luna - curl/lib/url.c

   1/***************************************************************************
   2 *                                  _   _ ____  _
   3 *  Project                     ___| | | |  _ \| |
   4 *                             / __| | | | |_) | |
   5 *                            | (__| |_| |  _ <| |___
   6 *                             \___|\___/|_| \_\_____|
   7 *
   8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
   9 *
  10 * This software is licensed as described in the file COPYING, which
  11 * you should have received as part of this distribution. The terms
  12 * are also available at https://curl.se/docs/copyright.html.
  13 *
  14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15 * copies of the Software, and permit persons to whom the Software is
  16 * furnished to do so, under the terms of the COPYING file.
  17 *
  18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19 * KIND, either express or implied.
  20 *
  21 * SPDX-License-Identifier: curl
  22 *
  23 ***************************************************************************/
  24#include "curl_setup.h"
  25
  26#ifdef HAVE_NETINET_IN_H
  27#include <netinet/in.h>
  28#endif
  29#ifdef HAVE_NETDB_H
  30#include <netdb.h>
  31#endif
  32#ifdef HAVE_ARPA_INET_H
  33#include <arpa/inet.h>
  34#endif
  35#ifdef HAVE_NET_IF_H
  36#include <net/if.h>
  37#endif
  38#ifdef HAVE_IPHLPAPI_H
  39#include <Iphlpapi.h>
  40#endif
  41#ifdef HAVE_SYS_IOCTL_H
  42#include <sys/ioctl.h>
  43#endif
  44#ifdef HAVE_SYS_PARAM_H
  45#include <sys/param.h>
  46#endif
  47
  48#ifdef __VMS
  49#include <in.h>
  50#include <inet.h>
  51#endif
  52
  53#ifdef HAVE_SYS_UN_H
  54#include <sys/un.h>
  55#endif
  56
  57#ifndef HAVE_SOCKET
  58#error "We cannot compile without socket() support!"
  59#endif
  60
  61#if defined(HAVE_IF_NAMETOINDEX) && defined(USE_WINSOCK)
  62#if defined(__MINGW32__) && (__MINGW64_VERSION_MAJOR <= 5)
  63#include <wincrypt.h>  /* workaround for old mingw-w64 missing to include it */
  64#endif
  65#include <iphlpapi.h>
  66#endif
  67
  68#include "urldata.h"
  69#include "mime.h"
  70#include "bufref.h"
  71#include "vtls/vtls.h"
  72#include "vssh/vssh.h"
  73#include "hostip.h"
  74#include "transfer.h"
  75#include "curl_addrinfo.h"
  76#include "curl_trc.h"
  77#include "progress.h"
  78#include "cookie.h"
  79#include "strcase.h"
  80#include "escape.h"
  81#include "curl_share.h"
  82#include "http_digest.h"
  83#include "multiif.h"
  84#include "getinfo.h"
  85#include "pop3.h"
  86#include "urlapi-int.h"
  87#include "system_win32.h"
  88#include "hsts.h"
  89#include "noproxy.h"
  90#include "cfilters.h"
  91#include "idn.h"
  92#include "http_proxy.h"
  93#include "conncache.h"
  94#include "multihandle.h"
  95#include "curlx/strdup.h"
  96#include "setopt.h"
  97#include "altsvc.h"
  98#include "curlx/dynbuf.h"
  99#include "headers.h"
 100#include "curlx/strerr.h"
 101#include "curlx/strparse.h"
 102
 103/* Now for the protocols */
 104#include "ftp.h"
 105#include "dict.h"
 106#include "telnet.h"
 107#include "tftp.h"
 108#include "http.h"
 109#include "vauth/vauth.h"
 110#include "file.h"
 111#include "curl_ldap.h"
 112#include "vssh/ssh.h"
 113#include "imap.h"
 114#include "url.h"
 115#include "connect.h"
 116#include "gopher.h"
 117#include "mqtt.h"
 118#include "rtsp.h"
 119#include "smtp.h"
 120#include "ws.h"
 121
 122#ifdef USE_NGHTTP2
 123static void data_priority_cleanup(struct Curl_easy *data);
 124#else
 125#define data_priority_cleanup(x)
 126#endif
 127
 128/* Some parts of the code (e.g. chunked encoding) assume this buffer has more
 129 * than a few bytes to play with. Do not let it become too small or bad things
 130 * will happen.
 131 */
 132#if READBUFFER_SIZE < READBUFFER_MIN
 133# error READBUFFER_SIZE is too small
 134#endif
 135
 136/*
 137 * get_protocol_family()
 138 *
 139 * This is used to return the protocol family for a given protocol.
 140 *
 141 * Parameters:
 142 *
 143 * 's'  [in]  - struct Curl_scheme pointer.
 144 *
 145 * Returns the family as a single bit protocol identifier.
 146 */
 147static curl_prot_t get_protocol_family(const struct Curl_scheme *s)
 148{
 149  DEBUGASSERT(s);
 150  DEBUGASSERT(s->family);
 151  return s->family;
 152}
 153
 154void Curl_freeset(struct Curl_easy *data)
 155{
 156  /* Free all dynamic strings stored in the data->set substructure. */
 157  enum dupstring i;
 158  enum dupblob j;
 159
 160  for(i = (enum dupstring)0; i < STRING_LAST; i++) {
 161    curlx_safefree(data->set.str[i]);
 162  }
 163
 164  for(j = (enum dupblob)0; j < BLOB_LAST; j++) {
 165    curlx_safefree(data->set.blobs[j]);
 166  }
 167
 168  Curl_bufref_free(&data->state.referer);
 169  Curl_bufref_free(&data->state.url);
 170
 171#if !defined(CURL_DISABLE_MIME) || !defined(CURL_DISABLE_FORM_API)
 172  Curl_mime_cleanpart(data->set.mimepostp);
 173  curlx_safefree(data->set.mimepostp);
 174#endif
 175
 176#ifndef CURL_DISABLE_COOKIES
 177  curl_slist_free_all(data->state.cookielist);
 178  data->state.cookielist = NULL;
 179#endif
 180}
 181
 182/* free the URL pieces */
 183static void up_free(struct Curl_easy *data)
 184{
 185  struct urlpieces *up = &data->state.up;
 186  curlx_safefree(up->scheme);
 187  curlx_safefree(up->hostname);
 188  curlx_safefree(up->port);
 189  curlx_safefree(up->user);
 190  curlx_safefree(up->password);
 191  curlx_safefree(up->options);
 192  curlx_safefree(up->path);
 193  curlx_safefree(up->query);
 194  curl_url_cleanup(data->state.uh);
 195  data->state.uh = NULL;
 196}
 197
 198/*
 199 * This is the internal function curl_easy_cleanup() calls. This should
 200 * cleanup and free all resources associated with this sessionhandle.
 201 *
 202 * We ignore SIGPIPE when this is called from curl_easy_cleanup.
 203 */
 204
 205CURLcode Curl_close(struct Curl_easy **datap)
 206{
 207  struct Curl_easy *data;
 208
 209  if(!datap || !*datap)
 210    return CURLE_OK;
 211
 212  data = *datap;
 213  *datap = NULL;
 214
 215  if(!data->state.internal && data->multi) {
 216    /* This handle is still part of a multi handle, take care of this first
 217       and detach this handle from there.
 218       This detaches the connection. */
 219    curl_multi_remove_handle(data->multi, data);
 220  }
 221  else {
 222    /* Detach connection if any is left. This should not be normal, but can be
 223       the case for example with CONNECT_ONLY + recv/send (test 556) */
 224    Curl_detach_connection(data);
 225    if(!data->state.internal && data->multi_easy) {
 226      /* when curl_easy_perform() is used, it creates its own multi handle to
 227         use and this is the one */
 228      curl_multi_cleanup(data->multi_easy);
 229      data->multi_easy = NULL;
 230    }
 231  }
 232  DEBUGASSERT(!data->conn || data->state.internal);
 233
 234  Curl_expire_clear(data); /* shut off any timers left */
 235
 236  if(data->state.rangestringalloc)
 237    curlx_free(data->state.range);
 238
 239  /* release any resolve information this transfer kept */
 240  Curl_resolv_destroy_all(data);
 241
 242  data->set.verbose = FALSE; /* no more calls to DEBUGFUNCTION */
 243  data->magic = 0; /* force a clear AFTER the possibly enforced removal from
 244                    * the multi handle and async dns shutdown. The multi
 245                    * handle might check the magic and so might any
 246                    * DEBUGFUNCTION invoked for tracing */
 247
 248  /* freed here in case DONE was not called */
 249  Curl_req_free(&data->req, data);
 250
 251  /* Close down all open SSL info and sessions */
 252  Curl_ssl_close_all(data);
 253  Curl_peer_unlink(&data->state.initial_origin);
 254  Curl_ssl_free_certinfo(data);
 255
 256  Curl_bufref_free(&data->state.referer);
 257
 258  up_free(data);
 259  curlx_dyn_free(&data->state.headerb);
 260  Curl_flush_cookies(data, TRUE);
 261#ifndef CURL_DISABLE_ALTSVC
 262  Curl_altsvc_save(data, data->asi, data->set.str[STRING_ALTSVC]);
 263  Curl_altsvc_cleanup(&data->asi);
 264#endif
 265#ifndef CURL_DISABLE_HSTS
 266  Curl_hsts_save(data, data->hsts, data->set.str[STRING_HSTS]);
 267  if(!data->share || !data->share->hsts)
 268    Curl_hsts_cleanup(&data->hsts);
 269  curl_slist_free_all(data->state.hstslist); /* clean up list */
 270#endif
 271#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_DIGEST_AUTH)
 272  Curl_http_auth_cleanup_digest(data);
 273#endif
 274  curlx_safefree(data->state.most_recent_ftp_entrypath);
 275  curlx_safefree(data->info.contenttype);
 276  curlx_safefree(data->info.wouldredirect);
 277
 278  data_priority_cleanup(data);
 279
 280  /* No longer a dirty share, if it exists */
 281  if(Curl_share_easy_unlink(data))
 282    DEBUGASSERT(0);
 283
 284  Curl_hash_destroy(&data->meta_hash);
 285  Curl_creds_unlink(&data->state.creds);
 286  curlx_safefree(data->state.aptr.uagent);
 287  curlx_safefree(data->state.aptr.accept_encoding);
 288  curlx_safefree(data->state.aptr.rangeline);
 289  curlx_safefree(data->state.aptr.ref);
 290  curlx_safefree(data->state.aptr.host);
 291#ifndef CURL_DISABLE_COOKIES
 292  curlx_safefree(data->req.cookiehost);
 293#endif
 294#ifndef CURL_DISABLE_RTSP
 295  curlx_safefree(data->state.aptr.rtsp_transport);
 296#endif
 297
 298#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_FORM_API)
 299  Curl_mime_cleanpart(data->state.formp);
 300  curlx_safefree(data->state.formp);
 301#endif
 302
 303  /* destruct wildcard structures if it is needed */
 304  Curl_wildcard_dtor(&data->wildcard);
 305  Curl_freeset(data);
 306  Curl_headers_cleanup(data);
 307  Curl_netrc_cleanup(&data->state.netrc);
 308  curlx_free(data);
 309  return CURLE_OK;
 310}
 311
 312/*
 313 * Initialize the UserDefined fields within a Curl_easy.
 314 * This may be safely called on a new or existing Curl_easy.
 315 */
 316void Curl_init_userdefined(struct Curl_easy *data)
 317{
 318  struct UserDefined *set = &data->set;
 319
 320  set->out = stdout;  /* default output to stdout */
 321  set->in_set = stdin;  /* default input from stdin */
 322  set->err = stderr;  /* default stderr to stderr */
 323
 324#if defined(__clang__) && __clang_major__ >= 16
 325#pragma clang diagnostic push
 326#pragma clang diagnostic ignored "-Wcast-function-type-strict"
 327#endif
 328  /* use fwrite as default function to store output */
 329  set->fwrite_func = (curl_write_callback)fwrite;
 330
 331  /* use fread as default function to read input */
 332  set->fread_func_set = (curl_read_callback)fread;
 333#if defined(__clang__) && __clang_major__ >= 16
 334#pragma clang diagnostic pop
 335#endif
 336  set->is_fread_set = 0;
 337
 338  set->seek_client = ZERO_NULL;
 339
 340  set->filesize = -1;        /* we do not know the size */
 341  set->postfieldsize = -1;   /* unknown size */
 342  set->maxredirs = 30;       /* sensible default */
 343
 344  set->method = HTTPREQ_GET; /* Default HTTP request */
 345#ifndef CURL_DISABLE_RTSP
 346  set->rtspreq = RTSPREQ_OPTIONS; /* Default RTSP request */
 347#endif
 348#ifndef CURL_DISABLE_FTP
 349  set->ftp_use_epsv = TRUE;   /* FTP defaults to EPSV operations */
 350  set->ftp_use_eprt = TRUE;   /* FTP defaults to EPRT operations */
 351  set->ftp_use_pret = FALSE;  /* mainly useful for drftpd servers */
 352  set->ftp_filemethod = FTPFILE_MULTICWD;
 353  set->ftp_skip_ip = TRUE;    /* skip PASV IP by default */
 354#endif
 355  set->dns_cache_timeout_ms = 60000; /* Timeout every 60 seconds by default */
 356
 357  /* Timeout every 24 hours by default */
 358  set->general_ssl.ca_cache_timeout = 24 * 60 * 60;
 359
 360  set->httpauth = CURLAUTH_BASIC;  /* defaults to basic */
 361
 362#ifndef CURL_DISABLE_PROXY
 363  set->proxyport = 0;
 364  set->proxytype = CURLPROXY_HTTP; /* defaults to HTTP proxy */
 365  set->proxyauth = CURLAUTH_BASIC; /* defaults to basic */
 366  /* SOCKS5 proxy auth defaults to username/password + GSS-API */
 367  set->socks5auth = CURLAUTH_BASIC | CURLAUTH_GSSAPI;
 368#endif
 369
 370  Curl_ssl_easy_config_init(data);
 371#ifndef CURL_DISABLE_DOH
 372  set->doh_verifyhost = TRUE;
 373  set->doh_verifypeer = TRUE;
 374#endif
 375#ifdef USE_SSH
 376  /* defaults to any auth type */
 377  set->ssh_auth_types = CURLSSH_AUTH_DEFAULT;
 378  set->new_directory_perms = 0755; /* Default permissions */
 379#endif
 380
 381  set->new_file_perms = 0644;    /* Default permissions */
 382  set->allowed_protocols = (curl_prot_t)CURLPROTO_64ALL;
 383  set->redir_protocols = CURLPROTO_REDIR;
 384
 385#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
 386  /*
 387   * disallow unprotected protection negotiation NEC reference implementation
 388   * seem not to follow rfc1961 section 4.3/4.4
 389   */
 390  set->socks5_gssapi_nec = FALSE;
 391#endif
 392
 393  /* set default minimum TLS version */
 394#ifdef USE_SSL
 395  Curl_setopt_SSLVERSION(data, CURLOPT_SSLVERSION, CURL_SSLVERSION_DEFAULT);
 396#ifndef CURL_DISABLE_PROXY
 397  Curl_setopt_SSLVERSION(data, CURLOPT_PROXY_SSLVERSION,
 398                         CURL_SSLVERSION_DEFAULT);
 399#endif
 400#endif
 401#ifndef CURL_DISABLE_FTP
 402  set->wildcard_enabled = FALSE;
 403  set->chunk_bgn = ZERO_NULL;
 404  set->chunk_end = ZERO_NULL;
 405  set->fnmatch = ZERO_NULL;
 406#endif
 407  set->tcp_keepalive = FALSE;
 408  set->tcp_keepintvl = 60;
 409  set->tcp_keepidle = 60;
 410  set->tcp_keepcnt = 9;
 411  set->tcp_fastopen = FALSE;
 412  set->tcp_nodelay = TRUE;
 413  set->ssl_enable_alpn = TRUE;
 414  set->expect_100_timeout = 1000L; /* Wait for a second by default. */
 415  set->sep_headers = TRUE; /* separated header lists by default */
 416  set->buffer_size = READBUFFER_SIZE;
 417  set->upload_buffer_size = UPLOADBUFFER_DEFAULT;
 418  set->upload_flags = CURLULFLAG_SEEN;
 419  set->happy_eyeballs_timeout = CURL_HET_DEFAULT;
 420  set->upkeep_interval_ms = CURL_UPKEEP_INTERVAL_DEFAULT;
 421  set->maxconnects = DEFAULT_CONNCACHE_SIZE; /* for easy handles */
 422  set->conn_max_idle_ms = 118 * 1000;
 423  set->conn_max_age_ms = 24 * 3600 * 1000;
 424  set->http09_allowed = FALSE;
 425  set->httpwant = CURL_HTTP_VERSION_NONE;
 426#if defined(USE_HTTP2) || defined(USE_HTTP3)
 427  memset(&set->priority, 0, sizeof(set->priority));
 428#endif
 429  set->quick_exit = 0L;
 430#ifndef CURL_DISABLE_WEBSOCKETS
 431  set->ws_raw_mode = FALSE;
 432  set->ws_no_auto_pong = FALSE;
 433#endif
 434}
 435
 436/* easy->meta_hash destructor. Should never be called as elements
 437 * MUST be added with their own destructor */
 438static void easy_meta_freeentry(void *p)
 439{
 440  (void)p;
 441  /* Always FALSE. Cannot use a 0 assert here since compilers
 442   * are not in agreement if they then want a NORETURN attribute or
 443   * not. *sigh* */
 444  DEBUGASSERT(p == NULL);
 445}
 446
 447/**
 448 * Curl_open()
 449 *
 450 * @param curl is a pointer to a sessionhandle pointer that gets set by this
 451 * function.
