Commit Graph

7533 Commits

Author SHA1 Message Date
Daniel Stenberg
aae4e4bf70 base64: added Curl_base64url_encode()
This is now used by the http2 code. It has two different symbols at the
end of the base64 table to make the output "url safe".

Bug: https://github.com/tatsuhiro-t/nghttp2/issues/62
2014-07-25 08:24:03 +02:00
Marcel Raad
9c1cf96664 SSPI Negotiate: Fix 3 memory leaks
Curl_base64_decode allocates the output string by itself and two other
strings were not freed either.
2014-07-24 23:50:53 +02:00
Patrick Monnerat
c31dec7f98 GSSAPI: remove useless *_MECHANISM defines. 2014-07-23 18:56:19 +02:00
Daniel Stenberg
5b22c47ca9 findprotocol: show unsupported protocol within quotes
... to aid when for example prefixed with a space or other weird
character.
2014-07-23 18:17:16 +02:00
Patrick Monnerat
8efc11a0c1 GSSAPI: private export mechanisms OIDs. OS400: Make RPG binding up to date. 2014-07-23 16:15:01 +02:00
Marcel Raad
2cd0c2d244 conncache: fix compiler warning
warning C4267: '=' : conversion from 'size_t' to 'long', possible loss
of data

The member connection_id of struct connectdata is a long (always a
32-bit signed integer on Visual C++) and the member next_connection_id
of struct conncache is a size_t, so one of them should be changed to
match the other.

This patch the size_t in struct conncache to long (the less invasive
change as that variable is only ever used in a single code line).

Bug: http://curl.haxx.se/bug/view.cgi?id=1399
2014-07-23 12:06:57 +02:00
Daniel Stenberg
81cd24adb8 http2: more and better error checking
1 - fixes the warnings when built without http2 support

2 - adds CURLE_HTTP2, a new error code for errors detected by nghttp2
basically when they are about http2 specific things.
2014-07-23 09:23:56 +02:00
Dan Fandrich
713f96ee0c cyassl.c: return the correct error code on no CA cert
CyaSSL 3.0.0 returns a unique error code if no CA cert is available,
so translate that into CURLE_SSL_CACERT_BADFILE when peer verification
is requested.
2014-07-23 00:52:56 +02:00
Daniel Stenberg
3cad5ab77a http_negotiate: remove unused variable 2014-07-23 00:01:39 +02:00
Michael Osipov
eed1c63c70 docs: Improve inline GSS-API naming in code documentation 2014-07-23 00:01:39 +02:00
Michael Osipov
e38ba43014 curl.h/features: Deprecate GSS-Negotiate macros due to bad naming
- Replace CURLAUTH_GSSNEGOTIATE with CURLAUTH_NEGOTIATE
- CURL_VERSION_GSSNEGOTIATE is deprecated which
  is served by CURL_VERSION_SSPI, CURL_VERSION_GSSAPI and
  CURUL_VERSION_SPNEGO now.
- Remove display of feature 'GSS-Negotiate'
2014-07-23 00:01:39 +02:00
Michael Osipov
46750c39bd configure/features: Add feature and version info for GSS-API and SPNEGO 2014-07-23 00:01:39 +02:00
Michael Osipov
5128672731 HTTP: Remove checkprefix("GSS-Negotiate")
That auth mech has never existed neither on MS nor on Unix side.
There is only Negotiate over SPNEGO.
2014-07-23 00:01:39 +02:00
Michael Osipov
eda12bcff8 curl_gssapi: Add macros for common mechs and pass them appropriately
Macros defined: KRB5_MECHANISM and SPNEGO_MECHANISM called from
HTTP, FTP and SOCKS on Unix
2014-07-23 00:01:39 +02:00
Daniel Stenberg
a4cece3d47 CONNECT: Revert Curl_proxyCONNECT back to 7.29.0 design
This reverts commit cb3e6dfa35 and instead fixes the problem
differently.

The reverted commit addressed a test failure in test 1021 by simplifying
and generalizing the code flow in a way that damaged the
performance. Now we modify the flow so that Curl_proxyCONNECT() again
does as much as possible in one go, yet still do test 1021 with and
without valgrind. It failed due to mistakes in the multi state machine.

