1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-15 22:15:13 -05:00
Commit Graph

8778 Commits

Author SHA1 Message Date
Isaac Boukris
d5fc6e14b0 GSS: make Curl_gss_log_error more verbose
Also display the GSS_C_GSS_CODE (major code) when specified instead of
only GSS_C_MECH_CODE (minor code).

In addition, the old code was printing a colon twice after the prefix
and also miscalculated the length of the buffer in between calls to
gss_display_status (the length of ": " was missing).

Also, gss_buffer is not guaranteed to be NULL terminated and thus need
to restrict reading by its length.

Closes #738
2016-03-29 16:51:29 +02:00
Daniel Stenberg
1fc767210c http2: set correct scheme in handler structs [regression]
Since commit a5aec58 the handler schemes need to match for the
connections to be reused and for HTTP/2 multiplexing to work, reusing
connections is very important!

Closes #736
2016-03-29 16:08:38 +02:00
Daniel Stenberg
2505fbbdb5 hostip.c: minor white space edit for style 2016-03-29 15:19:21 +02:00
Jay Satiro
a43b22e05b wolfssl: Add ALPN support 2016-03-28 18:18:09 -04:00
Steve Holme
f0bdd72c10 http_ntlm: Renamed from curl_ntlm.[c|h]
Renamed the header and source files for this module as they are HTTP
specific and as such, they should use the naming convention as other
HTTP authentication source files do - this revert commit 260ee6b7bf.

Note: We could also rename curl_ntlm_wb.[c|h], however, the Winbind
code needs separating from the HTTP protocol and migrating into the
vauth directory, thus adding support for Winbind to the SASL based
protocols such as IMAP, POP3 and SMTP.
2016-03-27 17:58:50 +01:00
marquis-de-muesli
39bb73665c SSH: new CURLOPT_QUOTE command "statvfs"
usage: "statvfs path"
returns remote file system statistics
2016-03-27 17:52:16 +02:00
marquis-de-muesli
f9d27e0f8e SSH: support CURLINFO_FILETIME 2016-03-27 17:52:16 +02:00
Jay Satiro
3d144ab99b url: don't use bad offset in tld_check_name to show error
libidn's tld_check_lz returns an error offset of the first character
that it failed to process, however that offset is not a byte offset and
may not even be in the locale encoding therefore we can't use it to show
the user the character that failed to process.

Bug: https://github.com/curl/curl/issues/731
Reported-by: Karlson2k
2016-03-26 14:41:35 -04:00
Steve Holme
4adee1947c http_negotiate: Combine GSS-API and SSPI source files
As the GSS-API and SSPI based source files are no longer library/API
specific, following the extraction of that authentication code to the
vauth directory, combine these files rather than maintain two separate
versions.
2016-03-26 17:21:22 +00:00
Steve Holme
6d6f9ca1d9 vauth: Moved the Negotiate authentication code to the new vauth directory
Part 2 of 2 - Moved the GSS-API based Negotiate authentication code.
2016-03-26 17:21:22 +00:00
Steve Holme
ad5e9bfd5d vauth: Moved the Negotiate authentication code to the new vauth directory
Part 1 of 2 - Moved the SSPI based Negotiate authentication code.
2016-03-26 17:21:22 +00:00
Steve Holme
65f972b2e8 warnless.h: Removed spurious character from commit 696bc6b9c9
Not picked up by checksrc or Visual Studio but my own code review, this
would haven broken Intel based Unix builds - Perhaps I should learn to
type on my laptop's keyboard before committing!
2016-03-26 11:35:07 +00:00
Steve Holme
107cb78487 schannel: Fixed compilation warning from commit f8d88a4913
warning C4244: '=': conversion from 'int' to 'unsigned short', possible
                    loss of data
2016-03-26 11:14:07 +00:00
Steve Holme
696bc6b9c9 warnless?: Added some integer based conversion functions 2016-03-26 11:09:01 +00:00
Steve Holme
e04f5c576d build: Corrected typos from commit 70e56939aa 2016-03-25 18:23:07 +00:00
Steve Holme
58a7bc96ec vauth: Refactored function names after move to new vauth directory
Renamed all the SASL functions that moved to the new vauth directory to
include the correct module name.
2016-03-25 17:40:12 +00:00
Steve Holme
7d2a5a05f6 vauth: Updated the copyright year after recent changes
As most of this work was performed in 2015 but not pushed until 2016
updated the copyright year to reflect the public facing changes.
2016-03-25 17:40:12 +00:00
Steve Holme
70e56939aa vauth: Moved the OAuth 2.0 authentication code to the new vauth directory 2016-03-25 15:11:10 +00:00
Steve Holme
6012fa5aee vauth: Moved the NTLM authentication code to the new vauth directory 2016-03-25 15:11:09 +00:00
Steve Holme
e1dca8a117 vauth: Moved the Kerberos V5 authentication code to the new vauth directory 2016-03-25 15:11:07 +00:00
Steve Holme
568d26e0f5 digest.c: Fixed checksrc warnings 2016-03-25 12:17:34 +00:00
Steve Holme
51358a3f40 vauth: Moved the DIGEST authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
ec5b8dc647 vauth: Moved the CRAM-MD5 authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
6101e35819 vauth: Moved the ClearText authentication code to the new vauth directory 2016-03-25 12:05:23 +00:00
Steve Holme
685fee3828 vauth: Moved Curl_sasl_build_spn() to create the initial vauth source files 2016-03-25 09:12:01 +00:00
Steve Holme
dc72f8df0c build: Updated all makefiles and project files for the new vauth directory
Updated the makefiles and Visual Studio project files to support moving
the authentication code to the new lib/vauth directory that was started
in commit 0d04e859e1.
2016-03-25 09:11:59 +00:00
JDepooter
f8d88a4913 schannel: Add ALPN support
Add ALPN support for schannel. This allows cURL to negotiate
HTTP/2.0 connections when built with schannel.