 452 * @return CURLcode
 453 */
 454
 455CURLcode Curl_open(struct Curl_easy **curl)
 456{
 457  struct Curl_easy *data;
 458
 459  /* simple start-up: alloc the struct, init it with zeroes and return */
 460  data = curlx_calloc(1, sizeof(struct Curl_easy));
 461  if(!data) {
 462    /* this is a serious error */
 463    DEBUGF(curl_mfprintf(stderr, "Error: calloc of Curl_easy failed\n"));
 464    return CURLE_OUT_OF_MEMORY;
 465  }
 466
 467  data->magic = CURLEASY_MAGIC_NUMBER;
 468  /* most recent connection is not yet defined */
 469  data->state.lastconnect_id = -1;
 470  data->state.recent_conn_id = -1;
 471  /* and not assigned an id yet */
 472  data->id = -1;
 473  data->mid = UINT32_MAX;
 474  data->master_mid = UINT32_MAX;
 475  data->progress.hide = TRUE;
 476  data->state.current_speed = -1; /* init to negative == impossible */
 477
 478  Curl_hash_init(&data->meta_hash, 23,
 479                 Curl_hash_str, curlx_str_key_compare, easy_meta_freeentry);
 480  curlx_dyn_init(&data->state.headerb, CURL_MAX_HTTP_HEADER);
 481  Curl_bufref_init(&data->state.url);
 482  Curl_bufref_init(&data->state.referer);
 483  Curl_req_init(&data->req);
 484  Curl_initinfo(data);
 485#ifndef CURL_DISABLE_HTTP
 486  Curl_llist_init(&data->state.httphdrs, NULL);
 487#endif
 488  Curl_netrc_init(&data->state.netrc);
 489  Curl_init_userdefined(data);
 490
 491  *curl = data;
 492  return CURLE_OK;
 493}
 494
 495void Curl_conn_free(struct Curl_easy *data, struct connectdata *conn)
 496{
 497  size_t i;
 498
 499  DEBUGASSERT(conn);
 500
 501  if(conn->scheme && conn->scheme->run->disconnect &&
 502     !conn->bits.shutdown_handler)
 503    conn->scheme->run->disconnect(data, conn, TRUE);
 504
 505  for(i = 0; i < CURL_ARRAYSIZE(conn->cfilter); ++i) {
 506    Curl_conn_cf_discard_all(data, conn, (int)i);
 507  }
 508
 509#ifndef CURL_DISABLE_PROXY
 510  Curl_peer_unlink(&conn->http_proxy.peer);
 511  Curl_peer_unlink(&conn->socks_proxy.peer);
 512  Curl_creds_unlink(&conn->http_proxy.creds);
 513  Curl_creds_unlink(&conn->socks_proxy.creds);
 514#endif
 515  Curl_creds_unlink(&conn->creds);
 516  curlx_safefree(conn->options);
 517  curlx_safefree(conn->localdev);
 518  Curl_ssl_conn_config_cleanup(conn);
 519
 520  curlx_safefree(conn->destination);
 521  Curl_hash_destroy(&conn->meta_hash);
 522  Curl_peer_unlink(&conn->origin);
 523  Curl_peer_unlink(&conn->via_peer);
 524  Curl_peer_unlink(&conn->origin2);
 525  Curl_peer_unlink(&conn->via_peer2);
 526
 527  curlx_free(conn); /* free all the connection oriented data */
 528}
 529
 530/*
 531 * xfer_may_multiplex()
 532 *
 533 * Return a TRUE, iff the transfer can be done over an (appropriate)
 534 * multiplexed connection.
 535 */
 536static bool xfer_may_multiplex(const struct Curl_easy *data,
 537                               const struct connectdata *conn)
 538{
 539#ifndef CURL_DISABLE_HTTP
 540  /* If an HTTP protocol and multiplexing is enabled */
 541  if((conn->scheme->protocol & PROTO_FAMILY_HTTP) &&
 542     (!conn->bits.protoconnstart || !conn->bits.close)) {
 543
 544    if(Curl_multiplex_wanted(data->multi) &&
 545       (data->state.http_neg.allowed & (CURL_HTTP_V2x | CURL_HTTP_V3x)))
 546      /* allows HTTP/2 or newer */
 547      return TRUE;
 548  }
 549#else
 550  (void)data;
 551  (void)conn;
 552#endif
 553  return FALSE;
 554}
 555
 556#ifndef CURL_DISABLE_PROXY
 557static bool proxy_info_matches(const struct proxy_info *data,
 558                               const struct proxy_info *needle)
 559{
 560  if((data->proxytype == needle->proxytype) &&
 561     Curl_peer_same_destination(data->peer, needle->peer) &&
 562     Curl_creds_same(data->creds, needle->creds)) {
 563    return TRUE;
 564  }
 565  return FALSE;
 566}
 567#endif
 568
 569/* A connection has to have been idle for less than 'conn_max_idle_ms'
 570   (the success rate is too low after this), or created less than
 571   'conn_max_age_ms' ago, to be subject for reuse. */
 572static bool conn_maxage(struct Curl_easy *data,
 573                        struct connectdata *conn,
 574                        struct curltime now)
 575{
 576  timediff_t age_ms;
 577
 578  if(data->set.conn_max_idle_ms) {
 579    age_ms = curlx_ptimediff_ms(&now, &conn->lastused);
 580    if(age_ms > data->set.conn_max_idle_ms) {
 581      infof(data, "Too old connection (%" FMT_TIMEDIFF_T
 582            " ms idle, max idle is %" FMT_TIMEDIFF_T " ms), disconnect it",
 583            age_ms, data->set.conn_max_idle_ms);
 584      return TRUE;
 585    }
 586  }
 587
 588  if(data->set.conn_max_age_ms) {
 589    age_ms = curlx_ptimediff_ms(&now, &conn->created);
 590    if(age_ms > data->set.conn_max_age_ms) {
 591      infof(data,
 592            "Too old connection (created %" FMT_TIMEDIFF_T
 593            " ms ago, max lifetime is %" FMT_TIMEDIFF_T " ms), disconnect it",
 594            age_ms, data->set.conn_max_age_ms);
 595      return TRUE;
 596    }
 597  }
 598
 599  return FALSE;
 600}
 601
 602/*
 603 * Return TRUE iff the given connection is considered dead.
 604 */
 605bool Curl_conn_seems_dead(struct connectdata *conn,
 606                          struct Curl_easy *data)
 607{
 608  DEBUGASSERT(!data->conn);
 609  if(!CONN_INUSE(conn)) {
 610    /* The check for a dead socket makes sense only if the connection is not in
 611       use */
 612    bool dead;
 613
 614    if(conn_maxage(data, conn, *Curl_pgrs_now(data))) {
 615      /* avoid check if already too old */
 616      dead = TRUE;
 617    }
 618    else if(conn->scheme->run->connection_is_dead) {
 619      /* The protocol has a special method for checking the state of the
 620         connection. Use it to check if the connection is dead. */
 621      /* briefly attach the connection for the check */
 622      Curl_attach_connection(data, conn);
 623      dead = conn->scheme->run->connection_is_dead(data, conn);
 624      Curl_detach_connection(data);
 625    }
 626    else {
 627      bool input_pending = FALSE;
 628
 629      Curl_attach_connection(data, conn);
 630      dead = !Curl_conn_is_alive(data, conn, &input_pending);
 631      if(input_pending) {
 632        /* For reuse, we want a "clean" connection state. This includes
 633         * that we expect - in general - no waiting input data. Input
 634         * waiting might be a TLS Notify Close, for example. We reject
 635         * that.
 636         * For protocols where data from other end may arrive at
 637         * any time (HTTP/2 PING for example), the protocol handler needs
 638         * to install its own `connection_check` callback.
 639         */
 640        DEBUGF(infof(data, "connection has input pending, not reusable"));
 641        dead = TRUE;
 642      }
 643      Curl_detach_connection(data);
 644    }
 645
 646    if(dead) {
 647      /* remove connection from cpool */
 648      infof(data, "Connection %" FMT_OFF_T " seems to be dead",
 649            conn->connection_id);
 650      return TRUE;
 651    }
 652  }
 653  return FALSE;
 654}
 655
 656CURLcode Curl_conn_upkeep(struct Curl_easy *data,
 657                          struct connectdata *conn)
 658{
 659  CURLcode result = CURLE_OK;
 660  if(curlx_ptimediff_ms(Curl_pgrs_now(data), &conn->keepalive) <=
 661     data->set.upkeep_interval_ms)
 662    return result;
 663
 664  /* briefly attach for action */
 665  Curl_attach_connection(data, conn);
 666  result = Curl_conn_keep_alive(data, conn, FIRSTSOCKET);
 667  Curl_detach_connection(data);
 668
 669  conn->keepalive = *Curl_pgrs_now(data);
 670  return result;
 671}
 672
 673struct url_conn_match {
 674  struct connectdata *found;
 675  struct Curl_easy *data;
 676  struct connectdata *needle;
 677  BIT(may_multiplex);
 678  BIT(want_ntlm_http);
 679  BIT(want_proxy_ntlm_http);
 680  BIT(want_nego_http);
 681  BIT(want_proxy_nego_http);
 682  BIT(may_tls); /* May upgrade clear-text connection to TLS, can only reuse
 683                 * connections that have matching TLS configuration.
 684                 * Always TRUE if `req_tls` is TRUE. */
 685  BIT(require_tls); /* Requires TLS use from a clear-text start, can only
 686                 * reuse connections that have TLS. */
 687  BIT(wait_pipe);
 688  BIT(force_reuse);
 689  BIT(seen_pending_conn);
 690  BIT(seen_single_use_conn);
 691  BIT(seen_multiplex_conn);
 692};
 693
 694static bool url_match_connect_config(struct connectdata *conn,
 695                                     struct url_conn_match *m)
 696{
 697  /* connect-only or to-be-closed connections will not be reused */
 698  if(conn->bits.connect_only || conn->bits.close || conn->bits.no_reuse)
 699    return FALSE;
 700
 701  /* ip_version must match */
 702  if(m->data->set.ipver != CURL_IPRESOLVE_WHATEVER &&
 703     m->data->set.ipver != conn->ip_version)
 704    return FALSE;
 705
 706  if(m->needle->localdev || m->needle->localport) {
 707    /* If we are bound to a specific local end (IP+port), we must not reuse a
 708       random other one, although if we did not ask for a particular one we
 709       can reuse one that was bound.
 710
 711       This comparison is a bit rough and too strict. Since the input
 712       parameters can be specified in numerous ways and still end up the same
 713       it would take a lot of processing to make it really accurate. Instead,
 714       this matching will assume that reuses of bound connections will most
 715       likely also reuse the exact same binding parameters and missing out a
 716       few edge cases should not hurt anyone much.