Bug: http://curl.haxx.se/bug/view.cgi?id=1397
Reported-by: Paul Saab
2014-07-22 23:00:19 +02:00
Marcel Raad
d242839af8 url.c: use the preferred symbol name: *READDATA
with CURL_NO_OLDIES defined, it doesn't compile because this deprecated
symbol (*INFILE) is used

Bug: http://curl.haxx.se/bug/view.cgi?id=1398
2014-07-22 11:27:51 +02:00
Daniel Stenberg
d19dfa974c curl_gssapi.c: make line shorter than 80 columns 2014-07-16 17:26:08 +02:00
David Woodhouse
3de576efda Fix negotiate auth to proxies to track correct state 2014-07-16 17:26:08 +02:00
David Woodhouse
6bc76194e8 Don't abort Negotiate auth when the server has a response for us
It's wrong to assume that we can send a single SPNEGO packet which will
complete the authentication. It's a *negotiation* — the clue is in the
name. So make sure we handle responses from the server.

Curl_input_negotiate() will already handle bailing out if it thinks the
state is GSS_S_COMPLETE (or SEC_E_OK on Windows) and the server keeps
talking to us, so we should avoid endless loops that way.
2014-07-16 17:26:08 +02:00
David Woodhouse
f78ae415d2 Don't clear GSSAPI state between each exchange in the negotiation
GSSAPI doesn't work very well if we forget everything ever time.

XX: Is Curl_http_done() the right place to do the final cleanup?
2014-07-16 17:26:08 +02:00
David Woodhouse
59431c242b Use SPNEGO for HTTP Negotiate
This is the correct way to do SPNEGO. Just ask for it

Now I correctly see it trying NTLMSSP authentication when a Kerberos ticket
isn't available. Of course, we bail out when the server responds with the
challenge packet, since we don't expect that. But I'll fix that bug next...
2014-07-16 17:26:08 +02:00
David Woodhouse
9ad282b1ae Remove all traces of FBOpenSSL SPNEGO support
This is just fundamentally broken. SPNEGO (RFC4178) is a protocol which
allows client and server to negotiate the underlying mechanism which will
actually be used to authenticate. This is *often* Kerberos, and can also
be NTLM and other things. And to complicate matters, there are various
different OIDs which can be used to specify the Kerberos mechanism too.

A SPNEGO exchange will identify *which* GSSAPI mechanism is being used,
and will exchange GSSAPI tokens which are appropriate for that mechanism.

But this SPNEGO implementation just strips the incoming SPNEGO packet
and extracts the token, if any. And completely discards the information
about *which* mechanism is being used. Then we *assume* it was Kerberos,
and feed the token into gss_init_sec_context() with the default
mechanism (GSS_S_NO_OID for the mech_type argument).

Furthermore... broken as this code is, it was never even *used* for input
tokens anyway, because higher layers of curl would just bail out if the
server actually said anything *back* to us in the negotiation. We assume
that we send a single token to the server, and it accepts it. If the server
wants to continue the exchange (as is required for NTLM and for SPNEGO
to do anything useful), then curl was broken anyway.

So the only bit which actually did anything was the bit in
Curl_output_negotiate(), which always generates an *initial* SPNEGO
token saying "Hey, I support only the Kerberos mechanism and this is its
token".

You could have done that by manually just prefixing the Kerberos token
with the appropriate bytes, if you weren't going to do any proper SPNEGO
handling. There's no need for the FBOpenSSL library at all.

The sane way to do SPNEGO is just to *ask* the GSSAPI library to do
SPNEGO. That's what the 'mech_type' argument to gss_init_sec_context()
is for. And then it should all Just Work™.

