1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-10 11:35:07 -05:00
Commit Graph

8421 Commits

Author SHA1 Message Date
Mike Crowe
6b56901b56 gnutls: Support CURLOPT_KEYPASSWD
The gnutls vtls back-end was previously ignoring any password set via
CURLOPT_KEYPASSWD. Presumably this was because
gnutls_certificate_set_x509_key_file did not support encrypted keys.

gnutls now has a gnutls_certificate_set_x509_key_file2 function that
does support encrypted keys. Let's determine at compile time whether the
available gnutls supports this new function. If it does then use it to
pass the password. If it does not then emit a helpful diagnostic if a
password is set. This is preferable to the previous behaviour of just
failing to read the certificate without giving a reason in that case.

Signed-off-by: Mike Crowe <mac@mcrowe.com>
2015-09-22 17:30:33 +02:00
Daniel Stenberg
7362008c1c CURLINFO_TLS_SESSION: always return backend info
... even for those that don't support providing anything in the
'internals' struct member since it offers a convenient way for
applications to figure this out.
2015-09-22 17:21:37 +02:00
Jay Satiro
47b7d658b4 vtls: Change designator name for server's pubkey hash
- Change the designator name we use to show the base64 encoded sha256
hash of the server's public key from 'pinnedpubkey' to
'public key hash'.

Though the server's public key hash is only shown when comparing pinned
public key hashes, the server's hash may not match one of the pinned.
2015-09-19 22:40:40 -04:00
Isaac Boukris
f65e07ca59 NTLM: Reset auth-done when using a fresh connection
With NTLM a new connection will always require authentication.
Fixes #435
2015-09-19 23:21:05 +02:00
Daniel Hwang
30c131f51f ssl: add server cert's "sha256//" hash to verbose
Add a "pinnedpubkey" section to the "Server Certificate" verbose

Bug: https://github.com/bagder/curl/issues/410
Reported-by: W. Mark Kubacki

Closes #430
Closes #410
2015-09-19 23:17:39 +02:00
Jakub Zakrzewski
c979a3d0c4 openldap: only part of LDAP query results received
Introduced with commit 65d141e6da

Closes #440
2015-09-19 23:06:03 +02:00
Alessandro Ghedini
c184a5c6bc openssl: don't output certinfo data 2015-09-19 22:53:31 +02:00
Alessandro Ghedini
c00cec9864 openssl: refactor certificate parsing to use OpenSSL memory BIO
Fixes #427
2015-09-19 22:53:31 +02:00
Kamil Dudka
958d2ffb19 nss: prevent NSS from incorrectly re-using a session
Without this workaround, NSS re-uses a session cache entry despite the
server name does not match.  This causes SNI host name to differ from
the actual host name.  Consequently, certain servers (e.g. github.com)
respond by 400 to such requests.

Bug: https://bugzilla.mozilla.org/1202264
2015-09-18 17:38:51 +02:00
Kamil Dudka
a9fd53887b nss: check return values of NSS functions 2015-09-18 17:07:22 +02:00
Daniel Stenberg
82e3e8e31f openssl: build with < 0.9.8
... without sha256 support and no define saying so.

Reported-by: Rajkumar Mandal
2015-09-17 08:54:04 +02:00
Daniel Stenberg
202162daeb http2: removed unused function 2015-09-13 16:33:51 +02:00
Jay Satiro
df6a4d3519 curl_sspi: fix possibly undefined CRYPT_E_REVOKED
Bug: https://github.com/bagder/curl/pull/411
Reported-by: Viktor Szakats
2015-09-10 02:17:33 -04:00
Daniel Stenberg
87e533ace0 parse_proxy: reject illegal port numbers
If the port number in the proxy string ended weirdly or the number is
too large, skip it. Mostly as a means to bail out early if a "bare" IPv6
numerical address is used without enclosing brackets.

Also mention the bracket requirement for IPv6 numerical addresses to the
man page for CURLOPT_PROXY.

