aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2014-07-23docs: Improve inline GSS-API naming in code documentationMichael Osipov
2014-07-23curl.h/features: Deprecate GSS-Negotiate macros due to bad namingMichael Osipov
- Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE - CURL_VERSION_GSSNEGOTIATE is deprecated which is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and CURUL_VERSION_SPNEGO now. - Remove display of feature 'GSS-Negotiate'
2014-07-23configure/features: Add feature and version info for GSS-API and SPNEGOMichael Osipov
2014-07-23HTTP: Remove checkprefix("GSS-Negotiate")Michael Osipov
That auth mech has never existed neither on MS nor on Unix side. There is only Negotiate over SPNEGO.
2014-07-23curl_gssapi: Add macros for common mechs and pass them appropriatelyMichael Osipov
Macros defined: KRB5_MECHANISM and SPNEGO_MECHANISM called from HTTP, FTP and SOCKS on Unix
2014-07-22CONNECT: Revert Curl_proxyCONNECT back to 7.29.0 designDaniel Stenberg
This reverts commit cb3e6dfa3511 and instead fixes the problem differently. The reverted commit addressed a test failure in test 1021 by simplifying and generalizing the code flow in a way that damaged the performance. Now we modify the flow so that Curl_proxyCONNECT() again does as much as possible in one go, yet still do test 1021 with and without valgrind. It failed due to mistakes in the multi state machine. Bug: http://curl.haxx.se/bug/view.cgi?id=1397 Reported-by: Paul Saab
2014-07-22url.c: use the preferred symbol name: *READDATAMarcel Raad
with CURL_NO_OLDIES defined, it doesn't compile because this deprecated symbol (*INFILE) is used Bug: http://curl.haxx.se/bug/view.cgi?id=1398
2014-07-19CURLOPT_CHUNK_BGN_FUNCTION: fix typoAlessandro Ghedini
2014-07-18build: link curl to NSS libraries when NSS support is enabledAlessandro Ghedini
This fixes a build failure on Debian caused by commit 24c3cdce88f39731506c287cb276e8bf4a1ce393. Bug: http://curl.haxx.se/mail/lib-2014-07/0209.html
2014-07-17build: Removed unnecessary XML Documentation file directive from VC8 to VC12Steve Holme
The curl tool project files for VC8 to VC12 would set this setting to $(IntDir) which is the Visual Studio default value. To avoid confusion when viewing settings from within Visual Studio and for consistency with the libcurl project files removed this setting. Conflicts: projects/Windows/VC10/src/curlsrc.tmpl projects/Windows/VC11/src/curlsrc.tmpl projects/Windows/VC12/src/curlsrc.tmpl projects/Windows/VC8/src/curlsrc.tmpl projects/Windows/VC9/src/curlsrc.tmpl
2014-07-17build: Removed unnecessary Precompiled Header file directive in VC7 to VC12Steve Holme
The curl tool project files for VC7 to VC12 would set this settings to $(IntDir)$(TargetName).pch which is the Visual Studio default value. To avoid confusion when viewing settings from within Visual Studio and for consistency with the libcurl project files removed this setting. Conflicts: projects/Windows/VC10/src/curlsrc.tmpl projects/Windows/VC11/src/curlsrc.tmpl projects/Windows/VC12/src/curlsrc.tmpl projects/Windows/VC8/src/curlsrc.tmpl projects/Windows/VC9/src/curlsrc.tmpl
2014-07-17build: Removed unnecessary ASM and Object file directives in VC7 to VC12Steve Holme
The curl tool project files for VC7 to VC12 would set these settings to $(IntDir) which is the Visual Studio default value. To avoid confusion when viewing settings from within Visual Studio and for consistency with the libcurl project files removed these two settings.
2014-07-17src/Makefile.am: add .DELETE_ON_ERRORDave Reisner
This prevents targets like tool_hugehelp.c from leaving around half-constructed files if the rule fails with GNU make. Reported-by: Rafaël Carré <funman@videolan.org>
2014-07-17THANKS: added new contributors from 7.37.1 announcementDaniel Stenberg
2014-07-17testcurl.pl: log the value of --runtestopts in the test headerDan Fandrich
2014-07-16RELEASE-NOTES: cleared, working towards next releaseDaniel Stenberg
2014-07-16curl_gssapi.c: make line shorter than 80 columnsDaniel Stenberg
2014-07-16Fix negotiate auth to proxies to track correct stateDavid Woodhouse
2014-07-16Don't abort Negotiate auth when the server has a response for usDavid Woodhouse
It's wrong to assume that we can send a single SPNEGO packet which will complete the authentication. It's a *negotiation* — the clue is in the name. So make sure we handle responses from the server. Curl_input_negotiate() will already handle bailing out if it thinks the state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps talking to us, so we should avoid endless loops that way.
2014-07-16Don't clear GSSAPI state between each exchange in the negotiationDavid Woodhouse
GSSAPI doesn't work very well if we forget everything ever time. XX: Is Curl_http_done() the right place to do the final cleanup?
2014-07-16Use SPNEGO for HTTP NegotiateDavid Woodhouse
This is the correct way to do SPNEGO. Just ask for it Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket isn't available. Of course, we bail out when the server responds with the challenge packet, since we don't expect that. But I'll fix that bug next...