That 'sane way' will be added in a subsequent patch, as will bug fixes
for our failure to handle any exchange other than a single outbound
token to the server which results in immediate success.
2014-07-16 17:26:08 +02:00
David Woodhouse
223612afa2 ntlm_wb: Avoid invoking ntlm_auth helper with empty username 2014-07-16 17:26:08 +02:00
David Woodhouse
9008f3d564 ntlm_wb: Fix hard-coded limit on NTLM auth packet size
Bumping it to 1KiB in commit aaaf9e50ec is all very well, but having hit
a hard limit once let's just make it cope by reallocating as necessary.
2014-07-16 17:26:08 +02:00
Yousuke Kimoto
aa68848451 cookie: avoid mutex deadlock
... by removing the extra mutex locks around th call to
Curl_flush_cookies() which takes care of the locking itself already.

Bug: http://curl.haxx.se/mail/lib-2014-02/0184.html
2014-07-15 23:50:56 +02:00
Daniel Stenberg
f069b40f9d gnutls: fix compiler warning
conversion to 'int' from 'long int' may alter its value
2014-07-15 21:28:10 +02:00
Dan Fandrich
9087b7e8f5 gnutls: detect lack of SRP support in GnuTLS at run-time and try without
Reported-by: David Woodhouse
2014-07-14 22:31:11 +02:00
David Woodhouse
98866008a9 gnutls: handle IP address in cert name check
Before GnuTLS 3.3.6, the gnutls_x509_crt_check_hostname() function
didn't actually check IP addresses in SubjectAltName, even though it was
explicitly documented as doing so. So do it ourselves...
2014-07-14 20:14:15 +02:00
Dan Fandrich
08c8d5b89a build: set _POSIX_PTHREAD_SEMANTICS on Solaris to get proper getpwuid_r 2014-07-14 20:11:08 +02:00
Dan Fandrich
425459b8ae gnutls: improved error message if setting cipher list fails
Reported-by: David Woodhouse
2014-07-13 01:32:11 +02:00
Dan Fandrich
763c51780c netrc: fixed thread safety problem by using getpwuid_r if available
The old way using getpwuid could cause problems in programs that enable
reading from netrc files simultaneously in multiple threads.

Reported-by: David Woodhouse
2014-07-13 00:27:22 +02:00
Dan Fandrich
135c2dc14f netrc: treat failure to find home dir same as missing netrc file
This previously caused a fatal error (with a confusing error code, at
that).

Reported by: Glen A Johnson Jr.
2014-07-12 20:22:09 +02:00
Steve Holme
aaaf9e50ec ntlm_wb: Fixed buffer size not being large enough for NTLMv2 sessions
Bug: http://curl.haxx.se/mail/lib-2014-07/0103.html
Reported-by: David Woodhouse
2014-07-12 14:56:47 +01:00
Dan Fandrich
efc71583e7 gnutls: fixed a couple of uninitialized variable references 2014-07-12 01:31:12 +02:00
Dan Fandrich
3d2e1724cb gnutls: fixed compilation against versions < 2.12.0
The AES-GCM ciphers were added to GnuTLS as late as ver. 3.0.1 but
the code path in which they're referenced here is only ever used for
somewhat older GnuTLS versions. This caused undeclared identifier errors
when compiling against those.
2014-07-12 00:33:16 +02:00
Dan Fandrich
447c31ce9d gnutls: explicitly added SRP to the priority string
This seems to have become necessary for SRP support to work starting
with GnuTLS ver. 2.99.0. Since support for SRP was added to GnuTLS
before the function that takes this priority string, there should be no
issue with backward compatibility.
2014-07-12 00:11:44 +02:00
Dan Fandrich
baf8b57b1d gnutls: ignore invalid certificate dates with VERIFYPEER disabled
This makes the behaviour consistent with what happens if a date can
be extracted from the certificate but is expired.
2014-07-11 23:21:31 +02:00
Dan Fandrich
1cef8f0bc3 url.c: Fixed memory leak on OOM
This showed itself on some systems with torture failures
in tests 1060 and 1061
2014-07-09 23:55:12 +02:00
Dan Fandrich
3ae2b6cd7f Update instances of some obsolete CURLOPTs to their new names 2014-07-05 22:47:13 +02:00
Marcel Raad
8ffe6f5b57 compiler warnings: potentially uninitialized variables
... pointed out by MSVC2013