Closes #724
2016-03-24 09:56:12 +01:00
Steve Holme
96fff9f6b5 http: Minor update based on CODE_STYLE guidelines 2016-03-24 06:35:23 +00:00
Daniel Stenberg
726ae07b07 multi: fix "Operation timed out after" timer
Use the local, reasonably updated, 'now' value when creating the message
string to output for the timeout condition.

Fixes #619
2016-03-23 23:03:08 +01:00
Daniel Stenberg
23ab481644 openssl: boringssl provides the same numbering as openssl
... so we don't need extra boringssl precautions for for
HAVE_ERR_REMOVE_THREAD_STATE_NOARG.

Pointed-out-by: David Benjamin
2016-03-23 14:59:41 +01:00
Daniel Stenberg
240cd84b49 openssl: fix ERR_remove_thread_state() for boringssl/libressl
The removed arg is only done in OpenSSL

Bug: https://twitter.com/xtraemeat/status/712564874098917376
2016-03-23 10:05:29 +01:00
Steve Holme
f974ffdd4b hostip6: Fixed compilation warnings when verbose strings disabled
warning C4189: 'data': local variable is initialized but not referenced

...and some minor formatting/spacing changes.
2016-03-22 06:16:06 +00:00
Steve Holme
9351383745 connect/ntlm/http: Fixed compilation warnings when verbose strings disabled
warning C4189: 'data': local variable is initialized but not referenced
2016-03-20 17:51:06 +00:00
Steve Holme
89f397d7eb openssl: Fixed compilation warning when /Wall enabled
warning C4706: assignment within conditional expression
2016-03-20 17:35:31 +00:00
Steve Holme
f046ac48d6 inet_pton.c: Fixed compilation warnings
warning: conversion to 'unsigned char' from 'int' may alter its value
2016-03-20 11:14:58 +00:00
Daniel Stenberg
80851028ef mbedtls: fix compiler warning
vtls/mbedtls.h:67:36: warning: implicit declaration of function
‘mbedtls_sha256’ [-Wimplicit-function-declaration]
2016-03-19 22:37:21 +01:00
Steve Holme
4ff5cfd5fa easy: Minor coding standard and style updates
Following commit c5744340db. Additionally removes the need for a second
'result code' variable as well.
2016-03-19 20:37:12 +00:00
Jay Satiro
c5744340db easy: Remove poll failure check in easy_transfer
.. because curl_multi_wait can no longer signal poll failure.

follow-up to 77e1726

Bug: https://github.com/curl/curl/issues/707
2016-03-19 15:29:52 -04:00
Steve Holme
c142e73142 ftp/imap/pop3/smtp: Fixed compilation warning when /Wall enabled
warning C4706: assignment within conditional expression
2016-03-19 17:15:53 +00:00
Steve Holme
4ff2fbd1d5 config-w32.h: Fixed compilation warning when /Wall enabled
warning C4668: 'USE_IPV6' is not defined as a preprocessor macro,
               replacing with '0' for '#if/#elif'
2016-03-19 11:05:06 +00:00
Steve Holme
97c9d2ae8c imap.c: Fixed compilation warning with /Wall enabled
warning C4701: potentially uninitialized local variable 'size' used

Technically this can't happen, as the usage of 'size' is protected by
'if(parsed)' and 'parsed' is only set after 'size' has been parsed.

Anyway, lets keep the compiler happy.
2016-03-19 11:01:36 +00:00
Steve Holme
7e312bdfdd formdata.c: Fixed compilation warning
formdata.c:390: warning: cast from pointer to integer of different size

Introduced in commit ca5f9341ef this happens because a char*, which is
32-bits wide in 32-bit land, is being cast to a curl_off_t which is
64-bits wide where 64-bit integers are supported by the compiler.

This doesn't happen in 64-bit land as a pointer is the same size as a
curl_off_t.

This fix doesn't address the fact that a 64-bit value cannot be used
for CURLFORM_CONTENTLEN when set in a form array and compiled on a
32-bit platforms, it does at least suppress the compilation warning.
2016-03-18 07:19:31 +00:00
Gisle Vanem
d816e8cf52 openssl: adapt to API breakage in ERR_remove_thread_state()
The OpenSSL API change that broke this is "Convert ERR_STATE to new
multi-threading API": openssl commit 8509dcc.

