, - Frank Meier, Gisle Vanem, Harry Sintonen, Ian Blanes, Jan Venekamp, - Jay Dommaschk, Jean-Philippe Menil, Jenny Heino, Joseph Chen, - jurisuk on github, Kristoffer Gleditsch, Kushal Das, Leandro Coutinho, - Liam Warfield, Marcel Raad, Marc Hörsken, Matteo Baccan, - Median Median Stride, mehatzri on github, Michael Kaufmann, Michał Antoniak, - Nick Banks, Nick Coghlan, Nick Zitzmann, Patrick Monnerat, Paul Howarth, - Paweł Kowalski, Peter Korsgaard, pheiduck on github, r-a-sattarov on github, - Ray Satiro, Rianov Viacheslav, Robert Brose, Robert Charles Muir, - Robin A. Meade, Samuel Henrique, Sascha Zengler, Taras Kushnir, - Tatsuhiro Tsujikawa, Timothe Litt, Viktor Szakats, HexTheDragon - (60 contributors) + Adam Rosenfield, Axel Chong, Christian Weisgerber, Daniel Gustafsson, + Daniel Stenberg, Fabian Keil, Florian Kohnhäuser, Garrett Squire, + Harry Sintonen, LigH-de on github, Michael Olbrich, Nick Banks, + Patrick Monnerat, Philip H, Prithvi MK, Ray Satiro, Ryan Schmidt, + Sergey Markelov, Tatsuhiro Tsujikawa, Yusuke Nakamura + (20 contributors) References to bug reports and discussions on issues: - [1] = https://curl.se/bug/?i=8579 - [2] = https://curl.se/bug/?i=8548 - [3] = https://curl.se/bug/?i=8543 - [4] = https://curl.se/bug/?i=8546 - [5] = https://curl.se/bug/?i=8544 - [6] = https://curl.se/bug/?i=8539 - [7] = https://curl.se/bug/?i=8545 - [8] = https://curl.se/bug/?i=8412 - [9] = https://curl.se/bug/?i=8573 - [10] = https://curl.se/bug/?i=8588 - [11] = https://curl.se/bug/?i=8503 - [12] = https://curl.se/bug/?i=8574 - [13] = https://curl.se/bug/?i=8572 - [14] = https://curl.se/bug/?i=8541 - [15] = https://curl.se/bug/?i=8522 - [16] = https://curl.se/bug/?i=8565 - [17] = https://curl.se/bug/?i=8516 - [18] = https://curl.se/bug/?i=8565 - [19] = https://curl.se/bug/?i=8534 - [20] = https://curl.se/bug/?i=8562 - [21] = https://curl.se/bug/?i=8559 - [22] = https://curl.se/bug/?i=8524 - [23] = https://curl.se/bug/?i=8553 - [24] = https://curl.se/bug/?i=8557 - [25] = https://curl.se/bug/?i=8550 - [26] = https://curl.se/bug/?i=8478 - [27] = https://curl.se/bug/?i=8477 - [28] = https://curl.se/bug/?i=7708 - [29] = https://curl.se/bug/?i=8570 - [30] = https://curl.se/bug/?i=7963 - [31] = https://curl.se/bug/?i=8610 - [32] = https://github.com/hyperium/hyper/issues/2783 - [33] = https://curl.se/bug/?i=8605 - [34] = https://curl.se/bug/?i=8609 - [35] = https://curl.se/bug/?i=8597 - [36] = https://curl.se/bug/?i=8597 - [37] = https://curl.se/bug/?i=8525 - [38] = https://curl.se/bug/?i=8521 - [39] = https://curl.se/bug/?i=8411 - [40] = https://curl.se/bug/?i=8599 - [41] = https://curl.se/bug/?i=8601 - [42] = https://curl.se/bug/?i=8596 - [43] = https://curl.se/bug/?i=8506 - [44] = https://curl.se/bug/?i=8625 - [45] = https://curl.se/bug/?i=8594 - [46] = https://curl.se/bug/?i=8594 - [47] = https://curl.se/bug/?i=8616 - [48] = https://curl.se/mail/lib-2022-03/0046.html - [49] = https://curl.se/bug/?i=8592 - [50] = https://curl.se/bug/?i=8587 - [51] = https://curl.se/bug/?i=8646 - [52] = https://curl.se/bug/?i=8447 - [53] = https://curl.se/bug/?i=8622 - [54] = https://curl.se/bug/?i=8620 - [55] = https://hackerone.com/reports/1521610 - [56] = https://curl.se/bug/?i=8593 - [57] = https://curl.se/bug/?i=8665 - [58] = https://curl.se/bug/?i=8490 - [59] = https://curl.se/bug/?i=8490 - [60] = https://curl.se/bug/?i=8606 - [61] = https://curl.se/bug/?i=8637 - [62] = https://curl.se/bug/?i=8638 - [63] = https://curl.se/bug/?i=8636 - [64] = https://curl.se/bug/?i=8709 - [65] = https://curl.se/bug/?i=8661 - [66] = https://curl.se/bug/?i=8663 - [67] = https://curl.se/bug/?i=8664 - [68] = https://curl.se/bug/?i=8664 - [69] = https://curl.se/bug/?i=8626 - [70] = https://curl.se/bug/?i=8656 - [71] = https://curl.se/bug/?i=8660 - [72] = https://curl.se/bug/?i=8657 - [73] = https://curl.se/bug/?i=8657 - [74] = https://curl.se/bug/?i=8694 - [75] = https://curl.se/bug/?i=8643 - [76] = https://curl.se/bug/?i=8652 - [77] = https://curl.se/bug/?i=8693 - [78] = https://curl.se/bug/?i=8693 - [79] = https://curl.se/bug/?i=8602 - [80] = https://curl.se/bug/?i=8691 - [81] = https://curl.se/bug/?i=8689 - [82] = https://curl.se/bug/?i=8690 - [83] = https://curl.se/bug/?i=8688 - [84] = https://curl.se/bug/?i=8517 - [85] = https://curl.se/bug/?i=8684 - [86] = https://curl.se/bug/?i=8595 - [87] = https://curl.se/bug/?i=8684 - [88] = https://curl.se/bug/?i=8683 - [89] = https://curl.se/bug/?i=8677 - [90] = https://curl.se/bug/?i=8676 - [91] = https://curl.se/bug/?i=8682 - [92] = https://curl.se/bug/?i=8679 - [93] = https://curl.se/bug/?i=8678 - [94] = https://curl.se/bug/?i=8678 - [95] = https://curl.se/bug/?i=8673 - [96] = https://curl.se/bug/?i=8687 - [97] = https://curl.se/bug/?i=8701 - [98] = https://curl.se/bug/?i=8716 - [99] = https://curl.se/bug/?i=8704 - [100] = https://curl.se/bug/?i=8713 - [101] = https://curl.se/bug/?i=8714 - [102] = https://curl.se/bug/?i=8697 - [103] = https://curl.se/bug/?i=8711 - [105] = https://curl.se/bug/?i=8753 - [107] = https://curl.se/bug/?i=8707 - [109] = https://curl.se/docs/CVE-2022-27774.html - [110] = https://curl.se/docs/CVE-2022-27776.html - [111] = https://hackerone.com/reports/1549461 - [112] = https://curl.se/docs/CVE-2022-27775.html - [113] = https://curl.se/docs/CVE-2022-22576.html - [114] = https://hackerone.com/reports/1549435 - [115] = https://hackerone.com/reports/1542881 - [116] = https://curl.se/bug/?i=8738 - [117] = https://hackerone.com/reports/1548535 - [119] = https://curl.se/bug/?i=8739 - [122] = https://curl.se/bug/?i=8692 - [123] = https://curl.se/bug/?i=8699 - [124] = https://curl.se/bug/?i=8708 - [125] = https://curl.se/bug/?i=8719 - [126] = https://curl.se/bug/?i=8725 - [127] = https://curl.se/bug/?i=8724 + [1] = https://curl.se/bug/?i=8759 + [2] = https://curl.se/bug/?i=8782 + [3] = https://curl.se/bug/?i=8770 + [4] = https://curl.se/bug/?i=8771 + [5] = https://curl.se/bug/?i=8779 + [6] = https://curl.se/bug/?i=8762 + [7] = https://curl.se/bug/?i=8762 + [8] = https://curl.se/mail/lib-2022-04/0059.html + [9] = https://curl.se/bug/?i=8772 + [10] = https://curl.se/bug/?i=8763 + [11] = https://curl.se/bug/?i=8767 + [12] = https://curl.se/bug/?i=8766 + [13] = https://curl.se/bug/?i=8757 + [14] = https://curl.se/bug/?i=8796 + [15] = https://curl.se/bug/?i=8797 + [16] = https://curl.se/bug/?i=8791 + [17] = https://curl.se/bug/?i=8793 + [18] = https://curl.se/bug/?i=8792 + [19] = https://curl.se/bug/?i=8790 + [20] = https://curl.se/bug/?i=8788 + [21] = https://curl.se/docs/CVE-2022-27782.html + [22] = https://curl.se/bug/?i=8777 + [23] = https://curl.se/bug/?i=8783 + [24] = https://curl.se/bug/?i=8783 + [25] = https://curl.se/docs/CVE-2022-27782.html + [26] = https://curl.se/docs/CVE-2022-27779.html + [27] = https://curl.se/docs/CVE-2022-27778.html + [28] = https://curl.se/docs/CVE-2022-30115.html + [29] = https://curl.se/docs/CVE-2022-27780.html + [30] = https://curl.se/docs/CVE-2022-27781.html + [31] = https://curl.se/bug/?i=8819 + [32] = https://curl.se/bug/?i=8811 + [33] = https://curl.se/bug/?i=8798 + [34] = https://curl.se/bug/?i=8700 + [35] = https://curl.se/bug/?i=8828 + [37] = https://curl.se/bug/?i=8804 + [38] = https://curl.se/bug/?i=8802 + [39] = https://curl.se/bug/?i=8799 + [40] = https://curl.se/bug/?i=8795 diff --git a/contrib/libs/curl/include/curl/curlver.h b/contrib/libs/curl/include/curl/curlver.h index cb1745110f..fdd8e3f8f3 100644 --- a/contrib/libs/curl/include/curl/curlver.h +++ b/contrib/libs/curl/include/curl/curlver.h @@ -30,13 +30,13 @@ /* This is the version number of the libcurl package from which this header file origins: */ -#define LIBCURL_VERSION "7.83.0" +#define LIBCURL_VERSION "7.83.1" /* The numeric version number is also available "in parts" by using these defines: */ #define LIBCURL_VERSION_MAJOR 7 #define LIBCURL_VERSION_MINOR 83 -#define LIBCURL_VERSION_PATCH 0 +#define LIBCURL_VERSION_PATCH 1 /* This is the numeric version of the libcurl version number, meant for easier parsing and comparisons by programs. The LIBCURL_VERSION_NUM define will @@ -57,7 +57,7 @@ CURL_VERSION_BITS() macro since curl's own configure script greps for it and needs it to contain the full number. */ -#define LIBCURL_VERSION_NUM 0x075300 +#define LIBCURL_VERSION_NUM 0x075301 /* * This is the date and time when the full source package was created. The @@ -68,7 +68,7 @@ * * "2007-11-23" */ -#define LIBCURL_TIMESTAMP "2022-04-27" +#define LIBCURL_TIMESTAMP "2022-05-11" #define CURL_VERSION_BITS(x,y,z) ((x)<<16|(y)<<8|(z)) #define CURL_AT_LEAST_VERSION(x,y,z) \ diff --git a/contrib/libs/curl/lib/altsvc.c b/contrib/libs/curl/lib/altsvc.c index 45929a5df7..dd2d0ebed6 100644 --- a/contrib/libs/curl/lib/altsvc.c +++ b/contrib/libs/curl/lib/altsvc.c @@ -102,12 +102,17 @@ static struct altsvc *altsvc_createid(const char *srchost, unsigned int dstport) { struct altsvc *as = calloc(sizeof(struct altsvc), 1); + size_t hlen; if(!as) return NULL; - + hlen = strlen(srchost); + DEBUGASSERT(hlen); as->src.host = strdup(srchost); if(!as->src.host) goto error; + if(hlen && (srchost[hlen - 1] == '.')) + /* strip off trailing any dot */ + as->src.host[--hlen] = 0; as->dst.host = strdup(dsthost); if(!as->dst.host) goto error; @@ -398,6 +403,22 @@ static CURLcode getalnum(const char **ptr, char *alpnbuf, size_t buflen) return CURLE_OK; } +/* hostcompare() returns true if 'host' matches 'check'. The first host + * argument may have a trailing dot present that will be ignored. + */ +static bool hostcompare(const char *host, const char *check) +{ + size_t hlen = strlen(host); + size_t clen = strlen(check); + + if(hlen && (host[hlen - 1] == '.')) + hlen--; + if(hlen != clen) + /* they can't match if they have different lengths */ + return FALSE; + return strncasecompare(host, check, hlen); +} + /* altsvc_flush() removes all alternatives for this source origin from the list */ static void altsvc_flush(struct altsvcinfo *asi, enum alpnid srcalpnid, @@ -410,7 +431,7 @@ static void altsvc_flush(struct altsvcinfo *asi, enum alpnid srcalpnid, n = e->next; if((srcalpnid == as->src.alpnid) && (srcport == as->src.port) && - strcasecompare(srchost, as->src.host)) { + hostcompare(srchost, as->src.host)) { Curl_llist_remove(&asi->list, e, NULL); altsvc_free(as); } @@ -635,7 +656,7 @@ bool Curl_altsvc_lookup(struct altsvcinfo *asi, continue; } if((as->src.alpnid == srcalpnid) && - strcasecompare(as->src.host, srchost) && + hostcompare(srchost, as->src.host) && (as->src.port == srcport) && (versions & as->dst.alpnid)) { /* match */ diff --git a/contrib/libs/curl/lib/c-hyper.c b/contrib/libs/curl/lib/c-hyper.c index 08722ff65d..15e7ec0bb9 100644 --- a/contrib/libs/curl/lib/c-hyper.c +++ b/contrib/libs/curl/lib/c-hyper.c @@ -439,6 +439,13 @@ CURLcode Curl_hyper_stream(struct Curl_easy *data, reasonp = hyper_response_reason_phrase(resp); reason_len = hyper_response_reason_phrase_len(resp); + if(http_status == 417 && data->state.expect100header) { + infof(data, "Got 417 while waiting for a 100"); + data->state.disableexpect = TRUE; + data->req.newurl = strdup(data->state.url); + Curl_done_sending(data, k); + } + result = status_line(data, conn, http_status, http_version, reasonp, reason_len); if(result) @@ -951,6 +958,11 @@ CURLcode Curl_http(struct Curl_easy *data, bool *done) goto error; } } + else { + if(!h2 && !data->state.disableexpect) { + data->state.expect100header = TRUE; + } + } if(hyper_request_set_method(req, (uint8_t *)method, strlen(method))) { failf(data, "error setting method"); diff --git a/contrib/libs/curl/lib/cookie.c b/contrib/libs/curl/lib/cookie.c index 451881f578..0c2d49b478 100644 --- a/contrib/libs/curl/lib/cookie.c +++ b/contrib/libs/curl/lib/cookie.c @@ -427,7 +427,15 @@ static void remove_expired(struct CookieInfo *cookies) /* Make sure domain contains a dot or is localhost. */ static bool bad_domain(const char *domain) { - return !strchr(domain, '.') && !strcasecompare(domain, "localhost"); + if(strcasecompare(domain, "localhost")) + return FALSE; + else { + /* there must be a dot present, but that dot must not be a trailing dot */ + char *dot = strchr(domain, '.'); + if(dot) + return dot[1] ? FALSE : TRUE; + } + return TRUE; } /* diff --git a/contrib/libs/curl/lib/easy.c b/contrib/libs/curl/lib/easy.c index 65d74646ae..bd9d695bb5 100644 --- a/contrib/libs/curl/lib/easy.c +++ b/contrib/libs/curl/lib/easy.c @@ -1139,7 +1139,7 @@ CURLcode curl_easy_recv(struct Curl_easy *data, void *buffer, size_t buflen, if(!data->conn) /* on first invoke, the transfer has been detached from the connection and needs to be reattached */ - Curl_attach_connnection(data, c); + Curl_attach_connection(data, c); *n = 0; result = Curl_read(data, sfd, buffer, buflen, &n1); @@ -1175,7 +1175,7 @@ CURLcode curl_easy_send(struct Curl_easy *data, const void *buffer, if(!data->conn) /* on first invoke, the transfer has been detached from the connection and needs to be reattached */ - Curl_attach_connnection(data, c); + Curl_attach_connection(data, c); *n = 0; sigpipe_ignore(data, &pipe_st); @@ -1209,12 +1209,12 @@ static int conn_upkeep(struct Curl_easy *data, if(conn->handler->connection_check) { /* briefly attach the connection to this transfer for the purpose of checking it */ - Curl_attach_connnection(data, conn); + Curl_attach_connection(data, conn); /* Do a protocol-specific keepalive check on the connection. */ conn->handler->connection_check(data, conn, CONNCHECK_KEEPALIVE); /* detach the connection again */ - Curl_detach_connnection(data); + Curl_detach_connection(data); } return 0; /* continue iteration */ diff --git a/contrib/libs/curl/lib/hostip.c b/contrib/libs/curl/lib/hostip.c index d37eff17d9..6fca2a5ff8 100644 --- a/contrib/libs/curl/lib/hostip.c +++ b/contrib/libs/curl/lib/hostip.c @@ -1268,7 +1268,7 @@ CURLcode Curl_once_resolved(struct Curl_easy *data, bool *protocol_done) result = Curl_setup_conn(data, protocol_done); if(result) { - Curl_detach_connnection(data); + Curl_detach_connection(data); Curl_conncache_remove_conn(data, conn, TRUE); Curl_disconnect(data, conn, TRUE); } diff --git a/contrib/libs/curl/lib/hsts.c b/contrib/libs/curl/lib/hsts.c index 03fcc9e425..b9fa6f7af5 100644 --- a/contrib/libs/curl/lib/hsts.c +++ b/contrib/libs/curl/lib/hsts.c @@ -114,16 +114,25 @@ static CURLcode hsts_create(struct hsts *h, curl_off_t expires) { struct stsentry *sts = hsts_entry(); + char *duphost; + size_t hlen; if(!sts) return CURLE_OUT_OF_MEMORY; - sts->expires = expires; - sts->includeSubDomains = subdomains; - sts->host = strdup(hostname); - if(!sts->host) { + duphost = strdup(hostname); + if(!duphost) { free(sts); return CURLE_OUT_OF_MEMORY; } + + hlen = strlen(duphost); + if(duphost[hlen - 1] == '.') + /* strip off trailing any dot */ + duphost[--hlen] = 0; + + sts->host = duphost; + sts->expires = expires; + sts->includeSubDomains = subdomains; Curl_llist_insert_next(&h->list, h->list.tail, sts, &sts->node); return CURLE_OK; } @@ -238,10 +247,21 @@ struct stsentry *Curl_hsts(struct hsts *h, const char *hostname, bool subdomain) { if(h) { + char buffer[MAX_HSTS_HOSTLEN + 1]; time_t now = time(NULL); size_t hlen = strlen(hostname); struct Curl_llist_element *e; struct Curl_llist_element *n; + + if((hlen > MAX_HSTS_HOSTLEN) || !hlen) + return NULL; + memcpy(buffer, hostname, hlen); + if(hostname[hlen-1] == '.') + /* remove the trailing dot */ + --hlen; + buffer[hlen] = 0; + hostname = buffer; + for(e = h->list.head; e; e = n) { struct stsentry *sts = e->ptr; n = e->next; @@ -440,7 +460,7 @@ static CURLcode hsts_pull(struct Curl_easy *data, struct hsts *h) CURLSTScode sc; DEBUGASSERT(h); do { - char buffer[257]; + char buffer[MAX_HSTS_HOSTLEN + 1]; struct curl_hstsentry e; e.name = buffer; e.namelen = sizeof(buffer)-1; diff --git a/contrib/libs/curl/lib/http.c b/contrib/libs/curl/lib/http.c index 7cf30bdebd..458ff1d781 100644 --- a/contrib/libs/curl/lib/http.c +++ b/contrib/libs/curl/lib/http.c @@ -651,6 +651,21 @@ CURLcode Curl_http_auth_act(struct Curl_easy *data) return result; } +/* + * Curl_allow_auth_to_host() tells if authentication, cookies or other + * "sensitive data" can (still) be sent to this host. + */ +bool Curl_allow_auth_to_host(struct Curl_easy *data) +{ + struct connectdata *conn = data->conn; + return (!data->state.this_is_a_follow || + data->set.allow_auth_to_other_hosts || + (data->state.first_host && + strcasecompare(data->state.first_host, conn->host.name) && + (data->state.first_remote_port == conn->remote_port) && + (data->state.first_remote_protocol == conn->handler->protocol))); +} + #ifndef CURL_DISABLE_HTTP_AUTH /* * Output the correct authentication header depending on the auth type @@ -775,21 +790,6 @@ output_auth_headers(struct Curl_easy *data, return CURLE_OK; } -/* - * Curl_allow_auth_to_host() tells if authentication, cookies or other - * "sensitive data" can (still) be sent to this host. - */ -bool Curl_allow_auth_to_host(struct Curl_easy *data) -{ - struct connectdata *conn = data->conn; - return (!data->state.this_is_a_follow || - data->set.allow_auth_to_other_hosts || - (data->state.first_host && - strcasecompare(data->state.first_host, conn->host.name) && - (data->state.first_remote_port == conn->remote_port) && - (data->state.first_remote_protocol == conn->handler->protocol))); -} - /** * Curl_http_output_auth() setups the authentication headers for the * host/proxy and the correct authentication diff --git a/contrib/libs/curl/lib/http_proxy.c b/contrib/libs/curl/lib/http_proxy.c index 98473c68fb..82389d11ff 100644 --- a/contrib/libs/curl/lib/http_proxy.c +++ b/contrib/libs/curl/lib/http_proxy.c @@ -967,6 +967,13 @@ static CURLcode CONNECT(struct Curl_easy *data, break; } + if(conn->bits.close && data->req.newurl) { + /* Connection closed by server. Don't use it anymore */ + Curl_closesocket(data, conn, conn->sock[sockindex]); + conn->sock[sockindex] = CURL_SOCKET_BAD; + break; + } + /* If we are supposed to continue and request a new URL, which basically * means the HTTP authentication is still going on so if the tunnel * is complete we start over in INIT state */ diff --git a/contrib/libs/curl/lib/multi.c b/contrib/libs/curl/lib/multi.c index 4179d4b278..2e471bf9b4 100644 --- a/contrib/libs/curl/lib/multi.c +++ b/contrib/libs/curl/lib/multi.c @@ -118,7 +118,7 @@ static void init_completed(struct Curl_easy *data) /* Important: reset the conn pointer so that we don't point to memory that could be freed anytime */ - Curl_detach_connnection(data); + Curl_detach_connection(data); Curl_expire_clear(data); /* stop all timers */ } @@ -637,7 +637,7 @@ static CURLcode multi_done(struct Curl_easy *data, process_pending_handles(data->multi); /* connection / multiplex */ CONNCACHE_LOCK(data); - Curl_detach_connnection(data); + Curl_detach_connection(data); if(CONN_INUSE(conn)) { /* Stop if still used. */ CONNCACHE_UNLOCK(data); @@ -826,7 +826,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, that vanish with this handle */ /* Remove the association between the connection and the handle */ - Curl_detach_connnection(data); + Curl_detach_connection(data); if(data->state.lastconnect_id != -1) { /* Mark any connect-only connection for closure */ @@ -901,12 +901,12 @@ bool Curl_multiplex_wanted(const struct Curl_multi *multi) } /* - * Curl_detach_connnection() removes the given transfer from the connection. + * Curl_detach_connection() removes the given transfer from the connection. * * This is the only function that should clear data->conn. This will * occasionally be called with the data->conn pointer already cleared. */ -void Curl_detach_connnection(struct Curl_easy *data) +void Curl_detach_connection(struct Curl_easy *data) { struct connectdata *conn = data->conn; if(conn) { @@ -918,11 +918,11 @@ void Curl_detach_connnection(struct Curl_easy *data) } /* - * Curl_attach_connnection() attaches this transfer to this