Bug: http://curl.haxx.se/bug/view.cgi?id=1391
2014-07-05 01:42:10 +02:00
Kamil Dudka
ca2aa61b66 nss: make the list of CRL items global
Otherwise NSS could use an already freed item for another connection.
2014-07-04 13:15:03 +02:00
Kamil Dudka
52cd5ac21c nss: fix a memory leak when CURLOPT_CRLFILE is used 2014-07-04 08:25:05 +02:00
Kamil Dudka
caa4db8a51 nss: make crl_der allocated on heap
... and spell it as crl_der instead of crlDER
2014-07-04 00:37:40 +02:00
Kamil Dudka
2968f957aa nss: let nss_{cache,load}_crl return CURLcode 2014-07-04 00:20:59 +02:00
Ray Satiro
907520c4b9 progress callback: skip last callback update on errors
When an error has been detected, skip the final forced call to the
progress callback by making sure to pass the current return code
variable in the Curl_done() call in the CURLM_STATE_DONE state.

This avoids the "extra" callback that could occur even if you returned
error from the progress callback.

Bug: http://curl.haxx.se/mail/lib-2014-06/0062.html
Reported by: Jonathan Cardoso Machado
2014-07-02 23:53:25 +02:00
Kamil Dudka
7581dee10a nss: make the fallback to SSLv3 work again
This feature was unintentionally disabled by commit ff92fcfb.
2014-07-02 18:11:05 +02:00
Kamil Dudka
7c21558503 nss: do not abort on connection failure
... due to calling SSL_VersionRangeGet() with NULL file descriptor

reported-by: upstream tests 305 and 404
2014-07-02 17:59:03 +02:00
Colin Hogben
0ab9e0c9d9 lib: documentation updates in README.hostip
c-ares now does support IPv6;
avoid implying threaded resolver is Windows-only;
two referenced source files were renamed in 7de2f92
2014-06-21 19:49:48 +02:00
Dan Fandrich
34d02aff71 sasl: Added back qop argument mistakenly removed in e95ca7ce
This caused segfaults on tests 823 869 907.
2014-06-15 14:11:35 +02:00
Dan Fandrich
740ebcd86e https: Fix build when http2 is disabled 2014-06-15 12:24:47 +02:00
Daniel Stenberg
c06e76f6fe http2: better return code error checking 2014-06-14 00:11:01 +02:00
Lindley French
964e43c5e2 conncache: move the connection counter to the cache struct
The static connection counter caused a race condition. Moving the
connection id counter into conncache solves it, as well as simplifying
the related logic.
2014-06-13 15:05:24 +02:00
Daniel Stenberg
d5d98c1297 http2: avoid segfault when usint the plain-text http2
This regression was introduced when *init was split into *init and
*setup...
2014-06-12 23:38:09 +02:00
Daniel Stenberg
3aa1329e0a curl_sasl: revert the goto for error bailout
They were added because of an older code path that used allocations and
should not have been left in the code. With this change the logic goes
back to how it was.
2014-06-11 23:32:10 +02:00
Daniel Stenberg
e95ca7cec9 NTLM: set a fake entropy for debug builds with CURL_ENTROPY set
Curl_rand() will return a dummy and repatable random value for this
case. Makes it possible to write test cases that verify output.

Also, fake timestamp with CURL_FORCETIME set.

Only when built debug enabled of course.

Curl_ssl_random() was not used anymore so it has been
removed. Curl_rand() is enough.

create_digest_md5_message: generate base64 instead of hex string

curl_sasl: also fix memory leaks in some OOM situations
2014-06-11 23:15:48 +02:00
Steve Holme
51bb067a42 Curl_rand: Use a fake entropy for debug builds when CURL_ENTROPY set 2014-06-11 21:13:40 +01:00
Marcel Raad
bde0d89c3d getinfo: HTTP CONNECT code not reset between transfers
httpproxycode is not reset in Curl_initinfo, so a 407 is not reset even
if curl_easy_reset is called between transfers.

