Commit graph

2186 commits

Author SHA1 Message Date
Viktor Szakats
037ff984ff
or higher -> or greater 9 src
2026-06-13 00:09:22 +02:00
Viktor Szakats
46d858bc3b
or higher -> or greater 9 src
2026-06-13 00:09:22 +02:00
Viktor Szakats
c62c48ef44
and older -> or older
2026-06-13 00:09:05 +02:00
Viktor Szakats
9224d37408
and newer -> or newer
2026-06-13 00:09:05 +02:00
Viktor Szakats
44439068b8
and older -> or older
2026-06-13 00:09:05 +02:00
Viktor Szakats
e66bdb9941
and above -> or newer
2026-06-13 00:09:05 +02:00
Viktor Szakats
6ba2ab0741
or later -> newer (Windows version)
2026-06-13 00:09:05 +02:00
Viktor Szakats
a2e9dfa9f0
or older -> lower
2026-06-13 00:09:05 +02:00
Viktor Szakats
46c2cf51f7
at least -> higher
2026-06-13 00:09:05 +02:00
Viktor Szakats
7d02e46280
or newer -> higher
2026-06-13 00:09:05 +02:00
Viktor Szakats
1d5dc6d2f9
or later -> higher
2026-06-13 00:09:04 +02:00
Viktor Szakats
68a0bb1f50
or upper -> higher
2026-06-13 00:08:23 +02:00
Viktor Szakats
879a1514c3
socket: introduce SOCK_EAGAIN() and use it
To contain the logic of checking for both `EWOULDBLOCK` and/or `EAGAIN`
depending on platform/availability. Also to avoid checking for both if
they map to the same value, and to avoid PP guards around use.

This also ensures `EAGAIN` is consistently not checked on Windows, where
headers defined it, but `SOCKERRNO` never returns it, because curl maps
it to `WSAGetLastError()`.

If they map to the same value, checking them both in an `if` expression
trips GCC warning `-Wlogical-op` (the same way it triggers duplicate
case value error in `switch`).

Also:
- replace two `switch()` statements with the new macro.
- tests/server/sws: make two outliers use the new macro that were only
  checking for `EWOULDBLOCK` before this patch, in `connect_to()`.
- move variables to the left-side of expressions, where missing.
- rustls: use a variant of this macro that uses raw `EWOULDBLOCK`.
  Tried tracing it back to the origins, but I couldn't figure out if
  this is working as expected on all supported Windows versions in
  Rust. It seems to be using `GetLastError()`, according to
  https://docs.rs/system_error/0.2.0/system_error/, which would be
  probably incorrect.

Notes:
- it's probably a good idea to assign `SOCKERRNO` to a variable before
  passing it to this macro.

Cherry-picked from #21893

Closes #21992
2026-06-12 23:27:23 +02:00
Stefan Eissing
7d8c68adbe
schannel: fix https proxy for client cert and certinfo
When schannel operates in front of a proxy, it needs to use the proxy
ssl configs, not the transfer's ones. Choose the configs as it is done in
other TLS backends.

Prior to this change the client cert for the destination was mistakenly
also used as the client cert for the proxy.

Prior to this change the proxy server certificate info was mistakenly
saved as the destination cert info. However, if the destination was a
TLS connection, the real destination cert info would overwrite the
proxy cert info. libcurl currently does not support proxy server cert
info AFAICT (see discussion in #21986).

Closes https://github.com/curl/curl/pull/21986
2026-06-12 14:21:10 -04:00
Viktor Szakats
2a606c68fa
tidy-up: miscellaneous
- GHA/windows: drop redundant double-quotes.
- CMake/PickyWarnings: improve/shorten comment.
- INTERNALS: fix typo in LibreSSL release date.
- drop redundant parentheses from single variables and sole `#if`
  expressions.
- cf-ip-happy: fix missing space from error string.
- telnet: fix parentheses in commented PP code.
- lib1922: fix typo in test output text.
- smbserver: unfold lines.
- smbserver: use f-string.
- smbserver: initialize binary string as b``.
- fix typos in comments.

