Age | Commit message (Collapse) | Author |
|
vtls.c:185:46: warning: unused parameter 'data'
|
|
In preparation for moving the NTLM message code into the SASL module,
and separating the native code from the SSPI code, added functions that
simply call the functions in curl_ntlm_msg.c.
|
|
In preparation for moving the NTLM message code into the SASL module
use the SASL functions in the HTTP code instead.
|
|
... so that non-configure builds get the correct functions too based on
the libssh2 version used.
|
|
... if the libssh2 version is new enough.
Bug: http://curl.haxx.se/bug/view.cgi?id=1448
|
|
USE_NTLM would only be defined if: HTTP support was enabled, NTLM and
cryptography weren't disabled, and either a supporting cryptography
library or Windows SSPI was being compiled against.
This means it was not possible to build libcurl without HTTP support
and use NTLM for other protocols such as IMAP, POP3 and SMTP. Rather
than introduce a new SASL pre-processor definition, removed the HTTP
prerequisite just like USE_SPNEGO and USE_KRB5.
Note: Winbind support still needs to be dependent on CURL_DISABLE_HTTP
as it is only available to HTTP at present.
This bug dates back to August 2011 when I started to add support for
NTLM to SMTP.
|
|
Due to commit 40ee1ba0dc the free in Curl_ntlm_decode_type2_target() is
longer required.
|
|
|
|
|
|
|
|
|
|
|
|
Fixed a couple of memory leaks as a result of moving code that used to
populate allocuserpwd and relied on it's clean up.
|
|
Following the addition of SSPI support for HTTP digest, synchronised
elements of the email digest code with that of the new HTTP code.
|
|
Post tidy up to ensure commonality of code style and variable names.
|
|
|
|
Reworked the input token (challenge message) storage as what is passed
to the buf and desc in the response generation are typically blobs of
data rather than strings, so this is more in keeping with other areas
of the SSPI code, such as the NTLM message functions.
|
|
Added void reference to unused 'data' parameter back to fix compilation
warning.
|
|
|
|
Some versions of Microsoft's sspi.h don't define this.
|
|
Introduced in commit 7e6d51a73c these functions and definitions are only
required by the internal challenge-response functions now.
|
|
|
|
|
|
|
|
This temporarily breaks HTTP digest authentication in SSPI based builds,
causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will
resume normal operation.
|
|
|
|
|
|
Added forward declaration of digestdata to overcome the following
compilation warning:
warning: 'struct digestdata' declared inside parameter list
Additionally made the ntlmdata forward declaration dependent on
USE_NTLM similar to how digestdata and kerberosdata are.
|
|
Broken as part of the rework, in commit 7e6d51a73c, to assist with the
addition of HTTP digest via Windows SSPI.
|
|
error: invalid operands to binary
warning: pointer targets in assignment differ in signedness
|
|
|
|
|
|
|
|
|
|
Bug: http://curl.haxx.se/mail/lib-2014-11/0035.html
Reported-by: Jan Ehrhardt
|
|
...as Curl_memdup() duplicates an area of fix size memory, that may be
binary, and not a null terminated string.
|
|
conversion from 'curl_off_t' to 'size_t', possible loss of data
|
|
To provide consistent behaviour between the various HTTP authentication
functions use CURLcode based error codes for Curl_input_digest()
especially as the calling code doesn't use the specific error code just
that it failed.
|
|
These were previously hard coded, and whilst defined in security.h,
they may or may not be present in old header files given that these
defines were never used in the original code.
Not only that, but there appears to be some ambiguity between the ANSI
and UNICODE NTLM definition name in security.h.
|
|
When duplicating a handle, the data to post was duplicated using
strdup() when it could be binary and contain zeroes and it was not even
zero terminated! This caused read out of bounds crashes/segfaults.
Since the lib/strdup.c file no longer is easily shared with the curl
tool with this change, it now uses its own version instead.
Bug: http://curl.haxx.se/docs/adv_20141105.html
CVE: CVE-2014-3707
Reported-By: Symeon Paraschoudis
|
|
- Prior to this change no SSL minimum version was set by default at
runtime for PolarSSL. Therefore in most cases PolarSSL would probably
have defaulted to a minimum version of SSLv3 which is no longer secure.
|
|
The previous condition that checked if the socket was marked as readable
when also adding a writable one, was incorrect and didn't take the pause
bits properly into account.
|
|
autotools does not use features.h nor _BSD_SOURCE. As this macro
triggers warnings since glibc 2.20, remove it. It should not have
functional differences.
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
|
|
Typically the USE_WINDOWS_SSPI definition would not be used when the
CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build
configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication
data structures and functions would incorrectly be used when they
shouldn't be.
Introduced a new USE_KRB5 definition that takes into account the use of
CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
|
|
More CURLcode fixes.
|
|
Basically since servers often then don't respond well to this and
instead send the full contents and then libcurl would instead error out
with the assumption that the server doesn't support resume. As the data
is then already transfered, this is now considered fine.
Test case 1434 added to verify this. Test case 1042 slightly modified.
Reported-by: hugo
Bug: http://curl.haxx.se/bug/view.cgi?id=1443
|
|
More standardisation of CURLcode usage and coding style.
|
|
...and some minor code style changes.
|
|
|
|
|