Any 1xx response before the CONNECT final one can be dropped as no one
uses those in the HTTP/2 proxy filter. This eliminates a potential
memory exhaustion by the famous malicious server on the internet.
Closes #21626
If the hostname is specified as an IPv4 numerical address and it is
followed by a single dot, accept that as a valid IPv4 and remove the
dot when normalizing.
This prevents otherwise legitimate IPv4 hostnames from having trailing dots.
Seems to match what browsers do.
Extended test 1560 to verify.
Closes #21635
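As an added illustration, not curl's own code: a simplified C sketch of the rule in the commit message above, accepting an IPv4 literal followed by exactly one dot and storing it without the dot. The function name `normalize_ipv4_host` is hypothetical, and `inet_pton()` is assumed here as the parser, so only plain dotted-decimal input is covered.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 and writes the canonical dotted quad to
   'out' when 'host' is an IPv4 literal, optionally followed by exactly one
   dot. Returns 0 for anything else, including two trailing dots. */
static int normalize_ipv4_host(const char *host, char *out, size_t outlen)
{
  struct in_addr addr;
  char tmp[INET_ADDRSTRLEN];
  size_t len = strlen(host);

  if(len && host[len - 1] == '.')
    len--;                      /* drop one trailing dot, never more */
  if(!len || len >= sizeof(tmp))
    return 0;                   /* empty, or too long to be an IPv4 literal */
  memcpy(tmp, host, len);
  tmp[len] = 0;
  if(inet_pton(AF_INET, tmp, &addr) != 1)
    return 0;                   /* not an IPv4 literal: leave to name rules */
  /* serialise again so the stored form carries no trailing dot */
  return inet_ntop(AF_INET, &addr, out, (socklen_t)outlen) != NULL;
}

int main(void)
{
  /* constructed sample inputs */
  const char *tests[] = { "127.0.0.1.", "127.0.0.1..", "example.com." };
  char out[INET_ADDRSTRLEN];
  size_t i;
  for(i = 0; i < sizeof(tests) / sizeof(tests[0]); i++)
    printf("%-14s -> %s\n", tests[i],
           normalize_ipv4_host(tests[i], out, sizeof(out)) ? out : "(not IPv4)");
  return 0;
}
```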
When asked to parse for a string with max zero bytes, it will always
return error and no longer trigger an assert. This saves the caller from
having to check for this condition.
Closes #21600
Or consisting of just a single dot.
Such names cannot be resolved with DNS.
While they *can* still be resolved with /etc/hosts or --resolve tricks,
they easily cause internal problems because of their trailing dots.
Let's not allow them anymore.
Closes #21622
To make them more accurate.
Also:
- show Visual Studio version, where missing.
- ease the formatting.
- schannel_int.h: clang-tidy fallback code.
Used: `rg -l --sort=path CERT_FIND_HAS_PRIVATE_KEY`
Closes #21621
CURLOPT_GSSAPI_DELEGATION exposes distinct modes:
CURLGSSAPI_DELEGATION_POLICY_FLAG is documented as delegating only when
OK-AS-DELEGATE policy permits it, while CURLGSSAPI_DELEGATION_FLAG is
unconditional. The new SSPI implementation checks for either bit and
sets ISC_REQ_DELEGATE, so a caller requesting policy-limited delegation
is put on the same SSPI path as unconditional delegation.
In addition, curl's existing protection that avoids reusing a connection
when the GSS delegation setting differs was guarded only by HAVE_GSSAPI;
SSPI-only builds now have an effective delegation option, but the
connection's delegation setting was neither copied nor compared. This
would cause Windows SSPI Negotiate/Kerberos authentication to delegate
credentials contrary to the caller's selected policy or reuse an
already-delegated authenticated connection for a transfer that requested
no delegation.
Follow-up to cc6777d939
Reported by Codex Security
Closes #21583
The SASL service name, used in authentication, is part of curl's credentials
when authenticating to a server/proxy. Make it part of `struct Curl_creds`.
Change code to use `creds` to obtain a service name. By tying creds used
to the connection, connection reuse is also only allowed when the service
name matches.
Closes #21585
Authorization credentials are kept in `struct Curl_creds`. This contains:
* `user`: the username, maybe the empty string
* `passwd`: the password, maybe the empty string
* `sasl_authzid`: the SASL authz value, maybe the empty string
* `oauth_bearer`: the OAUTH bearer token, maybe the empty string
* `source`: where the credentials come from
* `refcount`: a reference counter to link/unlink creds
A `creds` with all values empty is equivalent to NULL, e.g. no `creds`
instance. With reference counting, `creds` can be linked/unlinked
in several places.
See docs/internals/CREDENTIALS.md for use.
Closes #21548
Make CURLOPT_GSSAPI_DELEGATION effective on Windows builds that use SSPI
(instead of a native GSS-API implementation), so Kerberos delegation can
be requested during SPNEGO/Negotiate authentication.
Closes #21528
Previously, the use of checkprefix() alone allowed the code to match not
only on "blksize" but also (mistakenly) on "blksizeFOO" etc.
Reported-by: Andrew Nesbit
Closes #21560
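An added example, not code from curl: why a prefix-only comparison misidentifies option names, shown next to a whole-name match. The helpers `has_prefix` and `option_is` are hypothetical stand-ins, and the name/value buffer is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-in for a case-insensitive prefix test (not curl's macro) */
static int has_prefix(const char *prefix, const char *s, size_t slen)
{
  size_t plen = strlen(prefix);
  return slen >= plen && strncasecmp(prefix, s, plen) == 0;
}

/* Whole-name match: same length and same bytes, ignoring case */
static int option_is(const char *name, const char *s, size_t slen)
{
  return slen == strlen(name) && strncasecmp(name, s, slen) == 0;
}

/* Constructed sample: NUL-terminated name/value pairs */
static const char sample[] =
  "blksize\0" "512\0" "blksizeFOO\0" "9999\0" "tsize\0" "0";

/* Count the options treated as "blksize"; every read stays within len */
static int count_blksize(const char *buf, size_t len, int exact)
{
  int hits = 0;
  size_t i = 0;
  while(i < len) {
    const char *name = buf + i;
    const char *nul = memchr(name, 0, len - i);
    size_t nlen;
    if(!nul) break;                      /* unterminated name */
    nlen = (size_t)(nul - name);
    i += nlen + 1;
    if(i >= len) break;                  /* name without a value */
    nul = memchr(buf + i, 0, len - i);
    if(!nul) break;                      /* unterminated value */
    i = (size_t)(nul - buf) + 1;
    if(exact ? option_is("blksize", name, nlen)
             : has_prefix("blksize", name, nlen))
      hits++;
  }
  return hits;
}

int main(void)
{
  printf("prefix: %d, exact: %d\n", count_blksize(sample, sizeof(sample), 0),
         count_blksize(sample, sizeof(sample), 1));
  return 0;
}
```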
The events on a multi wakeup socketpair were only consumed via
curl_multi_poll()/curl_multi_wait() but not in event based processing on
a curl_multi_socket() call. That led to busy loops as reported in
Fixes #21547
Reported-by: Earnestly on github
Closes #21549
- disable DES with nettle 4. It no longer supports it.
```
lib/curl_ntlm_core.c:67:12: fatal error: 'nettle/des.h' file not found
67 | # include <nettle/des.h>
| ^~~~~~~~~~~~~~
```
- fix MD4 support with nettle 4.
```
lib/md4.c:178:36: error: too many arguments to function call, expected 2, have 3
178 | md4_digest(ctx, MD4_DIGEST_SIZE, digest);
| ~~~~~~~~~~ ^~~~~~
```
- fix unused argument compiler warning:
```
lib/vtls/gtls.c:2267:39: error: unused parameter 'sha256len' [clang-diagnostic-unused-parameter,-warnings-as-errors]
2267 | size_t sha256len)
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970143?pr=21557
- GHA/macos: stop enabling NTLM in the GnuTLS job.
It no longer builds due to missing DES support in nettle 4.
```
lib/curl_ntlm_core.c:90:4: error: "cannot compile NTLM support without a crypto library with DES."
90 | # error "cannot compile NTLM support without a crypto library with DES."
| ^
```
Ref: https://github.com/curl/curl/actions/runs/25710321195/job/75488970170?pr=21557
Follow-up to cfadbaa133 #21169
Closes #21557
These macros are leftovers from when DNS caching was moved out of
hostip.c into its own source file. Both are still defined and used in
lib/dnscache.c; the copies in lib/hostip.c are unreferenced.
Detected with clang -Wunused-macros.
Follow-up to 96d5b5c688
Closes #21550
This bit was used to do Digest authentication like Internet Explorer
before version 7 (released on October 18, 2006). Presumably no one uses
this anymore and since it is hard to use and does broken auth, starting
in 8.21.0 this bit does nothing (except setting the actual Digest bit).
Closes #21486
The code would previously read one byte past the provided
CURLOPT_CAINFO_BLOB if the blob ends exactly with -----BEGIN
CERTIFICATE-----
Reported-by: Andrew Nesbit
Closes #21543
- passing an unknown string to CURLOPT_ECH now returns error
To properly allow applications to spot if they pass in a typo or
something to libcurl.
- CURLECH_DISABLE is now a plain zero internally, not a dedicated bit which
simplifies checks for when ECH is enabled
- Dropped the CURLECH_CLA_CFG bit, and just check STRING_ECH_CONFIG
- Turn grease/enable/hard into three different numerical values, no bitmask
needed
- Convert the struct field 'tls_ech' from an int to a byte.
Closes #21532
The 'ber' pointer could remain allocated in the exit path if the write
callback returned error for one of the Curl_client_write() calls.
Reported-by: Andrew Nesbit
Closes #21530
When a connection is tested for reuse in a transfer that *may* upgrade
to TLS (commonly via STARTTLS), the SSL configuration must match the
existing connection.
Reported-by: Andrew Nesbit
Closes #21522
- rename `req->proxyuserpwd` to `req->hd_proxy_auth`
- rename `req->userpwd` to `req->hd_auth`
- rename parameter `proxytunnel` to `is_connect` for Curl_http_output_auth()
- move path+query concatenation into Curl_http_output_auth(), saving an alloc when no auth is in play
- rename `H1_HD_USER_AUTH` into `H1_HD_AUTH`
Closes #21513