Closes #415

Reported-by: Marcel Raad
2015-09-08 15:17:00 +02:00
Daniel Stenberg
27620171ff FTP: do_more: add check for wait_data_conn in upload case
In some timing-dependnt cases when a 4xx response immediately followed
after a 150 when a STOR was issued, this function would wrongly return
'complete == true' while 'wait_data_conn' was still set.

Closes #405

Reported-by: Patricia Muscalu
2015-09-08 09:29:03 +02:00
Kamil Dudka
7380433d6a nss: do not directly access SSL_ImplementedCiphers[]
It causes dynamic linking issues at run-time after an update of NSS.

Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
2015-09-04 14:35:36 +02:00
Daniel Stenberg
82db076d9f gitignore: ignore more generated VC Makefiles 2015-09-03 23:35:41 +02:00
Daniel Stenberg
1869164293 http2: don't pass on Connection: headers
RFC 7540 section 8.1.2.2 states: "An endpoint MUST NOT generate an
HTTP/2 message containing connection-specific header fields; any message
containing connection-specific header fields MUST be treated as
malformed"

Closes #401
2015-09-03 22:23:50 +02:00
Marcel Raad
668231c309 inet_pton.c: Fix MSVC run-time check failure (2)
This fixes another run-time check failure because of a narrowing cast on
Visual C++.

Closes #408
2015-09-03 11:37:50 +02:00
Steve Holme
4963948089 sasl: Only define Curl_sasl_digest_get_pair() when CRYPTO_AUTH enabled
Introduced in commit 59f3f92ba6 this function is only implemented when
CURL_DISABLE_CRYPTO_AUTH is not defined. As such we shouldn't define
the function in the header file either.
2015-08-31 12:44:01 +01:00
Steve Holme
b850437991 sasl: Updated SPN variables and comments for consistency
In places the "host name" and "realm" variable was referred to as
"instance" whilst in others it was referred to as "host".
2015-08-31 12:43:58 +01:00
Steve Holme
415f0370ea win32: Use DES_set_odd_parity() from OpenSSL/BoringSSL by default
Set HAVE_DES_SET_ODD_PARITY when using OpenSSL/BoringSSL as native
Windows builds don't use the autoconf tools.
2015-08-30 22:06:10 +01:00
Steve Holme
347a6ee597 des: Fixed compilation warning from commit 613e5022fe
curl_ntlm_core.c:150: warning 'Curl_des_set_odd_parity' undefined;
                      assuming extern returning int
2015-08-30 21:45:30 +01:00
Steve Holme
fb0825cb0a makefiles: Added our standard copyright header
But kept the original author, when they were specified in a comment, as
the initial copyright holder.
2015-08-30 14:51:13 +01:00
Sergei Nikulov
2132708ac2 cmake: added Windows SSL support
Closes #399
2015-08-25 22:42:28 +02:00
Razvan Cojocaru
62f306ff34 getinfo: added CURLINFO_ACTIVESOCKET
This patch addresses known bug #76, where on 64-bit Windows SOCKET is 64
bits wide, but long is only 32, making CURLINFO_LASTSOCKET unreliable.

Signed-off-by: Razvan Cojocaru <rcojocaru@bitdefender.com>
2015-08-24 12:34:17 +02:00
Daniel Stenberg
36f6f6f4f2 http2: remove dead code
Leftovers from when we removed the private socket hash.

Coverity CID 1317365, "Logically dead code"
2015-08-24 11:31:45 +02:00
Daniel Stenberg
a78534794e ntlm: mark deliberate switch case fall-through
Coverity CID 1317367, "Missing break in switch"
2015-08-24 11:29:22 +02:00
Daniel Stenberg
110d99c661 http2: on_frame_recv: get a proper 'conn' for the debug logging
"Explicit null dereferenced (FORWARD_NULL)"

Coverity CID 1317366
2015-08-24 11:26:30 +02:00
Nathaniel Waisbrot
9756d1da76 CURLOPT_DEFAULT_PROTOCOL: added
- Add new option CURLOPT_DEFAULT_PROTOCOL to allow specifying a default
protocol for schemeless URLs.