 717    */
 718    if((conn->localport != m->needle->localport) ||
 719       (conn->localportrange != m->needle->localportrange) ||
 720       (m->needle->localdev &&
 721        (!conn->localdev || strcmp(conn->localdev, m->needle->localdev))))
 722      return FALSE;
 723  }
 724
 725  if(!m->needle->via_peer != !conn->via_peer)
 726    /* do not mix connections that use the "connect to host" feature and
 727     * connections that do not use this feature */
 728    return FALSE;
 729
 730  return TRUE;
 731}
 732
 733static bool url_match_fully_connected(struct connectdata *conn,
 734                                      struct url_conn_match *m)
 735{
 736  if(!Curl_conn_is_connected(conn, FIRSTSOCKET) ||
 737     conn->bits.upgrade_in_progress) {
 738    /* Not yet connected, or a protocol upgrade is in progress. The later
 739     * happens for HTTP/2 Upgrade: requests that need a response. */
 740    if(m->may_multiplex) {
 741      m->seen_pending_conn = TRUE;
 742      /* Do not pick a connection that has not connected yet */
 743      infof(m->data, "Connection #%" FMT_OFF_T
 744            " is not open enough, cannot reuse", conn->connection_id);
 745    }
 746    /* Do not pick a connection that has not connected yet */
 747    return FALSE;
 748  }
 749  return TRUE;
 750}
 751
 752static bool url_match_multi(struct connectdata *conn,
 753                            struct url_conn_match *m)
 754{
 755  if(CONN_INUSE(conn)) {
 756    DEBUGASSERT(conn->attached_multi);
 757    if(conn->attached_multi != m->data->multi)
 758      return FALSE;
 759  }
 760  return TRUE;
 761}
 762
 763static bool url_match_multiplex_needs(struct connectdata *conn,
 764                                      struct url_conn_match *m)
 765{
 766  if(CONN_INUSE(conn)) {
 767    if(!conn->bits.multiplex) {
 768      /* conn busy and conn cannot take more transfers */
 769      m->seen_single_use_conn = TRUE;
 770      return FALSE;
 771    }
 772    m->seen_multiplex_conn = TRUE;
 773    if(!m->may_multiplex || !url_match_multi(conn, m))
 774      /* conn busy and transfer cannot be multiplexed */
 775      return FALSE;
 776  }
 777  return TRUE;
 778}
 779
 780static bool url_match_multiplex_limits(struct connectdata *conn,
 781                                       struct url_conn_match *m)
 782{
 783  if(CONN_INUSE(conn) && m->may_multiplex) {
 784    DEBUGASSERT(conn->bits.multiplex);
 785    /* If multiplexed, make sure we do not go over concurrency limit */
 786    if(conn->attached_xfers >=
 787            Curl_multi_max_concurrent_streams(m->data->multi)) {
 788      infof(m->data, "client side MAX_CONCURRENT_STREAMS reached"
 789            ", skip (%u)", conn->attached_xfers);
 790      return FALSE;
 791    }
 792    if(conn->attached_xfers >=
 793       Curl_conn_get_max_concurrent(m->data, conn, FIRSTSOCKET)) {
 794      infof(m->data, "MAX_CONCURRENT_STREAMS reached, skip (%u)",
 795            conn->attached_xfers);
 796      return FALSE;
 797    }
 798    /* When not multiplexed, we have a match here! */
 799    infof(m->data, "Multiplexed connection found");
 800  }
 801  return TRUE;
 802}
 803
 804static bool url_match_ssl_use(struct connectdata *conn,
 805                              struct url_conn_match *m)
 806{
 807  if(m->needle->scheme->flags & PROTOPT_SSL) {
 808    /* We are looking for SSL, if `conn` does not do it, not a match. */
 809    if(!Curl_conn_is_ssl(conn, FIRSTSOCKET))
 810      return FALSE;
 811  }
 812  else if(Curl_conn_is_ssl(conn, FIRSTSOCKET)) {
 813    /* If the protocol does not allow reuse of SSL connections OR
 814       is of another protocol family, not a match. */
 815    if(!(m->needle->scheme->flags & PROTOPT_SSL_REUSE) ||
 816       (get_protocol_family(conn->scheme) != m->needle->scheme->protocol))
 817      return FALSE;
 818  }
 819  else if(m->require_tls)
 820    /* a clear-text STARTTLS protocol with required TLS */
 821    return FALSE;
 822  return TRUE;
 823}
 824
 825#ifndef CURL_DISABLE_PROXY
 826static bool url_match_proxy_use(struct connectdata *conn,
 827                                struct url_conn_match *m)
 828{
 829  if(m->needle->bits.httpproxy != conn->bits.httpproxy ||
 830     m->needle->bits.socksproxy != conn->bits.socksproxy)
 831    return FALSE;
 832
 833  if(m->needle->bits.socksproxy &&
 834     !proxy_info_matches(&m->needle->socks_proxy, &conn->socks_proxy))
 835    return FALSE;
 836
 837  if(m->needle->bits.httpproxy) {
 838    if(m->needle->bits.tunnel_proxy != conn->bits.tunnel_proxy)
 839      return FALSE;
 840
 841    if(!proxy_info_matches(&m->needle->http_proxy, &conn->http_proxy))
 842      return FALSE;
 843
 844    if(IS_HTTPS_PROXY(m->needle->http_proxy.proxytype)) {
 845      /* https proxies come in different types, http/1.1, h2, ... */
 846      if(m->needle->http_proxy.proxytype != conn->http_proxy.proxytype)
 847        return FALSE;
 848      /* match SSL config to proxy */
 849      if(!Curl_ssl_conn_config_match(m->data, conn, TRUE)) {
 850        DEBUGF(infof(m->data,
 851                     "Connection #%" FMT_OFF_T
 852                     " has different SSL proxy parameters, cannot reuse",
 853                     conn->connection_id));
 854        return FALSE;
 855      }
 856      /* the SSL config to the server, which may apply here is checked
 857       * further below */
 858    }
 859  }
 860  return TRUE;
 861}
 862#else
 863#define url_match_proxy_use(c, m) ((void)(c), (void)(m), TRUE)
 864#endif
 865
 866#ifndef CURL_DISABLE_HTTP
 867static bool url_match_http_multiplex(struct connectdata *conn,
 868                                     struct url_conn_match *m)
 869{
 870  if(m->may_multiplex &&
 871     (m->data->state.http_neg.allowed & (CURL_HTTP_V2x | CURL_HTTP_V3x)) &&
 872     (m->needle->scheme->protocol & CURLPROTO_HTTP) &&
 873     !conn->httpversion_seen) {
 874    if(m->data->set.pipewait) {
 875      infof(m->data, "Server upgrade does not support multiplex yet, wait");
 876      m->found = NULL;
 877      m->wait_pipe = TRUE;
 878      return TRUE; /* stop searching, we want to wait */
 879    }
 880    infof(m->data, "Server upgrade cannot be used");
 881    return FALSE;
 882  }
 883  return TRUE;
 884}
 885
 886static bool url_match_http_version(struct connectdata *conn,
 887                                   struct url_conn_match *m)
 888{
 889  /* If looking for HTTP and the HTTP versions allowed do not include
 890   * the HTTP version of conn, continue looking. */
 891  if((m->needle->scheme->protocol & PROTO_FAMILY_HTTP)) {
 892    switch(Curl_conn_http_version(m->data, conn)) {
 893    case 30:
 894      if(!(m->data->state.http_neg.allowed & CURL_HTTP_V3x)) {
 895        DEBUGF(infof(m->data, "not reusing conn #%" CURL_FORMAT_CURL_OFF_T
 896                     ", we do not want h3", conn->connection_id));
 897        return FALSE;
 898      }
 899      break;
 900    case 20:
 901      if(!(m->data->state.http_neg.allowed & CURL_HTTP_V2x)) {
 902        DEBUGF(infof(m->data, "not reusing conn #%" CURL_FORMAT_CURL_OFF_T
 903                     ", we do not want h2", conn->connection_id));
 904        return FALSE;
 905      }
 906      break;
 907    default:
 908      if(!(m->data->state.http_neg.allowed & CURL_HTTP_V1x)) {
 909        DEBUGF(infof(m->data, "not reusing conn #%" CURL_FORMAT_CURL_OFF_T
 910                     ", we do not want h1", conn->connection_id));
 911        return FALSE;
 912      }
 913      break;
 914    }
 915  }
 916  return TRUE;
 917}
 918#else
 919#define url_match_http_multiplex(c, m) ((void)(c), (void)(m), TRUE)
 920#define url_match_http_version(c, m)   ((void)(c), (void)(m), TRUE)
 921#endif
 922
 923static bool url_match_proto_config(struct connectdata *conn,
 924                                   struct url_conn_match *m)
 925{
 926  if(!url_match_http_version(conn, m))
 927    return FALSE;
 928
 929#ifndef CURL_DISABLE_FTP
 930  else if(get_protocol_family(m->needle->scheme) & PROTO_FAMILY_FTP) {
 931    if(!ftp_conns_match(m->needle, conn))
 932      return FALSE;
 933  }
 934#endif
 935  return TRUE;
 936}
 937
 938static bool url_match_auth(struct connectdata *conn,
 939                           struct url_conn_match *m)
 940{
 941  if(!Curl_creds_same(m->needle->creds, conn->creds)) {
 942    if(m->needle->creds)
 943      return FALSE;
 944    if(!Curl_creds_same(m->data->state.creds, conn->creds))
 945      return FALSE;
 946  }
 947#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
 948  /* GSS delegation differences do not actually affect every connection and
 949     auth method, but this check takes precaution before efficiency */
 950  if(m->needle->gssapi_delegation != conn->gssapi_delegation)
 951    return FALSE;
 952#endif
 953
 954  return TRUE;
 955}
 956
 957static bool url_match_destination(struct connectdata *conn,
 958                                  struct url_conn_match *m)
 959{
 960  /* Different connect-to peers never match */
 961  if(!Curl_peer_same_destination(m->needle->via_peer, conn->via_peer))
 962    return FALSE;
 963
 964#ifndef CURL_DISABLE_PROXY
 965  if(m->needle->bits.httpproxy && !m->needle->bits.tunnel_proxy) {
 966    /* Talking to a non-tunneling HTTP proxy matches on proxy peers. */
 967    return Curl_peer_equal(m->needle->http_proxy.peer,
 968                           conn->http_proxy.peer);
 969  }
 970#endif
 971
 972  if(m->needle->origin->scheme != conn->origin->scheme) {
 973    /* `needle` and `conn` not having the same scheme.
 974     * This is allowed for the same family *if* conn is using TLS.
 975     * - IMAP+STARTTLS works for IMAPS.
 976     * - IMAPS works for IMAP. */
 977    if(get_protocol_family(conn->origin->scheme) !=
 978       m->needle->scheme->protocol) {
 979      return FALSE;
 980    }
 981    if(!url_match_ssl_use(conn, m)) {
 982      DEBUGF(infof(m->data, "Connection #%" FMT_OFF_T
 983                   " has compatible protocol family, but no SSL, no match",
 984                   conn->connection_id));
 985      return FALSE;
 986    }
 987  }
 988  /* Scheme mismatch is acceptable, just compare hostname/port */
 989  return Curl_peer_same_destination(m->needle->origin, conn->origin);
 990}
 991
 992static bool url_match_ssl_config(struct connectdata *conn,
 993                                 struct url_conn_match *m)
 994{
 995  /* If talking/upgrading to TLS, conn needs to use the same SSL options. */
 996  if(((m->needle->scheme->flags & PROTOPT_SSL) || m->may_tls) &&
 997     !Curl_ssl_conn_config_match(m->data, conn, FALSE)) {
 998    DEBUGF(infof(m->data, "Connection #%" FMT_OFF_T
 999                 " has different SSL parameters, cannot reuse",
1000                 conn->connection_id));
1001    return FALSE;
1002  }
1003  return TRUE;
1004}
1005
1006#ifdef USE_NTLM
1007static bool url_match_auth_ntlm(struct connectdata *conn,
1008                                struct url_conn_match *m)
1009{
1010  /* If we are looking for an HTTP+NTLM connection, check if this is
1011     already authenticating with the right credentials. If not, keep
1012     looking so that we can reuse NTLM connections if
1013     possible. (Especially we must not reuse the same connection if
1014     partway through a handshake!) */
1015  if(m->want_ntlm_http) {
1016    if(!Curl_creds_same(m->data->state.creds, conn->creds)) {
1017      /* we prefer a credential match, but this is at least a connection
1018         that can be reused and "upgraded" to NTLM if it does
1019         not have any auth ongoing. */
1020#ifdef USE_SPNEGO
1021      if((conn->http_ntlm_state == NTLMSTATE_NONE)
1022         && (conn->http_negotiate_state == GSS_AUTHNONE)) {
1023#else
1024      if(conn->http_ntlm_state == NTLMSTATE_NONE) {
1025#endif
1026        m->found = conn;
1027      }
1028      return FALSE;
1029    }
1030  }
1031  else if(conn->http_ntlm_state != NTLMSTATE_NONE) {
1032    /* Connection is using NTLM auth but we do not want NTLM */
1033    return FALSE;
1034  }
1035
1036#ifndef CURL_DISABLE_PROXY
1037  /* Same for Proxy NTLM authentication */
1038  if(m->want_proxy_ntlm_http) {
1039    /* Both conn->http_proxy.user and conn->http_proxy.passwd can be
1040     * NULL */
1041    if(!conn->http_proxy.creds)
1042      return FALSE;
1043
1044    if(!Curl_creds_same(m->needle->http_proxy.creds, conn->http_proxy.creds))
1045      return FALSE;
1046  }
1047  else if(conn->proxy_ntlm_state != NTLMSTATE_NONE) {
1048    /* Proxy connection is using NTLM auth but we do not want NTLM */
1049    return FALSE;
1050  }
1051#endif
1052  if(m->want_ntlm_http || m->want_proxy_ntlm_http) {
1053    /* Credentials are already checked, we may use this connection.
1054     * With NTLM being weird as it is, we MUST use a
1055     * connection where it has already been fully negotiated.
1056     * If it has not, we keep on looking for a better one. */
1057    m->found = conn;
1058
1059    if((m->want_ntlm_http &&
1060       (conn->http_ntlm_state != NTLMSTATE_NONE)) ||
1061        (m->want_proxy_ntlm_http &&
1062         (conn->proxy_ntlm_state != NTLMSTATE_NONE))) {
1063      /* We must use this connection, no other */
1064      m->force_reuse = TRUE;
1065      return TRUE;
1066    }
1067    /* Continue look up for a better connection */
1068    return FALSE;
1069  }
1070  return TRUE;
1071}
1072#else
1073#define url_match_auth_ntlm(c, m) ((void)(c), (void)(m), TRUE)
1074#endif
1075
1076#ifdef USE_SPNEGO
1077static bool url_match_auth_nego(struct connectdata *conn,
1078                                struct url_conn_match *m)
1079{
1080  /* If we are looking for an HTTP+Negotiate connection, check if this is
1081     already authenticating with the right credentials. If not, keep looking
1082     so that we can reuse Negotiate connections if possible. */
1083  if(m->want_nego_http) {
1084    if(!Curl_creds_same(m->needle->creds, conn->creds))
1085      return FALSE;
1086  }
1087  else if(conn->http_negotiate_state != GSS_AUTHNONE) {
1088    /* Connection is using Negotiate auth but we do not want Negotiate */
1089    return FALSE;
1090  }
1091
1092#ifndef CURL_DISABLE_PROXY
1093  /* Same for Proxy Negotiate authentication */
1094  if(m->want_proxy_nego_http) {
1095    /* Both conn->http_proxy.user and conn->http_proxy.passwd can be
1096     * NULL */
1097    if(!conn->http_proxy.creds)
1098      return FALSE;
1099
1100    if(!Curl_creds_same(m->needle->http_proxy.creds, conn->http_proxy.creds))
1101      return FALSE;
1102  }
1103  else if(conn->proxy_negotiate_state != GSS_AUTHNONE) {
1104    /* Proxy connection is using Negotiate auth but we do not want Negotiate */
1105    return FALSE;
1106  }
1107#endif
1108  if(m->want_nego_http || m->want_proxy_nego_http) {
1109    /* Credentials are already checked, we may use this connection. We MUST
1110     * use a connection where it has already been fully negotiated. If it has
1111     * not, we keep on looking for a better one. */
1112    m->found = conn;
1113    if((m->want_nego_http &&
1114        (conn->http_negotiate_state != GSS_AUTHNONE)) ||
1115       (m->want_proxy_nego_http &&
1116        (conn->proxy_negotiate_state != GSS_AUTHNONE))) {
1117      /* We must use this connection, no other */
1118      m->force_reuse = TRUE;
1119      return TRUE;
1120    }
1121    return FALSE; /* get another */
1122  }
1123  return TRUE;
1124}
1125#else
1126#define url_match_auth_nego(c, m) ((void)(c), (void)(m), TRUE)
1127#endif
1128
1129static bool url_match_conn(struct connectdata *conn, void *userdata)
1130{
1131  struct url_conn_match *m = userdata;
1132  /* Check if `conn` can be used for transfer `m->data` */
1133
1134  /* general connect config setting match? */
1135  if(!url_match_connect_config(conn, m))
1136    return FALSE;
1137
1138  /* match for destination and protocol? */
1139  if(!url_match_destination(conn, m))
1140    return FALSE;
1141
1142  if(!url_match_fully_connected(conn, m))
1143    return FALSE;
1144
1145  if(!url_match_multiplex_needs(conn, m))
1146    return FALSE;
1147
1148  if(!url_match_proxy_use(conn, m))
1149    return FALSE;
1150  if(!url_match_ssl_config(conn, m))
1151    return FALSE;
1152
1153  if(!url_match_http_multiplex(conn, m))
1154    return FALSE;
1155  else if(m->wait_pipe)
1156    /* we decided to wait on PIPELINING */
1157    return TRUE;
1158
1159  if(!url_match_auth(conn, m))
1160    return FALSE;
1161
1162  if(!url_match_proto_config(conn, m))
1163    return FALSE;
1164
1165  if(!url_match_auth_ntlm(conn, m))
1166    return FALSE;
1167  else if(m->force_reuse)
1168    return TRUE;
1169
1170  if(!url_match_auth_nego(conn, m))
1171    return FALSE;
1172  else if(m->force_reuse)
1173    return TRUE;
1174
1175  if(!url_match_multiplex_limits(conn, m))
1176    return FALSE;
1177
1178  if(!CONN_INUSE(conn) && Curl_conn_seems_dead(conn, m->data)) {
1179    /* remove and disconnect. */
1180    Curl_conn_terminate(m->data, conn, FALSE);
1181    return FALSE;
1182  }
1183
1184  /* conn matches our needs. */
1185  m->found = conn;
1186  return TRUE;
1187}
1188
1189static bool url_match_result(void *userdata)
1190{
1191  struct url_conn_match *match = userdata;
1192  if(match->found) {
1193    /* Attach it now while still under lock, so the connection does
1194     * no longer appear idle and can be reaped. */
1195    Curl_attach_connection(match->data, match->found);
1196    return TRUE;
1197  }
1198  else if(match->seen_single_use_conn && !match->seen_multiplex_conn) {
1199    /* We have seen a single-use, existing connection to the destination and
1200     * no multiplexed one. It seems safe to assume that the server does
1201     * not support multiplexing. */
1202    match->wait_pipe = FALSE;
1203  }
1204  else if(match->seen_pending_conn && match->data->set.pipewait) {
1205    infof(match->data,
1206          "Found pending candidate for reuse and CURLOPT_PIPEWAIT is set");
1207    match->wait_pipe = TRUE;
1208  }
1209  match->force_reuse = FALSE;
1210  return FALSE;
1211}
1212
1213/*
1214 * Given a transfer and a prototype connection (needle),
1215 * find and attach an existing connection that matches.
