aboutsummaryrefslogtreecommitdiff
path: root/lib/curl_schannel.c
AgeCommit message (Collapse)Author
2013-05-05curl_schannel.c: Fixed invalid memory access during SSL shutdownMarc Hoersken
2013-04-07curl_schannel.c: Follow up on memory leak fix ae4558dMarc Hoersken
2013-04-06curl_schannel.c: Fixed memory leak if connection was not successfulMarc Hoersken
2013-02-05schannel: Removed extended error connection setup flagMarc Hoersken
According KB975858 this flag may cause problems on Windows 7 and Windows Server 2008 R2 systems. Extended error information is not currently used by libcurl and therefore not a requirement. The flag may improve the SSL-connection shutdown in case of an error. This means it might be a good improvement in the future. Fixes bug/issue #1187 - thanks for the report
2013-01-09build: fix circular header inclusion with other packagesYang Tse
This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h. Removes the need and usage of a header inclusion guard foreign to libcurl. [1] Removes the need and presence of an alarming notice we carried in old setup_once.h [2] ---------------------------------------- 1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H, this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once. Additionally lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3, this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available which also has a setup_once.h header. Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h, it is a header inclusion guard foreign to libcurl belonging to c-ares's setup_once.h The renaming this commit does, fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H no longer used in libcurl. 2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried back from 2006 up to now days an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync. Given that this commit fixes the circular interdependency, the need and presence of mentioned notice is removed. All mentioned interdependencies come back from now old days when the c-ares project lived inside a curl subdirectory. This commit removes last traces of such fact.
2013-01-06Revert changes relative to lib/*.[ch] recent renamingYang Tse
This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits: f871de0... build: make use of 76 lib/*.h renamed files ffd8e12... build: rename 76 lib/*.h files This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit: c087374... curl_setup.h: remove redundant include guard This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits: 13606bb... build: make use of 93 lib/*.c renamed files 5b6e792... build: rename 93 lib/*.c files 7d83dff... build: commit 13606bbfde follow-up 1 Start of related discussion thread: http://curl.haxx.se/mail/lib-2013-01/0012.html Asking for confirmation on pushing this revertion commit: http://curl.haxx.se/mail/lib-2013-01/0048.html Confirmation summary: http://curl.haxx.se/mail/lib-2013-01/0079.html NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs. lib/curl_imap.h lib/curl_smtp.h
2013-01-03build: make use of 93 lib/*.c renamed filesYang Tse
93 *.c source files renamed to use our standard naming scheme. This change affects 77 files in libcurl's source tree.
2012-12-28build: make use of 76 lib/*.h renamed filesYang Tse
76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
2012-11-08SSL: Several SSL-backend related fixesOscar Koeroo
axTLS: This will make the axTLS backend perform the RFC2818 checks, honoring the VERIFYHOST setting similar to the OpenSSL backend. Generic for OpenSSL and axTLS: Move the hostcheck and cert_hostcheck functions from the lib/ssluse.c files to make them genericly available for both the OpenSSL, axTLS and other SSL backends. They are now in the new lib/hostcheck.c file. CyaSSL: CyaSSL now also has the RFC2818 checks enabled by default. There is a limitation that the verifyhost can not be enabled exclusively on the Subject CN field comparison. This SSL backend will thus behave like the NSS and the GnuTLS (meaning: RFC2818 ok, or bust). In other words: setting verifyhost to 0 or 1 will disable the Subject Alt Names checks too. Schannel: Updated the schannel information messages: Split the IP address usage message from the verifyhost setting and changed the message about disabling SNI (Server Name Indication, used in HTTP virtual hosting) into a message stating that the Subject Alternative Names checks are being disabled when verifyhost is set to 0 or 1. As a side effect of switching off the RFC2818 related servername checks with SCH_CRED_NO_SERVERNAME_CHECK (http://msdn.microsoft.com/en-us/library/aa923430.aspx) the SNI feature is being disabled. This effect is not documented in MSDN, but Wireshark output clearly shows the effect (details on the libcurl maillist). PolarSSL: Fix the prototype change in PolarSSL of ssl_set_session() and the move of the peer_cert from the ssl_context to the ssl_session. Found this change in the PolarSSL SVN between r1316 and r1317 where the POLARSSL_VERSION_NUMBER was at 0x01010100. But to accommodate the Ubuntu PolarSSL version 1.1.4 the check is to discriminate between lower then PolarSSL version 1.2.0 and 1.2.0 and higher. Note: The PolarSSL SVN trunk jumped from version 1.1.1 to 1.2.0. Generic: All the SSL backends are fixed and checked to work with the ssl.verifyhost as a boolean, which is an internal API change.
