- tunnel https proxy used for http: transfers does
no check if proxy-ssl configuration matches
- test cases added, test_10_12 fails on 8.4.0
Closes#12255
- Add these revocation errors to sspi error list:
CRYPT_E_NO_REVOCATION_DLL, CRYPT_E_NO_REVOCATION_CHECK,
CRYPT_E_REVOCATION_OFFLINE and CRYPT_E_NOT_IN_REVOCATION_DATABASE.
Prior to this change those error codes were not matched to their macro
name and instead shown as "unknown error".
Before:
schannel: next InitializeSecurityContext failed:
Unknown error (0x80092013) - The revocation function was
unable to check revocation because the revocation server was offline.
After:
schannel: next InitializeSecurityContext failed:
CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was
unable to check revocation because the revocation server was offline.
Bug: https://github.com/curl/curl/issues/12239
Reported-by: Niracler Li
Closes https://github.com/curl/curl/pull/12241
- Use malloc + strncpy instead of Curl_memdup to dupe the string before
null terminating it.
Prior to this change if Curl_strndup was passed a length longer than
the allocated string then it could copy out of bounds.
This change is for posterity. Curl_strndup was added in the parent
commit and currently none of the calls to it pass a length that would
cause it to read past the allocated length of the input.
Follow-up to d3b3ba35.
Closes https://github.com/curl/curl/pull/12254
- perform connection cache matching against `data->set.ssl.primary`
and proxy counterpart
- fully clone connection ssl config only when connection is used
Closes#12237
- disable HTTPS-proxy as well, since it can't work without HTTP
- curl_setup: when HTTP is disabled, also disable all features that are
HTTP-only
- version: HTTPS-proxy only exists if HTTP support exists
Closes#12223
Finding a 'Content-Range:' in the response changed the handling.
Add test case 1475 to verify -C - with 416 and Content-Range: header,
which is almost exactly like test 194 which instead uses a fixed -C
offset. Adjusted test 194 to also be considered fine.
Fixes#10521
Reported-by: Smackd0wn
Fixes#12174
Reported-by: Anubhav Rai
Closes#12176
After this patch we assume availability of `getaddrinfo` and
`freeaddrinfo`, first introduced in Windows XP. Meaning curl
now requires building for Windows XP as a minimum.
TODO: assume these also in autotools.
Ref: https://github.com/curl/curl/pull/12221#issuecomment-1783761806Closes#12225
Use 3.1 with the modern runner image.
We still use 1.1.1 in 8 jobs.
1.1.1 is EOL since 2023-09-11:
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
Also:
- add missing SSL-backend to job descriptions.
- tidy up CPU in job descriptions.
Closes#12226
- On Windows if IPv6 is enabled but getaddrinfo is missing then #error
the build.
curl can be built with IPv6 support (ENABLE_IPV6) but without the
ability to resolve hosts to IPv6 addresses (HAVE_GETADDRINFO). On
Windows this is highly unlikely and should be considered a bad build
configuration.
Such a bad configuration has already given us a bug that was hard to
diagnose. See #12134 and #12136 for discussion.
Ref: https://github.com/curl/curl/issues/12134
Ref: https://github.com/curl/curl/pull/12136
Closes https://github.com/curl/curl/pull/12221
- If CURLSSLOPT_NATIVE_CA on Windows then import from intermediate CA
"CA" store after importing from root CA "ROOT" store.
This change allows curl to work in situations where a server does not
send all intermediate certs and they are present in the "CA" store (the
store with intermediate CAs). This is already allowed by the Schannel
backend.
Also this change makes partial chain verification possible for those
certs since we allow partial chain verification by default for OpenSSL
(unless CURLSSLOPT_NO_PARTIALCHAIN). This is not allowed by the Schannel
backend.
Prior to this change CURLSSLOPT_NATIVE_CA only imported "ROOT" certs.
Fixes https://github.com/curl/curl/issues/12155
Closes https://github.com/curl/curl/pull/12185
In 8.4.0 we deleted `_mingw.h` as part of purging old-mingw support.
Turns out `_mingw.h` had the side-effect of setting a default
`_WIN32_WINNT` value expected by `lib/config-win32.h` to enable
`getaddrinfo` support in `Makefile.mk` mingw-w64 builds. This caused
disabling support for this unless specifying the value manually.
Restore this header and update its comment to tell why we continue
to need it.
This triggered a regression in official Windows curl builds starting
with 8.4.0_1. Fixed in 8.4.0_6. (8.5.0 will be using CMake.)
Regression from 38029101e2#11625
Reported-by: zhengqwe on github
Helped-by: Nico Rieck
Fixes#12134Fixes#12136Closes#12217
- fixed libssh.c workaround for a socket being closed by
the library
- eliminate the terrible hack in cf-socket.c to guess when
this happened and try not closing the socket again.
- fixes race in eyeballing when socket could have failed to
be closed for a discarded connect attempt
Closes#12207
Win32 threads are always available. We enabled them unconditionally
(with `ENABLE_THREADED_RESOLVER`). CMake built-in thread detection
logic has this condition hard-coded for Windows as well (since at least
2007).
Instead of doing all the work of detecting pthread combinations on
Windows, then discarding those results, skip these efforts and assume
built-in thread support when building for Windows.
This saves 1-3 slow CMake configuration steps.
Reviewed-by: Daniel Stenberg
Closes#12202