1216 *
1217 * Return TRUE if an existing connection was attached.
1218 * `waitpipe` is TRUE if no existing connection matched, but there
1219 * might be suitable one in the near future (common cause: multiplexing
1220 * capability has not been determined yet, e.g. ALPN handshake).
1221 */
1222static bool url_attach_existing(struct Curl_easy *data,
1223                                struct connectdata *needle,
1224                                bool *waitpipe)
1225{
1226  struct url_conn_match match;
1227  bool success;
1228
1229  DEBUGASSERT(!data->conn);
1230  memset(&match, 0, sizeof(match));
1231  match.data = data;
1232  match.needle = needle;
1233  match.may_multiplex = xfer_may_multiplex(data, needle);
1234
1235#ifdef USE_NTLM
1236  match.want_ntlm_http =
1237    (data->state.authhost.want & CURLAUTH_NTLM) &&
1238    (needle->scheme->protocol & PROTO_FAMILY_HTTP);
1239#ifndef CURL_DISABLE_PROXY
1240  match.want_proxy_ntlm_http =
1241    needle->http_proxy.creds &&
1242    (data->state.authproxy.want & CURLAUTH_NTLM) &&
1243    (needle->scheme->protocol & PROTO_FAMILY_HTTP);
1244#endif
1245#endif
1246
1247#if !defined(CURL_DISABLE_HTTP) && defined(USE_SPNEGO)
1248  match.want_nego_http =
1249    (data->state.authhost.want & CURLAUTH_NEGOTIATE) &&
1250    (needle->scheme->protocol & PROTO_FAMILY_HTTP);
1251#ifndef CURL_DISABLE_PROXY
1252  match.want_proxy_nego_http =
1253    needle->http_proxy.creds &&
1254    (data->state.authproxy.want & CURLAUTH_NEGOTIATE) &&
1255    (needle->scheme->protocol & PROTO_FAMILY_HTTP);
1256#endif
1257#endif
1258  match.require_tls = data->set.use_ssl >= CURLUSESSL_CONTROL;
1259  match.may_tls = data->set.use_ssl > CURLUSESSL_NONE;
1260
1261  /* Find a connection in the pool that matches what "data + needle"
1262   * requires. If a suitable candidate is found, it is attached to "data". */
1263  success = Curl_cpool_find(data, needle->destination,
1264                            url_match_conn, url_match_result, &match);
1265
1266  /* wait_pipe is TRUE if we encounter a bundle that is undecided. There
1267   * is no matching connection then, yet. */
1268  *waitpipe = (bool)match.wait_pipe;
1269  return success;
1270}
1271
1272/*
1273 * Allocate and initialize a new connectdata object.
1274 */
1275static struct connectdata *allocate_conn(struct Curl_easy *data)
1276{
1277  struct connectdata *conn = curlx_calloc(1, sizeof(struct connectdata));
1278  if(!conn)
1279    return NULL;
1280
1281  /* and we setup a few fields in case we end up actually using this struct */
1282
1283  conn->sock[FIRSTSOCKET] = CURL_SOCKET_BAD;     /* no file descriptor */
1284  conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD; /* no file descriptor */
1285  conn->recv_idx = 0; /* default for receiving transfer data */
1286  conn->send_idx = 0; /* default for sending transfer data */
1287  conn->connection_id = -1;    /* no ID */
1288  conn->attached_xfers = 0;
1289
1290  /* Store creation time to help future close decision making */
1291  conn->created = *Curl_pgrs_now(data);
1292
1293  /* Store current time to give a baseline to keepalive connection times. */
1294  conn->keepalive = conn->created;
1295
1296#ifndef CURL_DISABLE_PROXY
1297  conn->http_proxy.proxytype = data->set.proxytype;
1298  conn->socks_proxy.proxytype = CURLPROXY_SOCKS4;
1299
1300  /* note that these two proxy bits are set on what looks to be
1301     requested, they may be altered down the road */
1302  conn->bits.proxy = (data->set.str[STRING_PROXY] &&
1303                      *data->set.str[STRING_PROXY]);
1304  conn->bits.httpproxy = (conn->bits.proxy &&
1305                          (conn->http_proxy.proxytype == CURLPROXY_HTTP ||
1306                           conn->http_proxy.proxytype == CURLPROXY_HTTP_1_0 ||
1307                           IS_HTTPS_PROXY(conn->http_proxy.proxytype)));
1308  conn->bits.socksproxy = (conn->bits.proxy && !conn->bits.httpproxy);
1309
1310  if(data->set.str[STRING_PRE_PROXY] && *data->set.str[STRING_PRE_PROXY]) {
1311    conn->bits.proxy = TRUE;
1312    conn->bits.socksproxy = TRUE;
1313  }
1314
1315  conn->bits.tunnel_proxy = data->set.tunnel_thru_httpproxy;
1316#endif /* CURL_DISABLE_PROXY */
1317
1318#ifndef CURL_DISABLE_FTP
1319  conn->bits.ftp_use_epsv = data->set.ftp_use_epsv;
1320  conn->bits.ftp_use_eprt = data->set.ftp_use_eprt;
1321#endif
1322  conn->ip_version = data->set.ipver;
1323  conn->bits.connect_only = (bool)data->set.connect_only;
1324  conn->transport_wanted = TRNSPRT_TCP; /* most of them are TCP streams */
1325
1326  /* Store the local bind parameters that will be used for this connection */
1327  if(data->set.str[STRING_DEVICE]) {
1328    conn->localdev = curlx_strdup(data->set.str[STRING_DEVICE]);
1329    if(!conn->localdev)
1330      goto error;
1331  }
1332#ifndef CURL_DISABLE_BINDLOCAL
1333  conn->localportrange = data->set.localportrange;
1334  conn->localport = data->set.localport;
1335#endif
1336
1337  /* the close socket stuff needs to be copied to the connection struct as
1338     it may live on without (this specific) Curl_easy */
1339  conn->fclosesocket = data->set.fclosesocket;
1340  conn->closesocket_client = data->set.closesocket_client;
1341  conn->lastused = conn->created;
1342#if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
1343  conn->gssapi_delegation = data->set.gssapi_delegation;
1344#endif
1345  DEBUGF(infof(data, "alloc connection, bits.close=%d", conn->bits.close));
1346  return conn;
1347error:
1348
1349  curlx_free(conn->localdev);
1350  curlx_free(conn);
1351  return NULL;
1352}
1353
1354static CURLcode url_set_conn_scheme(struct Curl_easy *data,
1355                                    struct connectdata *conn,
1356                                    const struct Curl_scheme *scheme)
1357{
1358  /* URL scheme is usable for connection when it is
1359   * - allowed
1360   * - not from a redirect or an allowed redirect protocol */
1361  if(scheme->run &&
1362     (data->set.allowed_protocols & scheme->protocol) &&
1363     (!data->state.this_is_a_follow ||
1364       (data->set.redir_protocols & scheme->protocol))) {
1365    conn->scheme = conn->given = scheme;
1366    return CURLE_OK;
1367  }
1368  if(scheme->flags & PROTOPT_NO_TRANSFER)
1369    failf(data, "Protocol \"%s\" is not for transfers", scheme->name);
1370  else
1371    failf(data, "Protocol \"%s\" is disabled%s", scheme->name,
1372          data->state.this_is_a_follow ? " (in redirect)" : "");
1373  return CURLE_UNSUPPORTED_PROTOCOL;
1374}
1375
1376CURLcode Curl_uc_to_curlcode(CURLUcode uc)
1377{
1378  switch(uc) {
1379  default:
1380    return CURLE_URL_MALFORMAT;
1381  case CURLUE_UNSUPPORTED_SCHEME:
1382    return CURLE_UNSUPPORTED_PROTOCOL;
1383  case CURLUE_OUT_OF_MEMORY:
1384    return CURLE_OUT_OF_MEMORY;
1385  case CURLUE_USER_NOT_ALLOWED:
1386    return CURLE_LOGIN_DENIED;
1387  }
1388}
1389
1390#ifndef CURL_DISABLE_HSTS
1391static CURLcode hsts_upgrade(struct Curl_easy *data,
1392                             struct connectdata *conn,
1393                             CURLU *uh,
1394                             uint16_t port_override,
1395                             uint32_t scope_id)
1396{
1397  /* HSTS upgrade */
1398  if(data->hsts && (conn->origin->scheme == &Curl_scheme_http) &&
1399     Curl_hsts_applies(data->hsts, conn->origin)) {
1400    char *url;
1401    CURLUcode uc;
1402    CURLcode result;
1403
1404    curlx_safefree(data->state.up.scheme);
1405    uc = curl_url_set(uh, CURLUPART_SCHEME, "https", 0);
1406    if(uc)
1407      return Curl_uc_to_curlcode(uc);
1408    Curl_bufref_free(&data->state.url);
1409    /* after update, get the updated version */
1410    uc = curl_url_get(uh, CURLUPART_URL, &url, 0);
1411    if(uc)
1412      return Curl_uc_to_curlcode(uc);
1413    Curl_bufref_set(&data->state.url, url, 0, curl_free);
1414
1415    result = Curl_peer_from_url(uh, data, port_override, scope_id,
1416                                &data->state.up, &conn->origin);
1417    if(result)
1418      return result;
1419    infof(data, "Switched from HTTP to HTTPS due to HSTS => %s", url);
1420  }
1421  return CURLE_OK;
1422}
1423#else
1424#define hsts_upgrade(x, y, z, a, b) CURLE_OK
1425#endif
1426
1427static CURLcode url_set_data_creds(struct Curl_easy *data,
1428                                   struct connectdata *conn,
1429                                   CURLU *uh)
1430{
1431  CURLcode result = CURLE_OK;
1432
1433  /* We reset any existing credentials on the transfer. Then
1434   * set the CURLOPT_* credentials ONLY IF the origin is the initial one. */
1435  Curl_creds_unlink(&data->state.creds);
1436  if((data->set.str[STRING_USERNAME] ||
1437      data->set.str[STRING_PASSWORD] ||
1438      data->set.str[STRING_BEARER] ||
1439      data->set.str[STRING_SASL_AUTHZID] ||
1440      data->set.str[STRING_SERVICE_NAME]) &&
1441     Curl_auth_allowed_to_origin(data, conn->origin)) {
1442    result = Curl_creds_create(data->set.str[STRING_USERNAME],
1443                               data->set.str[STRING_PASSWORD],
1444                               data->set.str[STRING_BEARER],
1445                               data->set.str[STRING_SASL_AUTHZID],
1446                               data->set.str[STRING_SERVICE_NAME],
1447                               CREDS_OPTION, &data->state.creds);
1448    if(result)
1449      return result;
1450  }
1451
1452  /* Extract credentials from the URL only if there are none OR
1453   * if no CURLOPT_USER was set. */
1454  if(!data->state.creds || !Curl_creds_has_user(data->state.creds)) {
1455    char *udecoded = NULL;
1456    char *pdecoded = NULL;
1457    CURLUcode uc;
1458
1459    uc = curl_url_get(uh, CURLUPART_USER, &data->state.up.user, 0);
1460    if(uc && (uc != CURLUE_NO_USER)) {
1461      result = Curl_uc_to_curlcode(uc);
1462      goto out;
1463    }
1464    uc = curl_url_get(uh, CURLUPART_PASSWORD, &data->state.up.password, 0);
1465    if(uc && (uc != CURLUE_NO_PASSWORD)) {
1466      result = Curl_uc_to_curlcode(uc);
1467      goto out;
1468    }
1469    if(data->state.up.user) {
1470      result = Curl_urldecode(data->state.up.user, 0, &udecoded, NULL,
1471                              conn->scheme->flags&PROTOPT_USERPWDCTRL ?
1472                              REJECT_ZERO : REJECT_CTRL);
1473    }
1474    if(!result && data->state.up.password) {
1475      result = Curl_urldecode(data->state.up.password, 0, &pdecoded, NULL,
1476                              conn->scheme->flags&PROTOPT_USERPWDCTRL ?
1477                              REJECT_ZERO : REJECT_CTRL);
1478    }
1479    if(!result)
1480      result = Curl_creds_merge(udecoded, pdecoded, data->state.creds,
1481                                CREDS_URL, &data->state.creds);
1482out:
1483    curlx_free(udecoded);
1484    curlx_free(pdecoded);
1485    if(result)
1486      failf(data, "error extracting credentials from URL");
1487  }
1488  return result;
1489}
1490
1491/*
1492 * Parse URL and fill in the relevant members of the connection struct.
1493 */
1494static CURLcode parseurlandfillconn(struct Curl_easy *data,
1495                                    struct connectdata *conn)
1496{
1497  CURLcode result = CURLE_OK;
1498  CURLU *uh;
1499  CURLUcode uc;
1500  bool use_set_uh = (data->set.uh && !data->state.this_is_a_follow);
1501  uint16_t port_override = data->state.allow_port ? data->set.use_port : 0;
1502  uint32_t scope_id = 0;
1503
1504  up_free(data); /* cleanup previous leftovers first */
1505
1506  /* parse the URL */
1507  if(use_set_uh)
1508    uh = data->state.uh = curl_url_dup(data->set.uh);
1509  else
1510    uh = data->state.uh = curl_url();
1511  if(!uh) {
1512    result = CURLE_OUT_OF_MEMORY;
1513    goto out;
1514  }
1515
1516  /* Calculate the *real* URL this transfer uses, applying defaults
1517   * where information is missing. */
1518  if(data->set.str[STRING_DEFAULT_PROTOCOL] &&
1519     !Curl_is_absolute_url(Curl_bufref_ptr(&data->state.url), NULL, 0, TRUE)) {
1520    char *url = curl_maprintf("%s://%s",
1521                              data->set.str[STRING_DEFAULT_PROTOCOL],
1522                              Curl_bufref_ptr(&data->state.url));
1523    if(!url) {
1524      result = CURLE_OUT_OF_MEMORY;
1525      goto out;
1526    }
1527    Curl_bufref_set(&data->state.url, url, 0, curl_free);
1528  }
1529
1530  if(!use_set_uh) {
1531    char *newurl;
1532    uc = curl_url_set(uh, CURLUPART_URL, Curl_bufref_ptr(&data->state.url),
1533                      (unsigned int)(CURLU_GUESS_SCHEME |
1534                       CURLU_NON_SUPPORT_SCHEME |
1535                       (data->set.disallow_username_in_url ?
