1
0
mirror of https://github.com/moparisthebest/curl synced 2024-10-31 23:55:01 -04:00
Commit Graph

642 Commits

Author SHA1 Message Date
Steve Holme
a5aec58726 imap/pop3/smtp: Fixed connections upgraded with TLS are not reused
Regression since commit 710f14edba.

Bug: https://github.com/curl/curl/issues/422
Reported-by: Justin Ehlert
2016-03-08 19:36:46 +00:00
Michael Koenig
9dc3eaee29 TFTP: add option to suppress TFTP option requests (Part 1)
Some TFTP server implementations ignore the "TFTP Option extension"
(RFC 1782-1784, 2347-2349), or implement it in a flawed way, causing
problems with libcurl. Another switch for curl_easy_setopt
"CURLOPT_TFTP_NO_OPTIONS" is introduced which prevents libcurl from
sending TFTP option requests to a server, avoiding many problems caused
by faulty implementations.

Bug: https://github.com/curl/curl/issues/481
2016-02-23 03:00:58 -05:00
Daniel Stenberg
716302c2cd mbedtls: fix ALPN usage segfault
Since we didn't keep the input argument around after having called
mbedtls, it could end up accessing the wrong memory when figuring out
the ALPN protocols.

Closes #642
2016-02-09 23:37:14 +01:00
Daniel Stenberg
4af40b3646 URLs: change all http:// URLs to https:// 2016-02-03 00:19:02 +01:00
Gisle Vanem
bdb465274f urldata: Error on missing SSL backend-specific connect info 2016-01-29 00:11:43 -05:00
Sergei Nikulov
91460b2b8a urldata: moved common variable out of ifdef
Closes https://github.com/bagder/curl/pull/618
2016-01-28 03:01:51 -05:00
Steve Holme
eaa98cef8d oauth2: Don't use XOAUTH2 in OAuth 2.0 variables 2015-11-09 22:25:08 +00:00
Steve Holme
4e3d396900 oauth2: Use OAuth 2.0 rather than XOAUTH2 in comments
When referring to OAuth 2.0 we should use the official name rather the
SASL mechanism name.
2015-11-09 22:25:08 +00:00
Daniel Stenberg
d31ed6ac71 http2: s/priority/weight 2015-10-23 08:22:38 +02:00
Daniel Stenberg
3042cb5043 http2: added three stream prio/deps options
CURLOPT_STREAM_DEPENDS

CURLOPT_STREAM_DEPENDS_E

CURLOPT_STREAM_PRIORITY
2015-10-23 08:22:38 +02:00
Jonas Minnberg
fe7590f729 vtls: added support for mbedTLS
closes #496
2015-10-20 07:57:24 +02:00
Daniel Stenberg
c6aedf680f fread_func: move callback pointer from set to state struct
... and assign it from the set.fread_func_set pointer in the
Curl_init_CONNECT function. This A) avoids that we have code that
assigns fields in the 'set' struct (which we always knew was bad) and
more importantly B) it makes it impossibly to accidentally leave the
wrong value for when the handle is re-used etc.

Introducing a state-init functionality in multi.c, so that we can set a
specific function to get called when we enter a state. The
Curl_init_CONNECT is thus called when switching to the CONNECT state.

Bug: https://github.com/bagder/curl/issues/346

Closes #346
2015-10-15 23:32:19 +02:00
Nathaniel Waisbrot
9756d1da76 CURLOPT_DEFAULT_PROTOCOL: added
- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
protocol for schemeless URLs.

- Add new tool option --proto-default to expose
CURLOPT_DEFAULT_PROTOCOL.

In the case of schemeless URLs libcurl will behave in this way:

When the option is used libcurl will use the supplied default.

When the option is not used, libcurl will follow its usual plan of
guessing from the hostname and falling back to 'http'.
2015-08-22 21:57:14 -04:00
Michael Kaufmann
c5d060cab4 HTTP: ignore "Content-Encoding: compress"
Currently, libcurl rejects responses with "Content-Encoding: compress"
when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
treat the Content-Encoding "compress" the same as other
Content-Encodings that it does not support, e.g. "bzip2". That means
just ignoring it.
2015-07-25 00:46:01 +02:00
Jay Satiro
172b2beba6 SSL: Add an option to disable certificate revocation checks
New tool option --ssl-no-revoke.
New value CURLSSLOPT_NO_REVOKE for CURLOPT_SSL_OPTIONS.

