aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2015-08-06NTLM: handle auth for only a single requestIsaac Boukris
Currently when the server responds with 401 on NTLM authenticated connection (re-used) we consider it to have failed. However this is legitimate and may happen when for example IIS is set configured to 'authPersistSingleRequest' or when the request goes thru a proxy (with 'via' header). Implemented by imploying an additional state once a connection is re-used to indicate that if we receive 401 we need to restart authentication. Closes #363
2015-08-02SSH: three state machine fixupsDaniel Stenberg
The SSH state machine didn't clear the 'rc' variable appropriately in a two places which prevented it from looping the way it should. And it lacked an 'else' statement that made it possible to erroneously get stuck in the SSH_AUTH_AGENT state. Reported-by: Tim Stack Closes #357
2015-08-02curl_gssapi: remove 'const' to fix compiler warningsDaniel Stenberg
initialization discards 'const' qualifier from pointer target type
2015-08-01sspi: Fix typo from left over from old code which referenced NTLMSteve Holme
References to NTLM in the identity generation should have been removed in commit c469941293 but not all were.
2015-08-01win32: Fix compilation warnings from commit 40c921f8b8Steve Holme
connect.c:953:5: warning: initializer element is not computable at load time connect.c:953:5: warning: missing initializer for field 'dwMinorVersion' of 'OSVERSIONINFOEX' curl_sspi.c:97:5: warning: initializer element is not computable at load time curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion' of 'OSVERSIONINFOEX'
2015-08-01schannel: Fix compilation warning from commit 7a8e861a56Steve Holme
schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion' of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
2015-07-30http: move HTTP/2 cleanup code off http_disconnect()Kamil Dudka
Otherwise it would never be called for an HTTP/2 connection, which has its own disconnect handler. I spotted this while debugging <https://bugzilla.redhat.com/1248389> where the http_disconnect() handler was called on an FTP session handle causing 'dnf' to crash. conn->data->req.protop of type (struct FTP *) was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in Curl_add_buffer_free() after printing the "Connection cache is full, closing the oldest one." message. A previously working version of libcurl started to crash after it was recompiled with the HTTP/2 support despite the HTTP/2 protocol was not actually used. This commit makes it work again although I suspect the root cause (reinterpreting session handle data of incompatible protocol) still has to be fixed. Otherwise the same will happen when mixing FTP and HTTP/2 connections and exceeding the connection cache limit. Reported-by: Tomas Tomecek Bug: https://bugzilla.redhat.com/1248389
2015-07-25HTTP: ignore "Content-Encoding: compress"Michael Kaufmann
Currently, libcurl rejects responses with "Content-Encoding: compress" when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should treat the Content-Encoding "compress" the same as other Content-Encodings that it does not support, e.g. "bzip2". That means just ignoring it.
2015-07-24openssl: work around MSVC warningMarcel Raad
MSVC 12 complains: lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local variable 'verstr' used It's a false positive, but as it's normally not, I have enabled warning-as-error for that warning.
2015-07-23http2: verify success of strchr() in http2_send()Kamil Dudka
Detected by Coverity. Error: NULL_RETURNS: lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times). lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr". lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf". 1300| 1301| hdbuf = strchr(hdbuf, 0x0a); 1302|-> ++hdbuf; 1303| 1304| authority_idx = 0;
2015-07-22Windows: Fix VerifyVersionInfo callsJay Satiro
- Fix the VerifyVersionInfo calls, which we use to test for the OS major version, to also test for the minor version as well as the service pack major and minor versions. MSDN: "If you are testing the major version, you must also test the minor version and the service pack major and minor versions." https://msdn.microsoft.com/en-us/library/windows/desktop/ms725492.aspx Bug: https://github.com/bagder/curl/pull/353#issuecomment-123493098 Reported-by: Marcel Raad <MarcelRaad@users.noreply.github.com>
2015-07-22schannel: Replace deprecated GetVersion with VerifyVersionInfoMarcel Raad
2015-07-21libcurl: VERSIONINFO updatePatrick Monnerat
Addition of new procedures curl_pushheader_bynum and curl_pushheader_byname requires VERSIONINFO updating.
2015-07-21http2: satisfy external references even if http2 is not compiled in.Patrick Monnerat
2015-07-20http2: add stream != NULL checks for reliabilityDaniel Stenberg
They should not trigger, but in case of internal problems we at least avoid crashes this way.