Closes #21972
2026-06-11 19:48:07 +02:00
Viktor Szakats
97aed9c960
tidy-up: drop stray comparisons with literal zero
Drop from:
- strcmp, strcmpi, strncmp, memcmp, lstat, getrlimit, setrlimit, fseek,
  fstat
- autotools detection snippets.
- smooth-gtk-thread: simplify `!var != 0` expression.

Closes #21947
2026-06-10 15:15:54 +02:00
Viktor Szakats
2f3fa479dd
build: enable -Wformat-signedness, fix issues found
Adjust code to avoid `-Wformat-signedness` warnings, while making sure
that enums are always cast to a known type when passing them to `printf`
functions, to support compilers and compiler settings where enums are
not default-size signed ints.

- cast integers printed as hex to `unsigned`. (63 times, 20 of them in
  `mbedtls.c`)
- cast misc enums to `int` for printing. (31 times)
- cast `CURL_LOCK_DATA_*` enums to `int`. (4 times)
- cast `CURL_FORMADD_*` enums to `int`. (13 times)
- cast `CURLSHE_*` enums to `int`. (3 times)
- cast `CURLUE_*` enums to `int`. (33 times)
- cast `CURLMSG_*` enums to `int`. (6 times)
- cast `CURLE_*` enums to `int`. (~380 times)
- unit1675: fix mask.
  Follow-up to 7c34365cce #21879

Ref: #18343 (initial attempt)

Closes #20848
2026-06-10 15:14:08 +02:00
Stefan Eissing
f924489b25
ngtcp2: share common functionality
Share common functions/structs between ngtcp2 HTTP/3 and the proxy
version.

Fix bugs in proxy implementation when it comes to stream and pollset
handling and transfer lifetimes.

Curl_multi_xfer_sockbuf_borrow: work without multi

When a connection gets shutdown by a share, the easy handle used is
share->admin and it does not have a multi handle. In that case let
Curl_multi_xfer_sockbuf_borrow() allocate a buffer to be freed on
release.

This happens when a TLS filter sends its last notify through an HTTP/3
proxy tunnel.

Closes #21871
2026-06-10 13:28:05 +02:00
Viktor Szakats
014be82a66
tidy-up: drop redundant == NULL syntax
Where missed by checksrc.

Closes #21935
2026-06-09 14:37:36 +02:00
Viktor Szakats
59213abfb2
tidy-up: drop redundant != NULL syntax
Where missed by checksrc.

Closes #21932
2026-06-09 14:37:36 +02:00
Viktor Szakats
847aac066d
tidy-up: use uppercase TRUE/FALSE where missing
Keep it only in external API calls and C++ code.

Also:
- curlx/fopen: replace with `!!`.

Spotted by GitHub Code Quality in cf-socket.c.

Closes #21925
2026-06-09 12:52:08 +02:00
Viktor Szakats
952b04474c
tidy-up: miscellaneous
- badwords: replace stray synonyms with 'null-terminator'.
- tests/FILEFORMAT.md: tidy up feature descriptions.
- printf: replace stray `%i` masks with `%d` for consistency.
- pytest: add comments for empty excepts to try silencing GitHub CodeQL
  warnings.
- tool1394, unit1675: merge nested `if`s.
- dnscache: fix typo in comment.
- fix whitespace, indent and newlines.

Closes #21921
2026-06-09 11:07:55 +02:00
Stefan Eissing
d69bfad3fa
ssl native_ca_store: always reinit
Add bit `native_ca_store_opt` to keep the setting of
CURLOPT_(PROXY_)SSL_OPTIONS and use that to calculate every easy
transfer if a native CA store shall be used or not.

This avoids `native_ca_store` getting stuck on TRUE after being set
once.