Currently this option applies only to WinSSL where we have automatic
certificate revocation checking by default. According to the
ssl-compared chart there are other backends that have automatic checking
(NSS, wolfSSL and DarwinSSL) so we could possibly accommodate them at
some later point.

Bug: https://github.com/bagder/curl/issues/264
Reported-by: zenden2k <zenden2k@gmail.com>
2015-07-17 02:40:16 -04:00
Daniel Stenberg
ea7134ac87 http2: initial implementation of the push callback 2015-06-24 23:44:42 +02:00
Jay Satiro
3e7ec1e849 schannel: schannel_recv overhaul
This commit is several drafts squashed together. The changes from each
draft are noted below. If any changes are similar and possibly
contradictory the change in the latest draft takes precedence.

Bug: https://github.com/bagder/curl/issues/244
Reported-by: Chris Araman

%%
%% Draft 1
%%
- return 0 if len == 0. that will have to be documented.
- continue on and process the caches regardless of raw recv
- if decrypted data will be returned then set the error code to CURLE_OK
and return its count
- if decrypted data will not be returned and the connection has closed
(eg nread == 0) then return 0 and CURLE_OK
- if decrypted data will not be returned and the connection *hasn't*
closed then set the error code to CURLE_AGAIN --only if an error code
isn't already set-- and return -1
- narrow the Win2k workaround to only Win2k

%%
%% Draft 2
%%
- Trying out a change in flow to handle corner cases.

%%
%% Draft 3
%%
- Back out the lazier decryption change made in draft2.

%%
%% Draft 4
%%
- Some formatting and branching changes
- Decrypt all encrypted cached data when len == 0
- Save connection closed state
- Change special Win2k check to use connection closed state

%%
%% Draft 5
%%
- Default to CURLE_AGAIN in cleanup if an error code wasn't set and the
connection isn't closed.

%%
%% Draft 6
%%
- Save the last error only if it is an unrecoverable error.

Prior to this I saved the last error state in all cases; unfortunately
the logic to cover that in all cases would lead to some muddle and I'm
concerned that could then lead to a bug in the future so I've replaced
it by only recording an unrecoverable error and that state will persist.

- Do not recurse on renegotiation.

Instead we'll continue on to process any trailing encrypted data
received during the renegotiation only.

- Move the err checks in cleanup after the check for decrypted data.

In either case decrypted data is always returned but I think it's easier
to understand when those err checks come after the decrypted data check.

%%
%% Draft 7
%%
- Regardless of len value go directly to cleanup if there is an
unrecoverable error or a close_notify was already received. Prior to
this change we only acknowledged those two states if len != 0.

- Fix a bug in connection closed behavior: Set the error state in the
cleanup, because we don't know for sure it's an error until that time.

- (Related to above) In the case the connection is closed go "greedy"
with the decryption to make sure all remaining encrypted data has been
decrypted even if it is not needed at that time by the caller. This is
necessary because we can only tell if the connection closed gracefully
(close_notify) once all encrypted data has been decrypted.

- Do not renegotiate when an unrecoverable error is pending.

%%
%% Draft 8
%%
- Don't show 'server closed the connection' info message twice.

- Show an info message if server closed abruptly (missing close_notify).
2015-06-17 00:17:03 -04:00
Daniel Stenberg
b0143a2a33 read_callback: move to SessionHandle from connectdata
With many easy handles using the same connection for multiplexing, it is
important we store and keep the transfer-oriented stuff in the
SessionHandle so that callbacks and callback data work fine even when
many easy handles share the same physical connection.
2015-05-20 23:06:45 +02:00
Daniel Stenberg
811443754a CURLOPT_PIPEWAIT: added
By setting this option to 1 libcurl will wait for a connection to reveal
if it is possible to pipeline/multiplex on before it continues.
2015-05-18 09:33:47 +02:00
Daniel Stenberg
783b3c7b42 http2: separate multiplex/pipelining + cleanup memory leaks 2015-05-18 08:57:18 +02:00
Daniel Stenberg
f4b8b39881 http2: leave WAITPERFORM when conn is multiplexed
No need to wait for our "spot" like for pipelining
2015-05-18 08:57:18 +02:00
Daniel Stenberg
01e1bdb10c http2: force "drainage" of streams
... which is necessary since the socket won't be readable but there is
data waiting in the buffer.
2015-05-18 08:57:17 +02:00
Linus Nielsen
97c272e5d1 Negotiate: custom service names for SPNEGO.
* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.
2015-04-28 08:29:56 +02:00
Daniel Stenberg
5d23279299 CURLOPT_PATH_AS_IS: added
--path-as-is is the command line option