Closes #713
2016-03-17 10:42:33 +01:00
Daniel Stenberg
8d9d03a157 version: init moved to private name space, added protos
follow-up to 80015cdd52
2016-03-17 00:55:46 +01:00
Daniel Stenberg
5f5b626357 openssl: verbose: show matching SAN pattern
... to allow users to see which specfic wildcard that matched when such
is used.

Also minor logic cleanup to simplify the code, and I removed all tabs
from verbose strings.
2016-03-17 00:49:02 +01:00
Jay Satiro
80015cdd52 version: thread safety 2016-03-16 19:13:42 -04:00
Steve Holme
0e18b8b107 transfer: Removed redundant HTTP authentication include files
It would also seem that share.h is not required here either as there
are no references to the Curl_share structure or functions.
2016-03-16 07:13:16 +00:00
Steve Holme
cd869cf1c1 easy: Removed redundant HTTP authentication include files 2016-03-16 06:59:42 +00:00
Steve Holme
3ccc2621a1 curl_sasl: Minor code indent fixes 2016-03-15 06:47:13 +00:00
Daniel Stenberg
b51f04bf23 easy: add check to malloc() when running event-based
... to allow torture tests then too.
2016-03-14 15:37:03 +01:00
Daniel Stenberg
6a353b105a memdebug: skip logging the limit countdown, fflush when reached 2016-03-14 15:36:40 +01:00
Daniel Stenberg
3c6238b3eb curl_sasl.c: minor code indent fixes 2016-03-14 09:55:38 +01:00
Daniel Stenberg
c3aca6ed47 multi: simplified singlesocket
Since sh_getentry() now checks for invalid sockets itself and by
narrowing the scope of the remove_sock_from_hash variable.
2016-03-14 09:44:14 +01:00
Daniel Stenberg
8eaf884417 multi: introduce sh_getentry() for looking up sockets in the sockhash
Simplify the code by using a single entry that looks for a socket in the
socket hash. As indicated in #712, the code looked for CURL_SOCKET_BAD
at some point and that is ineffective/wrong and this makes it easier to
avoid that.
2016-03-14 09:18:01 +01:00
Jaime Fullaondo
c0717a7059 multi hash: ensure modulo performed on curl_socket_t
Closes #712
2016-03-14 08:16:52 +01:00
Steve Holme
5dc43b975b base64: Minor coding standard and style updates 2016-03-13 17:59:06 +00:00
Steve Holme
0e16de870f base64: Use 'CURLcode result' for curl result codes 2016-03-13 17:14:57 +00:00
Steve Holme
9eb158821f negotiate: Use 'CURLcode result' for curl result codes 2016-03-13 17:09:58 +00:00
Maksim Kuzevanov
d7e3942814 multi_runsingle: avoid loop in CURLM_STATE_WAITPROXYCONNECT
Closes #703
2016-03-13 12:41:17 +01:00
Steve Holme
e4a0a9ef18 digest: Use boolean based success code for Curl_sasl_digest_get_pair()
Rather than use a 0 and 1 integer base result code use a TRUE / FALSE
based success code.
2016-03-12 17:25:15 +00:00
Steve Holme
a7a653fd58 digest: Corrected some typos in comments 2016-03-12 13:20:03 +00:00
Steve Holme
f0fbd099b4 krb5: Corrected some typos in function descriptions 2016-03-12 11:59:52 +00:00
Steve Holme
dbb90e7e9f ntlm: Corrected some typos in function descriptions 2016-03-12 11:56:10 +00:00
Steve Holme
06ccaa0c68 url: Corrected indentation when calling idna_to_ascii_lz() 2016-03-11 07:46:09 +00:00
Steve Holme
58e4a06743 idn_win32: Use boolean based success codes
Rather than use 0 and 1 integer base result codes use a FALSE / TRUE
based success code.
2016-03-11 07:24:39 +00:00
Daniel Stenberg
b084173989 idn_win32.c: warning: Trailing whitespace 2016-03-10 23:32:45 +01:00
Steve Holme
28477fd67a idn_win32.c: Fixed compilation warning from commit 9e7fcd4291
warning C4267: 'function': conversion from 'size_t' to 'int',
               possible loss of data
2016-03-10 21:52:09 +00:00
Daniel Stenberg
863c5766dd ftp: remove a check for NULL(!)
... as it implies we need to check for that on all the other variable
references as well (as Coverity otherwise warns us for missing NULL
checks), and we're alredy making sure that the pointer is never NULL.
2016-03-10 13:52:22 +01:00
Daniel Stenberg
7f7fcd0d75 cookies: first n/v pair in Set-Cookie: is the cookie, then parameters
RFC 6265 section 4.1.1 spells out that the first name/value pair in the
header is the actual cookie name and content, while the following are
the parameters.

libcurl previously had a more liberal approach which causes significant
problems when introducing new cookie parameters, like the suggested new
cookie priority draft.