Closes #21902
2026-06-08 13:53:54 +02:00
Vasiliy-Kkk
3b9f0972e2
schannel_verify: simplify CryptQueryObject use
- Specify that the content is base64 encoded, rather than rely on
  auto-detect.

- Remove unnecessary sanity check of the returned content type.

Closes https://github.com/curl/curl/pull/21760
2026-06-06 11:27:34 -04:00
Viktor Szakats
1b8f4dba28
tidy-up: drop stray casts for allocated pointers
Closes #21865
2026-06-05 12:24:01 +02:00
Viktor Szakats
2932b7f56f
gtls: minor fixes and improvements
- fix GnuTLS function name reference in `Curl_gtls_shared_creds_create()`
  error message.
  Spotted by GitHub Code Quality.
- unfold a line.
- in `Curl_gtls_verifyserver()`:
  - report the failure of `gnutls_x509_crt_import()`.
    Spotted by GitHub Code Quality.
  - fix a minor inconsistency in error strings.
  - drop redundant NULL checks for `config->issuercert`.

Closes #21850
2026-06-02 21:59:41 +02:00
Vasiliy-Kkk
a79467343f
schannel: use fopen instead of CreateFile
- Refactor CA file reading to use the typical fopen/fread instead of
  CreateFile/ReadFile.

Closes https://github.com/curl/curl/pull/21773
2026-06-02 13:58:21 -04:00
Joshua Rogers
be6c4ee7fa
gtls: verify OCSP response signature in gtls_verify_ocsp_status
Since aeb1a281ca ("gtls: fix OCSP stapling management"), the function
parses the stapled OCSP response and reads the certificate status via
gnutls_ocsp_resp_get_single(), but never calls gnutls_ocsp_resp_verify()
or gnutls_ocsp_resp_verify_direct(). A response with a forged or
corrupted signature is accepted without question.

Fix by calling gnutls_ocsp_resp_verify() against the trust list obtained
from the session credentials immediately after gnutls_ocsp_resp_import().
This handles both directly-signed responses and delegated OCSP responders
without requiring the issuer certificate to be present in the peer chain.

The missing check only affects the CURLOPT_SSL_VERIFYSTATUS code path
when CURLOPT_SSL_VERIFYPEER is disabled. With peer verification enabled,
gnutls_certificate_verify_peers2() independently catches the invalid
response via GNUTLS_CERT_INVALID_OCSP_STATUS before
gtls_verify_ocsp_status() is reached. As a result, no attack is possible
that is not already trivially achievable without OCSP stapling when peer
verification is off. This is a correctness and consistency fix, not a
security vulnerability.

Reported-by: Joshua Rogers

Closes #21677
2026-06-02 13:30:35 +02:00
Stefan Eissing
31cb54e1fa
cfilters: remove close method
Closing a filter chain and reconnecting it again is a complication
that only the HTTP/1.x proxy filter used. Remove it from all filters.

Instead, a filter can return CURLE_AGAIN during the connect phase
and the cf-setup filter will tear down all "sub filters" and restart
over.

With this, a filter never resets to the initial phase but progresses
through connect -> connected -> shutdown -> destroy once.

Closes #21831
2026-06-02 08:27:00 +02:00
Stefan Eissing
d3391229b0
vtls_config: adjust to origin
When a transfer goes against another origin than the initial one, do not
add the following to the ssl configuration: client cert, client key, srp
user/pass, pinned key.

Closes #21695
2026-06-01 09:39:17 +02:00
Viktor Szakats
f1a6f190a6
badwords: prefer 'workaround' (without hyphen)
Closes #21807
2026-05-31 22:05:54 +02:00
Viktor Szakats
59320082b0
tidy-up: apply clang-format fixes
To lib, vtls/vauth, vtls/vquic, lib/vtls.

Also:
- unit3400: drop redundant `(void)arg`.
  Follow-up to e78b1b3ecc #21153
- fix comment typos.

