aboutsummaryrefslogtreecommitdiff
path: root/lib/vauth
AgeCommit message (Collapse)Author
2017-08-05gssapi: fix memory leak of output token in multi round contextIsaac Boukris
When multiple rounds are needed to establish a security context (usually ntlm), we overwrite old token with a new one without free. Found by proposed gss tests using stub a gss implementation (by valgrind error), though I have confirmed the leak with a real gssapi implementation as well. Closes https://github.com/curl/curl/pull/1733
2017-05-08rand: treat fake entropy the same regardless of endiannessJay Satiro
When the random seed is purposely made predictable for testing purposes by using the CURL_ENTROPY environment variable, process that data in an endian agnostic way so the the initial random seed is the same regardless of endianness. - Change Curl_rand to write to a char array instead of int array. - Add Curl_rand_hex to write random hex characters to a buffer. Fixes #1315 Closes #1468 Co-authored-by: Daniel Stenberg Reported-by: Michael Kaufmann
2017-04-22lib: fix maybe-uninitialized warningsMarcel Raad
With -Og, GCC complains: easy.c:628:7: error: ‘mcode’ may be used uninitialized in this function [-Werror=maybe-uninitialized] ../lib/strcase.h:35:29: error: ‘tok_buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized] vauth/digest.c:208:9: note: ‘tok_buf’ was declared here ../lib/strcase.h:35:29: error: ‘tok_buf’ may be used uninitialized in this function [-Werror=maybe-uninitialized] vauth/digest.c:566:15: note: ‘tok_buf’ was declared here Fix this by initializing the variables.
2017-04-07sspi: print out InitializeSecurityContext() error messageIsaac Boukris
Reported-by: Carsten (talksinmath) Fixes #1384 Closes #1395
2017-03-29NTLM: check for features with #ifdef instead of #ifMarcel Raad
Feature defines are normally checked with #ifdef instead of #if in the rest of the codebase. Additionally, some compilers warn when a macro is implicitly evaluated to 0 because it is not defined, which was the case here. Ref: https://github.com/curl/curl/pull/1362#discussion_r108605101 Closes https://github.com/curl/curl/pull/1367
2017-03-26spelling fixesklemens
Closes #1356
2017-02-27digest_sspi: fix compilation warningMarcel Raad
MSVC complains: warning C4701: potentially uninitialized local variable 'output_token_len' used
2017-02-21digest_sspi: Handle 'stale=TRUE' directive in HTTP digestJay Satiro
- If the server has provided another challenge use it as the replacement input token if stale=TRUE. Otherwise previous credentials have failed so return CURLE_LOGIN_DENIED. Prior to this change the stale directive was ignored and if another challenge was received it would cause error CURLE_BAD_CONTENT_ENCODING. Ref: https://tools.ietf.org/html/rfc2617#page-10 Bug: https://github.com/curl/curl/issues/928 Reported-by: tarek112@users.noreply.github.com
2017-02-20digest_sspi: Fix nonce-count generation in HTTP digestMax Khon
- on the first invocation: keep security context returned by InitializeSecurityContext() - on subsequent invocations: use MakeSignature() instead of InitializeSecurityContext() to generate HTTP digest response Bug: https://github.com/curl/curl/issues/870 Reported-by: Andreas Roth Closes https://github.com/curl/curl/pull/1251
2017-02-06use *.sourceforge.io and misc URL updatesViktor Szakats
Ref: https://sourceforge.net/blog/introducing-https-for-project-websites/ Closes: https://github.com/curl/curl/pull/1247
2016-12-29digest_sspi: copy terminating NUL as wellMax Khon
Curl_auth_decode_digest_http_message(): copy terminating NUL as later Curl_override_sspi_http_realm() expects a NUL-terminated string. Fixes #1180
2016-11-24checksrc: white space edits to comply to stricter checksrcDaniel Stenberg
2016-11-24Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.Patrick Monnerat
See CRL-01-006.
2016-11-14Curl_rand: fixed and moved to rand.cDaniel Stenberg
Now Curl_rand() is made to fail if it cannot get the necessary random level. Changed the proto of Curl_rand() slightly to provide a number of ints at once. Moved out from vtls, since it isn't a TLS function and vtls provides Curl_ssl_random() for this to use. Discussion: https://curl.haxx.se/mail/lib-2016-11/0119.html
2016-10-31digest_sspi: fix includeMarcel Raad
Fix compile break from 811a693b80
2016-10-31strcasecompare: all case insensitive string compares ignore locale nowDaniel Stenberg
We had some confusions on when each function was used. We should not act differently on different locales anyway.
2016-10-31strcasecompare: is the new name for strequal()Daniel Stenberg
... to make it less likely that we forget that the function actually does case insentive compares. Also replaced several invokes of the function with a plain strcmp when case sensitivity is not an issue (like comparing with "-").
2016-08-21sasl: Don't use GSSAPI authentication when domain name not specifiedSteve Holme
Only choose the GSSAPI authentication mechanism when the user name contains a Windows domain name or the user is a valid UPN. Fixes #718
2016-08-21vauth: Added check for supported SSPI based authentication mechanismsSteve Holme
Completing commit 00417fd66c and 2708d4259b.
