1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-11 03:55:03 -05:00
Commit Graph

20947 Commits

Author SHA1 Message Date
Steve Holme
a78c61a4bf sasl: Don't use GSSAPI authentication when domain name not specified
Only choose the GSSAPI authentication mechanism when the user name
contains a Windows domain name or the user is a valid UPN.

Fixes #718
2016-08-21 11:56:23 +01:00
Steve Holme
43dbd76616 vauth: Added check for supported SSPI based authentication mechanisms
Completing commit 00417fd66c and 2708d4259b.
2016-08-21 10:27:09 +01:00
Steve Holme
317795d1bf http.c: Remove duplicate (authp->avail & CURLAUTH_DIGEST) check
From commit 2708d4259b.
2016-08-21 10:25:45 +01:00
Marc Hoersken
b820e40f34 socks.c: display the hostname returned by the SOCKS5 proxy server
Instead of displaying the requested hostname the one returned
by the SOCKS5 proxy server is used in case of connection error.
The requested hostname is displayed earlier in the connection sequence.

The upper-value of the port is moved to a temporary variable and
replaced with a 0-byte to make sure the hostname is 0-terminated.
2016-08-20 21:38:43 +02:00
Steve Holme
670802bd0b urldata.h: Corrected comment for httpcode which is also populated by SMTP
As of 7.25.0 and commit 5430007222.
2016-08-20 20:20:32 +01:00
Marc Hoersken
d6bf400e9f socks.c: use Curl_printable_address in SOCKS5 connection sequence
Replace custom string formatting with Curl_printable_address.
Add additional debug and error output in case of failures.
2016-08-20 21:15:00 +02:00
Marc Hoersken
213c27e487 socks.c: align SOCKS4 connection sequence with SOCKS5
Calling sscanf is not required since the raw IPv4 address is
available and the protocol can be detected using ai_family.
2016-08-20 21:15:00 +02:00
Steve Holme
c6b869ec79 http.c: Corrected indentation change from commit 2708d4259b
Made by Visual Studio's auto-correct feature and missed by me in my own
code reviews!
2016-08-20 19:34:54 +01:00
Steve Holme
2708d4259b http: Added calls to Curl_auth_is_<mechansism>_supported()
Hooked up the HTTP authentication layer to query the new 'is mechanism
supported' functions when deciding what mechanism to use.

As per commit 00417fd66c existing functionality is maintained for now.
2016-08-20 19:15:13 +01:00
Marc Hoersken
d1bfb1cf54 socks.c: improve verbose output of SOCKS5 connection sequence 2016-08-20 20:07:10 +02:00
Marc Hoersken
8f7f5a8b06 configure.ac: add missing quotes to PKG_CHECK_MODULES 2016-08-20 19:49:51 +02:00
Steve Holme
00417fd66c sasl: Added calls to Curl_auth_is_<mechansism>_supported()
Hooked up the SASL authentication layer to query the new 'is mechanism
supported' functions when deciding what mechanism to use.

For now existing functionality is maintained.
2016-08-20 14:02:44 +01:00
Miroslav Franc
0796a99317 spnego_sspi: fix memory leak in case *outlen is zero (#970) 2016-08-19 14:46:07 +02:00
Daniel Stenberg
2497c42172 CURLMOPT_MAX_TOTAL_CONNECTIONS.3: mention it can also multiplex 2016-08-19 09:40:40 +02:00
Steve Holme
a0f212946b vauth: Introduced Curl_auth_is_<mechansism>_supported() functions
As Windows SSPI authentication calls fail when a particular mechanism
isn't available, introduced these functions for DIGEST, NTLM, Kerberos 5
and Negotiate to allow both HTTP and SASL authentication the opportunity
to query support for a supported mechanism before selecting it.

For now each function returns TRUE to maintain compatability with the
existing code when called.
2016-08-18 20:31:20 +01:00
Daniel Stenberg
cdd61dc35f test1144: verify HEAD with body-only response 2016-08-18 11:45:15 +02:00
Steve Holme
cf582d7bc0 RELEASE-PROCEDURE: Added some more future release dates
...and removed some old ones
2016-08-17 23:25:04 +01:00
David Woodhouse
01f69232b0 curl: allow "pkcs11:" prefix for client certificates
RFC7512 provides a standard method to reference certificates in PKCS#11
tokens, by means of a URI starting 'pkcs11:'.