Closes #21786
2026-05-28 00:05:47 +02:00
Viktor Szakats
40f2da6ec3
vtls: more large buffer support and error checks for SHA-256
- gnutls: support 4GiB+ SHA-256 digest inputs.
- openssl: check success of low-level update/finish digest calls.
- openssl: pass NULL to `EVP_DigestFinal_ex()` instead of discarding
  returned value.
- wolfssl: support 4GiB+ SHA-256 digest inputs.
- wolfssl: check success of low-level update/finish digest calls.
- sync and tidy up argument names in low-level sha256_sum functions.

Closes #21771
2026-05-27 16:57:39 +02:00
Viktor Szakats
a1baacc670
schannel: check schannel_sha256sum() success, and more
Also:
- support 4GiB+ SHA-256 digest inputs.
- check `CryptGetHashParam()` output size.
- avoid overwriting existing digest when new digest calculation fails.
- avoid adding digest hash element on failure.

Closes #21739
2026-05-27 16:57:38 +02:00
Viktor Szakats
7bcf34672d
vtls_spack: drop redundant macro fallbacks
For `UINT16_MAX` and `UINT32_MAX`. They are used in other sources
without this fallback.

Closes #21768
2026-05-27 16:53:57 +02:00
Viktor Szakats
7e1001bcd6
tidy-up: miscellaneous
- H3 proxy: re-sync code with original source `curl_ngtcp2.c` to reduce
  differences, and to apply missed minor fixes. Also apply clang-format.
  Drop redundant `#undef`s, casts, `#endif` comments, includes, drop
  intermediate variables, sync include and macro order.
  Follow-up to e78b1b3ecc #21153
- INSTALL-CMAKE.md: move `CURL_ENABLE_SMB` to the enable section.
- tests/http/env: rename `tcpdmp` to `tcpdump` to match object variable.
- mbedtls: drop incorrect `mbedTLS 4+` comments.
  (features are also supported by 3+, meaning it's always supported.)
- lib1648: rename a variable to match purpose.
- CIPHERS.md: alpha-sort link list.
- replace rare `X''` hex markup with `0x`.
- `IP v4/6` -> `IPv4/6`.
- 'version X.Y' -> 'vX.Y', where sensible.
- 'VX.Y' -> 'vX.Y', where sensible.
- fix indents, casing, newlines, typos.

Closes #21772
2026-05-27 16:53:57 +02:00
Daniel Stenberg
efdf733bae
gtls: use the correct return code in trace output
Instead of using a hard-coded zero.

Spotted by Copilot

Closes #21766
2026-05-27 09:38:39 +02:00
Joshua Rogers
f21b5d4e66
gtls: fix ignored return and uninitialized status in OCSP check
gnutls_ocsp_resp_get_single() was called with (void) discarding its
return value, so a failure (e.g. an OCSP response with no
SingleResponse entries) went undetected. The following switch() then
read an uninitialized gnutls_ocsp_cert_status_t, which is undefined
behaviour and could yield GNUTLS_OCSP_CERT_GOOD (0) depending on
stack contents, causing gtls_verify_ocsp_status to return CURLE_OK for
a response that was never successfully parsed.

Fix by initializing status to GNUTLS_OCSP_CERT_UNKNOWN and treating a
negative return from gnutls_ocsp_resp_get_single as an error.

Closes #21679
2026-05-27 09:01:00 +02:00
Aritra Basu
e78b1b3ecc
HTTP/3: add proxy CONNECT and MASQUE CONNECT-UDP support (ngtcp2 QUIC)
This patch adds two major proxy capabilities to curl (ngtcp2 QUIC):
- HTTP/3 Proxy CONNECT: Tunnel HTTP/1.1 or HTTP/2 traffic through an
  HTTPS proxy that speaks HTTP/3 (QUIC) using the standard CONNECT
  method over an HTTP/3 connection.
- MASQUE CONNECT-UDP: Tunnel HTTP/3 (QUIC) traffic through an HTTP
  proxy (speaking HTTP/1.1, HTTP/2, or HTTP/3) using the extended
  CONNECT method with the CONNECT-UDP protocol (RFC9297 & RFC9298).