connection. + * Curl_attach_connection() attaches this transfer to this connection. * * This is the only function that should assign data->conn */ -void Curl_attach_connnection(struct Curl_easy *data, +void Curl_attach_connection(struct Curl_easy *data, struct connectdata *conn) { DEBUGASSERT(!data->conn); @@ -1542,7 +1542,7 @@ CURLMcode Curl_multi_add_perform(struct Curl_multi *multi, /* take this handle to the perform state right away */ multistate(data, MSTATE_PERFORMING); - Curl_attach_connnection(data, conn); + Curl_attach_connection(data, conn); k->keepon |= KEEP_RECV; /* setup to receive! */ } return rc; @@ -2560,7 +2560,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, /* This is where we make sure that the conn pointer is reset. We don't have to do this in every case block above where a failure is detected */ - Curl_detach_connnection(data); + Curl_detach_connection(data); /* remove connection from cache */ Curl_conncache_remove_conn(data, conn, TRUE); diff --git a/contrib/libs/curl/lib/multiif.h b/contrib/libs/curl/lib/multiif.h index f4d0ada8e8..5a8c358bc4 100644 --- a/contrib/libs/curl/lib/multiif.h +++ b/contrib/libs/curl/lib/multiif.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -31,9 +31,9 @@ void Curl_expire(struct Curl_easy *data, timediff_t milli, expire_id); void Curl_expire_clear(struct Curl_easy *data); void Curl_expire_done(struct Curl_easy *data, expire_id id); CURLMcode Curl_update_timer(struct Curl_multi *multi) WARN_UNUSED_RESULT; -void Curl_attach_connnection(struct Curl_easy *data, +void Curl_attach_connection(struct Curl_easy *data, struct connectdata *conn); -void Curl_detach_connnection(struct Curl_easy *data); +void Curl_detach_connection(struct Curl_easy *data); bool Curl_multiplex_wanted(const struct Curl_multi *multi); void Curl_set_in_callback(struct Curl_easy *data, bool value); bool Curl_is_in_callback(struct Curl_easy *easy); diff --git a/contrib/libs/curl/lib/setopt.c b/contrib/libs/curl/lib/setopt.c index 0df1afa614..05e1a544df 100644 --- a/contrib/libs/curl/lib/setopt.c +++ b/contrib/libs/curl/lib/setopt.c @@ -2294,6 +2294,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) case CURLOPT_SSL_OPTIONS: arg = va_arg(param, long); + data->set.ssl.primary.ssl_options = (unsigned char)(arg & 0xff); data->set.ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); data->set.ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); data->set.ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); @@ -2307,6 +2308,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) #ifndef CURL_DISABLE_PROXY case CURLOPT_PROXY_SSL_OPTIONS: arg = va_arg(param, long); + data->set.proxy_ssl.primary.ssl_options = (unsigned char)(arg & 0xff); data->set.proxy_ssl.enable_beast = !!(arg & CURLSSLOPT_ALLOW_BEAST); data->set.proxy_ssl.no_revoke = !!(arg & CURLSSLOPT_NO_REVOKE); data->set.proxy_ssl.no_partialchain = !!(arg & CURLSSLOPT_NO_PARTIALCHAIN); @@ -2745,49 +2747,52 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param) case CURLOPT_TLSAUTH_USERNAME: result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME], va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + if(data->set.str[STRING_TLSAUTH_USERNAME] && + !data->set.ssl.primary.authtype) + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ break; #ifndef CURL_DISABLE_PROXY case CURLOPT_PROXY_TLSAUTH_USERNAME: result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY], va_arg(param, char *)); if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && - !data->set.proxy_ssl.authtype) - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + !data->set.proxy_ssl.primary.authtype) + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to + SRP */ break; #endif case CURLOPT_TLSAUTH_PASSWORD: result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD], va_arg(param, char *)); - if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype) - data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + if(data->set.str[STRING_TLSAUTH_USERNAME] && + !data->set.ssl.primary.authtype) + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ break; #ifndef CURL_DISABLE_PROXY case CURLOPT_PROXY_TLSAUTH_PASSWORD: result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY], va_arg(param, char *)); if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] && - !data->set.proxy_ssl.authtype) - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */ + !data->set.proxy_ssl.primary.authtype) + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */ break; #endif case CURLOPT_TLSAUTH_TYPE: argptr = va_arg(param, char *); if(!argptr || strncasecompare(argptr, "SRP", strlen("SRP"))) - data->set.ssl.authtype = CURL_TLSAUTH_SRP; + data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; else - data->set.ssl.authtype = CURL_TLSAUTH_NONE; + data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE; break; #ifndef CURL_DISABLE_PROXY case CURLOPT_PROXY_TLSAUTH_TYPE: argptr = va_arg(param, char *); if(!argptr || strncasecompare(argptr, "SRP", strlen("SRP"))) - data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; else - data->set.proxy_ssl.authtype = CURL_TLSAUTH_NONE; + data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE; break; #endif #endif diff --git a/contrib/libs/curl/lib/url.c b/contrib/libs/curl/lib/url.c index 5b6bd2b866..4a75b4da9c 100644 --- a/contrib/libs/curl/lib/url.c +++ b/contrib/libs/curl/lib/url.c @@ -372,7 +372,7 @@ CURLcode Curl_close(struct Curl_easy **datap) /* Detach connection if any is left. This should not be normal, but can be the case for example with CONNECT_ONLY + recv/send (test 556) */ - Curl_detach_connnection(data); + Curl_detach_connection(data); m = data->multi; if(m) /* This handle is still part of a multi handle, take care of this first @@ -542,7 +542,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) set->ssl.primary.verifypeer = TRUE; set->ssl.primary.verifyhost = TRUE; #ifdef USE_TLS_SRP - set->ssl.authtype = CURL_TLSAUTH_NONE; + set->ssl.primary.authtype = CURL_TLSAUTH_NONE; #endif set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth type */ @@ -859,7 +859,7 @@ void Curl_disconnect(struct Curl_easy *data, /* temporarily attach the connection to this transfer handle for the disconnect and shutdown */ - Curl_attach_connnection(data, conn); + Curl_attach_connection(data, conn); if(conn->handler->disconnect) /* This is set if protocol-specific cleanups should be made */ @@ -868,7 +868,7 @@ void Curl_disconnect(struct Curl_easy *data, conn_shutdown(data, conn); /* detach it again */ - Curl_detach_connnection(data); + Curl_detach_connection(data); conn_free(conn); } @@ -1020,12 +1020,12 @@ static bool extract_if_dead(struct connectdata *conn, /* briefly attach the connection to this transfer for the purpose of checking it */ - Curl_attach_connnection(data, conn); + Curl_attach_connection(data, conn); state = conn->handler->connection_check(data, conn, CONNCHECK_ISDEAD); dead = (state & CONNRESULT_DEAD); /* detach the connection again */ - Curl_detach_connnection(data); + Curl_detach_connection(data); } else { @@ -1100,6 +1100,12 @@ static void prune_dead_connections(struct Curl_easy *data) } } +static bool ssh_config_matches(struct connectdata *one, + struct connectdata *two) +{ + return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && + Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); +} /* * Given one filled in connection struct (named needle), this function should * detect if there already is one that has all the significant details @@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data, (data->state.httpwant < CURL_HTTP_VERSION_2_0)) continue; + if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } + if((needle->handler->flags&PROTOPT_SSL) #ifndef CURL_DISABLE_PROXY || !needle->bits.httpproxy || needle->bits.tunnel_proxy @@ -1508,7 +1519,7 @@ ConnectionExists(struct Curl_easy *data, if(chosen) { /* mark it as used before releasing the lock */ - Curl_attach_connnection(data, chosen); + Curl_attach_connection(data, chosen); CONNCACHE_UNLOCK(data); *usethis = chosen; return TRUE; /* yes, we found one to use! */ @@ -1758,11 +1769,17 @@ static struct connectdata *allocate_conn(struct Curl_easy *data) conn->ssl_config.verifystatus = data->set.ssl.primary.verifystatus; conn->ssl_config.verifypeer = data->set.ssl.primary.verifypeer; conn->ssl_config.verifyhost = data->set.ssl.primary.verifyhost; + conn->ssl_config.ssl_options = data->set.ssl.primary.ssl_options; +#ifdef USE_TLS_SRP +#endif #ifndef CURL_DISABLE_PROXY conn->proxy_ssl_config.verifystatus = data->set.proxy_ssl.primary.verifystatus; conn->proxy_ssl_config.verifypeer = data->set.proxy_ssl.primary.verifypeer; conn->proxy_ssl_config.verifyhost = data->set.proxy_ssl.primary.verifyhost; + conn->proxy_ssl_config.ssl_options = data->set.proxy_ssl.primary.ssl_options; +#ifdef USE_TLS_SRP +#endif #endif conn->ip_version = data->set.ipver; conn->bits.connect_only = data->set.connect_only; @@ -3779,7 +3796,7 @@ static CURLcode create_conn(struct Curl_easy *data, if(!result) { conn->bits.tcpconnect[FIRSTSOCKET] = TRUE; /* we are "connected */ - Curl_attach_connnection(data, conn); + Curl_attach_connection(data, conn); result = Curl_conncache_add_conn(data); if(result) goto out; @@ -3848,7 +3865,8 @@ static CURLcode create_conn(struct Curl_easy *data, data->set.str[STRING_SSL_ISSUERCERT_PROXY]; data->set.proxy_ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY]; - data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY]; + data->set.proxy_ssl.primary.CRLfile = + data->set.str[STRING_SSL_CRLFILE_PROXY]; data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY]; data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY]; data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY]; @@ -3856,18 +3874,20 @@ static CURLcode create_conn(struct Curl_easy *data, data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY]; data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY]; #endif - data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE]; + data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE]; data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE]; data->set.ssl.key = data->set.str[STRING_KEY]; data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE]; data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD]; data->set.ssl.primary.clientcert = data->set.str[STRING_CERT]; #ifdef USE_TLS_SRP - data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME]; - data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD]; + data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME]; + data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD]; #ifndef CURL_DISABLE_PROXY - data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; - data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; + data->set.proxy_ssl.primary.username = + data->set.str[STRING_TLSAUTH_USERNAME_PROXY]; + data->set.proxy_ssl.primary.password = + data->set.str[STRING_TLSAUTH_PASSWORD_PROXY]; #endif #endif data->set.ssl.key_blob = data->set.blobs[BLOB_KEY]; @@ -4006,7 +4026,7 @@ static CURLcode create_conn(struct Curl_easy *data, * This is a brand new connection, so let's store it in the connection * cache of ours! */ - Curl_attach_connnection(data, conn); + Curl_attach_connection(data, conn); result = Curl_conncache_add_conn(data); if(result) goto out; @@ -4153,7 +4173,7 @@ CURLcode Curl_connect(struct Curl_easy *data, else if(result && conn) { /* We're not allowed to return failure with memory left allocated in the connectdata struct, free those here */ - Curl_detach_connnection(data); + Curl_detach_connection(data); Curl_conncache_remove_conn(data, conn, TRUE); Curl_disconnect(data, conn, TRUE); } diff --git a/contrib/libs/curl/lib/urlapi.c b/contrib/libs/curl/lib/urlapi.c index 99a0f69282..2a36de6a58 100644 --- a/contrib/libs/curl/lib/urlapi.c +++ b/contrib/libs/curl/lib/urlapi.c @@ -228,7 +228,7 @@ static void strcpy_url(char *output, const char *url, bool relative) */ bool Curl_is_absolute_url(const char *url, char *buf, size_t buflen) { - size_t i; + int i; DEBUGASSERT(!buf || (buflen > MAX_SCHEME_LEN)); (void)buflen; /* only used in debug-builds */ if(buf) @@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname) #endif } else { - /* letters from the second string is not ok */ - len = strcspn(hostname, " \r\n"); + /* letters from the second string are not ok */ + len = strcspn(hostname, " \r\n\t/:#?!