Bug: http://curl.haxx.se/bug/view.cgi?id=1380
2014-06-10 22:44:51 +02:00
Alessandro Ghedini
e9344390ee transfer: fix info messages when switching method on 301 and 302
The method change is forbidden by the obsolete RFC2616, but libcurl did
it anyway for compatibility reasons. The new RFC7231 allows this
behaviour so there's no need for the scary "Violate RFC 2616/10.3.x"
notice. Also update the comments accordingly.
2014-06-09 08:29:37 +02:00
Steve Holme
65467cf9cb config-win32.h: Updated for VC12
Bug: http://curl.haxx.se/bug/view.cgi?id=1378
Reported and Patched-by: Marcel Raad
2014-06-05 22:44:46 +01:00
Daniel Stenberg
c50ce85918 Curl_ossl_init: call OPENSSL_config for initing engines
Bug: http://curl.haxx.se/mail/lib-2014-06/0003.html
Reported-by: Дмитрий Фалько
2014-06-03 22:15:38 +02:00
Daniel Stenberg
bbd3dc611e random: use Curl_rand() for proper random data
The SASL/Digest previously used the current time's seconds +
microseconds to add randomness but it is much better to instead get more
data from Curl_rand().

It will also allow us to easier "fake" that for debug builds on demand
in a future.
2014-06-03 18:25:48 +02:00
Steve Holme
62a26ec696 curl_sasl: Fixed copy/paste error of now.tv_sec in commit eefeb73af4 2014-06-02 23:15:15 +01:00
Steve Holme
1eb308275a curl_sasl: Fixed compilation warning under DEBUGBUILD 2014-06-01 12:29:16 +01:00
Steve Holme
eefeb73af4 curl_sasl: Extended native DIGEST-MD5 cnonce to be a 32-byte hex string
Rather than use a short 8-byte hex string, extended the cnonce to be
32-bytes long, like Windows SSPI does.

Used a combination of random data as well as the current date and
time for the generation.
2014-06-01 11:18:12 +01:00
Steve Holme
aa6be2ef13 curl_sasl_sspi: Fixed corrupt hostname in DIGEST-MD5 SPN generation 2014-06-01 10:35:52 +01:00
Daniel Stenberg
b99f8e8b4e gnutls: allow building with nghttp2 but without ALPN support
It might not be the most useful combo, but...
2014-05-28 00:30:23 +02:00
Alessandro Ghedini
345bfab518 gnutls: don't use deprecated type names anymore 2014-05-28 00:27:33 +02:00
Brad Spencer
fb4937a311 select: with winsock, avoid passing unsupported arguments to select()
"Any two of the parameters, readfds, writefds, or exceptfds, can be
given as null. At least one must be non-null, and any non-null
descriptor set must contain at least one handle to a socket."

http://msdn.microsoft.com/en-ca/library/windows/desktop/ms740141(v=vs.85).aspx

When using select(), cURL doesn't adhere to this (WinSock-specific)
rule, and can ask to monitor empty fd_sets, which leads to select()
returning WSAEINVAL (i.e. EINVAL) and connections failing in mysterious
ways as a result (at least when using the curl_multi_socket_action()
interface).

Bug: http://curl.haxx.se/mail/lib-2014-05/0278.html
2014-05-27 23:58:28 +02:00
Daniel Stenberg
1b89456509 url-parser: only use if_nametoindex if detected by configure
The previous #ifdef detection wasn't good enough.

Bug: http://curl.haxx.se/mail/lib-2014-05/0260.html
Reported-by: Chris Young
2014-05-26 22:10:15 +02:00
Fabian Frank
1439dfb576 polarssl: add ALPN support
PolarSSL added ALPN support in their 1.3.6 release.

See:
https://polarssl.org/tech-updates/releases/polarssl-1.3.6-released
2014-05-25 23:11:24 +02:00
Daniel Stenberg
ac6da721a3 curl_easy_reset: reset the URL
Make sure that the URL is reset and cleared.

Bug: http://curl.haxx.se/mail/lib-2014-05/0235.html
Reported-by: Jonathan Cardoso Machado
2014-05-24 19:06:11 +02:00
Tatsuhiro Tsujikawa
c7638d93b0 openssl: Fix uninitialized variable use in NPN callback
OpenSSL passes out and outlen variable uninitialized to
select_next_proto_cb callback function.  If the callback function
returns SSL_TLSEXT_ERR_OK, the caller assumes the callback filled
values in out and outlen and processes as such.  Previously, if there
is no overlap in protocol lists, curl code does not fill any values in
these variables and returns SSL_TLSEXT_ERR_OK, which means we are
triggering undefined behavior.  valgrind warns this.

