8226 Commits

Author SHA1 Message Date
Dan Fandrich
32606e4f0b http_negotiate_sspi: added missing data variable 2015-04-30 12:13:49 +02:00
Viktor Szakats
6a61285909 build: update depedency versions, urls, example makefiles
- update default versions of dependencies (except for rare/old platforms)
- update urls
- sync examples makefiles with main ones
- remove line ending space
2015-04-30 08:29:00 +02:00
Anders Bakken
b23fda76c1 curl_multi_add_handle: next is already NULL 2015-04-30 08:21:34 +02:00
Jay Satiro
926cb9ff65 schannel: Fix out of bounds array
Bug born in changes made several days ago 9a91e80.

Bug: http://curl.haxx.se/mail/lib-2015-04/0199.html
Reported-by: Brian Chrisman
2015-04-30 01:44:45 -04:00
Viktor Szakats
790d1a4816 lib/makefile.m32: add arch -m32/-m64 to LDFLAGS
This fixes using a multi-target mingw distro to build curl .dll for the
non-default target.
(mirroring the same patch present in src/makefile.m32)
2015-04-29 13:18:17 -04:00
Daniel Stenberg
6ba2e88a64 CURLOPT_HEADEROPT: default to separate
Make the HTTP headers separated by default for improved security and
reduced risk for information leakage.

Bug: http://curl.haxx.se/docs/adv_20150429.html
Reported-by: Yehezkel Horowitz, Oren Souroujon
2015-04-28 21:02:37 +02:00
Daniel Stenberg
b2ea1bfcd6 hash: simplify Curl_str_key_compare() 2015-04-28 13:10:53 +02:00
Linus Nielsen
97c272e5d1 Negotiate: custom service names for SPNEGO.
* Add new options, CURLOPT_PROXY_SERVICE_NAME and CURLOPT_SERVICE_NAME.
* Add new curl options, --proxy-service-name and --service-name.
2015-04-28 08:29:56 +02:00
Daniel Stenberg
54c394699d http2: unify http_conn variable names to 'c' 2015-04-27 22:54:34 +02:00
Daniel Stenberg
09a31fabe4 ConnectionExists: call it multi-use instead of pipelining
So that it fits HTTP/2 as well
2015-04-27 22:54:34 +02:00
Paul Howarth
d4f62f6c5d nss: fix compilation failure with old versions of NSS
Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
2015-04-27 15:37:16 +02:00
Marc Hoersken
92e754de78 schannel.c: Fix typo introduced with 3447c973d0 2015-04-26 19:57:05 +02:00
Marc Hoersken
9a91e8059b schannel.c: Fix possible SEC_E_BUFFER_TOO_SMALL error
Reported-by: Brian Chrisman
2015-04-26 17:59:01 +02:00
Daniel Stenberg
3447c973d0 schannel: re-indented file to follow curl style better
white space changes only
2015-04-26 17:40:40 +02:00
Daniel Stenberg
cae43a10cb Curl_ossl_init: load builtin modules
To have engine modules work, we must tell openssl to load builtin
modules first.

Bug: https://github.com/bagder/curl/pull/206
2015-04-26 17:26:31 +02:00
Daniel Stenberg
aff153f83a openssl: fix serial number output
The code extracting the cert serial number was broken and didn't display
it properly.

Bug: https://github.com/bagder/curl/issues/235
Reported-by: dkjjr89
2015-04-26 16:36:19 +02:00
Grant Pannell
59f3f92ba6 sasl_sspi: Populate domain from the realm in the challenge
Without this, SSPI based digest auth was broken.

Bug: https://github.com/bagder/curl/pull/141.patch
2015-04-26 16:12:23 +02:00
Viktor Szakats
48be87e5f0 netrc: support 'default' token
The 'default' token has no argument and means to match _any_ domain.
It must be placed last if there are 'machine <name>' tokens in the same file.

See full description here:
https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-File.html
2015-04-24 23:57:37 +02:00
Jay Satiro
0675abbc75 cyassl: Implement public key pinning
Also add public key extraction example to CURLOPT_PINNEDPUBLICKEY doc.
2015-04-22 17:07:19 -04:00
Daniel Stenberg
85c45d153b connectionexists: follow-up to fd9d3a1ef1f
PROTOPT_CREDSPERREQUEST still needs to be checked even when NTLM is not
enabled.