Public API additions:
- `CURLPROXY_HTTPS3`: new proxy type constant for HTTP/3 proxy
- `--proxy-http3`: new CLI flag to negotiate HTTP/3 with HTTPS proxy

The implementation adds two new filters:
- `H3-PROXY` - enables negotiating HTTP/3 (QUIC) to the proxy and
  running CONNECT/CONNECT-UDP through that proxy transport.
- `CAPSULE` - dedicated filter inserted between QUIC transport and
  HTTP-PROXY to handle datagram capsule encapsulation/decapsulation.

Here is how the curl filter chaining looks in different scenarios:
- HTTP/3 Proxy CONNECT (tunneling TCP protocols over QUIC proxy):
  conn -> HTTP/1.1 or HTTP/2  -> SSL -> HTTP-PROXY ->
                                 H3-PROXY -> HAPPY-EYEBALLS -> UDP
- MASQUE CONNECT-UDP (tunneling QUIC over any proxy):
  conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H3-PROXY ->
                               HAPPY-EYEBALLS -> UDP
  conn -> HTTP/3 -> CAPSULE -> HTTP-PROXY -> H1-PROXY or H2-PROXY ->
                               SSL -> HAPPY-EYEBALLS -> TCP

- Both features currently require the ngtcp2 QUIC backend.
- Both features are experimental (disabled by default). Enable with
  `--enable-proxy-http3` (autotools) or `-DUSE_PROXY_HTTP3=ON` (CMake).

Tests:
- tests/unit/unit3400.c: Unit tests for capsule protocol encode/decode
- tests/http/test_60_h3_proxy.py: Comprehensive pytest integration suite
- tests/http/testenv/h2o.py: Managing h2o instances with HTTP/1.1, HTTP/2,
  and HTTP/3 (QUIC) listeners, proxy.connect and proxy.connect-udp enabled.

References:
  RFC 9297 - HTTP Datagrams and the Capsule Protocol
  RFC 9298 - Proxying UDP in HTTP
  RFC 9000 §16 - Variable-Length Integer Encoding

Signed-off-by: Aritra Basu <aritrbas+gh@cisco.com>

Closes #21153
2026-05-27 08:49:53 +02:00
Stefan Eissing
f27233e984
GnuTLS: require 3.7.2 for earlydata
Since all API features we need for TLSv1.3 earlydata support do exist
only from version 3.7.2 onwards, make that the minimal version required.

Fixes #21750
Reported-by: Johannes Schlatow
Closes #21751
2026-05-26 13:41:21 +02:00
Joshua Rogers
fc90bdbaf9
schannel: error on TLS 1.3-only with cipher list
The legacy SCHANNEL_CRED path cannot negotiate TLS 1.3. When TLS 1.3
is the only enabled protocol and a cipher list is set, fail instead of
silently downgrading to TLS 1.2.

Fixes https://github.com/curl/curl/issues/21702
Closes https://github.com/curl/curl/pull/21725
2026-05-22 11:22:15 -04:00
Viktor Szakats
bcd0497c81
tidy-up: use curlx_safefree()
Closes #21700
2026-05-21 01:31:03 +02:00
Joshua Rogers
cce4d3b0ed
schannel: fix revoke_best_effort setting for proxy
- Fix revoke_best_effort reading wrong ssl config.

Prior to this change the revoke_best_effort setting for the proxy was
wrongly ignored in favor of the same setting for the destination host.

In other words, CURLSSLOPT_REVOKE_BEST_EFFORT set via
CURLOPT_PROXY_SSL_OPTIONS did not apply to the proxy and
CURLSSLOPT_REVOKE_BEST_EFFORT set via CURLOPT_SSL_OPTIONS wrongly
applied to the proxy.