The previous logic read all n/v pairs from left-to-right and the first
name used that wassn't a known parameter name would be used as the
cookie name, thus accepting "Set-Cookie: Max-Age=2; person=daniel" to be
a cookie named 'person' while an RFC 6265 compliant parser should
consider that to be a cookie named 'Max-Age' with an (unknown) parameter
'person'.

Fixes #709
2016-03-10 11:26:12 +01:00
Daniel Stenberg
4d4ce84bb3 krb5: improved type handling to avoid clang compiler warnings 2016-03-10 10:40:10 +01:00
Daniel Stenberg
549b1a433a url.c: fix clang warning: no newline at end of file 2016-03-10 09:36:49 +01:00
Daniel Stenberg
77e1726719 curl_multi_wait: never return -1 in 'numfds'
Such a return value isn't documented but could still happen, and the
curl tool code checks for it. It would happen when the underlying
Curl_poll() function returns an error. Starting now we mask that error
as a user of curl_multi_wait() would have no way to handle it anyway.

Reported-by: Jay Satiro
Closes #707
2016-03-10 08:17:25 +01:00
Steve Holme
a5aec58726 imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
Regression since commit 710f14edba.

Bug: https://github.com/curl/curl/issues/422
Reported-by: Justin Ehlert
2016-03-08 19:36:46 +00:00
Tim Rühsen
c140bd7891 cookie: do not refuse cookies for localhost
Closes #658
2016-03-08 15:27:43 +01:00
Daniel Stenberg
cb222bcfef ftp_done: clear tunnel_state when secondary socket closes
Introducing a function for closing the secondary connection to make this
bug less likely to happen again.

Reported-by: daboul
Closes #701
2016-03-08 15:00:53 +01:00
Gisle Vanem
a7ec58a89f openssl: use the correct OpenSSL/BoringSSL/LibreSSL in messages 2016-03-08 14:19:01 +01:00
Anders Bakken
46bf7ff78d pipeline: Sanity check pipeline pointer before accessing it.
I got a crash with this stack:

curl/lib/url.c:2873 (Curl_removeHandleFromPipeline)
curl/lib/url.c:2919 (Curl_getoff_all_pipelines)
curl/lib/multi.c:561 (curl_multi_remove_handle)
curl/lib/url.c:415 (Curl_close)
curl/lib/easy.c:859 (curl_easy_cleanup)

Closes #704
2016-03-08 00:25:53 +01:00
Jay Satiro
1e58922f1e mprintf: update trio project link 2016-03-06 22:57:47 -05:00
Viktor Szakats
6c7a5b9603 makefile.m32: add missing libs for static -winssl-ssh2 builds
Bug: https://github.com/curl/curl/pull/693
2016-03-05 21:50:12 -05:00
Jay Satiro
81bdd85318 mbedtls: fix user-specified SSL protocol version
Prior to this change when a single protocol CURL_SSLVERSION_ was
specified by the user that version was set only as the minimum version
but not as the maximum version as well.
2016-03-05 21:39:36 -05:00
Viktor Szakats
05401b9a3b makefile.m32: fix to allow -ssh2-winssl combination
In makefile.m32, option -ssh2 (libssh2) automatically implied -ssl
(OpenSSL) option, with no way to override it with -winssl. Since both
libssh2 and curl support using Windows's built-in SSL backend, modify
the logic to allow that combination.
2016-03-05 13:40:34 -05:00
Jay Satiro
20de9b4f09 cookie: Don't expire session cookies in remove_expired
Prior to this change cookies with an expiry date that failed parsing
and were converted to session cookies could be purged in remove_expired.

Bug: https://github.com/curl/curl/issues/697
Reported-by: Seth Mos
2016-03-05 13:35:17 -05:00
Daniel Stenberg
33a0a926c5 cookie: remove redundant check
... as it was already checked previously within the function.

Reported-by: Dmitry-Me
Closes #695
2016-03-03 21:16:06 +01:00
Anders Bakken
3c2ef2a610 url: if Curl_done is premature then pipeline not in use
Prevent a crash if 2 (or more) requests are made to the same host and
pipelining is enabled and the connection does not complete.

Bug: https://github.com/curl/curl/pull/690
2016-03-01 18:55:04 -05:00
Viktor Szakats
d678bd6f60 makefile.m32: allow to pass .dll/.exe-specific LDFLAGS
using envvars `CURL_LDFLAG_EXTRAS_DLL` and
`CURL_LDFLAG_EXTRAS_EXE` respectively. This
is useful f.e. to pass ASLR-related extra
options, that are required to make this
feature work when using the mingw toolchain.