2012-11-06CURLOPT_SSL_VERIFYHOST: stop supporting the 1 valueDaniel Stenberg
After a research team wrote a document[1] that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option were all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have an as thin layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position. [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
2012-10-06curl_schannel.c: Fixed caching more data than requiredMarc Hoersken
Do not fill the decrypted data buffer with more data unless required in order to return the requested amount of data.
2012-10-06curl_schannel: Removed buffer limit and optimized buffer strategyMarc Hoersken
Since there are servers that seem to return very big encrypted data packages, we need to be able to handle those without having an internal size limit. To avoid the buffer growing to fast to early the initial size was decreased and the minimum free space in the buffer was decreased as well.
2012-10-04lib/curl_schannel.c: Hide size_t conversion warningMarc Hoersken
2012-10-03lib/curl_schannel: Increased maximum buffer size to factor 128Marc Hoersken
2012-09-09curl_schannel.c: Reference count the credential/session handleMarc Hoersken
Reference counting the credential handle should avoid that such a handle is freed while it is still required for connection shutdown
2012-07-09Make Curl_schannel_version() return "WinSSL"Yang Tse
Modification based on voting result: http://curl.haxx.se/mail/lib-2012-07/0104.html
2012-07-05unicode NTLM SSPI: cleanup follow-upYang Tse
2012-07-05unicode NTLM SSPI: cleanupYang Tse
Reduce the number of #ifdef UNICODE directives used in source files.
2012-06-25curl_schannel.c: Remove redundant NULL assignments following Curl_safefree()Yang Tse
2012-06-25curl_schannel.c: Replace free() with Curl_safefree()Marc Hoersken
2012-06-20schannel: Implement new buffer size strategyMarc Hoersken
Increase decrypted and encrypted cache buffers using limitted doubling strategy. More information on the mailinglist: http://curl.haxx.se/mail/lib-2012-06/0255.html It updates the two remaining reallocations that have already been there and fixes the other one to use the same "do we need to increase the buffer"-condition as the other two. CURL_SCHANNEL_BUFFER_STEP_SIZE was renamed to CURL_SCHANNEL_BUFFER_FREE_SIZE since that is actually what it is now. Since we don't know how much more data we are going to read during the handshake, CURL_SCHANNEL_BUFFER_FREE_SIZE is used as the minimum free space required in the buffer for the next operation. CURL_SCHANNEL_BUFFER_STEP_SIZE was used for that before, too, but since we don't have a step size now, the define was renamed.
2012-06-20schannel SSL: fix compiler warningYang Tse
2012-06-20schannel SSL: fix for renegotiate problemMark Salisbury
In schannel_connect_step2() doread should be initialized based on connssl->connecting_state.
2012-06-20schannel_connect_step2: checksrc whitespace fixDaniel Stenberg
2012-06-20schannel SSL: changes in schannel_connect_step2Mark Salisbury
Process extra data buffer before returning from schannel_connect_step2. Without this change I've seen WinCE hang when schannel_connect_step2 returns and calls Curl_socket_ready. If the encrypted handshake does not fit in the intial buffer (seen with large certificate chain), increasing the encrypted data buffer is necessary. Fixed warning in curl_schannel.c line 1215.
2012-06-20schannel SSL: Made send method handle unexpected cases betterMark Salisbury
Implemented timeout loop in schannel_send while sending data. This is as close as I think we can get to write buffering; I put a big comment in to explain my thinking. With some committer adjustments
2012-06-19curl_schannel.c: Avoid unnecessary realloc calls to reduce buffer sizeMarc Hoersken
2012-06-19schannel SSL: Use standard Curl read/write methodsMark Salisbury
Replaced calls to swrite with Curl_write_plain and calls to sread with Curl_read_plain. With some committer adjustments
2012-06-19schannel SSL: make wording of some trace messages better reflect realityYang Tse
2012-06-19schannel SSL: Implemented SSL shutdownMark Salisbury
curl_schannel.c - implemented graceful SSL shutdown. If we fail to shutdown the connection gracefully, I've seen schannel try to use a session ID for future connects and the server aborts the connection during the handshake.
