path: root/lib
Age | Commit message | Author
2014-11-06 | http_digest: Fixed auth retry loop when SSPI based authentication fails | Steve Holme
2014-11-06 | http_digest: Reworked the SSPI based input token storage | Steve Holme
Reworked the input token (challenge message) storage as what is passed to the buf and desc in the response generation are typically blobs of data rather than strings, so this is more in keeping with other areas of the SSPI code, such as the NTLM message functions.
2014-11-06 | sasl_sspi: Fixed compilation warning from commit 2d2a62e3d9 | Steve Holme
Added void reference to unused 'data' parameter back to fix compilation warning.
2014-11-06 | sspi: Align definition values to even columns as we use 2 char spacing | Steve Holme
2014-11-06 | sspi: Fixed missing definition of ISC_REQ_USE_HTTP_STYLE | Steve Holme
Some versions of Microsoft's sspi.h don't define this.
2014-11-06 | sasl: Removed non-SSPI Digest functions and defines from SSPI based builds | Steve Holme
Introduced in commit 7e6d51a73c, these functions and definitions are only required by the internal challenge-response functions now.
2014-11-06 | sasl_sspi: Added HTTP digest response generation code | Steve Holme
2014-11-06 | http_digest: Added SSPI based challenge decoding code | Steve Holme
2014-11-06 | http_digest: Added SSPI based clean-up code | Steve Holme
2014-11-06 | http_digest: Added SSPI based authentication functions | Steve Holme
This temporarily breaks HTTP digest authentication in SSPI based builds, causing CURLE_NOT_BUILT_IN to be returned. A follow up commit will resume normal operation.
2014-11-06 | http_digest: Added required SSPI based variables to digest structure | Steve Holme
2014-11-05 | http_digest: Fixed memory leaks from commit 6f8d8131b1 | Steve Holme
2014-11-05 | sasl: Fixed compilation warning from commit 25264131e2 | Steve Holme
Added forward declaration of digestdata to overcome the following compilation warning:
warning: 'struct digestdata' declared inside parameter list
Additionally made the ntlmdata forward declaration dependent on USE_NTLM similar to how digestdata and kerberosdata are.
2014-11-05 | sasl: Fixed HTTP digest challenges with spaces between auth parameters | Steve Holme
Broken as part of the rework, in commit 7e6d51a73c, to assist with the addition of HTTP digest via Windows SSPI.
2014-11-05 | http_digest: Fixed compilation errors from commit 6f8d8131b1 | Steve Holme
error: invalid operands to binary
warning: pointer targets in assignment differ in signedness
2014-11-05 | http_digest: Moved response generation into SASL module | Steve Holme
2014-11-05 | http_digest: Moved challenge decoding into SASL module | Steve Holme
2014-11-05 | http_digest: Moved clean-up function into SASL module | Steve Holme
2014-11-05 | http_digest: Moved algorithm definitions to SASL module | Steve Holme
2014-11-05 | ssh: Fixed build on platforms where R_OK is not defined | Gisle Vanem
Bug: http://curl.haxx.se/mail/lib-2014-11/0035.html
Reported-by: Jan Ehrhardt
2014-11-05 | strdup: Removed irrelevant comment | Steve Holme
...as Curl_memdup() duplicates an area of fixed size memory, that may be binary, and not a null terminated string.
2014-11-05 | url.c: Fixed compilation warning | Steve Holme
conversion from 'curl_off_t' to 'size_t', possible loss of data
2014-11-05 | http_digest: Use CURLcode instead of CURLdigest | Steve Holme
To provide consistent behaviour between the various HTTP authentication functions use CURLcode based error codes for Curl_input_digest() especially as the calling code doesn't use the specific error code just that it failed.
2014-11-05 | sspi: Define authentication package name constants | Steve Holme
These were previously hard coded, and whilst defined in security.h, they may or may not be present in old header files given that these defines were never used in the original code. Not only that, but there appears to be some ambiguity between the ANSI and UNICODE NTLM definition name in security.h.
2014-11-05 | curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds | Daniel Stenberg
When duplicating a handle, the data to post was duplicated using strdup() when it could be binary and contain zeroes and it was not even zero terminated! This caused read out of bounds crashes/segfaults.
Since the lib/strdup.c file no longer is easily shared with the curl tool with this change, it now uses its own version instead.
Bug: http://curl.haxx.se/docs/adv_20141105.html
CVE: CVE-2014-3707
Reported-By: Symeon Paraschoudis
2014-11-04 | SSL: PolarSSL default min SSL version TLS 1.0 | Jay Satiro
- Prior to this change no SSL minimum version was set by default at runtime for PolarSSL. Therefore in most cases PolarSSL would probably have defaulted to a minimum version of SSLv3 which is no longer secure.