Added docs in curl.1 and CURLOPT_PATH_AS_IS.3

Added test in test 1241
2015-03-24 10:31:58 +01:00
Alessandro Ghedini
4dcd25e138 url: add CURLOPT_SSL_FALSESTART option
This option can be used to enable/disable TLS False Start defined in the RFC
draft-bmoeller-tls-falsestart.
2015-03-20 20:14:33 +01:00
Dan Fandrich
9e66d3f4d3 axtls: version 1.5.2 now requires that config.h be manually included 2015-03-19 10:11:17 +01:00
Daniel Stenberg
00ea0e7db0 http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*
Since they already exist and will make comparing easier
2015-03-07 11:10:30 +01:00
Alessandro Ghedini
44ffe27056 urldata: remove unused asked_for_h2 field 2015-03-07 10:36:10 +01:00
Daniel Stenberg
042526c19f urldata: fix gnutls build 2015-03-06 10:13:40 +01:00
Daniel Stenberg
709cf76f6b openssl: remove all uses of USE_SSLEAY
SSLeay was the name of the library that was subsequently turned into
OpenSSL many moons ago (1999). curl does not work with the old SSLeay
library since years. This is now reflected by only using USE_OPENSSL in
code that depends on OpenSSL.
2015-03-05 10:57:52 +01:00
Alessandro Ghedini
3af90a6e19 url: add CURLOPT_SSL_VERIFYSTATUS option
This option can be used to enable/disable certificate status verification using
the "Certificate Status Request" TLS extension defined in RFC6066 section 8.

This also adds the CURLE_SSL_INVALIDCERTSTATUS error, to be used when the
certificate status verification fails, and the Curl_ssl_cert_status_request()
function, used to check whether the SSL backend supports the status_request
extension.
2015-01-16 23:23:29 +01:00
Steve Holme
1abe65d928 code/docs: Use Unix rather than UNIX to avoid use of the trademark
Use Unix when generically writing about Unix based systems as UNIX is
the trademark and should only be used in a particular product's name.
2014-12-26 21:42:44 +00:00
Patrick Monnerat
9081014c2c IPV6: address scope != scope id
There was a confusion between these: this commit tries to disambiguate them.
- Scope can be computed from the address itself.
- Scope id is scope dependent: it is currently defined as 1-based local
  interface index for link-local scoped addresses, and as a site index(?) for
  (obsolete) site-local addresses. Linux only supports it for link-local
  addresses.
The URL parser properly parses a scope id as an interface index, but stores it
in a field named "scope": confusion. The field has been renamed into "scope_id".
Curl_if2ip() used the scope id as it was a scope. This caused failures
to bind to an interface.
Scope is now computed from the addresses and Curl_if2ip() matches them.
If redundantly specified in the URL, scope id is check for mismatch with
the interface index.

This commit should fix SF bug #1451.
2014-12-16 13:52:06 +01:00
Daniel Stenberg
680d5fd041 http2: avoid logging neg "failure" if h2 was not requested 2014-12-09 00:09:24 +01:00
Anthon Pang
1b3a398ec1 docs: Fix FAILONERROR typos
It returns error for >= 400 HTTP responses.

Bug: https://github.com/bagder/curl/pull/129
2014-12-04 12:14:59 -08:00
Peter Wu
970c22f970 libcurl: add UNIX domain sockets support
The ability to do HTTP requests over a UNIX domain socket has been
requested before, in Apr 2008 [0][1] and Sep 2010 [2]. While a
discussion happened, no patch seems to get through. I decided to give it
a go since I need to test a nginx HTTP server which listens on a UNIX
domain socket.

One patch [3] seems to make it possible to use the
CURLOPT_OPENSOCKETFUNCTION function to gain a UNIX domain socket.
Another person wrote a Go program which can do HTTP over a UNIX socket
for Docker[4] which uses a special URL scheme (though the name contains
cURL, it has no relation to the cURL library).

This patch considers support for UNIX domain sockets at the same level
as HTTP proxies / IPv6, it acts as an intermediate socket provider and
not as a separate protocol. Since this feature affects network
operations, a new feature flag was added ("unix-sockets") with a
corresponding CURL_VERSION_UNIX_SOCKETS macro.

