aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2012-11-12Digst: Add microseconds into nounce calculationGabriel Sjoberg
When using only 1 second precision, curl doesn't create new cnonce values quickly enough for all uses. For example, issuing the following command multiple times to a recent Tomcat causes authentication failures: curl --digest -utest:test http://tomcat.test.com:8080/manager/list This is because curl uses the same cnonce for several seconds, but doesn't increment the nonce counter.  Tomcat correctly interprets this as a replay attack and rejects the request. When microsecond-precision is available, this commit causes curl to change cnonce values much more frequently. With microsecond resolution, increasing the nounce length used in the headers to 32 was made to further reduce the risk of duplication.
2012-11-12SCP/SFTP: improve error code used for send failuresDaniel Stenberg
Instead of relying on the generic CURLE error for SCP or SFTP send failures, try passing back a more suitable error if possible.
2012-11-12Curl_write: remove unneeded typecastDaniel Stenberg
2012-11-09tool_metalink: allow to use hash algorithms provided by NSSKamil Dudka
Fixes bug #3578163: http://sourceforge.net/tracker/?func=detail&atid=100976&aid=3578163&group_id=976
2012-11-09tool_metalink: allow to handle failure of hash alg initializationKamil Dudka
2012-11-09tool_metalink: introduce metalink_cleanup() in the internal APIKamil Dudka
... to release resources allocated at global scope
2012-11-08hostcheck: only build for the actual usersDaniel Stenberg
and make local function static
2012-11-08SSL: Several SSL-backend related fixesOscar Koeroo
axTLS: This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend. Generic for OpenSSL and axTLS: Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c files to make them genericly available for both the OpenSSL, axTLS and other SSL backends. They are now in the new lib/hostcheck.c file. CyaSSL: CyaSSL now also has the RFC2818 checks enabled by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too. Schannel: Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist). PolarSSL: Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower then PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0. Generic: All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.
2012-11-08libcurl: VERSIONINFO updateDaniel Stenberg
Since we added the curl_multi_wait function, the VERSIONINFO needed updating. Reported by: Patrick Monnerat
2012-11-08Added .def file to output.Guenter Knauf
Requested by Johnny Luong on the libcurl list.
2012-11-08Added deps for static metalink-aware MinGW builds.Guenter Knauf
2012-11-08Fix compilation of lib1501Fabian Keil
2012-11-08Curl_readwrite: remove debug outputDaniel Stenberg
The text "additional stuff not fine" text was added for debug purposes a while ago, but it isn't really helping anyone and for some reason some Linux distributions provide their libcurls built with debug info still present and thus (far too many) users get to read this info.
2012-11-07RELEASE-NOTES: synced with 487538e87a3d5eDaniel Stenberg
6 new bugfixes and 3 more contributors...
2012-11-07http_perhapsrewind: consider NTLM over proxy tooDaniel Stenberg
The logic previously checked for a started NTLM negotiation only for host and not also with proxy, leading to problems doing POSTs over a proxy NTLM that are larger than 2000 bytes. Now it includes proxy in the check. Bug: http://curl.haxx.se/bug/view.cgi?id=3582321 Reported by: John Suprock
2012-11-07Curl_connecthost: friendlier "couldn't connect" messageLars Buitinck
2012-11-06test1413: verify redirects to URLs with fragmentsDaniel Stenberg
The bug report claimed it didn't work. This problem was probably fixed in 473003fbdf. Bug: http://curl.haxx.se/bug/view.cgi?id=3581898
2012-11-06URL parser: cut off '#' fragments from URLs (better)Daniel Stenberg
The existing logic only cut off the fragment from the separate 'path' buffer which is used when sending HTTP to hosts. The buffer that held the full URL used for proxies were not dealt with. It is now. Test case 5 was updated to use a fragment on a URL over a proxy. Bug: http://curl.haxx.se/bug/view.cgi?id=3579813
2012-11-06OpenSSL/servercert: use correct buffer size, not size of pointerDaniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=3579286
2012-11-06curl: set CURLOPT_SSL_VERIFYHOST to 0 to disableDaniel Stenberg
2012-11-06test 2027/2030: take duplicate Digest requests into accountDaniel Stenberg
With the reversion of ce8311c7e49eca and the new clear logic, this flaw is present and we allow it.
2012-11-06Curl_pretransfer: clear out unwanted auth methodsDaniel Stenberg
As a handle can be re-used after having done HTTP auth in a previous request, it must make sure to clear out the HTTP types that aren't wanted in this new request.
2012-11-06test1412: verify Digest with repeated URLsDaniel Stenberg
This test case verifies that bug 3582718 is fixed. Bug: http://curl.haxx.se/bug/view.cgi?id=3582718 Reported by: Nick Zitzmann (originally)
2012-11-06Revert "Zero out auth structs before transfer"Daniel Stenberg
This reverts commit ce8311c7e49eca93c136b58efa6763853541ec97. The commit made test 2024 work but caused a regression with repeated Digest authentication. We need to fix this differently.