2014-11-03 | Curl_single_getsock: fix hold/pause sock handling | Carlo Wood
The previous condition that checked if the socket was marked as readable when also adding a writable one, was incorrect and didn't take the pause bits properly into account.
2014-11-03 | cmake: drop _BSD_SOURCE macro usage | Peter Wu
autotools does not use features.h nor _BSD_SOURCE. As this macro triggers warnings since glibc 2.20, remove it. It should not have functional differences.
Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2014-11-02 | sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used | Steve Holme
Typically the USE_WINDOWS_SSPI definition would not be used when the CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication data structures and functions would incorrectly be used when they shouldn't be.
Introduced a new USE_KRB5 definition that takes into account the use of CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
2014-11-02 | openssl: Use 'CURLcode result' | Steve Holme
More CURLcode fixes.
2014-11-01 | resume: consider a resume from [content-length] to be OK | Daniel Stenberg
Basically since servers often then don't respond well to this and instead send the full contents and then libcurl would instead error out with the assumption that the server doesn't support resume. As the data is then already transferred, this is now considered fine.
Test case 1434 added to verify this. Test case 1042 slightly modified.
Reported-by: hugo
Bug: http://curl.haxx.se/bug/view.cgi?id=1443
2014-11-01 | openssl: Use 'CURLcode result' | Steve Holme
More standardisation of CURLcode usage and coding style.
2014-11-01 | openssl: Use 'CURLcode result' | Steve Holme
...and some minor code style changes.
2014-11-01 | ftplistparser: We prefer 'CURLcode result' | Steve Holme
2014-10-30 | code cleanup: Use 'CURLcode result' | Steve Holme
2014-10-30 | build: added Watcom support to build with WinSSL. | Guenter Knauf
2014-10-29 | openssl: enable NPN separately from ALPN | Daniel Stenberg
... and allow building with nghttp2 but completely without NPN and ALPN, as nghttp2 can still be used for plain-text HTTP.
Reported-by: Lucas Pardue
2014-10-29 | vtls.c: Fixed compilation warning | Steve Holme
conversion from 'size_t' to 'unsigned int', possible loss of data
2014-10-29 | sspi: Return CURLE_LOGIN_DENIED on AcquireCredentialsHandle() failure | Steve Holme
Return a more appropriate error, rather than CURLE_OUT_OF_MEMORY when acquiring the credentials handle fails. This is then consistent with the code prior to commit f7e24683c4 when log-in credentials were empty.
2014-10-29 | sasl_sspi: Allow DIGEST-MD5 to use current windows credentials | Steve Holme
Fixed the ability to use the current log-in credentials with DIGEST-MD5. I had previously disabled this functionality in commit 607883f13c as I couldn't get this to work under Windows 8, however, from testing HTTP Digest authentication through Windows SSPI and then further testing of this code I have found it works in Windows 7. Some further investigation is required to see what the differences are between Windows 7 and 8, but for now enable this functionality as the code will return an error when AcquireCredentialsHandle() fails.
2014-10-29 | transfer: drop the code handling the ssl_connect_retry flag | Kamil Dudka
Its last use has been removed by the previous commit.
2014-10-29 | nss: drop the code for libcurl-level downgrade to SSLv3 | Kamil Dudka
This code was already deactivated by commit ec783dc142129d3860e542b443caaa78a6172d56.
2014-10-29 | openssl: fix a line length warning | Kamil Dudka
2014-10-29 | Added NetWare support to build with nghttp2. | Guenter Knauf
2014-10-29 | Fixed error message since we require ALPN support. | Guenter Knauf
2014-10-29 | Check for ALPN via OpenSSL version number. | Guenter Knauf
This check works also with non-configure platforms.
2014-10-28 | sasl_sspi: Fixed typo in comment | Steve Holme
2014-10-28 | code cleanup: We prefer 'CURLcode result' | Steve Holme
2014-10-28 | mk-ca-bundle: spell fix "version" | Daniel Stenberg
2014-10-27 | HTTP: return larger than 3 digit response codes too | Daniel Stenberg
HTTP 1.1 is clearly specified to only allow three digit response codes, and libcurl used sscanf("%3d") for that purpose. This made libcurl support smaller numbers but not larger. It does now, but we will not make any specific promises nor document this further since it is going outside of what HTTP is.
Bug: http://curl.haxx.se/bug/view.cgi?id=1441
Reported-by: Balaji