- Add new tool option --proto-default to expose
CURLOPT_DEFAULT_PROTOCOL.

In the case of schemeless URLs libcurl will behave in this way:

When the option is used libcurl will use the supplied default.

When the option is not used, libcurl will follow its usual plan of
guessing from the hostname and falling back to 'http'.
2015-08-22 21:57:14 -04:00
Daniel Stenberg
613e5022fe NTLM: recent boringssl brought DES_set_odd_parity back
... so improve the #ifdefs for using our local implementation.
2015-08-22 23:59:18 +02:00
Alessandro Ghedini
8363656cb4 openssl: handle lack of server cert when strict checking disabled
If strict certificate checking is disabled (CURLOPT_SSL_VERIFYPEER
and CURLOPT_SSL_VERIFYHOST are disabled) do not fail if the server
doesn't present a certificate at all.

Closes #392
2015-08-21 15:32:51 +02:00
Daniel Stenberg
38ef1b3e7f ftp: clear the do_more bit when the server has connected
The multi state machine would otherwise go into the DO_MORE state after
DO, even for the case when the FTP state machine had already performed
those duties, which caused libcurl to get stuck in that state and fail
miserably. This occured for for active ftp uploads.

Reported-by: Patricia Muscalu
2015-08-21 13:30:08 +02:00
Erik Janssen
14ff86256b rtsp: stop reading empty DESCRIBE responses
Based-on-patch-by: Jim Hollinger
2015-08-20 23:07:03 +02:00
Erik Janssen
e4fb5f2f61 rtsp: support basic/digest authentication 2015-08-20 23:02:28 +02:00
Marcel Raad
618dfd65e4 inet_pton.c: Fix MSVC run-time check failure
Visual Studio complains with a message box:

"Run-Time Check Failure #1 - A cast to a smaller data type has caused a
loss of data.  If this was intentional, you should mask the source of
the cast with the appropriate bitmask.

For example:
char c = (i & 0xFF);

Changing the code in this way will not affect the quality of the
resulting optimized code."

This is because only 'val' is cast to unsigned char, so the "& 0xff" has
no effect.

Closes #387
2015-08-19 09:31:45 +02:00
Jay Satiro
9518139c73 gitignore: Sort for readability
find . -name .gitignore -print0 | xargs -i -0 sort -o '{}' '{}'
2015-08-18 01:03:05 -04:00
Anders Bakken
5778e6f526 http2: discard frames with no SessionHandle
Return 0 instead of NGHTTP2_ERR_CALLBACK_FAILURE if we can't locate the
SessionHandle. Apparently mod_h2 will sometimes send a frame for a
stream_id we're finished with.

Use nghttp2_session_get_stream_user_data and
nghttp2_session_set_stream_user_data to identify SessionHandles instead
of a hash.

Closes #372
2015-08-11 08:16:33 +02:00
Viktor Szakats
9ee40ce2ab build: refer to fixed libidn versions
closes #371
2015-08-10 23:20:18 +02:00
Daniel Stenberg
ade6682f8d SFTP: fix range request off-by-one in size check
Reported-by: Tim Stack

Closes #359
2015-08-10 09:18:19 +02:00
Isaac Boukris
fe6049f04b NTLM: handle auth for only a single request
Currently when the server responds with 401 on NTLM authenticated
connection (re-used) we consider it to have failed.  However this is
legitimate and may happen when for example IIS is set configured to
'authPersistSingleRequest' or when the request goes thru a proxy (with
'via' header).

Implemented by imploying an additional state once a connection is
re-used to indicate that if we receive 401 we need to restart
authentication.

Closes #363
2015-08-06 14:39:26 +02:00
Daniel Stenberg
c4eb10e2f0 SSH: three state machine fixups
The SSH state machine didn't clear the 'rc' variable appropriately in a
two places which prevented it from looping the way it should. And it
lacked an 'else' statement that made it possible to erroneously get
stuck in the SSH_AUTH_AGENT state.

