This is a regression since who knows when. When spotting that a HTTP
proxy is used we must not uncondititionally enable the HTTP protocol
since if we do tunneling through the proxy we're still using the target
protocol.
Reported by: Naveen Chandran
If no SSLv2 was detected in OpenSSL by configure, then we enforce the
OPENSSL_NO_SSL2 define as it seems some people report it not being
defined properly in the OpenSSL headers.
When a 32 digit hex key is given as a hostkey md5 checksum, the code
would still run it against the knownhost check and not properly
acknowledge that the md5 should then be the sole guide for.
The verbose output now includes the evaluated MD5 hostkey checksum.
Some related source code comments were also updated.
Bug: http://curl.haxx.se/bug/view.cgi?id=3451592
Reported by: Reza Arbab
As there are different return codes for host vs proxy errors, this function
now properly returns the code properly depending on what was attempted to get
resolved.
Bug: http://curl.haxx.se/mail/archive-2011-12/0010.html
Reported by: Jason Liu
When making a distinction which return code to return, the code previously
only regarded HTTP proxies to be proxies and thus return host-related errors
for failures on other proxy types than HTTP. Now all proxy types will be
considered proxies...
Keep track of which sockets that are the result of accept() calls and
refuse to call the closesocket callback for those sockets. Test case 596
now verifies that the open socket callback is called the same number of
times as the closed socket callback for active FTP connections.
Bug: http://curl.haxx.se/mail/lib-2011-12/0018.html
Reported by: Gokhan Sengun
When the new socket is created for an active connection, it is now done
using the open socket callback.
Test case 596 was modified to run fine, although it hides the fact that
the close callback is still called too many times, as it also gets
called for closing sockets that were created with accept().
If the first name server is not available, the multi interface does
not invoke the socket_cb when the DNS request to the first name server
timesout. Ensure that the list of sockets are always updated after
calling Curl_resolver_is_resolved.
This bug can be reproduced if Curl is complied with --enable_ares and
your code uses the multi socket interfaces and the
CURLMOPT_SOCKETFUNCTION option. To test try:
iptables -I INPUT \
-s $(sed -n -e '/name/{s/.* //p;q}' /etc/resolv.conf)/32 \
-j REJECT
and then run a program which uses the multi-interface.
Changed the eob detection to work across the whole of the buffer so that
lines that begin with a dot (which the server will have escaped) are
passed to the client application correctly.
Curl_pop3_write() now has a state machine that scans for the end of a
POP3 body so that the CR LF '.' CR LF sequence can come in everything
from one up to five subsequent packets.
Test case 810 is modified to use SLOWDOWN which makes the server pause
between each single byte and thus makes the POP3 body get sent to curl
basically one byte at a time.
Added convenience macro to use to check if a handle is using a shared
SSL session, and fixed so that Curl_ssl_close_all() doesn't lock when
the session isn't shared.
Skip a floating point addition operation when integral part of time difference
is zero. This avoids potential floating point addition rounding problems while
preserving decimal part value.
Macros that look like function calls need to be made so that we can use
semicolons properly for indentation and for reducing the risk for
mistakes when using them.
1) enables the Window Size option
2) allows the server to enable the echo mode
3) allows an app using libcurl to disable the default binary mode
Signed-off-by: Laurent Rabret
By setting PROTOPT_NOURLQUERY in the protocol handler struct, the
protocol will get the "query part" of the URL cut off before the data is
handled by the protocol-specific code. This makes libcurl adhere to
RFC3986 section 2.2.
Test 1220 is added to verify a file:// URL with query-part.
Bugfix: https handshake fails using gnutls 3 on windows
http://sourceforge.net/tracker/index.php?func=detail&aid=3441084&group_id=976&atid=100976
New gnutls versions have an error handler that knows about Winsock
errors, which is why gnutls_transport_set_global_errno() was deprecated
and then removed.
This is a correction of commit f5bb370 (blame me) which meant to
reimplement gnutls_transport_set_global_errno(), which is not necessary.
Regression: commit b998d95b (shipped first in release 7.22.0) made the
condition always equal false that should reset the TIMER_CONNECT timer
and call the Curl_verboseconnect() function.
