aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2015-06-17http: do not leak basic auth credentials on re-used connectionsKamil Dudka
CVE-2015-3236 This partially reverts commit curl-7_39_0-237-g87c4abb Reported-by: Tomas Tomecek, Kamil Dudka Bug: http://curl.haxx.se/docs/adv_20150617A.html
2015-06-17SMB: rangecheck values read off incoming packetDaniel Stenberg
CVE-2015-3237 Detected by Coverity. CID 1299430. Bug: http://curl.haxx.se/docs/adv_20150617B.html
2015-06-17schannel: schannel_recv overhaulJay Satiro
This commit is several drafts squashed together. The changes from each draft are noted below. If any changes are similar and possibly contradictory the change in the latest draft takes precedence. Bug: https://github.com/bagder/curl/issues/244 Reported-by: Chris Araman %% %% Draft 1 %% - return 0 if len == 0. that will have to be documented. - continue on and process the caches regardless of raw recv - if decrypted data will be returned then set the error code to CURLE_OK and return its count - if decrypted data will not be returned and the connection has closed (eg nread == 0) then return 0 and CURLE_OK - if decrypted data will not be returned and the connection *hasn't* closed then set the error code to CURLE_AGAIN --only if an error code isn't already set-- and return -1 - narrow the Win2k workaround to only Win2k %% %% Draft 2 %% - Trying out a change in flow to handle corner cases. %% %% Draft 3 %% - Back out the lazier decryption change made in draft2. %% %% Draft 4 %% - Some formatting and branching changes - Decrypt all encrypted cached data when len == 0 - Save connection closed state - Change special Win2k check to use connection closed state %% %% Draft 5 %% - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the connection isn't closed. %% %% Draft 6 %% - Save the last error only if it is an unrecoverable error. Prior to this I saved the last error state in all cases; unfortunately the logic to cover that in all cases would lead to some muddle and I'm concerned that could then lead to a bug in the future so I've replaced it by only recording an unrecoverable error and that state will persist. - Do not recurse on renegotiation. Instead we'll continue on to process any trailing encrypted data received during the renegotiation only. - Move the err checks in cleanup after the check for decrypted data. In either case decrypted data is always returned but I think it's easier to understand when those err checks come after the decrypted data check. %% %% Draft 7 %% - Regardless of len value go directly to cleanup if there is an unrecoverable error or a close_notify was already received. Prior to this change we only acknowledged those two states if len != 0. - Fix a bug in connection closed behavior: Set the error state in the cleanup, because we don't know for sure it's an error until that time. - (Related to above) In the case the connection is closed go "greedy" with the decryption to make sure all remaining encrypted data has been decrypted even if it is not needed at that time by the caller. This is necessary because we can only tell if the connection closed gracefully (close_notify) once all encrypted data has been decrypted. - Do not renegotiate when an unrecoverable error is pending. %% %% Draft 8 %% - Don't show 'server closed the connection' info message twice. - Show an info message if server closed abruptly (missing close_notify).
2015-06-15rtsp_do: fix DEAD CODEDaniel Stenberg
"At condition p_request, the value of p_request cannot be NULL." Coverity CID 1306668.
2015-06-15security:choose_mech fix DEAD CODE warningDaniel Stenberg
... by removing the "do {} while (0)" block. Coverity CID 1306669
2015-06-14urldata: store POST size in state.infilesize tooDaniel Stenberg
... to simplify checking when PUT _or_ POST have completed. Reported-by: Frank Meier Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
2015-06-11schannel: Add support for optional client certificatesJoel Depooter
Some servers will request a client certificate, but not require one. This change allows libcurl to connect to such servers when using schannel as its ssl/tls backend. When a server requests a client certificate, libcurl will now continue the handshake without one, rather than terminating the handshake. The server can then decide if that is acceptable or not. Prior to this change, libcurl would terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS error.
2015-06-10debug: remove http2 debug leftoversDaniel Stenberg
2015-06-09INTERNALS: cat lib/README* >> INTERNALSDaniel Stenberg
and a conversion to markdown. Removed the lib/README.* files. The idea being to move toward having INTERNALS as the one and only "book" of internals documentation. Added a TOC to top of the document.