1536                        CURLU_DISALLOW_USER : 0) |
1537                       (data->set.path_as_is ? CURLU_PATH_AS_IS : 0)));
1538    if(uc) {
1539      failf(data, "URL rejected: %s", curl_url_strerror(uc));
1540      result = Curl_uc_to_curlcode(uc);
1541      goto out;
1542    }
1543
1544    /* after it was parsed, get the generated normalized version */
1545    uc = curl_url_get(uh, CURLUPART_URL, &newurl, CURLU_GET_EMPTY);
1546    if(uc) {
1547      result = Curl_uc_to_curlcode(uc);
1548      goto out;
1549    }
1550    Curl_bufref_set(&data->state.url, newurl, 0, curl_free);
1551  }
1552
1553#ifdef USE_IPV6
1554  scope_id = data->set.scope_id;
1555#endif
1556
1557  /* `uh` is now as the connection should use it, probably. */
1558  result = Curl_peer_from_url(uh, data, port_override, scope_id,
1559                              &data->state.up, &conn->origin);
1560  if(result)
1561    goto out;
1562
1563  result = hsts_upgrade(data, conn, uh, port_override, scope_id);
1564  if(result)
1565    goto out;
1566
1567  /* now that the origin is fixed, check and set the connection scheme */
1568  result = url_set_conn_scheme(data, conn, conn->origin->scheme);
1569  if(result)
1570    goto out;
1571
1572  /* When the transfers initial_origin is not set, this is the initial
1573   * request. Remember this starting point. This is used to
1574   * select credentials. */
1575  if(!data->state.initial_origin)
1576    Curl_peer_link(&data->state.initial_origin, conn->origin);
1577
1578  result = url_set_data_creds(data, conn, uh);
1579  if(result)
1580    goto out;
1581
1582  uc = curl_url_get(uh, CURLUPART_OPTIONS, &data->state.up.options,
1583                    CURLU_URLDECODE);
1584  if(!uc) {
1585    conn->options = curlx_strdup(data->state.up.options);
1586    if(!conn->options) {
1587      result = CURLE_OUT_OF_MEMORY;
1588      goto out;
1589    }
1590  }
1591  else if(uc != CURLUE_NO_OPTIONS) {
1592    result = Curl_uc_to_curlcode(uc);
1593    goto out;
1594  }
1595
1596  uc = curl_url_get(uh, CURLUPART_PATH, &data->state.up.path, CURLU_URLENCODE);
1597  if(uc) {
1598    result = Curl_uc_to_curlcode(uc);
1599    goto out;
1600  }
1601
1602  uc = curl_url_get(uh, CURLUPART_QUERY, &data->state.up.query,
1603                    CURLU_GET_EMPTY);
1604  if(uc && (uc != CURLUE_NO_QUERY)) {
1605    result = CURLE_OUT_OF_MEMORY;
1606    goto out;
1607  }
1608
1609#ifdef USE_IPV6
1610  /* Fill in the conn parts that do not use authority, yet. */
1611  conn->scope_id = conn->origin->scopeid;
1612#endif
1613
1614#ifdef CURLVERBOSE
1615  Curl_creds_trace(data, data->state.creds, "transfer credentials");
1616#endif
1617
1618out:
1619  return result;
1620}
1621
1622/*
1623 * If we are doing a resumed transfer, we need to setup our stuff
1624 * properly.
1625 */
1626static CURLcode setup_range(struct Curl_easy *data)
1627{
1628  struct UrlState *s = &data->state;
1629  s->resume_from = data->set.set_resume_from;
1630  if(s->resume_from || data->set.str[STRING_SET_RANGE]) {
1631    if(s->rangestringalloc)
1632      curlx_free(s->range);
1633
1634    if(s->resume_from)
1635      s->range = curl_maprintf("%" FMT_OFF_T "-", s->resume_from);
1636    else
1637      s->range = curlx_strdup(data->set.str[STRING_SET_RANGE]);
1638
1639    if(!s->range)
1640      return CURLE_OUT_OF_MEMORY;
1641
1642    s->rangestringalloc = TRUE;
1643
1644    /* tell ourselves to fetch this range */
1645    s->use_range = TRUE;        /* enable range download */
1646  }
1647  else
1648    s->use_range = FALSE; /* disable range download */
1649
1650  return CURLE_OK;
1651}
1652
1653/*
1654 * setup_connection_internals() -
1655 *
1656 * Setup connection internals specific to the requested protocol in the
1657 * Curl_easy. This is inited and setup before the connection is made but
1658 * is about the particular protocol that is to be used.
1659 *
1660 * This MUST get called after proxy magic has been figured out.
1661 */
1662static CURLcode setup_connection_internals(struct Curl_easy *data,
1663                                           struct connectdata *conn)
1664{
1665  struct Curl_peer *peer = NULL;
1666  CURLcode result;
1667
1668  DEBUGF(infof(data, "setup connection, bits.close=%d", conn->bits.close));
1669  if(conn->scheme->run->setup_connection) {
1670    result = conn->scheme->run->setup_connection(data, conn);
1671    if(result)
1672      return result;
1673  }
1674  DEBUGF(infof(data, "setup connection, bits.close=%d", conn->bits.close));
1675
1676  /* Now create the destination name */
1677  peer = Curl_conn_get_destination(conn, FIRSTSOCKET);
1678  if(!peer)
1679    return CURLE_FAILED_INIT;
1680
1681  /* IPv6 addresses with a scope_id (0 is default == global) have a
1682   * printable representation with a '%<scope_id>' suffix. */
1683  if(peer->ipv6)
1684    if(peer->scopeid)
1685      conn->destination = curl_maprintf("[%s%%%u]:%u",
1686        peer->hostname, peer->scopeid, peer->port);
1687    else
1688      conn->destination = curl_maprintf("[%s]:%u",
1689        peer->hostname, peer->port);
1690  else
1691    conn->destination = curl_maprintf("%s:%u", peer->hostname, peer->port);
1692  if(!conn->destination)
1693    return CURLE_OUT_OF_MEMORY;
1694
1695  Curl_strntolower(conn->destination, conn->destination,
1696                   strlen(conn->destination));
1697
1698  return CURLE_OK;
1699}
1700
1701#ifndef CURL_DISABLE_PROXY
1702
1703#ifndef CURL_DISABLE_HTTP
1704/****************************************************************
1705 * Detect what (if any) proxy to use. Remember that this selects a host
1706 * name and is not limited to HTTP proxies only.
1707 * The returned pointer must be freed by the caller (unless NULL)
1708 ****************************************************************/
1709static char *url_detect_proxy(struct Curl_easy *data,
1710                              struct connectdata *conn)
1711{
1712  char *proxy = NULL;
1713
1714  /* If proxy was not specified, we check for default proxy environment
1715   * variables, to enable i.e Lynx compliance:
1716   *
1717   * http_proxy=http://some.server.dom:port/
1718   * https_proxy=http://some.server.dom:port/
1719   * ftp_proxy=http://some.server.dom:port/
1720   * no_proxy=domain1.dom,host.domain2.dom
1721   *   (a comma-separated list of hosts which should
1722   *   not be proxied, or an asterisk to override
1723   *   all proxy variables)
1724   * all_proxy=http://some.server.dom:port/
1725   *   (seems to exist for the CERN www lib. Probably
1726   *   the first to check for.)
1727   *
1728   * For compatibility, the all-uppercase versions of these variables are
1729   * checked if the lowercase versions do not exist.
1730   */
1731  char proxy_env[20];
1732  const char *envp;
1733  VERBOSE(envp = proxy_env);
1734
1735  curl_msnprintf(proxy_env, sizeof(proxy_env), "%s_proxy",
1736                 conn->scheme->name);
1737
1738  /* read the protocol proxy: */
1739  proxy = curl_getenv(proxy_env);
1740
1741  /*
1742   * We do not try the uppercase version of HTTP_PROXY because of
1743   * security reasons:
1744   *
1745   * When curl is used in a webserver application
1746   * environment (cgi or php), this environment variable can
1747   * be controlled by the web server user by setting the
1748   * http header 'Proxy:' to some value.
1749   *
1750   * This can cause 'internal' http/ftp requests to be
1751   * arbitrarily redirected by any external attacker.
1752   */
1753  if(!proxy && !curl_strequal("http_proxy", proxy_env)) {
1754    /* There was no lowercase variable, try the uppercase version: */
1755    Curl_strntoupper(proxy_env, proxy_env, sizeof(proxy_env));
1756    proxy = curl_getenv(proxy_env);
1757  }
1758
1759  if(!proxy) {
1760#ifndef CURL_DISABLE_WEBSOCKETS
1761    /* websocket proxy fallbacks */
1762    if(curl_strequal("ws_proxy", proxy_env)) {
1763      proxy = curl_getenv("http_proxy");
1764    }
1765    else if(curl_strequal("wss_proxy", proxy_env)) {
1766      proxy = curl_getenv("https_proxy");
1767      if(!proxy)
1768        proxy = curl_getenv("HTTPS_PROXY");
1769    }
1770    if(!proxy) {
1771#endif
1772      envp = "all_proxy";
1773      proxy = curl_getenv(envp); /* default proxy to use */
1774      if(!proxy) {
1775        envp = "ALL_PROXY";
1776        proxy = curl_getenv(envp);
1777      }
1778#ifndef CURL_DISABLE_WEBSOCKETS
1779    }
1780#endif
1781  }
1782  if(proxy)
1783    infof(data, "Uses proxy env variable %s == '%s'", envp, proxy);
1784
1785  return proxy;
1786}
1787#endif /* CURL_DISABLE_HTTP */
1788
1789/*
1790 * If this is supposed to use a proxy, we need to figure out the proxy
1791 * hostname, so that we can reuse an existing connection
1792 * that may exist registered to the same proxy host.
1793 */
1794static CURLcode parse_proxy(struct Curl_easy *data,
1795                            const char *proxy,
1796                            bool for_pre_proxy,
1797                            struct proxy_info *proxyinfo)
1798{
1799  char *proxyuser = NULL;
1800  char *proxypasswd = NULL;
1801  CURLcode result = CURLE_OK;
1802  /* Set the start proxy type for url scheme guessing */
1803  uint8_t proxytype = for_pre_proxy ? CURLPROXY_SOCKS4 : data->set.proxytype;
1804  CURLU *uhp = curl_url();
1805  CURLUcode uc;
1806
1807  if(!uhp) {
1808    result = CURLE_OUT_OF_MEMORY;
1809    goto error;
1810  }
1811  /* When parsing the proxy, allowing non-supported schemes since we have
1812     these made up ones for proxies. Guess scheme for URLs without it. */
1813  uc = curl_url_set(uhp, CURLUPART_URL, proxy,
1814                    CURLU_NON_SUPPORT_SCHEME | CURLU_GUESS_SCHEME);
1815  if(uc) {
1816    failf(data, "Unsupported proxy syntax in \'%s\': %s", proxy,
1817          curl_url_strerror(uc));
1818    result = CURLE_COULDNT_RESOLVE_PROXY;
1819    goto error;
1820  }
1821
1822  result = Curl_peer_from_proxy_url(uhp, data, proxy, proxytype,
1823                                    &proxyinfo->peer, &proxytype);
1824  if(result)
1825    goto error;
1826
1827  switch(proxytype) {
1828    case CURLPROXY_HTTP:
1829    case CURLPROXY_HTTP_1_0:
1830    case CURLPROXY_HTTPS:
1831    case CURLPROXY_HTTPS2:
1832      if(for_pre_proxy) {
1833        failf(data, "Unsupported pre-proxy type for \'%s\'", proxy);
1834        result = CURLE_COULDNT_RESOLVE_PROXY;
1835        goto error;
1836      }
1837      break;
1838    case CURLPROXY_SOCKS4:
1839    case CURLPROXY_SOCKS4A:
1840    case CURLPROXY_SOCKS5:
1841    case CURLPROXY_SOCKS5_HOSTNAME:
1842      break;
1843    default:
1844      failf(data, "Unsupported proxy type %u for \'%s\'", proxytype, proxy);
1845      result = CURLE_COULDNT_RESOLVE_PROXY;
1846      goto error;
1847  }
1848
1849  /* Is there a username and password given in this proxy URL? */
1850  uc = curl_url_get(uhp, CURLUPART_USER, &proxyuser, CURLU_URLDECODE);
1851  if(uc && (uc != CURLUE_NO_USER)) {
1852    result = Curl_uc_to_curlcode(uc);
1853    goto error;
1854  }
1855  uc = curl_url_get(uhp, CURLUPART_PASSWORD, &proxypasswd, CURLU_URLDECODE);
1856  if(uc && (uc != CURLUE_NO_PASSWORD)) {
1857    result = Curl_uc_to_curlcode(uc);
1858    goto error;
1859  }
1860
1861  if(proxyuser || proxypasswd) {
1862    result = Curl_creds_create(proxyuser, proxypasswd, NULL, NULL,
1863                               data->set.str[STRING_PROXY_SERVICE_NAME],
1864                               CREDS_URL, &proxyinfo->creds);
1865    if(result)
1866      goto error;
1867  }
1868  else if(!for_pre_proxy &&
1869          (data->set.str[STRING_PROXYUSERNAME] ||
1870           data->set.str[STRING_PROXYPASSWORD] ||
1871           data->set.str[STRING_PROXY_SERVICE_NAME])) {
1872    /* No user/passwd in URL, if this is not a pre-proxy, the
1873     * CURLOPT_PROXY* settings apply. */
1874    result = Curl_creds_create(data->set.str[STRING_PROXYUSERNAME],
1875                               data->set.str[STRING_PROXYPASSWORD],
1876                               NULL, NULL,
1877                               data->set.str[STRING_PROXY_SERVICE_NAME],
1878                               CREDS_OPTION, &proxyinfo->creds);
1879  }
1880  else
1881    Curl_creds_unlink(&proxyinfo->creds);
1882
1883  proxyinfo->proxytype = proxytype;
1884
1885error:
1886  curlx_free(proxyuser);
1887  curlx_free(proxypasswd);
1888  curl_url_cleanup(uhp);
1889#ifdef DEBUGBUILD
1890  if(!result) {
1891    DEBUGASSERT(proxyinfo);
1892    DEBUGASSERT(proxyinfo->peer);
1893  }
1894#endif
1895  return result;
1896}
1897
1898static CURLcode url_set_conn_proxies(struct Curl_easy *data,
1899                                     struct connectdata *conn)
1900{
1901  char *proxy = NULL;
1902  char *pre_proxy = NULL;
1903  char *no_proxy = NULL;
1904  CURLcode result = CURLE_OK;
1905
1906  /*************************************************************
1907   * Detect what (if any) proxy to use
1908   *************************************************************/
1909  if(data->set.str[STRING_PROXY]) {
1910    proxy = curlx_strdup(data->set.str[STRING_PROXY]);
1911    /* if global proxy is set, this is it */
1912    if(!proxy) {
1913      failf(data, "memory shortage");
1914      result = CURLE_OUT_OF_MEMORY;
1915      goto out;
1916    }
1917  }
1918
1919  if(data->set.str[STRING_PRE_PROXY]) {
1920    pre_proxy = curlx_strdup(data->set.str[STRING_PRE_PROXY]);
1921    /* if global socks proxy is set, this is it */
1922    if(!pre_proxy) {
1923      failf(data, "memory shortage");
1924      result = CURLE_OUT_OF_MEMORY;
1925      goto out;
1926    }
1927  }
1928
1929  if(!data->set.str[STRING_NOPROXY]) {
1930    const char *p = "no_proxy";
1931    no_proxy = curl_getenv(p);
1932    if(!no_proxy) {
1933      p = "NO_PROXY";
1934      no_proxy = curl_getenv(p);
1935    }
1936    if(no_proxy) {
1937      infof(data, "Uses proxy env variable %s == '%s'", p, no_proxy);
1938    }
1939  }
1940
1941  if(Curl_check_noproxy(conn->origin->hostname, data->set.str[STRING_NOPROXY] ?