This patch fixes this issue by fallback to HTTP/1.1 if there is no
overlap.
2014-05-23 17:00:07 +02:00
Steve Holme
a7999da39e tool_getparam.c: Fixed compilation warnings
There is an implicit conversion from "unsigned long" to "long"
2014-05-22 21:01:51 +01:00
Dan Fandrich
f634355868 http: Fix a compiler warning when http2 support is disabled 2014-05-22 08:38:26 +02:00
Nick Zitzmann
32e9275edb darwinssl: fix lint & build warnings in the previous commit 2014-05-21 19:21:15 -05:00
Vilmos Nebehaj
cd2cedf002 Add support for --cacert in DarwinSSL.
Security Framework on OS X makes it possible to supply extra anchor (CA)
certificates via the Certificate, Key, and Trust Services API. This
commit makes the '--cacert' option work using this API.

More information:

https://developer.apple.com/library/mac/documentation/security/Reference/certifkeytrustservices/Reference/reference.html

The HTTPS tests now pass on OS X except 314, which requires the '--crl'
option to work.
2014-05-21 18:48:14 -05:00
Steve Holme
c6d5f80d8b http.c: Fixed compilation warning
warning: suggest braces around empty body in an 'else' statement
2014-05-22 00:40:07 +01:00
Steve Holme
691985ceb0 bits.close: Fixed compilation warning
warning: implicit declaration of function 'connclose'
2014-05-22 00:29:21 +01:00
Daniel Stenberg
df13f8e8c2 bits.close: introduce connection close tracking
Make all code use connclose() and connkeep() when changing the "close
state" for a connection. These two macros take a string argument with an
explanation, and debug builds of curl will include that in the debug
output. Helps tracking connection re-use/close issues.
2014-05-22 00:34:10 +02:00
Daniel Stenberg
99114faf82 http2: make connection re-use work
Http2 connections would wrongly get closed after each individual
request.

Co-authored-by: Tatsuhiro Tsujikawa
Bug: http://curl.haxx.se/bug/view.cgi?id=1374
2014-05-20 16:50:24 +02:00
Fabian Frank
316f79cef2 ALPN: fix typo in http/1.1 identifier
According to https://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-05
it is "http/1.1" and not "http/1.0".
2014-05-20 12:57:56 +02:00
Steve Holme
6f6646d6e9 build: Slight rename of new LIB_* makefile file variables
In order to try and be consistent between curl and libcurl renamed the
recently introduced LIB_* makefile file variables.
2014-05-18 22:16:54 +01:00
Dan Fandrich
5a067c4b39 axtls: Fixed too long source line 2014-05-17 11:54:48 +02:00
Dan Fandrich
c9ea1d341a axtls: Add a TODO to a potential blocking call with no timeout 2014-05-16 23:27:07 +02:00
Daniel Stenberg
68f0166a92 HTTP: CREDSPERREQUEST is for HTTP too
Commit 517b06d657 (in 7.36.0) that brought the CREDSPERREQUEST flag
only set it for HTTPS, making HTTP less good at doing connection re-use
than it should be. Now set it for HTTP as well.

Simple test case

"curl -v -u foo:bar localhost --next -u bar:foo localhos"

Bug: http://curl.haxx.se/mail/lib-2014-05/0127.html
Reported-by: Kamil Dudka
2014-05-15 23:28:31 +02:00
Daniel Stenberg
53a5b95c21 CURLINFO_SSL_VERIFYRESULT: assign at first connect call
The variable wasn't assigned at all until step3 which would lead to a
failed connect never assigning the variable and thus returning a bad
value.

Reported-by: Larry Lin
Bug: http://curl.haxx.se/mail/lib-2014-04/0203.html
2014-05-15 22:02:00 +02:00
Daniel Stenberg
84bd19ffd4 timers: fix timer regression involving redirects / reconnects
In commit 0b3750b5c2 (released in 7.36.0) we fixed a timeout issue
but instead broke the timings.

