aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2013-08-28multi_socket: improved 100-continue timeout handlingDaniel Stenberg
When waiting for a 100-continue response from the server, the Curl_readwrite() will refuse to run if called until the timeout has been reached. We timeout code in multi_socket() allows code to run slightly before the actual timeout time, so for test 154 it could lead to the function being executed but refused in Curl_readwrite() and then the application would just sit idling forever. This was detected with runtests.pl -e on test 154.
2013-08-26security.h: rename to curl_sec.h to avoid name collisionDaniel Stenberg
I brought back security.h in commit bb5529331334e. As we actually already found out back in 2005 in commit 62970da675249, the file name security.h causes problems so I renamed it curl_sec.h instead.
2013-08-26smtp: added basic SASL XOAUTH2 supportKyle L. Huff
Added the ability to use an XOAUTH2 bearer token [RFC6750] with SMTP for authentication using RFC6749 "OAuth 2.0 Authorization Framework". The bearer token is expected to be valid for the user specified in conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has an advertised auth mechanism of "XOAUTH2", the user and access token are formatted as a base64 encoded string and sent to the server as "AUTH XOAUTH2 <bearer token>".
2013-08-26imap: added basic SASL XOAUTH2 supportKyle L. Huff
Added the ability to use an XOAUTH2 bearer token [RFC6750] with IMAP for authentication using RFC6749 "OAuth 2.0 Authorization Framework". The bearer token is expected to be valid for the user specified in conn->user. If CURLOPT_XOAUTH2_BEARER is defined and the connection has an advertised auth mechanism of "XOAUTH2", the user and access token are formatted as a base64 encoded string and sent to the server as "A001 AUTHENTICATE XOAUTH2 <bearer token>".
2013-08-26security.h: Fixed compilation warningSteve Holme
ISO C forbids forward references to 'enum' types
2013-08-25options: added basic SASL XOAUTH2 supportKyle L. Huff
Added the ability to specify an XOAUTH2 bearer token [RFC6750] via the option CURLOPT_XOAUTH2_BEARER for authentication using RFC6749 "OAuth 2.0 Authorization Framework".
2013-08-25sasl: added basic SASL XOAUTH2 supportKyle L. Huff
Added the ability to generated a base64 encoded XOAUTH2 token containing: "user=<username>^Aauth=Bearer <bearer token>^A^A" as per RFC6749 "OAuth 2.0 Authorization Framework".
2013-08-25FTP: remove krb4 supportDaniel Stenberg
We've announced this pending removal for a long time and we've repeatedly asked if anyone would care or if anyone objects. Nobody has objected. It has probably not even been working for a good while since nobody has tested/used this code recently. The stuff in krb4.h that was generic enough to be used by other sources is now present in security.h
2013-08-25easy: define away easy_events() for non-debug buildsDaniel Stenberg
2013-08-22multi: move on from STATE_DONE fasterDaniel Stenberg
Make sure we always return CURLM_CALL_MULTI_PERFORM when we reach CURLM_STATE_DONE since the state is transient and it can very well continue executing as there is nothing to wait for. Bug: http://curl.haxx.se/mail/lib-2013-08/0211.html Reported-by: Yi Huang
2013-08-22TFTP: make the CURLOPT_LOW_SPEED* options workDaniel Stenberg
... this also makes sure that the progess callback gets called more often during TFTP transfers. Added test 1238 to verify. Bug: http://curl.haxx.se/bug/view.cgi?id=1269 Reported-by: Jo3
2013-08-21curl_easy_perform_ev: make it CURL_EXTERNGisle Vanem
I build curl.exe (using MingW) with '-DCURLDEBUG' and by importing from libcurl.dll. Which means the new curl_easy_perform_ev() must be exported from libcurl.dll.
2013-08-20CURLM_ADDED_ALREADY: new error codeDaniel Stenberg
Doing curl_multi_add_handle() on an easy handle that is already added to a multi handle now returns this error code. It previously returned CURLM_BAD_EASY_HANDLE for this condition.