1942                        data->set.str[STRING_NOPROXY] : no_proxy)) {
1943    curlx_safefree(proxy);
1944    curlx_safefree(pre_proxy);
1945  }
1946#ifndef CURL_DISABLE_HTTP
1947  else if(!proxy && !pre_proxy)
1948    /* if the host is not in the noproxy list, detect proxy. */
1949    proxy = url_detect_proxy(data, conn);
1950#endif /* CURL_DISABLE_HTTP */
1951  curlx_safefree(no_proxy);
1952
1953  if(proxy && (!*proxy || (conn->scheme->flags & PROTOPT_NONETWORK))) {
1954    curlx_free(proxy);  /* Do not bother with an empty proxy string
1955                           or if the protocol does not work with network */
1956    proxy = NULL;
1957  }
1958  if(pre_proxy && (!*pre_proxy ||
1959                    (conn->scheme->flags & PROTOPT_NONETWORK))) {
1960    curlx_free(pre_proxy);  /* Do not bother with an empty socks proxy string
1961                               or if the protocol does not work with
1962                               network */
1963    pre_proxy = NULL;
1964  }
1965
1966  /***********************************************************************
1967   * If this is supposed to use a proxy, we need to figure out the proxy host
1968   * name, proxy type and port number, so that we can reuse an existing
1969   * connection that may exist registered to the same proxy host.
1970   ***********************************************************************/
1971  if(proxy || pre_proxy) {
1972    if(pre_proxy) {
1973      result = parse_proxy(data, pre_proxy, TRUE, &conn->socks_proxy);
1974      if(result)
1975        goto out;
1976    }
1977
1978    if(proxy) {
1979      result = parse_proxy(data, proxy, FALSE, &conn->http_proxy);
1980      if(result)
1981        goto out;
1982      switch(conn->http_proxy.proxytype) {
1983      case CURLPROXY_SOCKS4:
1984      case CURLPROXY_SOCKS4A:
1985      case CURLPROXY_SOCKS5:
1986      case CURLPROXY_SOCKS5_HOSTNAME:
1987        /* Whoops, it's not a HTTP proxy */
1988        if(conn->socks_proxy.peer) {
1989          /* and we already have a SOCKS pre-proxy. Cannot have both */
1990          failf(data, "Having a SOCKS pre-proxy and proxy is not "
1991                "supported with \'%s\'", proxy);
1992          result = CURLE_COULDNT_RESOLVE_PROXY;
1993          goto out;
1994        }
1995        /* switch */
1996        conn->socks_proxy = conn->http_proxy;
1997        memset(&conn->http_proxy, 0, sizeof(conn->http_proxy));
1998        break;
1999      default:
2000        break;
2001      }
2002    }
2003
2004    if(conn->http_proxy.peer) {
2005#ifdef CURL_DISABLE_HTTP
2006      /* asking for an HTTP proxy is a bit funny when HTTP is disabled... */
2007      result = CURLE_UNSUPPORTED_PROTOCOL;
2008      goto out;
2009#else
2010      /* force this connection's protocol to become HTTP if compatible */
2011      if(!(conn->scheme->protocol & PROTO_FAMILY_HTTP)) {
2012        if((conn->scheme->flags & PROTOPT_PROXY_AS_HTTP) &&
2013           !conn->bits.tunnel_proxy)
2014          conn->scheme = &Curl_scheme_http;
2015        else
2016          /* if not converting to HTTP over the proxy, enforce tunneling */
2017          conn->bits.tunnel_proxy = TRUE;
2018      }
2019#endif
2020    }
2021    else
2022      conn->bits.tunnel_proxy = FALSE; /* no tunneling if not HTTP */
2023  }
2024
2025  conn->bits.socksproxy = !!conn->socks_proxy.peer;
2026  conn->bits.httpproxy = !!conn->http_proxy.peer;
2027  conn->bits.proxy = conn->bits.httpproxy || conn->bits.socksproxy;
2028
2029  if(!conn->bits.proxy) {
2030    /* we are not using the proxy after all... */
2031    conn->bits.proxy = FALSE;
2032    conn->bits.httpproxy = FALSE;
2033    conn->bits.socksproxy = FALSE;
2034    conn->bits.tunnel_proxy = FALSE;
2035    /* CURLPROXY_HTTPS does not have its own flag in conn->bits, yet we need
2036       to signal that CURLPROXY_HTTPS is not used for this connection */
2037    conn->http_proxy.proxytype = CURLPROXY_HTTP;
2038  }
2039
2040out:
2041
2042  curlx_free(pre_proxy);
2043  curlx_free(proxy);
2044  return result;
2045}
2046#endif /* CURL_DISABLE_PROXY */
2047
2048/*
2049 * Curl_parse_login_details()
2050 *
2051 * This is used to parse a login string for username, password and options in
2052 * the following formats:
2053 *
2054 *   user
2055 *   user:password
2056 *   user:password;options
2057 *   user;options
2058 *   user;options:password
2059 *   :password
2060 *   :password;options
2061 *   ;options
2062 *   ;options:password
2063 *
2064 * Parameters:
2065 *
2066 * login    [in]     - login string.
2067 * len      [in]     - length of the login string.
2068 * userp    [in/out] - address where a pointer to newly allocated memory
2069 *                     holding the user will be stored upon completion.
2070 * passwdp  [in/out] - address where a pointer to newly allocated memory
2071 *                     holding the password will be stored upon completion.
2072 * optionsp [in/out] - OPTIONAL address where a pointer to newly allocated
2073 *                     memory holding the options will be stored upon
2074 *                     completion.
2075 *
2076 * Returns CURLE_OK on success.
2077 */
2078CURLcode Curl_parse_login_details(const char *login, const size_t len,
2079                                  char **userp, char **passwdp,
2080                                  char **optionsp)
2081{
2082  char *ubuf = NULL;
2083  char *pbuf = NULL;
2084  const char *psep = NULL;
2085  const char *osep = NULL;
2086  size_t ulen;
2087  size_t plen;
2088  size_t olen;
2089
2090  DEBUGASSERT(userp);
2091  DEBUGASSERT(passwdp);
2092
2093  /* Attempt to find the password separator */
2094  psep = memchr(login, ':', len);
2095
2096  /* Attempt to find the options separator */
2097  if(optionsp)
2098    osep = memchr(login, ';', len);
2099
2100  /* Calculate the portion lengths */
2101  ulen = (psep ?
2102          (size_t)(osep && psep > osep ? osep - login : psep - login) :
2103          (osep ? (size_t)(osep - login) : len));
2104  plen = (psep ?
2105          (osep && osep > psep ? (size_t)(osep - psep) :
2106           (size_t)(login + len - psep)) - 1 : 0);
2107  olen = (osep ?
2108          (psep && psep > osep ? (size_t)(psep - osep) :
2109           (size_t)(login + len - osep)) - 1 : 0);
2110
2111  /* Clone the user portion buffer, which can be zero length */
2112  ubuf = curlx_memdup0(login, ulen);
2113  if(!ubuf)
2114    goto error;
2115
2116  /* Clone the password portion buffer */
2117  if(psep) {
2118    pbuf = curlx_memdup0(&psep[1], plen);
2119    if(!pbuf)
2120      goto error;
2121  }
2122
2123  /* Allocate the options portion buffer */
2124  if(optionsp) {
2125    char *obuf = NULL;
2126    if(olen) {
2127      obuf = curlx_memdup0(&osep[1], olen);
2128      if(!obuf)
2129        goto error;
2130    }
2131    *optionsp = obuf;
2132  }
2133  *userp = ubuf;
2134  *passwdp = pbuf;
2135  return CURLE_OK;
2136error:
2137  curlx_free(ubuf);
2138  curlx_free(pbuf);
2139  return CURLE_OUT_OF_MEMORY;
2140}
2141
2142#ifndef CURL_DISABLE_NETRC
2143static bool str_has_ctrl(const char *input)
2144{
2145  if(input) {
2146    const unsigned char *str = (const unsigned char *)input;
2147    while(*str) {
2148      if(*str < 0x20)
2149        return TRUE;
2150      str++;
2151    }
2152  }
2153  return FALSE;
2154}
2155#endif
2156
2157/*
2158 * Override the login details from the URL with that in the CURLOPT_USERPWD
2159 * option or a .netrc file, if applicable.
2160 */
2161static CURLcode override_login(struct Curl_easy *data,
2162                               struct connectdata *conn)
2163{
2164  CURLUcode uc;
2165  char **optionsp = &conn->options;
2166#ifndef CURL_DISABLE_NETRC
2167  struct Curl_creds *ncreds_in = NULL;
2168  struct Curl_creds *ncreds_out = NULL;
2169#endif
2170  CURLcode result = CURLE_OK;
2171  bool creds_changed = FALSE;
2172
2173  if(data->set.str[STRING_OPTIONS]) {
2174    curlx_free(*optionsp);
2175    *optionsp = curlx_strdup(data->set.str[STRING_OPTIONS]);
2176    if(!*optionsp) {
2177      result = CURLE_OUT_OF_MEMORY;
2178      goto out;
2179    }
2180  }
2181
2182#ifndef CURL_DISABLE_NETRC
2183  if(data->set.use_netrc) {
2184    /* Determine how to react on already existing credentials */
2185    if(data->set.use_netrc == CURL_NETRC_REQUIRED) {
2186      Curl_creds_unlink(&conn->creds);
2187    }
2188
2189    if(data->state.creds) {
2190      switch(data->state.creds->source) {
2191      case CREDS_OPTION:
2192        /* we never override credentials set via CURLOPT_* */
2193        goto out;
2194      case CREDS_URL:
2195        if(data->set.use_netrc == CURL_NETRC_REQUIRED) {
2196          /* use the URL user to search netrc */
2197          result = Curl_creds_create(
2198            data->state.creds->user, NULL, NULL, NULL, NULL, CREDS_URL,
2199            &ncreds_in);
2200          if(result)
2201            goto out;
2202        }
2203        else if(data->state.creds) {
2204          /* only search when something is still missing */
2205          Curl_creds_link(&ncreds_in, data->state.creds);
2206        }
2207        break;
2208      default:
2209        /* ignore credentials from other sources */
2210        break;
2211      }
2212    }
2213
2214    /* Only search in netrc when the creds are not already complete */
2215    if(!Curl_creds_has_passwd(ncreds_in)) {
2216      NETRCcode ret;
2217
2218      CURL_TRC_M(data, "netrc: find credentials for %s, user %s",
2219                 conn->origin->hostname,
2220                 Curl_creds_has_user(ncreds_in) ? ncreds_in->user : "*");
2221      ret = Curl_parsenetrc(&data->state.netrc,
2222                            conn->origin->hostname,
2223                            ncreds_in,
2224                            data->set.str[STRING_NETRC_FILE],
2225                            &ncreds_out);
2226      DEBUGASSERT(!ret || !ncreds_out);
2227      if(ret == NETRC_OUT_OF_MEMORY) {
2228        result = CURLE_OUT_OF_MEMORY;
2229        goto out;
2230      }
2231      else if(ret && ((ret == NETRC_NO_MATCH) ||
2232                      (data->set.use_netrc == CURL_NETRC_OPTIONAL))) {
2233        infof(data, "Could not find host %s in the %s file; using defaults",
2234              conn->origin->hostname,
2235              (data->set.str[STRING_NETRC_FILE] ?
2236               data->set.str[STRING_NETRC_FILE] : ".netrc"));
2237      }
2238      else if(ret) {
2239        const char *m = Curl_netrc_strerror(ret);
2240        failf(data, ".netrc error: %s", m);
2241        result = CURLE_READ_ERROR;
2242        goto out;
2243      }
2244      else if(ncreds_out) {
2245        if(!(conn->scheme->flags & PROTOPT_USERPWDCTRL)) {
2246          /* if the protocol cannot handle control codes in credentials, make
2247             sure there are none */
2248          if(str_has_ctrl(ncreds_out->user) ||
2249             str_has_ctrl(ncreds_out->passwd)) {
2250            failf(data, "control code detected in .netrc credentials");
2251            result = CURLE_READ_ERROR;
2252            goto out;
2253          }
2254        }
2255        CURL_TRC_M(data, "netrc: using credentials for %s as %s",
2256                   conn->origin->hostname, ncreds_out->user);
2257        result = Curl_creds_merge(ncreds_out->user, ncreds_out->passwd,
2258                                  data->state.creds, CREDS_NETRC,
2259                                  &data->state.creds);
2260        if(result)
2261          goto out;
2262        creds_changed = TRUE;
2263      }
2264      else
2265        DEBUGASSERT(0);
2266    }
2267  }
2268
2269#endif
2270
2271  if(creds_changed) {
2272    /* for updated strings, we update them in the URL */
2273    uc = curl_url_set(data->state.uh, CURLUPART_USER,
2274                      Curl_creds_user(data->state.creds), CURLU_URLENCODE);
2275    if(!uc)
2276      uc = curl_url_set(data->state.uh, CURLUPART_PASSWORD,
2277                        Curl_creds_passwd(data->state.creds), CURLU_URLENCODE);
2278    if(uc)
2279      result = Curl_uc_to_curlcode(uc);
2280  }
2281
2282out:
2283#ifndef CURL_DISABLE_NETRC
2284  Curl_creds_unlink(&ncreds_in);
2285  Curl_creds_unlink(&ncreds_out);
2286#endif
2287  return result;
2288}
2289
2290/*
2291 * Set the login details so they are available in the connection
2292 */
2293static CURLcode url_set_conn_login(struct Curl_easy *data,
2294                                   struct connectdata *conn)
2295{
2296  /* If our protocol needs a password and we have none, use the defaults */
2297  if((conn->scheme->flags & PROTOPT_NEEDSPWD) && !conn->creds) {
2298    if(data->state.creds)
2299      Curl_creds_link(&conn->creds, data->state.creds);
2300    else
2301      return Curl_creds_create(CURL_DEFAULT_USER, CURL_DEFAULT_PASSWORD,
2302                               NULL, NULL, NULL, CREDS_NONE, &conn->creds);
2303  }
2304  else if(!(conn->scheme->flags & PROTOPT_CREDSPERREQUEST)) {
2305    /* for protocols that do not handle credentials per request,
2306     * the connection credentials are set by the initial transfer. */
2307    Curl_creds_link(&conn->creds, data->state.creds);
2308  }
2309
2310  return CURLE_OK;
2311}
2312
2313/*
2314 * Parses one "connect to" string in the form:
2315 * "HOST:PORT:CONNECT-TO-HOST:CONNECT-TO-PORT".