A new CURLOPT_UNIX_SOCKET_PATH option is added and documented. This
option enables UNIX domain sockets support for all requests on the
handle (replacing IP sockets and skipping proxies).

A new configure option (--enable-unix-sockets) and CMake option
(ENABLE_UNIX_SOCKETS) can disable this optional feature. Note that I
deliberately did not mark this feature as advanced, this is a
feature/component that should easily be available.

 [0]: http://curl.haxx.se/mail/lib-2008-04/0279.html
 [1]: http://daniel.haxx.se/blog/2008/04/14/http-over-unix-domain-sockets/
 [2]: http://sourceforge.net/p/curl/feature-requests/53/
 [3]: http://curl.haxx.se/mail/lib-2008-04/0361.html
 [4]: https://github.com/Soulou/curl-unix-socket

Signed-off-by: Peter Wu <peter@lekensteyn.nl>
2014-12-04 02:52:19 +01:00
Steve Holme
86b889485d sasl_gssapi: Added GSS-API based Kerberos V5 variables 2014-12-03 07:47:05 +00:00
Bill Nagel
02d2c0a08d smb: Added initial SMB functionality
Initial implementation of the SMB/CIFS protocol.
2014-11-30 18:01:15 +00:00
Bill Nagel
557658776f smb: Added SMB protocol and port definitions
Added the necessary protocol and port definitions in order to support
SMB/CIFS.
2014-11-29 21:26:40 +00:00
Michael Osipov
9f10e45e42 kerberos: Use symbol qualified with _KERBEROS5
For consistency renamed USE_KRB5 to USE_KERBEROS5.
2014-11-16 13:29:04 +00:00
Steve Holme
2e16100609 urldata: Don't define sec_complete when no GSS-API support present
This variable is only used with HAVE_GSSAPI is defined by the FTP code
so let's place the definition with the other GSS-API based variables.
2014-11-15 13:15:02 +00:00
Michael Osipov
d54b551f6c docs: Use consistent naming for Kerberos 2014-11-15 13:10:45 +00:00
Steve Holme
500d2db302 http_digest: Reworked the SSPI based input token storage
Reworked the input token (challenge message) storage as what is passed
to the buf and desc in the response generation are typically blobs of
data rather than strings, so this is more in keeping with other areas
of the SSPI code, such as the NTLM message functions.
2014-11-06 14:59:53 +00:00
Steve Holme
1033acd92d http_digest: Added required SSPI based variables to digest structure 2014-11-06 11:10:08 +00:00
Daniel Stenberg
b387560692 curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
When duplicating a handle, the data to post was duplicated using
strdup() when it could be binary and contain zeroes and it was not even
zero terminated! This caused read out of bounds crashes/segfaults.

Since the lib/strdup.c file no longer is easily shared with the curl
tool with this change, it now uses its own version instead.

Bug: http://curl.haxx.se/docs/adv_20141105.html
CVE: CVE-2014-3707
Reported-By: Symeon Paraschoudis
2014-11-05 08:05:14 +01:00
Steve Holme
b6821dbb91 sasl: Fixed Kerberos V5 inclusion when CURL_DISABLE_CRYPTO_AUTH is used
Typically the USE_WINDOWS_SSPI definition would not be used when the
CURL_DISABLE_CRYPTO_AUTH define is, however, it is still a valid build
configuration and, as such, the SASL Kerberos V5 (GSSAPI) authentication
data structures and functions would incorrectly be used when they
shouldn't be.

Introduced a new USE_KRB5 definition that takes into account the use of
CURL_DISABLE_CRYPTO_AUTH like USE_SPNEGO and USE_NTLM do.
2014-11-02 00:35:16 +00:00
Kamil Dudka
276741af4d transfer: drop the code handling the ssl_connect_retry flag
Its last use has been removed by the previous commit.
2014-10-29 14:34:46 +01:00
Steve Holme
d91d21f05b sspi: Renamed max token length variables
Code cleanup to try and synchronise code between the different SSPI
based authentication mechanisms.
2014-10-26 14:43:02 +00:00
Steve Holme
3fe5b462f7 ntlm: Only define ntlm data structure when USE_NTLM is defined 2014-10-25 22:36:49 +01:00
Steve Holme
28ff8babad ntlm: Changed handles to be dynamic like other SSPI handles
Code cleanup to try and synchronise code between the different SSPI
based authentication mechanisms.
2014-10-25 14:16:06 +01:00