Reported by: "Captain Basil"
Bug: http://curl.haxx.se/mail/archive-2011-11/0035.html
When the user requests PORT with a specific port or port range, the code
could lock up in an endless loop. There's now an extra conditional that
makes sure to special treat the error and try the local address only
once so a second failure will abort the loop correctly.
Bug: http://curl.haxx.se/bug/view.cgi?id=3433968
Reported by: Gokhan Sengun
If a proxy offers several Authentication schemes where NTLM and
Negotiate are offered by the proxy and you tell libcurl not to use the
Negotiate scheme then the request never returns when the proxy answers
with its HTTP 407 reply.
It is reproducible by the following steps:
- Use a proxy that offers NTLM and Negotiate ( CURLOPT_PROXY and
CURLOPT_PROXYPORT )
- Tell libcurl NOT to use Negotiate CURL_EASY_SETOPT(CURLOPT_PROXYAUTH,
CURLAUTH_BASIC | CURLAUTH_DIGEST | CURLAUTH_NTLM )
- Start the request
The call to CURL_EASY_PERFORM never returns. If you switch on debug
logging you can see that libcurl issues a new request As soon as it
received the 407 reply. Instead it should return and set the response
code to 407.
Bug: http://curl.haxx.se/mail/lib-2011-10/0323.html
Move calling of ERR_remove_state(0) a.k.a ERR_remove_thread_state(NULL)
from Curl_ossl_close_all() to Curl_ossl_cleanup().
In this way ERR_remove_state(0) is now only called in libcurl by
curl_global_cleanup(). Previously it would get called by functions
curl_easy_cleanup(), curl_multi_cleanup and potentially each time a
connection was removed from a connection cache leading to premature
destruction of OpenSSL's thread local state hash.
Multi-threaded apps using OpenSSL enabled libcurl should still call
function ERR_remove_state(0) or ERR_remove_thread_state(NULL) at the
very end end of threads that do not call curl_global_cleanup().
Now called 'use_ssl' instead, which better matches the current CURLOPT
name and since the option is used for all pingpong protocols (at least)
it makes sense to not use 'ftp' in the name.
Use gnutls_priority_set_direct() instead of gnutls_protocol_set_priority().
Remove the gnutls_certificate_type_set_priority() use since x509 is the
default certificate type anyway.
Reported by: Vincent Torri
This extends the fix from commit d7934b8bd4
When the multi state is changed within the multi_runsingle from DOING to
DO_MORE, we didn't immediately start the FTP state machine again. That
then left the FTP state in FTP_STOP. When curl_multi_fdset() was
subsequently called, the ftp_domore_getsock() function would return the
wrong fd info.
Reported by: Gokhan Sengun
After a PORT has been issued, and the multi handle would switch to the
CURLM_STATE_DO_MORE state (which is unique for FTP), libcurl would
return the wrong fdset to wait for when curl_multi_fdset() is
called. The code would blindly assume that it was waiting for a connect
of the second connection, while that isn't true immediately after the
PORT command.
Also, the function multi.c:domore_getsock() was highly FTP-centric and
therefore ugly to keep in protocol-agnostic code. I solved this problem
by introducing a new function pointer in the Curl_handler struct called
domore_getsock() which is only called during the DOMORE state for
protocols that set that pointer.
The new ftp.c:ftp_domore_getsock() function now returns fdset info about
the control connection's command/response handling while such a state is
in use, and goes over to waiting for a writable second connection first
once the commands are done.
The original problem could be seen by running test 525 and checking the
time stamps in the FTP server log. I can verify that this fix at least
fixes this problem.
Bug: http://curl.haxx.se/mail/lib-2011-10/0250.html
Reported by: Gokhan Sengun
The fix is pretty much the one Nick Zitzmann provided, just edited to do
the right indent levels and with test case 1204 added to verify the fix.
Bug: http://curl.haxx.se/mail/lib-2011-10/0190.html
Reported by: Nick Zitzmann
The default lowat level for gnutls-2.12* is set to zero to avoid
unnecessary system calls and the gnutls_transport_set_lowat function has
been totally removed in >=gnutls-3 which causes build failures.