@"); if(hlen != len) /* hostname with bad content */ return CURLUE_BAD_HOSTNAME; diff --git a/contrib/libs/curl/lib/urldata.h b/contrib/libs/curl/lib/urldata.h index 9249c9c60e..3da36624cf 100644 --- a/contrib/libs/curl/lib/urldata.h +++ b/contrib/libs/curl/lib/urldata.h @@ -253,10 +253,17 @@ struct ssl_primary_config { char *cipher_list; /* list of ciphers to use */ char *cipher_list13; /* list of TLS 1.3 cipher suites to use */ char *pinned_key; + char *CRLfile; /* CRL to check certificate revocation */ struct curl_blob *cert_blob; struct curl_blob *ca_info_blob; struct curl_blob *issuercert_blob; +#ifdef USE_TLS_SRP + char *username; /* TLS username (for, e.g., SRP) */ + char *password; /* TLS password (for, e.g., SRP) */ + enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ +#endif char *curves; /* list of curves to use */ + unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */ BIT(verifypeer); /* set TRUE if this is desired */ BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */ BIT(verifystatus); /* set TRUE if certificate status must be checked */ @@ -266,7 +273,6 @@ struct ssl_primary_config { struct ssl_config_data { struct ssl_primary_config primary; long certverifyresult; /* result from the certificate verification */ - char *CRLfile; /* CRL to check certificate revocation */ curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */ void *fsslctxp; /* parameter for call back */ char *cert_type; /* format for certificate (default: PEM)*/ @@ -274,11 +280,6 @@ struct ssl_config_data { struct curl_blob *key_blob; char *key_type; /* format for private key (default: PEM) */ char *key_passwd; /* plain text private key password */ -#ifdef USE_TLS_SRP - char *username; /* TLS username (for, e.g., SRP) */ - char *password; /* TLS password (for, e.g., SRP) */ - enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */ -#endif BIT(certinfo); /* gather lots of certificate info */ BIT(falsestart); BIT(enable_beast); /* allow this flaw for interoperability's sake*/ diff --git a/contrib/libs/curl/lib/vquic/msh3.c b/contrib/libs/curl/lib/vquic/msh3.c index 071f13e1fc..47279bd2b2 100644 --- a/contrib/libs/curl/lib/vquic/msh3.c +++ b/contrib/libs/curl/lib/vquic/msh3.c @@ -95,7 +95,9 @@ static const MSH3_REQUEST_IF msh3_request_if = { void Curl_quic_ver(char *p, size_t len) { - (void)msnprintf(p, len, "msh3/%s", "0.0.1"); + uint32_t v[4]; + MsH3Version(v); + (void)msnprintf(p, len, "msh3/%d.%d.%d.%d", v[0], v[1], v[2], v[3]); } CURLcode Curl_quic_connect(struct Curl_easy *data, @@ -121,7 +123,10 @@ CURLcode Curl_quic_connect(struct Curl_easy *data, return CURLE_FAILED_INIT; } - qs->conn = MsH3ConnectionOpen(qs->api, conn->host.name, unsecure); + qs->conn = MsH3ConnectionOpen(qs->api, + conn->host.name, + (uint16_t)conn->remote_port, + unsecure); if(!qs->conn) { failf(data, "can't create msh3 connection"); if(qs->api) { @@ -357,7 +362,7 @@ static void MSH3_CALL msh3_complete(MSH3_REQUEST *Request, void *IfContext, struct HTTP *stream = IfContext; (void)Request; (void)AbortError; - H3BUGF(printf("* msh3_complete, aborted=%hhu\n", Aborted)); + H3BUGF(printf("* msh3_complete, aborted=%s\n", Aborted ? "true" : "false")); msh3_lock_acquire(&stream->recv_lock); if(Aborted) { stream->recv_error = CURLE_HTTP3; /* TODO - how do we pass AbortError? */ diff --git a/contrib/libs/curl/lib/vquic/ngtcp2.c b/contrib/libs/curl/lib/vquic/ngtcp2.c index 233d7e2e4f..2636985597 100644 --- a/contrib/libs/curl/lib/vquic/ngtcp2.c +++ b/contrib/libs/curl/lib/vquic/ngtcp2.c @@ -264,6 +264,7 @@ static SSL_QUIC_METHOD quic_method = {quic_set_encryption_secrets, static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) { + struct connectdata *conn = data->conn; SSL_CTX *ssl_ctx = SSL_CTX_new(TLS_method()); SSL_CTX_set_min_proto_version(ssl_ctx, TLS1_3_VERSION); @@ -291,12 +292,11 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback); } - { - struct connectdata *conn = data->conn; + if(conn->ssl_config.verifypeer) { const char * const ssl_cafile = conn->ssl_config.CAfile; const char * const ssl_capath = conn->ssl_config.CApath; - if(conn->ssl_config.verifypeer) { + if(ssl_cafile || ssl_capath) { SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL); /* tell OpenSSL where to find CA certificates that are used to verify the server's certificate. */ @@ -311,6 +311,13 @@ static SSL_CTX *quic_ssl_ctx(struct Curl_easy *data) infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none"); infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none"); } +#ifdef CURL_CA_FALLBACK + else { + /* verifying the peer without any CA certificates won't work so + use openssl's built-in default as fallback */ + SSL_CTX_set_default_verify_paths(ssl_ctx); + } +#endif } return ssl_ctx; } diff --git a/contrib/libs/curl/lib/vssh/ssh.h b/contrib/libs/curl/lib/vssh/ssh.h index 7f50e76b04..e7174f0986 100644 --- a/contrib/libs/curl/lib/vssh/ssh.h +++ b/contrib/libs/curl/lib/vssh/ssh.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -131,8 +131,8 @@ struct ssh_conn { /* common */ const char *passphrase; /* pass-phrase to use */ - char *rsa_pub; /* path name */ - char *rsa; /* path name */ + char *rsa_pub; /* strdup'ed public key file */ + char *rsa; /* strdup'ed private key file */ bool authed; /* the connection has been authenticated fine */ bool acceptfail; /* used by the SFTP_QUOTE (continue if quote command fails) */ diff --git a/contrib/libs/curl/lib/vtls/gskit.c b/contrib/libs/curl/lib/vtls/gskit.c index 9b5fbe4dd6..7a65f92f20 100644 --- a/contrib/libs/curl/lib/vtls/gskit.c +++ b/contrib/libs/curl/lib/vtls/gskit.c @@ -293,27 +293,6 @@ static CURLcode set_numeric(struct Curl_easy *data, } -static CURLcode set_callback(struct Curl_easy *data, - gsk_handle h, GSK_CALLBACK_ID id, void *info) -{ - char buffer[STRERROR_LEN]; - int rc = gsk_attribute_set_callback(h, id, info); - - switch(rc) { - case GSK_OK: - return CURLE_OK; - case GSK_ERROR_IO: - failf(data, "gsk_attribute_set_callback() I/O error: %s", - Curl_strerror(errno, buffer, sizeof(buffer))); - break; - default: - failf(data, "gsk_attribute_set_callback(): %s", gsk_strerror(rc)); - break; - } - return CURLE_SSL_CONNECT_ERROR; -} - - static CURLcode set_ciphers(struct Curl_easy *data, gsk_handle h, unsigned int *protoflags) { @@ -796,13 +775,13 @@ static CURLcode gskit_connect_step1(struct Curl_easy *data, BACKEND->localfd = sockpair[0]; BACKEND->remotefd = sockpair[1]; setsockopt(BACKEND->localfd, SOL_SOCKET, SO_RCVBUF, - (void *) sobufsize, sizeof(sobufsize)); + (void *) &sobufsize, sizeof(sobufsize)); setsockopt(BACKEND->remotefd, SOL_SOCKET, SO_RCVBUF, - (void *) sobufsize, sizeof(sobufsize)); + (void *) &sobufsize, sizeof(sobufsize)); setsockopt(BACKEND->localfd, SOL_SOCKET, SO_SNDBUF, - (void *) sobufsize, sizeof(sobufsize)); + (void *) &sobufsize, sizeof(sobufsize)); setsockopt(BACKEND->remotefd, SOL_SOCKET, SO_SNDBUF, - (void *) sobufsize, sizeof(sobufsize)); + (void *) &sobufsize, sizeof(sobufsize)); curlx_nonblock(BACKEND->localfd, TRUE); curlx_nonblock(BACKEND->remotefd, TRUE); } diff --git a/contrib/libs/curl/lib/vtls/gtls.c b/contrib/libs/curl/lib/vtls/gtls.c index 0535011911..dd82755852 100644 --- a/contrib/libs/curl/lib/vtls/gtls.c +++ b/contrib/libs/curl/lib/vtls/gtls.c @@ -445,9 +445,10 @@ gtls_connect_step1(struct Curl_easy *data, } #ifdef USE_GNUTLS_SRP - if((SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) && + if((SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) && Curl_allow_auth_to_host(data)) { - infof(data, "Using