2316 */
2317static CURLcode parse_connect_to_string(struct Curl_easy *data,
2318                                        const struct Curl_peer *dest,
2319                                        const char *conn_to_line,
2320                                        struct Curl_peer **pvia_dest)
2321{
2322  CURLcode result = CURLE_OK;
2323  const char *ptr = conn_to_line;
2324  bool host_match = FALSE;
2325  bool port_match = FALSE;
2326
2327  *pvia_dest = NULL;
2328
2329  if(*ptr == ':') {
2330    /* an empty hostname always matches */
2331    host_match = TRUE;
2332    ptr++;
2333  }
2334  else {
2335    /* check whether the URL's hostname matches. Use the URL hostname
2336     * when it was an IPv6 address. Otherwise use the connection's hostname
2337     * that has IDN conversion. */
2338    const char *hostname_to_match = (dest->user_hostname[0] == '[') ?
2339      dest->user_hostname : dest->hostname;
2340    size_t hlen = strlen(hostname_to_match);
2341    host_match = curl_strnequal(ptr, hostname_to_match, hlen);
2342    ptr += hlen;
2343
2344    host_match = host_match && *ptr == ':';
2345    ptr++;
2346  }
2347
2348  if(host_match) {
2349    if(*ptr == ':') {
2350      /* an empty port always matches */
2351      port_match = TRUE;
2352      ptr++;
2353    }
2354    else {
2355      /* check whether the URL's port matches */
2356      const char *ptr_next = strchr(ptr, ':');
2357      if(ptr_next) {
2358        curl_off_t port_to_match;
2359        if(!curlx_str_number(&ptr, &port_to_match, 0xffff) &&
2360           ((uint16_t)port_to_match == dest->port)) {
2361          port_match = TRUE;
2362        }
2363        ptr = ptr_next + 1;
2364      }
2365    }
2366  }
2367
2368  if(host_match && port_match && ptr && *ptr)
2369    result = Curl_peer_from_connect_to(data, dest, ptr, pvia_dest);
2370
2371  return result;
2372}
2373
2374/* With `conn->origin` known, determine if we should talk to that
2375 * directly or via another peer. This is the result of inspecting
2376 * the "connect to" slist and "alt-svc" settings. */
2377static CURLcode url_set_conn_peer(struct Curl_easy *data,
2378                                  struct connectdata *conn)
2379{
2380  CURLcode result = CURLE_OK;
2381  const struct Curl_peer *origin = conn->origin;
2382  struct Curl_peer *via_peer = NULL;
2383  struct curl_slist *conn_to_entry = data->set.connect_to;
2384
2385  DEBUGASSERT(!conn->via_peer);
2386  Curl_peer_unlink(&conn->via_peer);
2387
2388  while(conn_to_entry && !via_peer) {
2389    result = parse_connect_to_string(data, origin, conn_to_entry->data,
2390                                     &via_peer);
2391    if(result)
2392      return result;
2393    conn_to_entry = conn_to_entry->next;
2394  }
2395
2396#ifndef CURL_DISABLE_ALTSVC
2397  if(data->asi && !via_peer &&
2398     ((conn->scheme->protocol == CURLPROTO_HTTPS) ||
2399#ifdef DEBUGBUILD
2400      /* allow debug builds to circumvent the HTTPS restriction */
2401      getenv("CURL_ALTSVC_HTTP")
2402#else
2403      0
2404#endif
2405       )) {
2406    /* no connect_to match, try alt-svc! */
2407    enum alpnid srcalpnid = ALPN_none;
2408    bool hit = FALSE;
2409    struct altsvc *as = NULL;
2410    int allowed_alpns = ALPN_none;
2411    struct http_negotiation *neg = &data->state.http_neg;
2412    bool same_dest = FALSE;
2413
2414    DEBUGF(infof(data, "Alt-svc check wanted=%x, allowed=%x",
2415                 neg->wanted, neg->allowed));
2416#ifdef USE_HTTP3
2417    if(neg->allowed & CURL_HTTP_V3x)
2418      allowed_alpns |= ALPN_h3;
2419#endif
2420#ifdef USE_HTTP2
2421    if(neg->allowed & CURL_HTTP_V2x)
2422      allowed_alpns |= ALPN_h2;
2423#endif
2424    if(neg->allowed & CURL_HTTP_V1x)
2425      allowed_alpns |= ALPN_h1;
2426    allowed_alpns &= (int)data->asi->flags;
2427
2428    DEBUGF(infof(data, "check Alt-Svc for host '%s'", origin->hostname));
2429#ifdef USE_HTTP3
2430    if(!hit && (neg->wanted & CURL_HTTP_V3x)) {
2431      srcalpnid = ALPN_h3;
2432      hit = Curl_altsvc_lookup(data->asi,
2433                               ALPN_h3, origin->hostname,
2434                               origin->port, /* from */
2435                               &as /* to */,
2436                               allowed_alpns, &same_dest);
2437    }
2438#endif
2439#ifdef USE_HTTP2
2440    if(!hit && (neg->wanted & CURL_HTTP_V2x) &&
2441       !neg->h2_prior_knowledge) {
2442      srcalpnid = ALPN_h2;
2443      hit = Curl_altsvc_lookup(data->asi,
2444                               ALPN_h2, origin->hostname,
2445                               origin->port, /* from */
2446                               &as /* to */,
2447                               allowed_alpns, &same_dest);
2448    }
2449#endif
2450    if(!hit && (neg->wanted & CURL_HTTP_V1x) &&
2451       !neg->only_10) {
2452      srcalpnid = ALPN_h1;
2453      hit = Curl_altsvc_lookup(data->asi,
2454                               ALPN_h1, origin->hostname,
2455                               origin->port, /* from */
2456                               &as /* to */,
2457                               allowed_alpns, &same_dest);
2458    }
2459
2460    if(hit && same_dest) {
2461      /* same destination, but more HTTPS version options */
2462      switch(as->dst.alpnid) {
2463      case ALPN_h1:
2464        neg->wanted |= CURL_HTTP_V1x;
2465        neg->preferred = CURL_HTTP_V1x;
2466        break;
2467      case ALPN_h2:
2468        neg->wanted |= CURL_HTTP_V2x;
2469        neg->preferred = CURL_HTTP_V2x;
2470        break;
2471      case ALPN_h3:
2472        neg->wanted |= CURL_HTTP_V3x;
2473        neg->preferred = CURL_HTTP_V3x;
2474        break;
2475      default: /* should not be possible */
2476        break;
2477      }
2478    }
2479    else if(hit) {
2480      result = Curl_peer_create(data, conn->origin->scheme,
2481                                as->dst.host, as->dst.port,
2482                                &via_peer);
2483      if(result)
2484        return result;
2485      infof(data, "Alt-svc connecting from [%s]%s:%u to [%s]%s:%u",
2486            Curl_alpnid2str(srcalpnid), origin->hostname, origin->port,
2487            Curl_alpnid2str(as->dst.alpnid),
2488            via_peer->hostname, via_peer->port);
2489      conn->bits.altused = TRUE;
2490      if(srcalpnid != as->dst.alpnid) {
2491        /* protocol version switch */
2492        switch(as->dst.alpnid) {
2493        case ALPN_h1:
2494          neg->wanted = neg->allowed = CURL_HTTP_V1x;
2495          neg->only_10 = FALSE;
2496          break;
2497        case ALPN_h2:
2498          neg->wanted = neg->allowed = CURL_HTTP_V2x;
2499          break;
2500        case ALPN_h3:
2501          conn->transport_wanted = TRNSPRT_QUIC;
2502          neg->wanted = neg->allowed = CURL_HTTP_V3x;
2503          break;
2504        default: /* should not be possible */
2505          break;
2506        }
2507      }
2508    }
2509  }
2510#endif
2511
2512  if(via_peer)
2513    conn->via_peer = via_peer;
2514
2515  return result;
2516}
2517
2518/*
2519 * Adjust reused connection settings to the transfer/needle.
2520 */
2521static void url_conn_reuse_adjust(struct Curl_easy *data,
2522                                  struct connectdata *needle)
2523{
2524  struct connectdata *conn = data->conn;
2525
2526  /* get the user+password information from the needle since it may
2527   * be new for this request even when we reuse conn */
2528  if(needle->creds) {
2529    /* use the new username and password though */
2530    Curl_creds_link(&conn->creds, needle->creds);
2531  }
2532
2533#ifndef CURL_DISABLE_PROXY
2534  /* use the new proxy username and proxy password though */
2535  Curl_creds_link(&conn->http_proxy.creds, needle->http_proxy.creds);
2536  Curl_creds_link(&conn->socks_proxy.creds, needle->socks_proxy.creds);
2537#endif
2538
2539  /* Finding a connection for reuse in the cpool matches, among other
2540   * things on the "remote-relevant" hostname. This is not necessarily
2541   * the authority of the URL, e.g. conn->origin. For example:
2542   * - we use a proxy (not tunneling). we want to send all requests
2543   *   that use the same proxy on this connection.
2544   * - we have a "connect-to" setting that may redirect the hostname of
2545   *   a new request to the same remote endpoint of an existing conn.
2546   *   We want to reuse an existing conn to the remote endpoint.
2547   * Since connection reuse does not match on conn->origin necessarily, we
2548   * switch conn to needle's host settings.
2549   */
2550  Curl_peer_link(&conn->origin, needle->origin);
2551  Curl_peer_link(&conn->via_peer, needle->via_peer);
2552  Curl_peer_link(&conn->origin2, needle->origin2);
2553  Curl_peer_link(&conn->via_peer2, needle->via_peer2);
2554}
2555
2556static void conn_meta_freeentry(void *p)
2557{
2558  (void)p;
2559  /* Always FALSE. Cannot use a 0 assert here since compilers
2560   * are not in agreement if they then want a NORETURN attribute or
2561   * not. *sigh* */
2562  DEBUGASSERT(p == NULL);
2563}
2564
2565static CURLcode url_create_needle(struct Curl_easy *data,
2566                                  struct connectdata **pneedle)
2567{
2568  struct connectdata *needle = NULL;
2569  CURLcode result = CURLE_OK;
2570  bool network_scheme = TRUE; /* almost all are */
2571
2572  /*************************************************************
2573   * Check input data
2574   *************************************************************/
2575  if(!Curl_bufref_ptr(&data->state.url)) {
2576    result = CURLE_URL_MALFORMAT;
2577    goto out;
2578  }
2579
2580  /* First, split up the current URL in parts so that we can use the
2581     parts for checking against the already present connections. In order
2582     to not have to modify everything at once, we allocate a temporary
2583     connection data struct and fill in for comparison purposes. */
2584  needle = allocate_conn(data);
2585  if(!needle) {
2586    result = CURLE_OUT_OF_MEMORY;
2587    goto out;
2588  }
2589
2590  /* Do the unfailable inits first, before checks that may early return */
2591  Curl_hash_init(&needle->meta_hash, 23,
2592                 Curl_hash_str, curlx_str_key_compare, conn_meta_freeentry);
2593
2594  /*************************************************************
2595   * Determine `conn->origin` and propulate `data->state.up` and
2596   * other URL related properties.
2597   *************************************************************/
2598  result = parseurlandfillconn(data, needle);
2599  if(result)
2600    goto out;
2601  DEBUGASSERT(needle->origin);
2602  network_scheme = !(needle->origin->scheme->flags & PROTOPT_NONETWORK);
2603
2604#ifdef USE_UNIX_SOCKETS
2605  /*************************************************************
2606   * Set UDS first. It overrides "via_peer" and proxy settings.
2607   *************************************************************/
2608  if(network_scheme && data->set.str[STRING_UNIX_SOCKET_PATH]) {
2609    result = Curl_peer_uds_create(needle->origin->scheme,
2610                                  data->set.str[STRING_UNIX_SOCKET_PATH],
2611                                  (bool)data->set.abstract_unix_socket,
2612                                  &needle->via_peer);
2613    if(result)
2614      goto out;
2615  }
2616#endif /* USE_UNIX_SOCKETS */
2617
2618  if(network_scheme && !needle->via_peer) {
2619    /*************************************************************
2620     * If the `via_peer` is not already set (via UDS above),
2621     * determine if we talk to `conn->origin` directly or use
2622     * `conn->via_peer` using "connect to" and "alt-svc" properties.
2623     *************************************************************/
2624    result = url_set_conn_peer(data, needle);
2625    if(result)
2626      goto out;
2627  }
2628
2629#ifndef CURL_DISABLE_PROXY
2630  /* After the Unix socket init but before the proxy vars are used, parse and
2631   * initialize the proxy settings.
2632   * Any UDS `via_peer` disables proxies. */
2633  if(network_scheme && !(needle->via_peer && needle->via_peer->unix_socket)) {
2634    result = url_set_conn_proxies(data, needle);
2635    if(result)
2636      goto out;
2637
2638    /*************************************************************
2639     * If the protocol is using SSL and HTTP proxy is used, we set
2640     * the tunnel_proxy bit.
2641     *************************************************************/
2642    if((needle->given->flags & PROTOPT_SSL) && needle->bits.httpproxy)
2643      needle->bits.tunnel_proxy = TRUE;
2644  }
2645#endif /* CURL_DISABLE_PROXY */
2646
2647  /* Check for overridden login details and set them accordingly so that
2648     they are known when protocol->setup_connection is called! */
2649  result = override_login(data, needle);
2650  if(result)
2651    goto out;
2652
2653  result = url_set_conn_login(data, needle); /* default credentials */
2654  if(result)
2655    goto out;
2656
2657  /*************************************************************
2658   * Check whether the host and the "connect to host" are equal.
2659   * Do this after the hostnames have been IDN-converted.
2660   *************************************************************/
2661  if(Curl_peer_equal(needle->origin, needle->via_peer)) {
2662    Curl_peer_unlink(&needle->via_peer);
2663  }
2664
2665#ifndef CURL_DISABLE_PROXY
2666  /*************************************************************
2667   * If the "connect to" feature is used with an HTTP proxy,
2668   * we set the tunnel_proxy bit.
2669   *************************************************************/
2670  if(needle->via_peer && needle->bits.httpproxy)
2671    needle->bits.tunnel_proxy = TRUE;
2672#endif
2673
2674  /*************************************************************
2675   * Setup internals depending on protocol. Needs to be done after
2676   * we figured out what/if proxy to use.
2677   *************************************************************/
2678  result = setup_connection_internals(data, needle);
2679  if(result)
2680    goto out;
2681
2682  if(needle->scheme->flags & PROTOPT_ALPN) {
2683    /* The protocol wants it, so set the bits if enabled in the easy handle
2684       (default) */
2685    if(data->set.ssl_enable_alpn)
2686      needle->bits.tls_enable_alpn = TRUE;
2687  }
2688
2689  if(network_scheme) {
2690    /* Setup callbacks for network connections */
2691    needle->recv[FIRSTSOCKET] = Curl_cf_recv;
2692    needle->send[FIRSTSOCKET] = Curl_cf_send;
2693    needle->recv[SECONDARYSOCKET] = Curl_cf_recv;
2694    needle->send[SECONDARYSOCKET] = Curl_cf_send;
2695    needle->bits.tcp_fastopen = data->set.tcp_fastopen;
2696#ifdef USE_UNIX_SOCKETS
2697    if(Curl_conn_get_first_peer(needle, FIRSTSOCKET)->unix_socket)
2698      needle->transport_wanted = TRNSPRT_UNIX;
2699#endif
2700  }
2701
2702out:
2703  if(!result) {
2704    DEBUGASSERT(needle);
2705    DEBUGASSERT(needle->origin);
2706    *pneedle = needle;
2707  }
2708  else {
2709    *pneedle = NULL;
2710    if(needle)
2711      Curl_conn_free(data, needle);
2712  }
2713  return result;
2714}
2715
2716/**
2717 * Find an existing connection for the transfer or create a new one.
2718 * Returns
2719 * - CURLE_OK on success with a connection attached to data
2720 * - CURLE_NO_CONNECTION_AVAILABLE when connection limits apply or when
2721 *   a suitable connection has not determined its multiplex capability.