Ref: https://github.com/curl/curl/pull/670#issuecomment-190863985

Closes https://github.com/curl/curl/pull/689
2016-03-01 17:46:16 -05:00
Daniel Stenberg
c2a809cd26 formpost: fix memory leaks in AddFormData error branches
Reported-by: Dmitry-Me
Fixes #688
2016-02-29 20:32:08 +01:00
Jay Satiro
ae7d6b7154 getinfo: Fix syntax error when mbedTLS
The assignment of the mbedTLS TLS session info in the parent commit was
incorrect. Change the assignment to a pointer to the session structure.
2016-02-28 16:05:38 -05:00
Jay Satiro
2e0a3b935c getinfo: Add support for mbedTLS TLS session info
.. and preprocessor check TLS session info is defined for all backends.
2016-02-27 19:01:00 -05:00
Daniel Stenberg
1e486db9c2 file: try reading from files with no size
Some systems have special files that report as 0 bytes big, but still
contain data that can be read (for example /proc/cpuinfo on
Linux). Starting now, a zero byte size is considered "unknown" size and
will be read as far as possible anyway.

Reported-by: Jesse Tan

Closes #681
2016-02-25 23:45:17 +01:00
Daniel Stenberg
46bf7996f4 Curl_read: check for activated HTTP/1 pipelining, not only requested
... as when pipelining is used, we read things into a unified buffer and
we don't do that with HTTP/2. This could then easily make programs that
set CURLMOPT_PIPELINING = CURLPIPE_HTTP1|CURLPIPE_MULTIPLEX to get data
intermixed or plain broken between HTTP/2 streams.

Reported-by: Anders Bakken
2016-02-24 14:20:57 +01:00
Jay Satiro
332414a30e getinfo: CURLINFO_TLS_SSL_PTR supersedes CURLINFO_TLS_SESSION
The two options are almost the same, except in the case of OpenSSL:

CURLINFO_TLS_SESSION OpenSSL session internals is SSL_CTX *.

CURLINFO_TLS_SSL_PTR OpenSSL session internals is SSL *.

For backwards compatibility we couldn't modify CURLINFO_TLS_SESSION to
return an SSL pointer for OpenSSL.

Also, add support for the 'internals' member to point to SSL object for
the other backends axTLS, PolarSSL, Secure Channel, Secure Transport and
wolfSSL.

Bug: https://github.com/curl/curl/issues/234
Reported-by: dkjjr89@users.noreply.github.com

Bug: https://curl.haxx.se/mail/lib-2015-09/0127.html
Reported-by: Michael König
2016-02-23 19:03:03 -05:00
Daniel Stenberg
3438ce7f46 multi_remove_handle: keep the timeout list until after disconnect
The internal Curl_done() function uses Curl_expire() at times and that
uses the timeout list. Better clean up the list once we're done using
it. This caused a segfault.

Reported-by: 蔡文凱
Bug: https://curl.haxx.se/mail/lib-2016-02/0097.html
2016-02-23 13:08:11 +01:00
Jay Satiro
186546f1c5 TFTP: add option to suppress TFTP option requests (Part 2)
- Add tests.

- Add an example to CURLOPT_TFTP_NO_OPTIONS.3.

- Add --tftp-no-options to expose CURLOPT_TFTP_NO_OPTIONS.

Bug: https://github.com/curl/curl/issues/481
2016-02-23 03:01:07 -05:00
Michael Koenig
9dc3eaee29 TFTP: add option to suppress TFTP option requests (Part 1)
Some TFTP server implementations ignore the "TFTP Option extension"
(RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
problems with libcurl. Another switch for curl_easy_setopt
"CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
sending TFTP option requests to a server, avoiding many problems caused
by faulty implementations.

Bug: https://github.com/curl/curl/issues/481
2016-02-23 03:00:58 -05:00
Emil Lerner
3fa220a6a5 curl_sasl: Fix memory leak in digest parser
If any parameter in a HTTP DIGEST challenge message is present multiple
times, memory allocated for all but the last entry should be freed.

Bug: https://github.com/curl/curl/pull/667
2016-02-19 21:52:05 -05:00
Daniel Stenberg
eb083e0d39 http2: don't decompress gzip decoding automatically
At one point during the development of HTTP/2, the commit 133cdd29ea
introduced automatic decompression of Content-Encoding as that was what
the spec said then. Now however, HTTP/2 should work the same way as
HTTP/1 in this regard.

Reported-by: Kazuho Oku

Closes #661
2016-02-17 08:25:40 +01:00
Tatsuhiro Tsujikawa
b080a7cd06 http: Don't break the header into chunks if HTTP/2
nghttp2 callback deals with TLS layer and therefore the header does not
need to be broken into chunks.

Bug: https://github.com/curl/curl/issues/659
Reported-by: Kazuho Oku
2016-02-16 14:49:12 -05:00
Viktor Szakats
71398487e7 openssl: use macro to guard the opaque EVP_PKEY branch 2016-02-16 00:29:36 +01:00
Viktor Szakats
ae01698ea4 openssl: avoid direct PKEY access with OpenSSL 1.1.0
by using API instead of accessing an internal structure.
This is required starting OpenSSL 1.1.0-pre3.

Closes #650
2016-02-16 00:29:24 +01:00
David Byron
cae21ffc16 SCP: use libssh2_scp_recv2 to support > 2GB files on windows
libssh2_scp_recv2 is introduced in libssh2 1.7.0 - to be released "any
day now.