2016-08-19spnego_sspi: fix memory leak in case *outlen is zero (#970)Miroslav Franc
2016-08-18vauth: Introduced Curl_auth_is_<mechansism>_supported() functionsSteve Holme
As Windows SSPI authentication calls fail when a particular mechanism isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5 and Negotiate to allow both HTTP and SASL authentication the opportunity to query support for a supported mechanism before selecting it. For now each function returns TRUE to maintain compatability with the existing code when called.
2016-07-23vauth.h: No need to query HAVE_GSSAPI || USE_WINDOWS_SSPI for SPNEGOSteve Holme
As SPNEGO is only defined when these pre-processor variables are defined there is no need to query them explicitly.
2016-07-23spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declarationSteve Holme
Typo introduced in commit ad5e9bfd5d.
2016-07-20vauth: Fix memleak by freeing credentials if out of memoryJay Satiro
This is a follow up to the parent commit dcdd4be which fixes one leak but creates another by failing to free the credentials handle if out of memory. Also there's a second location a few lines down where we fail to do same. This commit fixes both of those issues.
2016-07-20vauth: Fixed memory leak due to function returning without freeSaurav Babu
This patch allocates memory to "output_token" only when it is required so that memory is not leaked if function returns.
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-04-06URLs: change http to https in many placesViktor Szakats
Closes #754
2016-04-06vauth: Corrected a number of typos in commentsSteve Holme
Reported-by: Michael Osipov
2016-04-03code: style updatesDaniel Stenberg
2016-04-03vauth: Removed the need for a separate GSS-API based SPN functionSteve Holme
2016-04-03spnego: Small code tidy upSteve Holme
* Prefer dereference of string pointer rather than strlen() * Free challenge pointer in one place * Additional comments
2016-04-03krb5: Small code tidy upSteve Holme
* Prefer dereference of string pointer rather than strlen() * Free challenge pointer in one place * Additional comments
2016-04-03krb5_gssapi: Only process challenge when presentSteve Holme
This wouldn't cause a problem because of the way the function is called, but prior to this change, we were processing the challenge message when the credentials were NULL rather than when the challenge message was populated. This also brings this part of the Kerberos 5 code in line with the Negotiate code.
2016-04-03krb5: Fixed missing client response when mutual authentication enabledSteve Holme
Although mutual authentication is currently turned off and can only be enabled by changing libcurl source code, authentication using Kerberos 5 has been broken since commit 79543caf90 in this use case.
2016-04-03krb5_sspi: Only process challenge when presentSteve Holme
This wouldn't cause a problem because of the way the function is called, but prior to this change, we were processing the challenge message when the credentials were NULL rather than when the challenge message was populated. This also brings this part of the Kerberos 5 code in line with the Negotiate code.
2016-04-03krb5_sspi: Only generate the output token when its not allocatedSteve Holme
Prior to this change, we were generating the output token when the credentials were NULL rather than when the output token was NULL. This also brings this part of the Kerberos 5 code in line with the Negotiate code.
2016-04-03krb5: Only generate a SPN when its not knownSteve Holme
Prior to this change, we were generating the SPN in the SSPI code when the credentials were NULL and in the GSS-API code when the context was empty. It is better to decouple the SPN generation from these checks and only generate it when the SPN itself is NULL. This also brings this part of the Kerberos 5 code in line with the Negotiate code.
2016-04-02spnego: Renamed the context's SPN variableSteve Holme
To be consistent with the Kerberos 5 context and other authentication code.
2016-04-02krb5_gssapi: Renamed the status variablesSteve Holme
For consistency with the spnego code.
2016-04-02krb5: Moved host from Curl_auth_create_gssapi_user_message() to be argumentSteve Holme
For consistency with the spnego and oauth2 code moved the setting of the host name outside of the Curl_auth_create_gssapi_user_messag() function. This will allow us to more easily override it in the future.
2016-04-01spnego: Corrected some typos in commentsSteve Holme
Corrected typos from commit ad5e9bfd5d and 6d6f9ca1d9.
2016-03-29GSS: make Curl_gss_log_error more verboseIsaac Boukris
Also display the GSS_C_GSS_CODE (major code) when specified instead of only GSS_C_MECH_CODE (minor code). In addition, the old code was printing a colon twice after the prefix and also miscalculated the length of the buffer in between calls to gss_display_status (the length of ": " was missing). Also, gss_buffer is not guaranteed to be NULL terminated and thus need to restrict reading by its length. Closes #738
2016-03-26vauth: Moved the Negotiate authentication code to the new vauth directorySteve Holme
Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-26vauth: Moved the Negotiate authentication code to the new vauth directorySteve Holme
Part 1 of 2 - Moved the SSPI based Negotiate authentication code.
2016-03-25vauth: Refactored function names after move to new vauth directorySteve Holme
Renamed all the SASL functions that moved to the new vauth directory to include the correct module name.
2016-03-25vauth: Updated the copyright year after recent changesSteve Holme
As most of this work was performed in 2015 but not pushed until 2016 updated the copyright year to reflect the public facing changes.
2016-03-25vauth: Moved the OAuth 2.0 authentication code to the new vauth directorySteve Holme
2016-03-25vauth: Moved the NTLM authentication code to the new vauth directorySteve Holme
2016-03-25vauth: Moved the Kerberos V5 authentication code to the new vauth directorySteve Holme
2016-03-25digest.c: Fixed checksrc warningsSteve Holme