Closes https://github.com/curl/curl/pull/21683
2026-05-20 13:51:35 -04:00
Viktor Szakats
b3f76b21c9
tidy-up: miscellaneous
- fix typos and wording in documentation and comments.
- KNOWN_BUGS: merge duplicate H1 section.
- test_10_proxy: delete stray expressions.
- Perl: `while()` -> `while(1)`.
- Perl: fix indent, whitespace, drop redundant quotes and parentheses.
- fix casing: URL, SSL, Windows.
- badwords: readd `threadsafe`, add `well-known` (and fix it).
- replace `WinXP` -> `Windows XP` to match other uses.

Closes #21646
2026-05-20 00:50:43 +02:00
Joshua Rogers
7541ae569d
tls: fix incomplete mTLS config in conn reuse and session cache
cert_type, key, key_type, key_passwd and key_blob lived in
ssl_config_data but not in ssl_primary_config, so they were invisible to
match_ssl_primary_config() and to the TLS session cache peer key.

Two easy handles sharing a connection pool could reuse each other's
authenticated connections when they differed only on SSLKEY, SSLKEYTYPE,
KEYPASSWD, SSLCERTTYPE or SSLKEYBLOB. The second handle would silently
inherit the first handle's authenticated identity.

Promote all five fields into ssl_primary_config so the conn-reuse
predicate and session cache key cover the complete client credential
set. Also replace the fixed ":CCERT" session cache marker with the
actual clientcert path so sessions are not shared across different
client certificates.

Verified by tests 3303 and 3304

Reported-By: Joshua Rogers (AISLE Research)
Closes #21667
2026-05-20 00:02:33 +02:00
Viktor Szakats
000de81fb1
tidy-up: rename more CURLcode variables to result
Follow-up to 885b553545 #21348

Closes #21676
2026-05-19 16:55:45 +02:00
Joshua Rogers
81da4ee249
vtls: use Curl_safecmp for CRLfile and pinned_key comparison
Both are filesystem paths (or case-sensitive hash strings for
pinned_key). curl_strequal is case-insensitive and would treat
/etc/ssl/Crl.pem and /etc/ssl/crl.pem as the same file, unlike the other
path fields (CApath, CAfile, issuercert, clientcert) which already use
Curl_safecmp.

Closes #21668
2026-05-19 15:10:47 +02:00
Mark Esler
8a86fa13f3
vtls_scache: include signature_algorithms in the SSL peer cache key
Curl_ssl_peer_key_make() omitted ssl->signature_algorithms, although
match_ssl_primary_config() compares the field. Two handles differing
only in CURLOPT_SSL_SIGNATURE_ALGORITHMS therefore shared a peer key and
could resume each other's sessions across a shared CURLSH SSL session
cache.

Add :SIGALGS-%s next to the other ssl_primary_config fields.

Closes #21651
2026-05-18 13:59:11 +02:00
Viktor Szakats
3f8f725d97
schannel: enforce Extended Key Usage for custom CA roots
Reported-by: Joshua Rogers (Aisle Research)

Closes #21629
2026-05-16 11:55:59 +02:00
Sergio Correia
61d59c9e39
x509asn1: fix DH public key parameter extraction
The dh(g) parameter was read from param->beg instead of from the
cursor p returned by parsing dh(p). This caused dh(g) to always
report the same value as dh(p) when inspecting DH certificates
via CURLOPT_CERTINFO on non-OpenSSL backends.

The DSA branch correctly advances the cursor; the DH branch lost
this during what appears to be a copy-paste.

Add unit1676 to verify that dh(p) and dh(g) report distinct values
using a hand-crafted minimal DER certificate.

Assisted by: Claude Opus 4.6
Signed-off-by: Sergio Correia <scorreia@redhat.com>
Closes #21595
2026-05-16 01:06:56 +02:00