| Age | Commit message (Collapse) | Author |
|---|
|
... when the handshake succeeds
This fixes a connection failure when FTPS handle is reused.
|
|
Updated the info text when the base-64 decode of the type-2 message
returns a null buffer to be more specific.
|
|
|
|
|
|
|
|
|
|
Certificates based on SHA-1 are being phased out[1].
So we should expect a rise in certificates based on SHA-2.
Adding SHA-384 as a valid signature algorithm.
[1] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/
Signed-off-by: Bruno Thomsen <bth@kamstrup.dk>
|
|
|
|
cppcheck pointed these out.
|
|
cppcheck pointed this out.
|
|
|
|
|
|
|
|
|
|
|
|
It turned out some features were not enabled in the build since for
example url.c #ifdefs on features that are defined on a per-backend
basis but vtls.h didn't include the backend headers.
CURLOPT_CERTINFO was one such feature that was accidentally disabled.
|
|
There is no need for such function. Include_directories propagate by
themselves and having a function with one simple link statement makes
little sense.
|
|
This fixes a copy-paste mistake from commit 2968f957.
|
|
Coverity CID 252518. This function is in general far too complicated for
its own good and really should be broken down into several smaller
funcitons instead - but I'm adding this protection here now since it
seems there's a risk the code flow can end up here and dereference a
NULL pointer.
|
|
Coverity CID 1241951. The condition 'len >= 0' would always be true at
that point and thus not necessary to check for.
|
|
Coverity CID 1241957. Removed the unused argument. As this struct and
pointer now are used only for krb5, there's no need to keep unused
function arguments around.
|
|
|
|
Option --pinnedpubkey takes a path to a public key in DER format and
only connect if it matches (currently only implemented with OpenSSL).
Provides CURLOPT_PINNEDPUBLICKEY for curl_easy_setopt().
Extract a public RSA key from a website like so:
openssl s_client -connect google.com:443 2>&1 < /dev/null | \
sed -n '/-----BEGIN/,/-----END/p' | openssl x509 -noout -pubkey \
| openssl rsa -pubin -outform DER > google.com.der
|
|
Coverity CID 1202837. 'newurl' can in fact be allocated even when
Curl_retry_request() returns failure so free it if need be.
|
|
Coverity CID 1243581. 'conn' will never be NULL here, and if it would be
the subsequent statement would dereference it!
|
|
just a minor code style thing to make the code clearer
|
|
First try to fix possible memory leaks, in this case:
Only connssl->ctxt xor onnssl->cred being initialized.
|
|
Coverity CID 1241950. The pointer is never NULL but it might point to
NULL.
|
|
Coverity CID 1241947. Since if sscanf() fails, the previously set value
remains set.
|
|
Coverity pointed out several of these.
|
|
Coverity CID 982331.
|
|
|
|
Coverify CID 1157776. Removed a superfluous if() that always evaluated
true (and an else clause that never ran), and then re-indented the
function accordingly.
|
|
Coverity CID 1215284. The server name is extracted with
Curl_copy_header_value() and passed in to this function, and
copy_header_value can actually can fail and return NULL.
|
|
|
|
For private keys, use the first match from: user-specified key file
(if provided), ~/.ssh/id_rsa, ~/.ssh/id_dsa, ./id_rsa, ./id_dsa
Note that the previous code only looked for id_dsa files. id_rsa is
now generally preferred, as it supports larger key sizes.
For public keys, use the user-specified key file, if provided.
Otherwise, try to extract the public key from the private key file.
This means that passing --pubkey is typically no longer required,
and makes the key-handling behavior more like OpenSSH.
|
|
Coverity CID 1202836. If the proxy environment variable returned an empty
string, it would be leaked. While an empty string is not really a proxy, other
logic in this function already allows a blank string to be returned so allow
that here to avoid the leak.
|
|
Coverity CID 1202837. There's a potential risk that 'newurl' gets
overwritten when it was already pointing to allocated memory.
|
|
Coverity CID 1215287. There's a potential risk for a memory leak in
here, and moving the free call to be unconditional seems like a cheap
price to remove the risk.
|
|
Coverity CID 1215296. There's a potential risk for a memory leak in
here, and moving the free call to be unconditional seems like a cheap
price to remove the risk.
|
|
Coverity detected this. CID 1241954. When Curl_poll() returns a negative value
'mcode' was uninitialized. Pretty harmless since this is debug code only and
would at worst cause an error to _not_ be returned...
|
|
This patch fixes the "SSL3_WRITE_PENDING: bad write retry" error that
sometimes occurs when sending an email over SMTPS with OpenSSL. OpenSSL
appears to require the same pointer on a write that follows a retry
(CURLE_AGAIN) as discussed here:
http://stackoverflow.com/questions/2997218/why-am-i-getting-error1409f07fssl-routinesssl3-write-pending-bad-write-retr
|
|
Mostly because we use C strings and they end at a binary zero so we know
we can't open a file name using an embedded binary zero.
Reported-by: research@g0blin.co.uk
|
|
|
|
The switch to using Curl_expire_latest() in commit cacdc27f52b was a
mistake and was against the advice even mentioned in that commit. The
comparison in asyn-thread.c:Curl_resolver_is_resolved() makes
Curl_expire() the suitable function to use.
Bug: http://curl.haxx.se/bug/view.cgi?id=1426
Reported-By: graysky
|
|
|
|
|
|
|
|
... to further remove specific TLS backend knowledge from url.c
|
|
|
