aboutsummaryrefslogtreecommitdiff
path: root/lib
AgeCommit message (Collapse)Author
2015-04-30schannel: Fix out of bounds arrayJay Satiro
Bug born in changes made several days ago 9a91e80. Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html Reported-by: Brian Chrisman
2015-04-29lib/makefile.m32: add arch -m32/-m64 to LDFLAGSViktor Szakats
This fixes using a multi-target mingw distro to build curl .dll for the non-default target. (mirroring the same patch present in src/makefile.m32)
2015-04-28CURLOPT_HEADEROPT: default to separateDaniel Stenberg
Make the HTTP headers separated by default for improved security and reduced risk for information leakage. Bug: http://curl.haxx.se/docs/adv_20150429.html Reported-by: Yehezkel Horowitz, Oren Souroujon
2015-04-28hash: simplify Curl_str_key_compare()Daniel Stenberg
2015-04-28Negotiate: custom service names for SPNEGO.Linus Nielsen
* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME. * Add new curl options, --proxy-service-name and --service-name.
2015-04-27http2: unify http_conn variable names to 'c'Daniel Stenberg
2015-04-27ConnectionExists: call it multi-use instead of pipeliningDaniel Stenberg
So that it fits HTTP/2 as well
2015-04-27nss: fix compilation failure with old versions of NSSPaul Howarth
Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
2015-04-26schannel.c: Fix typo introduced with 3447c973d0Marc Hoersken
2015-04-26schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL errorMarc Hoersken
Reported-by: Brian Chrisman
2015-04-26schannel: re-indented file to follow curl style betterDaniel Stenberg
white space changes only
2015-04-26Curl_ossl_init: load builtin modulesDaniel Stenberg
To have engine modules work, we must tell openssl to load builtin modules first. Bug: https://github.com/bagder/curl/pull/206
2015-04-26openssl: fix serial number outputDaniel Stenberg
The code extracting the cert serial number was broken and didn't display it properly. Bug: https://github.com/bagder/curl/issues/235 Reported-by: dkjjr89
2015-04-26sasl_sspi: Populate domain from the realm in the challengeGrant Pannell
Without this, SSPI based digest auth was broken. Bug: https://github.com/bagder/curl/pull/141.patch
2015-04-24netrc: support 'default' tokenViktor Szakats
The 'default' token has no argument and means to match _any_ domain. It must be placed last if there are 'machine <name>' tokens in the same file. See full description here: https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-File.html
2015-04-22cyassl: Implement public key pinningJay Satiro
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
2015-04-22connectionexists: follow-up to fd9d3a1ef1fDaniel Stenberg
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not enabled. Mistake-caught-by: Kamil Dudka
2015-04-22connectionexists: fix build without NTLMDaniel Stenberg
Do not access NTLM-specific struct fields when built without NTLM enabled! bug: http://curl.haxx.se/?i=231 Reported-by: Patrick Rapin
2015-04-22nss: implement public key pinning for NSS backendKamil Dudka
Bug: https://bugzilla.redhat.com/1195771
2015-04-22dist: include {src,lib}/checksrc.whitelistDaniel Stenberg
2015-04-21http_done: close Negotiate connections when doneDaniel Stenberg
When doing HTTP requests Negotiate authenticated, the entire connnection may become authenticated and not just the specific HTTP request which is otherwise how HTTP works, as Negotiate can basically use NTLM under the hood. curl was not adhering to this fact but would assume that such requests would also be authenticated per request. CVE-2015-3148 Bug: http://curl.haxx.se/docs/adv_20150422B.html Reported-by: Isaac Boukris
2015-04-21fix_hostname: zero length host name caused -1 index offsetDaniel Stenberg
If a URL is given with a zero-length host name, like in "http://:80" or just ":80", `fix_hostname()` will index the host name pointer with a -1 offset (as it blindly assumes a non-zero length) and both read and assign that address. CVE-2015-3144 Bug: http://curl.haxx.se/docs/adv_20150422D.html Reported-by: Hanno Böck
2015-04-21cookie: cookie parser out of boundary memory accessDaniel Stenberg
The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to. CVE-2015-3145 Bug: http://curl.haxx.se/docs/adv_20150422C.html Reported-by: Hanno Böck
2015-04-21ConnectionExists: for NTLM re-use, require credentials to matchDaniel Stenberg
CVE-2015-3143 Bug: http://curl.haxx.se/docs/adv_20150422A.html Reported-by: Paras Sethia
2015-04-21openssl: add OPENSSL_NO_SSL3_METHOD checkbyronhe
2015-04-19vtls/openssl: use https in URLs and a comment typo fixedViktor Szakáts
2015-04-17Revert "HTTP: don't abort connections with pending Negotiate authentication"Daniel Stenberg
This reverts commit 5dc68dd6092a789bb5e0a67a1c1356ba87fdcbc6. Bug: https://github.com/bagder/curl/issues/223 Reported-by: Michael Osipov
2015-04-17cyassl: Fix include orderJay Satiro
Prior to this change CyaSSL's build options could redefine some generic build symbols. http://curl.haxx.se/mail/lib-2015-04/0069.html
2015-04-14cyassl: Add support for TLS extension SNIJay Satiro
2015-04-13vtls_openssl: improve PKCS#12 load failure error messageMatthew Hall
2015-04-13vtls_openssl: fix minor typo in PKCS#12 load routineMatthew Hall
2015-04-13vtls_openssl: improve client certificate load failure error messagesMatthew Hall
2015-04-13vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constantMatthew Hall
2015-04-13firefox-db2pem: fix wildcard to find Firefox default profileDaniel Stenberg
At some point, Firefox has changed and generates different directory names for the default profile that made this script fail to find them. Bug: https://github.com/bagder/curl/issues/207 Reported-by: sneakyimp
2015-04-11cyassl: Include the CyaSSL build configJay Satiro
CyaSSL >= 2.6.0 may have an options.h that was generated during its build by configure.