2014-07-16Remove all traces of FBOpenSSL SPNEGO supportDavid Woodhouse
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which allows client and server to negotiate the underlying mechanism which will actually be used to authenticate. This is *often* Kerberos, and can also be NTLM and other things. And to complicate matters, there are various different OIDs which can be used to specify the Kerberos mechanism too. A SPNEGO exchange will identify *which* GSSAPI mechanism is being used, and will exchange GSSAPI tokens which are appropriate for that mechanism. But this SPNEGO implementation just strips the incoming SPNEGO packet and extracts the token, if any. And completely discards the information about *which* mechanism is being used. Then we *assume* it was Kerberos, and feed the token into gss_init_sec_context() with the default mechanism (GSS_S_NO_OID for the mech_type argument). Furthermore... broken as this code is, it was never even *used* for input tokens anyway, because higher layers of curl would just bail out if the server actually said anything *back* to us in the negotiation. We assume that we send a single token to the server, and it accepts it. If the server wants to continue the exchange (as is required for NTLM and for SPNEGO to do anything useful), then curl was broken anyway. So the only bit which actually did anything was the bit in Curl_output_negotiate(), which always generates an *initial* SPNEGO token saying "Hey, I support only the Kerberos mechanism and this is its token". You could have done that by manually just prefixing the Kerberos token with the appropriate bytes, if you weren't going to do any proper SPNEGO handling. There's no need for the FBOpenSSL library at all. The sane way to do SPNEGO is just to *ask* the GSSAPI library to do SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context() is for. And then it should all Just Work™. That 'sane way' will be added in a subsequent patch, as will bug fixes for our failure to handle any exchange other than a single outbound token to the server which results in immediate success.
2014-07-16ntlm_wb: Avoid invoking ntlm_auth helper with empty usernameDavid Woodhouse
2014-07-16ntlm_wb: Fix hard-coded limit on NTLM auth packet sizeDavid Woodhouse
Bumping it to 1KiB in commit aaaf9e50ec is all very well, but having hit a hard limit once let's just make it cope by reallocating as necessary.
2014-07-16RELEASE-NOTES: synced with 4cb2521595Daniel Stenberg
2014-07-16test506: verify aa6884845168Daniel Stenberg
After the fixed cookie lock deadlock, this test now passes and it detects double-locking and double-unlocking of mutexes.
2014-07-15cookie: avoid mutex deadlockYousuke Kimoto
... by removing the extra mutex locks around th call to Curl_flush_cookies() which takes care of the locking itself already. Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html
2014-07-15gnutls: fix compiler warningDaniel Stenberg
conversion to 'int' from 'long int' may alter its value
2014-07-15test320: strip off the actual negotiated cipher widthDan Fandrich
It's irrelevant to the test, and will change depending on which SSL library is being used by libcurl.
2014-07-14gnutls: detect lack of SRP support in GnuTLS at run-time and try withoutDan Fandrich
Reported-by: David Woodhouse
2014-07-14configure: respect host tool prefix for krb5-configMichał Górny
Use ${host_alias}-krb5-config if available. This improves cross- compilation support and fixes multilib on Gentoo (at least).
2014-07-14gnutls: handle IP address in cert name checkDavid Woodhouse
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function didn't actually check IP addresses in SubjectAltName, even though it was explicitly documented as doing so. So do it ourselves...
2014-07-14build: set _POSIX_PTHREAD_SEMANTICS on Solaris to get proper getpwuid_rDan Fandrich
2014-07-14RELEASE-NOTES: next one is called 7.37.1Daniel Stenberg
2014-07-13gnutls: improved error message if setting cipher list failsDan Fandrich
Reported-by: David Woodhouse
2014-07-13netrc: fixed thread safety problem by using getpwuid_r if availableDan Fandrich
The old way using getpwuid could cause problems in programs that enable reading from netrc files simultaneously in multiple threads. Reported-by: David Woodhouse
2014-07-12RELEASE-NOTES: add the reporter of the previous bug fixDan Fandrich
2014-07-12netrc: treat failure to find home dir same as missing netrc fileDan Fandrich
This previously caused a fatal error (with a confusing error code, at that). Reported by: Glen A Johnson Jr.
2014-07-12RELEASE-NOTES: Synced with aaaf9e50ecSteve Holme
2014-07-12ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessionsSteve Holme
Bug: http://curl.haxx.se/mail/lib-2014-07/0103.html Reported-by: David Woodhouse
2014-07-12build: Fixed overridden compiler PDB settings in VC7 to VC12Steve Holme
The curl tool project files for VC7 to VC12 would override the default setting with the output filename being the same as the linker PDB file. As such the compiler file would be overwritten with the linker file for all debug builds. To avoid this overwrite and for consistency with the libcurl project files, removed the setting to force the default filename to be used.
2014-07-12tests: added globbing keyword to URL globbing testsDan Fandrich
2014-07-12Fixed some "statement not reached" warningsDan Fandrich
2014-07-12gnutls: fixed a couple of uninitialized variable referencesDan Fandrich
2014-07-12gnutls: fixed compilation against versions < 2.12.0Dan Fandrich
The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but the code path in which they're referenced here is only ever used for somewhat older GnuTLS versions. This caused undeclared identifier errors when compiling against those.
2014-07-12gnutls: explicitly added SRP to the priority stringDan Fandrich
This seems to have become necessary for SRP support to work starting with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS before the function that takes this priority string, there should be no issue with backward compatibility.
2014-07-11tests: adjust for capitalization differences in newer gnutls-servDan Fandrich
2014-07-11test320/1/2/4: fix the port number substitution variablesDan Fandrich
These tests have been broken since commit 1958fe57 in Oct. 2011
2014-07-11tests: document more test identifiers and variablesDan Fandrich
2014-07-11gnutls: ignore invalid certificate dates with VERIFYPEER disabledDan Fandrich
This makes the behaviour consistent with what happens if a date can be extracted from the certificate but is expired.