2013-08-20multi_init: moved init code here from add_handleDaniel Stenberg
The closure_handle is "owned" by the multi handle and it is unconditional so the setting up of it should be in the Curl_multi_handle function rather than curl_multi_add_handle.
2013-08-20multi: remove dns cache creation code from *add_handleDaniel Stenberg
As it is done unconditionally in multi_init() this code will never run!
2013-08-20curl_easy_perform_ev: debug/test functionDaniel Stenberg
This function is meant to work *exactly* as curl_easy_perform() but will use the event-based libcurl API internally instead of curl_multi_perform(). To avoid relying on an actual event-based library and to not use non-portable functions (like epoll or similar), there's a rather inefficient emulation layer implemented on top of Curl_poll() instead. There's currently some convenience logging done in curl_easy_perform_ev which helps when tracking down problems. They may be suitable to remove or change once things seem to be fine enough. curl has a new --test-event option when built with debug enabled that then uses curl_easy_perform_ev() instead of curl_easy_perform(). If built without debug, using --test-event will only output a warning message. NOTE: curl_easy_perform_ev() is not part if the public API on purpose. It is only present in debug builds of libcurl and MUST NOT be considered stable even then. Use it for libcurl-testing purposes only. runtests.pl now features an -e command line option that makes it use --test-event for all curl command line tests. The man page is updated.
2013-08-20transfer: the recent sessionhandle change broke CURL_DOES_CONVERSIONSGisle Vanem
2013-08-20url: handle arbitrary-length username and password before '@'Jonathan Nieder
libcurl quietly truncates usernames, passwords, and options from before an '@' sign in a URL to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters to fit in fixed-size buffers on the stack. Allocate a buffer large enough to fit the parsed fields on the fly instead to support longer passwords. After this change, there are no more uses of MAX_CURL_OPTIONS_LENGTH left, so stop defining that constant while at it. The hardcoded max username and password length constants, on the other hand, are still used in HTTP proxy credential handling (which this patch doesn't touch). Reported-by: Colby Ranger
2013-08-20url: handle exceptional cases first in parse_url_login()Jonathan Nieder
Instead of nesting "if(success)" blocks and leaving the reader in suspense about what happens in the !success case, deal with failure cases early, usually with a simple goto to clean up and return from the function. No functional change intended. The main effect is to decrease the indentation of this function slightly.
2013-08-20Curl_setopt: handle arbitrary-length username and passwordJonathan Nieder
libcurl truncates usernames, passwords, and options set with curl_easy_setopt to 255 (= MAX_CURL_PASSWORD_LENGTH - 1) characters. This doesn't affect the return value from curl_easy_setopt(), so from the caller's point of view, there is no sign anything strange has happened, except that authentication fails. For example: # Prepare a long (300-char) password. s=0123456789; s=$s$s$s$s$s$s$s$s$s$s; s=$s$s$s; # Start a server. nc -l -p 8888 | tee out & pid=$! # Tell curl to pass the password to the server. curl --user me:$s http://localhost:8888 & sleep 1; kill $pid # Extract the password. userpass=$( awk '/Authorization: Basic/ {print $3}' <out | tr -d '\r' | base64 -d ) password=${userpass#me:} echo ${#password} Expected result: 300 Actual result: 255 The fix is simple: allocate appropriately sized buffers on the heap instead of trying to squeeze the provided values into fixed-size on-stack buffers. Bug: http://bugs.debian.org/719856 Reported-by: Colby Ranger
2013-08-20netrc: handle longer username and passwordJonathan Nieder
libcurl truncates usernames and passwords it reads from .netrc to LOGINSIZE and PASSWORDSIZE (64) characters without any indication to the user, to ensure the values returned from Curl_parsenetrc fit in a caller-provided buffer. Fix the interface by passing back dynamically allocated buffers allocated to fit the user's input. The parser still relies on a 256-character buffer to read each line, though. So now you can include an ~246-character password in your .netrc, instead of the previous limit of 63 characters. Reported-by: Colby Ranger
2013-08-20url: allocate username, password, and options on the heapJonathan Nieder
This makes it possible to increase the size of the buffers when needed in later patches. No functional change yet.