Mistake-caught-by: Kamil Dudka
2015-04-22 13:59:04 +02:00
Daniel Stenberg
fd9d3a1ef1 connectionexists: fix build without NTLM
Do not access NTLM-specific struct fields when built without NTLM
enabled!

bug: http://curl.haxx.se/?i=231
Reported-by: Patrick Rapin
2015-04-22 13:32:45 +02:00
Kamil Dudka
b47c17d67c nss: implement public key pinning for NSS backend
Bug: https://bugzilla.redhat.com/1195771
2015-04-22 13:21:31 +02:00
Daniel Stenberg
1fd33e3ec8 dist: include {src,lib}/checksrc.whitelist 2015-04-22 13:16:04 +02:00
Daniel Stenberg
79b9d5f1a4 http_done: close Negotiate connections when done
When doing HTTP requests Negotiate authenticated, the entire connnection
may become authenticated and not just the specific HTTP request which is
otherwise how HTTP works, as Negotiate can basically use NTLM under the
hood. curl was not adhering to this fact but would assume that such
requests would also be authenticated per request.

CVE-2015-3148

Bug: http://curl.haxx.se/docs/adv_20150422B.html
Reported-by: Isaac Boukris
2015-04-21 23:20:37 +02:00
Daniel Stenberg
0583e87ada fix_hostname: zero length host name caused -1 index offset
If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.

CVE-2015-3144

Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck
2015-04-21 23:20:36 +02:00
Daniel Stenberg
b5f947b8ac cookie: cookie parser out of boundary memory access
The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
2015-04-21 23:20:36 +02:00
Daniel Stenberg
31be461c6b ConnectionExists: for NTLM re-use, require credentials to match
CVE-2015-3143

Bug: http://curl.haxx.se/docs/adv_20150422A.html
Reported-by: Paras Sethia
2015-04-21 23:20:36 +02:00
byronhe
6088fbce06 openssl: add OPENSSL_NO_SSL3_METHOD check 2015-04-21 15:25:21 -04:00
Viktor Szakáts
3a87bdebd1 vtls/openssl: use https in URLs and a comment typo fixed 2015-04-19 19:52:37 +02:00
Daniel Stenberg
2eb02480ef Revert "HTTP: don't abort connections with pending Negotiate authentication"
This reverts commit 5dc68dd6092a789bb5e0a67a1c1356ba87fdcbc6.

Bug: https://github.com/bagder/curl/issues/223
Reported-by: Michael Osipov
2015-04-17 23:23:42 +02:00
Jay Satiro
f70112522f cyassl: Fix include order
Prior to this change CyaSSL's build options could redefine some generic
build symbols.

http://curl.haxx.se/mail/lib-2015-04/0069.html
2015-04-17 15:24:04 -04:00
Jay Satiro
9430dd583e cyassl: Add support for TLS extension SNI 2015-04-14 02:05:25 -04:00
Matthew Hall
a471a9f3b6 vtls_openssl: improve PKCS#12 load failure error message 2015-04-13 22:25:04 +02:00
Matthew Hall
27ac643455 vtls_openssl: fix minor typo in PKCS#12 load routine 2015-04-13 22:25:04 +02:00
Matthew Hall
b3175a767d vtls_openssl: improve client certificate load failure error messages 2015-04-13 22:25:04 +02:00
Matthew Hall
58b0a8b059 vtls_openssl: remove ambiguous SSL_CLIENT_CERT_ERR constant 2015-04-13 22:25:04 +02:00
Daniel Stenberg
7fe172d3b2 firefox-db2pem: fix wildcard to find Firefox default profile
At some point, Firefox has changed and generates different directory
names for the default profile that made this script fail to find them.