Therefore, the function shouldn't be used except for versions that
require it, <gnutls-2.12.0.
Previously the bit was set before the connection was found working so if
it would first fail to an ipv6 address and then connect fine to a IPv4
address the variable would still be TRUE.
Reported by: Thomas L. Shinnick
Bug: http://curl.haxx.se/bug/view.cgi?id=3421912
When doing a multipart formpost with a read callback, and that callback
returns CURL_READFUNC_ABORT, that return code must be properly
propagated back and handled accordingly. Previously it would be handled
as a zero byte read which would cause a hang!
Added test case 587 to verify. It uses the lib554.c source code with a
small ifdef.
Reported by: Anton Bychkov
Bug: http://curl.haxx.se/mail/lib-2011-10/0097.html
Save the errno value immediately after a connect() failure so that it
won't get reset to something else before we read it.
Bug: http://curl.haxx.se/mail/lib-2011-10/0066.html
Reported by: Frank Van Uffelen and Fabian Hiernaux
Set ACK timeout to 5 seconds.
If we are waiting for block X and receive block Y that is the expected one, we
should send ACK and increase X (which is already implemented). Otherwise drop
the packet and don't increase retry counter.
Prevent modification of easy handle being added with curl_multi_add_handle()
unless this function actually suceeds.
Run Curl_posttransfer() to allow restoring of SIGPIPE handler when
Curl_connect() fails early in multi_runsingle().
It makes much nicer and less convuluted code everywhere if this struct
member is always present even when libcurl is built without SSL support.
This reverts parts of commit 15e3e45170
Modified smtp_endofresp() to detect NTLM from the server specified list
of supported authentication mechanisms.
Modified smtp_authenticate() to start the sending of the NTLM data.
Added smtp_auth_ntlm_type1_message() which creates a NTLM type-1
message. This function is used by authenticate() to start the sending
of data and by smtp_state_auth_ntlm_resp() when the AUTH command
doesn't contain the type-1 message as part of the initial response.
This lack of initial response can happen if an OOM error occurs or the
type-1 message is longer than 504 characters. As the main AUTH command
is limited to 512 character the data has to be transmitted in two
parts; one containing the AUTH NTLM and the second containing the
type-1 message.
Added smtp_state_auth_ntlm_type2msg_resp() which handles the incoming
type-2 message and sends an outgoing type-3 message. This type-2
message is sent by the server in response to our type-1 message.
Modified smtp_state_auth_resp() to handle the response to: the AUTH
NTLM without the initial response and the type-2 response.
Modified smtp_disconnect() to cleanup the NTLM SSPI stack.
Added the output message length as a parameter to both
Curl_ntlm_create_type1_message() and Curl_ntlm_create_type3_message()
for use by future functions that require it.
Updated curl_ntlm.c to cater for the extra parameter on these two
functions.
Changed the name of variable l, in several functions, which represents
the length of strings being sent to the server, to len which is more
meaningful and consistent with other code in smtp.c and elsewhere.
Reworked smtp_authenticate() to be simpler and easier to follow.
Variables and now initialised in their definitions and if no username
and password are specified the function sets the state to SMTP_STOP and
returns immediately, rather than being part of a huge if statement.
Don't even declare the struct members for disabled features
Introducing the CURLSHE_NOT_BUILT_IN return code for the share interface
when trying to set a sharing option that has been disabled (or not
enabled) in the library.
When the progress function returns to cancel the request, we must mark
the connection to get closed and it must do to the DONE state.
do_init() must be called as early as possible so that state variables
for new connections are reset early. We could otherwise see that the old
values were still there when a connection was to be disconnected very
early and it would make it behave wrongly.
Bug: http://curl.haxx.se/mail/lib-2011-10/0006.html
Reported by: Vladimir Grishchenko
The size of the email can now be set via CURLOPT_INFILESIZE. This
allows the email to be rejected by the server, if supported, and the
maximum size has been configured on the server.
Removed the code that striped off the domain name when Curl_gethostname
returned the fully qualified domain name as the function has been
updated to return the un-qualified host name.
Replaced the use of HOSTNAME_MAX as the size of the buffer in the call
to Curl_gethostname with sizeof(host) as this is safer should the buffer
size ever be changed.