2013-08-20url: use goto in create_conn() for exception handlingJonathan Nieder
Instead of remembering before each "return" statement which temporary allocations, if any, need to be freed, take care to set pointers to NULL when no longer needed and use a goto to a common block to exit the function and free all temporaries. No functional change intended. Currently the only temporary buffer in this function is "proxy" which is already correctly freed when appropriate, but there will be more soon.
2013-08-20sasl: allow arbitrarily long username and passwordJonathan Nieder
Use appropriately sized buffers on the heap instead of fixed-size buffers on the stack, to allow for longer usernames and passwords. Callers never pass anything longer than MAX_CURL_USER_LENGTH (resp. MAX_CURL_PASSWORD_LENGTH), so no functional change inteded yet.
2013-08-19imap: Fixed response check for SEARCH commandAlex McLellan
Adding this line allows libcurl to return the server response when performing a search command via a custom request.
2013-08-14ftp: convert state names to a global arrayDaniel Stenberg
... just to make them easier to print in debug ouputs while debugging. They are still within #ifdef [debugbuild].
2013-08-14ftp_domore_getsock: when passive mode, the second conn is already thereDaniel Stenberg
This makes the socket callback get called with the proper bitmask as otherwise the application could be left hanging waiting for reading on an upload connection! Bug: http://curl.haxx.se/mail/lib-2013-08/0043.html Reported-by: Bill Doyle
2013-08-12nss: make sure that NSS is initializedKamil Dudka
... prior to calling PK11_GenerateRandom()
2013-08-12multi: s/easy/dataDaniel Stenberg
With everything being struct SessionHandle pointers now, this rename makes multi.c use the library-wide practise of calling that pointer 'data' instead of the previously used 'easy'.
2013-08-12cleanup: removed one function, made one staticDaniel Stenberg
Moved Curl_easy_addmulti() from easy.c to multi.c, renamed it to easy_addmulti and made it static. Removed Curl_easy_initHandleData() and uses of it since it was emptied in commit cdda92ab67b47d74a.
2013-08-12SessionHandle: the protocol specific pointer is now a void *Daniel Stenberg
All protocol handler structs are now opaque (void *) in the SessionHandle struct and moved in the request-specific sub-struct 'SingleRequest'. The intension is to keep the protocol specific knowledge in their own dedicated source files [protocol].c etc. There's some "leakage" where this policy is violated, to be addressed at a later point in time.
2013-08-12urldata: clean up the use of the protocol specific structsDaniel Stenberg
1 - always allocate the struct in protocol->setup_connection. Some protocol handlers had to get this function added. 2 - always free at the end of a request. This is also an attempt to keep less memory in the handle after it is completed.
2013-08-09comments: remove old and wrong multi/easy interface statementsDaniel Stenberg
2013-08-08global dns cache: fix memory leakDaniel Stenberg
The take down of the global dns cache didn't take CURLOPT_RESOLVE names into account.
2013-08-08global dns cache: didn't work [regression]Daniel Stenberg
CURLOPT_DNS_USE_GLOBAL_CACHE broke in commit c43127414d89ccb (been broken since the libcurl 7.29.0 release). While this option has been documented as deprecated for almost a decade and nobody even reported this bug, it should remain functional. Added test case 1512 to verify
2013-08-08FTP: renamed several local functionsDaniel Stenberg
The previous naming scheme ftp_state_post_XXXX() wasn't really helpful as it wasn't always immediately after 'xxxx' and it wasn't easy to understand what it does based on such a name. This new one is instead ftp_state_yyyy() where yyyy describes what it does or sends.
2013-08-06FTP: when EPSV gets a 229 but fails to connect, retry with PASVDaniel Stenberg
This is a regression as this logic used to work. It isn't clear when it broke, but I'm assuming in 7.28.0 when we went all-multi internally. This likely never worked with the multi interface. As the failed connection is detected once the multi state has reached DO_MORE, the Curl_do_more() function was now expanded somewhat so that the ftp_do_more() function can request to go "back" to the previous state when it makes another attempt - using PASV. Added test case 1233 to verify this fix. It has the little issue that it assumes no service is listening/accepting connections on port 1... Reported-by: byte_bucket in the #curl IRC channel
2013-08-05md5: remove use of CommonCrypto-to-OpenSSL macros for the benefit of LeopardNick Zitzmann
For some reason, OS X 10.5's GCC suddenly stopped working correctly with macros that change MD5_Init etc. in the code to CC_MD5_Init etc., so I worked around this by removing use of the macros and inserting static functions that just call CommonCrypto's implementations of the functions instead.