We're working on fixing various applications so that whenever they would
have been able to use certificates from a file, users can simply insert
a PKCS#11 URI instead and expect it to work. This expectation is now a
part of the Fedora packaging guidelines, for example.

This doesn't work with cURL because of the way that the colon is used
to separate the certificate argument from the passphrase. So instead of

   curl -E 'pkcs11:manufacturer=piv_II;id=%01' …

I instead need to invoke cURL with the colon escaped, like this:

   curl -E 'pkcs11\:manufacturer=piv_II;id=%01' …

This is suboptimal because we want *consistency* — the URI should be
usable in place of a filename anywhere, without having strange
differences for different applications.

This patch therefore disables the processing in parse_cert_parameter()
when the string starts with 'pkcs11:'. It means you can't pass a
passphrase with an unescaped PKCS#11 URI, but there's no need to do so
because RFC7512 allows a PIN to be given as a 'pin-value' attribute in
the URI itself.

Also, if users are already using RFC7512 URIs with the colon escaped as
in the above example — even providing a passphrase for cURL to handling
instead of using a pin-value attribute, that will continue to work
because their string will start 'pkcs11\:' and won't match the check.

What *does* break with this patch is the extremely unlikely case that a
user has a file which is in the local directory and literally named
just "pkcs11", and they have a passphrase on it. If that ever happened,
the user would need to refer to it as './pkcs11:<passphrase>' instead.
2016-08-17 11:35:16 +02:00
Daniel Stenberg
667fcb04a6 nss: make the global variables static 2016-08-17 10:50:06 +02:00
Daniel Stenberg
f975f06033 openssl: use regular malloc instead of OPENSSL_malloc
This allows for better memmory debugging and torture tests.
2016-08-16 10:58:33 +02:00
Daniel Stenberg
fa6b6f1a46 proxy: fix tests as follow-up to 93b0d907d5
This fixes tests that were added after 113f04e664 as the tests would
fail otherwise.

We bring back "Proxy-Connection: Keep-Alive" now unconditionally to fix
regressions with old and stupid proxies, but we could possibly switch to
using it only for CONNECT or only for NTLM in a future if we want to
gradually reduce it.

Fixes #954

Reported-by: János Fekete
2016-08-16 10:15:26 +02:00
Daniel Stenberg
93b0d907d5 Revert "Proxy-Connection: stop sending this header by default"
This reverts commit 113f04e664.
2016-08-16 08:36:04 +02:00
Daniel Stenberg
84e45f4b3a CURLOPT_PROXY.3: unsupported schemes cause errors now
Follow-up to a96319ebb9 (document the new behavior)
2016-08-15 14:49:26 +02:00
Daniel Stenberg
d5fa91b323 tests/README: mention nghttpx for HTTP/2 tests 2016-08-15 11:36:17 +02:00
Daniel Stenberg
ee1fa9cda9 README.md: add our CII Best Practices badge 2016-08-15 11:15:01 +02:00
Daniel Stenberg
321c897c06 proxy: polished the error message for unsupported schemes
Follow up to a96319ebb9
2016-08-15 11:11:46 +02:00
Daniel Stenberg
f1cdcc4c3e test219: verify unsupported scheme for proxies get rejected 2016-08-15 11:11:04 +02:00
Daniel Stenberg
a96319ebb9 proxy: reject attempts to use unsupported proxy schemes
I discovered some people have been using "https://example.com" style
strings as proxy and it "works" (curl doesn't complain) because curl
ignores unknown schemes and then assumes plain HTTP instead.

I think this misleads users into believing curl uses HTTPS to proxies
when it doesn't. Now curl rejects proxy strings using unsupported
schemes instead of just ignoring and defaulting to HTTP.
2016-08-15 10:46:27 +02:00
Daniel Stenberg
a5174b022b RELEASE-NOTES: synced with b7ee5316c2 2016-08-15 08:47:21 +02:00
Marc Hoersken
b7ee5316c2 socks.c: Correctly calculate position of port in response packet
Third commit to fix issue #944 regarding SOCKS5 error handling.

Reported-by: David Kalnischkies
2016-08-14 17:07:11 +02:00
Marc Hoersken
cc3384a254 socks.c: Do not modify and invalidate calculated response length
Second commit to fix issue #944 regarding SOCKS5 error handling.

Reported-by: David Kalnischkies
2016-08-14 17:05:32 +02:00
Marc Hoersken
59580e12ba socks.c: Move error output after reading the whole response packet
First commit to fix issue #944 regarding SOCKS5 error handling.