TLS-SRP username: %s", SSL_SET_OPTION(username)); + infof(data, "Using TLS-SRP username: %s", + SSL_SET_OPTION(primary.username)); rc = gnutls_srp_allocate_client_credentials(&backend->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { @@ -457,8 +458,8 @@ gtls_connect_step1(struct Curl_easy *data, } rc = gnutls_srp_set_client_credentials(backend->srp_client_cred, - SSL_SET_OPTION(username), - SSL_SET_OPTION(password)); + SSL_SET_OPTION(primary.username), + SSL_SET_OPTION(primary.password)); if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_set_client_cred() failed: %s", gnutls_strerror(rc)); @@ -515,19 +516,19 @@ gtls_connect_step1(struct Curl_easy *data, } #endif - if(SSL_SET_OPTION(CRLfile)) { + if(SSL_SET_OPTION(primary.CRLfile)) { /* set the CRL list file */ rc = gnutls_certificate_set_x509_crl_file(backend->cred, - SSL_SET_OPTION(CRLfile), + SSL_SET_OPTION(primary.CRLfile), GNUTLS_X509_FMT_PEM); if(rc < 0) { failf(data, "error reading crl file %s (%s)", - SSL_SET_OPTION(CRLfile), gnutls_strerror(rc)); + SSL_SET_OPTION(primary.CRLfile), gnutls_strerror(rc)); return CURLE_SSL_CRL_BADFILE; } else infof(data, "found %d CRL in %s", - rc, SSL_SET_OPTION(CRLfile)); + rc, SSL_SET_OPTION(primary.CRLfile)); } /* Initialize TLS session as a client */ @@ -598,7 +599,7 @@ gtls_connect_step1(struct Curl_easy *data, #ifdef USE_GNUTLS_SRP /* Only add SRP to the cipher list if SRP is requested. Otherwise * GnuTLS will disable TLS 1.3 support. */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { size_t len = strlen(prioritylist); char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1); @@ -693,7 +694,7 @@ gtls_connect_step1(struct Curl_easy *data, #ifdef USE_GNUTLS_SRP /* put the credentials to the current session */ - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP) { rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP, backend->srp_client_cred); if(rc != GNUTLS_E_SUCCESS) { @@ -875,8 +876,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, SSL_CONN_CONFIG(verifyhost) || SSL_CONN_CONFIG(issuercert)) { #ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(primary.username) && !SSL_CONN_CONFIG(verifypeer) && gnutls_cipher_get(session)) { /* no peer cert, but auth is ok if we have SRP user and cipher and no @@ -934,7 +935,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data, failf(data, "server certificate verification failed. CAfile: %s " "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): "none", - SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); + SSL_SET_OPTION(primary.CRLfile) ? + SSL_SET_OPTION(primary.CRLfile) : "none"); return CURLE_PEER_FAILED_VERIFICATION; } else @@ -1564,8 +1566,8 @@ static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, gnutls_certificate_free_credentials(backend->cred); #ifdef USE_GNUTLS_SRP - if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP - && SSL_SET_OPTION(username) != NULL) + if(SSL_SET_OPTION(primary.authtype) == CURL_TLSAUTH_SRP + && SSL_SET_OPTION(primary.username) != NULL) gnutls_srp_free_client_credentials(backend->srp_client_cred); #endif diff --git a/contrib/libs/curl/lib/vtls/mbedtls.c b/contrib/libs/curl/lib/vtls/mbedtls.c index a1ab6b42c9..70b51b8bdd 100644 --- a/contrib/libs/curl/lib/vtls/mbedtls.c +++ b/contrib/libs/curl/lib/vtls/mbedtls.c @@ -279,7 +279,7 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, const char * const ssl_capath = SSL_CONN_CONFIG(CApath); char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); const char * const hostname = SSL_HOST_NAME(); #ifndef CURL_DISABLE_VERBOSE_STRINGS const long int port = SSL_HOST_PORT(); @@ -303,8 +303,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, &ts_entropy, NULL, 0); if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s", + failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s", -ret, errorbuf); + return CURLE_FAILED_INIT; } #else mbedtls_entropy_init(&backend->entropy); @@ -314,8 +315,9 @@ mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, &backend->entropy, NULL, 0); if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s", + failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s", -ret, errorbuf); + return CURLE_FAILED_INIT; } #endif /* THREADING_SUPPORT */ @@ -815,8 +817,8 @@ mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, if(next_protocol) { infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, next_protocol); #ifdef USE_HTTP2 - if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LEN) && - !next_protocol[ALPN_H2_LEN]) { + if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) && + !next_protocol[ALPN_H2_LENGTH]) { conn->negnpn = CURL_HTTP_VERSION_2; } else @@ -1015,7 +1017,7 @@ static CURLcode mbedtls_random(struct Curl_easy *data, if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "Failed - mbedTLS: ctr_drbg_seed returned (-0x%04X) %s", + failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s", -ret, errorbuf); } else { @@ -1023,7 +1025,7 @@ static CURLcode mbedtls_random(struct Curl_easy *data, if(ret) { mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); - failf(data, "mbedTLS: ctr_drbg_init returned (-0x%04X) %s", + failf(data, "mbedtls_ctr_drbg_random returned (-0x%04X) %s", -ret, errorbuf); } } diff --git a/contrib/libs/curl/lib/vtls/nss.c b/contrib/libs/curl/lib/vtls/nss.c index 5b7de9f818..cb0509ff5b 100644 --- a/contrib/libs/curl/lib/vtls/nss.c +++ b/contrib/libs/curl/lib/vtls/nss.c @@ -983,6 +983,9 @@ static void display_cert_info(struct Curl_easy *data, PR_Free(common_name); } +/* A number of certs that will never occur in a real server handshake */ +#define TOO_MANY_CERTS 300 + static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) { CURLcode result = CURLE_OK; @@ -1018,6 +1021,11 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA); while(cert2) { i++; + if(i >= TOO_MANY_CERTS) { + CERT_DestroyCertificate(cert2); + failf(data, "certificate loop"); + return CURLE_SSL_CERTPROBLEM; + } if(cert2->isRoot) { CERT_DestroyCertificate(cert2); break; @@ -2027,13 +2035,13 @@ static CURLcode nss_setup_connect(struct Curl_easy *data, } } - if(SSL_SET_OPTION(CRLfile)) { - const CURLcode rv = nss_load_crl(SSL_SET_OPTION(CRLfile)); + if(SSL_SET_OPTION(primary.CRLfile)) { + const CURLcode rv = nss_load_crl(SSL_SET_OPTION(primary.CRLfile)); if(rv) { result = rv; goto error; } - infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile)); + infof(data, " CRLfile: %s", SSL_SET_OPTION(primary.CRLfile)); } if(SSL_SET_OPTION(primary.clientcert)) { diff --git a/contrib/libs/curl/lib/vtls/openssl.c