| Age | Commit message (Collapse) | Author |
|---|
|
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
|
|
|
|
Reported-by: David Woodhouse
|
|
The old way using getpwuid could cause problems in programs that enable
reading from netrc files simultaneously in multiple threads.
Reported-by: David Woodhouse
|
|
This previously caused a fatal error (with a confusing error code, at
that).
Reported by: Glen A Johnson Jr.
|
|
Bug: http://curl.haxx.se/mail/lib-2014-07/0103.html
Reported-by: David Woodhouse
|
|
|
|
The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
the code path in which they're referenced here is only ever used for
somewhat older GnuTLS versions. This caused undeclared identifier errors
when compiling against those.
|
|
This seems to have become necessary for SRP support to work starting
with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
before the function that takes this priority string, there should be no
issue with backward compatibility.
|
|
This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.
|
|
This showed itself on some systems with torture failures
in tests 1060 and 1061
|
|
|
|
... pointed out by MSVC2013
Bug: http://curl.haxx.se/bug/view.cgi?id=1391
|
|
Otherwise NSS could use an already freed item for another connection.
|
|
|
|
... and spell it as crl_der instead of crlDER
|
|
|
|
When an error has been detected, skip the final forced call to the
progress callback by making sure to pass the current return code
variable in the Curl_done() call in the CURLM_STATE_DONE state.
This avoids the "extra" callback that could occur even if you returned
error from the progress callback.
Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html
Reported by: Jonathan Cardoso Machado
|
|
This feature was unintentionally disabled by commit ff92fcfb.
|
|
... due to calling SSL_VersionRangeGet() with NULL file descriptor
reported-by: upstream tests 305 and 404
|
|
c-ares now does support IPv6;
avoid implying threaded resolver is Windows-only;
two referenced source files were renamed in 7de2f92
|
|
This caused segfaults on tests 823 869 907.
|
|
|
|
|
|
The static connection counter caused a race condition. Moving the
connection id counter into conncache solves it, as well as simplifying
the related logic.
|
|
This regression was introduced when *init was split into *init and
*setup...
|
|
They were added because of an older code path that used allocations and
should not have been left in the code. With this change the logic goes
back to how it was.
|
|
Curl_rand() will return a dummy and repatable random value for this
case. Makes it possible to write test cases that verify output.
Also, fake timestamp with CURL_FORCETIME set.
Only when built debug enabled of course.
Curl_ssl_random() was not used anymore so it has been
removed. Curl_rand() is enough.
create_digest_md5_message: generate base64 instead of hex string
curl_sasl: also fix memory leaks in some OOM situations
|
|
|
|
httpproxycode is not reset in Curl_initinfo, so a 407 is not reset even
if curl_easy_reset is called between transfers.
Bug: http://curl.haxx.se/bug/view.cgi?id=1380
|
|
The method change is forbidden by the obsolete RFC2616, but libcurl did
it anyway for compatibility reasons. The new RFC7231 allows this
behaviour so there's no need for the scary "Violate RFC 2616/10.3.x"
notice. Also update the comments accordingly.
|
|
Bug: http://curl.haxx.se/bug/view.cgi?id=1378
Reported and Patched-by: Marcel Raad
|
|
Bug: http://curl.haxx.se/mail/lib-2014-06/0003.html
Reported-by: Дмитрий Фалько
|
|
The SASL/Digest previously used the current time's seconds +
microseconds to add randomness but it is much better to instead get more
data from Curl_rand().
It will also allow us to easier "fake" that for debug builds on demand
in a future.
|
|
|
|
|
|
Rather than use a short 8-byte hex string, extended the cnonce to be
32-bytes long, like Windows SSPI does.
Used a combination of random data as well as the current date and
time for the generation.
|
|
|
|
It might not be the most useful combo, but...
|
|
|
|
"Any two of the parameters, readfds, writefds, or exceptfds, can be
given as null. At least one must be non-null, and any non-null
descriptor set must contain at least one handle to a socket."
http://msdn.microsoft.com/en-ca/library/windows/desktop/ms740141(v=vs.85).aspx
When using select(), cURL doesn't adhere to this (WinSock-specific)
rule, and can ask to monitor empty fd_sets, which leads to select()
returning WSAEINVAL (i.e. EINVAL) and connections failing in mysterious
ways as a result (at least when using the curl_multi_socket_action()
interface).
Bug: http://curl.haxx.se/mail/lib-2014-05/0278.html
|
|
The previous #ifdef detection wasn't good enough.
Bug: http://curl.haxx.se/mail/lib-2014-05/0260.html
Reported-by: Chris Young
|
|
PolarSSL added ALPN support in their 1.3.6 release.
See:
https://polarssl.org/tech-updates/releases/polarssl-1.3.6-released
|
|
Make sure that the URL is reset and cleared.
Bug: http://curl.haxx.se/mail/lib-2014-05/0235.html
Reported-by: Jonathan Cardoso Machado
|
|
OpenSSL passes out and outlen variable uninitialized to
select_next_proto_cb callback function. If the callback function
returns SSL_TLSEXT_ERR_OK, the caller assumes the callback filled
values in out and outlen and processes as such. Previously, if there
is no overlap in protocol lists, curl code does not fill any values in
these variables and returns SSL_TLSEXT_ERR_OK, which means we are
triggering undefined behavior. valgrind warns this.
This patch fixes this issue by fallback to HTTP/1.1 if there is no
overlap.
|
|
There is an implicit conversion from "unsigned long" to "long"
|
|
|
|
|
|
Security Framework on OS X makes it possible to supply extra anchor (CA)
certificates via the Certificate, Key, and Trust Services API. This
commit makes the '--cacert' option work using this API.
More information:
https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html
The HTTPS tests now pass on OS X except 314, which requires the '--crl'
option to work.
|
|
warning: suggest braces around empty body in an 'else' statement
|