2013-08-05Simplify check for trusted certificates.Guenter Knauf
This changes the previous check for untrusted certs to a check for certs explicitely marked as trusted. The change is backward-compatible (tested with certdata.txt v1.80).
2013-08-04formadd: wrong pointer for file name when CURLFORM_BUFFERPTR usedDaniel Stenberg
The internal function that's used to detect known file extensions for the default Content-Type got the the wrong pointer passed in when CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that strlen() would be used which could lead to an out-of-bounds read (and thus segfault). In most cases it would only lead to it not finding or using the correct default content-type. It also showed that test 554 and test 587 were testing for the previous/wrong behavior and now they're updated as well. Bug: http://curl.haxx.se/bug/view.cgi?id=1262 Reported-by: Konstantin Isakov
2013-08-04Skip more untrusted certificates.Guenter Knauf
Christian Heimes brought to our attention that the certdata.txt format has recently changed [1], causing ca-bundle.crt created with mk-ca-bundle.[pl|vbs] to include untrusted certs. [1] http://lists.debian.org/debian-release/2012/11/msg00411.html
2013-08-03multi: remove data->state.current_conn struct fieldDaniel Stenberg
Not needed
2013-08-03multi: remove the one_easy struct fieldDaniel Stenberg
Since the merge of SessionHandle with Curl_one_easy, this indirection isn't used anymore.
2013-08-03multi: rename all Curl_one_easy to SessionHandleDaniel Stenberg
2013-08-03multi: remove the multi_pos struct fieldDaniel Stenberg
Since Curl_one_easy is really a SessionHandle now, this indirection doesn't exist anymore.
2013-08-03multi: remove easy_handle struct fieldDaniel Stenberg
It isn't needed anymore
2013-08-03multi: remove 'Curl_one_easy' struct, phase 1Daniel Stenberg
The motivation for having a separate struct that keep track of an easy handle when using the multi handle was removed when we switched to always using the multi interface internally. Now they were just two separate struct that was always allocated for each easy handle. This first step just moves the Curl_one_easy struct members into the SessionHandle struct and hides this somehow (== keeps the source code changes to a minimum) by defining Curl_one_easy to SessionHandle The biggest changes in this commit are: 1 - the linked list of easy handles had to be changed somewhat due to the new struct layout. This made the main linked list pointer get renamed to 'easyp' and there's also a new pointer to the last node, called easylp. It is no longer circular but ends with ->next pointing to NULL. New nodes are still added last. 2 - easy->state is now called easy->mstate to avoid name collision
2013-07-30darwinssl: added LFs to some strings passed into infof()Nick Zitzmann
(This doesn't need to appear in the release notes.) I noticed a few places where infof() was called, and there should've been an LF at the end of the string, but there wasn't.
2013-07-30darwinssl: fix build error in crypto authentication under Snow LeopardNick Zitzmann
It turns out Snow Leopard not only has SecItemCopyMatching() defined in a header not included by the omnibus header, but it won't work for our purposes, because searching for SecIdentityRef objects wasn't added to that API until Lion. So we now use the old SecKeychainSearch API instead if the user is building under, or running under, Snow Leopard. Bug: http://sourceforge.net/p/curl/bugs/1255/ Reported by: Edward Rudd
2013-07-30md5 & metalink: use better build macros on Apple operating systemsNick Zitzmann
Previously we used __MAC_10_X and __IPHONE_X to mark digest-generating code that was specific to OS X and iOS. Now we use __MAC_OS_X_VERSION_MAX_ALLOWED and __IPHONE_OS_VERSION_MAX_ALLOWED instead of those macros. Bug: http://sourceforge.net/p/curl/bugs/1255/ Reported by: Edward Rudd