Reported-by: Tim Stack

Closes #357
2015-08-02 22:50:31 +02:00
Daniel Stenberg
3b4ee0d432 curl_gssapi: remove 'const' to fix compiler warnings
initialization discards 'const' qualifier from pointer target type
2015-08-02 00:24:38 +02:00
Steve Holme
f75b6065db sspi: Fix typo from left over from old code which referenced NTLM
References to NTLM in the identity generation should have been removed
in commit c469941293 but not all were.
2015-08-01 23:09:03 +01:00
Steve Holme
11ab3f8918 win32: Fix compilation warnings from commit 40c921f8b8
connect.c:953:5: warning: initializer element is not computable at load
                 time
connect.c:953:5: warning: missing initializer for field 'dwMinorVersion'
                 of 'OSVERSIONINFOEX'
curl_sspi.c:97:5: warning: initializer element is not computable at load
                  time
curl_sspi.c:97:5: warning: missing initializer for field 'szCSDVersion'
                  of 'OSVERSIONINFOEX'
2015-08-01 22:55:01 +01:00
Steve Holme
a1b2a6bd93 schannel: Fix compilation warning from commit 7a8e861a56
schannel.c:1125:5: warning: missing initializer for field 'dwMinorVersion'
                   of 'OSVERSIONINFOEX' [-Wmissing-field-initializers
2015-08-01 22:54:57 +01:00
Kamil Dudka
f7dcc7c118 http: move HTTP/2 cleanup code off http_disconnect()
Otherwise it would never be called for an HTTP/2 connection, which has
its own disconnect handler.

I spotted this while debugging <https://bugzilla.redhat.com/1248389>
where the http_disconnect() handler was called on an FTP session handle
causing 'dnf' to crash.  conn->data->req.protop of type (struct FTP *)
was reinterpreted as type (struct HTTP *) which resulted in SIGSEGV in
Curl_add_buffer_free() after printing the "Connection cache is full,
closing the oldest one." message.

A previously working version of libcurl started to crash after it was
recompiled with the HTTP/2 support despite the HTTP/2 protocol was not
actually used.  This commit makes it work again although I suspect the
root cause (reinterpreting session handle data of incompatible protocol)
still has to be fixed.  Otherwise the same will happen when mixing FTP
and HTTP/2 connections and exceeding the connection cache limit.

Reported-by: Tomas Tomecek
Bug: https://bugzilla.redhat.com/1248389
2015-07-30 15:16:43 +02:00
Michael Kaufmann
c5d060cab4 HTTP: ignore "Content-Encoding: compress"
Currently, libcurl rejects responses with "Content-Encoding: compress"
when CURLOPT_ACCEPT_ENCODING is set to "". I think that libcurl should
treat the Content-Encoding "compress" the same as other
Content-Encodings that it does not support, e.g. "bzip2". That means
just ignoring it.
2015-07-25 00:46:01 +02:00
Marcel Raad
98835eed29 openssl: work around MSVC warning
MSVC 12 complains:

lib\vtls\openssl.c(1554): warning C4701: potentially uninitialized local
variable 'verstr' used It's a false positive, but as it's normally not,
I have enabled warning-as-error for that warning.
2015-07-24 00:12:31 +02:00
Kamil Dudka
da650c1e54 http2: verify success of strchr() in http2_send()
Detected by Coverity.

Error: NULL_RETURNS:
lib/http2.c:1301: returned_null: "strchr" returns null (checked 103 out of 109 times).
lib/http2.c:1301: var_assigned: Assigning: "hdbuf" = null return value from "strchr".
lib/http2.c:1302: dereference: Incrementing a pointer which might be null: "hdbuf".
1300|
1301|     hdbuf = strchr(hdbuf, 0x0a);
1302|->   ++hdbuf;
1303|
1304|     authority_idx = 0;
2015-07-23 11:51:53 +02:00