b/contrib/libs/curl/lib/vtls/openssl.c index f15ac28a76..0db21b728d 100644 --- a/contrib/libs/curl/lib/vtls/openssl.c +++ b/contrib/libs/curl/lib/vtls/openssl.c @@ -215,11 +215,10 @@ * OpenSSL: supported since 1.0.2, see * https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html * BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30) - * LibreSSL: not tested. + * LibreSSL: since 2.5.3 (April 12, 2017) */ -#if ((OPENSSL_VERSION_NUMBER >= 0x10002000L) && \ - !defined(LIBRESSL_VERSION_NUMBER)) || \ - defined(OPENSSL_IS_BORINGSSL) +#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) || \ + defined(OPENSSL_IS_BORINGSSL) #define HAVE_SSL_CTX_SET_EC_CURVES #endif @@ -2663,7 +2662,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #endif const long int ssl_version = SSL_CONN_CONFIG(version); #ifdef USE_OPENSSL_SRP - const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype); + const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype); #endif char * const ssl_cert = SSL_SET_OPTION(primary.clientcert); const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob); @@ -2674,7 +2673,7 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); const char * const ssl_capath = SSL_CONN_CONFIG(CApath); const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); + const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile); char error_buffer[256]; struct ssl_backend_data *backend = connssl->backend; bool imported_native_ca = false; @@ -2926,15 +2925,15 @@ static CURLcode ossl_connect_step1(struct Curl_easy *data, #ifdef USE_OPENSSL_SRP if((ssl_authtype == CURL_TLSAUTH_SRP) && Curl_allow_auth_to_host(data)) { - char * const ssl_username = SSL_SET_OPTION(username); - + char * const ssl_username = SSL_SET_OPTION(primary.username); + char * const ssl_password = SSL_SET_OPTION(primary.password); infof(data, "Using TLS-SRP username: %s", ssl_username); if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) { failf(data, "Unable to set SRP user name"); return CURLE_BAD_FUNCTION_ARGUMENT; } - if(!SSL_CTX_set_srp_password(backend->ctx, SSL_SET_OPTION(password))) { + if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) { failf(data, "failed setting SRP password"); return CURLE_BAD_FUNCTION_ARGUMENT; } diff --git a/contrib/libs/curl/lib/vtls/sectransp.c b/contrib/libs/curl/lib/vtls/sectransp.c index 8ee8fe997f..2e57d83785 100644 --- a/contrib/libs/curl/lib/vtls/sectransp.c +++ b/contrib/libs/curl/lib/vtls/sectransp.c @@ -2045,8 +2045,9 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data, err = SSLSetPeerDomainName(backend->ssl_ctx, snihost, snilen); if(err != noErr) { - infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d", + failf(data, "SSL: SSLSetPeerDomainName() failed: OSStatus %d", err); + return CURLE_SSL_CONNECT_ERROR; } if((Curl_inet_pton(AF_INET, hostname, &addr)) diff --git a/contrib/libs/curl/lib/vtls/vtls.c b/contrib/libs/curl/lib/vtls/vtls.c index a40ac06f68..e2d34388cc 100644 --- a/contrib/libs/curl/lib/vtls/vtls.c +++ b/contrib/libs/curl/lib/vtls/vtls.c @@ -132,6 +132,7 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, { if((data->version == needle->version) && (data->version_max == needle->version_max) && + (data->ssl_options == needle->ssl_options) && (data->verifypeer == needle->verifypeer) && (data->verifyhost == needle->verifyhost) && (data->verifystatus == needle->verifystatus) && @@ -144,9 +145,15 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, Curl_safecmp(data->clientcert, needle->clientcert) && Curl_safecmp(data->random_file, needle->random_file) && Curl_safecmp(data->egdsocket, needle->egdsocket) && +#ifdef USE_TLS_SRP + Curl_safecmp(data->username, needle->username) && + Curl_safecmp(data->password, needle->password) && + (data->authtype == needle->authtype) && +#endif Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && Curl_safe_strcasecompare(data->curves, needle->curves) && + Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) && Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key)) return TRUE; @@ -163,6 +170,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, dest->verifyhost = source->verifyhost; dest->verifystatus = source->verifystatus; dest->sessionid = source->sessionid; + dest->ssl_options = source->ssl_options; +#ifdef USE_TLS_SRP + dest->authtype = source->authtype; +#endif CLONE_BLOB(cert_blob); CLONE_BLOB(ca_info_blob); @@ -177,6 +188,11 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source, CLONE_STRING(cipher_list13); CLONE_STRING(pinned_key); CLONE_STRING(curves); + CLONE_STRING(CRLfile); +#ifdef USE_TLS_SRP + CLONE_STRING(username); + CLONE_STRING(password); +#endif return TRUE; } @@ -196,6 +212,11 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) Curl_safefree(sslc->ca_info_blob); Curl_safefree(sslc->issuercert_blob); Curl_safefree(sslc->curves); + Curl_safefree(sslc->CRLfile); +#ifdef USE_TLS_SRP + Curl_safefree(sslc->username); + Curl_safefree(sslc->password); +#endif } #ifdef USE_SSL diff --git a/contrib/libs/curl/lib/vtls/x509asn1.c b/contrib/libs/curl/lib/vtls/x509asn1.c index f64acb83c9..dfb938621c 100644 --- a/contrib/libs/curl/lib/vtls/x509asn1.c +++ b/contrib/libs/curl/lib/vtls/x509asn1.c @@ -945,6 +945,24 @@ static int do_pubkey(struct Curl_easy *data, int certnum, /* Generate all information records for the public key. */ + if(strcasecompare(algo, "ecPublicKey")) { + /* + * ECC public key is all the data, a value of type BIT STRING mapped to + * OCTET STRING and should not be parsed as an ASN.1 value. + */ + const unsigned long len = + (unsigned long)((pubkey->end - pubkey->beg - 2) * 4); + if(!certnum) + infof(data, " ECC Public Key (%lu bits)", len); + if(data->set.ssl.certinfo) { + char q[sizeof(len) * 8 / 3 + 1]; + msnprintf(q, sizeof(q), "%lu", len); + if(Curl_ssl_push_certinfo(data, certnum, "ECC Public Key", q)) + return 1; + } + return do_pubkey_field(data, certnum, "ecPublicKey", pubkey); + } + /* Get the public key (single element). */ if(!getASN1Element(&pk, pubkey->beg + 1, pubkey->end)) return 1; @@ -971,14 +989,10 @@ static int do_pubkey(struct Curl_easy *data, int certnum, if(!certnum) infof(data, " RSA Public Key (%lu bits)", len); if(data->set.ssl.certinfo) { - q = curl_maprintf("%lu", len); - if(q) { - CURLcode result = - Curl_ssl_push_certinfo(data, certnum, "RSA Public Key", q); - free((char *) q); - if(result) - return 1; - } + char r[sizeof(len) * 8 / 3 + 1]; + msnprintf(r, sizeof(r), "%lu", len); + if(Curl_ssl_push_certinfo(data, certnum, "RSA Public Key", r)) + return 1; } /* Generate coefficients. */ if(do_pubkey_field(data, certnum, "rsa(n)", &elem)) |