Allow (*curl_write_callback) write callbacks to return
CURL_WRITEFUNC_OUT_OF_MEMORY to properly indicate libcurl of OOM conditions
inside the callback itself.
If a socket is larger than FD_SETSIZE, avoid using FD_SET() on the
platforms where this is possible.
Bug: http://curl.haxx.se/bug/view.cgi?id=3413274
Reported by: Tim Starling
To avoid that the progress meter headers get output between each
transfer, make sure the bits gets kept when (re-)inited.
Reported by: Christopher Stone
I think curl should ignore this case and smtp.c should test for this.
Since RFC-2821 seems to allow a "null reverse-path". Ref. "MAIL
FROM:<>" in section 3.7, page 25.
Fixed Curl_gethostname() so that it always returns the un-qualified
machine name rather than being dependent on the socket provider.
Note: The return of getenv("CURL_GETHOSTNAME") is also parsed in case
the developer / test harness provided a fully qualified domain name as
it's value as well.
With this fix, it should work for PolarSSL-1.0.0 (and SVN-1091 trunk)
and retain compatibility with earlier versions. (Tested with 0.14.1)
PolarSSL still doesn't play nicely with curl's CA bundle (we discussed
this before) but I was at least able to retrieve the
https://www.gmail.com/ login page using a modified ca-certificates.crt
file with all 3 versions of PolarSSL.
Renamed the variable from 'proto' to 'level' simply because it is not
protocol you set but level and that is the name of the argument used in
man pages and the POSIX documentation of the setsockopt function.
This workarounds old libssh2 versions not properly initializing
some ssh session variables, which would trigger memory debuggers
warnings on memory being used without having been initialized.
The current version of speedcheck.c may disable timeout by setting zero
to Curl_expire. Which is fine using the curl_multi_perform, because it
recheck all timeout internals, but when using custom event poller (like
hiperfifo.c) it may keep stalle connection forever.
Calling sclose() both in the child and the parent fools the
socket leak detector into thinking it's been closed twice.
Calling close() in the child instead overcomes this problem. It's
not as portable as the sclose() macro, but this code is highly
POSIX-specific, anyway.
Just internal stuff...
Curl_safefree is now a macro defined in memdebug.h instead of a function
prototyped in url.h and implemented in url.c, so inclusion of url.h is no
longer required in order to simply use Curl_safefree.
Provide definition of macro WHILE_FALSE in setup_once.h in order to allow
other macros such as DEBUGF and DEBUGASSERT, and code using it, to compile
without 'conditional expression is constant' warnings.
The WHILE_FALSE stuff fixes 150+ MSVC compiler warnings.
Ensure existing logic in Curl_resolv_timeout() is not subverted upon getting a
negative timeout from resolve_server(). The timeout in resolve_server() could
be checked to avoid calling Curl_resolv_timeout() with an expired timeout, but
fixing this in this way allows existing logic in resolve_server() to be kept
unchanged.
Configure script option --enable-wb-ntlm-auth renamed to --enable-ntlm-wb
Configure script option --disable-wb-ntlm-auth renamed to --disable-ntlm-wb
Preprocessor symbol WINBIND_NTLM_AUTH_ENABLED renamed to NTLM_WB_ENABLED
Preprocessor symbol WINBIND_NTLM_AUTH_FILE renamed to NTLM_WB_FILE
Test harness env var CURL_NTLM_AUTH renamed to CURL_NTLM_WB_FILE
Static function wb_ntlm_close renamed to ntlm_wb_cleanup
Static function wb_ntlm_initiate renamed to ntlm_wb_init
Static function wb_ntlm_response renamed to ntlm_wb_response
Feature string literal NTLM_SSO renamed to NTLM_WB.
Preprocessor symbol USE_NTLM_SSO renamed to WINBIND_NTLM_AUTH_ENABLED.
curl's 'long' option 'ntlm-sso' renamed to 'ntlm-wb'.
Fix some comments to make clear that this is actually a NTLM delegation.
Fixed the order of the preferred SMTP authentication method to:
AUTH CRAM-MD5, AUTH LOGIN then AUTH PLAIN.