Closes #451
2016-02-14 11:03:07 +01:00
Shine Fan
078753c40d gtls: fix for builds lacking encrypted key file support
Bug: https://github.com/curl/curl/pull/651
2016-02-13 22:21:32 -05:00
Daniel Stenberg
d6b37d83f9 curlx_tvdiff: handle 32bit time_t overflows
On 32bit systems, make sure we don't overflow and return funky values
for very large time differences.

Reported-by: Anders Bakken

Closes #646
2016-02-12 08:13:03 +01:00
Kamil Dudka
64fa3b8d64 nss: search slash in forward direction in dup_nickname()
It is wasteful to search it backwards if we look for _any_ slash.
2016-02-10 18:58:49 +01:00
Kamil Dudka
6390e65664 nss: do not count enabled cipher-suites
We only care if at least one cipher-suite is enabled, so it does
not make any sense to iterate till the end and count all enabled
cipher-suites.
2016-02-10 18:58:48 +01:00
Daniel Stenberg
c276aefee3 mbedtls.c: re-indent to better match curl standards 2016-02-10 10:46:57 +01:00
Rafael Antonio
c62d7944cf mbedtls: fix memory leak when destroying SSL connection data
Closes #626
2016-02-09 23:42:57 +01:00
Daniel Stenberg
716302c2cd mbedtls: fix ALPN usage segfault
Since we didn't keep the input argument around after having called
mbedtls, it could end up accessing the wrong memory when figuring out
the ALPN protocols.

Closes #642
2016-02-09 23:37:14 +01:00
David Benjamin
39c803cba2 openssl: remove most BoringSSL #ifdefs.
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:

- BoringSSL provides no-op stubs for compatibility which replaces most
  #ifdefs.

- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
  the compatibility codepath.

- With a small tweak to an extend_key_56_to_64 call, the NTLM code
  builds fine.

- Switch OCSP-related #ifdefs to the more generally useful
  OPENSSL_NO_OCSP.

The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)

This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)

Closes #640
2016-02-09 08:46:36 +01:00
Daniel Stenberg
18c735e790 cookies: allow spaces in cookie names, cut of trailing spaces
It turns out Firefox and Chrome both allow spaces in cookie names and
there are sites out there using that.

Turned out the code meant to strip off trailing space from cookie names
didn't work. Fixed now.

Test case 8 modified to verify both these changes.

Closes #639
2016-02-08 15:49:54 +01:00
Ludwig Nussel
7b55279d1d configure: --with-ca-fallback: use built-in TLS CA fallback
When trying to verify a peer without having any root CA certificates
set, this makes libcurl use the TLS library's built in default as
fallback.

Closes #569
2016-02-08 14:45:58 +01:00
Daniel Stenberg
113f04e664 Proxy-Connection: stop sending this header by default
RFC 7230 says we should stop. Firefox already stopped.

Bug: https://github.com/curl/curl/issues/633
Reported-By: Brad Fitzpatrick

Closes #633
2016-02-08 11:09:40 +01:00
Jay Satiro
d6a8869ea3 openssl: Fix signed/unsigned mismatch warning in X509V3_ext
sk_X509_EXTENSION_num may return an unsigned integer, however the value
will fit in an int.

Bug: https://github.com/curl/curl/commit/dd1b44c#commitcomment-15913896
Reported-by: Gisle Vanem
2016-02-06 19:10:49 -05:00
Michael Kaufmann
9e7fcd4291 idn_win32: Better error checking
.. also fix a conversion bug in the unused function
curl_win32_ascii_to_idn().

And remove wprintfs on error (Jay).

Bug: https://github.com/curl/curl/pull/637
2016-02-06 17:51:51 -05:00
Viktor Szakats
d49881cb19 URLs: change more http to https 2016-02-04 18:46:54 -05:00
Jay Satiro
742deff4dd sasl_sspi: Fix memory leak in domain populate
Free an existing domain before replacing it.

Bug: https://github.com/curl/curl/issues/635
Reported-by: silveja1@users.noreply.github.com
2016-02-04 18:11:07 -05:00
Viktor Szakats
20dcd19501 URLs: follow GitHub project rename (also Travis CI)
Closes #632
2016-02-04 23:01:38 +01:00
Dan Fandrich
093f9cd38d URLs: Change more haxx.se URLs from http: to https: 2016-02-03 01:45:21 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Daniel Stenberg
41ae9f717a dotdot: allow an empty input string too
It isn't used by the code in current conditions but for safety it seems
sensible to at least not crash on such input.

Extended unit test 1395 to verify this too as well as a plain "/" input.
2016-02-02 22:43:54 +01:00
Gisle Vanem
bdb465274f urldata: Error on missing SSL backend-specific connect info 2016-01-29 00:11:43 -05:00
Sergei Nikulov
91460b2b8a urldata: moved common variable out of ifdef
Closes https://github.com/bagder/curl/pull/618
2016-01-28 03:01:51 -05:00
Isaac Boukris
d41dcba4e9 NTLM: Fix ConnectionExists to compare Proxy credentials
Proxy NTLM authentication should compare credentials when
re-using a connection similar to host authentication, as it
authenticate the connection.

