Age | Commit message (Collapse) | Author |
|
Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.
Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.
Fixes #2724
Closes #2791
|
|
* enable it in `src/Makefile.m32`
* enable it in `winbuild/MakefileBuild.vc` if a custom manifest is
_not_ enabled via the existing `EMBED_MANIFEST` option
* enable it for all Windows CMake builds (also disable the built-in
minimal manifest, added by CMake by default.)
For other build systems, add the `-DCURL_EMBED_MANIFEST` option to
the list of RC (Resource Compiler) flags to enable the manifest
included in `src/curl.rc`. This may require to disable whatever
automatic or other means in which way another manifest is added to
`curl.exe`.
Notice that Borland C doesn't support this method due to a
long-pending resource compiler bug. Watcom C may also not handle
it correctly when the `-zm` `wrc` option is used (this option may
be unnecessary though) and regardless of options in certain earlier
revisions of the 2.0 beta version.
Closes https://github.com/curl/curl/pull/1221
Fixes https://github.com/curl/curl/issues/2591
|
|
Change requirement from $(DISTDIR) to $(DIRDIST)
closes #2603
|
|
- Move verify_certificate functionality in schannel.c into a new
file called schannel_verify.c. Additionally, some structure defintions
from schannel.c have been moved to schannel.h to allow them to be
used in schannel_verify.c.
- Make verify_certificate functionality for Schannel available on
all versions of Windows instead of just Windows CE. verify_certificate
will be invoked on Windows CE or when the user specifies
CURLOPT_CAINFO and CURLOPT_SSL_VERIFYPEER.
- In verify_certificate, create a custom certificate chain engine that
exclusively trusts the certificate store backed by the CURLOPT_CAINFO
file.
- doc updates of --cacert/CAINFO support for schannel
- Use CERT_NAME_SEARCH_ALL_NAMES_FLAG when invoking CertGetNameString
when available. This implements a TODO in schannel.c to improve
handling of multiple SANs in a certificate. In particular, all SANs
will now be searched instead of just the first name.
- Update tool_operate.c to not search for the curl-ca-bundle.crt file
when using Schannel to maintain backward compatibility. Previously,
any curl-ca-bundle.crt file found in that search would have been
ignored by Schannel. But, with CAINFO support, the file found by
that search would have been used as the certificate store and
could cause issues for any users that have curl-ca-bundle.crt in
the search path.
- Update url.c to not set the build time CURL_CA_BUNDLE if the selected
SSL backend is Schannel. We allow setting CA location for schannel
only when explicitly specified by the user via CURLOPT_CAINFO /
--cacert.
- Add new test cases 3000 and 3001. These test cases check that the first
and last SAN, respectively, matches the connection hostname. New test
certificates have been added for these cases. For 3000, the certificate
prefix is Server-localhost-firstSAN and for 3001, the certificate
prefix is Server-localhost-secondSAN.
- Remove TODO 15.2 (Add support for custom server certificate
validation), this commit addresses it.
Closes https://github.com/curl/curl/pull/1325
|
|
- Support custom devel paths for c-ares, mbedTLS, nghttp2, libSSH2,
OpenSSL and zlib. Respectively: CARES_PATH, MBEDTLS_PATH,
NGHTTP2_PATH, SSH2_PATH, SSL_PATH and ZLIB_PATH.
- Use lib.exe for making the static library instead of link.exe /lib.
The latter is undocumented and could cause problems as noted in the
comments.
- Remove a dangling URL that no longer worked. (I was not able to find
the IDN download at MSDN/microsoft.com, so it seems to be removed.)
- Remove custom override for release-ssh2-ssl-dll-zlib configuration.
Nobody knows why it was there and as far as we can see is unnecessary.
Closes https://github.com/curl/curl/pull/2474
|
|
Due to the check in Makefile.vc and MakefileBuild.vc, no make call can
be invoked unless a build-type was specified. However, a clean target
only existed when a build type was specified. As a result, the clean
target was unreachable. Made clean target unconditional.
Closes #2455
|
|
Check for existence of import and static libraries with documented names
and use them if they do. Fallback to previous names.
According to
https://github.com/madler/zlib/blob/master/win32/README-WIN32.txt on
Windows, the names of the import library is "zdll.lib" and static
library is "zlib.lib".
closes #2354
|
|
- Add macros to the top of the makefile for rc and mt utilities so that
it is easier to change their locations.
Bug: https://curl.haxx.se/mail/lib-2018-02/0075.html
Reported-by: Stefan Kanthak
Closes https://github.com/curl/curl/issues/2329
|
|
- Fix winbuild and the VS project generator to treat curl_ctype.{c,h} as
curlx files since they are required by both src and lib.
Follow-up to 4272a0b which added curl_ctype.
|
|
Link.exe requires /DEBUG to properly generate a full pdb file on release
builds.
Closes #2274
|
|
|
|
Embedded manifest option didn't work due to incorrect path.
Fixes https://github.com/curl/curl/issues/1832
|
|
Disabled in cda19a345f6970e22fe8b7a808aeb8f086a21eac. It only needs to
be disabled for libcurl.
|
|
This is consistent with 7bc64561a2e63ca93e4b0b31d350773ba80955c2, which
changed the warning level from 3 to 4 for the Visual Studio project
files. But disable the level 4 warning C4127 "conditional expression is
constant", as that one is issued by older versions of the Windows SDK
as well as curl itself under some circumstances.