AUTH PLAIN should be the last as it slightly more insecure than AUTH LOGIN
as the username and password are sent together - there is no handshaking
between the client and server like there is with AUTH LOGIN.
Previous interfaces for these libcurl internal functions did not allow to tell
apart a legitimate zero size result from an error condition. These functions
now return a CURLcode indicating function success or otherwise specific error.
Output size is returned using a pointer argument.
All usage of these two functions, and others closely related, has been adapted
to the new interfaces. Relative error and OOM handling adapted or added where
missing. Unit test 1302 also adapted.
* Added function comments:
- Curl_ntlm_decode_type2_message
- Curl_ntlm_create_type1_message
- Curl_ntlm_create_type3_message
* Modification of ntlm processing state to NTLMSTATE_TYPE2 is now done
only when Curl_ntlm_decode_type2_message() has fully succeeded.
As a bonus, this lets our MemoryTracking subsystem track zlib operations.
And also fixes a shortcut some zlib 1.2.x versions took using malloc()
instead of calloc(), which would trigger memory debuggers warnings on
memory being used without having been initialized.
As I modified conn->bits.tcpconnect to become an array that holds one
bool for each potential connection all uses of that struct field must
index it correctly.
When using the multi interface, a SOCKS proxy, and a connection that
wouldn't immediately consider itself connected (which my Linux tests do
by default), libcurl would be tricked into doing _two_ connects to the
SOCKS proxy when it setup the data connection and then of course the
second attempt would fail miserably and cause error.
This problem is a regression that was introduced by commit
4a42e5cdaa that was introduced in the 7.21.7 release.
Bug: http://curl.haxx.se/mail/lib-2011-08/0199.html
Reported by: Fabian Keil
Until 2011-08-17 libcurl's Memory Tracking feature also performed
automatic malloc and free filling operations using 0xA5 and 0x13
values. Our own preinitialization of dynamically allocated memory
might be useful when not using third party memory debuggers, but
on the other hand this would fool memory debuggers into thinking
that all dynamically allocated memory is properly initialized.
As a default setting, libcurl's Memory Tracking feature no longer
performs preinitialization of dynamically allocated memory on its
own. If you know what you are doing, and really want to retain old
behavior, you can achieve this compiling with preprocessor symbols
CURL_MT_MALLOC_FILL and CURL_MT_FREE_FILL defined with appropriate
values.
"release-ssl-ssh2-zlib" and "debug-ssl-ssh2-zlib" are two new makefile
targets that build libcurl with MSVC and link with libssh2
Bug: http://curl.haxx.se/bug/view.cgi?id=3388920
Reported by: "kdekker"
Strict splitting of http_ntlm.[ch] may trigger 8 compiler warnings when
building with some compilers and strict compiler warnings enabled, depending
on other specific configuration options some could get triggered or not.
Seven are related with 'unused function parameters' and another one with
'var may be used before its value is set'.
For modularity purposes, huge chunks of NTLM existing code is transformed into
functions to allow future internal code reuse.
Resulting three new libcurl private functions:
- Curl_ntlm_create_type1_message()
- Curl_ntlm_create_type3_message()
- Curl_ntlm_decode_type2_message()
Changing static ntlm_sspi_cleanup() into non-static Curl_ntlm_sspi_cleanup()
This 'refactoring' has been prepared by previous commits to allow that this
specific one does not introduce any change to existing code. All existing
goodness and badness previous to this commit should remain the same once it is
applied, the only difference should be that existing code is moved into
functions.
Given the quite big portions of code being moved around, and the importance of
change traceability, this commit has been done in such a way that it is
possible to perform a three-way diff from initial http_ntlm.[ch] to resulting
http_ntlm.[ch] and curl_ntlm.[ch] to actually verify that no functional change
is introduced here.
Notice that Steve Holme has provided several patches, but these included this
refactoring along with 'extra' fixes. I really wanted this 'clean' refactoring
done first, in order to allow discussion or committing of 'extra' fixes on a
case by case basis, so, I had to bite the bullet ;-)
Comments, line adjustments, compiler warning fixes, whatever, may follow
afterwards.