To fix this, I introduce a new timestamp to use for the timeouts and
restored the previous timestamp and timestamp position so that the old
timer functionality is restored.

In addition to that, that change also broke connection timeouts for when
more than one connect was used (as it would then count the total time
from the first connect and not for the most recent one). Now
Curl_timeleft() has been modified so that it checks against different
start times depending on which timeout it checks.

Test 1303 is updated accordingly.

Bug: http://curl.haxx.se/mail/lib-2014-05/0147.html
Reported-by: Ryan Braud
2014-05-15 21:28:19 +02:00
Steve Holme
678239df54 darwinssl: Updated copyright following recent changes 2014-05-15 18:38:42 +01:00
Nick Zitzmann
69cdc95932 darwinssl: fix potential crash when attempting to copy an identity
from a P12 file

This could've happened if SecPKCS12Import() returned noErr _and_ no
identity.
2014-05-14 17:48:14 -05:00
Daniel Stenberg
52d16c84d2 openssl: unbreak PKCS12 support
Regression introduced in ce362e8eb9 (7.31.0)

Bug: http://curl.haxx.se/bug/view.cgi?id=1371
Reported-by: Dmitry
2014-05-12 13:06:50 +02:00
Steve Holme
b4c81b6cee Makefile.inc: Added resource file to assist Visual Studio project generation 2014-05-11 20:52:56 +01:00
Steve Holme
8342b6e1dc sasl: Fixed missing qop in the client's challenge-response message
Whilst the qop directive isn't required to be present in a client's
response, as servers should assume a qop of "auth" if it isn't
specified, some may return authentication failure if it is missing.
2014-05-11 14:48:28 +01:00
Steve Holme
fdb2d32144 Makefile.inc: Separated the lib and lib/vtls source file variables
To cater for the automatic generation of the new Visual Studio project
files, moved the lib file list into a separated variable so that lib
and lib/vtls can be referenced independently.
2014-05-09 23:07:32 +01:00
Steve Holme
0ab2c444b5 Makefile.b32: Fixed for vtls changes
Follow up fix to commits a47c142a88, 11e8066ef9 and 92b9ae5c5d.

Bug: http://curl.haxx.se/mail/lib-2014-05/0025.html
Reported and assisted by: Jon Torrey
2014-05-09 21:09:51 +01:00
Steve Holme
65bb4a0d38 getinfo.c: Fixed compilation warning
The indicated statement is not reachable.
2014-05-09 13:18:55 +01:00
Kamil Dudka
ec5fde24de http: avoid auth failure on a duplicated header
... 'WWW-Authenticate: Negotiate' received from server

Reported by: David Woodhouse
Bug: https://bugzilla.redhat.com/1093348
2014-05-09 13:44:04 +02:00
Patrick Watson
94898303d2 mk-ca-bundle: added -p
-p takes a list of Mozilla trust purposes and levels for certificates to
include in output.  Takes the form of a comma separated list of
purposes, a colon, and a comma separated list of levels.
2014-05-08 11:37:45 +02:00
Tatsuhiro Tsujikawa
6404896d8c http2: Compile with latest nghttp2
Now nghttp2_submit_request returns assigned stream ID, we don't have
to check stream ID using before_stream_send_callback.  The
adjust_priority_callback was removed.
2014-05-07 20:51:51 +01:00
Steve Holme
6f8085ca77 url.c: Fixed compilation warning/error
Depending on compiler line 3505 could generate the following warning or
error:

* warning: ISO C90 forbids mixed declarations and code
* A declaration cannot appear after an executable statement in a block
* error C2275: 'size_t' : illegal use of this type as an expression
2014-05-07 10:55:19 +01:00
Daniel Stenberg
5de8d84098 fix_hostname: strip off a single trailing dot from host name
Primarily for SNI, we need the host name without a trailing dot.
"https://www.example.com." resolves fine but fails on SNI unless the dot
is removed.

Reported-by: Leon Winter
Bug: http://curl.haxx.se/mail/lib-2014-04/0161.html
2014-05-06 08:44:11 +02:00