2012-06-19schannel SSL: certificate validation on WinCEMark Salisbury
curl_schannel.c - auto certificate validation doesn't seem to work right on CE. I added a method to perform the certificate validation which uses CertGetCertificateChain and manually handles the result.
2012-06-19schannel SSL: Added helper methods to simplify codeMark Salisbury
Added helper methods InitSecBuffer() and InitSecBufferDesc() to make it easier to set up SecBuffer & SecBufferDesc structs.
2012-06-16Win32: downplay MS bazillion type synonyms gameYang Tse
Avoid usage of some MS type synonyms to allow compilation with compiler headers that don't define these, using simpler synonyms.
2012-06-15SSPI related code: Unicode support for WinCEMark Salisbury
SSPI related code now compiles with ANSI and WCHAR versions of security methods (WinCE requires WCHAR versions of methods). Pulled UTF8 to WCHAR conversion methods out of idn_win32.c into their own file. curl_sasl.c - include curl_memory.h to use correct memory functions. getenv.c and telnet.c - WinCE compatibility fix With some committer adjustments
2012-06-14schannel: fix printf-style format stringsYang Tse
2012-06-14Fix bad failf() and info() usageYang Tse
Calls to failf() are not supposed to provide trailing newline. Calls to infof() must provide trailing newline. Fixed 30 or so strings.
2012-06-14schannel: fix unused parameter warningsYang Tse
2012-06-14schannel: fix comparisons between signed and unsignedYang Tse
2012-06-14schannel: fix discarding qualifier from pointer typeYang Tse
2012-06-14schannel: fix shadowing of global declarationsYang Tse
2012-06-14schannel: fix Curl_schannel_init() and Curl_schannel_cleanup() declarationsYang Tse
2012-06-13Changed Schannel string to SSL-Windows-native.Guenter Knauf
This is more descriptive for the user who might not even know what schannnel is at all.
2012-06-13schannel: remove version number and identify its use with 'schannel' literalYang Tse
Version number is removed in order to make this info consistent with how we do it with other MS and Linux system libraries for which we don't provide this info. Identifier changed from 'WinSSPI' to 'schannel' given that this is the actual provider of the SSL/TLS support. libcurl can still be built with SSPI and without SCHANNEL support.
2012-06-12sspi: make Curl_sspi_strerror() libcurl's sspi status code string functionYang Tse
2012-06-11checksrc: shorten a few lines to complyDaniel Stenberg
2012-06-11sspi: Reworked Curl_sspi_version() to return version componentsSteve Holme
Reworked the version function to return four version components rather than a string that has to be freed by the caller.
2012-06-11schannel: Code cleanup and bug fixesMarc Hoersken
curl_sspi.c: Fixed mingw32-gcc compiler warnings curl_sspi.c: Fixed length of error code hex output The hex value was printed as signed 64-bit value on 64-bit systems: SEC_E_WRONG_PRINCIPAL (0xFFFFFFFF80090322) It is now correctly printed as the following: SEC_E_WRONG_PRINCIPAL (0x80090322) curl_sspi.c: Fallback to security function table version number Instead of reporting an unknown version, the interface version is used. curl_sspi.c: Removed SSPI/ version prefix from Curl_sspi_version curl_schannel: Replaced static buffer sizes with defined names curl_schannel.c: First brace when declaring functions on column 0 curl_schannel.c: Put the pointer sign directly at variable name curl_schannel.c: Use structs directly instead of typedef'ed structs curl_schannel.c: Removed space before opening brace curl_schannel.c: Fixed lines being longer than 80 chars
2012-06-11curl_sspi: Added Curl_sspi_version functionMarc Hoersken
Added new function to get SSPI version as string. Added required library version.lib to makefiles. Changed curl_schannel.c to use Curl_sspi_version.
2012-06-11schannel: Replace ASCII specific code with general definesMarc Hoersken
2012-06-11schannel: Moved interal struct types to urldata.hMarc Hoersken
Moved type definitions in order to avoid inclusion loop