2015-07-17SSL: Add an option to disable certificate revocation checksJay Satiro
New tool option --ssl-no-revoke. New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS. Currently this option applies only to WinSSL where we have automatic certificate revocation checking by default. According to the ssl-compared chart there are other backends that have automatic checking (NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at some later point. Bug: https://github.com/bagder/curl/issues/264 Reported-by: zenden2k <zenden2k@gmail.com>
2015-07-16ntlm_wb: Fix theoretical memory leakDavid Woodhouse
Static analysis indicated that my commit 9008f3d564 ("ntlm_wb: Fix hard-coded limit on NTLM auth packet size") introduced a potential memory leak on an error path, because we forget to free the buffer before returning an error. Fix this. Although actually, it never happens in practice because we never *get* here with state == NTLMSTATE_TYPE1. The state is always zero. That might want cleaning up in a separate patch. Reported-by: Terri Oda
2015-07-15strerror: Add CRYPT_E_REVOKED to SSPI error stringsJay Satiro
2015-07-14openssl: VMS support for SHA256John Malmberg
setup-vms.h: More symbols for SHA256, hacks for older VAX openssl.h: Use OpenSSL OPENSSL_NO_SHA256 macro to allow building on VAX. openssl.c: Use OpenSSL version checks and OPENSSL_NO_SHA256 macro to allow building on VAX and 64 bit VMS.
2015-07-07http2: Fix memory leak in push header arrayTatsuhiro Tsujikawa
2015-07-02cyassl: fixed mismatched sha256sum function prototypeDan Fandrich
2015-07-01SSL: Pinned public key hash supportmoparisthebest
2015-07-01OpenVMS: VMS Software, Inc now the supplier.John Malmberg
setup-vms.h: Symbol case fixups submitted by Michael Steve build_gnv_curl_pcsi_desc.com: VSI aka as VMS Software, is now the supplier of new versions of VMS. The install kit needs to accept VSI as a producer.
2015-06-24http2: Use nghttp2 library error code for error return valueTatsuhiro Tsujikawa
2015-06-24http2: Harden header validation for curl_pushheader_bynameTatsuhiro Tsujikawa
Since we do prefix match using given header by application code against header name pair in format "NAME:VALUE", and VALUE part can contain ":", we have to careful about existence of ":" in header parameter. ":" should be allowed to match HTTP/2 pseudo-header field, and other use of ":" in header must be treated as error, and curl_pushheader_byname should return NULL. This commit implements this behaviour.
2015-06-24http2: curl_pushheader_byname now takes a const char *Daniel Stenberg
2015-06-24http2: free all header memory after the push callbackDaniel Stenberg
2015-06-24http2: init the pushed transfer properlyDaniel Stenberg
2015-06-24http2: fixed the header accessor functions for the push callbackDaniel Stenberg
2015-06-24http2: setup the new pushed stream properlyDaniel Stenberg
2015-06-24http2: initial implementation of the push callbackDaniel Stenberg
2015-06-23pretransfer: init state.infilesize here, not in add_handleDaniel Stenberg
... to properly support that options are set to the handle after it is added to the multi handle. Bug: http://curl.haxx.se/mail/lib-2015-06/0122.html Reported-by: Stefan Bühler
2015-06-18cookie: Fix bug in export if any-domain cookie is presentJay Satiro
In 3013bb6 I had changed cookie export to ignore any-domain cookies, however the logic I used to do so was incorrect, and would lead to a busy loop in the case of exporting a cookie list that contained any-domain cookies. The result of that is worse though, because in that case the other cookies would not be written resulting in an empty file once the application is terminated to stop the busy loop.
2015-06-18FTP: fixed compiling with --disable-proxy, broken in b88f980aDan Fandrich
2015-06-18Makefile.m32: add support for CURL_LDFLAG_EXTRASViktor Szakats
It is similar to existing CURL_CFLAG_EXTRAS, but for extra linker option.
2015-06-18RTSP: removed another piece of dead codeDaniel Stenberg
Coverity CID 1306668
2015-06-18openssl: fix use of uninitialized bufferDaniel Stenberg
Make sure that the error buffer is always initialized and simplify the use of it to make the logic easier. Bug: https://github.com/bagder/curl/issues/318 Reported-by: sneis
2015-06-18openssl: fix build with BoringSSLDaniel Stenberg
OPENSSL_load_builtin_modules does not exist in BoringSSL. Regression from cae43a1
2015-06-17openssl: Fix build with openssl < ~ 0.9.8fPaul Howarth
The symbol SSL3_MT_NEWSESSION_TICKET appears to have been introduced at around openssl 0.9.8f, and the use of it in lib/vtls/openssl.c breaks builds with older openssls (certainly with 0.9.8b, which is the latest older version I have to try with).