2015-04-09lib/makefile.m32: add missing libs to build libcurl.dllViktor Szakats
Add 'gdi32' and 'crypt32' Windows implibs to avoid failure while building libcurl.dll using the mingw compiler. The same logic is used in 'src/makefile.m32' when building curl.exe.
2015-04-07lib/transfer.c: Remove factor of 8 from sleep time calculationDa-Yoon Chung
The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and rate_bps are both in bytes. When using the rate limiting option, curl waits 8 times too long, and then transfers very quickly until the average rate reaches the limit. The average rate follows the limit over time, but the actual traffic is bursty. Thanks-to: Benjamin Gilbert
2015-04-06x509asn1: Silence x64 loss-of-data warning on RSA key length assignmentJay Satiro
The key length in bits will always fit in an unsigned long so the loss-of-data warning assigning the result of x64 pointer arithmetic to an unsigned long is unnecessary.
2015-04-06cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer sizeJay Satiro
Also fix it so that all ERR_error_string calls use an error buffer. CyaSSL's implementation of ERR_error_string only writes the error when an error buffer is passed. http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
2015-04-05cyassl: Remove 'Connecting to' message from cyassl_connect_step2Jay Satiro
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to' messages since cyassl_connect_step2 is called multiple times, typically. The message is superfluous even once since libcurl already informs the user elsewhere in code that it is connecting.
2015-04-03hostip: fix compiler warningsDaniel Stenberg
introduced in the previous mini-series of 3 commits
2015-04-03actually implement CURLOPT_RESOLVE removalsStefan Bühler
- also log when a CURLOPT_RESOLVE entry couldn't get parsed
2015-04-03move Curl_share_lock and ref counting into Curl_fetch_addrStefan Bühler
2015-04-03fix refreshing of obsolete dns cache entriesStefan Bühler
- cache entries must be also refreshed when they are in use - have the cache count as inuse reference too, freeing timestamp == 0 special value - use timestamp == 0 for CURLOPT_RESOLVE entries which don't get refreshed - remove CURLOPT_RESOLVE special inuse reference (timestamp == 0 will prevent refresh) - fix Curl_hostcache_clean - CURLOPT_RESOLVE entries don't have a special reference anymore, and it would also release non CURLOPT_RESOLVE references - fix locking in Curl_hostcache_clean - fix unit1305.c: hash now keeps a reference, need to set inuse = 1
2015-04-03cyassl: Set minimum protocol version before CTX callbackJay Satiro
This change is to allow the user's CTX callback to change the minimum protocol version in the CTX without us later overriding it, as we did prior to this change.
2015-04-02cyassl: Fix certificate load checkJay Satiro
SSL_CTX_load_verify_locations can return negative values on fail, therefore to check for failure we check if load is != 1 (success) instead of if load is == 0 (failure), the latter being incorrect given that behavior.
2015-04-02http2: Fix missing nghttp2_session_send call in Curl_http2_switchedTatsuhiro Tsujikawa
Previously in Curl_http2_switched, we called nghttp2_session_mem_recv to parse incoming data which were already received while curl was handling upgrade. But we didn't call nghttp2_session_send, and it led to make curl not send any response to the received frames. Most likely, we received SETTINGS from server at this point, so we missed opportunity to send SETTINGS + ACK. This commit adds missing nghttp2_session_send call in Curl_http2_switched to fix this issue. Bug: https://github.com/bagder/curl/issues/192 Reported-by: Stefan Eissing
2015-04-01cookie: handle spaces after the name in Set-CookieDaniel Stenberg
"name =value" is fine and the space should just be skipped. Updated test 31 to also test for this. Bug: https://github.com/bagder/curl/issues/195 Reported-by: cromestant Help-by: Frank Gevaerts
2015-04-01cyassl: Fix library initialization return valueJay Satiro
(Curl_cyassl_init) - Return 1 on success, 0 in failure. Prior to this change the fail path returned an incorrect value and the evaluation to determine whether CyaSSL_Init had succeeded was incorrect. Ironically that combined with the way curl_global_init tests SSL library initialization (!Curl_ssl_init()) meant that CyaSSL having been successfully initialized would be seen as that even though the code path and return value in Curl_cyassl_init were wrong.
2015-03-31axtls: add timeout within Curl_axtls_connectDan Fandrich
This allows test 405 to pass on axTLS.