2015-06-08openssl: LibreSSL and BoringSSL do not use TLS_client_methodJay Satiro
Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of TLS_client_method LibreSSL and BoringSSL didn't and still use SSLv23_client_method. Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009 Reported-by: asavah@users.noreply.github.com
2015-06-09CURLOPT_OPENSOCKETFUNCTION: return error at onceDaniel Stenberg
When CURL_SOCKET_BAD is returned in the callback, it should be treated as an error (CURLE_COULDNT_CONNECT) if no other socket is subsequently created when trying to connect to a server. Bug: http://curl.haxx.se/mail/lib-2015-06/0047.html
2015-06-07openssl: Fix verification of server-sent legacy intermediatesJay Satiro
- Try building a chain using issuers in the trusted store first to avoid problems with server-sent legacy intermediates. Prior to this change server-sent legacy intermediates with missing legacy issuers would cause verification to fail even if the client's CA bundle contained a valid replacement for the intermediate and an alternate chain could be constructed that would verify successfully. https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
2015-06-05openssl: removed error string #ifdefDaniel Stenberg
ERR_error_string_n() was introduced in 0.9.6, no need to #ifdef anymore
2015-06-05openssl: removed USERDATA_IN_PWD_CALLBACK kludgeDaniel Stenberg
Code for OpenSSL 0.9.4 serves no purpose anymore!
2015-06-05openssl: remove SSL_get_session()-using codeDaniel Stenberg
It was present for OpenSSL 0.9.5 code but we only support 0.9.7 or later.
2015-06-05openssl: remove dummy callback use from SSL_CTX_set_verify()Daniel Stenberg
The existing callback served no purpose.
2015-06-03cookie: Stop exporting any-domain cookiesJay Satiro
Prior to this change any-domain cookies (cookies without a domain that are sent to any domain) were exported with domain name "unknown". Bug: https://github.com/bagder/curl/issues/292
2015-06-02curl_setup: Change fopen text macros to use 't' for MSDOSJay Satiro
Bug: https://github.com/bagder/curl/pull/258#issuecomment-107915198 Reported-by: Gisle Vanem
2015-06-02checksrc: detect fopen() for text without the FOPEN_* macrosDaniel Stenberg
Follow-up to e8423f9ce150 with discussionis in https://github.com/bagder/curl/pull/258 This check scans for fopen() with a mode string without 'b' present, as it may indicate that an FOPEN_* define should rather be used.
2015-06-01curl_setup: Add macros for FOPEN_READTEXT, FOPEN_WRITETEXTJay Satiro
- Change fopen calls to use FOPEN_READTEXT instead of "r" or "rt" - Change fopen calls to use FOPEN_WRITETEXT instead of "w" or "wt" This change is to explicitly specify when we need to read/write text. Unfortunately 't' is not part of POSIX fopen so we can't specify it directly. Instead we now have FOPEN_READTEXT, FOPEN_WRITETEXT. Prior to this change we had an issue on Windows if an application that uses libcurl overrides the default file mode to binary. The default file mode in Windows is normally text mode (translation mode) and that's what libcurl expects. Bug: https://github.com/bagder/curl/pull/258#issuecomment-107093055 Reported-by: Orgad Shaneh
2015-05-31HTTP-NTLM: fail auth on connection close instead of loopingIsaac Boukris
Bug: https://github.com/bagder/curl/issues/256
2015-05-31README.pingpong: removedDaniel Stenberg
2015-05-30HTTP2: moved docs into docs/ and make it markdownDaniel Stenberg
2015-05-30README.http2: refreshed and added multiplexing infoDaniel Stenberg
2015-05-27openssl: typo in commentDaniel Melani
2015-05-27openssl: Use TLS_client_method for OpenSSL 1.1.0+Jay Satiro
SSLv23_client_method is deprecated starting in OpenSSL 1.1.0. The equivalent is TLS_client_method. https://github.com/openssl/openssl/commit/13c9bb3#diff-708d3ae0f2c2973b272b811315381557
2015-05-25http2: Copy data passed in Curl_http2_switched into HTTP/2 connection bufferTatsuhiro Tsujikawa
Previously, after seeing upgrade to HTTP/2, we feed data followed by upgrade response headers directly to nghttp2_session_mem_recv() in Curl_http2_switched(). But it turns out that passed buffer, mem, is part of stream->mem, and callbacks called by nghttp2_session_mem_recv() will write stream specific data into stream->mem, overwriting input data. This will corrupt input, and most likely frame length error is detected by nghttp2 library. The fix is first copy the passed data to HTTP/2 connection buffer, httpc->inbuf, and call nghttp2_session_mem_recv().
2015-05-24conncache: fixed memory leak on OOM (torture tests)Dan Fandrich
2015-05-22security: fix "Unchecked return value" from sscanf()Daniel Stenberg
By (void) prefixing it and adding a comment. Did some minor related cleanups. Coverity CID 1299423.