Bug: https://github.com/bagder/curl/issues/207
Reported-by: sneakyimp
2015-04-13 15:31:26 +02:00
Jay Satiro
72bea7cc65 cyassl: Include the CyaSSL build config
CyaSSL >= 2.6.0 may have an options.h that was generated during
its build by configure.
2015-04-11 23:58:42 -04:00
Viktor Szakats
e44155156a lib/makefile.m32: add missing libs to build libcurl.dll
Add 'gdi32' and 'crypt32' Windows implibs to avoid failure
while building libcurl.dll using the mingw compiler.
The same logic is used in 'src/makefile.m32' when
building curl.exe.
2015-04-09 21:34:14 +02:00
Da-Yoon Chung
a9e46749b2 lib/transfer.c: Remove factor of 8 from sleep time calculation
The factor of 8 is a bytes-to-bits conversion factor, but pkt_size and
rate_bps are both in bytes. When using the rate limiting option, curl
waits 8 times too long, and then transfers very quickly until the
average rate reaches the limit. The average rate follows the limit over
time, but the actual traffic is bursty.

Thanks-to: Benjamin Gilbert
2015-04-07 21:55:23 +02:00
Jay Satiro
c3101ae287 x509asn1: Silence x64 loss-of-data warning on RSA key length assignment
The key length in bits will always fit in an unsigned long so the
loss-of-data warning assigning the result of x64 pointer arithmetic to
an unsigned long is unnecessary.
2015-04-06 17:55:48 +02:00
Jay Satiro
d363c07912 cyassl: Use CYASSL_MAX_ERROR_SZ for error buffer size
Also fix it so that all ERR_error_string calls use an error buffer.
CyaSSL's implementation of ERR_error_string only writes the error when
an error buffer is passed.

http://www.yassl.com/forums/topic599-openssl-compatibility-and-errerrorstring.html
2015-04-06 17:54:14 +02:00
Jay Satiro
a30be951d6 cyassl: Remove 'Connecting to' message from cyassl_connect_step2
Prior to this change libcurl could show multiple 'CyaSSL: Connecting to'
messages since cyassl_connect_step2 is called multiple times, typically.
The message is superfluous even once since libcurl already informs the
user elsewhere in code that it is connecting.
2015-04-05 18:18:11 +02:00
Daniel Stenberg
81ee1e69fe hostip: fix compiler warnings
introduced in the previous mini-series of 3 commits
2015-04-03 23:41:58 +02:00
Stefan Bühler
846f492053 actually implement CURLOPT_RESOLVE removals
- also log when a CURLOPT_RESOLVE entry couldn't get parsed
2015-04-03 16:46:14 +02:00
Stefan Bühler
b4be97fb67 move Curl_share_lock and ref counting into Curl_fetch_addr 2015-04-03 16:46:14 +02:00
Stefan Bühler
0db831976e fix refreshing of obsolete dns cache entries
- cache entries must be also refreshed when they are in use
- have the cache count as inuse reference too, freeing timestamp == 0 special
  value
- use timestamp == 0 for CURLOPT_RESOLVE entries which don't get refreshed
- remove CURLOPT_RESOLVE special inuse reference (timestamp == 0 will prevent refresh)
- fix Curl_hostcache_clean - CURLOPT_RESOLVE entries don't have a special
  reference anymore, and it would also release non CURLOPT_RESOLVE references
- fix locking in Curl_hostcache_clean
- fix unit1305.c: hash now keeps a reference, need to set inuse = 1
2015-04-03 16:46:14 +02:00
Jay Satiro
f203edc544 cyassl: Set minimum protocol version before CTX callback
This change is to allow the user's CTX callback to change the minimum
protocol version in the CTX without us later overriding it, as we did
prior to this change.
2015-04-03 10:51:58 +02:00
Jay Satiro
0b5efa57ad cyassl: Fix certificate load check
SSL_CTX_load_verify_locations can return negative values on fail,
therefore to check for failure we check if load is != 1 (success)
instead of if load is == 0 (failure), the latter being incorrect given
that behavior.
2015-04-02 17:18:42 +02:00
Tatsuhiro Tsujikawa
21e82bd635 http2: Fix missing nghttp2_session_send call in Curl_http2_switched
Previously in Curl_http2_switched, we called nghttp2_session_mem_recv to
parse incoming data which were already received while curl was handling
upgrade.  But we didn't call nghttp2_session_send, and it led to make
curl not send any response to the received frames.  Most likely, we
received SETTINGS from server at this point, so we missed opportunity to
send SETTINGS + ACK.  This commit adds missing nghttp2_session_send call
in Curl_http2_switched to fix this issue.

Bug: https://github.com/bagder/curl/issues/192
Reported-by: Stefan Eissing
2015-04-02 15:19:29 +02:00