Example:
curl -v -x http://proxy:port http://host/ -U good_user:good_pwd
  --proxy-ntlm --next -x http://proxy:port http://host/
    [-U fake_user:fake_pwd --proxy-ntlm]

CVE-2016-0755

Bug: http://curl.haxx.se/docs/adv_20160127A.html
2016-01-26 23:42:55 +01:00
Jay Satiro
d58ba66eec mbedtls: Fix pinned key return value on fail
- Switch from verifying a pinned public key in a callback during the
certificate verification to inline after the certificate verification.

The callback method had three problems:

1. If a pinned public key didn't match, CURLE_SSL_PINNEDPUBKEYNOTMATCH
was not returned.

2. If peer certificate verification was disabled the pinned key
verification did not take place as it should.

3. (related to #2) If there was no certificate of depth 0 the callback
would not have checked the pinned public key.

Though all those problems could have been fixed it would have made the
code more complex. Instead we now verify inline after the certificate
verification in mbedtls_connect_step2.

Ref: http://curl.haxx.se/mail/lib-2016-01/0047.html
Ref: https://github.com/bagder/curl/pull/601
2016-01-18 03:48:10 -05:00
Kamil Dudka
be538e0766 ssh: make CURLOPT_SSH_PUBLIC_KEYFILE treat "" as NULL
The CURLOPT_SSH_PUBLIC_KEYFILE option has been documented to handle
empty strings specially since curl-7_25_0-31-g05a443a but the behavior
was unintentionally removed in curl-7_38_0-47-gfa7d04f.

This commit restores the original behavior and clarifies it in the
documentation that NULL and "" have both the same meaning when passed
to CURLOPT_SSH_PUBLIC_KEYFILE.

Bug: http://curl.haxx.se/mail/lib-2016-01/0072.html
2016-01-15 10:34:34 +01:00
Daniel Stenberg
35083ca60e openssl: improved error detection/reporting
... by extracting the LIB + REASON from the OpenSSL error code. OpenSSL
1.1.0+ returned a new func number of another cerfificate fail so this
required a fix and this is the better way to catch this error anyway.
2016-01-14 21:25:30 +01:00
Daniel Stenberg
fdcc4d6daa openssl: for 1.1.0+ they now provide a SSLeay() macro of their own 2016-01-14 16:38:14 +01:00
Daniel Stenberg
13b6d3b7dd ConnectionExists: only do pipelining/multiplexing when asked
When an HTTP/2 upgrade request fails (no protocol switch), it would
previously detect that as still possible to pipeline on (which is
acorrect) and do that when PIPEWAIT was enabled even if pipelining was
not explictily enabled.

It should only pipelined if explicitly asked to.

Closes #584
2016-01-11 23:55:13 +01:00
Mohammad AlSaleh
3d209b5fb0 lib: Prefix URLs with lower-case protocol names/schemes
Before this patch, if a URL does not start with the protocol
name/scheme, effective URLs would be prefixed with upper-case protocol
names/schemes. This behavior might not be expected by library users or
end users.

For example, if `CURLOPT_DEFAULT_PROTOCOL` is set to "https". And the
URL is "hostname/path". The effective URL would be
"HTTPS://hostname/path" instead of "https://hostname/path".

After this patch, effective URLs would be prefixed with a lower-case
protocol name/scheme.

Closes #597

Signed-off-by: Mohammad AlSaleh <CE.Mohammad.AlSaleh@gmail.com>
2016-01-11 23:38:42 +01:00
Michael Kaufmann
5d7c9379ef IDN host names: Remove the port number before converting to ACE
Closes #596
2016-01-11 00:11:28 +01:00
Thomas Glanzmann
bf93a1217c mbedtls: implement CURLOPT_PINNEDPUBLICKEY 2016-01-10 00:17:26 +01:00
Tatsuhiro Tsujikawa
5da7461a55 url: Fix compile error with --enable-werror 2016-01-09 02:26:23 -05:00
Tatsuhiro Tsujikawa
b019af41e7 http2: Ensure that http2_handle_stream_close is called
Previously, when HTTP/2 is enabled and used, and stream has content
length known, Curl_read was not called when there was no bytes left to
read. Because of this, we could not make sure that
http2_handle_stream_close was called for every stream. Since we use
http2_handle_stream_close to emit trailer fields, they were
effectively ignored. This commit changes the code so that Curl_read is
called even if no bytes left to read, to ensure that
http2_handle_stream_close is called for every stream.

Discussed in https://github.com/bagder/curl/pull/564
2016-01-08 17:16:47 -05:00
Daniel Stenberg
325686ef9e http2: handle the received SETTINGS frame
This regression landed in 5778e6f5 and made libcurl not act on received
settings and instead stayed with its internal defaults.

Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
Reported-by: Bankde
2016-01-08 23:06:59 +01:00
Daniel Stenberg
c338d8cf9c Revert "multiplex: allow only once HTTP/2 is actually used"
This reverts commit 46cb70e9fa.

Bug: http://curl.haxx.se/mail/lib-2016-01/0031.html
2016-01-08 14:39:54 +01:00
Tatsuhiro Tsujikawa
984d1e9e23 http2: Fix PUSH_PROMISE headers being treated as trailers
Discussed in https://github.com/bagder/curl/pull/564
2016-01-08 03:06:25 -05:00
Michael Kaufmann
d9b4d1ce20 connection reuse: IDN host names fixed
Use the ACE form of IDN hostnames as key in the connection cache.  Add
new tests.

Closes #592
2016-01-08 00:19:46 +01:00
Jay Satiro
89a1eb7b1c mbedtls: Fix ALPN support
- Fix ALPN reply detection.

- Wrap nghttp2 code in ifdef USE_NGHTTP2.


Prior to this change ALPN and HTTP/2 did not work properly in mbedTLS.
2016-01-07 01:49:31 -05:00
Jay Satiro
973ee6bdd3 http2: Fix client write for trailers on stream close
Check that the trailer buffer exists before attempting a client write
for trailers on stream close.

Refer to comments in https://github.com/bagder/curl/pull/564
2016-01-06 22:10:49 -05:00
Daniel Stenberg
a2cae9aafd ConnectionExists: add missing newline in infof() call
Mistake from commit a464f33843
2016-01-06 00:54:49 +01:00
Daniel Stenberg
46cb70e9fa multiplex: allow only once HTTP/2 is actually used
To make sure curl doesn't allow multiplexing before a connection is
upgraded to HTTP/2 (like when Upgrade: h2c fails), we must make sure the
connection uses HTTP/2 as well and not only check what's wanted.

Closes #584

Patch-by: c0ff
2016-01-06 00:54:49 +01:00
Marc Hoersken
7cbe4d8d79 ftplistparser.c: fix handling of file LISTings using Windows EOL
Previously file.txt[CR][LF] would have been returned as file.tx
(without the last t) if filetype is symlink. Now the t is
included and the internal item_length includes the zero byte.

Spotted using test 576 on Windows.
2015-12-23 14:19:36 +01:00
Anders Bakken
a464f33843 ConnectionExists: with *PIPEWAIT, wait for connections
Try harder to prevent libcurl from opening up an additional socket when
CURLOPT_PIPEWAIT is set. Accomplished by letting ongoing TCP and TLS
handshakes complete first before the decision is made.

Closes #575
2015-12-23 10:20:37 +01:00
Daniel Stenberg
151da51404 cyassl: deal with lack of *get_peer_certificate
The function is only present in wolfssl/cyassl if it was built with
--enable-opensslextra. With these checks added, pinning support is disabled
unless the TLS lib has that function available.

Also fix the mistake in configure that checks for the wrong lib name.

Closes #566
2015-12-16 10:27:18 +01:00
Daniel Stenberg
1ff3a07be9 wolfssl: handle builds without SSLv3 support 2015-12-16 10:06:09 +01:00
Tatsuhiro Tsujikawa
15cb03ad84 http2: Support trailer fields
This commit adds trailer support in HTTP/2.  In HTTP/1.1, chunked
encoding must be used to send trialer fields.  HTTP/2 deprecated any
trandfer-encoding, including chunked.  But trailer fields are now
always available.

Since trailer fields are relatively rare these days (gRPC uses them
extensively though), allocating buffer for trailer fields is done when
we detect that HEADERS frame containing trailer fields is started.  We
use Curl_add_buffer_* functions to buffer all trailers, just like we
do for regular header fields.  And then deliver them when stream is
closed.  We have to be careful here so that all data are delivered to
upper layer before sending trailers to the application.

We can deliver trailer field one by one using NGHTTP2_ERR_PAUSE
mechanism, but current method is far more simple.

Another possibility is use chunked encoding internally for HTTP/2
traffic.  I have not tested it, but it could add another overhead.

Closes #564
2015-12-15 23:47:46 +01:00
Jay Satiro
6c2c019654 x509asn1: Fix host altname verification
- In Curl_verifyhost check all altnames in the certificate.

Prior to this change only the first altname was checked. Only the GSKit
SSL backend was affected by this bug.

Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
Reported-by: John Kohl
2015-12-15 14:07:28 -05:00
Daniel Stenberg
afcab2c2b6 cyassl: fix compiler warning on type conversion 2015-12-15 00:36:08 +01:00
Anders Bakken
8fbaf6749a setstropt: const-correctness
Closes #565
2015-12-14 23:14:39 +01:00
Daniel Stenberg
727f775e59 libressl: the latest openssl x509 funcs are not in libressl 2015-12-14 09:49:54 +01:00
Daniel Stenberg
4bcc532de5 http: add libcurl option to allow HTTP/2 for HTTPS only
... and stick to 1.1 for HTTP. This is in line with what browsers do and
should have very little risk.
2015-12-13 09:24:51 +01:00