Reported-by: David Kalnischkies
2016-08-14 17:01:13 +02:00
Ronnie Mose
cdaed77206 MANUAL: Remove invalid link to LDAP documentation (#962)
The server developer.netscape.com does not resolve into any
ip address and can be removed.
2016-08-13 14:38:09 +02:00
Jay Satiro
b6fcdc32eb openssl: accept subjectAltName iPAddress if no dNSName match
Undo change introduced in d4643d6 which caused iPAddress match to be
ignored if dNSName was present but did not match.

Also, if iPAddress is present but does not match, and dNSName is not
present, fail as no-match. Prior to this change in such a case the CN
would be checked for a match.

Bug: https://github.com/curl/curl/issues/959
Reported-by: wmsch@users.noreply.github.com
2016-08-13 02:14:46 -04:00
Dambaev Alexander
c2f9b78afe configure.ac: add zlib search with pkg-config
Closes #956
2016-08-12 08:22:58 +02:00
Daniel Stenberg
2c8ccdac14 rtsp: ignore whitespace in session id
Follow-up to e577c43bb to fix test case 569 brekage: stop the parser at
whitespace as well.

Help-by: Erik Janssen
2016-08-11 14:02:12 +02:00
Daniel Stenberg
31e33a9a46 HTTP: retry failed HEAD requests too
Mark's new document about HTTP Retries
(https://mnot.github.io/I-D/httpbis-retry/) made me check our code and I
spotted that we don't retry failed HEAD requests which seems totally
inconsistent and I can't see any reason for that separate treatment.

So, no separate treatment for HEAD starting now. A HTTP request sent
over a reused connection that gets cut off before a single byte is
received will be retried on a fresh connection.

Made-aware-by: Mark Nottingham
2016-08-11 08:33:36 +02:00
Daniel Stenberg
04f84edd5b mk-ca-bundle.1: document -m, added in 1.26 2016-08-11 08:21:33 +02:00
Daniel Stenberg
6301692fae RELEASE-NOTES: synced with e577c43bb5 2016-08-10 09:12:34 +02:00
Erik Janssen
e577c43bb5 rtsp: accept any RTSP session id
Makes libcurl work in communication with gstreamer-based RTSP
servers. The original code validates the session id to be in accordance
with the RFC. I think it is better not to do that:

- For curl the actual content is a don't care.

- The clarity of the RFC is debatable, is $ allowed or only as \$, that
  is imho not clear

- Gstreamer seems to url-encode the session id but % is not allowed by
the RFC

- less code

With this patch curl will correctly handle real-life lines like:
Session: biTN4Kc.8%2B1w-AF.; timeout=60

Bug: https://curl.haxx.se/mail/lib-2016-08/0076.html
2016-08-10 08:58:10 +02:00
Daniel Stenberg
85e63bcfc7 symbols-in-versions: add CURL_STRICTER
Added in 5fce88aa8c
2016-08-09 21:34:47 +02:00
Simon Warta
dec9346460 winbuild: Allow changing C compiler via environment variable CC (#952)
This makes it possible to use specific compilers or a cache.

Sample use for clcache:
set CC=clcache.bat
nmake /f Makefile.vc DEBUG=no MODE=static VC=14 GEN_PDB=no
2016-08-09 21:27:36 +02:00
Daniel Stenberg
50cb384fd9 LICENSE-MIXING.md: switched to markdown 2016-08-09 15:04:50 +02:00
Daniel Stenberg
dcdc5f416d docs-make: have markdown files use .md 2016-08-09 14:47:20 +02:00
Daniel Stenberg
5fce88aa8c curl.h: make CURL_NO_OLDIES define CURL_STRICTER 2016-08-09 14:46:51 +02:00
Daniel Stenberg
6152b5916e HISTORY.md: use markdown extension 2016-08-09 12:05:43 +02:00
Daniel Stenberg
615a12cbad SSLCERTS.md: renamed to markdown extension 2016-08-09 12:03:46 +02:00
Daniel Stenberg
d263e83079 INTERNALS.md: use markdown extension for markdown content 2016-08-09 12:01:47 +02:00
Daniel Stenberg
e24597dc83 CONTRIBUTE.md: markdown extension 2016-08-09 11:40:39 +02:00
Daniel Stenberg
08fd82f370 CONTRIBUTE: changed to markdown 2016-08-09 11:39:58 +02:00