2015-05-22security: simplify choose_mechDaniel Stenberg
Coverity CID 1299424 identified dead code because of checks that could never equal true (if the mechanism's name was NULL). Simplified the function by removing a level of pointers and removing the loop and array that weren't used.
2015-05-22RTSP: catch attempted unsupported requests betterDaniel Stenberg
Replace use of assert with code that properly catches bad input at run-time even in non-debug builds. This flaw was sort of detected by Coverity CID 1299425 which claimed the "case RTSPREQ_NONE" was dead code.
2015-05-22share_init: fix OOM crashDaniel Stenberg
A failed calloc() would lead to NULL pointer use. Coverity CID 1299427.
2015-05-22parse_proxy: switch off tunneling if non-HTTP proxyDaniel Stenberg
non-HTTP proxy implies not using CURLOPT_HTTPPROXYTUNNEL Bug: http://curl.haxx.se/mail/lib-2015-05/0056.html Reported-by: Sean Boudreau
2015-05-22http2: on_frame_recv: return early on stream 0Daniel Stenberg
Coverity CID 1299426 warned about possible NULL dereference otherwise, but that would only ever happen if we get invalid HTTP/2 data with frames for stream 0. Avoid this risk by returning early when stream 0 is used.
2015-05-22http: removed self assignmentDaniel Stenberg
Follow-up fix from b0143a2a33f0 Detected by coverity. CID 1299429
2015-05-22http2: Make HTTP Upgrade workTatsuhiro Tsujikawa
This commit just add implicitly opened stream 1 to streams hash.
2015-05-22strerror: Change SEC_E_ILLEGAL_MESSAGE descriptionJay Satiro
Prior to this change the description for SEC_E_ILLEGAL_MESSAGE was OS and language specific, and invariably translated to something not very helpful like: "The message received was unexpected or badly formatted." Bug: https://github.com/bagder/curl/issues/267 Reported-by: Michael Osipov
2015-05-21telnet: Fix read-callback change for Windows buildsJay Satiro
Refer to b0143a2 for more information on the read-callback change.
2015-05-20read_callback: move to SessionHandle from connectdataDaniel Stenberg
With many easy handles using the same connection for multiplexing, it is important we store and keep the transfer-oriented stuff in the SessionHandle so that callbacks and callback data work fine even when many easy handles share the same physical connection.
2015-05-20http2: show stream IDs in decimalDaniel Stenberg
It makes them easier to match output from the nghttpd test server.
2015-05-20http2: Faster http2 uploadTatsuhiro Tsujikawa
Previously, when we send all given buffer in data_source_callback, we return NGHTTP2_ERR_DEFERRED, and nghttp2 library removes this stream temporarily for writing. This itself is good. If this is the sole stream in the session, nghttp2_session_want_write() returns zero, which means that libcurl does not check writeability of the underlying socket. This leads to very slow upload, because it seems curl only upload 16k something per 1 second. To fix this, if we still have data to send, call nghttp2_session_resume_data after nghttp2_session_send. This makes nghttp2_session_want_write() returns nonzero (if connection window still opens), and as a result, socket writeability is checked, and upload speed becomes normal.
2015-05-20gtls: don't fail on non-fatal alerts during handshakeDmitry Eremin-Solenikov
Stop curl from failing when non-fatal alert is received during handshake. This e.g. fixes lots of problems when working with https sites through proxies.
2015-05-19openssl: Use SSL_CTX_set_msg_callback and SSL_CTX_set_msg_callback_argBrian Prodoehl
BoringSSL removed support for direct callers of SSL_CTX_callback_ctrl and SSL_CTX_ctrl, so move to a way that should work on BoringSSL and OpenSSL. re #275
2015-05-19transfer: remove erroneous and misleading commentDaniel Stenberg
2015-05-19http: silence compile-time warnings without USE_NGHTTP2Kamil Dudka
Error: CLANG_WARNING: lib/http.c:173:16: warning: Value stored to 'http' during its initialization is never read Error: COMPILER_WARNING: lib/http.c: scope_hint: In function ‘http_disconnect’ lib/http.c:173:16: warning: unused variable ‘http’ [-Wunused-variable]
2015-05-19transfer: Replace __func__ instances with function nameJay Satiro
.. also make __func__ replacement in multi. Prior to this change debug builds would fail to build if the compiler was building pre-c99 and didn't support __func__.
2015-05-19build: bump version in default nghttp2 pathsViktor Szakats
2015-05-18http: Add some include guards for the new HTTP/2 stuffJay Satiro
2015-05-18http2: store upload state per streamDaniel Stenberg
Use a curl_off_t for upload left
2015-05-18http2: fix build when NOT h2-enabledDaniel Stenberg