Closes https://github.com/curl/curl/pull/1667
|
|
Make sure to always define WIN32_LEAN_AND_MEAN before including any
Windows headers to avoid pulling in unnecessary headers. This avoids
unnecessary macro clashes and compiler warnings.
Ref: https://github.com/curl/curl/issues/1562
Closes https://github.com/curl/curl/pull/1672
|
|
Compile with `WIN32_LEAN_AND_MEAN` which prevents `windows.h` from
including too much clutter including `wincrypt.h` which in turn contains
some preprocessor macros that clash with boringssl symbols.
Detect boringssl by checking the existance of `is_boringssl.h` and set
the corresponding `HAVE_BORINGSSL` for compilation which is used in
`ldap.c` to undefine the evil macros.
Closes #1610
|
|
Closes #1321
|
|
- Auto-detect OpenSSL 1.1 libs
Closes https://github.com/curl/curl/pull/1322
|
|
Closes #1141
|
|
Reported-by: Bruce Stephens
Fixes #1098
|
|
Follow-up to 811a693b
|
|
This makes it possible to use specific compilers or a cache.
Sample use for clcache:
set CC=clcache.bat
nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
|
|
In the old line number 290, CC and CURL_CC had the same value. After
that, /DCURL_STATICLIB was added to CC but not CURL_CC (intended?).
This gets rid of the CC variable entirely. It is a first step to make it
possible to manualyl set a CC variable in order to be able to change the
compiler.
|
|
$(CURL_CC) is always used with $(CURL_CFLAGS) appended, so before this,
all arguments in CURL_CFLAGS have been added twice.
|
|
Embedded manifest option didn't work due to typo.
Reported-by: Stefan Kanthak
|
|
Closes #822
|
|
Add WITH_MBEDTLS option. Make WITH_SSL, WITH_MBEDTLS and ENABLE_WINSSL
options mutual exclusive.
Closes #606
|
|
Updated the makefiles and Visual Studio project files to support moving
the authentication code to the new lib/vauth directory that was started
in commit 0d04e859e1.
|
|
|
|
|
|
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.
|
|
Added support for a WITH_CARES option to be used when invoking nmake
via Makefile.vc. This option enables linking against both the DLL and
static versions of the c-ares libraries, as well as the debug and
release varients, depending on the value of DEBUG. The USE_ARES
preprocessor symbol is also defined.
|
|
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things. And to complicate matters, there are various
different OIDs which can be used to specify the Kerberos mechanism too.
A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
and will exchange GSSAPI tokens which are appropriate for that mechanism.
But this SPNEGO implementation just strips the incoming SPNEGO packet
and extracts the token, if any. And completely discards the information
about *which* mechanism is being used. Then we *assume* it was Kerberos,
and feed the token into gss_init_sec_context() with the default
mechanism (GSS_S_NO_OID for the mech_type argument).
Furthermore... broken as this code is, it was never even *used* for input
tokens anyway, because higher layers of curl would just bail out if the
server actually said anything *back* to us in the negotiation. We assume
that we send a single token to the server, and it accepts it. If the server
wants to continue the exchange (as is required for NTLM and for SPNEGO
to do anything useful), then curl was broken anyway.
So the only bit which actually did anything was the bit in
Curl_output_negotiate(), which always generates an *initial* SPNEGO
token saying "Hey, I support only the Kerberos mechanism and this is its
token".
You could have done that by manually just prefixing the Kerberos token
with the appropriate bytes, if you weren't going to do any proper SPNEGO
handling. There's no need for the FBOpenSSL library at all.
The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
is for. And then it should all Just Work™.
That 'sane way' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
|
|
|
|
|
|
|
|
|
|
|
|
Bug: http://curl.haxx.se/bug/view.cgi?id=1186
|
|
This reverts renaming and usage of lib/*.h header files done
28-12-2012, reverting 2 commits:
f871de0... build: make use of 76 lib/*.h renamed files
ffd8e12... build: rename 76 lib/*.h files
This also reverts removal of redundant include guard (redundant thanks
to changes in above commits) done 2-12-2013, reverting 1 commit:
c087374... curl_setup.h: remove redundant include guard
This also reverts renaming and usage of lib/*.c source files done
3-12-2013, reverting 3 commits:
13606bb... build: make use of 93 lib/*.c renamed files
5b6e792... build: rename 93 lib/*.c files
7d83dff... build: commit 13606bbfde follow-up 1
Start of related discussion thread:
http://curl.haxx.se/mail/lib-2013-01/0012.html
Asking for confirmation on pushing this revertion commit:
http://curl.haxx.se/mail/lib-2013-01/0048.html
Confirmation summary:
http://curl.haxx.se/mail/lib-2013-01/0079.html
NOTICE: The list of 2 files that have been modified by other
intermixed commits, while renamed, and also by at least one
of the 6 commits this one reverts follows below. These 2 files
will exhibit a hole in history unless git's '--follow' option
is used when viewing logs.
lib/curl_imap.h
lib/curl_smtp.h
|
|
93 *.c source files renamed to use our standard naming scheme.
This change affects 77 files in libcurl's source tree.
|
|
|
|
And fix some newlines to be proper CRLF
Bug: http://curl.haxx.se/bug/view.cgi?id=3586741
|
|
|
|
|
|
|
|
|
|
Since libssh2 supports now agent stuff it also depends on user32.lib.
Posted to the list by Jan Ehrhardt.
|
|
|
|
Since Simple and Protected GSSAPI Negotiation Mechanism
is already implemented in curl and supported by the MinGW
builds, this change adds build support to winbuild makefiles.
|