2722 * - a fatal error
2723 */
2724static CURLcode url_find_or_create_conn(struct Curl_easy *data)
2725{
2726  struct connectdata *needle = NULL;
2727  bool waitpipe = FALSE;
2728  CURLcode result;
2729
2730  /* create the template connection for transfer data. Use this needle to
2731   * find an existing connection or, if none exists, convert needle
2732   * to a full connection and attach it to data. */
2733  result = url_create_needle(data, &needle);
2734  if(result)
2735    goto out;
2736  DEBUGASSERT(needle);
2737
2738  /***********************************************************************
2739   * file: is a special case in that it does not need a network connection
2740   ***********************************************************************/
2741#ifndef CURL_DISABLE_FILE
2742  if(needle->scheme->flags & PROTOPT_NONETWORK) {
2743    bool done;
2744    /* this is supposed to be the connect function so we better at least check
2745       that the file is present here! */
2746    DEBUGASSERT(needle->scheme->run->connect_it);
2747    data->info.conn_scheme = needle->scheme->name;
2748    /* conn_protocol can only provide "old" protocols */
2749    data->info.conn_protocol = (needle->scheme->protocol) & CURLPROTO_MASK;
2750    result = needle->scheme->run->connect_it(data, &done);
2751    if(result)
2752      goto out;
2753
2754    /* Setup a "faked" transfer that will do nothing */
2755    Curl_attach_connection(data, needle);
2756    needle = NULL;
2757    result = Curl_cpool_add(data, data->conn);
2758    if(!result) {
2759      /* Setup whatever necessary for a resumed transfer */
2760      result = setup_range(data);
2761      if(!result) {
2762        Curl_xfer_setup_nop(data);
2763        result = Curl_init_do(data, data->conn);
2764      }
2765    }
2766
2767    if(result) {
2768      DEBUGASSERT(data->conn->scheme->run->done);
2769      /* we ignore the return code for the protocol-specific DONE */
2770      (void)data->conn->scheme->run->done(data, result, FALSE);
2771    }
2772    goto out;
2773  }
2774#endif
2775
2776  /* Complete the easy's SSL configuration for connection cache matching */
2777  result = Curl_ssl_easy_config_complete(data);
2778  if(result)
2779    goto out;
2780
2781  /* Get rid of any dead connections so limit are easier kept. */
2782  Curl_cpool_prune_dead(data);
2783
2784  /*************************************************************
2785   * Reuse of existing connection is not allowed when
2786   * - connect_only is set or
2787   * - reuse_fresh is set and this is not a follow-up request
2788   *   (like with HTTP followlocation)
2789   *************************************************************/
2790  if((!data->set.reuse_fresh || data->state.followlocation) &&
2791     !data->set.connect_only) {
2792    /* Ok, try to find and attach an existing one */
2793    url_attach_existing(data, needle, &waitpipe);
2794  }
2795
2796  if(data->conn) {
2797    /* We attached an existing connection for this transfer. Copy
2798     * over transfer specific properties over from needle. */
2799    struct connectdata *conn = data->conn;
2800    VERBOSE(bool tls_upgraded = (!(needle->given->flags & PROTOPT_SSL) &&
2801                                 Curl_conn_is_ssl(conn, FIRSTSOCKET)));
2802
2803    conn->bits.reuse = TRUE;
2804    url_conn_reuse_adjust(data, needle);
2805
2806#ifndef CURL_DISABLE_PROXY
2807    infof(data, "Reusing existing %s: connection%s with %s %s",
2808          conn->given->name,
2809          tls_upgraded ? " (upgraded to SSL)" : "",
2810          conn->bits.proxy ? "proxy" : "host",
2811          conn->socks_proxy.peer ? conn->socks_proxy.peer->user_hostname :
2812          conn->http_proxy.peer ? conn->http_proxy.peer->user_hostname :
2813          conn->origin->hostname);
2814#else
2815    infof(data, "Reusing existing %s: connection%s with host %s",
2816          conn->given->name,
2817          tls_upgraded ? " (upgraded to SSL)" : "",
2818          conn->origin->hostname);
2819#endif
2820  }
2821  else {
2822    /* We have decided that we want a new connection. We may not be able to do
2823       that if we have reached the limit of how many connections we are
2824       allowed to open. */
2825    DEBUGF(infof(data, "new connection, bits.close=%d", needle->bits.close));
2826
2827    if(waitpipe) {
2828      /* There is a connection that *might* become usable for multiplexing
2829         "soon", and we wait for that */
2830      infof(data, "Waiting on connection to negotiate possible multiplexing.");
2831      result = CURLE_NO_CONNECTION_AVAILABLE;
2832      goto out;
2833    }
2834    else {
2835      switch(Curl_cpool_check_limits(data, needle)) {
2836      case CPOOL_LIMIT_DEST:
2837        infof(data, "No more connections allowed to host");
2838        result = CURLE_NO_CONNECTION_AVAILABLE;
2839        goto out;
2840      case CPOOL_LIMIT_TOTAL:
2841        if(data->master_mid != UINT32_MAX)
2842          CURL_TRC_M(data, "Allowing sub-requests (like DoH) to override "
2843                     "max connection limit");
2844        else {
2845          infof(data, "No connections available, total of %zu reached.",
2846                data->multi->max_total_connections);
2847          result = CURLE_NO_CONNECTION_AVAILABLE;
2848          goto out;
2849        }
2850        break;
2851      default:
2852        break;
2853      }
2854    }
2855
2856    /* Convert needle into a full connection by filling in all the
2857     * remaining parts like the cloned SSL configuration. */
2858    result = Curl_ssl_conn_config_init(data, needle);
2859    if(result) {
2860      DEBUGF(curl_mfprintf(stderr, "Error: init connection ssl config\n"));
2861      goto out;
2862    }
2863    /* attach it and no longer own it */
2864    Curl_attach_connection(data, needle);
2865    needle = NULL;
2866
2867    result = Curl_cpool_add(data, data->conn);
2868    if(result)
2869      goto out;
2870
2871#ifdef USE_NTLM
2872    /* If NTLM is requested in a part of this connection, make sure we do not
2873       assume the state is fine as this is a fresh connection and NTLM is
2874       connection based. */
2875    if((data->state.authhost.picked & CURLAUTH_NTLM) &&
2876       data->state.authhost.done) {
2877      infof(data, "NTLM picked AND auth done set, clear picked");
2878      data->state.authhost.picked = CURLAUTH_NONE;
2879      data->state.authhost.done = FALSE;
2880    }
2881
2882    if((data->state.authproxy.picked & CURLAUTH_NTLM) &&
2883       data->state.authproxy.done) {
2884      infof(data, "NTLM-proxy picked AND auth done set, clear picked");
2885      data->state.authproxy.picked = CURLAUTH_NONE;
2886      data->state.authproxy.done = FALSE;
2887    }
2888#endif
2889  }
2890
2891  /* Setup and init stuff before DO starts, in preparing for the transfer. */
2892  result = Curl_init_do(data, data->conn);
2893  if(result)
2894    goto out;
2895
2896  /* Setup whatever necessary for a resumed transfer */
2897  result = setup_range(data);
2898  if(result)
2899    goto out;
2900
2901  /* persist the scheme and handler the transfer is using */
2902  data->info.conn_scheme = data->conn->scheme->name;
2903  /* conn_protocol can only provide "old" protocols */
2904  data->info.conn_protocol = (data->conn->scheme->protocol) & CURLPROTO_MASK;
2905  data->info.used_proxy =
2906#ifdef CURL_DISABLE_PROXY
2907    0
2908#else
2909    data->conn->bits.proxy
2910#endif
2911    ;
2912
2913  /* Lastly, inform connection filters that a new transfer is attached */
2914  result = Curl_conn_ev_data_setup(data);
2915
2916out:
2917  if(needle)
2918    Curl_conn_free(data, needle);
2919  DEBUGASSERT(result || data->conn);
2920  return result;
2921}
2922
2923CURLcode Curl_connect(struct Curl_easy *data, bool *pconnected)
2924{
2925  CURLcode result;
2926  struct connectdata *conn;
2927
2928  *pconnected = FALSE;
2929
2930  /* Set the request to virgin state based on transfer settings */
2931  Curl_req_hard_reset(&data->req, data);
2932
2933  /* Get or create a connection for the transfer. */
2934  result = url_find_or_create_conn(data);
2935  conn = data->conn;
2936
2937  if(result)
2938    goto out;
2939
2940  DEBUGASSERT(conn);
2941  Curl_pgrsTime(data, TIMER_POSTQUEUE);
2942  if(conn->bits.reuse) {
2943    if(conn->attached_xfers > 1)
2944      /* multiplexed */
2945      *pconnected = TRUE;
2946  }
2947  else if(conn->scheme->flags & PROTOPT_NONETWORK) {
2948    Curl_pgrsTime(data, TIMER_NAMELOOKUP);
2949    *pconnected = TRUE;
2950  }
2951  else {
2952    result = Curl_conn_setup(data, conn, FIRSTSOCKET, CURL_CF_SSL_DEFAULT);
2953    if(!result)
2954      result = Curl_headers_init(data);
2955    CURL_TRC_M(data, "Curl_conn_setup() -> %d", result);
2956  }
2957
2958out:
2959  if(result == CURLE_NO_CONNECTION_AVAILABLE)
2960    DEBUGASSERT(!conn);
2961
2962  if(result && conn) {
2963    /* We are not allowed to return failure with memory left allocated in the
2964       connectdata struct, free those here */
2965    Curl_detach_connection(data);
2966    Curl_conn_terminate(data, conn, TRUE);
2967  }
2968
2969  return result;
2970}
2971
2972/*
2973 * Curl_init_do() inits the readwrite session. This is inited each time (in
2974 * the DO function before the protocol-specific DO functions are invoked) for
2975 * a transfer, sometimes multiple times on the same Curl_easy. Make sure
2976 * nothing in here depends on stuff that are setup dynamically for the
2977 * transfer.
2978 *
2979 * Allow this function to get called with 'conn' set to NULL.
2980 */
2981
2982CURLcode Curl_init_do(struct Curl_easy *data, struct connectdata *conn)
2983{
2984  CURLcode result;
2985
2986  if(conn) {
2987    conn->bits.do_more = FALSE; /* by default there is no curl_do_more() to
2988                                   use */
2989    /* if the protocol used does not support wildcards, switch it off */
2990    if(data->state.wildcardmatch &&
2991       !(conn->scheme->flags & PROTOPT_WILDCARD))
2992      data->state.wildcardmatch = FALSE;
2993  }
2994
2995  data->state.done = FALSE; /* *_done() is not called yet */
2996
2997  data->req.no_body = data->set.opt_no_body;
2998  if(data->req.no_body)
2999    /* in HTTP lingo, no body means using the HEAD request... */
3000    data->state.httpreq = HTTPREQ_HEAD;
3001
3002  result = Curl_req_start(&data->req, data);
3003  if(!result) {
3004    Curl_pgrsReset(data);
3005  }
3006  return result;
3007}
3008
3009#if defined(USE_HTTP2) || defined(USE_HTTP3)
3010
3011#ifdef USE_NGHTTP2
3012
3013static void priority_remove_child(struct Curl_easy *parent,
3014                                  struct Curl_easy *child)
3015{
3016  struct Curl_data_prio_node **pnext = &parent->set.priority.children;
3017  struct Curl_data_prio_node *pnode = parent->set.priority.children;
3018
3019  DEBUGASSERT(child->set.priority.parent == parent);
3020  while(pnode && pnode->data != child) {
3021    pnext = &pnode->next;
3022    pnode = pnode->next;
3023  }
3024
3025  DEBUGASSERT(pnode);
3026  if(pnode) {
3027    *pnext = pnode->next;
3028    curlx_free(pnode);
3029  }
3030
3031  child->set.priority.parent = 0;
3032  child->set.priority.exclusive = FALSE;
3033}
3034
3035CURLcode Curl_data_priority_add_child(struct Curl_easy *parent,
3036                                      struct Curl_easy *child,
3037                                      bool exclusive)
3038{
3039  if(child->set.priority.parent) {
3040    priority_remove_child(child->set.priority.parent, child);
3041  }
3042
3043  if(parent) {
3044    struct Curl_data_prio_node **tail;
3045    struct Curl_data_prio_node *pnode;
3046
3047    pnode = curlx_calloc(1, sizeof(*pnode));
3048    if(!pnode)
3049      return CURLE_OUT_OF_MEMORY;
3050    pnode->data = child;
3051
3052    if(parent->set.priority.children && exclusive) {
3053      /* exclusive: move all existing children underneath the new child */
3054      struct Curl_data_prio_node *node = parent->set.priority.children;
3055      while(node) {
3056        node->data->set.priority.parent = child;
3057        node = node->next;
3058      }
3059
3060      tail = &child->set.priority.children;
3061      while(*tail)
3062        tail = &(*tail)->next;
3063
3064      DEBUGASSERT(!*tail);
3065      *tail = parent->set.priority.children;
3066      parent->set.priority.children = 0;
3067    }
3068
3069    tail = &parent->set.priority.children;
3070    while(*tail) {
3071      (*tail)->data->set.priority.exclusive = FALSE;
3072      tail = &(*tail)->next;
3073    }
3074
3075    DEBUGASSERT(!*tail);
3076    *tail = pnode;
3077  }
3078
3079  child->set.priority.parent = parent;
3080  child->set.priority.exclusive = exclusive;
3081  return CURLE_OK;
3082}
3083
3084#endif /* USE_NGHTTP2 */
3085
3086#ifdef USE_NGHTTP2
3087static void data_priority_cleanup(struct Curl_easy *data)
3088{
3089  while(data->set.priority.children) {
3090    struct Curl_easy *tmp = data->set.priority.children->data;
3091    priority_remove_child(data, tmp);
3092    if(data->set.priority.parent)
3093      Curl_data_priority_add_child(data->set.priority.parent, tmp, FALSE);
3094  }
3095
3096  if(data->set.priority.parent)
3097    priority_remove_child(data->set.priority.parent, data);
3098}
3099#endif
3100
3101void Curl_data_priority_clear_state(struct Curl_easy *data)
3102{
3103  memset(&data->state.priority, 0, sizeof(data->state.priority));
3104}
3105
3106#endif /* USE_HTTP2 || USE_HTTP3 */
3107
3108CURLcode Curl_conn_meta_set(struct connectdata *conn, const char *key,
3109                            void *meta_data, Curl_meta_dtor *meta_dtor)
3110{
3111  if(!Curl_hash_add2(&conn->meta_hash, CURL_UNCONST(key), strlen(key) + 1,
3112                     meta_data, meta_dtor)) {
3113    meta_dtor(CURL_UNCONST(key), strlen(key) + 1, meta_data);
3114    return CURLE_OUT_OF_MEMORY;
3115  }
3116  return CURLE_OK;
3117}
3118
3119void Curl_conn_meta_remove(struct connectdata *conn, const char *key)
3120{
3121  Curl_hash_delete(&conn->meta_hash, CURL_UNCONST(key), strlen(key) + 1);
3122}
3123
3124void *Curl_conn_meta_get(struct connectdata *conn, const char *key)
3125{
3126  return Curl_hash_pick(&conn->meta_hash, CURL_UNCONST(key), strlen(key) + 1);
3127}
3128
3129CURLcode Curl_1st_fatal(CURLcode r1, CURLcode r2)
3130{
3131  if(r1 && (r1 != CURLE_AGAIN))
3132    return r1;
3133  if(r2 && (r2 != CURLE_AGAIN))
3134    return r2;
3135  return r1;
3136}