2012-11-06CURLOPT_SSL_VERIFYHOST: stop supporting the 1 valueDaniel Stenberg
After a research team wrote a document[1] that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option were all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have an as thin layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position. [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
2012-11-06gnutls: fix compiler warningsDaniel Stenberg
2012-11-06gnutls: print alerts during handshakeAlessandro Ghedini
2012-11-06gnutls: fix the error_is_fatal logicAlessandro Ghedini
2012-11-06RELEASE-NOTES: synced with fa6d78829fd30adDaniel Stenberg
2012-11-06httpcustomheader.c: free the headers after useDaniel Stenberg
2012-11-06uniformly use AM_CPPFLAGS, avoid deprecated INCLUDESDave Reisner
Since automake 1.12.4, the warnings are issued on running automake: warning: 'INCLUDES' is the old name for 'AM_CPPFLAGS' (or '*_CPPFLAGS') Avoid INCLUDES and roll these flags into AM_CPPFLAGS. Compile tested on: Ubuntu 10.04 (automake 1:1.11.1-1) Ubuntu 12.04 (automake 1:1.11.3-1ubuntu2) Arch Linux (automake 1.12.4)
2012-11-06libauthretry.c: shorten lines to fit within 80 colsDaniel Stenberg
2012-11-05ftp_readresp: fix build without krb4 supportDaniel Stenberg
Oops, my previous commit broke builds with krb support.
2012-11-04test/README: mention the 1500 test number rangeDaniel Stenberg
2012-11-04FTP: prevent the multi interface from blockingDaniel Stenberg
As pointed out in Bug report #3579064, curl_multi_perform() would wrongly use a blocking mechanism internally for some commands which could lead to for example a very long block if the LIST response never showed. The solution was to make sure to properly continue to use the multi interface non-blocking state machine. The new test 1501 verifies the fix. Bug: http://curl.haxx.se/bug/view.cgi?id=3579064 Reported by: Guido Berhoerster
2012-11-01winbuild: Use machine type of development environmentMarc Hoersken
This patch restores the original behavior instead of always falling back to x86 if no MACHINE-type was specified.
2012-11-01winbuild: Additional clean upMarc Hoersken
2012-11-01Even more winbuild refactoringSapien2
2012-11-01Minor winbuild refactoringSapien2
2012-11-01Architecture selection for winbuild and minor makefiles refactoringSapien2
2012-11-01BUGS: fix the bug tracker URLDaniel Stenberg
The URL we used before is the one that goes directly to 'add' a bug report, but since you can only do that after first having logged in to sourceforge, the link often doesn't work for visitors. Bug: http://curl.haxx.se/bug/view.cgi?id=3582408 Reported by: Oscar Norlander
2012-11-01evhiperfifo: fix the pointer passed to WRITEDATADaniel Stenberg
Bug: http://curl.haxx.se/bug/view.cgi?id=3582407 Reported by: Oscar Norlander
2012-11-01Fixed MSVC libssh2 static build.Guenter Knauf
Since libssh2 supports now agent stuff it also depends on user32.lib. Posted to the list by Jan Ehrhardt.
2012-10-23tlsauthtype: deal with the string case insensitivelyDaniel Stenberg
When given a string as 'srp' it didn't work, but required 'SRP'. Starting now, the check disregards casing. Bug: http://curl.haxx.se/bug/view.cgi?id=3578418 Reported by: Jeff Connelly
2012-10-23asyn-ares: restore working with c-ares < 1.6.1Daniel Stenberg
Back in those days the public ares.h header didn't include the ares_version.h header so it needs to be included here. Bug: http://curl.haxx.se/bug/view.cgi?id=3577710
2012-10-22metalink/md5: Use CommonCrypto on Apple operating systemsNick Zitzmann
Previously the Metalink code used Apple's CommonCrypto library only if curl was built using the --with-darwinssl option. Now we use CommonCrypto on all Apple operating systems including Tiger or later, or iOS 5 or later, so you don't need to build --with-darwinssl anymore. Also rolled out this change to libcurl's md5 code.
2012-10-18href_extractor.c: fix the URLDaniel Stenberg
2012-10-18href_extractor: example code extracting href elementsMichał Kowalczyk
It does so in a streaming manner using the "Streaming HTML parser".
2012-10-16darwinssl: un-broke iOS build, fix error on server disconnectNick Zitzmann
The iOS build was broken by a reference to a function that only existed under OS X; fixed. Also fixed a hard-to-reproduce problem where, if the server disconnected before libcurl got the chance to hang up first and SecureTransport was in use, then we'd raise an error instead of failing gracefully.
2012-10-16gnutls: put reset code into else blockAlessandro Ghedini
Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=690551