2015-06-17FTP: do the HTTP CONNECT for data connection blockingDaniel Stenberg
** WORK-AROUND ** The introduced non-blocking general behaviour for Curl_proxyCONNECT() didn't work for the data connection establishment unless it was very fast. The newly introduced function argument makes it operate in a more blocking manner, more like it used to work in the past. This blocking approach is only used when the FTP data connecting through HTTP proxy. Blocking like this is bad. A better fix would make it work more asynchronously. Bug: https://github.com/bagder/curl/issues/278
2015-06-17http: do not leak basic auth credentials on re-used connectionsKamil Dudka
CVE-2015-3236 This partially reverts commit curl-7_39_0-237-g87c4abb Reported-by: Tomas Tomecek, Kamil Dudka Bug: http://curl.haxx.se/docs/adv_20150617A.html
2015-06-17SMB: rangecheck values read off incoming packetDaniel Stenberg
CVE-2015-3237 Detected by Coverity. CID 1299430. Bug: http://curl.haxx.se/docs/adv_20150617B.html
2015-06-17schannel: schannel_recv overhaulJay Satiro
This commit is several drafts squashed together. The changes from each draft are noted below. If any changes are similar and possibly contradictory the change in the latest draft takes precedence. Bug: https://github.com/bagder/curl/issues/244 Reported-by: Chris Araman %% %% Draft 1 %% - return 0 if len == 0. that will have to be documented. - continue on and process the caches regardless of raw recv - if decrypted data will be returned then set the error code to CURLE_OK and return its count - if decrypted data will not be returned and the connection has closed (eg nread == 0) then return 0 and CURLE_OK - if decrypted data will not be returned and the connection *hasn't* closed then set the error code to CURLE_AGAIN --only if an error code isn't already set-- and return -1 - narrow the Win2k workaround to only Win2k %% %% Draft 2 %% - Trying out a change in flow to handle corner cases. %% %% Draft 3 %% - Back out the lazier decryption change made in draft2. %% %% Draft 4 %% - Some formatting and branching changes - Decrypt all encrypted cached data when len == 0 - Save connection closed state - Change special Win2k check to use connection closed state %% %% Draft 5 %% - Default to CURLE_AGAIN in cleanup if an error code wasn't set and the connection isn't closed. %% %% Draft 6 %% - Save the last error only if it is an unrecoverable error. Prior to this I saved the last error state in all cases; unfortunately the logic to cover that in all cases would lead to some muddle and I'm concerned that could then lead to a bug in the future so I've replaced it by only recording an unrecoverable error and that state will persist. - Do not recurse on renegotiation. Instead we'll continue on to process any trailing encrypted data received during the renegotiation only. - Move the err checks in cleanup after the check for decrypted data. In either case decrypted data is always returned but I think it's easier to understand when those err checks come after the decrypted data check. %% %% Draft 7 %% - Regardless of len value go directly to cleanup if there is an unrecoverable error or a close_notify was already received. Prior to this change we only acknowledged those two states if len != 0. - Fix a bug in connection closed behavior: Set the error state in the cleanup, because we don't know for sure it's an error until that time. - (Related to above) In the case the connection is closed go "greedy" with the decryption to make sure all remaining encrypted data has been decrypted even if it is not needed at that time by the caller. This is necessary because we can only tell if the connection closed gracefully (close_notify) once all encrypted data has been decrypted. - Do not renegotiate when an unrecoverable error is pending. %% %% Draft 8 %% - Don't show 'server closed the connection' info message twice. - Show an info message if server closed abruptly (missing close_notify).
2015-06-15rtsp_do: fix DEAD CODEDaniel Stenberg
"At condition p_request, the value of p_request cannot be NULL." Coverity CID 1306668.
2015-06-15security:choose_mech fix DEAD CODE warningDaniel Stenberg
... by removing the "do {} while (0)" block. Coverity CID 1306669
2015-06-14urldata: store POST size in state.infilesize tooDaniel Stenberg
... to simplify checking when PUT _or_ POST have completed. Reported-by: Frank Meier Bug: http://curl.haxx.se/mail/lib-2015-06/0019.html
2015-06-11schannel: Add support for optional client certificatesJoel Depooter
Some servers will request a client certificate, but not require one. This change allows libcurl to connect to such servers when using schannel as its ssl/tls backend. When a server requests a client certificate, libcurl will now continue the handshake without one, rather than terminating the handshake. The server can then decide if that is acceptable or not. Prior to this change, libcurl would terminate the handshake, reporting a SEC_I_INCOMPLETE_CREDENTIALS error.
2015-06-10debug: remove http2 debug leftoversDaniel Stenberg
2015-06-09INTERNALS: cat lib/README* >> INTERNALSDaniel Stenberg
and a conversion to markdown. Removed the lib/README.* files. The idea being to move toward having INTERNALS as the one and only "book" of internals documentation. Added a TOC to top of the document.
2015-06-08openssl: LibreSSL and BoringSSL do not use TLS_client_methodJay Satiro
Although OpenSSL 1.1.0+ deprecated SSLv23_client_method in favor of TLS_client_method LibreSSL and BoringSSL didn't and still use SSLv23_client_method. Bug: https://github.com/bagder/curl/commit/49a6642#commitcomment-11578009 Reported-by: asavah@users.noreply.github.com